Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:00 AM
Dark Reading
Dark Reading
Products and Releases

NSS Labs Tests Show Next Generation Firewall Security Effectiveness

Products Become More Cost Competitive as NGFW and UTM markets converge

AUSTIN, Texas – September 23, 2014 - NSS Labs today released its latest Next Generation Firewall Security Value Map™ (SVM) and Comparative Analysis Report™ (CAR) series, which evaluated 12 of the leading NGFW products on the market for security effectiveness, performance, and total cost of ownership (TCO).  Our enterprise research indicates that enterprise adoption of NGFW remains strong.   NGFW deployment scenarios are varied, requiring detailed data on which to base investment decisions. This is the third group test for NGFW conducted by NSS and is the first to test fully integrated NGFW offerings from Cisco since its acquisition of Sourcefire in 2013.
Learn More:
NSS Next Generation Firewall Security Value Map and Comparative Analysis Reports
NSS’s research yielded several key conclusions:
·         Eight of Twelve NGFWs Tested Received NSS Labs Coveted “Recommended” Status: In the latest tests, 8 products scored over 95% for security effectiveness. The overall range of scores for security effectiveness improved in 2014 to a range of 60.1% - 99.2% compared to 34.2% - 98.5% in 2013. Four products had lower security effectiveness scores in 2014.
·         Evasions Continue to be a Challenge for the Industry:  Missing a low level evasion, such as TCP stream segmentation or IP packet fragmentation, can result in security devices failing to detect and block an entire class of exploits. This results in significantly lower security effectiveness.  Two products experienced significant reversals in their security effectiveness scores this year: one product was 36.3% less effective than last year due to missed evasions, while another increased effectiveness by 63.6% after rectifying evasion weaknesses identified in last year’s test. Ten out of twelve products demonstrated complete evasion detection.  
·         NGFWs Become More Cost Competitive: The average Total Cost of Ownership / Protected Mbps figure fell by half in 2014 to $21.80 – down from an average of $46.28 per protected Mbps in 2013. Half of the products tested in 2014 had a TCO below $20 per protected Mbps with an overall range of $6 - $64, down from a range of $18 - $106 in the 2013 test. This price movement is an early indicator that NGFW and UTM markets are converging. Vendors wishing to address the enterprise market will be forced to differentiate through premium features.
·         Most Vendor Performance Claims Hold Up in Testing: Over half of the products outperformed their vendor-stated throughput rates during testing this year. Three vendors had products that achieved throughput rates over 25% higher than their stated rates, while two vendors performed at throughput rates 50% or more below those claimed by the vendor.
Commentary:  NSS Labs CEO Vikram Phatak
“Evasions continue to be a challenge for the industry. To date, every single NGFW group test has resulted in at least one vendor missing one or more critical evasions,” said Vikram Phatak, CEO of NSS Labs. “If someone uses an evasion to circumvent a security product, you will never know until you are compromised. This is why ongoing independent testing is so important to cyber resiliency.”
Commentary: NSS Labs VP of Research, Mike Spanbauer
“One of the most notable changes we’ve seen this year has been a significant decrease in the overall total cost of ownership.  With security effectiveness rates remaining fairly consistent among most vendors, this is an early indicator that NGFW and UTM markets are merging.  Expect to see vendors differentiate through premium features such as centralized management, enhanced forensics, and integration with other security devices on the network,” said Mike Spanbauer, VP of Research at NSS Labs.
The NSS Labs NGFW Security Value Map™, Comparative Analysis Reports™, and Product Analysis Reports™ for each vendor are currently available to NSS Labs’ subscribers at www.nsslabs.com.
The products covered in the 2014 NGFW Group Test are:
·         Barracuda F800b
·         Check Point 13500
·         Cisco ASA 5525-X
·         Cisco ASA 5585-X SSP60
·         Cisco FirePOWER 8350
·         Cyberoam CR2500iNG-XP
·         Dell SonicWALL SuperMassive E10800
·         Fortinet FortiGate 1500D
·         Fortinet FortiGate 3600C
·         McAfee NGF-1402
·         Palo Alto Networks PA-3020
·         WatchGuard XTM1525
About NSS Labs, Inc.
NSS Labs, Inc. is the world's leading information security research and advisory company. We deliver a unique mix of test-based research and expert analysis to provide our clients with the information they need to make good security decisions. CIOs, CISOs, and information security professionals from many of the largest and most demanding enterprises rely on NSS Labs’ insight, every day. For more information, visit www.nsslabs.com.


Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
TPM-Fail: What It Means & What to Do About It
Ari Singer, CTO at TrustPhi,  11/19/2019
Ransomware Surge & Living-Off-the-Land Tactics Remain Big Threats
Jai Vijayan, Contributing Writer,  11/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-22
In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.
PUBLISHED: 2019-11-22
PowerDNS Authoritative daemon , all versions pdns 4.1.x before pdns 4.1.10, exiting when encountering a serial between 2^31 and 2^32-1 while trying to notify a slave leads to DoS.
PUBLISHED: 2019-11-22
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.
PUBLISHED: 2019-11-22
cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to a cross-site-scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature. A stored cross-site scripting due to improper sanitization of user input in Name field.
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.