Next Generation Intrusion Prevention System (NGIPS)


Why NGIPS is Important

Next generation intrusion prevention systems (NGIPS) are devices that decode and inspect network packets for exploits. NGIPS allow legitimate traffic to pass while also blocking attacks and resisting evasion techniques. An NGIPS must provide deep inspection of network traffic, closely monitor system activities for malicious attack activities, and provide protection against threats. NGIPS are typically placed behind NGFWs and implemented as inline devices that inspect and block traffic identified as malicious or unwanted.

87.6% of All US Enterprises Surveyed Reported Deploying NGIPS Technology and What Matters Most to Them Is Achieving Effective Threat Protection with Minimal False Positives and Actionable Alerts on Targeted Attacks

False Positives - NSS Labs

Organizations purchasing an NGIPS should seek a device that offers high security effectiveness, a low false positive rate, and actionable alerts. Organizations should start with an NGIPS that best aligns with their organizational requirements and then tune appropriately. Our NGIPS group test results provide you with metrics on performance, security, and value that help you evaluate which NGIPS product is the best fit for your environment.

NSS Labs research found the top challenges experienced by enterprises with NGIPS technology are:

  • False positives
  • Rules are difficult to manage
  • Few actionable alerts

What We Tested & Why

Exploit Block Rate - NSS Labs

Cybersecurity is a never-ending game of cat and mouse. Attackers are developing new techniques to exploit vulnerabilities at an ever increasing pace. Which security products are capable of keeping up? NSS Labs' 24/7 live exploit testing is unique in the world. We provide visibility into which attacks are blocked, how long it takes a vendor to provide protection in their product, and how effective their protection is over time.

Evasions - NSS Labs

Attackers use evasions to bypass security controls. A single evasion can grant an attacker access to your network. What's worse, when an attacker successfully uses an evasion to bypass defenses, there is no trace of the attack. There are no logs; there are no alerts. Which products were the most resistant, and which were the least resistant, to evasions in our latest NGIPS Group Test?

Product Stability - NSS Labs

An unstable device that disrupts traffic unexpectedly can ruin your day. Testing revealed some products had stability issues with certain versions. Find out which ones.

Performance - NSS Labs

Thanks to rapid adoption of social media, streaming video, teleconferencing, and other bandwidth-intensive technologies, network behavior is changing rapidly. Which NGIPS products have adapted and what should you consider when you are designing your next-generation network?

Total Cost of Ownership - NSS Labs

Your expenses don't end when you purchase a product. Installation costs (people), software maintenance, and ongoing policy and log maintenance are some of the expenses you should plan for. Which products have the lowest Total Cost of Ownership over a multi-year period?

Security Effectiveness - NSS Labs

The Security Effectiveness of a device is determined by factoring the results of evasions testing and stability and reliability testing into the exploit block rate. In the NGIPS 4.0 Group Test, the Security Effectiveness of the tested products ranged from 25.0% to 99.8%. Find out how the different products fared.

Value To You - NSS Labs

A security product that fails to protect what's important to you can have catastrophic consequences for your organization. Just because a product is the least expensive doesn't mean it provides the best value or meets your needs. NSS Labs can help you determine which products are right for you.

Is Your Enterprise Looking for Insights in addition to the NGIPS Test Reports?

Still have questions? Ask us! Any time we conduct a test, there is more information than we can possibly include in our test reports. NSS Research Analysts help clients from the world's most demanding organizations get the answers they need.

Who We Tested


What are the Key Takeaways from NGIPS 4.0 Group Test?

  • TCO per Protected Ranged from US$2 to US$199
  • 5 out of 7 Products Achieved a Recommended Rating
  • Overall Security Between 25.0% and 99.8%

Attackers are "going back to the well," exploiting old vulnerabilities using variants of known exploits. That is why the NGIPS 4.0 Group Test introduced resiliency testing. A system's resiliency can be defined as its ability to protect against multiple variants of an exploit, not just the known exploit variant.

By testing resilience, NSS Labs enables you to know which NGIPS products will continue to protect you after the spotlight has moved on.

Evasion Techniques - NSS Labs

Providing results for a product's protection against exploits without fully factoring in evasions can be highly misleading in terms of understanding a product's security efficacy. That is why NSS Labs' Security Effectiveness score includes evasion techniques. The more classes of evasion that are missed (such as HTTP evasions, IP packet fragmentation, TCP stream segmentation, HTML obfuscation and resiliency), the lower a product's security efficacy. In the NGIPS 4.0 Group Test, NGIPS products were tested against 147 evasions to evaluate how well the products were able to detect and block the evasions.

Policy & Setting - NSS Labs

NSS research has determined that the majority of enterprises do not tune their NGIPS products but rather rely on a vendor's default/recommended policies and settings. Therefore, all products in this test were tested using pre-defined vendor-recommended settings that ship with the product.

TCO Protected MBPS - NSS Labs

In NSS Labs testing, a unique formula, Total Cost of Ownership (TCO) per Protected Mbps, is used to enable value-based comparisons of NGIPS products in the market. TCO per Protected Mbps is calculated using three-year TCO, security effectiveness, and NSS-tested throughput.

Older Attacks Are Still in Circulation and Therefore Remain Relevant Threats

Different vendors take different approaches to adding coverage once a vulnerability is disclosed. Attempts to provide rapid coverage for vulnerabilities that are not fully understood can result in multiple exploit-specific signatures that may be inaccurate, ineffective, or prone to false positives. Vendors that have the resources to fully research a vulnerability should be able to produce vulnerability-oriented signatures that provide coverage for all exploits written to take advantage of that flaw. This approach provides more effective coverage with fewer false positives.

Vendors may retire older signatures in attempts to alleviate product performance limitations; however, this may result in inconsistent coverage for older vulnerabilities and varying levels of protection across products.

What You Get
NGIPS Product Test Reports

Security Comparative Report

The Security Comparative Report provides high-level analysis of the security effectiveness of different NGIPS products in the market. The report provides comparisons of blocking capabilities, stability and reliability, and resistance to common evasion techniques.

Using this report, enterprise security teams can compare security effectiveness and resistance to evasion techniques across different NGIPS products.

Performance Comparative Report

The Performance Comparative Report provides analysis of various performance metrics for tested NGIPS products. The report contains comparisons of maximum capacity, HTTP connections per second and capacity, and UDP throughput and latency, all while using real-world traffic mixes.

Using the Performance Comparative Report, enterprise networking teams can compare performance across NGIPS products and select those that will support their volume and type of network traffic.

Total Cost of Ownership (TCO) Comparative Report

The TCO Comparative Report provides a comparison of the costs associated with product purchase, installation, maintenance, and support, as well as threat-associated costs.

Using the TCO Comparative Report, the enterprise C-Suite and management can understand the true TCO of a product over a three-year period, incorporating product purchase cost, product operational cost, and the overall capability score of a product.

Security Value Map™ (SVM) Comparative Report

Empirical data from individual Test Reports and Comparative Reports is used to create NSS Labs' unique Security Value Map (SVM). The SVM illustrates the relative value of security investments by mapping the Security Effectiveness and the Total Cost of Ownership (TCO) per Mbps of tested product configurations.

The SVM Comparative Report provides an aggregated view of the detailed findings from the NSS Labs group tests. Using this report, enterprise security decision makers can see the relative value of security investments.

Individual Test Reports

Test Reports provide detailed analysis for each product tested. Data from these reports is used in the NSS Labs Comparative Reports.

Test Reports enable enterprise security teams to understand the impact of features and limitations across different products. These reports are used to shortlist products for further evaluation and proof-of-concept testing.