Next Generation Firewall: Firedrill or Firestop

Next Generation Firewall (NGFW) technology has finally become a mainstay in the enterprise. End users are finding that NGFWs are no longer as limiting in their performance or capability trade-offs as they once were. In fact, in this most recent NGFW group test several vendors submitted products that exceeded 10Gb throughput under load, demonstrating that performance meets or exceeds that of many firewalls just a few years ago. In our research, NSS Labs discovered that many enterprises are choosing NGFW over traditional firewalls for a variety of reasons without feeling that they are compromising on features or performance. Some NGFW solutions scale to tens of gigabits which satisfies the needs of all but the most demanding enterprise WAN connections.

Today, NSS Labs released its third NGFW Security Value Map™, Comparative Analysis Reports, and Product Analysis Reports. These results help guide security professionals in the enterprise to make informed decisions when evaluating the many offerings in the industry. Do you know with certainty which evasion techniques can be handled by your NGFW product? How about the exploits themselves? In this test, NSS Labs made some interesting discoveries.

Our group tests normalize the performance of security devices so that enterprises may assess one solution against another. Furthermore, our tests are representative of the diverse volume and types of exploits in the wild today, targeting all aspects of the modern enterprise architecture. Additionally, we employ a wide variety of techniques from simple single vector attacks to multi-vector, multi-protocol evasions and application targeted attacks in order to best measure the device or solution under test (DUT/SUT).

Evasions are particularly crucial when testing security solutions as they allow an exploit to bypass a security product that would otherwise detect/block it. In addition, certain evasion techniques can allow an entire class of exploits to bypass a security product, thus rendering the protection ineffective. In these instances, the security effectiveness rating is further reduced to represent the potentially limited efficacy in an enterprise deployment. This allows enterprise customers to more accurately compare solutions based on their effective security ratings.

Some points to consider:

  • The simpler and/or easier to implement the evasion technique, the more critical the efficacy score impact.
  • Performance often degrades as signature tables grow or features are added or enabled, therefore always buy or architect your solution for sufficient growth capacity.
  • The SVM may have two representative points for a given DUT/SUT: one representing the security effectiveness score as tested, warts and all, and a second score adjusted to show the effect of remediating product failings in evasion capabilities, reliability, etc.
  • NSS Labs also normalizes the cost for a device by calculating total cost of ownership per protected megabit (TCO per Protected Mbps).
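The evasion paragraph and the first point above make a concrete claim: a cheap evasion can hide an exploit that the product's own signature would otherwise catch. The Python below is an added illustration of that mechanism from the inspection side; it is not NSS Labs code and does not reproduce the NSS test methodology. It contrasts a stateless per-segment matcher with one that reassembles the byte stream before matching, and shows why the reassembler's overlap policy matters. The signature, the HTTP request, and the segment layouts are constructed placeholders.

```python
# Added illustration (not NSS Labs code or methodology): why per-segment
# signature matching fails against a trivial stream-segmentation evasion,
# and how reassembling the stream before inspection restores detection.
# SIGNATURE and REQUEST are constructed placeholders, not real detections.

SIGNATURE = b"/etc/passwd"  # constructed 'known bad' pattern


def split_stream(payload: bytes, size: int) -> list[tuple[int, bytes]]:
    """Cut a payload into (sequence_offset, data) segments of `size` bytes,
    the way a sender can spread one request across several TCP segments."""
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]


def naive_inspect(segments: list[tuple[int, bytes]]) -> bool:
    """Stateless inspection: looks for the signature inside each segment on
    its own. A pattern that straddles a segment boundary is never seen."""
    return any(SIGNATURE in data for _, data in segments)


class StreamInspector:
    """Stateful inspection: buffers bytes by sequence offset, tolerates
    out-of-order delivery, resolves overlapping retransmissions with a fixed
    policy, and only then matches against the reassembled stream."""

    def __init__(self, overlap_policy: str = "first") -> None:
        if overlap_policy not in ("first", "last"):
            raise ValueError("overlap_policy must be 'first' or 'last'")
        self.policy = overlap_policy
        self.bytes_at: dict[int, int] = {}  # absolute offset -> byte value

    def feed(self, seq: int, data: bytes) -> None:
        """Accept one segment; order of arrival does not matter."""
        for i, byte in enumerate(data):
            offset = seq + i
            # 'first' keeps the byte seen first, 'last' lets a later
            # retransmission overwrite it; real endpoints differ here.
            if self.policy == "last" or offset not in self.bytes_at:
                self.bytes_at[offset] = byte

    def reassembled(self) -> bytes:
        """Contiguous prefix from offset 0; a gap stops reassembly, just as
        it would for the receiving TCP stack."""
        out = bytearray()
        offset = 0
        while offset in self.bytes_at:
            out.append(self.bytes_at[offset])
            offset += 1
        return bytes(out)

    def matches(self) -> bool:
        return SIGNATURE in self.reassembled()


def inspect_stream(segments: list[tuple[int, bytes]],
                   overlap_policy: str = "first") -> bool:
    """Run every segment through a StreamInspector and report a match."""
    inspector = StreamInspector(overlap_policy)
    for seq, data in segments:
        inspector.feed(seq, data)
    return inspector.matches()


# Constructed request; SIGNATURE sits at byte offsets 28..38.
REQUEST = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n\r\n"

# Eight-byte segments put a boundary at offset 32, inside the signature.
SEGMENTED = split_stream(REQUEST, 8)

# Overlap case: a decoy segment arrives first at offset 28, then the full
# request. Which bytes 'win' depends on the inspector's overlap policy.
OVERLAPPED = [(28, b"/etc/hostsXX"), (0, REQUEST)]


if __name__ == "__main__":
    print("whole request, naive :", naive_inspect([(0, REQUEST)]))
    print("segmented, naive     :", naive_inspect(SEGMENTED))
    print("segmented, reassembled:", inspect_stream(SEGMENTED))
    print("out of order, reassembled:", inspect_stream(SEGMENTED[::-1]))
    print("overlap, policy=first:", inspect_stream(OVERLAPPED, "first"))
    print("overlap, policy=last :", inspect_stream(OVERLAPPED, "last"))
```

The overlap case is the caveat a practitioner should take from this: reassembly alone is not enough, the inspector must resolve overlaps the same way the protected host does, or the inspected stream and the stream the application actually processes diverge. That is exactly the class of failing the post says drives a product's adjusted effectiveness score down.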

Furthermore, this test reveals that an aggressive pricing movement is occurring in the NGFW marketplace, reflecting a merging of UTM and NGFW feature sets. Expect vendors to differentiate portfolios through the delivery of more sophisticated management features and deeper integration with other security technologies, for example enhanced forensics, analytics, etc.

As any security professional knows, every technology choice made is an exercise in risk, whether it be policy, control lists, or software updates. Knowledge of how a device performs and how effective it is buys not only peace of mind, but protection of the enterprise.

To see how your preferred NGFW vendor performed, download a copy of the NGFW SVM graphic. NSS Clients – click here to download the full reports.

Follow us on Twitter (@mikespanbauer) to keep informed as new research is released.

Follow us on Twitter (@NSSLabs) to keep informed as new research is released.
