Why DCSG is Important
Enterprises demand a lot of their data center, which makes performance and availability concerns paramount. Network security technology is a critical component of a data center architecture, providing connectivity and in some cases traffic inspection or special handling in order to better protect critical assets located within the data center. Data center network security (DCNS) is a term used to describe devices that provide network security for the data center. The two main devices in this category are the data center firewall (DCFW) and the data center intrusion prevention system (DCIPS). A third type of device combines the capabilities of the DCFW and DCIPS and is referred to as a data center security gateway (DCSG).
DCSGs converge DCFW and DCIPS capabilities. The DCSG must be capable of performing access control and deep packet inspection in order to protect server applications from remote attacks. Unlike its NGFW cousin, which protects users from the Internet, the DCSG protects data center servers and the applications that run on them (e.g., web servers, mail servers, DNS servers, application servers) from the Internet. DCSG devices are implemented as layer three (routing) devices and are configured to drop traffic (fail closed) rather than pass it uninspected when resources are exhausted. DCSG devices are designed to route traffic and provide threat protection, anti-evasion, and full resilience against attack variants. In addition to security capabilities, when considering a DCSG device, performance, throughput, and latency metrics become critical since the volume of traffic will be significantly higher than it would be for a device intended to protect end users at the corporate network perimeter.
Data centers host the crown jewels of an enterprise, e.g., customer data, intellectual property, and mission-critical applications. Therefore, security effectiveness is critical to organizations evaluating these devices. A DCSG's intrusion prevention component should be capable of correctly blocking malicious traffic by comparing packet and session contents against signatures, filters, and protocol decoders. Enterprise servers and applications protected by a DCSG host a myriad of content, such as streaming audio and video, retail and B2B e-commerce, mission-critical business applications, and the routing infrastructure that runs the Internet. In addition to ensuring security effectiveness and resiliency against attacks and evasions, providing high throughput, low latency, and high availability is critical in a DCSG device. For the enterprise's data center security gateway deployment and strategy, it is important to understand whether data center security technologies are deployed at the perimeter or in the interior (zero-trust model). It is also important to understand whether enterprise data centers are zoned for breach containment, whether they are passively monitored, and whether there is data center redundancy for high availability.
NSS research has found that there are many factors involved in understanding the performance of data center security products, each of which can be critical in evaluating their value. To ascertain which performance factors are most salient to enterprises, participants were asked to rate the importance of five data center security technology performance factors for their organizations on a 0–10 scale, with 0 indicating not important at all and 10 indicating critically important. Unsurprisingly, all performance factors were rated highly important; however, latency and throughput received the highest median scores (9.0).
Data center technologies are changing rapidly in response to the adoption of social media, streaming video, teleconferencing, and other bandwidth-intensive applications. Many factors must be taken into account in order to understand the performance of a DCSG product, and each of them can be critical in evaluating its value.
When evaluating performance, the following should be taken into consideration: HTTP capacity (application average response time and HTTP persistent connections), single application flows, UDP throughput, and latency. A DCSG must also remain resilient to attack while operating at or near its maximum traffic capacity. Find out which DCSG devices maintained effective protection while subjected to sustained high TCP throughput together with attack traffic over an extended period.
To account for the significant variances in data center network traffic between industries and enterprises, NSS considered three traffic profiles in this test: transactional, multimedia, and corporate. The average throughput across these three profiles gives a single figure for comparing products; the profile closest to your own traffic mix is the one to weight most heavily. Other important performance metrics for a DCSG inspection engine in a real-world deployment are TCP connections per second and HTTP connections per second. Rated throughput should be measured with the packet sizes and protocols most likely to be found in typical enterprise deployments, such as email, video, e-commerce, database, and file sharing.
The most serious exploits are those that result in a remote system compromise, giving the attacker the ability to execute arbitrary system-level commands on the target server. Attackers are developing new weaponized techniques to exploit server vulnerabilities at an ever-increasing pace. Which DCSG products are capable of keeping up? With more than 2,000 exploits, NSS Labs' exploit library provides the most comprehensive coverage. Get visibility into which attacks are blocked, and how effective your data center security products are.
Attackers can modify basic attacks to evade detection in a number of ways. If a DCSG device fails to detect a single form of evasion, an attacker can use that evasion to pass any exploit through the device, rendering it ineffective. What's worse, when an attacker successfully uses an evasion to bypass defenses, there is no trace of the attack: no logs, no alerts. Reporting exploit protection without fully factoring in evasion can therefore be misleading. The more classes of evasion that are missed (such as IP packet fragmentation, RPC fragmentation, URL obfuscation, FTP/Telnet evasion, resiliency, and attacks on nonstandard ports), the less effective the device. Find out which products were the most resistant to evasions in our latest DCSG Group Test.
The Security Effectiveness of a device is determined by factoring the results of evasions testing and stability and reliability testing into the exploit block rate. Our latest DCSG Group Test reveals how the tested products fared.
Long term stability is particularly important for a DCSG device, where failure can produce network outages and disrupt business operations. Find out which of the DCSG products remained operational and stable throughout our tests.
Your expenses don’t end when you purchase a product. Enterprises should include the total cost of ownership (TCO) as part of their evaluations, focusing on the acquisition costs for DCSG devices, expenses incurred for annual maintenance, support, and signature updates, and labor costs for installation, maintenance, and upkeep. Which products have the lowest TCO over a multi-year period?
A DCSG product that fails to protect your crown jewels can lead to catastrophic consequences for your organization. Providing the optimal combination of security effectiveness and performance is therefore critical for real-world data center deployments. Just because a product is the least expensive doesn't mean it provides the best value or meets your needs. NSS Labs can help you determine which DCSG products are right for you.
Still have questions? Ask us! Any time we conduct a test, there is more information than we can possibly include in our test reports. NSS Research Analysts help clients from the world's most demanding organizations get the answers they need.
Key results: 3 out of 4 products achieved a score between 99.0% and 99.2%. TCO per Protected Mbps ranged from US$4 to US$10.
Data center network traffic varies significantly between business applications, multimedia, and mission-critical corporate applications. NSS-tested throughput for DCSG products took into consideration transactional, multimedia, and corporate traffic for both IPv4 and IPv6.
DCSG inspection engines must be capable of performing optimally under stress and at maximum real-world traffic capacity. Critical latency parameters were measured for DCSG products for both IPv4 and IPv6 traffic.
Attackers continue to leverage old vulnerabilities using variants of known exploits. That is why the latest DCSG Group Test introduced resiliency testing. A system's resiliency can be defined as its ability to protect against multiple variants of an exploit, not just the known exploit variant.
By testing resilience, NSS Labs enables you to know which DCSG products will continue to protect you after the spotlight has moved on.
NSS research has found that the key threats detected in US enterprise data centers include HTML injection, SQL injection, cross site scripting (XSS), OS command injection, and more. DCSG products are designed to provide inline protection against threats, anti-evasion capabilities, and full resilience to attack variants. Find out which products were effective against the key threats impacting enterprise data center deployments.
Providing results for a product's protection against exploits without fully factoring in evasions can be highly misleading in terms of understanding a product's security efficacy. That is why NSS Labs' Security Effectiveness score includes evasion techniques. The more classes of evasion that are missed (such as IP packet fragmentation, RPC fragmentation, URL obfuscation, FTP/Telnet evasion, resiliency, and attacks on nonstandard ports), the lower a product's security efficacy. In the latest DCSG Group Test, products were tested against 99 evasions to evaluate how well they were able to detect and block them.
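The URL-obfuscation evasion class named above, as an added example (this code is not from the original page, NSS Labs, or any tested vendor): a hypothetical directory-traversal signature is applied first to the raw request line, the way a non-evasion-aware engine would apply it, and then to a canonicalized form. The request lines are constructed for the example. The normalization steps are the minimum an anti-evasion layer needs for this class: bounded repeated percent-decoding (so double and triple encoding are undone without looping forever on crafted input), backslash-to-slash, and collapsing self-referencing segments and repeated slashes.

```python
import re
from urllib.parse import unquote

# Hypothetical signature for this example: a directory-traversal attempt that
# reaches /etc/passwd. Real engines carry thousands of such patterns.
TRAVERSAL_SIGNATURE = re.compile(r"\.\./.*etc/passwd")

# Constructed sample request lines (not taken from the original page).
SAMPLE_REQUESTS = {
    "plain":                 "GET /cgi-bin/../../etc/passwd HTTP/1.1",
    "percent":               "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "upper_hex":             "GET /cgi-bin/%2E%2E/%2E%2E/etc/passwd HTTP/1.1",
    "double_percent":        "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1",
    "encoded_slash":         "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1",
    "backslash":             "GET /cgi-bin/..\\..\\etc\\passwd HTTP/1.1",
    "encoded_with_self_ref": "GET /cgi-bin/%2e%2e/./%2e%2e/etc/passwd HTTP/1.1",
    "benign":                "GET /docs/changelog.txt HTTP/1.1",
    "benign_encoded":        "GET /search?q=%2e%2e%2fnot-a-file HTTP/1.1",
}


def request_path(request_line: str) -> str:
    """Return the request-target (second field) of an HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]


def normalize_path(path: str, max_decode_rounds: int = 3) -> str:
    """Canonicalize a request path before signature matching.

    Traversal tokens ("..") are deliberately left in place: the inspection
    layer wants to expose the attacker's intent, not resolve the path the way
    the server would.
    """
    p = path
    # Bounded repeated percent-decoding defeats double/triple encoding while
    # guaranteeing termination on adversarial input.
    for _ in range(max_decode_rounds):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    p = p.replace("\\", "/")          # treat backslash as a separator
    while "/./" in p:                 # collapse self-referencing segments
        p = p.replace("/./", "/")
    p = re.sub(r"/{2,}", "/", p)      # collapse repeated slashes
    return p


def naive_detect(request_line: str) -> bool:
    """Signature applied to the raw request-target, no normalization."""
    return bool(TRAVERSAL_SIGNATURE.search(request_path(request_line)))


def normalized_detect(request_line: str) -> bool:
    """Signature applied after canonicalization."""
    return bool(TRAVERSAL_SIGNATURE.search(normalize_path(request_path(request_line))))


def evaluate(requests=SAMPLE_REQUESTS):
    """Return {name: (naive_hit, normalized_hit)} for every sample request."""
    return {name: (naive_detect(r), normalized_detect(r)) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (naive, norm) in evaluate().items():
        print(f"{name:24} raw-match={naive!s:5} normalized-match={norm}")
```

Every obfuscated variant slips past the raw-byte match and is caught after normalization, while the two benign requests stay clean in both columns; that one-sided gap is exactly why an evasion miss leaves no log and no alert. Note that the decode loop is bounded on purpose: an engine that decodes until a fixed point can be driven into unbounded work by a long chain of nested encodings.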
DCSG devices are required to remain operational and stable under different traffic loads. The DCSG Group Test determined the behavior of the state engine under load. All devices must balance the risk between denying legitimate traffic and allowing malicious traffic once they run low on resources. A DCSG device will drop new connections when resources (such as state table memory) are low, or when traffic loads exceed its capacity.
NSS Labs uses a unique formula, Total Cost of Ownership (TCO) per Protected Mbps, to enable value-based comparisons of DCSG products in the market. TCO per Protected Mbps is calculated using three-year TCO, security effectiveness, and NSS-tested throughput.
NSS research has determined that the majority of enterprises tune their DCSG products. Even though attacks against desktop client applications are mainstream, servers will always be the primary targets in data center deployments, so tuning is critical. Therefore, all DCSG products in this test were optimally tuned similar to a typical customer deployment, keeping in mind security effectiveness and performance.
Different vendors take different approaches to adding coverage once a vulnerability is disclosed. Attempts to provide rapid coverage for vulnerabilities that are not fully understood can result in multiple exploit-specific signatures that may be inaccurate, ineffective, or prone to false positives. Vendors that have the resources to fully research a vulnerability should be able to produce vulnerability-oriented signatures that provide coverage for all exploits written to take advantage of that flaw. This approach provides more effective coverage with fewer false positives.
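As an added example illustrating both the resiliency definition above (protection against variants of an exploit, not just the public one) and the exploit-specific versus vulnerability-oriented signature distinction (this is not code from the original page or any vendor): a hypothetical fixed-length-buffer flaw in a toy "USER <name>" command, one exploit-specific signature that fingerprints the public exploit's NOP sled and shellcode string, and one vulnerability-oriented check that decodes the command and tests the condition that actually triggers the bug. The payloads, the 64-byte bound, and the stand-in shellcode bytes are all constructed for the example.

```python
import re

# Hypothetical vulnerability (an assumption for this example): the server
# copies the argument of "USER <name>\r\n" into a fixed 64-byte buffer with no
# bound check, so any argument longer than 64 bytes overwrites adjacent memory.
MAX_USERNAME_LEN = 64

# Exploit-specific signature: fingerprints the one public exploit by the
# artifacts it happens to use, a NOP sled followed by a "/bin/sh" string.
EXPLOIT_SIGNATURE = re.compile(rb"\x90{8,}.*?/bin/sh", re.DOTALL)

# Vulnerability-oriented decoder: isolate the USER argument regardless of what
# it contains.
USER_COMMAND = re.compile(rb"USER (.*?)\r\n", re.DOTALL)

NOP_SLED = b"\x90" * 16
# Constructed stand-in for the public exploit's payload, not real shellcode.
PUBLIC_SHELLCODE = b"\xcc" * 8 + b"/bin/sh\x00"

# Constructed traffic samples: the public exploit, two variants an attacker can
# produce in minutes, and benign traffic that shares surface features.
SAMPLES = {
    "public_exploit":  b"USER " + b"A" * 100 + NOP_SLED + PUBLIC_SHELLCODE + b"\r\n",
    # Same bug, but the sled is 'inc eax' (0x41) bytes instead of NOPs.
    "variant_sled":    b"USER " + b"A" * 100 + b"\x41" * 16 + PUBLIC_SHELLCODE + b"\r\n",
    # Same bug, NOP sled kept but the shellcode is XOR-encoded with a 1-byte key.
    "variant_encoded": b"USER " + b"B" * 100 + NOP_SLED
                       + bytes(x ^ 0x5A for x in PUBLIC_SHELLCODE) + b"\r\n",
    "benign_short":    b"USER alice\r\n",
    "benign_max":      b"USER " + b"x" * MAX_USERNAME_LEN + b"\r\n",
    # A different command carrying binary content that merely looks like the exploit.
    "benign_binary":   b"DATA " + NOP_SLED + b"#!/bin/sh\n" + b"\r\n",
}


def exploit_specific_match(payload: bytes) -> bool:
    """Does the payload contain the public exploit's fingerprint?"""
    return bool(EXPLOIT_SIGNATURE.search(payload))


def vulnerability_oriented_match(payload: bytes) -> bool:
    """Does the payload satisfy the condition that triggers the flaw?"""
    m = USER_COMMAND.match(payload)
    if not m:
        return False
    return len(m.group(1)) > MAX_USERNAME_LEN


def evaluate(samples=SAMPLES):
    """Return {name: (exploit_specific_hit, vulnerability_oriented_hit)}."""
    return {
        name: (exploit_specific_match(p), vulnerability_oriented_match(p))
        for name, p in samples.items()
    }


def block_rates(results=None):
    """Fraction of the attack samples (public exploit plus variants) each
    approach blocks; this is the resiliency measure in miniature."""
    results = results if results is not None else evaluate()
    attacks = [n for n in results if n.startswith(("public_", "variant_"))]
    es = sum(results[n][0] for n in attacks) / len(attacks)
    vo = sum(results[n][1] for n in attacks) / len(attacks)
    return es, vo


if __name__ == "__main__":
    for name, (es, vo) in evaluate().items():
        print(f"{name:16} exploit-specific={es!s:5} vulnerability-oriented={vo}")
    print("block rates (exploit-specific, vulnerability-oriented):", block_rates())
```

The exploit-specific signature blocks only the public exploit, misses both trivial variants, and fires on the benign binary upload, which is the "inaccurate, ineffective, or prone to false positives" outcome described above. The vulnerability-oriented check blocks all three attack samples and none of the benign ones because it tests the flaw's trigger condition rather than one exploit's incidental bytes; it also keeps working when the shellcode is re-encoded, which is what resiliency testing measures.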
Vendors may retire older signatures in attempts to alleviate product performance limitations; however, this may result in inconsistent coverage for older vulnerabilities and varying levels of protection across products.
Individual Test Reports
Test Reports provide detailed analysis for each product tested. Data from these reports is used in the NSS Labs Comparative Reports.
Test Reports enable enterprise security teams to understand the impact of features and limitations across different products. These reports are used to shortlist products for further evaluation and proof-of-concept testing.