Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/19/2012
02:46 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Are Next-Generation Firewalls Ready For The Enterprise?

NSS Labs released results and analysis from its 2012 Group Test for Next Generation Firewall

AUSTIN, TX--(Oct 18, 2012) - NSS Labs today released the final results and analysis from its 2012 Group Test for Next Generation Firewall (NGFW), which evaluated products from 8 leading NGFW vendors. This was the first group test conducted by NSS Labs for NGFW and results show that many products in the market need to mature in order to be ready for effective enterprise deployments.

View the NSS Labs 2012 NGFW Security Value Map&trade, Comparative Analysis and Product Analysis Reports.

NGFW Market Must Mature to Fully Meet Large Enterprise Requirements

While the changing threat landscape and ever-growing use of Web 2.0 technologies increasingly challenge traditional firewalls to evolve, NSS Labs concludes that current NGFW features, such as more granular application controls, frequently come with trade-offs. Testing reveals that most of the available NGFW solutions fall short in performance and security effectiveness when compared to combining traditional dedicated legacy firewalls and intrusion prevention systems (IPS).

Few NGFWs are ready for "prime time": Only 50% of the NFGWs tested scored over 90% in security effectiveness vs. 75% of major IPS vendors in the dedicated IPS group.

Convenient configurations mean less protection: NSS Labs research shows that IPS features in NGFWs are seldom tuned and the devices are often deployed using vendors' default or recommended policy settings, creating significant gaps in coverage between NGFWs and dedicated firewall and IPS devices.

Vendor claims are often exaggerated: Of the 8 products tested, 5 performed well below vendors' throughput claims. Maximum connection rates were lower than preferred in all products tested -- revealing a major concern; NGFWs must improve performance before they are ready for large enterprise deployments.

Commentary: Francisco Artes, Research Director

"Vendors turned in a good first showing, however there is significant room for NGFW technologies as a whole to improve before they are widely deployed in large enterprises," said Francisco Artes, Research Director at NSS Labs. "It's natural for enterprises to consider NGFW technology as their existing firewall and IPS defenses near replacement or renewal. However, until vendors improve overall stability, leakage, performance and security effectiveness, customers will be better served taking an incremental approach to introducing NGFW products to their networks."

The 2012 NGFW Security Value Map&trade, Comparative Analysis Reports&trade, and Product Analysis Reports&trade for each vendor are currently available to NSS Labs' subscribers at www.nsslabs.com.

The products covered in the 2012 NGFW Group Test are:

Barracuda NG Firewall F900

CheckPoint 12600

Fortinet FortiGate 3140B

Juniper SRX 3600

Palo Alto PA-5020

SonicWALL SuperMassive E10800

Sourcefire 3D8250

Stonesoft StoneGate FW-1301

NSS Labs did not receive any compensation in return for vendor participation; All testing and research was conducted free of charge.

About NSS Labs, Inc.

NSS Labs, Inc. is the world's leading information security research and advisory company. We deliver a unique mix of test-based research and expert analysis to provide our clients with the information they need to make good security decisions. CIOs, CISOs, and information security professionals from many of the largest and most demanding enterprises rely on NSS Labs' insight, every day. Founded in 1991, the company is located in Austin, Texas. For more information, visit www.nsslabs.com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4682
PUBLISHED: 2021-01-28
IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization of trusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 186509.
CVE-2020-4888
PUBLISHED: 2021-01-28
IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker co...
CVE-2020-13569
PUBLISHED: 2021-01-28
A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can...
CVE-2021-20620
PUBLISHED: 2021-01-28
Cross-site scripting vulnerability in Aterm WF800HP firmware Ver1.0.9 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.
CVE-2021-20621
PUBLISHED: 2021-01-28
Cross-site request forgery (CSRF) vulnerability in Aterm WG2600HP firmware Ver1.0.2 and earlier, and Aterm WG2600HP2 firmware Ver1.0.2 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.