Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:00 AM
Dark Reading
Dark Reading
Products and Releases

NSS Labs Tests Show Next Generation Firewall Security Effectiveness

Products Become More Cost Competitive as NGFW and UTM markets converge

AUSTIN, Texas – September 23, 2014 - NSS Labs today released its latest Next Generation Firewall Security Value Map™ (SVM) and Comparative Analysis Report™ (CAR) series, which evaluated 12 of the leading NGFW products on the market for security effectiveness, performance, and total cost of ownership (TCO).  Our enterprise research indicates that enterprise adoption of NGFW remains strong.   NGFW deployment scenarios are varied, requiring detailed data on which to base investment decisions. This is the third group test for NGFW conducted by NSS and is the first to test fully integrated NGFW offerings from Cisco since its acquisition of Sourcefire in 2013.
Learn More:
NSS Next Generation Firewall Security Value Map and Comparative Analysis Reports
NSS’s research yielded several key conclusions:
·         Eight of Twelve NGFWs Tested Received NSS Labs Coveted “Recommended” Status: In the latest tests, 8 products scored over 95% for security effectiveness. The overall range of scores for security effectiveness improved in 2014 to a range of 60.1% - 99.2% compared to 34.2% - 98.5% in 2013. Four products had lower security effectiveness scores in 2014.
·         Evasions Continue to be a Challenge for the Industry:  Missing a low level evasion, such as TCP stream segmentation or IP packet fragmentation, can result in security devices failing to detect and block an entire class of exploits. This results in significantly lower security effectiveness.  Two products experienced significant reversals in their security effectiveness scores this year: one product was 36.3% less effective than last year due to missed evasions, while another increased effectiveness by 63.6% after rectifying evasion weaknesses identified in last year’s test. Ten out of twelve products demonstrated complete evasion detection.  
·         NGFWs Become More Cost Competitive: The average Total Cost of Ownership / Protected Mbps figure fell by half in 2014 to $21.80 – down from an average of $46.28 per protected Mbps in 2013. Half of the products tested in 2014 had a TCO below $20 per protected Mbps with an overall range of $6 - $64, down from a range of $18 - $106 in the 2013 test. This price movement is an early indicator that NGFW and UTM markets are converging. Vendors wishing to address the enterprise market will be forced to differentiate through premium features.
·         Most Vendor Performance Claims Hold Up in Testing: Over half of the products outperformed their vendor-stated throughput rates during testing this year. Three vendors had products that achieved throughput rates over 25% higher than their stated rates, while two vendors performed at throughput rates 50% or more below those claimed by the vendor.
Commentary:  NSS Labs CEO Vikram Phatak
“Evasions continue to be a challenge for the industry. To date, every single NGFW group test has resulted in at least one vendor missing one or more critical evasions,” said Vikram Phatak, CEO of NSS Labs. “If someone uses an evasion to circumvent a security product, you will never know until you are compromised. This is why ongoing independent testing is so important to cyber resiliency.”
Commentary: NSS Labs VP of Research, Mike Spanbauer
“One of the most notable changes we’ve seen this year has been a significant decrease in the overall total cost of ownership.  With security effectiveness rates remaining fairly consistent among most vendors, this is an early indicator that NGFW and UTM markets are merging.  Expect to see vendors differentiate through premium features such as centralized management, enhanced forensics, and integration with other security devices on the network,” said Mike Spanbauer, VP of Research at NSS Labs.
The NSS Labs NGFW Security Value Map™, Comparative Analysis Reports™, and Product Analysis Reports™ for each vendor are currently available to NSS Labs’ subscribers at www.nsslabs.com.
The products covered in the 2014 NGFW Group Test are:
·         Barracuda F800b
·         Check Point 13500
·         Cisco ASA 5525-X
·         Cisco ASA 5585-X SSP60
·         Cisco FirePOWER 8350
·         Cyberoam CR2500iNG-XP
·         Dell SonicWALL SuperMassive E10800
·         Fortinet FortiGate 1500D
·         Fortinet FortiGate 3600C
·         McAfee NGF-1402
·         Palo Alto Networks PA-3020
·         WatchGuard XTM1525
About NSS Labs, Inc.
NSS Labs, Inc. is the world's leading information security research and advisory company. We deliver a unique mix of test-based research and expert analysis to provide our clients with the information they need to make good security decisions. CIOs, CISOs, and information security professionals from many of the largest and most demanding enterprises rely on NSS Labs’ insight, every day. For more information, visit www.nsslabs.com.



Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-13
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in th...
PUBLISHED: 2020-07-13
The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the co...
PUBLISHED: 2020-07-13
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
PUBLISHED: 2020-07-13
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
PUBLISHED: 2020-07-13
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version allows unauthenticated remote attackers to start a telnetd service on the device.