NSS Labs: Choose Wisely with Next-Gen Firewalls

To help stop emerging cybersecurity threats at the perimeter, enterprises are looking at a bevy of next-generation firewall (NGFW) options today, products that offer a wide range of advanced features and capabilities, including behavioral analysis services, better forensics, sandboxed malware analysis, and SSL inspection.

But all these NGFW options come with a headache: all these new features and configuration capabilities are giving enterprise buyers far too many products to evaluate, and the wrong security investment could prove pricey and stick companies with the wrong product for years.

That’s according to a new report — “Evolution of Next Generation Firewall: Choosing Your First Line of Defense” — from NSS Labs, which examines the capabilities of NGFWs and offers advice to companies looking to invest in new security features.

“Further complicating the buying process is the fact that the maturation of the NGFW market has led to a wide spectrum of security and performance proficiency that’s dependent not only on the vendor but also on how the NGFW is configured and deployed,” the report reads. “An increase in security functionality usually causes a proportionate decrease in performance, and vice versa.

“This relationship between security and performance is particularly challenging in the NGFW market because of the mission-critical nature of network throughput and the growing need for threat prevention at the network perimeter.”

The report recommends that those looking to invest in an NGFW system take a nuanced approach to evaluating which product works best, and understand the following (from the report):

  • Although vendors are trying to commoditize the NGFW market, it remains diverse — features, security capabilities, and inspected traffic performance vary greatly.
  • Depending on vendor data sheets to narrow your list of vendors for proof of concept (POC) testing will only make things confusing.
  • Before conducting any POC, organizations should quantitatively assess products using common metrics, such as security effectiveness, performance, stability and reliability, and total cost of ownership.
  • The POC is the time when evaluators should shortlist products based on traits specific to the organization’s use case.
  • Selecting products for a POC shortlist requires a disciplined approach that’s based on facts rather than marketing hype.

“Even before getting to the POC stage, enterprises need to compare NGFW products based on facts, not just vendor claims,” the report reads. “Buyers who can’t establish their own quantitative metrics for comparison are forced to rely on marketing data sheets to narrow down the field, and these claims can often distract enterprises from finding the products they truly need.”

NSS Labs lists four crucial areas for testing an NGFW before purchase: security effectiveness, performance, stability and reliability, and total cost of ownership.

For more information about the report, visit