Deciding what products can improve an organization's network security is a complex process. You must weigh a number of factors as part of the purchase decision, one of the most crucial of which is the impact of the product on network performance. However, given the current state of security product testing, it is virtually impossible to perform an accurate "apples-to-apples" product comparison. Proprietary testing methods conducted under uniquely optimized conditions create a chaotic scenario in which everyone plays by their own rules and customers are left struggling to sort it all out. NetSecOPEN is working to solve this problem by developing an open, industry-standard testing framework.
Wild, Wild West
Other industries have established standards, with which all companies must comply, and for good reason. When different companies use the same terms and claim to use the same metrics but define the terms and calculate the metrics entirely differently, it creates chaos for customers.
For example, years ago there was no standard for determining miles per gallon for vehicles. Automobile manufacturers had their own proprietary definitions and methods for calculating miles per gallon. Two vehicles that both got 25 mpg according to the manufacturer might have wildly different mileage results in the real world. The National Highway Traffic Safety Administration and the Environment Protection Agency stepped in and established standardized definitions and requirements for fuel economy, enabling consumers to use miles-per-gallon ratings to evaluate automobile performance with confidence.
There are many other industries that could benefit from standardized methodologies. Laptop manufacturers cite battery life as a key feature of their devices, but the battery life results customers experience rarely — if ever — live up to the claims. Vendors test battery life in very specific conditions with highly customized configurations. The result is that there is no accurate way to compare battery life claims from one vendor to the next.
Cybersecurity is critical for organizations, and it generally represents a very significant investment. It is not feasible for a company to implement and test a wide variety of solutions to determine which works best. Even when an organization is able to narrow down the options and conduct pilot tests in the organization's own environment, vendors can, and often do, place strict limits and constraints on how the pilot test is configured and managed
I previously worked in the technology testing field and have firsthand experience with some of the challenges of traditional testing methodologies. Vendors frequently impose specific test requirements that highlight the performance aspects on which they want to focus — which more or less invalidates the purpose of testing in the first place. Ultimately, such an approach threatens the integrity of testing in general.
Standardizing Network Security Product Testing
There are currently no up-to-date, relevant open test standards for network security performance testing. In the last decade, networks have evolved from 80% unencrypted HTTP — in many enterprises, over 80% of the perimeter traffic is now encrypted with HTTPS and modern secure cipher suites. In other words, network traffic has evolved, changing significantly over the last 10 years, but testing standards and methodologies have not been updated or adapted to account for these changes.
One result of these rapid changes and the absence of universal test standards is that to determine the performance of their network security solutions, testing groups have developed proprietary methods. We have reached a critical point, however, where we need to close the gap between proprietary test performance metrics and observed real-world performance. Otherwise, the tests themselves may become meaningless.
What is needed is greater transparency and standardization of testing methodology, with real-world factors integrated into the testing scenarios. Leading cybersecurity tool vendors and testing labs recognize these requirements, which is why momentum is building for developing and implementing standardized testing methodologies.
Role of NetSecOPEN
NetSecOPEN, a nonprofit, membership-driven organization, was formed in 2017 with the goal of developing open standards for testing network security products. Founding members include leading security vendors, test equipment vendors, and testing laboratories, including Check Point, Cisco, Fortinet, Palo Alto Networks, SonicWall, Sophos, and WatchGuard; test solution and services vendors Spirent and Ixia/Keysight; and testing labs European Advanced Networking Test Center (EANTC), and the University of New Hampshire InterOperability Lab (UNH-IOL).
The organization exists to overcome the current situation — competing and confusing testing methodologies — and establish a new way of designing tests that are open, transparent, and created collaboratively. NetSecOPEN's testing methodology was developed in consultation with the current membership and will continue to evolve as new members join and as a new generation of security products come to market.
The effort to standardize is backed by significant collaboration and momentum. The intent is not to compete with or replace today's testing labs. In fact, the industry's premier testing labs support the effort and are collaborating to improve and standardize network security performance testing. Testing organizations and vendors alike recognize that apples-to-apples performance tests that realistically portray the impact of a network security product on network performance are essential, and they are cooperating to make that happen.