FAQ

General & Certification

 

1. What is the history of NSS Labs?

The NSS Group was founded in 1991 as Europe’s first independent network and security testing facility, servicing the needs of corporate entities, product vendors and professional publications. By 1999 NSS had shifted focus entirely to the security space, and had established a leading brand and exemplary reputation for thorough, accurate and fair-minded testing. Since these pioneering days, NSS has remained the leading independent authority on several comprehensive methodologies, including Intrusion Detection and Prevention Systems, Unified Threat Management, Firewalls, and most recently Web Application Firewalls. In 2007, the company became NSS Labs, expanded its testing facilities and moved operations to the United States in order to better serve its customers.

2. How independent is NSS?

NSS is totally independent. NSS does not sell security products, nor is it owned by a parent company that sells security products. We do not compete with product vendors or consultants.

3. What is the difference between NSS Labs certifications and those of other organizations?

NSS Certifications are based on meaningful standards and best practices criteria. Our staff are experienced network implementers who apply their decades of experience from Fortune 500 implementations to testing criteria and methodologies that matter. We back up our certification with detailed test results containing both quantitative and qualitative metrics. NSS Certifications contain comprehensive reports that highlight product performance under various test conditions. We do not simply state that a product is “certified” and we do not simply “verify claims” made by vendors, which may or may not be relevant to end-user organizations in real-world scenarios.

4. How do vendors provide feedback to NSS Labs?

Vendor feedback is solicited, and we encourage vendors to tell us how they feel we can improve, both technically and as a service business. However, NSS Labs does not develop standards in a consortium model. Experience has shown that the consortium model is dissatisfying for most vendor participants, resulting in lowest-common-denominator testing criteria. It tends to be more of an academic approach that may be suitable for stable technologies but does not produce acceptable criteria for testing technologies in emerging markets. Our approach is one of professional consultation, which we believe produces the most applicable tests for both stable and emerging technologies. Thus, NSS operates several Advisory Groups, which serve to provide feedback on technology requirements, in-field experiences, and product capabilities.


5. What certifications do you offer?

NSS Labs offers both “standard” and PCI Certifications for Firewall, IDS, IPS, UTM, WAF (both network and host-based), Wireless Security (WIPS), AV (both network and host-based), HIPS, Log Management, and other products. If you have a product that you would like certified that we do not currently test, ask us! We are constantly developing and extending our certification criteria to cover the growing spectrum of security products.

6. What is the difference between tested, approved and gold awards?

NSS 'Tested' products were evaluated extensively in our labs but did not satisfy all of the required criteria for Approved or Gold. 'Approved' means the product met NSS standards and we are awarding it accordingly. 'Gold' is awarded to products that have not only met the criteria but have exceeded our expectations in meaningful ways that demonstrate not only a solid product but vendor leadership in addressing the emerging challenges in that security discipline.

7. How long are certifications good for?

They are good for the version of the product that is tested. Vendors must re-certify the product when new, major revisions are released. On average, this is every 12 to 18 months, depending on the technology.

8. If a vendor fails a test, what happens?

The purpose of certification is to demonstrate that products meet certain standards. If they do not at the time of test, our goal is to assist the vendor in improving the product in order to achieve certification. The purpose of an NSS pre-test is to quickly identify potential gaps in an efficient manner. NSS works collaboratively with vendors during the pre-test to evaluate product readiness for certification. If non-trivial issues are encountered, the vendor has the option to postpone the certification. They then have the option to contract for further custom analysis of the problems. Once the outstanding issues are resolved, the product may be resubmitted for certification. The product test would be scheduled according to available lab time, and additional fees can apply.

9. What is a private analysis?

It is an in-depth “flexing” of the product’s engines to determine its “breaking points” or maximum capabilities. Based upon a Private Analysis, the NSS team can tell you how they believe your product will fare in either the NSS (traditional) or the NSS-PCI tests. It will also provide you with real metrics by which you can determine how your product will fare in different customer environments so that you don’t have any unpleasant surprises, as well as help you determine where to concentrate future development efforts based upon your target market and competitive feature sets.

10. What is the difference between criteria and a methodology?

NSS Labs Test Criteria outlines the components of the system to be tested, and represents requirements for the product’s features and capabilities.

Example: Stateful Inspection – System is required to track protocol-specific state and should be resilient against attacks on state management functions such as DoS and session tampering.

NSS Labs Test Methodology is a detailed list of specific requirements expected of the product to be tested.

Example: 1.4.3 – TCP State Management Capacity – TCP state management tables will be measured by opening the maximum concurrent TCP connections. Each connection will be associated with one unique IP address source to a single target destination.

11. Can we test one product and receive certification for the entire family?

As a matter of both integrity and assurance, we cannot certify what we have not tested. Even though a family of products may utilize the same code base, there are typically differences pertaining to the underlying hardware. For example, a lower-end product may use an integrated network interface and driver, while the higher-end units utilize specialized NICs with different performance characteristics.

12. What marketing programs are available?

In addition to logo usage rights, we offer additional services, such as speaking engagements for webinars and internal and external events, and will assist with whitepapers and case studies. Please contact us with your needs and we’ll be happy to work with you.

13. When is payment for the test due?

In order to guarantee lab availability as well as the integrity of certification, payment is due in full 30 days prior to the start of testing.

 
 
Copyright ©2008 by NSS Labs All Rights Reserved. Privacy Policy