Three products are Recommended. Cisco Firepower receives a Caution.
NSS Labs, Inc., has released results of its third annual Data Center Security Gateway (DCSG) Group Test.
Four of the industry’s leading data center deep inspection firewall products were tested to compare product capabilities for security effectiveness (exploit block rate, evasion techniques, and stability & reliability), total cost of ownership (TCO), and performance:
- Cisco FirePOWER 4110 v6.4.0.4
- Fortinet FortiGate 6300F V6.0.4 build8262 (GA)
- Juniper Networks SRX5400 JUNOS 18.2X30.1 Kernel 64-bit JNPR-11.0-20190316.df99236
- Palo Alto Networks PA-5250 9.0.3-h2
Key Findings
- Juniper is reasserting itself in the data center with a strong showing and should be on the short list.
- Fortinet and Palo Alto Networks provided excellent protection.
- Cisco received a Caution rating, with poor security and performance well below claims. Beyond the sub-standard exploit protection, NSS Labs test engineers were able to evade its defenses using a well-known evasion.
- Testing revealed that vendors systematically overstated performance, sometimes dramatically.
- The type of network traffic matters. Performance is largely dependent on connection rates and packet size.
Implementation of DCSG devices can be a complex process with multiple factors affecting overall security effectiveness. Considerations for deployment should include:
- What server operating systems and applications are to be protected?
- What are peak performance requirements?
- Can the security product be bypassed using common evasion techniques?
- How reliable and stable is the device?