Why DCIPS is Important
Data center network security (DCNS) is a term used to describe devices that provide network security for the data center. The two main devices in this category are the data center firewall (DCFW) and the data center intrusion prevention system (DCIPS). The DCIPS device sits inline behind the data center perimeter (as "a bump in the wire") and provides internal network segmentation and deep inspection without introducing the complexity of a routing firewall. The DCIPS works as a layer 2 device and is configured to have bypass (fail-open) capabilities: if the device loses power or its inspection engine hangs, traffic continues to flow uninspected rather than taking the data center offline. That choice trades a window of unprotected traffic for availability, which is why the stability of an inline device matters as much as its block rate.
A DCIPS handles traffic for potentially hundreds of thousands of users who are accessing large applications in a server farm. Application traffic generates many connections and transactions per request for different traffic types (email, video, ecommerce, database, file shares), which places a high demand on a DCIPS device's ability to set up many connections quickly, hold many connections open, and achieve high throughput rates. Data centers host the crown jewels of an enterprise, e.g., customer data, intellectual property, and mission-critical applications. Therefore, security effectiveness is critical to organizations evaluating these devices. A DCIPS should be capable of correctly blocking malicious traffic through comparison of packet/session contents against signatures/filters/protocol decoders.
Enterprise servers and applications being protected by DCIPS host a myriad of content such as streaming audio and video, retail and B2B e-commerce, mission-critical business applications, and the routing infrastructure that runs the Internet. In addition to ensuring security effectiveness and resiliency against attacks and evasions, providing high throughput, low latency and high availability are critical in a DCIPS device. For the enterprise's data center network security deployment and strategy, it is important to understand whether data center security products are deployed at the perimeter or in the interior (zero-trust model). It is also important to understand if enterprise data centers are zoned for breach containment, if they are passively monitored, and if there is data center redundancy for high availability.
NSS research has found that there are many factors involved in understanding the performance of data center security products, each of which can be critical in evaluating their value. To ascertain which performance factors are most salient to enterprises, survey participants were asked to rate the importance of five data center security technology performance factors for their organizations on a 0-10 scale, with 0 indicating not important at all and 10 indicating critically important. Unsurprisingly, all performance factors were rated highly important; however, latency and throughput received the highest median scores (9.0).
Attackers can modify basic attacks to evade detection in a number of ways. If a device fails to detect a single form of evasion, any exploit wrapped in that evasion can pass through the device, rendering it ineffective. What's worse, when an attacker successfully uses an evasion to bypass defenses, there is no trace of the attack. There are no logs; there are no alerts. Reporting exploit protection without fully factoring in evasion can therefore be misleading. The more classes of evasion that are missed (such as IP packet fragmentation, RPC fragmentation, URL obfuscation, FTP/Telnet evasion, and attacks on nonstandard ports) and the more exploit variants that slip past (resiliency), the less effective the device. Find out which products were the most resistant, and which were the least resistant, to evasions in our latest DCIPS Group Test.
Data center technologies are changing rapidly in response to the adoption of social media, streaming video, teleconferencing, and other bandwidth-intensive technologies. Many factors must be taken into account in order to understand the performance of a data center security product, and each of these factors can be critical in evaluating its value. When evaluating performance, the following should be taken into consideration: HTTP capacity, measured as application average response time and as the number of HTTP persistent connections sustained, single application flows, UDP throughput, and latency. DCIPS devices must also remain resilient to attacks when they are operating at near maximum traffic capacity. Find out which DCIPS devices were able to provide effective protection without compromising on performance when they were subjected to high TCP traffic throughput and to attacks sustained over a period of time.
To account for significant variances in data center network traffic between industries and enterprises, NSS considered three traffic profiles in this test: transactional, multimedia, and corporate. The average throughput across these three profiles is the NSS-tested throughput used to compare products; check that the profile mix resembles your own workload before relying on the average. Other important metrics to review when understanding a DCIPS inspection engine's real-world capacity are TCP connections per second and HTTP connections per second. Rated throughput should focus on packet sizes and protocols that are more likely to be found in typical enterprise deployments, such as email, video, e-commerce, database, and file sharing.
Long-term stability is particularly important for an inline DCIPS device, where a failure can produce network outages and disrupt business operations. Find out which of the DCIPS products remained operational and stable throughout our tests.
The Security Effectiveness of a device is determined by factoring the results of evasions testing and stability and reliability testing into the exploit block rate. Our latest DCIPS Group Test reveals how the tested DCIPS products fared.
If your data center security product fails to protect your crown jewels, this can lead to catastrophic consequences for your organization. In addition, providing the optimal combination of security effectiveness and performance is critical for real-world data center deployments. Just because a product is the least expensive doesn't mean it provides the best value or meets your needs. NSS Labs can help you determine which DCIPS products are right for you.
Still have questions? Ask us! Any time we conduct a test, there is more information than we can possibly include in our test reports. NSS Research Analysts help clients from the world's most demanding organizations get the answers they need.
3 out of 3 products achieved a score between 99.0% and 99.2%.
TCO per Protected Mbps ranged from US$3.78 to US$6.68.
Attackers continue to leverage old vulnerabilities using variants of known exploits. That is why the latest DCIPS Group Test introduced resiliency testing. A system's resiliency can be defined as its ability to protect against multiple variants of an exploit, not just the known exploit variant.
By testing resilience, NSS Labs enables you to know which DCIPS products will continue to protect you after the spotlight has moved on.
NSS research has found that the key threats detected in US enterprise data centers include HTML injection, SQL injection, cross site scripting (XSS), OS command injection, and more. DCIPS products are designed to provide inline protection against threats, anti-evasion capabilities, and full resilience to attack variants. Find out which products were effective against the key threats impacting enterprise data center deployments.
Providing results for a product's protection against exploits without fully factoring in evasions can be highly misleading in terms of understanding a product's security efficacy. That is why NSS Labs' Security Effectiveness score includes evasion techniques. The more classes of evasion that are missed (such as IP packet fragmentation, RPC fragmentation, URL obfuscation, FTP/Telnet evasion, and attacks on nonstandard ports), and the more exploit variants that get through (resiliency), the lower a product's security efficacy. In the latest DCIPS Group Test, products were tested against 99 evasions to evaluate how well they were able to detect and block them.
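The mechanics behind two of the evasion classes listed above and earlier on this page (TCP segmentation, a close cousin of IP fragmentation, and URL obfuscation) are easiest to see in code. The following is an added example, not NSS Labs' test harness or any vendor's engine: a matcher that inspects each packet's raw bytes is placed beside one that reassembles the stream, decodes the HTTP request line, and canonicalizes the path before matching. The signature, the sample requests and the "constructed" segments are all assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed signature: a request that reads /etc/passwd. A real engine
# carries thousands of these; one is enough to show the evasions.
SIGNATURE = "/etc/passwd"


def naive_match(segments):
    """Per-packet raw substring match: no reassembly, no normalization.
    This is the matcher the evasions below slip past."""
    needle = SIGNATURE.encode()
    return any(needle in seg for seg in segments)


def reassemble(segments):
    """Rebuild the TCP stream. The constructed segments arrive in order and
    do not overlap; a real engine must also resolve out-of-order and
    overlapping segments, which is a further evasion class."""
    return b"".join(segments)


def request_path(stream):
    """Extract the path from the HTTP request line (assumes a well-formed
    request line; the query string is dropped)."""
    line = stream.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) < 2:
        return ""
    return parts[1].split("?", 1)[0]


def normalize_path(raw, max_decode=3):
    """Canonicalize the way the target server will before it opens the file:
    bounded repeated percent-decoding (defeats double encoding), backslash
    treated as a separator (Windows targets), '//' and '/./' collapsed,
    '..' resolved. The bound keeps a hostile request from costing unbounded
    CPU on the inline device."""
    s = raw
    for _ in range(max_decode):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\\", "/")
    out = []
    for seg in s.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()  # '..' above the root is clamped, as a filesystem does
            continue
        out.append(seg)
    return "/" + "/".join(out)


def normalized_match(segments):
    """Reassemble, decode the protocol, canonicalize, then match."""
    path = normalize_path(request_path(reassemble(segments)))
    return SIGNATURE in path


# Constructed traffic: one plain attack, five evasions of it, one benign request.
SAMPLES = {
    "plain":           [b"GET /etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"],
    "percent-encoded": [b"GET /%65tc/pass%77d HTTP/1.1\r\nHost: x\r\n\r\n"],
    "double-encoded":  [b"GET /%252fetc%252fpasswd HTTP/1.1\r\nHost: x\r\n\r\n"],
    "dot-segments":    [b"GET /var/www/../../etc/./passwd HTTP/1.1\r\nHost: x\r\n\r\n"],
    "backslash":       [b"GET /var/www/..%5c..%5cetc%5cpasswd HTTP/1.1\r\nHost: x\r\n\r\n"],
    "tcp-segmented":   [b"GET /etc/pa", b"sswd HTTP/1.1\r\nHost: x\r\n\r\n"],
    "benign":          [b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"],
}


def evaluate():
    """Return {sample name: (naive verdict, reassembled+normalized verdict)}."""
    return {name: (naive_match(segs), normalized_match(segs))
            for name, segs in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, good) in evaluate().items():
        print(f"{name:16} naive={naive!s:5} reassembled+normalized={good}")
```

Every evasion sample is blocked only by the second matcher, and the benign request is blocked by neither. The point a practitioner should take from it is that normalization has to mirror what the protected server will do: an engine that decodes more or fewer times than the target, or treats backslashes differently, is evadable in one direction and prone to false positives in the other.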
Data center network traffic varies significantly between business applications, multimedia, and mission-critical corporate applications. NSS-tested throughput for DCIPS products took into consideration transactional, multimedia, and corporate traffic for both IPv4 and IPv6.
DCIPS inspection engines must be capable of performing optimally under stress and at maximum real-world traffic capacity. Critical latency parameters were measured for DCIPS products for both IPv4 and IPv6 traffic.
DCIPS devices are required to remain operational and stable under different traffic loads. The DCIPS Group Test determined the behavior of the state engine under load. Once a device runs low on resources, it must balance the risk of denying legitimate traffic against the risk of allowing malicious traffic. A DCIPS device will drop new connections when resources (such as state table memory) are low, or when traffic loads exceed its capacity; what it does with the connections it can no longer track (drop them, or pass them uninspected) is the security-relevant part of that behavior.
NSS research has determined that the majority of enterprises tune their DCIPS products. Even though attacks against desktop client applications are mainstream, servers will always be the primary targets in data center deployments, so tuning is critical. Therefore, all DCIPS products in this test were tuned as a typical customer deployment would be, keeping in mind security effectiveness and performance.
NSS Labs uses a unique formula, Total Cost of Ownership (TCO) per Protected Mbps, to enable value-based comparisons of DCIPS products in the market. TCO per Protected Mbps is calculated using three-year TCO, security effectiveness, and NSS-tested throughput.
Different vendors take different approaches to adding coverage once a vulnerability is disclosed. Attempts to provide rapid coverage for vulnerabilities that are not fully understood can result in multiple exploit-specific signatures that may be inaccurate, ineffective, or prone to false positives. Vendors that have the resources to fully research a vulnerability should be able to produce vulnerability-oriented signatures that provide coverage for all exploits written to take advantage of that flaw. This approach provides more effective coverage with fewer false positives.
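The difference between the two approaches above, and the resiliency testing introduced earlier on this page, can be made concrete. What follows is an added example, not NSS Labs' methodology and not any vendor's signature set. Everything in it is constructed: a toy line-based protocol whose hypothetical server copies the USER field into a 64-byte buffer without a length check, one "public PoC" exploit with a NOP sled, and two attacker variants of it. The buffer size, the regular expressions and the payload bytes are assumptions made for the illustration.

```python
import re

# Constructed vulnerability: the hypothetical server copies the USER field
# into a fixed 64-byte buffer. Any exploit for it must send a longer field.
BUFFER_SIZE = 64
USER_LINE = re.compile(rb"\AUSER (.*)\r\n\Z", re.S)

# Exploit-specific signature, written from the PoC's most visible feature
# (its NOP sled) before the flaw itself was understood. It encodes nothing
# about why the server is vulnerable.
EXPLOIT_SIG = re.compile(rb"USER \x90{16,}")


def exploit_specific(packet):
    """Pattern-match the known exploit's shape."""
    return EXPLOIT_SIG.search(packet) is not None


def vulnerability_oriented(packet):
    """Decode the protocol, then test the condition that triggers the flaw:
    a USER field longer than the buffer that receives it. Every exploit for
    this bug must satisfy it, whatever payload or padding it carries."""
    m = USER_LINE.match(packet)
    if m is None:
        return False
    return len(m.group(1)) > BUFFER_SIZE


# Constructed traffic: (is_malicious, packet). The first two are legitimate,
# the last three all overflow the buffer, but only the PoC carries the sled.
SAMPLES = {
    "benign":       (False, b"USER alice\r\n"),
    "benign-max":   (False, b"USER " + b"a" * BUFFER_SIZE + b"\r\n"),
    "poc":          (True,  b"USER " + b"\x90" * 32 + b"\xcc" * 40 + b"\r\n"),
    "variant-pad":  (True,  b"USER " + b"A" * 68 + b"\xef\xbe\xad\xde" + b"\r\n"),
    "variant-sled": (True,  b"USER " + b"\x41\x49" * 16 + b"\xcc" * 40 + b"\r\n"),
}


def score(detector):
    """Resiliency as the text defines it: the fraction of exploit variants
    blocked. False positives on the legitimate samples are counted too."""
    caught = total = false_positives = 0
    for malicious, packet in SAMPLES.values():
        verdict = detector(packet)
        if malicious:
            total += 1
            caught += int(verdict)
        elif verdict:
            false_positives += 1
    return {"resiliency": caught / total, "false_positives": false_positives}


if __name__ == "__main__":
    for name, detector in (("exploit-specific", exploit_specific),
                           ("vulnerability-oriented", vulnerability_oriented)):
        print(f"{name:24} {score(detector)}")
```

The exploit-specific signature blocks one of the three variants; the vulnerability-oriented check blocks all three and still passes the legitimate 64-byte field at the boundary. The caveat is that the second approach depends on the engine decoding the protocol correctly (the same reassembly and normalization work that evasion resistance requires), which is why vendors with the resources to research the flaw are in a better position to write it.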
Vendors may retire older signatures in an attempt to alleviate product performance limitations; however, this may result in inconsistent coverage for older vulnerabilities and varying levels of protection across products, which is exactly the gap that variants of old exploits are written to find.
Individual Test Reports
Test Reports provide detailed analysis for each product tested. Data from these reports is used in the NSS Labs Comparative Reports.
Test Reports enable enterprise security teams to understand the impact of features and limitations across different products. These reports are used to shortlist products for further evaluation and proof-of-concept testing.