Check Point Infinity NGFW Earns Recommended in NSS Labs 2017 NGFW Group Test

I am pleased to report we achieved another NSS Recommended in the recent NGFW Group Test! This is our 6th NGFW Recommended since 2011 and our 14th NSS Recommended overall. Participating in credible, independent 3rd party testing is an important investment for us at Check Point. Independent testing provides valuable “point in time” feedback for us and we recognize it also provides important security validation for our customers and the overall market too. That said, we are very proud of our long-term track record of consistent leadership and excellence in security as validated by our track record in independent testing. We are even more excited about this “point in time” NSS NGFW test because our great results were delivered from our new line of security gateways and our NGFW function which is a fundamental part of our Infinity security architecture, continuing our leadership and excellence with these new offerings.

This NSS NGFW test was their most comprehensive and demanding to date and among many, included:

  • Over 6,600 exploits spanning the last 13 years targeting applications from more than 70 vendors.
  • 137 evasion techniques in 10 different categories.
  • Multiple performance, capacity, stability and reliability measures including five different “real world” traffic mixes.
  • Multiple total cost of ownership analyses concluding in a 3-Year TCO valuation and Security Value Map (SVM) valuation for a deployment of five appliances and management.

It is indeed a rigorous set of tests and analyses and to achieve NSS Recommended requires leading scores in the three most important purchase criteria categories – security, performance and TCO. We are pleased to have again delivered an NSS Recommended and our result is continued evidence to our customers that they made the right choice in selecting and entrusting Check Point to secure their IT operations. Now let’s take a look at our results.

We submitted our Check Point 15600 Next Generation Threat Prevention (NGTP) security gateway which is one of our new line of appliances. The test results it delivered are testimony of excellent security and performance delivering great value. Here are some highlights of our results:

  • 100% protection against recent attacks (2013 – 2016)
  • 100% protection against Apple, IBM and Oracle vulnerabilities
  • 99.9% protection against Microsoft vulnerabilities
  • 99.86% NSS Exploit Library Block Rate
  • 100% Stability and Reliability, FW Policy, and Application Control Tests
  • $18 TCO per Protected-Mbps vs. the highest vendor TCO of $105

These are truly excellent results. Yet we missed one evasion attack out of the 137. This is in part why we participate in credible, 3rd party tests – to challenge our products and make them better. Upon learning of the miss, Check Point R&D began immediate research and within 24 hours had a fix being tested internally. Once tested we delivered the hotfix to NSS and they tested and confirmed that “… after application of the hotfix, all tested HTTP evasion techniques were blocked”. We take high severity vulnerabilities and attacks, especially evasions very seriously and when they occur it is our standard operating procedure to respond in full force to close the window of exposure and protect our customers as fast as possible. While we are very disappointed to miss an evasion in this test, our Check Point R&D sense of urgency responded to deliver protection very rapidly. This fix is already included in versions R77.30 and after.

In the SVM, NSS accounts for evasion misses by decrementing the overall security effectiveness based on an assessed severity of the evasion missed. This is why you see the many shooting stars in the SVM graphic. Nine products in this test missed at least one evasion and six products missed multiple evasion attacks. This is important – if a security product can be evaded then attackers have a free pass to the assets behind that security product. Check Point’s Exploit Block Rate is 99.56% and had one missed evasion for which we had a fix within 24 hours.

Check Point Infinity Graph

As you can see in the NSS NGFW SVM, eleven participating products delivered the following range of results:

  • Security Effectiveness ranges from about 26% to 100%. We delivered 99.56% and 90% after adjustment for one evasion miss.
  • TCO per Protected-Mbps ranges from about $105 to $5. We delivered $16 and then $18 after the evasion adjustment.
  • Six products missed multiple evasions.
  • Six products delivered an overall Security Effectiveness score less than 80%.
  • Four products were below average in both Security and TCO.

These results are very revealing toward who is and who is not delivering the best security and value at this “point in time”. At Check Point we are pleased to again deliver leading security and value in this NSS NGFW test and to also extend our multi-year “point in time” track record of leadership and excellence.

The Check Point NGTP product we submitted to this NSS test is deployed by many thousands of our customers and as confirmed by our test results, delivers leading security and excellence for their networks. Our recently introduced Check Point Infinity is the first security architecture to enable businesses to protect their networks, cloud and mobile with a single security infrastructure, policy and management from administration to monitoring to incident response. And with the Check Point Infinity architecture our NGTP customers can easily extend their security infrastructure to protect their cloud and mobile instances with the same leading protection and management. Doing so drives better and more timely security because an integrated security architecture is more efficient and effective than a mix of non-integrated point products.

You can find our full test report from the 2017 NSS NGFW Test.

For further evidence of our full Check Point Infinity solution, you can check out these other test reports.