Are Next-Generation Firewalls Ready For The Enterprise?

NSS Labs released results and analysis from its 2012 Group Test for Next Generation Firewall

October 20, 2012



AUSTIN, TX--(Oct 18, 2012) - NSS Labs today released the final results and analysis from its 2012 Group Test for Next Generation Firewall (NGFW), which evaluated products from 8 leading NGFW vendors. This was the first group test conducted by NSS Labs for NGFW and results show that many products in the market need to mature in order to be ready for effective enterprise deployments.

View the NSS Labs 2012 NGFW Security Value Map™, Comparative Analysis and Product Analysis Reports.

NGFW Market Must Mature to Fully Meet Large Enterprise Requirements

While the changing threat landscape and ever-growing use of Web 2.0 technologies increasingly challenge traditional firewalls to evolve, NSS Labs concludes that current NGFW features, such as more granular application controls, frequently come with trade-offs. Testing reveals that most of the available NGFW solutions fall short in performance and security effectiveness when compared to combining traditional dedicated legacy firewalls and intrusion prevention systems (IPS).

Few NGFWs are ready for "prime time": Only 50% of the NGFWs tested scored over 90% in security effectiveness vs. 75% of major IPS vendors in the dedicated IPS group.

Convenient configurations mean less protection: NSS Labs research shows that IPS features in NGFWs are seldom tuned and the devices are often deployed using vendors' default or recommended policy settings, creating significant gaps in coverage between NGFWs and dedicated firewall and IPS devices.

Vendor claims are often exaggerated: Of the 8 products tested, 5 performed well below vendors' throughput claims. Maximum connection rates were lower than preferred in all products tested, revealing a major concern: NGFWs must improve performance before they are ready for large enterprise deployments.

Commentary: Francisco Artes, Research Director

"Vendors turned in a good first showing, however there is significant room for NGFW technologies as a whole to improve before they are widely deployed in large enterprises," said Francisco Artes, Research Director at NSS Labs. "It's natural for enterprises to consider NGFW technology as their existing firewall and IPS defenses near replacement or renewal. However, until vendors improve overall stability, leakage, performance and security effectiveness, customers will be better served taking an incremental approach to introducing NGFW products to their networks."

The 2012 NGFW Security Value Map™, Comparative Analysis Reports™, and Product Analysis Reports™ for each vendor are currently available to NSS Labs' subscribers at

The products covered in the 2012 NGFW Group Test are:

Barracuda NG Firewall F900

CheckPoint 12600

Fortinet FortiGate 3140B

Juniper SRX 3600

Palo Alto PA-5020

SonicWALL SuperMassive E10800

Sourcefire 3D8250

Stonesoft StoneGate FW-1301

NSS Labs did not receive any compensation in return for vendor participation; all testing and research was conducted free of charge.

About NSS Labs, Inc.

NSS Labs, Inc. is the world's leading information security research and advisory company. We deliver a unique mix of test-based research and expert analysis to provide our clients with the information they need to make good security decisions. CIOs, CISOs, and information security professionals from many of the largest and most demanding enterprises rely on NSS Labs' insight, every day. Founded in 1991, the company is located in Austin, Texas. For more information, visit
