Authors: Morgan Dhanraj and Thomas Skybakmoen

Publish Date: June 6, 2017

NSS Labs defines a firewall as a mechanism used to protect a trusted network from an untrusted network, while allowing authorized communications to pass from one side to the other, thus facilitating secure business use of the Internet. With the emergence of new web applications and security threats, however, firewalls are evolving further. Next generation firewalls (NGFWs) traditionally have been deployed to defend the network at the edge, but enterprises have expanded their deployment options to include internal segmentation.

NSS research indicates that NGFW devices are typically deployed to protect users rather than data center assets, and that the majority of enterprises will not separately tune intrusion prevention system (IPS) modules within their NGFWs. 

REPORT OVERVIEW:

This report focuses on how effectively products block attacks from live, active campaigns. For live testing, NSS employs a unique live test harness, the Cyber Advanced Warning System™ (CAWS), to measure how well security products protect against “drive-by” exploits that target client applications. (Note: NSS also offers a Security Comparative Report that measures products’ effectiveness against a broad range of exploits and evasions using NSS Labs’ Exploit Library.)

The CAWS test harness captures thousands of suspicious URLs per day from threat data generated by NSS and its customers and open-source and commercial threat feeds. This list of URLs is optimized and assigned to victim machines, each of which has a unique combination of operating system (including service pack/patch level), browser, and client application.

PRODUCTS EVALUATED:

The following products were evaluated:

  • Barracuda NextGen Firewall F600.E20 Firmware Version 7.0.2
  • Check Point Software Technologies 15600 Next Generation Threat Prevention (NGTP) Appliance R77.20
  • Cisco Firepower 4110 v6.1.0.1
  • Forcepoint NGFW 3301 Appliance v6.1.2
  • Fortinet FortiGate 3200D FortiOS v5.4.4 GA Build 1117
  • Fortinet FortiGate 600D FortiOS v5.4.4 GA Build 1117
  • Juniper Networks SRX 4200 v15.1X49-D75.5
  • Palo Alto Networks PA-5250 PAN-OS 8.0.0
  • SonicWall NSA 6600 SonicOS 6.2
  • Sophos XG-750 Firewall v16.01
  • WatchGuard Firebox M4600 v11.10.7

To learn how each vendor performed, download a copy of each individual Test Report. NSS clients can also download the NGFW Comparative Reports on Security, Performance, and Total Cost of Ownership.

As with all NSS Labs group tests, there was no fee for participation. In addition, the test methodology applied is in the public domain to provide transparency and to help enterprises understand the results.