In a recent independent test by CyberRatings, Cisco's Firepower 2130 Threat Defense v7.3.1 firewall received a “caution” rating, a stark contrast to the “recommended” status earned by seven other market-leading enterprise firewall products.

Nonprofit testing lab CyberRatings conducted an extensive evaluation of eight enterprise firewall products from major players in the market, including Check Point, Cisco, Forcepoint, Fortinet, Hewlett Packard Enterprise (HPE) Juniper Networks, Palo Alto Networks, Sangfor and Versa Networks.

Each of these vendors submitted an enterprise firewall product with about 10 Gb/s throughput to CyberRatings for the test, CyberRatings Chairman and CEO Vikram Phatak told SDxCentral.

The goal was to assess the effectiveness of these firewalls in protecting trusted networks from untrusted networks while allowing authorized communications. The test results revealed the tested firewalls’ protection rate, rated throughput and price per protected Mb/s.

According to CyberRatings, Check Point's Quantum Force 19200 plus R81.20 firewall posted a protection rate of 98.41%, handling a throughput of 12,281 Mb/s, and a cost efficiency measured at $11.28 per protected Mb/s.

Forcepoint's 3410 next-generation firewall (NGFW) version 7.1.1 build 29059 received a protection rate of 96.89%, 14,961 Mb/s rated throughput, and a cost of $7.93 per protected Mb/s.

Fortinet's FortiGate-900G v7.4.4 had a protection rate of 98.21%, 14,096 Mb/s rated throughput, and offered an economical cost of $3.25 per protected Mb/s.

Juniper Networks' SRX4600 JUNOS 22.4X3.1 scored a 99.54% protection rate, 7,772 Mb/s rated throughput, and a cost of $13.74 per protected Mb/s.

Palo Alto Networks’ PA-450 v11.1.1 received a 96.36% protection rate and posted a 1,026 Mb/s rated throughput, with a cost of $6.52 per protected Mb/s.

Sangfor's NGAF 5300 AF 8.0.85.1029 Build 20240423 received a protection rate of 97.48% and posted a 5,719 Mb/s rated throughput, with a cost of $1.57 per protected Mb/s.

Versa Networks' CSG5000 versa-flexvnf-22.1.4-B scored a 99.87% protection rate, with 15,811 Mb/s rated throughput at a cost of $2.15 per protected Mb/s.

Image: Cisco's enterprise firewall receives ‘caution’ rating from CyberRatings.

Why Cisco firewall received a caution rating

Among the eight tested firewalls, Cisco's Firepower 2130 Threat Defense v7.3.1 (build 19) firewall was the only product that garnered a “caution” rating from CyberRatings’ test with a low protection rate of 37.01%, managing a rated throughput of 1,040 Mb/s and a cost of $77.34 per protected Mb/s.

Phatak noted the Cisco firewall struggled with two critical aspects, encryption and evasions, which are two of the key metrics weighed most heavily in the evaluation.

Encryption “is an important factor, because 80% of the web traffic is now encrypted and if you're not decrypting your web traffic you just don't see it,” Phatak said, urging organizations to enable the capability within their firewalls as decryption is not on by default.

Threat actors use evasion techniques to disguise and modify attacks so that security products fail to detect them. “Missing a type of evasion means a hacker can use an entire class of exploits to circumvent the security product,” the firm wrote.

Despite a good native block rate, Cisco’s Firepower 2130 Threat Defense v7.3.1 firewall “missed over 100 evasions, when you put it all together meant that there's a lot of ways for attackers to get past their system,” Phatak said.

Phatak further noted Cisco is aware of these issues. “I think that's one of the challenges that they have is not necessarily that they don't have the people or the technology but that they're very blocked by the way the company's organizational structure runs,” Phatak said.

For businesses currently using Cisco's Firepower 2130 Threat Defense v7.3.1 firewall, Phatak recommends considering replacement with one of the recommended products from the report, tuning the existing system to improve its performance against evasions, and finding ways to enable anti-evasion defenses.

Cisco said it did not submit an enterprise firewall product to CyberRatings for testing.

In an email to SDxCentral, a Cisco spokesperson stated, “Cisco actively partners with the broader security research community and we view these relationships as essential to helping secure our customers. Unfortunately, we were not engaged to provide a product for this test, which used an older firewall model and outdated software version, nor have we received details of the tests or results.”

Phatak countered in a statement that “we can confirm that the model number we used for the test is current and we had the latest software at the time of the test. We asked Cisco to engage and they said, 'we’re not interested.'”

Key takeaways for enterprise firewall buyers

Phatak advises enterprise firewall buyers to use this report as a shortlist for product selection.

“Talk to the vendors, take a look at their products,” Phatak suggested. “Do you like the user interface? What kind of support contracts can they provide you? What kind of professional services? ... What other products are in their portfolio?”

The choice of a firewall should not only consider the product's standalone capabilities but also how well it integrates with other security capabilities and platforms, such as zero-trust network access (ZTNA) and security service edge (SSE).

Image: CyberRatings Security Value Map. Image credit: CyberRatings.

UPDATE: This story was updated to include a statement from Cisco and from CyberRatings.