Security Product Testing
The NSS Labs blog. Feed author: Rick Moy (http://www.blogger.com/profile/14172850476680018040)


To infinity and beyond!
Posted 2008-06-17

Well, perhaps not as glamorous as Buzz Lightyear's famous launch slogan, but still exciting for the universe, er, industry, is our move to 10Gbps testing and beyond. Today we are launching a mini-webinar series starting July 16, discussing high-speed deep packet inspection testing. More information: http://nsslabs.com/events/webinar-dpi-testing


10 Gbps Intrusion Prevention - Finally?
Posted 2008-06-09

Ladies and Gentlemen, start your engines...

The races are now officially on. After a couple of quiet and not so quiet announcements of 10Gbps network IPS products this last year, it appears the market has achieved a quorum. And NSS Labs is continuing its tradition by leading the industry's first group test of these speed demons. We will be evaluating the security effectiveness of these products at various performance levels, as well as their stability and their usability/management features. See the methodology (link below) if you're interested in the details.

Several vendors are offering appliances boasting true 10Gbps throughput, while others are offering solutions which combine a load balancer with multiple smaller NIPS appliances. There are operational and financial reasons for both approaches. Some of the trade-offs will be discussed in the final group report, to be published in Q4. If you're a vendor, we'd like to hear from you. If you're a user, buyer, or otherwise interested, you may wish to sign up to be alerted when the results are out (newsletter sign-up: http://nsslabs.com/general/newsletter-sign-up.html).

More Info:
- Details of the test announcement: http://nsslabs.com/2008/nss-labs-to-conduct-10-gbps-network-intrusion-prevention-group-test.html
- The preliminary test methodology: http://nsslabs.com/certification/ips/NIPS%20Methodology_v5_22.pdf


PCI Research Survey
Posted 2008-05-29

NSS Labs is collaborating with the Aberdeen Group on a benchmark study regarding best practices for achieving and sustaining PCI DSS compliance. In exchange for your participation in this 15-minute survey, you'll receive a full copy of the final report when it publishes on 6/30/08 (a $399 value). Individual responses will be kept strictly confidential, and data will only be used in aggregate. Take the survey: http://www.aberdeen.com/survey/pci2008

More research from NSS Labs: http://www.nsslabs.com/research


Interview with TechTarget's Neil Roiter on PCI Suitability Reports
Posted 2008-05-21

TechTarget's Neil Roiter and I discussed our new PCI Suitability reports, and how these help merchants seeking compliance to evaluate products before they face a PCI assessment. Listen to the podcast: http://media.techtarget.com/audioCast/SECURITY/NewsmakerNSSLabs_05_19_2008.mp3


PCI Compliant Products
Posted 2008-05-17

Kurt Roemer, CTO at Citrix, recently discussed PCI Compliant Products on his blog (http://community.citrix.com/display/%7Ekurtr/2008/05/16/Santa%20Claus%2C%20Unicorns%2C%20and%20PCI%20Compliant%20Products?focusedCommentId=30933265#comment-30933265), and I agree with his points thoroughly. So, since he mentioned us so kindly, I thought I'd offer some support and clarification.

As I've written before in the NSS Labs blog (http://nsslabs.blogspot.com/), there's no such thing as a PCI compliant product (http://nsslabs.blogspot.com/2007/10/pci-compliance-is-good-thing.html). No product will make you compliant, but having the wrong product, or even the right product incorrectly configured, could impede validation of compliance. From a terminology perspective, we prefer to say that products "address" or "support" compliance (to varying degrees).

That's right, there's no wholesale certification. Different aspects of a product support different requirements either completely, partially, or not at all. And in some cases, the requirements are not even directly applicable to a product. To get the "factual information" that Kurt is calling for, someone has to get their hands dirty with the details. This is what we are about at NSS Labs. Our reports only contain statements of a product's ability to support the specific individual requirements of the PCI DSS that we have empirically validated in the lab. Given that there is no official PCI certification for network/security products (other than PIN entry devices, PEDs), this is a pretty good start. Note: NSS Labs has been certifying network/security products against our openly published standards since the 1990s. Our new reports focus on the suitability of a product for use in merchant networks, using the PCI DSS as a reference.

In this manner, I believe we're helping security and compliance professionals get beyond broad marketing claims and make more informed buying and implementation decisions. (So far, we've released two public PCI Suitability reports (http://nsslabs.com/pci-suitability/index.php) and have a number of others in the queue.)

PS. Eventually I will have 'the talk' with my kids about Santa Claus, Unicorns and PCI compliance. But thankfully, no time soon. ;-)

Thanks Kurt!


Keep It In The Family
Posted 2008-05-09

I am often asked why we only have single product certifications on our Web site, and why we don't certify an entire product family from each vendor. Well, we do, but the problem for the vendor is that it gets very expensive to produce such a certification.

Let me explain.

NSS is ONLY prepared to certify any product after a thorough evaluation of that product. Our view is that performance and security effectiveness BOTH need to be evaluated completely for every product. If you have a range of seven products ranging from 100Mbps to 2Gbps, the vendor might claim that they are all using the same code base, but for them to receive an NSS Approved award we have to verify that fact. After all, if someone tried to convince you that Bart and Lisa were identical because they are both Simpsons, you would be more than a little skeptical, would you not?

We need to put every device in our test rig and subject each one to the same extensive battery of tests that we would for a single product certification. That is the ONLY way to ensure that you, the reader and eventual purchaser of these products, are getting the real information on how these devices will perform in your network. The only thing that stays constant across an entire product family (usually!) is the management interface and usability.

It pains me to see so-called "product family certifications" from other sources, because we know how they are produced; after all, those same vendors are our clients also. We read the "reports" and note the lack of any valid performance figures for each of the products. We note the lack of any individual security effectiveness analyses for the individual products. We note also an abundance of "as reported by vendor" statements in some of these, indicating a willingness to take vendor claims on faith without verifying them. They read like a marketing or branding exercise rather than a technical evaluation: a waste of money for the vendor and a waste of time for the reader.

As a testing house, it may be painful but you DO need to test absolutely everything for every single product in the family. A "representative sample" just does not cut it.

You, dear reader, need to know individual performance details, for example. How can you rely on manufacturers' performance figures? Isn't that why you read NSS reports in the first place? You need to know if the 1Gbps device is going to give you a true 1Gbps across the wire when you load it up, or if you will need to budget for the 2Gbps device instead. If you were buying a TV, wouldn't you want to know why you should consider paying 20% more for the next model in the range? You also need to know that the 100Mbps device doesn't disable fragmentation reassembly or curtail the signature set, opening up huge security holes in the process of trying to get higher performance out of low-end hardware.

That is the value NSS provides with its detailed individual product reports.

Right now, two enlightened vendors are putting their entire UTM product range through our labs, and the results will appear later this year. The advantage for the vendor is that they receive a true NSS Approved award for every device in the product line. The end result for you, dear reader, will not be a single product family report, but one complete report for every device tested, allowing you to make your purchasing or short-listing decisions with absolute confidence.

Rest assured that when you read an NSS report, you will be getting a detailed evaluation of the device under test in terms of usability, security effectiveness and performance. For every single product in the range!

-Bob Walder, CTO/Founder


Toys for Geeks
Posted 2008-05-09

One of the best things about working in a test lab like NSS (http://www.nsslabs.com/) is that we get to play with all the latest, coolest stuff. Well, cool if you are a geek at heart, that is. It might not be an Aston Martin or a Playstation 4, but the new BP10K from BreakingPoint Systems does at least have white "go faster" stripes on the British racing green front panel....

And go faster it does. NSS has spent almost a year evaluating this equipment for use in its labs, and has been using it in earnest for the last few months. This has been a considerable commitment by NSS, given that our extensive methodologies consist of literally hundreds of different performance tests, and moving them to a new platform is no mean feat.

BreakingPoint (http://nsslabs.com/test-equipment/breakingpoint-systems.html) has made this possible with a software architecture and GUI design that abstracts as much as possible of the physical layer of the test rig from the logical requirements of the test. As just one example, converting an existing test from in-line layer 2 to routed layer 3 is the work of only a couple of mouse clicks; there is no need to go through hundreds of test scripts altering IP addresses and default gateways. And there are lots of new cool bells and whistles which will allow us to create incredibly complex tests.

But software isn't cool, is it guys? It's the hardware that gets us excited. And the BP10K can generate complex multi-protocol real-world traffic at line speeds, and that means at 20Gbps (40Gbps full duplex), with 7.5 million concurrent connections and rates of up to 750,000 connections per second from a single appliance with four fiber 10Gbps ports. And you can incorporate multiple appliances in a single test to scale up to hundreds of Gigabits.

In our lab (http://nsslabs.com/test-equipment/index.php), we have mixed 'n' matched BP10Ks and the 2Gbps (4Gbps full duplex) BP1000s to provide us with a total of 60Gbps of traffic generation capability over both 10Gbps fiber and 1Gbps copper interfaces, and this will allow us to standardize on the BPS kit for our Layer 4-7 testing going forward.

All it needs now is a twin exhaust and flashy alloy wheels and we are all set...

-Bob Walder, CTO/Founder


RFI for leading network/test tools
Posted 2008-05-08

NSS Labs continually evaluates and validates testing tools and best practices. This is a necessary step prior to selecting and implementing the best tools in our test methodologies, which result in our publicly published test reports. Our lab engineering team is therefore inviting leading providers of test tools, network infrastructure products and services to brief it on their offerings and roadmaps. Best-in-class products will be selected for use in NSS Labs' next generation test facility. More info: http://nsslabs.com/2008/nss-labs-to-evaluate-best-of-breed-it-and-security-test-products.html


Fastest Public Test of a Network IPS
Posted 2008-05-07

As network traffic continues to grow, so too do the demands on network infrastructures.
As a result, multi-gigabit network IPS devices are gaining traction, and providing essential protection in a switched core environment.

Yesterday, NSS Labs released a milestone report on what is, to date, the fastest independently verified Network IPS product on the market: the IBM/ISS GX6116. (I say to date because there are certainly a couple of 10Gig devices that have recently debuted, and we look forward to also testing these.) What is notable here is that our tests are not based merely on RFC 2544 (UDP packet blasting), which can inflate a vendor's performance metrics due to the stateless nature of UDP and the typically large packet sizes used. (See our white paper on Pitfalls of Performance Testing: http://nsslabs.com/white-papers/pitfalls-in-performance-measurement.html.) Rather, NSS Labs dedicates a lot of attention to creating real-world multi-protocol test suites across a wide range of use cases.

In our real world tests, we create a complex mix of protocols including HTTP, FTP, SMTP, DNS, etc., and pass these through the device under test (DUT) at speeds up to 30 Gbps. This is a live test with deep packet inspection and default or recommended rules turned on.
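The packet-size point above, as an added illustration that is not from the NSS Labs post or any vendor: a device whose inspection engine is bound by packets per second posts a near line-rate figure when fed maximum-size UDP frames, yet forwards far less on a realistic size mix. The 1.5 million packets-per-second ceiling and the 7:4:1 frame-size mix are assumed values for the model, not measurements of any product.

```python
"""Why RFC 2544-style large-frame UDP tests overstate IPS throughput.

Added example, not code from the NSS Labs post or from any vendor. It models
a device under test (DUT) whose deep-packet-inspection engine saturates at a
fixed number of packets per second, and compares the throughput such a box
posts with 1518-byte UDP frames against what it forwards on a realistic mix.
The DUT capacity and the traffic mix below are assumed, constructed values.
"""
from dataclasses import dataclass

# Per-frame Ethernet overhead that occupies the wire but carries no frame data:
# 7-byte preamble + 1-byte start-frame delimiter + 12-byte inter-frame gap.
ETH_WIRE_OVERHEAD = 20
LINK_BPS = 10_000_000_000  # a single 10 GbE link

# Commonly cited "simple IMIX": 7 small, 4 medium, 1 large frame in every 12.
# Constructed for this example; real traffic mixes vary from site to site.
SIMPLE_IMIX = [(64, 7 / 12), (576, 4 / 12), (1518, 1 / 12)]


def link_pps(frame_bytes):
    """Frames per second a 10 GbE link can carry at a fixed frame size."""
    return LINK_BPS / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8)


def average_frame(mix):
    """Weighted average frame size of a (size, fraction) mix."""
    return sum(size * frac for size, frac in mix)


@dataclass
class Dut:
    """A DUT whose inspection engine saturates at max_pps packets per second."""
    max_pps: float

    def fixed_size_gbps(self, frame_bytes):
        """Forwarded frame bits/s at one frame size (RFC 2544-style test)."""
        pps = min(self.max_pps, link_pps(frame_bytes))
        return pps * frame_bytes * 8 / 1e9

    def mix_gbps(self, mix):
        """Forwarded frame bits/s on a size mix; the pps ceiling is what bites."""
        avg = average_frame(mix)
        pps = min(self.max_pps, link_pps(avg))
        return pps * avg * 8 / 1e9

    def headline_inflation(self, mix, headline_frame=1518):
        """Ratio of the large-frame headline figure to the realistic-mix figure."""
        return self.fixed_size_gbps(headline_frame) / self.mix_gbps(mix)


def compare(dut, mix=SIMPLE_IMIX):
    """Return (headline_gbps, mix_gbps, min_frame_gbps) for a DUT, rounded."""
    return (
        round(dut.fixed_size_gbps(1518), 2),
        round(dut.mix_gbps(mix), 2),
        round(dut.fixed_size_gbps(64), 2),
    )


if __name__ == "__main__":
    # Assumed engine ceiling: 1.5 million inspected packets per second.
    dut = Dut(max_pps=1_500_000)
    headline, realistic, worst = compare(dut)
    print(f"1518-byte UDP frames : {headline:.2f} Gbps (reads as line rate)")
    print(f"simple IMIX          : {realistic:.2f} Gbps")
    print(f"64-byte frames       : {worst:.2f} Gbps")
    print(f"headline overstates the mix figure by "
          f"{dut.headline_inflation(SIMPLE_IMIX):.1f}x")
```

The same pps-bound box reads as 9.87 Gbps on the large-frame test and 4.27 Gbps on the mix, which is why a throughput claim is only meaningful alongside the frame-size distribution it was measured with.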
The Proventia GX6116 displayed excellent performance up to 6 Gbps, coupled with extremely low latency under all normal traffic conditions. Security effectiveness was also impressive, with excellent coverage above 95% for the most critical vulnerabilities, out of a set of 579 exploits, the largest set run in any public test.

Read the full report here: http://nsslabs.com/intrusion-prevention/iss-proventia-nips-gx6116.html


PCI Self-Assessment Questionnaires Embrace Use-Case Philosophy!
Posted 2008-05-06

I have been meaning to comment on this for a while, but better late than never. Earlier this year, the PCI SSC released an updated and well-thought-out collection of self-assessment questionnaires (https://www.pcisecuritystandards.org/tech/saq.htm) to replace the previous, single questionnaire. This is a very welcome enhancement for a number of reasons, not the least of which is that it shows clear support for a use-case-based approach, something NSS Labs has been working towards in its own testing.

In fact, we've written a white paper (http://nsslabs.com/white-papers/appropriate-usage-in-product-evaluation.html) outlining how use cases can help IT Security and Compliance professionals evaluate products for appropriate usage in their environments. In short, know your environment, and specifically what you're trying to protect, and this will help you define more granular (and thus more useful) protection requirements for your control selections (i.e. security products).

There is no silver bullet or magic product, and in fact, as products increasingly differentiate themselves, defining the requirements early in the process is increasingly important. For buyers, this means being better prepared, and more discerning in the evaluation process. For vendors, this should be a welcome opportunity to claim some higher ground (in terms of positioning and differentiation) in some very 'mushy', crowded markets where customers turn quickly to price as a differentiator when they can't tell the difference in benefits.


Bankinfosecurity.com interview with Rick Moy on Product Testing
Posted 2008-05-05

My interview with Tom Field of BankInfoSecurity.com at RSA, about NSS Labs and how our product evaluations are helping the banking and payment card industry with security and compliance.

Listen to the interview: http://www.bankinfosecurity.com/podcasts/rsa2008-vendors/rsa2008-NSS-Labs.mp3
View page at bankinfosecurity.com: http://www.bankinfosecurity.com/podcasts.php?podcastID=110&search_keyword=rsa&search_method=exact


Interview with Martin McKeay at RSA
Posted 2008-04-27

I had the pleasure of a brief chat with Martin of the Network Security Podcast about what we do at NSS Labs. Martin is a prolific security blogger, podcaster, and QSA by day. Listen to the interview here: http://www.mckeay.net/2008/04/09/rsa-2008-rick-moy-nss-labs/


Rocking RSA
Posted 2008-04-14

Last week's RSA Conference 2008 in San Francisco was one of the best ones I've ever been to. For purely selfish reasons! NSS Labs had a number of firsts.

- It was our first time to have a booth at any trade show.
- Over a dozen product vendors proudly displayed their NSS Approved logos at their booths. These large shiny plaques are about 5 times larger than the typical plastic sign you might otherwise see floating about.
- Our debut was accompanied by the support of a broad ecosystem of test tool providers, security vendors, and others who shared our booth as partners.
- We hosted two incredibly well attended Advisory Group sessions on testing and PCI.
- We released a record number of product certification reports.
- We threw the undisputed coolest party of all of RSA and hung out with the heavy-lifters of the security industry, press, and analyst community. Where else could you get your groove on, and enjoy a shoe shine, shave and massage?

What could we possibly do next? I ask myself.


Security Products & PCI Compliance
Posted 2007-10-22 (updated 2008-04-02)

There's one compliance question that keeps raising its head for every piece of hardware and software that's considered to be 'in scope' for an assessment: "Will this product make me compliant?" We've heard this through our advisory groups and discussions with information security pros, and compliance/risk management executives.

Fact: No product will make you compliant. But having an inadequate or misconfigured product can prevent you from achieving compliance.

That's not to say that product vendors are not scrambling to answer these questions from their customers with an affirmative "Yes! ACME's web application firewall will make you compliant." But then the hard part begins: first, by answering specifically HOW it does so, in a manner that will likely be convincing to assessors and card brands reading the reports on compliance. And secondly, by clearly articulating this message in a crowded, noisy marketplace of product vendors all claiming that their products will either make you compliant or help you achieve compliance.

The question should actually be broken into two distinct components:

1. Does this product have the features to support a compliant network environment? I.e., is it capable and appropriate for the use case?

2. Is this product properly configured and deployed according to PCI requirements?

If you have deep expertise and plenty of resources you can try to tackle question 1 on your own. And many Level 1 and 2 merchants do. Be warned: it's a trickier endeavor than one might think. There are over 200 sub-requirements to the DSS and they are not necessarily all grouped around a particular product; e.g. you have security functionality, management features, update requirements, and procedures throughout. What has been missing until now is a product-centric view of DSS requirements. This is where NSS Labs has come in with its partners and advisors to create a product validation scheme which addresses the requirements of PCI DSS. We are actively evaluating products against this standard and producing validation reports accordingly.

Regarding question 2, merchants and service providers are obligated to prove to assessors and their acquiring banks that they not only have the right products, but that they are configured properly. To this end, NSS Labs is including in its PCI reports several recommended configurations for various PCI deployments. For example, which settings in a UTM are necessary to deploy the product in a retail storefront? Or what firewall configuration and policies are needed at the perimeter?

To be clear, only an assessor and ultimately the card brands can certify and validate a cardholder network as being compliant. NSS Labs' contribution is to provide independent, empirical validation of product suitability. We will be releasing the first reports imminently. Stay tuned.

We've heard from many corners of the industry that this is a good thing, and merchants, assessors and banks are looking forward to seeing more and more products validated in this manner. What's your opinion? Let me know [ rmoy AT nsslabs DOT com ]


Welcome
Posted 2007-10-20

Welcome to the NSS Labs Blog, where key members of our team will share insights and perspectives on issues, technologies and trends in security, compliance and product testing and certification.