NGFW Test Methodology v8.0

NGFW Test Methodology v8.0

Publish Date: December 7, 2017

Firewall technology is one of the largest and most mature security markets. Firewalls have undergone several stages of development, from early packet filtering and circuit relay firewalls to application layer (proxy-based) and dynamic packet filtering firewalls. Throughout their history, however, the goal has been to enforce an access control policy between two networks, and they should therefore be viewed as an implementation of policy.

A firewall is a mechanism used to protect a trusted network from an untrusted network, while allowing authorized communications to pass from one side to the other, thus facilitating secure business use of the Internet. With the emergence of new web applications and security threats, however, firewalls are evolving further. Next generation firewalls (NGFWs) traditionally have been deployed to defend the network on the edge, but enterprises have expanded deployment options to include internal segmentation.

As Web 3.0 trends push critical business applications through firewall ports that previously were reserved for a single function, such as HTTP, legacy firewall technology is effectively blinded. It is unable to differentiate between actual HTTP traffic and non-HTTP services tunneling over port 80, such as VoIP or instant messaging. Today, application-level monitoring must be performed in addition to analysis of port and destination. Firewalls are evolving to address this increased complexity.

It is no longer possible to rely on port and protocol combinations alone to define network applications. The next generation firewall (NGFW) must be capable of performing deep packet inspection on all packets, on all ports, and over all protocols in order to determine which applications are running over which ports and thus secure them effectively. In addition, with the expanded use of SSL/TLS in much of the traffic traversing the modern network, inspection of encrypted content is required.

This methodology describes how NSS will evaluate NGFW products to provide an objective and fair assessment of the technology.

As with all NSS Labs group tests, there was no fee for participation. All testing was conducted independently and was not paid for by any vendor.