Performance is critical when evaluating data center intrusion-prevention systems (DCIPS), which face significantly higher traffic volumes than traditional IPSes.
A typical IPS is deployed at the corporate network perimeter to protect end-user activity, while a DCIPS sits inline, inside the data center perimeter, to protect data-center servers and the applications that run on them. That requires a DCIPS to keep pace with traffic from potentially hundreds of thousands of users who are accessing large applications in a server farm, says NSS Labs, which recently tested five DCIPS products in the areas of security, performance and total cost of ownership.
“Application traffic generates many connections and transactions per request, which places a high demand on a network-security device’s ability to set up many connections quickly, hold many connections open and achieve high throughput rates,” says NSS Labs, which specializes in cybersecurity testing and purchasing guidance for security infrastructure products and services.
NSS researchers tested five products to see how well they can identify and block threats against web servers, application servers and database servers without false positives or degradation of network performance. The five tested products are:
- Fortinet FortiGate 3000D v5.4.5 GA Build 3273
- Fortinet FortiGate 7060E v5.4.5 GA Build 6355
- Juniper Networks SRX5400E v15.1X49-D100.6
- McAfee Network Security Platform NS9100 Appliance v188.8.131.52
- Trend Micro TippingPoint 8400TX v184.108.40.20615
The lab also tested a product from Cisco, but the results are unverified. “NSS was unable to measure the effectiveness and determine the suitability of data-center products from Cisco and therefore cautions against their deployment without a comprehensive evaluation,” the firm states.
After its testing, NSS Labs reports that all five verified products achieved a “recommended” rating for both IPv4 and IPv6.
NSS Labs has made its security value map, which visualizes vendors’ performance, available for free download. The security value map gives a general overview of how well the five different products did in NSS Labs’ group test.
For example, the security effectiveness of the products ranged from an 89% block rate (Trend Micro's TippingPoint 8400TX) to a 98.7% block rate (Fortinet's FortiGate 3000D and Juniper Networks' SRX5400E).
At the high end for throughput is Fortinet’s FortiGate 7060E, which achieved 130,526 Mbps for IPv4 and 70,534 Mbps for IPv6 in NSS testing.
In terms of effectiveness while subjected to normal and excessive load, NSS reports that all five devices were effective against all evasion techniques tested, and they each passed all stability and reliability tests.
The security value map also shows the investment value of each product, which NSS calculates by looking at the total cost of ownership (TCO) per protected Mbps of tested product configurations. TCO per protected Mbps ranged between $3 and $9.
“An enterprise’s most valuable IT assets and intellectual property reside in its corporate data center,” said Jason Brvenik, CTO at NSS Labs, in a statement. “The goal of the DCIPS is to protect these assets from remote attacks. Because DCIPS are typically deployed inline, there is frequently a trade-off between security effectiveness and performance.”
In announcing the availability of its DCIPS testing results, NSS Labs cited research from Mordor Intelligence that predicts increased spending on data-center security solutions, thanks to growing data traffic, a rise in cyber threats, and growth of virtualized data centers. The market is estimated to reach $13.4 billion by 2020, up from $6.7 billion in 2015, Mordor Intelligence says.
For more granular testing results than the freely available security value map, security professionals with an annual research subscription ($1,995 for an individual) can access NSS Labs' comparative reports related to DCIPS performance, security and TCO. The comparative reports go into greater detail about each product’s ability.
The comparative report on DCIPS performance covers results such throughput, latency, concurrent connection capacity, connection rates, HTTP capacity, and real-world traffic mixes, for example. The security-focused comparative report covers IPS exploit blocking capabilities, IPS anti-evasion capabilities, and stability and reliability. The comparative report on TCO goes into greater details on each product’s acquisition costs (for the DCIPS and a central management system); fees paid to the vendor for annual maintenance, support and signature updates; and labor costs for installation, maintenance and upkeep.
Individual test reports are also available for each DCIPS product tested, for $295 each.