Authors: NSS Labs

Publish Date: September 18, 2019

The firewall market is one of the largest and most mature security technology segments. Firewalls have undergone several stages of development, from early packet filtering and circuit relay firewalls to application layer (proxy-based) and dynamic (stateful) packet filtering firewalls. Throughout their history, however, the goal has been the same: to enforce an access control policy between two networks. A firewall should therefore be viewed as an implementation of policy, not as a policy in itself.

A firewall is a mechanism used to protect a trusted network from an untrusted network while allowing authorized communications to pass between them, thus enabling secure business use of the Internet. As web adoption trends push critical business applications through firewall ports that were previously reserved for a single service, such as TCP port 80 for HTTP, legacy firewall technology is effectively blinded. A stateful firewall tracks connection state and the port/protocol tuple but does not examine payload, so it cannot differentiate between actual HTTP traffic and non-HTTP services tunneling over port 80, such as VoIP or instant messaging. Port and protocol combinations alone no longer define network applications; application-level inspection must be performed in addition to analysis of port and destination.

Next generation firewalls (NGFWs) have emerged in answer to the increased complexity of the IT security architecture. The NGFW must be capable of performing deep packet inspection (DPI) on all packets, on all ports, and over all protocols in order to determine which applications are running over which ports and thus secure them effectively. In addition, with the expanded use of SSL/TLS in much of the traffic traversing the modern network, inspection of encrypted content is required; in practice this means the NGFW terminates the TLS session, inspects the cleartext, and re-encrypts it toward the destination, which only works where the clients it protects trust its inspection CA. The value of this capability for the enterprise has expanded beyond the perimeter, and today NGFWs offer deployment options that include internal segmentation for scanning east-west traffic.
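The two paragraphs above make the central claim of the methodology: a port-based rule and a content-based (DPI) classification can disagree about the same flow, and only the latter tells you what is actually tunnelled over port 80. The following is an added example written for this page; it is not NSS Labs' code and is not part of the test methodology. The port table, the handful of application signatures (HTTP request line, SIP request line, SSH banner, TLS ClientHello record header) and the sample flows are all constructed and deliberately simplified compared with a real DPI engine, which tracks protocol state across many packets.

```python
import re
from typing import Dict, List, Tuple

# Legacy stateful-firewall view: the application is whatever the port table says.
# Constructed table for this example; a real device carries a much larger one.
PORT_TABLE: Dict[int, str] = {
    22: "ssh",
    25: "smtp",
    53: "dns",
    80: "http",
    443: "tls",
    5060: "sip",
}


def port_based_classify(dst_port: int) -> str:
    """What a port/protocol rule believes is running on a flow."""
    return PORT_TABLE.get(dst_port, "unknown")


# Simplified signatures over the first bytes the client sends.  A real DPI
# engine applies far more of these and follows the protocol beyond the first
# segment; these only look at a request line or a record header.
_HTTP_METHODS = r"(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT|TRACE)"
_HTTP_REQ = re.compile(rb"^" + _HTTP_METHODS.encode() + rb" \S+ HTTP/1\.[01]\r\n")
_SIP_REQ = re.compile(
    rb"^(?:INVITE|REGISTER|OPTIONS|ACK|BYE|CANCEL|SUBSCRIBE|NOTIFY) \S+ SIP/2\.0\r\n"
)
_SSH_BANNER = re.compile(rb"^SSH-\d\.\d-")


def dpi_classify(payload: bytes) -> str:
    """Identify the application from payload content, ignoring the port entirely."""
    if _HTTP_REQ.match(payload):
        return "http"
    if _SIP_REQ.match(payload):          # SIP OPTIONS ends in SIP/2.0, not HTTP/1.x
        return "sip"
    if _SSH_BANNER.match(payload):
        return "ssh"
    # TLS record header: ContentType 0x16 (handshake), version 0x03 0x00-0x04,
    # two-byte record length, then HandshakeType 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    return "unknown"


def classify_flow(dst_port: int, payload: bytes) -> Dict[str, object]:
    """Compare the port-based guess with the DPI result for one flow."""
    by_port = port_based_classify(dst_port)
    by_dpi = dpi_classify(payload)
    return {
        "dst_port": dst_port,
        "port_says": by_port,
        "dpi_says": by_dpi,
        # A rule "allow tcp/80" passes every port-80 flow below unchanged; only
        # the mismatch tells an application-aware policy that something else
        # is riding on the port (or that legitimate HTTP is on a non-standard one).
        "mismatch": by_port != by_dpi,
    }


# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/TCP 10.0.0.5\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    (8080, b"OPTIONS * HTTP/1.1\r\nHost: proxy\r\n\r\n"),
    (443, b"\x16\x03\x03\x00\xf4\x01\x00\x00\xf0\x03\x03" + b"\x00" * 32),
]


def mismatched_flows(flows=SAMPLE_FLOWS) -> List[Dict[str, object]]:
    """Return the flows on which a port-based policy and DPI disagree."""
    return [r for r in (classify_flow(p, d) for p, d in flows) if r["mismatch"]]


if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        r = classify_flow(port, data)
        print(f"tcp/{r['dst_port']:<5} port-rule={r['port_says']:<8} "
              f"dpi={r['dpi_says']:<8} {'MISMATCH' if r['mismatch'] else 'ok'}")
```

Run stand-alone, the script flags four of the six flows: SIP, SSH and TLS tunnelled over port 80 (which a stateful rule would have admitted as "HTTP"), and plain HTTP on port 8080 (which a port rule mislabels in the other direction). The TLS case is also why the encrypted-inspection requirement in the paragraph above exists: DPI can recognise a ClientHello on any port, but it cannot see which application sits inside the tunnel without terminating the session.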

This Test Methodology describes how NSS Labs will evaluate NGFWs to provide an objective and fair assessment of the technology.