NSS Labs Releases Next-Generation Firewall Test Results

Jason Brvenik, chief technology officer at NSS Labs, spends his time testing a lot of different security technologies in an effort to evaluate vendor claims and product efficacy. The most recent set of technologies tested by NSS Labs are next-generation firewalls (NGFWs), with test results published on July 17.

Among the products tested by NSS Labs were NGFWs from Barracuda, Check Point, Cisco, Forcepoint, Fortinet, Palo Alto Networks, SonicWall, Sophos, Versa Networks and WatchGuard.

The NSS Labs’ 2018 NGFW Group Test report reveals that 60 percent of the assessed NGFWs were able to demonstrate a resistance to common evasion techniques. Attackers increasingly use different evasion techniques to try to bypass the protection provided by cyber-security products. Of note, NSS Labs reported that one evasion technique that all NGFWs struggle against is obfuscated JavaScript. According to the test results, none of the tested products was able to properly decode the JavaScript.

In a video interview with eWEEK, Brvenik explains how NSS Labs tests security technologies and why his firm is moving to a continuous evaluation model to help provide the most accurate results.

There are multiple techniques and tools for testing cyber-security technologies, including the popular open-source Metasploit penetration testing framework. Brvenik said NSS Labs goes above and beyond what Metasploit does, analyzing protocols and looking for ambiguities in specifications. 

Brvenik added that NSS Labs has its own Baitnet test harness that is a core element of the evaluation process. Baitnet is an automation framework for replaying attacks in parallel. Compliance conformance is not, however, something that Brvenik is overly concerned about.

"It's about effectiveness at the end of the day. We look to assess how well a technology meets an enterprise’s needs and compliance is irrelevant, especially in our space. Our entire industry exists because compliance fails," he said. "Whether or not you comply with any given standard really comes down to how well the technology identifies an attack, identifies evasive behavior, identities the presence of an adversary or prevents that action from occurring."

Watch the full video interview with Jason Brvenik above.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.