NSS Labs ranks next-gen firewalls, with some surprises

Researchers used individual test reports and comparison data to determine the value of investments in next-generation firewall technology.

New testing of next-generation firewalls found that products from seven vendors effectively protected enterprises from malicious traffic for a reasonable total cost of ownership -- under $10 per Mbps of network traffic.

NSS Labs released its annual evaluation of next-gen firewalls on Tuesday, offering seven of 10 product recommendations for security effectiveness and total cost of ownership (TCO) based on comparative testing of hardware and software that prevents unauthorized access to networks.

"Our data shows that north of 80% of enterprises deploy next-gen firewalls," said Jason Brvenik, CTO at NSS Labs, who noted that the market is mature and many of these vendors' technologies are in refresh cycles.

The research analysts reviewed next-gen firewalls from 10 vendors for the comparative group test, including:

  • Barracuda Networks CloudGen Firewall F800.CCE v7.2.0;
  • Check Point 15600 Next Generation Threat Prevention Appliance vR80.20;
  • Cisco Firepower 4120 Security Appliance v6.2.2;
  • Forcepoint NGFW 2105 Appliance v6.3.3 build 19153 (Update Package: 1056);
  • Fortinet FortiGate 500E V5.6.3GA build 7858;
  • Palo Alto Networks PA-5220 PAN-OS 8.1.1;
  • SonicWall NSa 2650 SonicOS Enhanced;
  • Sophos XG Firewall 750 SFO v17 MR7;
  • Versa Networks FlexVNF 16.1R1-S6; and
  • WatchGuard M670 v12.0.1.B562953.

The independent testing involved some cooperation from participating vendors and in some cases help from consultants who verified that the next-gen firewall technology was configured properly using default settings for physical and virtual test environments. NSS Labs did not evaluate systems from Huawei or Juniper Networks because it could not "verify the products," which researchers claimed was necessary to measure their effectiveness.

Despite the maturity of the NGFW market, the vast majority of enterprises don't customize default configurations, according to Brvenik. Network security teams disable core protections that are noisy to avoid false positives and create access control policies, but otherwise they trust the vendors' default recommendations.

The expanding functionality in next-gen firewalls underscores the complexity of protecting enterprise networks against modern threats. In addition to detecting and blocking malicious traffic through the use of dynamic packet filtering and user-defined security policies, next-gen firewalls integrate intrusion prevention systems (IPS), application and user awareness controls, threat intelligence to block malware, SSL and SSH inspection and, in some cases, support for cloud services.

Some products offer a single management console to enable network security teams to monitor firewall deployments and policies, including VPN and IPS, across environments. An assessment of manageability was not part of NSS Labs' evaluation, however. NSS Labs focused on the firewall technology itself.

Worth the investment?

Researchers used individual test reports and comparison data to assess security effectiveness, which ranged from 25.0% to 99.7%, and total cost of ownership per protected Mbps, which ranged from U.S. $2 to U.S. $57, to determine the value of investments. The testing resulted in overall ratings of "recommended" for seven next-gen firewalls, two "caution" limited value ratings (Check Point and Sophos) and one "security recommended" but higher than average cost (Cisco).

The security effectiveness assessment was based on the product's ability to enforce security policies and block attacks while passing nonmalicious traffic over a testing period that lasted several hours. Researchers factored in exploit block rates, evasion techniques, stability and reliability, and performance under different traffic conditions. The total cost of ownership per protected Mbps was calculated using a three-year TCO based on capital expenditure for the products divided by security effectiveness times network throughput.

Six of the next-gen firewalls scored 90.3% or higher for security effectiveness, and most products cost less than $10 per protected Mbps of network throughput, according to the report. While the majority of the next-gen firewalls received favorable assessments, four failed to detect one or more common evasion techniques, which could cause a product to completely miss a class of attacks.

Lack of resilience

NSS Labs added a new test in 2018 for resiliency against modified exploits and, according to the report, none of the devices exhibited resilience against all attack variants.

"The most surprising thing that we saw in this test was that ... our research and our testing showed that a fair number of firewalls did not demonstrate resilience against changes in attacks that are already known," Brvenik said.

Enterprises deploy next-gen firewalls to protect their networks from the internet, he added, and as part of that they expect that employees who browse the internet should not have to worry about new threats. Technology innovation related to cloud integration and real-time updates is promising, but key enterprise problems remain unsolved such as the ability to defend against attacks delivered in JavaScript.

"I think one of the greatest opportunities in the market is to handle that traffic," said Brvenik, who noted that some next-gen firewalls performed adequately in terms of toolkit-based protections, but NSS Labs didn't observe any of them "wholly mitigating JavaScript."

TCO in 2018 is trending lower than previous years. While there are a number of very affordable next-gen firewalls on the market, vendors that can't validate the effectiveness of next-gen firewalls with independent testing to show the technology can consistently deliver on top-level protections, should be questioned, according to Brvenik. Affordable products are a great choice only if they achieve what the enterprise is looking for and "live up to the security climate."

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing