Evasions Remain an Issue for Market Leaders

AUSTIN, Texas – October 1, 2019 – NSS Labs, Inc., a global leader and trusted source for independent cybersecurity product testing, today announced the results of its 2019 Next Generation Intrusion Prevention System (NGIPS) Group Test. Five of the industry’s leading NGIPS products were tested to compare product capabilities for security effectiveness (exploit block rate, evasion techniques and stability & reliability), total cost of ownership (TCO), and performance.

The threat landscape is evolving constantly; attackers are refining their strategies and increasing both the volume and the effective capabilities of their attacks. Enterprises must defend against persistent attacks targeting highest-value assets with little room for error.

Evasion techniques are a means of disguising and modifying attacks at the point of delivery to avoid detection by security solutions. Failure of a security device to correctly identify a specific type of evasion enables an attacker to use an entire class of exploits for which the device otherwise has protection.  The more classes of evasion that are missed (such as HTTP evasions, IP packet fragmentation, TCP stream segmentation and HTML obfuscation), the less effective the device.

This is the fifth year of testing NGIPS products. In this year’s test, NSS Labs was able to evade three NGIPS products. Only one demonstrated robust protection against script-obfuscated attack variants designed to test the security devices’ resilience.

This NGIPS test focuses on the following product capabilities:

  • Exploit block rate: Blocking exploits is the purpose of an Intrusion Prevention System (IPS). This test determines IPS exploit protection capabilities across a broad range of attacks – while ensuring the device does not block legitimate traffic (false positives).
  • Resistance to Evasions: Evasions are techniques of disguising attacks in order to avoid detection. Missing an evasion means an attacker can circumvent the IPS, bypassing defenses. The techniques used in this test have been widely known for years and should be considered minimum requirements for the IPS product category. Providing exploit protection results without factoring in evasions can be misleading since the more evasions that are missed, the worse the situation. The test determines the ability of NGIPS products to properly detect and block exploits that apply evasion techniques.
  • Real-world performance: Vendors’ datasheets provide product maximums under ideal conditions that rarely exist in the real world. NSS Labs’ extensive performance tests capture edge cases and points of failure of the tested products. Our real-world testing enables us to predict the performance limits of products so that buyers do not have to learn the hard way.

Of the five products tested, four were rated as Recommended based on comparative scores for overall security effectiveness, TCO per protected Mbps, and performance:

  • Forcepoint NGFW 2105 v6.3.10 Dynamic Update Package 1164
  • Fortinet FortiGate-100F v6.0.2 build6215 (GA)
  • Palo Alto Networks PA-5250 9.0.3-h2
  • Versa Networks V2000 16.1 R2 S8
  • Vendor A

NSS Labs is committed to providing empirical data and objective group test results that help organizations make educated decisions about purchasing and optimizing security products and services. We believe if a product is good enough to sell, it is good enough to test. If you do not see a product you’re interested in, ask the vendors where their results are and encourage participation. As with all NSS Labs group tests, there is no fee for participation.