Next-gen firewall tests highlight caution on evasion

And now for an astonishing secret: Some analysis firms in the IT industry sell their work for profit.

Okay, it isn’t much of a secret. But I raise it because this week NSS Labs, an independent IT security equipment testing company, released its most recent test of a dozen next generation firewalls (NGFWs), appliances that are application-aware and can scan traffic. For a fee you can see the detailed results.

We don’t have that kind of money. What they did release for free, though, is an observation that CSOs and security administrators should keep in mind: Evasion techniques included in malware continue to be a challenge.

“Missing a low level evasion, such as TCP stream segmentation or IP packet fragmentation, can result in security devices failing to detect and block an entire class of exploits,” a summary of the report says. “This results in significantly lower security effectiveness. Two products experienced significant reversals in their security effectiveness scores this year: one product was 36.3 per cent less effective than last year due to missed evasions, while another increased effectiveness by 63.6 per cent after rectifying evasion weaknesses identified in last year’s test.” On the other hand, 10 out of 12 products demonstrated complete evasion detection.
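To make the report’s point concrete, here is an added simulation (not from NSS Labs or the article) of why a device must reassemble the TCP stream before matching signatures: a detector that inspects each segment on its own never sees a pattern that has been split across segments, while one that reorders and rebuilds the stream does. The signature, the request and the segment sizes are all constructed for the example.

```python
"""Added example: per-segment inspection vs. stream reassembly (constructed data)."""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed detection pattern; a real engine would load a full rule set.
SIGNATURE = b"/cgi-bin/constructed-sig"


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def naive_inspect(segments: Iterable[Segment]) -> bool:
    """Per-packet inspection: the signature must fit inside one segment."""
    return any(SIGNATURE in s.payload for s in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the byte stream: sort by sequence number, drop bytes already
    seen (retransmits/overlaps keep the first copy), stop at the first gap."""
    ordered = sorted(segments, key=lambda s: s.seq)
    stream = bytearray()
    base = ordered[0].seq
    for s in ordered:
        expected = base + len(stream)
        if s.seq > expected:            # hole in the stream: cannot continue
            break
        stream += s.payload[expected - s.seq:]
    return bytes(stream)


def reassembling_inspect(segments: Iterable[Segment]) -> bool:
    """Normalise first, then match: this is what closes the segmentation gap."""
    return SIGNATURE in reassemble(segments)


def segment_stream(data: bytes, seq0: int, size: int) -> List[Segment]:
    """Split a byte stream into fixed-size segments (sender-side view)."""
    return [Segment(seq0 + i, data[i:i + size]) for i in range(0, len(data), size)]


# Constructed HTTP request carrying the pattern; 7-byte segments are far
# smaller than the 24-byte signature, and they are delivered out of order.
REQUEST = b"GET /cgi-bin/constructed-sig HTTP/1.1\r\nHost: example.test\r\n\r\n"
EVASIVE_SEGMENTS = list(reversed(segment_stream(REQUEST, seq0=1000, size=7)))

if __name__ == "__main__":
    print("per-segment match:", naive_inspect(EVASIVE_SEGMENTS))        # False
    print("reassembled match:", reassembling_inspect(EVASIVE_SEGMENTS))  # True
```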

You’re probably wondering which two did worse than last year: I don’t know, and I don’t want this to appear to be an ad for paying NSS, so you should find out which product to avoid.

The point is that selecting any security product has to be done by carefully evaluating all criteria and fitting the solution into a well-crafted multi-layer defence.

The report also notes that NGFWs are becoming more cost competitive: The average Total Cost of Ownership / Protected Mbps figure fell by half in 2014 to US$21.80 – down from an average of US$46.28 per protected Mbps from the 2013 test. Half of the products tested in 2014 had a TCO below US$20 per protected Mbps, the report says, with an overall range of US$6 – $64, down from a range of US$18 – $106 in the 2013 test. “This price movement is an early indicator that NGFW and UTM markets are converging,” it concluded.

Finally, most vendor performance claims hold up in testing: “Over half of the products outperformed their vendor-stated throughput rates during testing this year. Three vendors had products that achieved throughput rates over 25 per cent higher than their stated rates.”

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]