Fun and Excitement on the Next Generation Firewall Front

The Next Generation Firewall (NGFW) market place  is getting a little more exciting these days.  NSS Labs  has released their NGFW Comparative Analysis 2012.  It’s available on their website for $3,500, pre coupon!

Key Findings of the   NSS  NGFW Comparative Analysis 2012  Report

1. Few NGFWs are ready for “prime time”: Only 50% of the NFGWs tested scored over 90% in security effectiveness vs. 75% of major IPS vendors in the dedicated IPS group.
2. Convenient configurations mean less protection: NSS Labs research shows that IPS features in NGFWs are seldom tuned and the devices are often deployed using vendors’ default or recommended policy settings, creating significant gaps in coverage between NGFWs and dedicated firewall and IPS devices.
3. Vendor claims are often exaggerated: Of the eight  products tested, five performed well below vendors’ throughput claims.  Maximum connection rates were lower than preferred in all products tested - revealing a major concern; NGFWs must improve performance before they are ready for large enterprise deployments

This Comparative Analysis Report  2012 consists of five sections, covering the following topics in-depth: Security Value Map (SVM), Security, Performance, Management,   and Total cost of ownership (TCO).  

Tested Products

•     Barracuda F-900
•     Check Point 12600
•     DELL SonicWALL SuperMassive E10800
•     Fortinet FortiGate 3140B
•     Juniper Networks SRX 3600
•     Palo Alto Networks PA-5020
•     Sourcefire 8250
•     Stonesoft FW-1301

Only two products were positioned in the Leaders portion of the December 2011 Gartner Magic Quadrant for the “Enterprise Network Firewall”.   Gartner takes great care to explain that products in other portions of the Magic Quadrant  can be best for a given customer.

NGFW Events  over the Last Several Months

In early July, Dell SonicWALL announced that their NGFW appliance was the first   to receive NGFW certification. SonicWall was a top performer on the NSS Next Generation Firewall Security Value Map.

https://www.icsalabs.com/press-release/dell-sonicwall-receives-first-next-generation-firewall-evaluation-icsa-labs

In early October, Barracuda Networks  raised $130 million from Sequoia Capital and Francisco Partners.  The proceeds will help them   with  expansion and provide cash to founders and early employees. 

“They’ve done a wonderful job of putting together a value proposition and creating a solution that’s often a 10th the cost” of traditional products, said Jim Goetz, a partner at Sequoia and a Barracuda director.  Initial Public Offering (IPO) in the offing?  Barracuda has a base of 150,000 customers.  They won SearchSecurity's Readers' Choice Bronze Award for Best of Web Application Firewalls 2012 in mid October (this is different from their NGFW solutions).  Barracuda topped both Fortinet and Juniper on the   NSS 2012 "Next Generation Firewall Security Value Map". This was released during RSA San Francisco.

.

In early October, Check Point issued a press release stating that IDC Data in the latest IDC Worldwide Q2 2012 Security Appliance Tracker, that they lead the global market with 20.9% Firewall and UTM appliance revenue share.  They also stated that they are the leader in Firewall and UTM factory revenue in US with  a 22.1% share and Western Europe with a  29.8% share.

Fortinet rolled out their Fortinet second generation FortiASIC-SoC2 this week.  Groundbreaking performance!  Double the processing capacity!  They also rolled out their new Fortinet FortiOS 5.0 operating system.  Enabling more security!  Additional intelligence to fight advanced threats and secure BYOD (Bring your own Device) environments!  On the    "Next Generation Firewall Security Value Map",   Fortinet had  great Block Rate but a high Price per Protected Mbps.   

The rumor mill has Juniper Networks reportedly considering putting itself   up for sale.  Early names floating around as acquirers, EMC (this one is being panned), Brocade, and Arista.  Nonetheless, the stocked jumped 11% because of the rumors. 

http://www.networkworld.com/news/2012/101812-juniper-sale-update-263504.html?t51hb&hpg1=mp

A Juniper Networks patent suit is slowly working its way through the system, with a trial date set for February 2013.  There are a handful of patents being contested.  Palo Alto Networks founders Nir Zuk and Yuming Mao left Juniper to start Palo Alto Networks.  Juniper Networks was outperformed by everyone on the "Value Map".

Channelnomics has a nice summary about Juniper Networks, Palo Alto Networks suit  at http://channelnomics.com/2012/10/19/patent-list-grows-slow-juniper-palo-alto-suit/

 

Palo Alto Networks has been as high as $73 this year since closing at around $51 when they went public. They closed at $62 on October 19.

Look for lots of spin to take place with the  NSS  Comparative Analysis report over the next couple of months.  It's a comprehensive document. 

Becoming Learned on  the NGFW

Sourcefire is making NSS’s evaluation of their product available at https://info.sourcefire.com/2012NSSLabsNGFW.html

It’s several months old, but an additional nice source of information is the  NSS “2012 Next Generation Firewall Security Value Map”, released by NSS Labs during RSA San Francisco.  http://o-www.sonicwall.com/us/en/14233.html , which graphs Block Rate versus Price per Protected Mbps.

Want to learn more about evaluating NGFWs?  NSS has a relatively neutral document “What do You Need to Know about Next Generation Firewalls” at https://www.nsslabs.com/can-next-generation-firewalls-stand-heat

Learn about “Next Generation Firewalls for Dummies” and get a subtle push for the Palo Alto Network NGFW solution at http://connect.paloaltonetworks.com/ngfw-4dummies-EN

A Fortinet 2011 take on “Next-Generation Security for Enterprise Networks” is available at http://www.fortinet.com/next_generation_security_for_enteprise_networks.html

SonicWall and Check Point Top Network World Clear Choice Test - Next Generation Firewalls - Best of Interop 2012

In the Network World Clear  Choice Test on Next Generation Firewalls, SonicWall was the top performer when it came to throughput (Part 1).  Check Point’s Check Point Security Gateway received the top score  in Part 2. Joel Snyder  did a deep dive looking at and testing Application Identification and Control.  Other companies in the Clear Choice Test, SonicWall (purchased by Dell from Thoma Bravo a couple of months ago), Fortinet, Check Point Software, and Barracuda Networks. This is a great two part article. (Scroll down for Best of Interop 2012 list)

David Newman wrote in Part 1 that   SonicWall    “Comes out on top in performance tests, but trade-offs remain”.  One of the Newman’s overall conclusions was that next generation firewalls are getting faster, and the tradeoff between speed and security is definitely getting smaller, but that these tradeoffs still exist.    

Network World used Spirent Avalanche traffic generator to measure content handling in a number of different configurations.  This was for Mixed Content HTTP handling and Static HTTP content handling.  Fortinet and SonicWall tended to have far superior performance in the tests over Check Point, and Barracuda Networks.  Newman includes a number of tables showing test results for throughput  in Part 1.

Seven features were tested as Part 2 of the Clear Choice Test:: Anti-Malware and URL Filtering, Intrusion Prevention, SSL Decryption, Next-Generation Application Identification, Basic Firewall Features, IPv6 Feature Set, and Next-Generation Visibility.  The final rankings and weighted average scores (top score possible, 5.0) were:

1. 4.1 – Check Point Security Gateway
2. 3.9 – SonicWall SonicOS
3. 3.8 – Fortinet Fortigate
4. 3.2 – Barracuda NG Firewall

Palo Alto Networks, the   company most associated with the phrase Next Generation Firewall (NGFW), was not in the Clear Choice Test on Next Generation Firewalls.  However, Snyder wrote,  “We stand by our original PA-5060 test headline back in August.  Palo Alto earns short list status.  If you are considering replacing your firewall to gain next generation features, Palo Alto remains a credible contender.”  The test methodology was a bit different last August. BTW,  not a lot of new information about Palo Alto Networks and their proposed initial public offering (IPO).

 

http://www.networkworld.com/reviews/2012/050712-firewall-test-palo-alto-258621.html

 Check Point’s product was superior when it came to Anti-Malware and URL Filtering, Intrusion Prevention, and Basic Firewall Functions.  SonicWall was the top product in SSL Decryption.  They tied on Next Generation Application Identification.

 “The Check Point Security Gateway has a fantastic management interface for application identification and control,” according to Joel Snyder.  He found  their product    much easier to use than the other products   tested.

SonicWall, "Would have had a higher score if its application identification GUI wasn't so poorly designed”  Snyder wrote.

“SonicWall has so many sub-divisions of every application, none of which were documented or made any sense to us, that we gave it a failing score when we tried to allow end users to see Facebook, but not post to it — one of vendor marketing's favorite examples of why a next-generation firewall is a good idea.  It was possible to block Facebook completely, but you can do that with a URL filter — you don't need a next-generation firewall." 

Some next generation firewall vendors take the position that with their products, you don't need the URL filtering capabilities provided by such vendors as Websense, McAfee and  Blue Coat Systems. Of course, they'll choose to differ!

According to  Snyder, “the defining characteristic of a next-generation firewall is the ability to identify and control traffic at the application layer.”  Network World    designed a suite of 40 tests in nine categories to see how well the firewalls would come out.  No product stopped all 40.  SonicWall was able to stop 26 for the top score.

About the Testing

In the first part of this test, vendors submitted their biggest, fastest boxes to David Newman's lab in California for performance testing.  Vendors were allowed to send a smaller, lighter device within the same product family to Joel Snyder's Arizona lab for features testing.There are links in both parts of the test providing details about test methodologies.

Part One – “Fast-forwarding firewall faceoff” was done by David Newman.

http://www.networkworld.com/reviews/2012/042312-firewalls-test-258120.html

  

Part Two of “Next-Gen Firewalls, Off to a Good Start” was done by Joel Snyder.

http://www.networkworld.com/reviews/2012/050712-firewall-test-258613.html

 

Joel Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com .

Both parts of the test are well worth reading.  Read them in conjunction with the test that NSS labs performed and released during RSA San Francisco."SonicWall, Palo Alto Networks Top Performers in New NSS NGFW Study – Block Rate vs. Price per Protected Mbps".  

http://kensek.blogspot.com/2012/03/sonicwall-palo-alto-networks-top.htm

 

Best of Interop 2012 Awards  - Las Vegas

Below is the list of winners for Best of Interop 2012. These were announced during Interop  Las Vegas. 16 editors evaluated the 130 plus entrants for the Best of Interop Awards.

Best of Interop

NEC ProgrammableFlow PF6800 Controller

NEC Corporation of America

Security  Winner

McAfee Network Security XC Cluster

McAfee

Best Startup Company

V3 Systems

Cloud Computing & Virtualization Winner

Citrix VDI-in-a-Box

Citrix Systems

Collaboration Winner

Alcatel-Lucent OpenTouch Conversation            

Alcatel-Lucent

Data Center & Storage Winner

Panzura Quicksilver Global Cloud Storage System v3.0

Panzura

Management, Monitoring & Testing Winner

NEC ProgrammableFlow PF6800 Controller

NEC Corporation of America

Networking Winner

GS0072 Switch

Gnodal

Performance Optimization Winner

AppNav Virtualization Technology

Cisco Systems

Wireless & Mobility Winner

XpressConnect Enrollment System

Cloudpath Networks

http://www.bestofinterop.com/