NSS Labs tests reveal that not all firewalls deliver the enterprise features, most notably in management capabilities, expected from a mature technology.
AUSTIN, Texas – January 22, 2013 – NSS Labs today released the final results and analysis from its 2013 Group Test for Firewall (FW), which evaluated products from 12 leading Firewall vendors. Although firewalls are one of the most mature and stable security technologies, NSS finds that there is still significant room for vendors to improve firewalls’ management capabilities, which are increasingly critical for enterprise deployments.
Enterprise Management Capabilities Becoming Crucial Factor for Firewall Selection
The firewall market is mature, populated with established vendors and providing limited scope for true innovation. As such, cost and capabilities, especially enterprise management and the ability to integrate firewalls within established and evolving security and network infrastructures, are emerging as drivers for final product selection by customers. The 2013 Firewall Group Test revealed the following key findings:
- Enterprise management emerges as key differentiator: Only 4 of the 12 vendors tested scored 100% for their management capabilities. This is the first Firewall SVM where management scores are weighted into a vendor’s overall score, a change NSS made to reflect enterprises’ growing emphasis on more robust management capabilities when making firewall purchasing decisions.
- Some firewalls continue to fail TCP Split Handshake and SYN Flood Protection tests: While most vendors passed all security tests, two out of twelve products failed the fundamental TCP split handshake test, meaning a remote attacker could bypass these firewalls’ rules and policies by posing as an internal “trusted” connection. One firewall also failed SYN flood protection tests, meaning it could prove susceptible to denial of service (DoS) attacks. With ongoing attacks by groups like LulzSec and Anonymous as well as the growing use of easily downloaded exploit tools, standard attacks such as DoS are seeing a resurgence and it’s critical that all firewalls be able to block these threats.
- Vendor claims continue to be exaggerated: Of the 12 products tested, all performed significantly below the vendors’ throughput claims – 40% below on average. Individual product rates ranged from 15% to 78% below published throughput. Buyers should consider this when evaluating the overall value of a particular firewall.
Commentary: Thomas Skybakmoen, Research Director
“Overall, the 2013 Group Test showed what you’d expect – mature products that were stable and secure – however, enterprise customers need to look beyond actual throughput, and total cost of ownership to thoroughly evaluate enterprise management features when determining the real value of firewalls,” said Thomas Skybakmoen, Research Director at NSS Labs. “Management capabilities are increasingly becoming a key feature around which purchasing decisions are made; if a device cannot be managed and integrated effectively, the security effectiveness of that device is compromised.”
The 2013 Firewall Security Value Map™, Comparative Analysis Reports™, and Product Analysis Reports™ for each vendor are currently available in the library.
The products covered in the 2013 Firewall Group Test are:
- Barracuda F800
- Check Point 12600
- Cyberoam CR2500iNG
- Dell SonicWALL NSA 4500
- Fortinet FortiGate 800c
- Juniper SRX550
- NETASQ ng1000-A
- NETGEAR ProSecure UTM9S
- Palo Alto Networks PA-5020
- Sophos UTM 425
- Stonesoft StoneGate FW-1301
- WatchGuard XTM 1050
NSS Labs did not receive any compensation in return for vendor participation; all testing and research was conducted free of charge.