Tag: Cisco

MEF and CyberRatings Kick-Off Beta Program of the SASE Certification Designed to Increase Market Confidence in Cybersecurity Solutions

Posted on by CyberRatings.org

Dallas, Texas, 3 October 2023 – MEF, a global industry association of network, cloud, security, and technology providers accelerating enterprise digital transformation, and CyberRatings.org (CyberRatings), dedicated to providing confidence in cybersecurity products and services through its research and testing programs, today announced the kick-off of its beta program for certification of Secure Access Service Edge (SASE) products and services. Participants in the beta program include MEF Technology Advisory Board (TAB) member companies Cisco, Fortinet, Juniper Networks, Palo Alto Networks, Versa Networks, and VMware. The SASE certification program is supported by MEF’s Board of Directors which includes senior executives from AT&T Business, Colt Technology Services, Comcast Business, Liberty Latin America, Lumen, Microsoft, PCCW Global, Orange, Sparkle and Verizon Business.

Read the full press release here.

Enterprise Firewall Comparative Test Results Show That Encryption and Evasions Matter

Posted on by CyberRatings.org

AUSTIN, Texas – RSAC 2023 – April 25, 2023 – CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of eight market leading security vendors in its Enterprise Firewall comparative evaluation. Six products received Recommended ratings with high security effectiveness scores ranging from 94.05% to 99.94%.

Security Effectiveness tests measured how well the enterprise firewall controlled network access/applications and prevented exploits/evasions, all while remaining resistant to false positives. Products were subjected to thorough testing to determine their support for TLS/SSL 1.2 and 1.3 cipher suites, how they defended against 1,724 exploits, whether protection could be bypassed by any of 1,482 evasions, and if the devices would remain stable under adverse conditions.

Performance was measured using both clear text and encrypted traffic in order to provide more realistic ratings that are based on modern network traffic. Performance was measured with security enabled, and security effectiveness was measured while under moderate performance load. This was to ensure vendors did not take security shortcuts to improve performance nor enable overly aggressive security protections that would adversely impact performance. Connection rates and throughput of TLS 1.2 and TLS 1.3 encrypted traffic were significantly lower. Average connection rates of encrypted traffic were between 65% to 86.5% lower than unencrypted traffic.

Evasions were measured by taking several previously blocked attacks and then applying evasion techniques to those baseline samples. This ensured that any misses were due to the evasions, not the baseline samples. Several vendors missed evasions, with one vendor missing 72 evasions.

Key Findings:

  • Encryption matters: Roughly 80% of web traffic is encrypted. The top four cipher suites account for over 95% of HTTPS traffic.
    • Decryption is not on by default: Firewalls will not see attacks delivered via HTTPS unless configured to do so.
    • There is a performance cost when TLS/SSL is turned on. Sometimes performance is significantly different.
  • When a “known good” exploit is blocked by a firewall, applying an evasion technique to that exploit is often easier for an attacker than finding a new exploit that isn’t blocked by that firewall.
    • Many firewall evasion defenses are not on by default, potentially leaving customers at significant risk.
    • Most enterprises are not testing for evasions.
    • Some products have concerning gaps when it comes to evasions.
  • At times, CyberRatings found multiple signatures/rules for the same CVE, with some more effective than others.
    • Attempts to provide rapid coverage for vulnerabilities that are not fully understood can result in multiple exploit-specific signatures that may be inaccurate, ineffective, or prone to false positives.
    • A single poorly written signature/rule can significantly impact performance.

“Firewalls are the keystone of most network security programs,” said Vikram Phatak, CEO of CyberRatings.org. “It is concerning that some market share leaders are falling behind. CISOs should put pressure on those vendors to improve and look at alternatives in case they don’t.”

The following products were evaluated:

  • Check Point Quantum QLS250 Lightspeed R81.20
  • Cisco Firepower 2130 v7.3.1-19
  • Forcepoint 2205 NGFW version 7.0.1.28052
  • Fortinet FortiGate 600F v6.4.12 build5431 (GA)
  • Juniper Networks SRX4600 22.3R1.12
  • Palo Alto Networks PA-3220 v10.2.3
  • Sangfor NGAF 5300 AF8.0.47.1004
  • Versa Networks CSG5000 versa-flexvnf-22.1.1-B

CyberRatings.org Announces Results from First-of-its-Kind Comparative Test on Cloud Network Firewall

Posted on by CyberRatings.org

AUSTIN, Texas – December 1, 2022 – CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of eight market leading security vendors in its first-ever Cloud Network Firewall comparative evaluation. Forcepoint, Fortinet and Juniper’s test reports were published earlier in the year, all with ‘AAA’ ratings. In this latest release of test reports, Check Point and Versa Networks received a ‘AAA’ rating. Palo Alto Networks received an ‘AA,’ Sophos an ‘A,’ and Cisco ‘CC.’

The test covered capabilities considered essential in a firewall including basic routing, access control, SSL / TLS decryption, threat prevention (exploits), evasion, performance, stability and reliability, and management. Amazon Web Services (AWS) was the public cloud service chosen to run the test. Ratings were calculated using a scale from 0 to 800.

Key Findings include:

  • Cloud services assume a shared security model, where cloud providers are responsible for the infrastructure and customers are responsible for securing the applications running on the infrastructure.
  • Roughly 80% of web traffic is encrypted and firewall decryption is not on by default: Firewalls will not see/block attacks delivered via (encrypted) HTTPS unless configured to do so.
  • Security vendors are used to controlling the platform on which their products are installed. In the cloud, they do not have that control; vendors are learning how to operate under these new conditions and there will be challenges.
  • Supply Chain attacks are on the rise. Using the cloud means relying on third parties to maintain software supply chain integrity. APIs, code reuse, open-source libraries, not maintained code, and other shared resources introduce unknown risks.

Security effectiveness scores ranged from 27% to 100%. The security effectiveness tests verified how effectively the firewall protected control network access, applications, and users while preventing threats (exploits and evasions), blocking malicious traffic while under extended load, and remaining resistant to false positives. Exploit block rates ranged from 88.3% to 100%. All products achieved 100% for resistance to evasion techniques.

“Security is your problem, not Amazon’s,” said Vikram Phatak, CEO of CyberRatings.org. “If you are migrating your data center to the cloud, create a plan for securing it,” Phatak added. “And if you needed a firewall for your data center, you probably need one for your cloud deployment.”

There are different ways consumers can purchase security products for the cloud. The individual test reports reflect the bring-your-own-license model while the comparative report illustrates the pay-as-you-go pricing. Both pricing models provide consumers with options to compare pricing on items important to their own organizations.

Cloud Network Firewall (CNFW) Test Update

Posted on by Vikram Phatak

Today we published our test report of Forcepoint’s Cloud Network Firewall (CNFW). This follows last month’s publication of Fortinet’s Cloud Network Firewall at the RSA Conference in San Francisco. These are the first two publications from the Cloud Network Firewall group test. Testing covered Management & Reporting Capabilities, Routing and Policy Enforcement, SSL/TLS Functionality, Threat Prevention and Performance. Amazon Web Services (AWS) was the cloud provider.

We have been asked who else is in the test, and we want to let everyone know there is more coming!! We expect several more products to be added to the test before we publish our comparative report in a few months. The next reports to be published will be Juniper and Versa, which are currently being tested. I don’t mean to be coy about the specifics of when and who all will be published; this is a new test and like anything new, testing the first few products takes time. We ask everyone to bear with us while we go through these growing pains.

As a reminder, we ask that you please tell us which technologies and vendors you would like to see us test. The easiest way is to email us at members@cyberratings.org.

Thank you,
Vikram Phatak
CEO

CyberRatings.org Announces 2021 Enterprise Firewall Product Ratings

Posted on by CyberRatings.org

AUSTIN, Texas – February 9, 2021 – CyberRatings.org has begun its publication of the 2021 Enterprise Firewall + SSL/TLS Product Ratings with the first two reports for Palo Alto Networks and Cisco published today. Eleven market leaders are part of this group comparative test that will culminate with the Comparative Rating announcement later this month. CyberRatings determines a vendor’s inclusion in a group test based on an analysis of the market and an understanding of the criteria important to consumers. Elements considered are:

  • Vendor market presence 
  • Products identified by industry analysts covering the specific technology area
  • Consumer requests for a product to be included in a test
  • Innovative technology or solution (requires internal vetting for emerging vendors)

Dedicated to providing transparency on cybersecurity product efficacy, CyberRatings has already initiated new testing programs to fill the void left by the closure of NSS Labs. Tests currently underway are Browser Protection and Cloud Network Firewall. Cloud Native Security, Cloud XDR, Endpoint Protection and SASE are also on the test road map. “The team and I have been touched by the outreach from the cybersecurity community,” said Vikram Phatak, Chairman and CEO at CyberRatings. “It’s not often you get a second chance to do something right. We’re looking forward to working with the community to identify where we can be helpful,” Phatak added. Community Members have free access to the 2021 Enterprise Firewall Methodology. A $100 PAID Membership is required to gain access to the detailed reports. To participate in an upcoming test, email info@www.cyberratings.org.

Additional Resources: