Three Products Receive Recommended Rating; one product receives Caution Rating
AUSTIN, Texas – October 31, 2018 – NSS Labs, Inc., a global leader and trusted source for independent, fact-based cybersecurity guidance, today announced the results of its 2018 Data Center Security Gateway (DCSG) Group Test. Four products from two market-leading security vendors were evaluated for security effectiveness, resistance to evasion, stability and reliability, total cost of ownership (TCO), and performance. The DCSG group test is one of two data center network security (DCNS) tests conducted by NSS Labs. This year’s DCSG Group Test includes expanded performance testing covering transactional, multimedia, and corporate real-world data center traffic profiles. Earlier this week, NSS Labs released the second edition of its 2018 Data Center Intrusion Prevention Systems (DCIPS) Group Test.
DCSG devices are considered layer three (OSI model) devices that route traffic, provide protection against threats, anti-evasion capabilities, and full resilience against attacks. They must be capable of performing access control and deep packet inspection in order to protect server applications from remote attacks. Unlike the next generation firewall that protects users from the Internet, a DCSG’s firewall component protects data center servers and the applications that run on them from the Internet. Similar to a DCIPS product, a DCSG’s intrusion prevention security component should be capable of correctly blocking malicious traffic through comparison of packet/session contents against signatures, filters, protocol decoders.
In a 2018 NSS Labs Security Insight Study, 73% of the US enterprises surveyed reported deploying an DCFW to protect their data center, and 56% reported deploying a DCIPS to protect their data center. Additionally, 3.5% reported plans to acquire a DCFW in the next 12 months and 10.6% reported plans to acquire a DCIPS in the same time frame.
Key Takeaways
- Attackers continue to use different vectors to gain unauthorized access and exfiltrate sensitive data and deliver malware.
- DCSG devices are required to remain operational and stable under different traffic loads. The DCSG Group Test determined the behavior of the state engine under load. All devices must balance the risk between denying legitimate traffic or allowing malicious traffic once they run low on resources.
- A DCSG device will drop new connections when resources (such as state table memory) are low, or when traffic loads exceed its capacity. Furthermore, DCSG inspection engines must be capable of performing optimally under stress and at maximum real-world traffic capacity.
- Providing results for a product’s protection against exploits without fully factoring in evasions can be highly misleading in terms of understanding a DCSG product’s security efficacy. The NSS Labs’ Security Effectiveness score includes evasion techniques. The more classes of evasion that are missed (such as IP packet fragmentation, RPC fragmentation, URL obfuscation, FTP/Telnet evasion, resiliency, and attacks on nonstandard ports), the lower a product’s security efficacy. Products were tested against 99 evasions to evaluate how well they were able to detect and block the evasions.
- NSS research has determined that the majority of enterprises tune their DCSG products. Although attacks against desktop client applications are mainstream in typical enterprise perimeter deployments, servers will always be the primary targets in data center deployments, so tuning is critical. All products in this test were optimally tuned similar to a typical customer deployment, keeping in mind security effectiveness and performance.
The 2018 NSS Labs DCSG Group Test included:
- More than 2,300 attacks, which included 99 unique evasion samples
- No products scored well during resiliency testing; the average block rate here was only 79.96%
- More than 600 Tbps of throughput was utilized during testing.
- Throughput of tested products ranged from 10.27 Gbps to 91.3 Gbps depending on the data center profile assessed
“Data centers host high-value information such as customer data, intellectual property, and mission-critical applications,” said Jason Brvenik, Chief Technology Officer at NSS Labs. “When organizations bolster their data center security, threat actors respond by building attacks that are more sophisticated and more targeted and that are capable of bypassing traditional endpoint and network security products. The 2018 DCSG Group Test provides valuable insights to help enterprises make informed decisions regarding which devices are the best fit for their environment.”
The following products were tested:
- Fortinet FortiGate 3200D v5.4.10 GA Build 7811
- Fortinet FortiGate 6300F v5.4.10 GA Build 4283
- Palo Alto Networks PA-5250 PAN-OS 8.1.2
- Juniper Networks SRX4200 v15.1X49-D140.2
Unverified Products:
- Check Point
- Cisco
- Huawei
As with all NSS Labs group tests, there is no fee for participation, and the test methodology is available in the public domain to provide transparency and to help enterprises understand the factors behind test results.