NSS Labs Releases Data Center IPS Report – Recommends Palo Alto Networks

Jul 06, 2016
4 minutes

It’s exciting when we’re recognized in the market as the security vendor customers can count on to protect their users and their data. Now, we have a third-party report that publicly corroborates whatNSS Recommended Hi-Resour customers have been saying: that Palo Alto Networks is effective when it comes to protecting the data center.

Today, NSS Labs published results from their 2016 Data Center Intrusion Prevention Systems (DCIPS) group test, and granted Palo Alto Networks their “recommended” rating. Most notable within our results report:

  • 100% effectiveness rating against all evasion techniques tested
  • 94.2% overall exploit block rate
  • Only 3 false positive triggers

I invite you to read through our report, and more importantly, look through the configurations used during this test.

NSS Labs’ test rules allow vendors to configure their devices before the test but not during, which means that vendors must configure products to account for both performance and security, as this is the typical balance most customers must make when deploying security products in the data center. We configured our PA-7050 for this test using the defaults that a large portion of our customers use every day to protect their applications, users, and data. We encourage you to review our test configurations so you can see for yourself how our PA-7050 managed to achieve 94.2 percent security effectiveness and 30 Gbps, and compare them to the test configurations of other vendors who participated for complete context behind the comparative results of this test.

Protecting the data center is not new for us – we’ve been protecting data centers around the world from threats for the better part of a decade by addressing multiple stages within the attack lifecycle. Today we have the PA-7000 Series NGFW: two massive chassis that address the increased traffic throughput requirements of large data centers and service providers without sacrificing security.

How do we accomplish this? We take advantage of every opportunity to identify and stop an attack in as few traffic scans as possible.

Exploitation makes up one stage of the attack lifecycle. As our security score shows, we do a great job blocking exploits at the network level. But we’re also excellent at blocking subsequent attack stages, such as malware installation and command-and-control (C2). What you may not know is that anti-malware and C2 protection is grouped in with our platform’s IPS capabilities, so our performance results on this test are indicative of security beyond the exploit stage against which it was tested. Along with exploits, our platform blocks malware and C2 communication without additional performance degradation, software, or appliances. This approach has been one of the driving forces behind Palo Alto Networks success in protecting the data center.

Attack surface reduction through complete visibility into the applications that comprise data center traffic and the ability to granularly control which applications you want to allow and what kind of content they’re allowed to bring into and out of the data center is critical in keeping threats at bay. When you combine this with identifiable users – not just IP addresses, but actual user names – you further limit the opportunity attackers have to infiltrate your data center by allowing only certain users and user groups to access certain data via certain applications. While the focus of this particular test is on our IPS’s ability to block known exploits – which we clearly do well – and not on attack surface reduction, Palo Alto Networks has long known that reducing the attack surface through these mechanisms is the first step in effectively securing data center assets.

This latest NSS Labs DCIPS test report validates not only that blocking attacks at the exploit stage is an important tactic in preventing them, but also that our prevention technology stands up tall against data center threats and traffic loads. We hope that in sharing our test configurations, we can provide valuable information to practitioners that will help them achieve a similarly strong preventive stance against evasions and exploits in their data centers.

Read the full NSS Labs DCIPS test report.


Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.