Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:46 PM
Dark Reading
Dark Reading
Products and Releases

Are Next-Generation Firewalls Ready For The Enterprise?

NSS Labs released results and analysis from its 2012 Group Test for Next Generation Firewall

AUSTIN, TX--(Oct 18, 2012) - NSS Labs today released the final results and analysis from its 2012 Group Test for Next Generation Firewall (NGFW), which evaluated products from 8 leading NGFW vendors. This was the first group test conducted by NSS Labs for NGFW and results show that many products in the market need to mature in order to be ready for effective enterprise deployments.

View the NSS Labs 2012 NGFW Security Value Map&trade, Comparative Analysis and Product Analysis Reports.

NGFW Market Must Mature to Fully Meet Large Enterprise Requirements

While the changing threat landscape and ever-growing use of Web 2.0 technologies increasingly challenge traditional firewalls to evolve, NSS Labs concludes that current NGFW features, such as more granular application controls, frequently come with trade-offs. Testing reveals that most of the available NGFW solutions fall short in performance and security effectiveness when compared to combining traditional dedicated legacy firewalls and intrusion prevention systems (IPS).

Few NGFWs are ready for "prime time": Only 50% of the NFGWs tested scored over 90% in security effectiveness vs. 75% of major IPS vendors in the dedicated IPS group.

Convenient configurations mean less protection: NSS Labs research shows that IPS features in NGFWs are seldom tuned and the devices are often deployed using vendors' default or recommended policy settings, creating significant gaps in coverage between NGFWs and dedicated firewall and IPS devices.

Vendor claims are often exaggerated: Of the 8 products tested, 5 performed well below vendors' throughput claims. Maximum connection rates were lower than preferred in all products tested -- revealing a major concern; NGFWs must improve performance before they are ready for large enterprise deployments.

Commentary: Francisco Artes, Research Director

"Vendors turned in a good first showing, however there is significant room for NGFW technologies as a whole to improve before they are widely deployed in large enterprises," said Francisco Artes, Research Director at NSS Labs. "It's natural for enterprises to consider NGFW technology as their existing firewall and IPS defenses near replacement or renewal. However, until vendors improve overall stability, leakage, performance and security effectiveness, customers will be better served taking an incremental approach to introducing NGFW products to their networks."

The 2012 NGFW Security Value Map&trade, Comparative Analysis Reports&trade, and Product Analysis Reports&trade for each vendor are currently available to NSS Labs' subscribers at www.nsslabs.com.

The products covered in the 2012 NGFW Group Test are:

Barracuda NG Firewall F900

CheckPoint 12600

Fortinet FortiGate 3140B

Juniper SRX 3600

Palo Alto PA-5020

SonicWALL SuperMassive E10800

Sourcefire 3D8250

Stonesoft StoneGate FW-1301

NSS Labs did not receive any compensation in return for vendor participation; All testing and research was conducted free of charge.

About NSS Labs, Inc.

NSS Labs, Inc. is the world's leading information security research and advisory company. We deliver a unique mix of test-based research and expert analysis to provide our clients with the information they need to make good security decisions. CIOs, CISOs, and information security professionals from many of the largest and most demanding enterprises rely on NSS Labs' insight, every day. Founded in 1991, the company is located in Austin, Texas. For more information, visit www.nsslabs.com.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-06
Primary Source Verification in VerityStream MSOW Solutions before 3.1.1 allows an anonymous internet user to discover Social Security Number (SSN) values via a brute-force attack on a (sometimes hidden) search field, because the last four SSN digits are part of the supported combination of search se...
PUBLISHED: 2021-05-06
Persistent Cross-site scripting vulnerability on Fork CMS version 5.8.2 allows remote attackers to inject arbitrary Javascript code via the "navigation_title" parameter and the "title" parameter in /private/en/pages/add.
PUBLISHED: 2021-05-06
Cross-site request forgery (CSRF) in Fork-CMS before 5.8.2 allow remote attackers to hijack the authentication of logged administrators.
PUBLISHED: 2021-05-06
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the...
PUBLISHED: 2021-05-06
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gai...