I am often asked why we only have single product certifications on our Web site, and why we don't certify an entire product family from each vendor. Well we do, but the problem for the vendor is that it gets very expensive to produce such a certification.
Let me explain.
NSS is ONLY prepared to certify any product after a thorough evaluation of that product. Our view is that performance and security effectiveness BOTH need to be evaluated completely for every product. If you have a range of seven products ranging from 100Mbps to 2Gbps, the vendor might claim that they are all using the same code base, but for them to receive an NSS Approved award we have to verify that fact. After all, if someone tried to convince you that Bart and Lisa were both identical because they are both Simpsons you would be more than a little skeptical, would you not?
We need to put every device in our test rig and subject each one to the same extensive battery of tests that we would for a single product certification. That is the ONLY way to ensure that you, the reader and eventual purchaser of these products, are getting the real information on how these devices will perform in your network. The only thing that stays constant across an entire product family (usually!) is the management interface and usability.
It pains me to see so called "product family certifications" from other sources, because we know how they are produced - after all, those same vendors are our clients also. We read the "reports" and note the lack of any valid performance figures for each of the products. We note the lack of any individual security effectiveness analyses for the individual products. We note also an abundance of "as reported by vendor" statements in some of these, indicating a willingness to take vendor claims on faith without verifying them. They read like a marketing or branding exercise rather than a technical evaluation - a waste of money for the vendor and a waste of time for the reader.
As a testing house, it may be painful but you DO need to test absolutely everything for every single product in the family. A "representative sample" just does not cut it.
You, dear reader, need to know individual performance details, for example. How can you rely on manufacturers performance figures? Isn't that why you read NSS reports in the first place? You need to know if the 1Gbps device is going to give you a true 1Gbps across the wire when you load it up or if you will need to budget for the 2Gbps device instead. If you were buying a TV, wouldn't you want to know why you should consider paying 20% more for the next model in the range? You also need to know that the 100Mbps device doesn't disable fragmentation reassembly or curtail the signature set, opening up huge security holes in the process of trying to get higher performance out of low-end hardware.
That is the value NSS provides with its detailed individual product reports.
Right now, two enlightened vendors are putting their entire UTM product range through our labs, and the results will appear later this year. The advantage for the vendor is that they receive a true NSS Approved award for every device in the product line. The end result for you, dear reader, will not be a single product family report, but one complete report for every device tested, allowing you to make your purchasing or short-listing decisions with absolute confidence.
Rest assured that when you read an NSS report, you will be getting a detailed evaluation of the device under test in terms of usability, security effectiveness and performance. For every single product in the range!
-Bob Walder, CTO/Founder