7 products receive Recommended Rating; 1 product receives Security Recommended Rating; and 2 products receive Caution rating

AUSTIN, Texas – July 17, 2018 – NSS Labs, a global leader and trusted source for independent, fact-based cybersecurity guidance, today announced the results of its 2018 Next Generation Firewall (NGFW 8.0) Group Test. In this year’s test, 10 products were examined for security effectiveness, performance, and total cost of ownership (TCO).

The NGFW is the first line of defense against today’s threats and is a critical component of any defense-in-depth strategy. The NGFW market is one of the largest and most mature markets in the cybersecurity industry. According to the NSS Labs 2017 Security Architecture Study, 80.5% of US enterprises deploy NGFWs.1 Industry analysts estimate that the NGFW market is estimated to grow from US$2.39 billion in 2017 to US$4.27 billion by 2022 at a compound annual growth rate (CAGR) of 12.3%. 2

Of the products that participated in NSS Labs’ 2018 NGFW Group Test, six out of the 10 products assessed demonstrated resistance to common evasion techniques with the remaining four missing at least one evasion technique. Evasion techniques are commonly used by attackers as a means of disguising and modifying attacks at the point of delivery to avoid detection and blocking by security products. Failure of a security device to correctly identify a specific type of evasion potentially allows an attacker to use an entire class of exploits for which the device is assumed to have protection.

In this eighth iteration of the NGFW test, NSS Labs expanded its evasion testing to include resiliency against modified exploits. The resiliency of a product is defined as its ability to absorb an attack and reorganize around the attack. When an attacker is presented with a vulnerability, the attacker can select one or more paths to trigger the vulnerability using a nearly infinite number of representations of the exploit. A resilient product will be able to detect and prevent against different variations of an attack. Of the products tested, none demonstrated full resilience against tested attack variants. With the expanded use of secure sockets layer (SSL)/transport layer security (TLS) in the traffic traversing the modern network, an NGFW must be able to inspect encrypted content. NSS Labs also expanded test with the inclusion secure sockets layer (SSL)/transport layer security (TLS) testing.

In conjunction with the 2018 NGFW Group Test, NSS Labs conducted an investigation of attacks using JavaScript and attacks using code obfuscation on NGFW products. Code obfuscation is an effective evasion tactic against many NGFWs. None of the products tested properly decoded JavaScript and instead appeared to simply rely on signatures to detect common obfuscation tools. This NSS Labs investigation shows that code obfuscation reduces the average effectiveness of detecting malicious activity by as much as 34% with some products missing as much as 60% of the attacks obfuscated with common JavaScript tools. In addition, benign content transformed with common JavaScript tools can more than double false positive rates for some products. Since these mechanisms are used during everyday browsing, they represent potentially high operational costs for the enterprise security teams that manage NGFWs.

Key Findings from the test:

  • Overall Security Effectiveness ranged from 25.0% to 99.7%, with 60% of the tested products achieving a rating greater than 90.3%.
  • The average Security Effectiveness rating was 66.1%; 7 of the products tested received a recommended rating.
  • TCO per Protected Mbps ranged from US$2 to US$57, with most tested products costing less than US$10 per protected Mbps.
  • The average TCO per Protected Mbps was US$20.86; 70% of the products tested were rated as having above-average value, and 30% of the products tested were rated as having below-average value.
  • 40% of the products tested missed at least one evasion.
  • Of the products tested, none demonstrated full resilience against tested attack variants.

1NSS Labs “Security Controls in the US Enterprise: Next Generation Firewalls,” August 2017
2Markets and Markets “Next Generation Market by Delivery Type, Service, Organization Size, Vertical, and Region – Global Forecast to 2022,” June 2017

“NGFW is a mature market with significant room for growth,” said Jason Brvenik, Chief Technology Officer at NSS Labs. “Newer entrants in the market are demonstrating strong capabilities and challenging established players. NSS Labs recommends enterprises exercise diligence in evaluating NGFW products to ensure both enterprises and end users are protected.”

The following products were tested:

  • Barracuda Networks CloudGen Firewall F800.CCE v7.2.0
  • Check Point 15600 Next Generation Threat Prevention (NGTP) Appliance vR80.20
  • Cisco Firepower 4120 Security Appliance v6.2.2
  • Forcepoint NGFW 2105 Appliance v6.3.3 build 19153 (Update Package: 1056)
  • Fortinet FortiGate 500E V5.6.3GA build 7858
  • Palo Alto Networks PA-5220 PAN-OS 8.1.1
  • SonicWall NSa 2650 SonicOS Enhanced
  • Sophos XG Firewall 750 SFO v17 MR7
  • Versa Networks FlexVNF 16.1R1-S6
  • WatchGuard M670 v12.0.1.B562953

NSS Labs is committed to providing empirical data and objective group test results that enable organizations to make educated decisions about purchasing and optimizing security infrastructure products and services. As with all NSS Labs group tests, there is no fee for participation, and the test methodology is available in the public domain to provide transparency and to help enterprises understand the factors behind test results.