Exploring the Landscape of Cloud Network Firewalls Available on AWS

Today we focus on the diverse array of Cloud Network Firewalls available on Amazon Web Services (AWS). This comprehensive overview aims to inform IT professionals, network administrators, security analysts, and cybersecurity enthusiasts about the various firewall options on AWS, beyond just AWS’s native offerings.

Cloud Network Firewalls on AWS: A Broad Spectrum

AWS hosts a range of third-party cloud network firewalls, each offering unique features and capabilities tailored to different organizational needs. Here’s a rundown of some key players:

  1. Arista Networks Cloud Network Firewall
    Arista Networks provides a cloud network firewall offering for AWS environments, with a focus on traffic management and security. Its features include firewall capabilities, detailed traffic inspection, and policy enforcement tools. The offering is designed for compatibility with complex network architectures, providing various deployment options to meet diverse cloud security requirements.
  2. Barracuda CloudGen Firewall
    The Barracuda CloudGen Firewall, designed for AWS, offers security for cloud-connected networks. Its features encompass threat protection, VPN connectivity, and application-based traffic management. The firewall is developed to adapt to the evolving requirements of cloud infrastructures and includes centralized management for administration across distributed network setups.
  3. Check Point CloudGuard
    Check Point CloudGuard is a network security offering for AWS, including features like intrusion prevention, identity awareness, and anti-bot technology. It is designed for AWS service integration, aiming to protect cloud assets. CloudGuard supports auto-scaling to adapt its security measures in response to network traffic variations. This offering is intended for cloud environments, providing capabilities for managing security policies and handling network traffic.
  4. Cisco Cloud Network Firewall
    Known for its Firepower series and ASA (Adaptive Security Appliance) platforms, Cisco offers a cloud network firewall tailored for AWS environments, equipped with features to manage network traffic and enforce security policies. This offering includes capabilities for inspecting and controlling traffic flow, as well as implementing security rules across cloud deployments. Designed to integrate with AWS, Cisco’s firewall aims to provide network security management suited to various cloud infrastructure requirements.
  5. Forcepoint Cloud Network Firewall
    Forcepoint’s cloud network firewall for AWS offers capabilities like SD-WAN integration and centralized management to safeguard network perimeters in cloud environments. The Forcepoint offering is structured to provide security management for cloud-based networks. It incorporates features for monitoring network activities and implementing security protocols to address potential threats.
  6. Fortinet FortiGate-VM
    The Fortinet FortiGate-VM is a virtual firewall solution tailored for AWS environments, providing a range of network security capabilities. It offers features such as intrusion prevention, web filtering, and SSL inspection, aimed at safeguarding virtualized and cloud infrastructures. Key aspects include its ability to scale dynamically with AWS workloads, integration with AWS services for enhanced management and monitoring, and support for centralized control through Fortinet’s FortiManager. FortiGate-VM is designed to address various security requirements for AWS deployments, from basic VPC protection to advanced threat prevention, catering to diverse network architectures and compliance needs. As with any cloud network firewall solution, its effectiveness and suitability can vary based on specific organizational requirements and network configurations.
  7. Hillstone Networks
    Focused on visibility and control, Hillstone offers advanced features for threat detection and mitigation. The offering includes capabilities for inspecting network activities and enforcing relevant security measures. Hillstone’s firewall is developed to support the security needs of cloud deployments, providing functionalities that facilitate the management of network traffic and the implementation of security policies in cloud environments.
  8. Juniper Networks vSRX Cloud Network Firewall
    Juniper Networks offers the vSRX Cloud Network Firewall for AWS, providing network traffic management and policy enforcement. This firewall includes features for monitoring network activities and implementing security protocols. The vSRX offering is designed for AWS environments, aiming to address various network security management needs in cloud infrastructures.
  9. Palo Alto Networks VM-Series
    The VM-Series from Palo Alto Networks is a cloud network firewall available on AWS, focusing on network traffic security and policy management. It offers features for inspecting network traffic and applying security rules. The VM-Series is developed to integrate with AWS, providing network security capabilities for different cloud deployment scenarios.
  10. Sophos UTM and XG Firewalls
    Sophos offers the UTM and XG Firewalls for AWS environments, delivering features to manage network security and traffic. These firewalls include tools for network activity monitoring and security protocol enforcement. Both the UTM and XG Firewalls by Sophos are structured to support security management in cloud-based networks, with functionalities aimed at maintaining network integrity and implementing necessary security measures.
  11. Versa Networks Cloud Network Firewall
    Versa Networks specializes in next-generation firewall capabilities integrated with SD-WAN, suitable for enterprises looking for a combination of security and network optimization. Its cloud network firewall solution for AWS is equipped to handle network security and traffic control. Versa Networks’ firewall is tailored for AWS cloud environments, focusing on meeting diverse network security management requirements in cloud infrastructures.

Choosing the Right Cloud Network Firewall on AWS

Selecting the right cloud network firewall on AWS depends on specific security requirements, scalability needs, and integration capabilities. Factors to consider include:

  • Security Features: Assess the firewall’s capability to protect against the specific threats your organization faces.
  • Performance and Scalability: Ensure the firewall can handle your current and projected traffic volumes without compromising performance.
  • Integration with AWS Services: Look for firewalls that offer seamless integration with other AWS services for streamlined security management.
  • Cost: Consider both upfront and ongoing costs associated with each firewall solution.

Conclusion

The choice of a cloud network firewall on AWS should be guided by your organization’s unique security, performance, and budgetary requirements. Each of the mentioned firewalls brings distinct advantages and specialties to the table, catering to a wide range of cloud-based security needs.

Stay tuned for our Cloud Network Firewall test results coming in March.

CyberRatings.org Announces SD-WAN Test Results for Fortinet

Austin, TX – October 3, 2023 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has issued a Recommended Rating for Fortinet’s Software-Defined Wide Area Network (SD-WAN), tested with FortiGate 100F models deployed as a high-availability pair at the head end and FortiGate 70F models at corporate headquarters, a regional office, and a retail outlet. “Recommended” is the highest rating CyberRatings assigns.

SD-WAN technology helps organizations achieve operational savings by enabling remote configuration of new locations rather than requiring engineers to be on site. Many vendors, such as Fortinet, offer zero-touch provisioning, where no on-site engineering expertise is needed beyond powering up the device and connecting it to the appropriate internal and external links. Once online, the device “calls home” to a cloud configuration service to retrieve its configuration.

An SD-WAN offers traditional routing and policy control features, including basic application identification, policy controls, stateful network controls and a virtual private network (VPN). It prioritizes applications, supports remote configuration, and should give users a predictable performance experience. SD-WANs provide highly resilient remote-office connectivity.

To assess the SD-WAN, the traffic content, throughput, transport, and impairments were tailored for each use case to provide insight into how the SD-WAN would perform under various conditions. Management, routing and stateful access control, encryption, application identification and prioritization, WAN maximum capacity, stability and reliability, and rated throughput were all rigorously tested.

“The Fortinet SD-WAN handled all use cases with ease and proved to be highly reliable and capable. It should be on everyone’s short list,” said Vikram Phatak, CEO of CyberRatings.org.

SD-WAN is a component of the Secure Access Service Edge (SASE) security model which integrates multiple security services in a cloud-native platform. The SD-WAN report published today by CyberRatings is part of the independent, third party testing program that CyberRatings provides to the industry at large.

In addition, CyberRatings and MEF, a global industry association of network, cloud, security and technology providers, signed an agreement in August to launch a new SASE Certification Program for MEF technology and service provider members worldwide. The SASE certification program, based upon CyberRatings’ methodologies and test programs, will issue a rating on product and service effectiveness of SD-WAN, Security Service Edge (SSE Threat Protection), Zero Trust Network Access (ZTNA) and SASE. Participants in the beta program were announced today.

CyberRatings members can read Fortinet’s SD-WAN report here.

MEF and CyberRatings Kick-Off Beta Program of the SASE Certification Designed to Increase Market Confidence in Cybersecurity Solutions

Dallas, Texas, 3 October 2023 – MEF, a global industry association of network, cloud, security, and technology providers accelerating enterprise digital transformation, and CyberRatings.org (CyberRatings), dedicated to providing confidence in cybersecurity products and services through its research and testing programs, today announced the kick-off of its beta program for certification of Secure Access Service Edge (SASE) products and services. Participants in the beta program include MEF Technology Advisory Board (TAB) member companies Cisco, Fortinet, Juniper Networks, Palo Alto Networks, Versa Networks, and VMware. The SASE certification program is supported by MEF’s Board of Directors which includes senior executives from AT&T Business, Colt Technology Services, Comcast Business, Liberty Latin America, Lumen, Microsoft, PCCW Global, Orange, Sparkle and Verizon Business.

Read the full press release here.

Enterprise Firewall Comparative Test Results Show That Encryption and Evasions Matter

AUSTIN, Texas – RSAC 2023 – April 25, 2023 – CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of eight market leading security vendors in its Enterprise Firewall comparative evaluation. Six products received Recommended ratings with high security effectiveness scores ranging from 94.05% to 99.94%.

Security Effectiveness tests measured how well the enterprise firewall controlled network access/applications and prevented exploits/evasions, all while remaining resistant to false positives. Products were subjected to thorough testing to determine their support for TLS 1.2 and TLS 1.3 cipher suites, how they defended against 1,724 exploits, whether protection could be bypassed by any of 1,482 evasions, and whether the devices would remain stable under adverse conditions.

Performance was measured using both clear text and encrypted traffic in order to provide more realistic ratings that are based on modern network traffic. Performance was measured with security enabled, and security effectiveness was measured while under moderate performance load. This was to ensure vendors did not take security shortcuts to improve performance, nor enable overly aggressive security protections that would adversely impact performance. Connection rates and throughput for TLS 1.2 and TLS 1.3 encrypted traffic were significantly lower than for clear text: average connection rates for encrypted traffic were between 65% and 86.5% lower than for unencrypted traffic.

Evasions were measured by taking several previously blocked attacks and then applying evasion techniques to those baseline samples. This ensured that any misses were due to the evasions, not the baseline samples. Several vendors missed evasions, with one vendor missing 72 evasions.

Key Findings:

  • Encryption matters: Roughly 80% of web traffic is encrypted. The top four cipher suites account for over 95% of HTTPS traffic.
    • Decryption is not on by default: Firewalls will not see attacks delivered via HTTPS unless configured to do so.
    • There is a performance cost when TLS/SSL decryption is turned on, and it can be significant.
  • When a “known good” exploit is blocked by a firewall, applying an evasion technique to that exploit is often easier for an attacker than finding a new exploit that isn’t blocked by that firewall.
    • Many firewall evasion defenses are not on by default, potentially leaving customers at significant risk.
    • Most enterprises are not testing for evasions.
    • Some products have concerning gaps when it comes to evasions.
  • At times, CyberRatings found multiple signatures/rules for the same CVE, with some more effective than others.
    • Attempts to provide rapid coverage for vulnerabilities that are not fully understood can result in multiple exploit-specific signatures that may be inaccurate, ineffective, or prone to false positives.
    • A single poorly written signature/rule can significantly impact performance.
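The evasion methodology described above (take an attack the firewall already blocks, transform it, and see whether the same signature still fires) is easy to reproduce on a small scale. The following Python example is added here to illustrate it; it is not CyberRatings’ test harness, and the baseline sample, the signature and the five evasion transforms are all constructed for this illustration rather than taken from the test. The baseline is a generic directory-traversal request path; `naive_match` stands in for a signature applied to the raw request, `normalized_match` for the same signature applied after the kind of canonicalization (percent-decoding, separator and dot-segment cleanup) that the “evasion defenses” mentioned above perform.

```python
import re
import urllib.parse

# Constructed baseline sample: a generic directory-traversal request path.
# It stands in for a "known good" (previously blocked) attack; it is not one
# of the samples used in the CyberRatings test.
BASELINE = "/cgi-bin/view?file=../../etc/passwd"

# A naive, exploit-specific signature that matches the baseline literally.
SIGNATURE = re.compile(r"\.\./\.\./etc/passwd")

# Hypothetical evasion transforms applied to the baseline. Each keeps the
# attack semantically identical for the target server but changes the bytes
# on the wire so the literal signature no longer matches.
EVASIONS = {
    "percent-encoded dots": lambda p: p.replace(".", "%2e"),
    "double-encoded dots": lambda p: p.replace(".", "%252e"),
    "backslash separators": lambda p: p.replace("../../", "..\\..\\"),
    "self-referencing segments": lambda p: p.replace("../../", "../././../"),
    "redundant slashes": lambda p: p.replace("../../", "..//..//"),
}


def naive_match(request_path: str) -> bool:
    """Signature applied to the raw request bytes (no normalization)."""
    return SIGNATURE.search(request_path) is not None


def normalize(request_path: str) -> str:
    """Canonicalize the path roughly the way the target web server would.

    A bounded, repeated percent-decode defeats double encoding; backslashes
    become forward slashes; empty ("//") and "." segments are dropped while
    ".." segments are kept so that traversal stays visible to the signature.
    """
    s = request_path
    for _ in range(3):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\\", "/")
    segments = [seg for seg in s.split("/") if seg not in ("", ".")]
    return "/" + "/".join(segments)


def normalized_match(request_path: str) -> bool:
    """Same signature, applied after normalization."""
    return SIGNATURE.search(normalize(request_path)) is not None


def evaluate() -> dict:
    """Return {sample name: (blocked by naive match, blocked by normalized match)}."""
    results = {"baseline": (naive_match(BASELINE), normalized_match(BASELINE))}
    for name, transform in EVASIONS.items():
        evaded = transform(BASELINE)
        results[name] = (naive_match(evaded), normalized_match(evaded))
    return results


if __name__ == "__main__":
    for name, (naive, normalized) in evaluate().items():
        print(f"{name:26s} naive={'BLOCK' if naive else 'MISS '}  "
              f"normalized={'BLOCK' if normalized else 'MISS'}")
```

Run stand-alone, the baseline is blocked by both matchers and every transformed variant is missed by the raw-bytes signature but caught once the request is normalized. Two caveats carry over from the findings above: normalization has to mirror what the protected server actually does (over-decoding creates the false positives the test also scores), and it costs CPU on every request, which is one reason such defenses ship disabled and should be verified rather than assumed.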

“Firewalls are the keystone of most network security programs,” said Vikram Phatak, CEO of CyberRatings.org. “It is concerning that some market share leaders are falling behind. CISOs should put pressure on those vendors to improve and look at alternatives in case they don’t.”

The following products were evaluated:

  • Check Point Quantum QLS250 Lightspeed R81.20
  • Cisco Firepower 2130 v7.3.1-19
  • Forcepoint 2205 NGFW version 7.0.1.28052
  • Fortinet FortiGate 600F v6.4.12 build5431 (GA)
  • Juniper Networks SRX4600 22.3R1.12
  • Palo Alto Networks PA-3220 v10.2.3
  • Sangfor NGAF 5300 AF8.0.47.1004
  • Versa Networks CSG5000 versa-flexvnf-22.1.1-B

CyberRatings.org Announces Results from First-of-its-Kind Comparative Test on Cloud Network Firewall

AUSTIN, Texas – December 1, 2022 – CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of eight market leading security vendors in its first-ever Cloud Network Firewall comparative evaluation. Forcepoint, Fortinet and Juniper’s test reports were published earlier in the year, all with ‘AAA’ ratings. In this latest release of test reports, Check Point and Versa Networks received a ‘AAA’ rating. Palo Alto Networks received an ‘AA,’ Sophos an ‘A,’ and Cisco ‘CC.’

The test covered capabilities considered essential in a firewall including basic routing, access control, SSL / TLS decryption, threat prevention (exploits), evasion, performance, stability and reliability, and management. Amazon Web Services (AWS) was the public cloud service chosen to run the test. Ratings were calculated using a scale from 0 to 800.

Key Findings include:

  • Cloud services operate under a shared responsibility model, in which the cloud provider is responsible for the underlying infrastructure and the customer is responsible for securing the applications running on it; a cloud network firewall therefore falls on the customer’s side of that line.
  • Roughly 80% of web traffic is encrypted and firewall decryption is not on by default: Firewalls will not see/block attacks delivered via (encrypted) HTTPS unless configured to do so.
  • Security vendors are used to controlling the platform on which their products are installed. In the cloud, they do not have that control; vendors are learning how to operate under these new conditions and there will be challenges.
  • Supply chain attacks are on the rise. Using the cloud means relying on third parties to maintain software supply chain integrity. APIs, code reuse, open-source libraries, unmaintained code, and other shared resources introduce unknown risks.

Security effectiveness scores ranged from 27% to 100%. The security effectiveness tests verified how effectively the firewall controlled network access and protected applications and users while preventing threats (exploits and evasions), blocking malicious traffic under extended load, and remaining resistant to false positives. Exploit block rates ranged from 88.3% to 100%. All products achieved 100% for resistance to evasion techniques.

“Security is your problem, not Amazon’s,” said Vikram Phatak, CEO of CyberRatings.org. “If you are migrating your data center to the cloud, create a plan for securing it,” Phatak added. “And if you needed a firewall for your data center, you probably need one for your cloud deployment.”

There are different ways consumers can purchase security products for the cloud. The individual test reports reflect the bring-your-own-license model while the comparative report illustrates the pay-as-you-go pricing. Both pricing models provide consumers with options to compare pricing on items important to their own organizations.

CyberRatings.org Invites Industry Participation in Forthcoming Enterprise Firewall and Data Center Firewall Tests

AUSTIN, Texas – October 6, 2022 – CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, will begin testing Enterprise Firewalls and Data Center Firewalls this fall with group test scores and ratings to be released in 2023. Test methodologies have been published at CyberRatings.org and are provided at no charge.

CyberRatings invites all leading vendors to submit their offerings to be tested for free. Products with significant market share, as well as challengers with innovative technologies, will be included at CyberRatings’ discretion. The scope of the methodologies includes security effectiveness, performance, stability and reliability, and total cost of ownership.

Enterprise Firewalls (also known as Next Generation Firewalls) are one of the largest and most mature markets in the industry, projected to grow 10% year over year. A firewall is the first line of defense that monitors incoming and outgoing network traffic. Its purpose is to protect the network by allowing or blocking data packets based on a set of security rules. Without a firewall, networks and data can be vulnerable to thousands of attacks.

“While Cloud Firewalls and SASE are new categories that garner a lot of attention, the Enterprise Firewall market is vast, and while mature, is still growing. Most firewalls remain at the enterprise perimeter or data center,” said Vikram Phatak, CEO of CyberRatings.org. “Our test methodologies are designed to address the challenges faced by enterprise security and IT professionals in selecting and managing security products. We welcome feedback from the community about which firewalls should be tested.”

CyberRatings.org test reports are primarily reserved for members with a paid subscription. In observance of Cybersecurity Awareness Month and courtesy of Keysight CyPerf, CyberRatings.org is making its recent Cloud Network Firewall test reports for Fortinet, Forcepoint and Juniper Networks available for free. Additional products are currently being tested with ratings and a comparative report to be published in the coming weeks.

If you would like to see an Enterprise Firewall or Data Center Firewall product tested, please contact us at [email protected].

Cloud Network Firewall (CNFW) Test Update

Today we published our test report of Forcepoint’s Cloud Network Firewall (CNFW). This follows last month’s publication of Fortinet’s Cloud Network Firewall at the RSA Conference in San Francisco. These are the first two publications from the Cloud Network Firewall group test. Testing covered Management & Reporting Capabilities, Routing and Policy Enforcement, SSL/TLS Functionality, Threat Prevention and Performance. Amazon Web Services (AWS) was the cloud provider.

We have been asked who else is in the test, and we want to let everyone know there is more coming!! We expect several more products to be added to the test before we publish our comparative report in a few months. The next reports to be published will be Juniper and Versa, which are currently being tested. I don’t mean to be coy about the specifics of when and who all will be published; this is a new test and like anything new, testing the first few products takes time. We ask everyone to bear with us while we go through these growing pains.

As a reminder, we ask that you please tell us which technologies and vendors you would like to see us test. The easiest way is to email us at [email protected].

Thank you,
Vikram Phatak
CEO

CyberRatings.org Announces First-of-its-Kind Test on Cloud Network Firewall

AUSTIN, Texas – June 6, 2022 – CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of FortiGate-VM, Fortinet’s virtual network firewall, as part of the first-ever Cloud Network Firewall evaluation. Fortinet received the highest possible rating of ‘AAA’ with Management and Reporting Capabilities, Routing and Policy Enforcement, SSL/TLS Functionality, Threat Prevention and Performance all earning ‘AAA’ ratings.

The CyberRatings exploit repository contains exploits that demonstrate a wide range of protocols and applications. Exploit sets for individual tests are selected based on CVSS score (what can an attacker do?), how widely the affected application is used, use case, and relevance to customers. Fortinet’s Threat Protection was rated excellent, blocking 35 out of 35 evasion techniques and 977 out of 977 exploits, and passing all the stability and reliability tests.

While the firewall market is one of the largest and most mature security technology segments, cloud network firewalls are relatively new. Firewalls have undergone several stages of development, from early packet filtering and circuit relay firewalls to application layer (proxy-based) and dynamic packet filtering firewalls. This latest evolution virtualizes this functionality to provide scalable and elastic policy enforcement in a cloud environment.

“This Cloud Network Firewall test is the first of its kind,” said Vikram Phatak, CEO of CyberRatings.org. “This is a new technology, deployed within a cloud service that by definition is constantly changing, protecting resources that are also deployed within that same cloud service. It is always fun to be the first to test new technologies because we get to learn new things and apply what we have learned,” added Phatak.

“We are extremely proud to have received top marks across all five categories in CyberRatings’ assessment of FortiGate-VM. With cyberattacks more advanced and persistent than ever before, it’s crucial for the safety of people, devices, and data everywhere that cybersecurity products deliver the performance and protection that vendors claim,” said John Maddison, CMO and EVP of Products at Fortinet. “Independent testing from nonprofits like CyberRatings plays a critical role in helping organizations stay ahead of the threat landscape because it offers an unbiased assessment of effective security solutions that meet an evolving set of requirements and aids customers in their decision-making process.”

To read the CyberRatings in-depth report on the various CNFW capabilities offered by Fortinet, go to CyberRatings.org.