NSS Labs Tests Show Next Generation Firewall Security Effectiveness

Products Become More Cost Competitive as NGFW and UTM markets converge

September 23, 2014



AUSTIN, Texas – September 23, 2014 – NSS Labs today released its latest Next Generation Firewall Security Value Map™ (SVM) and Comparative Analysis Report™ (CAR) series, which evaluated 12 of the leading NGFW products on the market for security effectiveness, performance, and total cost of ownership (TCO). Our enterprise research indicates that enterprise adoption of NGFW remains strong. NGFW deployment scenarios are varied, requiring detailed data on which to base investment decisions. This is the third group test for NGFW conducted by NSS and is the first to test fully integrated NGFW offerings from Cisco since its acquisition of Sourcefire in 2013.
Learn More:
NSS Next Generation Firewall Security Value Map and Comparative Analysis Reports
NSS’s research yielded several key conclusions:
· Eight of Twelve NGFWs Tested Received NSS Labs Coveted “Recommended” Status: In the latest tests, 8 products scored over 95% for security effectiveness. The overall range of scores for security effectiveness improved in 2014 to a range of 60.1% - 99.2% compared to 34.2% - 98.5% in 2013. Four products had lower security effectiveness scores in 2014.
· Evasions Continue to be a Challenge for the Industry: Missing a low level evasion, such as TCP stream segmentation or IP packet fragmentation, can result in security devices failing to detect and block an entire class of exploits. This results in significantly lower security effectiveness. Two products experienced significant reversals in their security effectiveness scores this year: one product was 36.3% less effective than last year due to missed evasions, while another increased effectiveness by 63.6% after rectifying evasion weaknesses identified in last year’s test. Ten out of twelve products demonstrated complete evasion detection.
· NGFWs Become More Cost Competitive: The average Total Cost of Ownership / Protected Mbps figure fell by half in 2014 to $21.80 – down from an average of $46.28 per protected Mbps in 2013. Half of the products tested in 2014 had a TCO below $20 per protected Mbps with an overall range of $6 - $64, down from a range of $18 - $106 in the 2013 test. This price movement is an early indicator that NGFW and UTM markets are converging. Vendors wishing to address the enterprise market will be forced to differentiate through premium features.
· Most Vendor Performance Claims Hold Up in Testing: Over half of the products outperformed their vendor-stated throughput rates during testing this year. Three vendors had products that achieved throughput rates over 25% higher than their stated rates, while two vendors performed at throughput rates 50% or more below those claimed by the vendor.
Commentary: NSS Labs CEO Vikram Phatak
“Evasions continue to be a challenge for the industry. To date, every single NGFW group test has resulted in at least one vendor missing one or more critical evasions,” said Vikram Phatak, CEO of NSS Labs. “If someone uses an evasion to circumvent a security product, you will never know until you are compromised. This is why ongoing independent testing is so important to cyber resiliency.”
Commentary: NSS Labs VP of Research, Mike Spanbauer
“One of the most notable changes we’ve seen this year has been a significant decrease in the overall total cost of ownership. With security effectiveness rates remaining fairly consistent among most vendors, this is an early indicator that NGFW and UTM markets are merging. Expect to see vendors differentiate through premium features such as centralized management, enhanced forensics, and integration with other security devices on the network,” said Mike Spanbauer, VP of Research at NSS Labs.
The NSS Labs NGFW Security Value Map™, Comparative Analysis Reports™, and Product Analysis Reports™ for each vendor are currently available to NSS Labs’ subscribers at www.nsslabs.com.
The products covered in the 2014 NGFW Group Test are:
· Barracuda F800b
· Check Point 13500
· Cisco ASA 5525-X
· Cisco ASA 5585-X SSP60
· Cisco FirePOWER 8350
· Cyberoam CR2500iNG-XP
· Dell SonicWALL SuperMassive E10800
· Fortinet FortiGate 1500D
· Fortinet FortiGate 3600C
· McAfee NGF-1402
· Palo Alto Networks PA-3020
· WatchGuard XTM1525
About NSS Labs, Inc.
NSS Labs, Inc. is the world's leading information security research and advisory company. We deliver a unique mix of test-based research and expert analysis to provide our clients with the information they need to make good security decisions. CIOs, CISOs, and information security professionals from many of the largest and most demanding enterprises rely on NSS Labs’ insight, every day. For more information, visit www.nsslabs.com.

