On June 6, 2017, NSS Labs published its annual 2017 Next-Generation Firewall (NGFW) Test Report and Security Value Map™ (SVM). For the first time in five years, NSS Labs did not place SonicWall in its “Recommended” quadrant of the SVM. In response, SonicWall immediately resolved the identified issues, automatically updated our firewalls worldwide, and was then publicly retested by NSS Labs to place in its upper right quadrant.
The results of this public retest mean that SonicWall has excelled in the industry’s most comprehensive, real-world testing of NGFWs once again. With its updated 2017 findings, NSS Labs verifies that the SonicWall NSA 6600:
- Blocked 99.76% of real-time, real-world live exploits
- Tested 100 percent effective in countering all advanced HTTP evasion, obfuscation and fragmentation techniques
- Earned 100 percent in stability and reliability, firewall, application control and identity awareness tests
It is perfectly normal in these types of cyber war games to uncover security gaps. It took NSS Labs five years and seven iterations of its test methodology to introduce a new evasion technique that uncovered a security gap in the SonicWall device. In the initial tests, the SonicWall NSA 6600 running SonicOS version 6.2 had failed a number of HTTP evasion test cases. After analyzing the evidence provided by NSS Labs, SonicWall immediately mitigated the identified issues with an automatic worldwide update to our security services on our installed base of next-generation firewalls.
Affirmation from NSS Labs
Only one vendor has been able to maintain the NSS Labs Recommended rating for all five years since the NGFW report was first published. In fact, for four years straight, SonicWall was one of only two vendors to be recommended each year, and in last year’s test, we earned a 100% score in the evasions category.
With SonicWall’s updates, NSS Labs retested the NSA 6600 using the same HTTP evasion techniques with a modified exploit. NSS Labs verified that SonicWall was no longer susceptible to the previously cited HTTP evasion techniques. The NSA 6600 now consistently blocks tested HTTP evasion techniques. NSS Labs noted this in both its SVM and its individual SonicWall SVM test report.
As the graph below shows, the SonicWall NSA 6600 is now strongly positioned in the upper right quadrant. The blue dot (Figure 1) shows the new SonicWall positioning and demonstrates that the SonicWall NSA 6600 is one of the highest-rated, best-valued NGFWs in the industry, with scores of 97.8% Security Effectiveness and a low TCO of $10 per Protected Mbps. Another critical data point is that in this retest, the SonicWall NSA 6600 scored 100 percent of evasions in the HTTP evasion test (Figure 2).
SonicWall recognizes and values NSS Labs’ long-standing reputation as an unbiased third-party product test and validation organization. We endorse NSS Labs’ test methodology and trust its results. NSS Labs tests have produced extremely useful test results that challenge security vendors to be continuously vigilant. The value of this type of service is maximized when the tests uncover security gaps in security devices before real adversaries do.
Flexible, automated, self-healing security
More importantly, the flexibility of our solution allowed us to automatically provide protections for the evasions NSS Labs discovered to all of our worldwide firewalls, with no need for firmware updates. This flexibility is unique in the market, and a core strength of SonicWall’s automated real-time breach detection and prevention solution, consisting of our next-generation firewalls, intrusion prevention, gateway anti-malware, Capture Advanced Threat Protection, email security and secure remote access products.
In fact, our Capture Labs team provided remediation for the newly discovered NSS issues within 24 hours! This means our customers don’t need to wait for days or even months until new, fully tested firmware is available. Remember, in cases like this, any network is vulnerable until the solution patch is applied.
Staying ahead of the pack
It is important to note that in this year’s NSS Labs SVM, eight of the ten vendors were actually susceptible to the new HTTP evasion test cases. Of the eight, only SonicWall and one other vendor were able to remediate the evasions in an automated fashion. Tellingly, several vendors placed in the “Recommended” quadrant had still not provided remediation at all. This is why an automated, self-healing solution is absolutely required in today’s extremely fast-paced and complicated cyber threat landscape.
We encourage you to read the full NSS Labs SonicWall Security Value Map report to learn more.