Data Center Security Gateway (DCSG)


Why DCSG is Important

Enterprises demand a lot of their data center, which makes performance and availability concerns paramount. Network security technology is a critical component of a data center architecture, providing connectivity and in some cases traffic inspection or special handling in order to better protect critical assets located within the data center. Data center network security (DCNS) is a term used to describe devices that provide network security for the data center. The two main devices in this category are the data center firewall (DCFW) and the data center intrusion prevention system (DCIPS). A third type of device combines the capabilities of the DCFW and DCIPS and is referred to as a data center security gateway (DCSG).

DCSGs converge DCFW and DCIPS capabilities. The DCSG must be capable of performing access control and deep packet inspection in order to protect server applications from remote attacks. Unlike its NGFW cousin which protects users from the Internet, the DCSG protects data center servers and the applications that run on them (i.e., web servers, mail servers, DNS servers, application servers etc.) from the Internet. DCSG devices are implemented as layer three (routing) devices and are configured to drop traffic (fail closed) when resources are exhausted. DCSG devices are designed to route traffic and provide threat protection, anti-evasion, and full resilience against attack variants. In addition to security capabilities, when considering a DCSG device, performance, throughput, and latency metrics become critical since the volume of traffic will be significantly higher than it would for a device that is intended to protect end users within the corporate network perimeter.

Data centers host the crown jewels of an enterprise, e.g., customer data, intellectual property, and mission-critical applications. Therefore, security effectiveness is critical to organizations evaluating these devices. A DCSG's intrusion prevention security component should be capable of correctly blocking malicious traffic through comparison of packet/session contents against signatures/filters/protocol decoders. Enterprise servers and applications being protected by a DCSG device host a myriad of content such as streaming audio and video, retail and b2b e-commerce, mission-critical business applications, and the routing infrastructure that runs the Internet. In addition to ensuring security effectiveness and resiliency against attacks and evasions, providing high throughput, low latency, and high availability are critical in a DCSG device. For the enterprise's data center security gateway deployment and strategy, it is important to understand whether data center security technologies are deployed at the perimeter or in the interior (zero-trust model). It is also important to understand if enterprise data centers are zoned for breach containment, if they are passively monitored, and if there is data center redundancy for high availability.

NSS Research Security Insight Study in 2018 found that latency and throughput are the most important factors to consider in understanding the performance of a data center security product.

NSS research has found that there are many factors involved in understanding the performance of data center security products, each of which can be critical in evaluating their value. To ascertain which performance factors are most salient to enterprises, participants were asked to rate the importance of five data center security technology performance factors for their organizations on a 0–10 scale, with 0 indicating not important at all and 10 indicating critically important. Unsurprisingly, all performance factors were rated highly important; however, latency and throughput received the highest median scores (9.0).

What We Tested & Why

Performance and Latency - NSS Labs

Data center technologies are changing rapidly in response to the adoption of social media, streaming video, teleconferencing, and other bandwidth-intensive technologies. Many factors must be taken into account in order to understand the performance of a DCSG product, and each of these factors can be critical in evaluating its value.

When evaluating performance, the following should be taken into consideration: HTTP capacity for application average response time and for HTTP persistent connections, single application flows, UDP throughput, and latency. DCSGs must be resilient to attacks when they are operating at near maximum traffic capacity. Find out which DCSG devices were able to maintain effective protection when they were subjected to high TCP traffic throughput and sustained attacks over a period of time.

Throughput - NSS Labs

To account for significant variances in data center network traffic between industries and enterprises, NSS considered three traffic profiles in this test: transactional, multimedia, and corporate. The average throughput measurement across these three profiles reveals which DCSG product is best for your data center. Other important metrics to review when understanding the security effectiveness of a DCSG inspection engine in a real-world deployment are TCP connections per second and HTTP connections per second. Rated throughput should focus on packet sizes and protocols that are more likely to be found in typical enterprise deployments, such as email, video, ecommerce, database, and file sharing.

Exploit Block Rate - NSS Labs

The most serious exploits are those that result in a remote system compromise, providing the attacker with the ability to execute arbitrary system-level commands on the target server. Attackers are developing new weaponized techniques to exploit server vulnerabilities at an ever-increasing pace. Which DCSG products are capable of keeping up? With more than 2000 exploits, NSS Labs' exploit library provides the most comprehensive coverage. Get visibility into which attacks are blocked, and how effective your data center security products are.

Evasions - NSS Labs

Attackers can modify basic attacks to evade detection in a number of ways. If a DCSG device fails to detect a single form of evasion, any exploit can pass through the device, rendering it ineffective. What’s worse, when an attacker successfully uses an evasion to bypass defenses, there is no trace of the attack. There are no logs; there are no alerts. Providing exploit protection without fully factoring in evasion can be misleading. The more classes of evasion that are missed (such as IP packet fragmentation, RPC fragmentation, URL obfuscation, FTP/Telnet Evasion, resiliency, and attacks on nonstandard ports), the less effective the device. Find out which products were the most resistant to evasions in our latest DCSG Group Test.

Security Effectiveness - NSS Labs

The Security Effectiveness of a device is determined by factoring the results of evasions testing and stability and reliability testing into the exploit block rate. Our latest DCSG Group Test reveals how the tested products fared.

Stability and Reliability - NSS Labs

Long term stability is particularly important for a DCSG device, where failure can produce network outages and disrupt business operations. Find out which of the DCSG products remained operational and stable throughout our tests.

Total Cost of Ownership - NSS Labs

Your expenses don’t end when you purchase a product. Enterprises should include the total cost of ownership (TCO) as part of their evaluations, focusing on the acquisition costs for DCSG devices, expenses incurred for annual maintenance, support, and signature updates, and labor costs for installation, maintenance, and upkeep. Which products have the lowest TCO over a multi-year period?

Value To You - NSS Labs

If your DCSG product fails to protect your crown jewels, the consequences for your organization can be catastrophic. Furthermore, providing the optimal combination of security effectiveness and performance is critical for real-world data center deployments. Just because a product is the least expensive doesn't mean it provides the best value or meets your needs. NSS Labs can help you determine which DCSG products are right for you.

Is Your Enterprise Looking for Insights in addition to the DCSG Test Reports?

Still have questions? Ask us! Any time we conduct a test, there is more information than we can possibly include in our test reports. NSS Research Analysts help clients from the world's most demanding organizations get the answers they need.

Who We Tested

  • FortiGate 3200D v5.4.10 GA Build 7811
  • FortiGate 6300F v5.4.10 GA Build 4283
  • Juniper Networks SRX4200 v15.1X49-D140.2 (1)
  • Palo Alto Networks PA-5250 PAN-OS 8.1.2

1. Juniper Networks report available upon request

What are the Key Takeaways from 2018 DCSG Group Test?

  • 3 out of 4 products achieved a Recommended rating
  • Overall Security Effectiveness between 99.0% and 99.2%
  • TCO per Protected Mbps ranged from US$4 to US$10

Performance VS Security - NSS Labs

Data center network traffic varies significantly between business applications, multimedia, and mission-critical corporate applications. NSS-tested throughput for DCSG products took into consideration transactional, multimedia, and corporate traffic for both IPv4 and IPv6:

  • The transactional traffic profile is intended to represent a data center with traffic that is more transactional in nature, such as B2B (business-to-business) or B2C (business-to-consumer) e-commerce. The rated throughput emphasizes smaller packet sizes and connections per second.
  • The multimedia traffic profile is intended to represent a data center whose purpose is to serve media content. The rated throughput emphasizes larger packet sizes, maximum concurrent sessions, and streaming protocols.
  • The corporate traffic profile may be best described as the data center footprint of a typical enterprise, where mission-critical applications such as email and ERP (enterprise resource planning software) are kept. The rated throughput emphasizes various packet sizes and protocols that are more likely to be found in those situations, such as email, database, and file sharing.

Latency - NSS Labs

DCSG inspection engines must be capable of performing optimally under stress and at maximum real-world traffic capacity. The following critical latency parameters were taken into consideration for DCSG products for both IPv4 and IPv6 traffic:

  • Excessive concurrent TCP connections - Latency within the device is causing an unacceptable increase in open connections.
  • Excessive concurrent HTTP connections - Latency within the device is causing excessive delays and increased response time.
  • Unsuccessful HTTP transactions - Normally, there should be zero unsuccessful transactions. Once these appear, it is an indication that excessive latency within the device is causing connections to time out.

Exploit Block Rate - NSS Labs

Attackers continue to leverage old vulnerabilities using variants of known exploits. That is why the latest DCSG Group Test introduced resiliency testing. A system's resiliency can be defined as its ability to protect against multiple variants of an exploit, not just the known exploit variant.

By testing resilience, NSS Labs enables you to know which DCSG products will continue to protect you after the spotlight has moved on.

Threat Protection - NSS Labs

NSS research has found that the key threats detected in US enterprise data centers include HTML injection, SQL injection, cross-site scripting (XSS), OS command injection, and more. DCSG products are designed to provide inline protection against threats, anti-evasion capabilities, and full resilience to attack variants. Find out which products were effective against the key threats impacting enterprise data center deployments.

99 Evasion Techniques - NSS Labs

Providing results for a product's protection against exploits without fully factoring in evasions can be highly misleading in terms of understanding a product's security efficacy. That is why NSS Labs' Security Effectiveness score includes evasion techniques. The more classes of evasion that are missed (such as IP packet fragmentation, RPC fragmentation, URL obfuscation, FTP/Telnet evasion, resiliency, and attacks on nonstandard ports), the lower a product's security efficacy. In the latest DCSG Group Test, products were tested against 99 evasions to evaluate how well they were able to detect and block them.

Operational Efficiency - NSS Labs

DCSG devices are required to remain operational and stable under different traffic loads. The DCSG Group Test determined the behavior of the state engine under load. All devices must balance the risk between denying legitimate traffic and allowing malicious traffic once they run low on resources. A DCSG device will drop new connections when resources (such as state table memory) are low, or when traffic loads exceed its capacity.

TCO Protected MBPS - NSS Labs

NSS Labs uses a unique formula, Total Cost of Ownership (TCO) per Protected Mbps, to enable value-based comparisons of DCSG products in the market. TCO per Protected Mbps is calculated using three-year TCO, security effectiveness, and NSS-tested throughput.

Product Tuning - NSS Labs

NSS research has determined that the majority of enterprises tune their DCSG products. Even though attacks against desktop client applications are mainstream, servers will always be the primary targets in data center deployments, so tuning is critical. Therefore, all DCSG products in this test were tuned in a manner similar to a typical customer deployment, keeping in mind both security effectiveness and performance.

Contrary to popular belief, the biggest risks are not always driven by the latest "Patch Tuesday" disclosures. NSS' threat research reveals that many older attacks are still in circulation and therefore remain relevant. Review NSS Labs test results before making key decisions.

Exploit Block Rate - NSS Labs

Different vendors take different approaches to adding coverage once a vulnerability is disclosed. Attempts to provide rapid coverage for vulnerabilities that are not fully understood can result in multiple exploit-specific signatures that may be inaccurate, ineffective, or prone to false positives. Vendors that have the resources to fully research a vulnerability should be able to produce vulnerability-oriented signatures that provide coverage for all exploits written to take advantage of that flaw. This approach provides more effective coverage with fewer false positives.

Vendors may retire older signatures in attempts to alleviate product performance limitations; however, this may result in inconsistent coverage for older vulnerabilities and varying levels of protection across products.

What You Get
DCSG Product Test Reports

Security Comparative Report

The Security Comparative Report provides high-level analysis of the security effectiveness of different DCSG products in the market. The report provides comparisons of blocking capabilities, stability and reliability, and resistance to common evasion techniques.

Using this report, enterprise security teams can compare security effectiveness and resistance to evasion techniques across different DCSG products.

Performance Comparative Report

The Performance Comparative Report provides analysis of various performance metrics for tested DCSG products. The report contains comparisons of maximum capacity, HTTP connections per second and capacity, and UDP throughput and latency, all while using real-world traffic mixes.

Using the Performance Comparative Report, enterprise networking teams can compare performance across DCSG products and select those that will support their volume and type of network traffic.

Total Cost of Ownership (TCO) Comparative Report

The TCO Comparative Report provides a comparison of the costs associated with product purchase, installation, maintenance, and support, as well as threat-associated costs.

Using the TCO Comparative Report, the enterprise C-Suite and management can understand the true TCO of a product over a three-year period, incorporating product purchase cost, product operational cost, and the overall capability score of a product.

Security Value Map™ (SVM) Comparative Report

Empirical data from individual Test Reports and Comparative Reports is used to create NSS Labs' unique Security Value Map (SVM). The SVM illustrates the relative value of security investments by mapping the Security Effectiveness and the Total Cost of Ownership (TCO) per Mbps of tested product configurations.

The SVM Comparative Report provides an aggregated view of the detailed findings from the NSS Labs group tests. Using this report, enterprise security decision makers can see the relative value of security investments.

Individual Test Reports

Test Reports provide detailed analysis for each product tested. Data from these reports is used in the NSS Labs Comparative Reports.

Test Reports enable enterprise security teams to understand the impact of features and limitations across different products. These reports are used to shortlist products for further evaluation and proof-of-concept testing.