Independent & unsponsored test report. Reprints Licensed to: Check Point Software Technologies This and other related documents available at: http://www.nsslabs.com/research/network-security/firewall-ngfw/ To receive a licensed copy or report misuse, please contact NSS Labs at +1 (512) 961-5300 or advisor@nsslabs.com.
2011 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY THE NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.
CONTACT INFORMATION
NSS Labs, Inc. P.O. Box 130573 Carlsbad, CA 92013 USA +1 (512) 961-5300 info@nsslabs.com www.nsslabs.com
Reprints Licensed to Check Point Software Technologies Next-Generation Firewall Individual Product Test Results 2011 NSS Labs, Inc. All rights reserved.
TABLE OF CONTENTS
1 Introduction
1.1 What is an NGFW?
Resistance to Evasion
Application Control
User/Group ID Aware Policies
4 Performance
Connection Dynamics - Concurrency and Connection Rates
HTTP Connections per Second and Capacity
Real-World Traffic Mixes
UDP Throughput
TABLE OF FIGURES
Figure 1: Coverage by Attack Vector
Figure 2: Product Coverage by Impact
Figure 3: Concurrency and Connection Rates
Figure 4: HTTP Connections per Second and Capacity
Figure 5: Real-World Traffic Mixes
Figure 6: UDP Throughput
1 INTRODUCTION
The firewall is increasingly up for renewal in a growing number of organizations. Technology and contract cycles are coinciding with increased throughput rates and driving enterprises to re-evaluate current firewall technology and vendor options. No longer a commodity device, firewalls are being called to fulfill greater mandates in light of Web 2.0 and other business drivers. Many enterprise IT managers are now faced with some difficult choices regarding one of information security's oldest technologies. Should I upgrade this model to a faster one from the same vendor, switch vendors, or upgrade to a so-called NGFW? This report analyzes the key technology issues and actual capabilities of the first Next Generation Firewall to be evaluated by NSS Labs.

Firewall technology has been around for at least 25 years, and has undergone several stages of development, from early packet and circuit firewalls to application layer and dynamic packet firewalls. Across these stages, the goal has continued to be to provide a protective barrier between internal and external networks, while allowing productive communications to pass from one side to the other.

With the emergence of new web applications and security threats, firewalls are again evolving. Whereas in the past we could say with a reasonable degree of certainty that application X runs over TCP port 552, and web traffic (and web traffic alone) runs over TCP port 80, this is no longer true today. Add to that the rise of Web 2.0 and the proliferation of applications which bypass traditional firewall controls by tunneling over HTTP and HTTPS, and it becomes apparent that additional security controls (based upon the application rather than the port) must be added to firewalls. This means that relying on port and protocol combinations to define network applications is no longer enough. Firewalls need to be capable of performing deep packet inspection of all packets, on all ports and over all protocols, in order to determine which applications are running over which ports.

NSS Labs research indicates that over the past 18 months, the sophistication and strategic capabilities of cybercriminals have outstripped the pace of advancement within information security products. In addition to traditional remote attacks against servers, cybercriminals are increasingly waging highly targeted campaigns against desktop client applications. These campaigns include the use of encrypted websites (such as Gmail), social networking sites, advertising networks, and a long list of compromised websites. The Wall Street Journal, the New York Times, ESPN, and NASDAQ were all found to have been (inadvertently) dishing up exploits to their clients. As such, users need not venture into a dark corner of the Internet to be exploited. Some high profile examples of desktop clients being the primary attack vector are the Operation Aurora attack against Google and the numerous variants of the Zeus attack against financial institutions. Further, compromised systems often communicate back to command and control servers via ports 80 (HTTP), 443 (HTTPS), or 53 (DNS), since those ports are most likely not blocked by traditional firewalls, which define security policies in terms of IP addresses, ports, protocols and services.

Correspondingly, vendors have begun to market evolving technologies known as Next Generation Firewalls, based on nomenclature coined by Gartner. As a result, the team at NSS Labs decided to investigate the level to which different vendors are delivering next generation capabilities, and what the trade-offs are. As part of this research, we are conducting a group test to provide the industry with a current scientific baseline of NGFW effectiveness. Check Point was the first vendor to submit their solution for evaluation.
In this test, our engineers took the same approach that modern cyber criminals or hackers would in trying to breach the firewall. These efforts go far beyond replaying PCAPs or pressing the button on a single test tool. In short, our engineers executed fully weaponized attacks against the device under test.

Performance: NGFW devices exhibit an inverse correlation between security effectiveness and performance. The more deep packet inspection is performed, the longer it takes to forward packets. Furthermore, it is important to consider a real-world mix of traffic that a device will encounter. NSS Labs utilizes a range of traffic types and mixes.

Tuning: Security engineers tune an IPS to ensure its protection coverage matches the needs of the environment where it is being placed. This strategy works well for datacenters and DMZs. However, protecting desktops is a whole different matter. In surveying enterprises, we found most enterprises do not strictly control the desktop and that in larger enterprises it is safe to assume that pretty much anything can be running. As such, enterprises are expecting IPS and NGFW vendors to provide maximum security for desktop client applications with their recommended policies. Further, research indicates that enterprises are not ready to replace their dedicated IPS solutions in the datacenter. Simple deduction therefore tells us that intrusion prevention functionality within an NGFW needs to protect desktop clients with optimal protection pre-defined via a vendor recommended policy.
2 SUMMARY RESULTS
During Q4 2010, NSS Labs performed an independent test of the Check Point Power-1 11065 NGFW. The product was subjected to thorough testing at the NSS Labs facility in Austin, Texas, based on methodology v4.0 available on www.nsslabs.com. This test was conducted free of charge and NSS Labs did not receive any compensation in return for Check Point's participation.

While the upcoming Next-Generation Firewall Group Test Report will provide comparative information about all tested products, this Individual Test Report provides detailed information not available elsewhere. As noted in the introduction to this report, enterprises do not plan on tuning the IPS within their NGFW for a variety of reasons. Therefore, NSS Labs' evaluation of NGFW products is configured with the vendor pre-defined or default, out-of-the-box settings, in order to provide readers with relevant security effectiveness and performance dimensions based upon their expected usage. As part of this test, Check Point Software Technologies submitted the Power-1 11065

Using the default policy, the Power-1 11065 blocked 83.3% of attacks against client applications and 86.6% overall. In addition, the Check Point Power-1 11065 correctly identified 100% of our evasion attempts without error. The product successfully passed 2.6 Gbps of inspected traffic. NSS Labs rates throughput based upon tuned settings, averaging out the results from tests 6.5.1, 6.5.2, and 6.4.2: Real World Protocol Mix (Perimeter), Real World Protocol Mix (Core), and 21 KB HTTP Response respectively.

Check Point's management interface was well designed and intuitive. For users of Check Point firewalls, there will not be much of a learning curve. Tuning and maintenance is simple and well thought out. For multi-gigabit environments looking to upgrade defenses from their current firewall to an NGFW, the Check Point Software Technologies Power-1 11065 provides excellent protection and an outstanding 3-year TCO (including labor).
3 SECURITY EFFECTIVENESS
This section verifies that the DUT is capable of enforcing a specified security policy effectively. NSS Labs NGFW testing is conducted by incrementally building upon a baseline configuration (simple routing with no policy restrictions and no content inspection) to a complex real world multiple zone configuration supporting many addressing modes, policies, applications, and inspection engines. At each level of complexity, test traffic is passed across the DUT to ensure that only specified traffic is allowed and the rest is denied, and that appropriate log entries are recorded.

The DUT must support stateful firewalling either by managing state tables to prevent traffic leakage or as a stateful proxy. The ability to manage firewall policy across multiple interfaces/zones is required. At a minimum, the DUT must provide a trusted internal interface, an untrusted external/Internet interface, and one or more DMZ interfaces. In addition, a dedicated management interface is preferred.

NSS Labs tests the ability to enforce policy between the following:

- Trusted to Untrusted
- Trusted to DMZ
- Untrusted to DMZ
- Untrusted to Trusted
Policy management was concise and intuitive. We were able to quickly implement our ANY-ANY baseline policy. Our testing determined that all traffic flowed correctly.
[Figure 1: Coverage by Attack Vector. Chart axes: Block Rate; Exploits Attempted/Caught. Series: Attempted, Caught, Coverage.]
Figure 2: Product Coverage by Impact (chart axes: Exploits; Block Rate)

| Impact | Attempted | Caught | Coverage |
|---|---|---|---|
| System Exposure | 962 | 823 | 86% |
| Service Exposure | 115 | 108 | 94% |
Resistance to known evasion techniques was perfect, with the Check Point Power-1 11065 achieving a 100% score across the board in all related tests. IP fragmentation, TCP stream segmentation, RPC fragmentation, URL obfuscation, HTML Evasion and FTP evasion all failed to trick the product into ignoring valid attacks. Not only were the fragmented and obfuscated attacks blocked successfully, but all of them were also decoded accurately.
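The URL obfuscation tests in this report's appendix (percent-encoding levels, TAB separation, case changes, the Windows \ delimiter, fake parameters, padded paths) only fail against an engine that canonicalizes the request before matching. The Python sketch below is an added illustration of that decoding step, not NSS Labs test code or Check Point's implementation; the signature path, the request lines and all function names are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

SIGNATURE_PATH = "/cgi-bin/admin.cgi"  # hypothetical rule target (constructed)
MAX_DECODE_ROUNDS = 4                  # bound on nested percent-encoding

# Constructed request lines: the last one is benign, the others are
# obfuscated spellings of SIGNATURE_PATH.
SAMPLES = [
    b"GET /cgi-bin/admin.cgi HTTP/1.1",
    b"GET /cgi-bin/%61dmin.cgi HTTP/1.1",                        # URL encoding
    b"GET /cgi-bin%252fadmin.cgi HTTP/1.1",                      # nested encoding
    b"GET\t/CGI-BIN\\Admin.CGI\tHTTP/1.1",                       # TAB, case, "\"
    b"GET /./cgi-bin//x/../admin.cgi?pad=/index.html HTTP/1.1",  # padding, fake parameter
    b"GET /index.html HTTP/1.1",
]


def request_target(request_line: bytes) -> bytes:
    """Return the request target, accepting SP or TAB as the separator."""
    parts = re.split(rb"[ \t]+", request_line.strip())
    return parts[1] if len(parts) >= 2 else b""


def canonical_path(request_line: bytes) -> str:
    """Reduce a request line to one canonical path for signature matching."""
    # Match on the path only: drop the query string and fragment.
    path = re.split(rb"[?#]", request_target(request_line), maxsplit=1)[0]
    # Unwrap nested percent-encoding (%252f -> %2f -> /) up to a fixed bound.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path = decoded
    # Fold the Windows delimiter and case, then collapse "//", "/./", "/x/../".
    text = path.decode("latin-1").replace("\\", "/").lower()
    return posixpath.normpath("/" + text.lstrip("/"))


def naive_match(request_line: bytes) -> bool:
    """Byte-for-byte match on the raw line, with no decoding."""
    return SIGNATURE_PATH.encode() in request_line


def canonical_match(request_line: bytes) -> bool:
    """Match after canonicalization."""
    return canonical_path(request_line) == SIGNATURE_PATH


def summarize(samples=SAMPLES):
    """Return (naive hits, canonical hits) over the sample request lines."""
    return (sum(naive_match(s) for s in samples),
            sum(canonical_match(s) for s in samples))


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{canonical_path(line):24} naive={naive_match(line)!s:5} "
              f"canonical={canonical_match(line)}")
    print("hits (naive, canonical):", summarize())
```
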
However, while Check Point was able to correctly identify and control applications, through the course of testing we found that the application identification telemetry was not being provided to the IPS Blade. As such, IPS protection is limited to standard ports (e.g. HTTP = port 80). Attacks using nonstandard ports are not inspected by the IPS (e.g. HTTP over port 8327 may contain an exploit against a common web browser, but will not be inspected). This product limitation means that administrators should still create policies limiting outbound access to standard ports such as 80 and 443. Alternatively, there is a check box which allows an administrator to enable application control on every port and another which enables HTTP inspection on every port. These are not enabled by default, and therefore the impact on performance is unknown since the device was tested using the vendor pre-defined / default settings.
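To see which flows fall into the gap described above, an administrator can classify outbound flows by their first payload bytes instead of by destination port and list those whose protocol does not match the port. The Python sketch below is an added example, not Check Point or NSS Labs code; the port bindings, payload heuristics, flow records (documentation address ranges) and all names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumed bindings of a port-bound inspection engine, and the egress policy
# the report recommends (outbound limited to ports 80 and 443).
STANDARD_PORTS = {"http": {80}, "tls": {443}, "ssh": {22}}
EGRESS_ALLOWED_PORTS = {80, 443}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes of the flow


@dataclass(frozen=True)
class Finding:
    flow: Flow
    app: str
    egress_blocked: bool  # True if the 80/443 egress policy already stops it


def identify(payload: bytes) -> str:
    """Classify a flow from its payload, ignoring the destination port."""
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "http"
    # TLS record: handshake (0x16), major version 3, ClientHello (0x01).
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def audit(flows):
    """Return flows whose identified protocol is not bound to their port."""
    findings = []
    for flow in flows:
        app = identify(flow.first_bytes)
        if app == "unknown" or flow.dport in STANDARD_PORTS[app]:
            continue
        findings.append(Finding(flow, app,
                                flow.dport not in EGRESS_ALLOWED_PORTS))
    return findings


# Constructed flow records; port 8327 is the report's own example.
SAMPLE_FLOWS = [
    Flow("10.0.0.21", "192.0.2.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.0.22", "192.0.2.44", 8327,
         b"GET /page HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.0.23", "198.51.100.7", 443,
         b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"),
    Flow("10.0.0.24", "198.51.100.9", 443, b"SSH-2.0-OpenSSH_5.8\r\n"),
    Flow("10.0.0.25", "203.0.113.5", 53, b"\x12\x34\x01\x00\x00\x01"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        state = "blocked by" if f.egress_blocked else "passes"
        print(f"{f.flow.src} -> {f.flow.dst}:{f.flow.dport} carries {f.app}; "
              f"{state} the 80/443 egress policy")
```

The second finding shows why the port-limiting policy is only a partial answer: a protocol mismatch on an allowed port still needs inspection on every port or application control to be caught.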
The following table illustrates Users & Groups + Firewall and Application Control Policies that were defined and successfully verified.

| Users | Application |
|---|---|
| David (Sales Person) | Salesforce.com |
| Jay (DB Administrator) | MySQL DB + SSH |
| Jeff (Operations) | ERP |
| Pam (Controller) | Accounting software |
| Richard (VP of Marketing) | ALL |
| Scott (Auditor) | Accounting software |
4 PERFORMANCE
There is frequently a trade-off between security effectiveness and performance. Because of this trade-off, it is important to judge a product's security effectiveness within the context of its performance (and vice versa). This ensures that new security protections do not adversely impact performance and security shortcuts are not taken to maintain or improve performance.
[Figure 3: Concurrency and Connection Rates. Labelled value: 401,000 (with data).]

[Figure 4: HTTP Connections per Second and Capacity. Chart axes: CPS; Mbps.]
Figure 5: Real-World Traffic Mixes (Mbps): Real World Protocol Mix (Perimeter) 3,800; Real World Protocol Mix (Core) 1,970.

[Figure 6: UDP Throughput. Chart axis: Megabits per Second. Plotted values: 1,900; 3,500; 6,750; 11,400; 12,050 Mbps.]
5 TOTAL COST OF OWNERSHIP

Next-Generation Firewall solutions can be complex projects with several factors affecting the overall cost of deployment, maintenance and upkeep. All of these should be considered over the course of the useful life of the solution.

- Product Purchase: the cost of acquisition.
- Product Maintenance: the fees paid to the vendor.
- Installation: the time required to take the device out of the box, configure it, put it into the network, apply updates and patches, initial tuning, and set up desired logging and reporting.
- Upkeep: the time required to apply periodic updates and patches from vendors, including hardware, software, and protection (signature/filter/rules) updates.
- Tuning: the time required to configure the policy such that the best possible protection is applied while reducing or eliminating false alarms and false positives. NSS Labs assumes enterprises will use pre-defined vendor policies, thereby eliminating tuning.

Year One TCO was determined by multiplying the Labor Rate ($75 per hour fully loaded) x (Installation + Upkeep + Tuning) and then adding the Purchase Price + Maintenance. Year Two TCO was determined by multiplying the Labor Rate ($75 per hour fully loaded) x (Upkeep + Tuning) and then adding Year One TCO. Year Three TCO was determined by multiplying the Labor Rate ($75 per hour fully loaded) x (Upkeep + Tuning) and then adding Year Two TCO.
5.3 VALUE: COST PER MBPS AND EXPLOIT BLOCKED - TUNED POLICY

There is a clear difference between price and value. The least expensive product does not necessarily offer the greatest value if it blocks fewer exploits than competitors. The best value is a product with a low TCO and high level of secure throughput (security effectiveness x performance). The following table illustrates the relative cost per unit of work performed: Mbps-Protected.

| Product | Protection | Throughput | 3 Year TCO | Price / Mbps-Protected |
|---|---|---|---|---|
| Check Point Power-1 11065 | 86.6% | 2,607 | $111,225 | $49 |

Price per Protected Mbps was calculated by taking the Three-Year TCO and dividing it by the product of Protection x Throughput. Three-Year TCO / (Protection x Throughput) = Price / Mbps-Protected.
90% 83.3% 86.6% 86% 94% 88% *See Vulnerability Scope *See Vulnerability Scope *See Vulnerability Scope 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
| Test ID | Description | Result |
|---|---|---|
| 3.3.2.11 | Ordered 16 byte segs, seg overlap (favor new (Unix)) | 100% |
| 3.3.3 | RPC Fragmentation | 100% |
| 3.3.3.1 | One-byte fragmentation (ONC) | 100% |
| 3.3.3.2 | Two-byte fragmentation (ONC) | 100% |
| 3.3.3.3 | All fragments, including Last Fragment (LF) will be sent in one TCP segment (ONC) | 100% |
| 3.3.3.4 | All frags except Last Fragment (LF) will be sent in one TCP segment. LF will be sent in separate TCP seg (ONC) | 100% |
| 3.3.3.5 | One RPC fragment will be sent per TCP segment (ONC) | 100% |
| 3.3.3.6 | One LF split over more than one TCP segment. In this case no RPC fragmentation is performed (ONC) | 100% |
| 3.3.3.7 | Canvas Reference Implementation Level 1 (MS) | 100% |
| 3.3.3.8 | Canvas Reference Implementation Level 2 (MS) | 100% |
| 3.3.3.9 | Canvas Reference Implementation Level 3 (MS) | 100% |
| 3.3.3.10 | Canvas Reference Implementation Level 4 (MS) | 100% |
| 3.3.3.11 | Canvas Reference Implementation Level 5 (MS) | 100% |
| 3.3.3.12 | Canvas Reference Implementation Level 6 (MS) | 100% |
| 3.3.3.13 | Canvas Reference Implementation Level 7 (MS) | 100% |
| 3.3.3.14 | Canvas Reference Implementation Level 8 (MS) | 100% |
| 3.3.3.15 | Canvas Reference Implementation Level 9 (MS) | 100% |
| 3.3.3.16 | Canvas Reference Implementation Level 10 (MS) | 100% |
| 3.3.4 | URL Obfuscation | 100% |
| 3.3.4.1 | URL encoding - Level 1 (minimal) | 100% |
| 3.3.4.2 | URL encoding - Level 2 | 100% |
| 3.3.4.3 | URL encoding - Level 3 | 100% |
| 3.3.4.4 | URL encoding - Level 4 | 100% |
| 3.3.4.5 | URL encoding - Level 5 | 100% |
| 3.3.4.6 | URL encoding - Level 6 | 100% |
| 3.3.4.7 | URL encoding - Level 7 | 100% |
| 3.3.4.8 | URL encoding - Level 8 (extreme) | 100% |
| 3.3.4.9 | Premature URL ending | 100% |
| 3.3.4.10 | Long URL | 100% |
| 3.3.4.11 | Fake parameter | 100% |
| 3.3.4.12 | TAB separation | 100% |
| 3.3.4.13 | Case sensitivity | 100% |
| 3.3.4.14 | Windows \ delimiter | 100% |
| 3.3.4.15 | Session splicing | 100% |
| 3.3.5 | HTML Obfuscation | 100% |
| 3.3.5.1 | UTF-16 character set encoding (big-endian) | 100% |
| 3.3.5.2 | UTF-16 character set encoding (little-endian) | 100% |
| 3.3.5.3 | UTF-32 character set encoding (big-endian) | 100% |
| 3.3.5.4 | UTF-32 character set encoding (little-endian) | 100% |
| 3.3.3.3 | UTF-7 character set encoding | 100% |
| 3.3.5.6 | Chunked encoding (random chunk size) | 100% |
| 3.3.5.7 | Chunked encoding (fixed chunk size) | 100% |
| 3.3.5.8 | Chunked encoding (chaffing) | 100% |
| 3.3.5.9 | Compression (Deflate) | 100% |
| 3.3.5.10 | Compression (Gzip) | 100% |
| 3.3.5.11 | Base-64 Encoding | 100% |
| 3.3.5.12 | Base-64 Encoding (shifting 1 bit) | 100% |
| 3.3.5.13 | Base-64 Encoding (shifting 2 bits) | 100% |
| 3.3.5.14 | Base-64 Encoding (chaffing) | 100% |
| 3.3.5.15 | Combination UTF-7 + Gzip | 100% |
| 3.3.6 | FTP Evasion | 100% |
| 3.3.6.1 | Inserting spaces in FTP command lines | 100% |
| 3.3.6.2 | Inserting non-text Telnet opcodes - Level 1 (minimal) | 100% |
| 3.3.6.3 | Inserting non-text Telnet opcodes - Level 2 | 100% |
| Test ID | Description | Result |
|---|---|---|
| 3.3.6.4 | Inserting non-text Telnet opcodes - Level 3 | 100% |
| 3.3.6.5 | Inserting non-text Telnet opcodes - Level 4 | 100% |
| 3.3.6.6 | Inserting non-text Telnet opcodes - Level 5 | 100% |
| 3.3.6.7 | Inserting non-text Telnet opcodes - Level 6 | 100% |
| 3.3.6.8 | Inserting non-text Telnet opcodes - Level 7 | 100% |
| 3.3.6.9 | Inserting non-text Telnet opcodes - Level 8 (extreme) | 100% |
| 3.4 | Application Control | |
| 3.4.1 | Block Unwanted Applications | 100% |
| 3.4.2 | Block Specific Action | 100% |
| 3.5 | User / Group ID Aware Policies | |
| 3.5.1 | Users Defined via NGFW Integration with Active Directory | 100% |
| 3.5.2 | Users Defined in NGFW DB (Alternate to 5.3.1) | 100% |
| 4 | Performance | |
| 4.1 | Raw Packet Processing Performance (UDP Traffic) | Mbps |
| 4.1.1 | 128 Byte Packets | 1,900 |
| 4.1.2 | 256 Byte Packets | 3,500 |
| 4.1.3 | 512 Byte Packets | 6,750 |
| 4.1.4 | 1024 Byte Packets | 11,400 |
| 4.1.5 | 1514 Byte Packets | 12,050 |
| 4.2 | Maximum Capacity | |
| 4.2.1 | Theoretical Max. Concurrent TCP Connections | 413,000 |
| 4.2.2 | Theoretical Max. Concurrent TCP Connections w/Data | 401,000 |
| 4.2.3 | Stateful Protection at Max Concurrent Connections | PASS |
| 4.2.4 | Maximum TCP Connections Per Second | 20,000 |
| 4.2.5 | Maximum HTTP Connections Per Second | 14,700 |
| 4.2.6 | Maximum HTTP Transactions Per Second | 58,000 |
| 4.3 | HTTP Capacity With No Transaction Delays | |
| 4.3.1 | 2.500 Connections Per Second 44Kbyte Response | 6,250 |
| 4.3.2 | 5,000 Connections Per Second 21Kbyte Response | 10,250 |
| 4.3.3 | 10,000 Connections Per Second 10Kbyte Response | 11,500 |
| 4.3.4 | 20,000 Connections Per Second 4.5Kbyte Response | 12,800 |
| 4.3.5 | 40,000 Connections Per Second 1.7Kbyte Response | 13,200 |
| 4.4 | Real World Traffic | Mbps |
| 4.4.1 | Real World Protocol Mix (Perimeter) | 3,800 |
| 4.4.2 | Real World Protocol Mix (Core) | 1,970 |
| 4.5 | Latency - UDP | Microseconds |
| 4.5.1 | 128 Byte Packets | 60 |
| 4.5.2 | 256 Byte Packets | 62 |
| 4.5.3 | 512 Byte Packets | 65 |
| 4.5.4 | 1024 Byte Packets | 67 |
| 4.5.5 | 1514 Byte Packets | 68 |
| 4.6 | Application Average Response Time - HTTP | Milliseconds |
| 4.6.1 | 2.500 Connections Per Second 44Kbyte Response | 3.9 |
| 4.6.2 | 5,000 Connections Per Second 21Kbyte Response | 2.6 |
| 4.6.3 | 10,000 Connections Per Second 10Kbyte Response | 1.4 |
| 4.6.4 | 20,000 Connections Per Second 4.5Kbyte Response | 1.1 |
| 4.6.5 | 40,000 Connections Per Second 1.7Kbyte Response | 0.7 |
| 4.7 | Behavior Of The State Engine Under Load | |
| 4.7.1 | Attack Detection/Blocking - Normal Load | 100% |
| 4.7.2 | State Preservation - Normal Load | 100% |
| 4.7.3 | Pass Legitimate Traffic - Normal Load | 100% |
| 4.7.4 | State Preservation - Maximum Exceeded | 100% |
| 4.7.5 | Drop Traffic - Maximum Exceeded | 100% |
| 5 | Stability & Reliability | |
| 5.1 | Blocking Under Extended Attack | Yes |
| 5.2 | Passing Legitimate Traffic Under Extended Attack | Yes |
| 5.3 | Protocol Fuzzing | Resilient |
| Test ID | Description |
|---|---|
| 5.4 | Protocol Mutation |
| 5.5 | Power Fail |
| 5.6 | Redundancy |
| 5.7 | Persistence of Data |
| 6 | Management & Configuration Costs |
| 6.1 | Ease of Use |
| 6.1.1 | Initial Setup (Hours) |
| 6.1.2 | Time Required for Upkeep (Hours per Year) |
| 6.1.3 | Time Required to Tune (Hours per Year) |
| 6.2 | Expected Costs |
| 6.2.1 | Initial Purchase |
| 6.2.2 | Ongoing Maintenance & Support (Annual) |
| 6.2.3 | Installation Labor Cost (@$75/hr) |
| 6.2.4 | Management Labor Cost (per Year @$75/hr) |
| 6.2.5 | Tuning Labor Cost (per Year @$75/hr) |
| 6.3 | Total Cost of Ownership |
| 6.3.1 | Year 1 |
| 6.3.2 | Year 2 |
| 6.3.3 | Year 3 |
| 6.3.4 | 3 Year Total Cost of Ownership |