2013 Firewall Comparative Analysis

Report Overview

Although firewalls are among the most mature and stable security technologies, NSS finds that there is still much room for improvement in management capabilities, which are increasingly critical for enterprise deployments. These are the final results and analysis from our 2013 Group Test for Firewall (FW), which evaluated products from 12 leading firewall vendors.

The firewall market is mature, populated by established vendors, and offers limited scope for true innovation. As a result, cost and capabilities, especially enterprise management and the ability to integrate with existing security and network infrastructure, are emerging as the deciding factors in customers' final product selection. The 2013 Firewall Group Test revealed the following key findings:

  • Enterprise management emerges as a key differentiator: Only 4 of the 12 vendors tested scored 100% for their management capabilities. This is the first Firewall SVM in which management scores are weighted into a vendor's overall score, a change NSS made to reflect enterprises' growing emphasis on robust management capabilities when making firewall purchasing decisions.
  • Some firewalls continue to fail TCP split handshake and SYN flood protection tests: While most vendors passed all security tests, two of the twelve products failed the fundamental TCP split handshake test. In a split handshake the remote side answers an internal host's SYN with a bare SYN of its own rather than a SYN/ACK; a firewall that mishandles this exchange can misidentify which side initiated the connection, so that a remote attacker is treated as the trusted, internally initiated party and bypasses the rules and policies that would otherwise apply. One firewall also failed the SYN flood protection tests, meaning it could prove susceptible to denial of service (DoS) attacks. With ongoing attacks by groups such as LulzSec and Anonymous, and the growing use of easily downloaded exploit tools, standard attacks such as DoS are seeing a resurgence, and it is critical that all firewalls be able to block these threats.
  • Vendor claims continue to be exaggerated: All 12 products tested performed significantly below their vendors' throughput claims, 40% below on average. Individual products ranged from 15% to 78% below their published throughput, and buyers should take this into account when evaluating the overall value of a particular firewall.
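To make the split handshake finding concrete, the following is an added illustration (not NSS Labs' test harness or any vendor's code) of why the exchange trips up a connection tracker. Two simplified stateful trackers observe the same packets: the naive one lets the remote side's bare SYN overwrite which host it records as the client, while the strict one treats it as an RFC 793 simultaneous open and keeps the original initiator. The hosts, flag values and state names are assumptions chosen for the example; the packet sequences are constructed inline.

```python
"""Stateful tracking of a normal vs. a split TCP handshake.

Constructed illustration, not NSS Labs' test harness: two simplified
connection trackers see the same packet sequence.  The naive one lets a
bare SYN from the remote side overwrite which host it records as the
client; the strict one treats it as an RFC 793 simultaneous open and
keeps the original initiator.
"""
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10

# Assumed hosts; the remote side uses RFC 5737 documentation space.
INSIDE = "10.0.0.5"        # trusted internal client
OUTSIDE = "203.0.113.7"    # remote server under attacker control


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: int


def normal_handshake():
    return [Packet(INSIDE, OUTSIDE, SYN),
            Packet(OUTSIDE, INSIDE, SYN | ACK),
            Packet(INSIDE, OUTSIDE, ACK)]


def split_handshake():
    # The remote side answers the SYN with a bare SYN instead of SYN/ACK;
    # the inside host then sends the SYN/ACK and the remote side ACKs it.
    return [Packet(INSIDE, OUTSIDE, SYN),
            Packet(OUTSIDE, INSIDE, SYN),
            Packet(INSIDE, OUTSIDE, SYN | ACK),
            Packet(OUTSIDE, INSIDE, ACK)]


class Tracker:
    """Tracks one TCP session; `strict` selects how a second SYN is handled."""

    def __init__(self, strict):
        self.strict = strict
        self.client = None
        self.server = None
        self.state = "NONE"

    def observe(self, p):
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if self.state == "NONE":
            if syn and not ack:
                self.client, self.server, self.state = p.src, p.dst, "SYN_SENT"
                return "allow"
            return "drop"
        if self.state == "SYN_SENT":
            if p.src != self.server:
                return "drop"
            if syn and ack:                       # ordinary SYN/ACK
                self.state = "SYN_RECEIVED"
                return "allow"
            if syn:                               # bare SYN from the responder
                if self.strict:
                    self.state = "SIMULTANEOUS"   # roles unchanged
                else:
                    self.client, self.server = p.src, p.dst   # latest SYN wins
                return "allow"
            return "drop"
        if self.state == "SYN_RECEIVED":
            if ack and not syn and p.src == self.client:
                self.state = "ESTABLISHED"
                return "allow"
            return "drop"
        if self.state == "SIMULTANEOUS":
            if syn and ack:                       # either side may SYN/ACK
                return "allow"
            if ack:
                self.state = "ESTABLISHED"
                return "allow"
            return "drop"
        return "allow" if self.state == "ESTABLISHED" else "drop"


def run_handshake(strict, packets):
    """Feed packets through a fresh tracker and return it (verdicts attached)."""
    t = Tracker(strict)
    t.verdicts = [t.observe(p) for p in packets]
    return t


def payload_direction(strict):
    """Classify a post-handshake payload from OUTSIDE to INSIDE after a
    split handshake.  A direction-aware rule that only inspects
    server-to-client data would never look at it under the naive tracker."""
    t = run_handshake(strict, split_handshake())
    return "client->server" if t.client == OUTSIDE else "server->client"


if __name__ == "__main__":
    for strict in (False, True):
        t = run_handshake(strict, split_handshake())
        print(f"strict={strict}: state={t.state} client={t.client} "
              f"server={t.server} attacker payload={payload_direction(strict)}")
```

Both trackers accept every packet and reach ESTABLISHED, which is why the failure is easy to miss in a connectivity check: the difference is only visible in which host the firewall recorded as the initiator, and that is what any direction-dependent policy or inspection rule is keyed on.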

This comparative report consists of five sections, each published as a separate Comparative Report.

Tested Products

NSS Labs’ comparative analysis of firewall products is based on empirical data gathered during testing at the NSS Labs facility in Austin, Texas. Testing was performed in accordance with NSS Labs’ Network Firewall Methodology 4.0.
