PCI Research Survey

NSS Labs is collaborating with the Aberdeen Group on a benchmark study regarding best practices for achieving and sustaining PCI DSS compliance. In exchange for your participation in this 15-minute survey, you’ll receive a full copy of the final report when it publishes on 6/30/08 (a $399 value). Individual responses will be kept strictly confidential, and data will only be used in aggregate. Take the survey.

Interview with TechTarget's Neil Roiter on PCI Suitability Reports

TechTarget's Neil Roiter and I discussed our new PCI Suitability reports, and how these help merchants seeking compliance to evaluate products before they face a PCI assessment. Listen to the podcast.

PCI Compliant Products

Kurt Roemer, CTO at Citrix recently discussed PCI Compliant Products on his blog, and I agree with his points thoroughly. So, since he mentioned us so kindly, I thought I'd offer some support and clarification.

As I've written before on the NSS Labs blog, there's no such thing as a PCI compliant product. No product will make you compliant, but having the wrong product, or even the right product incorrectly configured, could impede validation of compliance. From a terminology perspective, we prefer to say that products address or support compliance (to varying degrees).

That's right, there's no wholesale certification. Different aspects of a product support different requirements either completely, partially, or not at all. And in some cases, the requirements are not even directly applicable to a product. To get this "factual information" that Kurt is calling for, someone has to get their hands dirty with the details. This is what we are about at NSS Labs. Our reports only contain statements of a product's ability to support the specific individual requirements of the PCI DSS that we have empirically validated in the lab. Given that there is no official PCI certification for network/security products (other than PEDs), this is a pretty good start. Note: NSS Labs has been certifying network/security products against our openly published standards since the 1990s. Our new reports focus on the suitability of a product for use in merchant networks, using the PCI DSS as a reference.

In this manner, I believe we're helping security and compliance professionals get beyond broad marketing claims and make more informed buying and implementation decisions. (So far, we've released 2 public PCI Suitability reports and have a number of others in the queue.)

PS. Eventually I will have 'the talk' with my kids about Santa Claus, Unicorns and PCI compliance. But thankfully, no time soon. ;-)

Thanks Kurt!

Keep It In The Family

I am often asked why we only have single product certifications on our Web site, and why we don't certify an entire product family from each vendor. Well we do, but the problem for the vendor is that it gets very expensive to produce such a certification.

Let me explain.

NSS is ONLY prepared to certify a product after a thorough evaluation of that product. Our view is that performance and security effectiveness BOTH need to be evaluated completely for every product. If you have a range of seven products, from 100Mbps to 2Gbps, the vendor might claim that they are all using the same code base, but for them to receive an NSS Approved award we have to verify that fact. After all, if someone tried to convince you that Bart and Lisa were identical because they are both Simpsons, you would be more than a little skeptical, would you not?

We need to put every device in our test rig and subject each one to the same extensive battery of tests that we would for a single product certification. That is the ONLY way to ensure that you, the reader and eventual purchaser of these products, are getting the real information on how these devices will perform in your network. The only thing that stays constant across an entire product family (usually!) is the management interface and usability.

It pains me to see so called "product family certifications" from other sources, because we know how they are produced - after all, those same vendors are our clients also. We read the "reports" and note the lack of any valid performance figures for each of the products. We note the lack of any individual security effectiveness analyses for the individual products. We note also an abundance of "as reported by vendor" statements in some of these, indicating a willingness to take vendor claims on faith without verifying them. They read like a marketing or branding exercise rather than a technical evaluation - a waste of money for the vendor and a waste of time for the reader.

As a testing house, it may be painful but you DO need to test absolutely everything for every single product in the family. A "representative sample" just does not cut it.

You, dear reader, need to know individual performance details, for example. How can you rely on manufacturers' performance figures? Isn't that why you read NSS reports in the first place? You need to know if the 1Gbps device is going to give you a true 1Gbps across the wire when you load it up, or if you will need to budget for the 2Gbps device instead. If you were buying a TV, wouldn't you want to know why you should consider paying 20% more for the next model in the range? You also need to know that the 100Mbps device doesn't disable fragmentation reassembly or curtail the signature set, opening up huge security holes in the process of trying to get higher performance out of low-end hardware.

That is the value NSS provides with its detailed individual product reports.
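The fragmentation point above deserves a concrete illustration. The following is an added example, not NSS Labs' code or part of any tested product: a toy signature matcher run first per IP fragment (what a device that has switched off reassembly to save CPU effectively does) and then over the reassembled datagram. The HTTP request, the signature string and the fragment sizes are all constructed for the demonstration; for simplicity fragment offsets are in bytes rather than the 8-byte units real IP headers use, and overlapping fragments are rejected rather than resolved by a reassembly policy.

```python
"""Added example: why skipping IP fragment reassembly loses signature coverage.

A signature that spans a fragment boundary is invisible to an inspector that
looks at each fragment in isolation. Everything here is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Fragment:
    ident: int      # IP identification field, shared by all fragments of one datagram
    offset: int     # byte offset of this payload within the original datagram
    more: bool      # "more fragments" flag; False on the final fragment
    payload: bytes


def fragment(payload: bytes, ident: int, max_bytes: int) -> List[Fragment]:
    """Split a datagram payload into fragments of at most max_bytes each."""
    frags = []
    for off in range(0, len(payload), max_bytes):
        chunk = payload[off:off + max_bytes]
        frags.append(Fragment(ident, off, off + max_bytes < len(payload), chunk))
    return frags


def reassemble(frags: Iterable[Fragment]) -> Optional[bytes]:
    """Rebuild one datagram from its fragments in any arrival order.

    Returns None if fragments are missing, overlap, or the last one never
    arrived, which is what a stateful inspector must wait for before matching.
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered or len({f.ident for f in ordered}) != 1:
        return None
    buf = bytearray()
    for f in ordered:
        if f.offset != len(buf):      # gap or overlap: refuse rather than guess
            return None
        buf += f.payload
    if ordered[-1].more:              # final fragment not yet seen
        return None
    return bytes(buf)


# Hypothetical content signature for the demonstration (20 bytes long).
SIGNATURE = b"/cgi-bin/phf?Qalias="


def match_per_fragment(frags: Iterable[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Stateless inspection: the signature must sit entirely inside one fragment."""
    return any(sig in f.payload for f in frags)


def match_reassembled(frags: Iterable[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Stateful inspection: match against the reassembled datagram."""
    data = reassemble(frags)
    return data is not None and sig in data


def demo() -> Dict[str, bool]:
    """Run the same constructed request unfragmented and in 8-byte fragments."""
    request = (b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"
               b"Host: victim.example\r\n\r\n")
    whole = fragment(request, ident=1, max_bytes=1480)   # fits in one fragment
    tiny = fragment(request, ident=2, max_bytes=8)       # attacker-chosen tiny fragments
    tiny_reversed = list(reversed(tiny))                 # and delivered out of order
    return {
        "whole_per_fragment": match_per_fragment(whole),
        "tiny_per_fragment": match_per_fragment(tiny),          # evasion succeeds
        "tiny_reassembled": match_reassembled(tiny),            # reassembly restores coverage
        "tiny_reversed_reassembled": match_reassembled(tiny_reversed),
        "incomplete_reassembled": match_reassembled(tiny[:-1]),  # last fragment missing
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:28s} {'ALERT' if hit else 'missed'}")
```

Because no 8-byte fragment can contain the 20-byte signature, the per-fragment matcher misses the request entirely while the reassembling matcher catches it regardless of arrival order. A device that disables reassembly under load is therefore not "the same product, only slower": its effective signature coverage is different, which is exactly why each model in a family has to be tested on its own.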

Right now, two enlightened vendors are putting their entire UTM product range through our labs, and the results will appear later this year. The advantage for the vendor is that they receive a true NSS Approved award for every device in the product line. The end result for you, dear reader, will not be a single product family report, but one complete report for every device tested, allowing you to make your purchasing or short-listing decisions with absolute confidence.

Rest assured that when you read an NSS report, you will be getting a detailed evaluation of the device under test in terms of usability, security effectiveness and performance. For every single product in the range!

-Bob Walder, CTO/Founder

Toys for Geeks

One of the best things about working in a test lab like NSS is that we get to play with all the latest, coolest stuff. Well, cool if you are a geek at heart, that is. It might not be an Aston Martin or a Playstation 4, but the new BP10K from BreakingPoint Systems does at least have white "go faster" stripes on the British racing green front panel...
And go faster it does. NSS has spent almost a year evaluating this equipment for use in its labs, and has been using it in earnest for the last few months. This has been a considerable commitment by NSS, given that our extensive methodologies consist of literally hundreds of different performance tests, and moving them to a new platform is no mean feat.

BreakingPoint has made this possible with a software architecture and GUI design that abstracts as much of the physical layer of the test rig as possible from the logical requirements of the test. As just one example, converting an existing test from in-line layer 2 to routed layer 3 is the work of only a couple of mouse clicks - no need to go through hundreds of test scripts altering IP addresses and default gateways. And there are lots of new cool bells and whistles which will allow us to create incredibly complex tests.

But software isn't cool, is it guys? It's the hardware that gets us excited. And the BP10K can generate complex multi-protocol real-world traffic at line speeds - and that means at 20Gbps (40Gbps full duplex), with 7.5 million concurrent connections and rates of up to 750,000 connections per second from a single appliance with four fiber 10Gbps ports. And you can incorporate multiple appliances in a single test to scale up to hundreds of Gigabits.

In our lab, we have mixed 'n' matched BP10Ks and the 2Gbps (4Gbps full duplex) BP1000s to provide us with a total of 60Gbps of traffic generation capability over both 10Gbps fiber and 1Gbps copper interfaces, and this will allow us to standardize on the BPS kit for our Layer 4-7 testing going forward.

All it needs now is a twin exhaust and flashy alloy wheels and we are all set...

-Bob Walder, CTO/Founder

RFI for leading network/test tools

NSS Labs continually evaluates and validates testing tools and best practices. This is a necessary step prior to selecting and implementing the best tools in our test methodologies, which result in our published test reports. Our lab engineering team is thus requesting leading test tool, network infrastructure product and service providers to brief them on their offerings and roadmaps. Best in class products will be selected for use in NSS Labs' next generation test facility. More info

Fastest Public Test of a Network IPS

As network traffic continues to grow, so too do the demands on network infrastructures. As a result, multi-gigabit network IPS devices are gaining traction, and providing essential protection in a switched core environment.

Yesterday, NSS Labs released a milestone report on what is the fastest independently verified Network IPS product on the market to date - the IBM/ISS GX6116. (I say to date because there are certainly a couple of 10Gig devices that have recently debuted, and we look forward to also testing these.) What is notable here is that our tests are not based merely on RFC 2544 (UDP packet blasting), which can inflate a vendor's performance metrics due to the stateless nature of UDP and the typically large packet sizes used. (See our white paper on Pitfalls of Performance Testing.) Rather, NSS Labs dedicates a lot of attention to creating real-world multi-protocol test suites across a wide range of use cases.

In our real world tests, we create a complex mix of protocols including HTTP, FTP, SMTP, DNS, etc. and pass these through the device under test (DUT) at speeds up to 30 Gbps. This is a live test with deep packet inspection and default or recommended rules turned on. The Proventia GX6116 displayed excellent performance up to 6 Gbps coupled with extremely low latency under all normal traffic conditions. Security effectiveness was also impressive, with excellent coverage above 95% for the most critical vulnerabilities, out of a set of 579 - the largest set of exploits run in any public test.

Read the full report here:

PCI Self-Assessment Questionnaires Embrace Use-Case Philosophy!

I have been meaning to comment on this for a while, but better late than never. Earlier this year, the PCI SSC released an updated and well-thought-out collection of self-assessment questionnaires to replace the previous single questionnaire. This is a very welcome enhancement for a number of reasons, not least because it shows clear support for a use-case-based approach - something NSS Labs has been working towards in its own testing.

In fact, we've written a white paper outlining how use cases can help IT Security and Compliance professionals evaluate products for appropriate usage in their environments. In short, know your environment, and specifically what you're trying to protect, and this will help you define more granular (and thus more useful) protection requirements for your control selections (i.e. security products).

There is no silver bullet or magic product, and in fact, as products are increasingly differentiating themselves, defining the requirements early on in the process is increasingly important. For buyers, this means being better prepared, and more discerning in the evaluation process. For vendors, this should be a welcome opportunity to claim some higher ground (in terms of positioning and differentiation) in some very 'mushy' crowded markets where customers turn quickly to price as a differentiator when they can't tell the difference in benefits.

May 5, 2008 interview with Rick Moy on Product Testing

My interview with Tom Field at RSA about NSS Labs and how our product evaluations are helping the banking and payment card industry with security and compliance.

Listen to the interview
