NSS Labs 2017 Next Generation Firewall NGFW Testing Released

NSS Labs has recently released the new next generation firewall testing results. Those results can be found HERE. You have to pay for the details but you can download a free high-level report HERE. The results from the free version are as shown.

The big difference I noticed from last year to this year is the large delta between vendors considered recommended verses ones that were found to miss threats. In 2016, it seemed liked pretty much everybody was found to be 95% or higher at effectiveness however this current 2017 report shows effectiveness ranging from 25.8% to 99.9%. Many of the non-effective offerings were in the high 90s last year but now under 40% effective. Why is this? According to NSS labs, they updated their testing stagey as explained here.

For this seventh iteration of the NSS Labs NGFW Group Test, the Test Methodology incorporated additional use cases to support current real-world requirements for security efficacy and encryption. In particular, evasion techniques were expanded beyond active, in-the-wild threats to include new, weaponized attacks. Evasions are a growing concern as many exploits are capable of bypassing security measures using simple techniques that can be applied to HTTP traffic. More than 80% of the NGFW products tested missed evasions, and three moved from Recommended to Caution ratings. Many of these vendors have worked with NSS Labs to update their products so that they are able to detect these evasions in the future.

The argument could be made that testing can show effective or not effective depending on how the vendor tunes their solution meaning if the vendor is knowledgeable of the attack being used, they essentially can develop a block even though that’s not how things work in the real world. The same goes for challenging the tactics used to test solutions compared to what would be seen in the real world. Regardless, this is the seventh year NSS has performed this exercise so the results are worth noting when considering a solution.

My personal recommendation is to use this or the paid NSS labs details for basic guidance then test solutions in your own environment. Nobody knows your network better!

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.