Palo Alto fixes issues identified by NSS Labs

Next-generation-firewall vendor thanks testing house for its assistance in applying fix just days after questioning its objectivity and accuracy

Palo Alto Networks has buried the hatchet with NSS Labs after its next-generation firewall was savaged by the testing lab in a recent report.

In two separate blog posts, the duo revealed they have worked together to verify and fix the issues NSS Labs discovered that led it to award Palo Alto a 'caution' rating in its latest NGFW test.

Maintaining that spirit of reconciliation, NSS Labs admitted that one issue it had identified was related to how it configured the device, rather than the device itself.

The détente follows a heated exchange between the duo last week in which Palo Alto accused NSS Labs of operating a "pay-for-play" model and questioned its "accuracy and objectivity".

Lee Klarich, senior vice president of product management at Palo Alto, said in a blog post published yesterday that his firm was able to replicate and fix the two issues identified by NSS Labs through its own testing and through working with NSS.

"We would like to thank NSS for their assistance in this matter and greatly appreciate the professional and collaborative manner in which this occurred," Klarich said.

"Given that new attack methods are being developed at all times, any input that assists in identifying and blocking them is helpful as demonstrated in this case, and we plan to proactively engage in future tests to ensure we benefit from all input."

NSS Labs founder Bob Walder said in his blog post: "In my previous blog about the Palo Alto Networks results in our recent NGFW test I expressed the hope that 'Palo Alto Network executives will take this issue seriously and move quickly to protect their customers'.

"Well, they did. Both NSS and Palo Alto Networks worked together to verify the issues and fix the problems, and that fix [was] rolled out [yesterday]. This code was tested in our labs over the past few days (on our dime) to verify that it addresses all of the major evasion issues identified in the recent NGFW tests."

Walder continued: "While the Split Handshake turned out to be an issue with our configuration of the device, the layered TCP segmentation/IP fragmentation and RPC evasion problems were proven to be valid issues with PAN-OS that have now been rectified. The fixes for those specific issues have been tested and verified to be effective in our labs."