NSS Labs Publishes First Test of Next Generation Intrusion Prevention System Products

AUSTIN, Texas – April 20, 2015 – NSS Labs today released its first Security Value Map™ (SVM) and Comparative Report series for Next Generation Intrusion Prevention System (NGIPS), in which the leading NGIPS products on the market were evaluated for security effectiveness, performance, and total cost of ownership (TCO).

A key differentiator for NGIPS products is the integration of several components, including intrusion prevention, reputation systems, and application identification, within a single platform. NSS research indicates that this segment has supplanted traditional Network Intrusion Prevention Systems and is continuing to grow at nearly 5% per year, exceeding $1.7 billion by the end of 2018.

The products covered in the 2015 NGIPS Group Test are:

  • Cisco FirePOWER 8350
  • Fortinet FortiGate-1500D
  • HP TippingPoint S7500NX
  • IBM Security Network Protection XGS 5100
  • IBM Security Network Protection XGS 7100
  • Palo Alto Networks PA-5020

NSS’s research yielded several key conclusions:

  • NGIPS protection ranged from 86.6% to 99.5% for overall security effectiveness.
  • Live Attacks Make a Difference: The NSS live test segment measures how effectively products block attacks being used by threat actors in current campaigns, and it is a strong indicator of NGIPS protection against mainstream attacks. In this critical test, protection effectiveness between products varied by more than 25%, with only one product achieving a 100% block rate.
  • Most Vendor Performance Claims Hold Up in Testing: Five (5) out of six (6) products outperformed their vendor-stated throughput rates during testing this year. Four (4) vendors had products that achieved throughput rates over 20% higher than their stated rates.
  • Product Costs Vary: TCO per Protected Megabit (Mbps) ranged between $4.95 and $25.30.
  • Reputation Systems Show Promise: Real-time communication with cloud systems and other forensic technologies bolster the performance of NGIPS over traditional IPS technologies.

“The Next Generation Intrusion Prevention System will continue to evolve as a modern replacement for inline prevention devices,” said Mike Spanbauer, VP of Research at NSS Labs. “As evasions, techniques, and protocol attacks become more sophisticated, reputation services and other real-time technologies that augment these protections will provide competitive differentiation and improved security for the enterprise.”