NSS Labs Announces 2018 Next Generation Firewall Group Test Results (CDSA)


NSS Labs today announced the results of its 2018 Next Generation Firewall (NGFW 8.0) Group Test. In this year’s test, 10 products were examined for security effectiveness, performance, and total cost of ownership (TCO).

The NGFW is the first line of defense against today’s threats and is a critical component of any defense-in-depth strategy. The NGFW market is one of the largest and most mature markets in the cybersecurity industry. According to the NSS Labs 2017 Security Architecture Study, 80.5% of US enterprises deploy NGFWs.1 Industry analysts estimate that the NGFW market is estimated to grow from US$2.39 billion in 2017 to US$4.27 billion by 2022 at a compound annual growth rate (CAGR) of 12.3%.2

Of the products that participated in NSS Labs’ 2018 NGFW Group Test, six out of the 10 products assessed demonstrated resistance to common evasion techniques with the remaining four missing at least one evasion technique. Evasion techniques are commonly used by attackers as a means of disguising and modifying attacks at the point of delivery to avoid detection and blocking by security products. Failure of a security device to correctly identify a specific type of evasion potentially allows an attacker to use an entire class of exploits for which the device is assumed to have protection.

In this eighth iteration of the NGFW test, NSS Labs expanded its evasion testing to include resiliency against modified exploits. The resiliency of a product is defined as its ability to absorb an attack and reorganize around the attack. When an attacker is presented with a vulnerability, the attacker can select one or more paths to trigger the vulnerability using a nearly infinite number of representations of the exploit.

A resilient product will be able to detect and prevent against different variations of an attack. Of the products tested, none demonstrated full resilience against tested attack variants. With the expanded use of secure sockets layer (SSL)/transport layer security (TLS) in the traffic traversing the modern network, an NGFW must be able to inspect encrypted content. NSS Labs also expanded test with the inclusion secure sockets layer (SSL)/transport layer security (TLS) testing.

In conjunction with the 2018 NGFW Group Test, NSS Labs conducted an investigation of attacks using JavaScript and attacks using code obfuscation on NGFW products. Code obfuscation is an effective evasion tactic against many NGFWs. None of the products tested properly decoded JavaScript and instead appeared to simply rely on signatures to detect common obfuscation tools.

This NSS Labs investigation shows that code obfuscation reduces the average effectiveness of detecting malicious activity by as much as 34% with some products missing as much as 60% of the attacks obfuscated with common JavaScript tools. In addition, benign content transformed with common JavaScript tools can more than double false positive rates for some products. Since these mechanisms are used during everyday browsing, they represent potentially high operational costs for the enterprise security teams that manage NGFWs.