NSS Labs Announces Results of 2018 Data Center Security Gateway Group Test (CDSA)

NSS Labs today announced the results of its 2018 Data Center Security Gateway (DCSG) Group Test. Four products from two market-leading security vendors were evaluated for security effectiveness, resistance to evasion, stability and reliability, total cost of ownership (TCO), and performance. The DCSG group test is one of two data center network security (DCNS) tests conducted by NSS Labs.

This year’s DCSG Group Test includes expanded performance testing covering transactional, multimedia, and corporate real-world data center traffic profiles. Earlier this week, NSS Labs released the second edition of its 2018 Data Center Intrusion Prevention Systems (DCIPS) Group Test.

DCSG devices are considered layer three (OSI model) devices that route traffic, provide protection against threats, anti-evasion capabilities, and full resilience against attacks. They must be capable of performing access control and deep packet inspection in order to protect server applications from remote attacks. Unlike the next generation firewall that protects users from the Internet, a DCSG’s firewall component protects data center servers and the applications that run on them from the Internet.

Similar to a DCIPS product, a DCSG’s intrusion prevention security component should be capable of correctly blocking malicious traffic through comparison of packet/session contents against signatures, filters, protocol decoders.

In a 2018 NSS Labs Security Insight Study, 73% of the US enterprises surveyed reported deploying an DCFW to protect their data center, and 56% reported deploying a DCIPS to protect their data center. Additionally, 3.5% reported plans to acquire a DCFW in the next 12 months and 10.6% reported plans to acquire a DCIPS in the same time frame.1

Key Takeaways

Attackers continue to use different vectors to gain unauthorized access and exfiltrate sensitive data and deliver malware.
DCSG devices are required to remain operational and stable under different traffic loads. The DCSG Group Test determined the behavior of the state engine under load. All devices must balance the risk between denying legitimate traffic or allowing malicious traffic once they run low on resources.
A DCSG device will drop new connections when resources (such as state table memory) are low, or when traffic loads exceed its capacity. Furthermore, DCSG inspection engines must be capable of performing optimally under stress and at maximum real-world traffic capacity.
Providing results for a product’s protection against exploits without fully factoring in evasions can be highly misleading in terms of understanding a DCSG product’s security efficacy. The NSS Labs’ Security Effectiveness score includes evasion techniques. The more classes of evasion that are missed (such as IP packet fragmentation, RPC fragmentation, URL obfuscation, FTP/Telnet evasion, resiliency, and attacks on nonstandard ports), the lower a product’s security efficacy. Products were tested against 99 evasions to evaluate how well they were able to detect and block the evasions.
NSS research has determined that the majority of enterprises tune their DCSG products. Although attacks against desktop client applications are mainstream in typical enterprise perimeter deployments, servers will always be the primary targets in data center deployments, so tuning is critical. All products in this test were optimally tuned similar to a typical customer deployment, keeping in mind security effectiveness and performance.