Are Next-Generation Firewalls Ready For The Enterprise?

NSS Labs released results and analysis from its 2012 Group Test for Next Generation Firewall

AUSTIN, TX--(Oct 18, 2012) - NSS Labs today released the final results and analysis from its 2012 Group Test for Next Generation Firewall (NGFW), which evaluated products from 8 leading NGFW vendors. This was the first NGFW group test conducted by NSS Labs, and the results show that many products in the market still need to mature before they are ready for effective enterprise deployment.

View the NSS Labs 2012 NGFW Security Value Map™, Comparative Analysis and Product Analysis Reports.

NGFW Market Must Mature to Fully Meet Large Enterprise Requirements

While the changing threat landscape and the ever-growing use of Web 2.0 technologies increasingly challenge traditional firewalls to evolve, NSS Labs concludes that current NGFW features, such as more granular application controls, frequently come with trade-offs. Testing reveals that most of the available NGFW solutions fall short in both performance and security effectiveness when compared with the combination of a dedicated legacy firewall and a dedicated intrusion prevention system (IPS).

Few NGFWs are ready for "prime time": Only 50% of the NGFWs tested scored over 90% in security effectiveness, versus 75% of the major IPS vendors in the dedicated IPS group test.

Convenient configurations mean less protection: NSS Labs research shows that the IPS features in NGFWs are seldom tuned, and the devices are often deployed using the vendor's default or recommended policy settings. This creates significant gaps in coverage between NGFWs and dedicated firewall and IPS devices.

Vendor claims are often exaggerated: Of the 8 products tested, 5 performed well below the vendors' throughput claims. Maximum connection rates were lower than preferred in all products tested, which is a major concern: NGFWs must improve performance before they are ready for large enterprise deployments.

Commentary: Francisco Artes, Research Director

"Vendors turned in a good first showing, however there is significant room for NGFW technologies as a whole to improve before they are widely deployed in large enterprises," said Francisco Artes, Research Director at NSS Labs. "It's natural for enterprises to consider NGFW technology as their existing firewall and IPS defenses near replacement or renewal. However, until vendors improve overall stability, leakage, performance and security effectiveness, customers will be better served taking an incremental approach to introducing NGFW products to their networks."

The 2012 NGFW Security Value Map™, Comparative Analysis Reports™, and Product Analysis Reports™ for each vendor are currently available to NSS Labs' subscribers at

The products covered in the 2012 NGFW Group Test are:

Barracuda NG Firewall F900

Check Point 12600

Fortinet FortiGate 3140B

Juniper SRX 3600

Palo Alto PA-5020

SonicWALL SuperMassive E10800

Sourcefire 3D8250

Stonesoft StoneGate FW-1301

NSS Labs did not receive any compensation in return for vendor participation; all testing and research was conducted free of charge.

About NSS Labs, Inc.

NSS Labs, Inc. is the world's leading information security research and advisory company. We deliver a unique mix of test-based research and expert analysis to provide our clients with the information they need to make good security decisions. CIOs, CISOs, and information security professionals from many of the largest and most demanding enterprises rely on NSS Labs' insight, every day. Founded in 1991, the company is located in Austin, Texas. For more information, visit
