Posts

SonicWall’s Consistent Value, Cyber Security Effectiveness Earn ‘Recommended’ Rating from NSS Labs

For far too long the modern organization has been told it must pay hundreds of thousands of dollars (or even millions) for powerful, enterprise-grade security.

But for more than 25 years, SonicWall’s mission has been to deliver consistent value and powerful cyber security for organizations of all sizes and budgets. For the fifth time since 2012, this has been validated by one of the most trusted, fact-based organizations in the industry: NSS Labs.

In its 2018 group test of next-generation firewalls (NGFW), NSS Labs strongly positioned SonicWall and the NSa 2650 firewall in the upper-right ‘Recommended’ quadrant of the 2018 NSS Labs Security Value MapTM (SVM).

“NSS Labs is committed to independent testing that helps enterprises make informed cybersecurity decisions,” said NSS Labs CEO Vikram Phatak in SonicWall’s official announcement. “With ‘Recommended’ ratings for five years, SonicWall next-generation firewalls are an excellent choice for any company seeking devices with strong security and consistent product quality to evolve their security architectures. We applaud SonicWall’s focus on product consistency and security effectiveness.”

This year’s in-depth firewall comparison was comprised of totals based on security effectiveness, block rates, stability, performance, product purchasing price, maintenance, installation costs, required upkeep, management and installation. In its head-to-head comparison tests, NSS Labs verifies that NSa 2650:

  • Remains one of the highest-rated and best-value NGFWs in the industry, with a 98.8 percent security effectiveness rating
  • Delivers second-best total cost of ownership (TCO) with $4 per protected Mbps
  • Tested 100 percent effective in countering all advanced HTTP evasion, obfuscation and fragmentation techniques
  • Earned 100 percent ratings in stability and reliability testing

Many factors are taken into consideration when weighing vendor options, measuring security efficacy and calculating TCO.

Security Effectiveness of Firewalls

NSS Labs conducts one of the industry’s most respected, comprehensive and fact-based validation programs for a full range of cybersecurity products, including network and breach security, endpoint protection, cloud and virtual security, and more.

For this year’s comparison test, the SonicWall NSa 2650 next-generation firewall was compared against other industry offerings. During the NSS Labs evaluation, SonicWall NSa 2650 endured thorough testing exercises via the NSS Exploit Library, which exposed the appliance to more than 1,900 exploits.

To ensure real-world testing conditions, NSS Labs engineers utilize multiple commercial, open-source and propriety tools to launch a broad range of attacks. SonicWall NSa 2650 blocked 98.8 percent of all attacks was 100 percent reliable during testing. SonicWall also was successful in countering 100 percent of all advanced HTTP evasion, obfuscation and fragmentation techniques.

The SonicWall NSa 2650 strong security effectiveness and findings within the NSS report are applicable to the entire SonicWall NSa next-generation firewall series.

Total Cost of Ownership for Firewalls

“SonicWall offers the second-lowest TCO with $4 cost per protected Mbps.”

The cyber security industry’s pricing models are, frankly, out of date. Too many legacy vendors believe their old way of doing business — charging hundreds of thousands, or even millions of dollars — is beneficial to end customers and prospects. In some cases, high-end hardware is required, but there should also be powerful, cost-effective options for today’s business.

SonicWall understands and embraces this change.

It’s the reason we continually monitor and refine our pricing structures to ensure every organization is able to protect themselves from today’s most malicious cyberattacks. And we’re proud to say that NSS Labs found SonicWall to offer the second-lowest TCO with $4 cost per protected Mbps.

NSS Labs calculates TCO across a three-year period. At a high level, the formula includes:

  • Year 1 Purchase Price
  • Year 1 Installation & Labor
  • Year 1 Maintenance Costs
  • Year 2 Maintenance Costs
  • Year 3 Maintenance Costs

According to NSS Labs, “Calculations are based on a labor rate of $75 (USD) per hour and vendor-provided pricing information. Where possible, the 24/7 maintenance and support option with 24-hour replacement is used, since enterprise customers typically select that option. Pricing includes one enterprise-class CMS to manage up to five devices.”

As a best practice, enterprises and security-conscious organizations should include TCO as part of their NGFW evaluations, including:

  • Acquisition costs for NGFW and a central management system (CMS)
  • Fees paid to the vendor for annual maintenance, support and signature updates
  • Labor costs for installation, maintenance and upkeep

NSS Labs Affirms SonicWall Excellence in Security Value Map

On June 6, 2017, NSS Labs published its annual 2017 Next-Generation Firewall (NGFW) Test Report and Security Value MapTM (SVM). For the first time in five years, NSS Labs did not place SonicWall in its “Recommended” quadrant of the SVM. In response, SonicWall immediately resolved the identified issues, automatically updated our firewalls worldwide, and was then publicly retested by NSS Labs to place in its upper right quadrant.

The results of this public retest mean that, SonicWall has excelled in the industry’s most comprehensive, real-world testing of NGFWs once again. With its updated 2017 findings, NSS Labs verifies that the SonicWall NSA 6600:

  • Blocked 99.76% of real-time, real-world live exploits
  • Tested 100 percent effective in countering all advanced HTTP evasion, obfuscation and fragmentation techniques
  • Earned 100 percent in stability and reliability, firewall, application control and identity awareness tests

Rapid response

It is perfectly normal in these types of cyber war games to uncover security gaps. It took NSS Labs five years and seven iterations of its test methodology to introduce a new evasion technique that uncovered a security gap in the SonicWall device.  In the initial tests, the SonicWall NSA 6600 running SonicOS version 6.2 had failed a number of HTTP evasion test cases.  After analyzing the evidence provided by NSS Labs, SonicWall immediately mitigated the identified issues with an automatic worldwide update to our security services on our installed base of next-generation firewalls.

Affirmation from NSS Labs

Only one vendor has been able to maintain the NSS Labs Recommended rating for all five years since the NGFW report first published.  In fact, for four years straight, SonicWall was one of only two vendors to be recommended each year, and in last year’s test, we earned a 100% score in the evasions category.

With SonicWall’s updates, NSS Labs retested the NSA 6600 using the same HTTP evasion techniques with a modified exploit. NSS Labs verified that SonicWall was no longer susceptible to the previously cited HTTP evasion techniques. The NSA 6600 now consistently blocks tested HTTP evasion techniques. NSS Labs noted this in both its SVM and its individual SonicWall SVM test report.

As the graph below shows, the SonicWall NSA 6600 now is strongly positioned in the upper right quadrant.  The blue dot (Figure 1) shows the new SonicWall positioning and demonstrates that the SonicWall NSA 6600 is one of the highest-rated, best-valued NGFWs in the industry, with scores of 97.8% Security Effectiveness and a low TCO of $10 per Protected Mbps.  Another critical data point is that in this retest, the SonicWall NSA 6600 scored 100 percent of evasions in the HTTP evasion test. (Figure 2).

NSS Labs

SonicWall recognizes and values NSS Labs long-standing reputation as an unbiased third party product test and validation organization. We endorse NSS Labs’ test methodology and trust its results. NSS Labs tests have produced extremely useful test results that challenge security vendors to be continuously vigilant. The value of this type of service is maximized when the tests uncover security gaps in security devices before real adversaries do.

Flexible, automated, self-healing security

More importantly, the flexibility of our solution allowed us to automatically provide protections for the evasions NSS Labs discovered to all of our worldwide firewalls, with no need for firmware updates. This flexibility is unique in the market, and a core strength of SonicWall’s automated real-time breach detection and prevention solution, consisting of our next-generation firewalls, intrusion prevention, gateway anti-malware, Capture Advanced Threat Protection, email security and secure remote access products.

In fact, our Capture Labs team provided remediation for the newly discovered NSS issues within 24 hours! This means our customers don’t need to wait for days or even months until new, fully tested firmware is available. Remember, in cases like this, any network is vulnerable until the solution patch is applied.

Staying ahead of the pack

It is important to note that in this year’s NSS Labs SVM, eight of the ten vendors were actually susceptible to the new HTTP evasion test cases. Of the eight, only SonicWall and one other vendor were able to remediate the evasions in an automated fashion.  Tellingly, several vendors placed in the “Recommended” quadrant had still not provided remediation at all. This is why an automated, self-healing solution is absolutely required in today’s extremely fast-paced and complicated cyber threat landscape.

We encourage you to read the full NSS Labs SonicWall Secure Value Map report to learn more.

Avoid Making a Costly Network Security Shortlist Decision

Living the life of a chief security officer (CSO), chief information security officer (CISO) or any title with the word “security” in it nowadays is surely a heart-wrenching experience each day. Far too often, yet another data breach in the news reminds you of the obvious notion that it’s not a matter of if but when you’ll be called upon to manage and contain a security incident in your organization. Regardless of its depth and severity, this has to be very disturbing and there seems to be no end. As a result, you find yourself regularly worrying if you’ve done a thorough job at vetting your cyber-defense system, and determining if it is really doing its job to prevent avoidable attacks on your networks. You understand the stakes. If any part of your security strategy is not functioning at its optimal level, you know your organization is susceptible to countless security risks. The bottom line is you don’t ever want to stand in front of the executives explaining why the company is breached, and dealing with the after-math as a result of a failure in one or more of your security layers. There is a way, however, to help you avoid such a disaster.

Limited resources and shortage of security staff can constrain your ability to carry out a rigorous vendor vetting process. The fundamental question then is what alternatives are there to help you efficiently select potential technologies that can put you in a position of strength and success against evolving threats. As a security leader, you’ve been down this road many times. You‘re aware that choosing the right technology partner with capable solutions to support your security strategy for the long-term is one of the most nerve-wracking but crucial task you must undertake. The range of capabilities and factors impacting your choice are overwhelming. You understand very well that making a poor choice could end up costing your organization millions in breach remediation expenses, immeasurable brand damage, loss of public confidence and possibly even your career. To help avoid such a costly decision when shortlisting possible vendors and their solutions for proof of concept (PoC) consideration or making the purchase, there are highly specialized market research companies that are well-recognized by the security industry for their reputable and impartial validation of network security quality and effectiveness that you can confidently use when making your selections.

The difficulty here is that there are many market research companies available. Most have specialization in a variety of technologies including network security. And to make things a little more complicated, each has it its own definition, criteria and approach to how vendors are evaluated and graded for their security effectiveness, performance and cost of ownership. The results often vary among them especially those that are vendor-sponsored research. Subsidized research and testing are always skewed to make one vendor’s product more favorable than its rival. And as such, these kind of reports lack objectivity, are seldom reliable from a technical perspective, and should not be viewed as serious research. So who should I depend on? Who do I need to stay clear of? Should I trust its finding completely? Where do I start? These are some good questions to help set clear direction and decision points. From our point of view, a good place to start is to give greater attention to independent research companies that are self-funded, has zero connection to any one vendor and focus exclusively on cyber-security. More importantly, you would also want the research to be fully verified by extensive public testing using different permutation of actual real-world use cases that best match your unique security environment requirements.

One particular company has differentiated itself in the IT security category over the past few years: NSS Labs. It is now broadly recognized as the world’s trusted authority in providing unbiased, independent, security product test reports and security intelligence services. NSS Labs reporting can help you shortlist vendors and their products based on empirical laboratory test results as opposed to fuzzy marketing, product surveys, opinion based analysis and/or peer-to-peer recommendation. The NSS Labs Test report is the ultimate validation of network security performance, resiliency and efficacy under various network traffic mixes and loads that mimic real-world use cases.  Download a free copy of the NSS Labs Test Report to gain knowledge of key performance indicators essential to the success of your cyber-defense strategy.

Five Essentials for Best of Breed Next Gen Firewalls

Beyond basic network firewall testing scenarios, the specialized firewall testing tools needed to accurately assess next-generation firewall (NGFW) security effective remain out of reach to any but the largest IT department budgets. Therefore, most organizations look to independent hands-on test results from respected research laboratories such as NSS Labs. NSS Labs uses a very specific testing methodology that is run on each of the NGFWs being tested. Their Next-Generation Firewall Product Analysis Report provides detailed information on how a specific firewall scored when tested in these key essential areas:

  • Security Effectiveness
  • Performance
  • Stability and Reliability
  • Management and Configuration
  • Total Cost of Ownership

Security Effectiveness

Security effectiveness verifies that the firewall being tested is capable of enforcing the security policy effectively. Security effectiveness tests include:

Firewall Policy enforcement

Incremental tests that build configuration from simple to complex real world policy consisting of many addresses, policies, applications, inspection engines, protection from DoS attacks, IP spoofing.

Application Control

Firewall is tested to see if it can correctly determine application regardless of ports/protocols used and enforce appropriate application policy granularity.

User/Group ID aware policies

Correctly determine user/group from deep packet inspection and enforce policy with user awareness.

Intrusion Prevention

Correctly block malicious traffic “out of the box” using the default policy (for this test no IPS tuning is allowed).
Evasion Decode/Block basic obfuscated exploits and provide accurate alert based on the actual attack not be fooled by the evasion technique itself.

How did SonicWall next-generation firewalls do? Passed all criteria. Noteworthy SonicWall results included a 97.9 percent exploit block rate. No NGFW tested achieved 100 percent exploit block rate due to constantly changing NSS Labs test suite. However, over the last three years SonicWall has consistently been rated in the leaders quadrant and has demonstrated consistent improved block rate year over year.

Performance

Measures how well a given NGFW performs when subjected to various traffic conditions. No two networks will have the exact same characteristics but this test does provide metrics to gauge if a given NGFW is appropriate in a given environment.

Raw Packet Processing Performance (UDP packets of various sizes are tested) Measures raw packet processing capability of each of the NGFWs in-line port pairs, packet forwarding rate is measured for highest performance /lowest latency.
Latency (packet loss/average latency) Determine the effect the NGFW has on traffic passing through it under various loads. Traffic passes through all port pairs simultaneously.
Maximum Capacity ( generates TCP session based connections and HTTP transactions) Stress the inspection engine with Multi-Gigabit “Real World” traffic generated to determine expected user response times, max connections per second, concurrent open connections, application transaction per second on a backdrop of a heavily utilized network.
HTTP Capacity ““ No Transaction Delay (uses HTTP GET request) How much HTTP traffic can be passed of varying packet sizes and various connection per second loads.
Application average response time ““ HTTP (across all in-line port pairs simultaneously) Measures average HTTP latency using various packet sizes at 90 percent of max load.
HTTP Capacity with Transaction Delay Same as above except introduces 5 second server response delay, forces a high number of open connections.
Real World Traffic (generates protocol mix usually seen by industry verticals, i.e. Financial, education, Data Center, Mobile Carrier, etc”¦ ) Same as previous test, excepts adds additional protocols and real content.

Stability and Reliability

These tests measure how well a next-generation firewall passes legitimate traffic while under attack. To pass, the NGFW must be able to block and alert on 100 percent of the attacks previously blocked while remaining operational.

Blocking under Extended Attack Measures consistency of Blocking. Sends continuous policy violations at 100Mbps over 8 hours.
Passing Legitimate Traffic Under Extended Attack Same as previous test except legitimate traffic is sent in addition. NGFW must pass all legitimate traffic.
Behavior of State Engine Under Load ( Can the NGFW preserve state across large number of connections over extended time. Must not exhaust resources allocated to state tables or “˜leak’ connections through after theoretical max concurrent connection is reached.
Protocol Fuzzing and Mutation Sends random, unexpected, or invalid data to the NGFW, verifies NGFW remains operational and detects/blocks exploit throughout the test.
Power Fail Power is turned off while passing traffic, NGFW should fail closed after power is cut.
Persistence of Data Measures if NGFW retains policy, configuration, log data when restored from power failure.

Total Cost of Ownership and Value

Measures overall costs over of deployment, maintenance and upkeep over the useful life of the product.

Product Purchase Cost of acquisition
Product Maintenance Fees paid to vendor (hardware maintenance, subscription services, etc”¦)
Installation Time required to make the NGFW operational out of the box.
Upkeep Time required to apply vendor supplied firmware, updates, patches.

5 Key Performance Indicators to measure

The SonicWall Security Threat Research team sifts through hundreds of thousands of unique malware samples daily. In their latest threat report, they’ve documented that businesses continue to be under attack in ways that are increasingly difficult to defend against. We often see threat actors using combinations of evasion techniques and modifying their attacks vectors to circumvent firewalls and intrusion detection systems. The multitude of published security breaches proves that many existing network security controls are not working effectively against today’s modern threats. For companies that have been fortunate thus far, it’s time to face some tough questions about your security risks.

  • Are the company’s network security controls doing an effective job?
  • Are we testing and measuring its effectiveness thoroughly? What are the key quantifiable performance metrics?
  • Where do we need to improve to gain a better security posture?

Understandably there are many other important risk-related inquiries concerning different security controls that also require our attention. However, we’ll narrow the focus of this discussion primarily on next-generation firewalls (NGFWs) given their principal role in facilitating secure business communications and data exchanges over the Internet. Thus, the stability, reliability and most importantly, security effectiveness of the NGFW device is imperative when it comes to protecting the confidentiality, integrity, and availability of an information system and its information.

Picture of SonicWall's SuperMassive E10000 Series model

The concept of a “security effectiveness” score is generally recognized today as a decisive network security metric used by IT organizations across all industries. The computed rating helps decision makers establish a reference level in assessing the quality and efficacy of an NGFW based upon “5 performance indicators” identified by NSS Labs, a well-trusted independent information security research firm that supports its product analysis through exhaustive laboratory testing. NGFW devices are tested and rated for their effectiveness, performance, manageability and cost of ownership to provide answers to tough questions faced by IT professionals when selecting and implementing security products. So when NSS documents these scores and makes its recommendations in its published reports, it is solely based upon empirical test data. Testing is performed starting with a baseline configuration to more complex, real-world configurations that simulate varying use cases. The firewall ranking is heavily weighted on 5 key performance indicators that determine the effectiveness score verifying that the firewall is capable of the following:

  1. Intrusion Prevention – correctly blocking malicious traffic based on a comparison of packet/session contents against signatures/filters/protocol decoders without false positives.
  2. Evasion – accurately detecting and blocking known exploits when subjected to varying evasion techniques.
  3. Application Control – accurately executing outbound and inbound policies consisting of many rules, objects, and applications and identifying the correct application, and taking the appropriate control action.
  4. Firewall Policy Enforcement – correctly enforcing firewall rules that permit or deny access from one network resource to another based on identifying criteria such as source, destination, and service.
  5. Stability and Reliability – maintaining security effectiveness while passing malicious traffic under normal or heavy conditions.

The NSS security effectiveness report is the ultimate validation of NGFW quality and performance. The report contains a full range of tests results that have direct relevance towards the evaluation and selection of a capable NGFW to protect and secure your organization. Some of the interesting findings include exploit block rate, coverage by attack vector, impact type and popular applications and resistance to various combination of advanced evasive attacks. As an IT security leader responsible for information and network security in your organization, I’d like to share with you a copy of the NSS Labs report that is packed with important information to serve as a guide when measuring the security effectiveness of your current firewall.