NSS Labs has announced the results of its second Web Application Firewall (WAF) Group Test. A growing segment of the security market, WAFs employ a wide range of functions to work in conjunction with perimeter firewalls and intrusion prevention system (IPS) technologies to provide protection specifically for web applications. Of the five market-leading WAF vendors whose products had results published today, four products received a Recommended rating, while one product received a Caution rating.
Websites are exposed to web-based application attacks designed to bypass data center firewalls (DCFWs) and data center intrusion prevention systems (DCIPS). WAF products protect web servers by inspecting HTTP communication for malicious content. Although WAF products can be used as transparent bridges to inspect traffic, many enterprises are utilizing WAFs as reverse proxies that sit between the user and web server, allowing inspection of encrypted traffic. The ability of WAFs to inspect encrypted traffic has become increasingly important, as at least 75% of all web traffic will be encrypted by 2019.
To validate their security effectiveness, WAF products were tested for their ability to successfully identify and protect against targeted exploits, including known vulnerabilities and coding errors. Products were also tested against the Open Web Application Source Project (OWASP) Top Ten, and false positive testing was conducted to determine whether they could support SSL encryption and identify legitimate traffic. Total cost of ownership (TCO) was calculated based on Protected Mbps to provide enterprises with insight into cost and to create a normalized comparison across products.
Key findings include:
- Overall Security Effectiveness ranged from 92.45% to 98.11%, with four of the five tested products achieving a rating greater than 98%.
- TCO per Protected CPS ranged from US $0.37 to US $25.01, with most tested products costing less than US$7.00 per Protected CPS.
- The average Security Effectiveness rating was 96.98%; four devices received an above-average Security Effectiveness rating, and one received a below-average Security Effectiveness rating.
- The average TCO per Protected CPS was US$8.21; four products were rated as having above-average value, and one was rated as having below-average value.
“In 2016, close to half of the network attacks targeting web applications came in through HTTP traffic and SSL vectors,” said Vikram Phatak, CEO at NSS Labs. “WAF devices are important lines of defense to secure critical web commerce operations and combat these attacks. The WAF Group Test results underscore the need for objective, vendor-neutral insights to help enterprises select the right solutions to strengthen their security posture.”
The five market leaders in the WAF Group Test include:
- Citrix NetScaler Web Application Firewall (AppFirewall) MPX 5910 v220.127.116.116
- F5 BIG-IP 10050S Application Security Manager (ASM) v18.104.22.168.0.184
- Fortinet FortiWeb-3000E v5.5.5
- Radware AppWall 1008 v7.3.4
- Symantec Blue Coat ProxySG v22.214.171.124
As with all NSS Labs Group Tests, there was no fee for participation, and the Test Methodology is available in the public domain to provide transparency and help enterprises understand the factors behind the results. The “no fee for participation” and “public domain” are part of NSS Labs commitment to provide empirical data and objective group test results that enable security organizations to make educated decisions about purchasing and optimizing security infrastructure products and services.
A free download of the Security Value Map™ (SVM) graphic can be found here. For more information, or to purchase NSS Labs Test Reports, click here. To learn more about the WAF Test Methodology and the WAF Group Test results, please click here.