Next-generation firewalls are actually getting better
- By William Jackson
- Mar 20, 2013
Independent testing company NSS Labs recently released a second round of tests on next-generation firewalls and found that firewalls are improving, both in security effectiveness and throughput speeds.
“We were pleasantly surprised to see that the vendors who returned from last year are performing better,” NSS research director Frank Artes said of the second round of comparative tests. “They are taking steps in remediating issues” identified in earlier evaluations.
Overall security effectiveness increased significantly, with eight of nine products tested scoring over 90 percent. When combined with improvements in throughput, this boosted the value of the products. The range of cost per protected megabit/sec dropped from a range of $30 to $375 last year to a range of $18 to $124.
“We’re making the tests progressively harder,” Artes said, which makes the improvements more impressive.
NSS defined next-generation firewalls as those that are user and application aware, rather than focusing only on Layers 2 and 3 (data and network) of the OSI stack. This lets the firewalls apply rules for specific applications or activities, even when traffic is moved to an unexpected port. They also can work with third-party authentication systems, such as Active Directory, to support policies for user groups and based on user identities rather than on machine address.
Firewalls tested in the most recent round were:
- Check Point 12600
- Dell SonicWALL SuperMassive E10800
- Fortinet FortiGate 3600C
- Juniper SRX 3600
- Palo Alto PA-5020
- Sourcefire 8250
- Sourcefire 8290
- Stonesoft 3202
- WatchGuard XTM 2050
NSS sells the test results, so details on individual performance have not been released, but broad trends showed an improvement in detecting and stopping 1,500 exploits and evasions targeting Adobe, Apple, IBM, Microsoft and Oracle assets.
With eight out of nine scoring above 90 percent (the highest score was 98.5 percent), the one outlier scored only 34.2 percent. But this was better than last year’s worst performer, which came in at just 18 percent effectiveness.
Products also are doing a better job of living up to performance claims for throughput. In last year’s tests, five out of eight products performed well below advertised speeds; this year only two out of nine products fell short.
Some problems also were identified during the tests. Of the nine firewalls tested, six vendors submitted products that required firmware updates or configuration changes. A new measurement showed wide variation in enterprise management capabilities for products, which can affect a firewall’s usefulness.
The ability of vendors to address shortcomings shows that “there is no reason to expect a substandard product,” Artes said.
NSS is planning comparative tests of “big iron” firewalls, which provide at least 30 gigabits/sec of throughput for carriers and service providers. Artes said multi-terabit firewalls are not too far off.
William Jackson is freelance writer and the author of the CyberEye blog.