Palo Alto Networks Appliance Vulnerable To Evasion, Was Tested Thoroughly, Says NSS Labs | CRN (2024)

A weakness in Palo Alto Networks' Next Generation Firewall, if deployed using the default configuration, could enable attackers to easily bypass the appliance's detection capabilities, according to independent testing firm NSS Labs.

Austin, Texas-based NSS Labs issued a statement on its blog Wednesday calling Palo Alto Networks' criticism about the firm's testing methodology unfounded. Version 6.03 of PAN-OS proved to be susceptible to multiple evasion techniques, said Bob Walder, founder and chief research officer of NSS Labs. The firm said all appliances it tested were placed in a "predefined vendor-recommended setting."

"Palo Alto Networks NGFW misses several critical evasions that leave its customers at risk," Walder wrote. "Palo Alto Networks was treated exactly the same as every other vendor in this test. NSS tests all NGFW products with the predefined vendor-recommended settings."

[Related: Palo Alto Networks Earns Poor Results, Caution Rating In NGFW Test]

type

Sponsored post

Palo Alto Networks has been shipping version 6.03 of PAN-OS since January, according to a Palo Alto Networks spokesperson, who said the company was not commenting further on the NSS Labs test.

The inability to detect common evasion techniques used by attackers caused Palo Alto Networks to be given the only "caution" rating from NSS Labs and a security effectiveness score far below its chief competitors in the next-generation firewall market. Walder's comments were in response to Lee Klarich, Palo Alto Networks' senior vice president of product management, who said the company did not participate in the NSS Labs testing and did not provide guidance on the proper configuration of the appliance for the test.

"No tuning is permitted," Walder said of NSS Labs' testing methodology. "When it comes to NGFW, NSS research shows that most customers deploy these devices with the default/recommended configuration out of the box. This, therefore, is how we deploy NGFWs in our test harness. To reiterate, no tuning is permitted."

The testing firm's study pit Palo Alto against appliances from Barracuda, Check Point Software Technologies, Cisco Systems, Cyberroam, Dell, Fortinet, Intel Security (formerly McAfee) and WatchGuard. NSS Labs gave Palo Alto's PA-3020 appliance a 60.9 percent average security effectiveness score. The test, conducted earlier this year, also found the appliance fell short of the company's claimed 1-Gbps throughput. Appliances from Cisco and Cisco-Sourcefire earned the highest security effectiveness scores followed by Dell SonicWall Supermassive, and WatchGuard's XTM 525 appliance.

Solution providers that sell network security gear from Palo Alto Networks and many of its competitors said tests are used by sales teams and in marketing material, but no customer can ultimately know how well an appliance performs until it is fully deployed and configured.

Some customers have unique rule sets and other requirements that ultimately have an impact on every appliance's performance, said J.D. Butt, vice president of solutions at Chicago-based solution provider Nexum, a Palo Alto Networks partner that also specializes in selling and deploying a variety of networking security vendor appliances. Butt said none of his clients roll out their Palo Alto Networks appliances in default configuration.

"Performance is a paramount thing for us," Butt said. "There's nothing worse than a customer coming back to you three or six months after a purchase saying the product is not meeting their performance requirements."

NEXT: Check Point Could Gain In Customer Evaluations, Say Partners

Some solution providers say the NSS Labs test results may have a significant impact on customer evaluations and point to Palo Alto Networks' closest rival, Check Point Software Technologies, as the company that could benefit most. The Israeli company is continually spending on research and development and building out refined management capabilities, they say. Check Point, which has been called a more expensive option, is increasingly beating competitors on feature availability and on entry price, according to some solution providers.

"They are in every conversation that we have been in," said a Palo Alto Networks partner who requested not to be identified. "Check Point is retooling a lot of its product line to be more standards-based with more integration points from an API perspective."

Palo Alto Networks has been extremely aggressive over the past four or five years capturing market share from Check Point, Juniper and Fortinet, said Stuart Maskell of San Diego-based managed services provider NWTech. Maskell said part of Palo Alto Networks' secret sauce is its throughput. McAfee, which has integrated its acquisition of Stonesoft, also is a strong appliance, especially for McAfee's customer base, which can integrate it into the rest of its product portfolio, Maskell said.

Next-generation firewall appliances continue to experience strong sales, but the market for networking gear is changing rapidly, said Terry Kurzynski, a senior partner at Chicago-based solution provider Halock Security Labs. Palo Alto Networks and others are catching up and adding components similar to FireEye's virtual sandbox, which detonates and examines suspicious files, Kurzynski said.

The time is now for solution providers to examine complementary solutions as the industry shifts from network security appliances to visibility and control over the endpoint, Kurzynski said.

"Clients are experiencing a lot of challenges with systems infected with malware and FireEye and others have made the problem much more visible," Kurzynski said.

A number of vendors have criticized NSS Labs following poor performance ratings in previous studies. FireEye heavily criticized the legitimacy of a test of breach detection vendors in March. In a similar next-generation firewall study conducted by NSS Labs last year, Watchguard performed poorly and criticized the study. NSS Labs executives said its researchers perform tests on behalf of its end clients and buys equipment when vendors choose not to participate in competitive studies.

PUBLISHED OCT. 2, 2014

Palo Alto Networks Appliance Vulnerable To Evasion, Was Tested Thoroughly, Says NSS Labs | CRN (2024)
Top Articles
Compare
Best Crypto Trading Bots • Benzinga
Ups Customer Center Locations
Pangphip Application
Kokichi's Day At The Zoo
Erika Kullberg Wikipedia
How Many Cc's Is A 96 Cubic Inch Engine
Federal Fusion 308 165 Grain Ballistics Chart
Remnant Graveyard Elf
Large storage units
Craigslist/Phx
Brutál jó vegán torta! – Kókusz-málna-csoki trió
Methodist Laborworkx
David Turner Evangelist Net Worth
2024 Non-Homestead Millage - Clarkston Community Schools
Gmail Psu
Powerball winning numbers for Saturday, Sept. 14. Check tickets for $152 million drawing
Craigslist In Flagstaff
Paychex Pricing And Fees (2024 Guide)
Spoilers: Impact 1000 Taping Results For 9/14/2023 - PWMania - Wrestling News
Dirt Removal in Burnet, TX ~ Instant Upfront Pricing
Trivago Sf
Cocaine Bear Showtimes Near Regal Opry Mills
Weepinbell Gen 3 Learnset
Metro Pcs.near Me
Kayky Fifa 22 Potential
Finalize Teams Yahoo Fantasy Football
Sussyclassroom
Employee Health Upmc
Craigslist Dubuque Iowa Pets
At 25 Years, Understanding The Longevity Of Craigslist
Foodsmart Jonesboro Ar Weekly Ad
Labcorp.leavepro.com
Buhl Park Summer Concert Series 2023 Schedule
They Cloned Tyrone Showtimes Near Showbiz Cinemas - Kingwood
Rs3 Bring Leela To The Tomb
Gt7 Roadster Shop Rampage Engine Swap
United E Gift Card
Vistatech Quadcopter Drone With Camera Reviews
Marcus Roberts 1040 Answers
Columbia Ms Buy Sell Trade
Jasgotgass2
Www.craigslist.com Waco
Pulitzer And Tony Winning Play About A Mathematical Genius Crossword
Doublelist Paducah Ky
Petra Gorski Obituary (2024)
Movie Hax
Jane Powell, MGM musical star of 'Seven Brides for Seven Brothers,' 'Royal Wedding,' dead at 92
Is Chanel West Coast Pregnant Due Date
Campaign Blacksmith Bench
18443168434
Bones And All Showtimes Near Emagine Canton
Latest Posts
Article information

Author: Manual Maggio

Last Updated:

Views: 6416

Rating: 4.9 / 5 (69 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Manual Maggio

Birthday: 1998-01-20

Address: 359 Kelvin Stream, Lake Eldonview, MT 33517-1242

Phone: +577037762465

Job: Product Hospitality Supervisor

Hobby: Gardening, Web surfing, Video gaming, Amateur radio, Flag Football, Reading, Table tennis

Introduction: My name is Manual Maggio, I am a thankful, tender, adventurous, delightful, fantastic, proud, graceful person who loves writing and wants to share my knowledge and understanding with you.