Enterprise Firewall
February 5, 2021
V1.0
CyberRatings.org Test Methodology
Table of Contents
Introduction (page 5)
1.1 Enterprise Firewalls (page 5)
1.2 About This Test Methodology (page 5)
1.3 Inclusion Criteria (page 5)
1.4 Product Guidance (page 6)
5 Performance (page 19)
5.1 Raw Packet Processing Performance (UDP Throughput) (page 19)
5.1.1 64 Byte Packets (page 19)
5.1.2 128 Byte Packets (page 19)
Introduction
1.1 Enterprise Firewalls
The firewall market is one of the largest and most mature security technology segments. A firewall is a mechanism
used to protect a trusted network from an untrusted network while allowing authorized communications to pass
from one side to the other, thus facilitating secure business use of the Internet.
Firewalls have undergone several stages of development, from early packet filtering and circuit relay firewalls to
application layer (proxy-based) and dynamic packet filtering firewalls. Throughout their history the goal has been to
enforce an access control policy between two networks, and they should therefore be viewed as an implementation
of policy.
The Enterprise Firewall must be capable of performing deep packet inspection (DPI) on all packets, on all ports, and
over all protocols to determine which applications are running over which ports and thus secure them effectively. In
addition, with the expanded use of SSL/TLS in much of the traffic traversing the modern network, inspection of
encrypted content is required.
As firewalls are deployed at critical choke points in the network, their stability and reliability are imperative.
Therefore, regardless of any new deep inspection capabilities, the main requirement of any firewall is that it must
be as stable, as reliable, as fast, and as flexible as the firewall that it is replacing.
The following capabilities are considered essential in a firewall:
• Market presence
• Identified by industry analysts covering the specific technology area
• Consumer requests
• Innovative technology/solution (requires internal vetting for emerging vendors)
• Security effectiveness — How effectively does the firewall control network access and protect applications and
users while preventing threats (exploits, malware, phishing, etc.)?
• Resistance to evasion — Failure in any evasion class permits attackers to circumvent protection.
• Stability — Long-term stability is particularly important for a firewall offering, where failure can produce crippling
network outages.
• Performance — If a firewall offering slows down users, it will never be implemented, or those users will make
the operations team miserable.
• Management — In particular, how difficult is it to configure, maintain, and operate (i.e., find information)?
• Value — Customers should seek appropriate TCO and high effectiveness and performance rankings.
PRODUCT RATINGS
RATING  DEFINITION
AAA  A product rated 'AAA' has the highest rating assigned by CyberRatings. The product's capacity to meet its commitments to consumers is extremely strong.
AA  A product rated 'AA' differs from the highest-rated products only to a small degree. The product's capacity to meet its commitments to consumers is very strong.
A  A product rated 'A' is somewhat less capable than higher-rated categories. However, the product's capacity to meet its commitments to consumers is still strong.
BBB  A product rated 'BBB' exhibits adequate stability and reliability. However, previously unseen events and use cases are more likely to negatively impact the product's capacity to meet its commitments to consumers.
A product rated 'BB,' 'B,' 'CCC,' 'CC,' and 'C' is regarded as having significant risk characteristics. 'BB' indicates the least degree of risk and 'C' the highest. While such products will likely have some specialized capability and features, these may be outweighed by large uncertainties or major exposure to adverse conditions.
BB  A product rated 'BB' is more susceptible to failures than products that have received higher ratings. The product has the capacity to meet its commitments to consumers. However, it faces minor technical limitations that have a potential to be exposed to risks.
B  A product rated 'B' is more susceptible to failures than products rated 'BB'; however, it has the minimum capacity. Adverse conditions will likely expose the product's technical limitations that lead to an inability to meet its commitments to consumers.
CCC  A product rated 'CCC' is susceptible to failures and is dependent upon favorable conditions to perform expected functions. In the event of adverse conditions, the product is not likely to have the capacity to meet its commitments to consumers.
CC  A product rated 'CC' is highly susceptible to failures. The 'CC' rating is used when a failure has not yet occurred, but CyberRatings considers it a virtual certainty.
C  A product rated 'C' is highly susceptible to failures. The product is expected to fail under any abnormal operating conditions and does not offer useful management systems and logging information compared with products that are rated higher.
D  A product rated 'D' is actively underperforming and failing and does not meet the use-case. The 'D' rating is used when the product is not operational without a major technical overhaul. Unless CyberRatings believes that such technical fixes will be made within a stated grace period (typically 30-90 calendar days), the 'D' rating also is an indicator that existing customers using the product have already experienced a failure and should take immediate action.
2 Access Control
Firewalls must support stateful firewalling either by managing state tables to prevent "traffic leakage" or as a
stateful proxy. The firewall must be able to manage policies across multiple interfaces/zones. CyberRatings also
requires that a single security policy be applied to all interfaces under test. At a minimum, the firewall must provide
a "trusted" internal interface, an "untrusted" external/Internet interface, and (optionally) one or more DMZ
interfaces. In addition, a dedicated management interface (virtual or otherwise) is preferred.
This section verifies that the firewall is capable of enforcing a specified security policy effectively. The test is
conducted by incrementally building upon a baseline configuration (a simple configuration with no policy restrictions
and no content inspection) to a complex, real-world, multiple-zone configuration supporting many addressing modes,
policies, applications, and inspection engines.
At each level of complexity, test traffic is sent to ensure that only specified traffic is allowed and the rest denied,
and that appropriate log entries are recorded.
3 SSL/TLS Functionality
The use of the Secure Sockets Layer (SSL) protocol and its current iteration, Transport Layer Security (TLS), is rising
dramatically in response to an ever-increasing need for online privacy. In March 2020, data collected by Tranco on
their Top 1 Million [1] showed that 60% of web traffic is being sent over HTTPS. While CyberRatings believes
encryption is a good thing, SSL/TLS is susceptible to various security attacks at multiple levels of network
communication. Attacks have been observed in the handshake protocol, record protocol, application data protocol,
and Public Key Infrastructure (PKI), to name just a few.
To address the growing threat of focused attacks using the most common web protocols and applications,
CyberRatings tests the capabilities of cloud network firewalls to provide visibility into the SSL/TLS payloads and
detect attacks concealed by encryption as well as attacks against the encryption protocols themselves. Performance
testing of SSL/TLS may be found in section 5.
3.3.1 Top 24 Cipher Suites from the Tranco Top 1 Million, as of March 2020:
• TLS_AES_256_GCM_SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES128-GCM-SHA256
• TLS_AES_128_GCM_SHA256
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-CHACHA20-POLY1305
• ECDHE-RSA-AES256-SHA
• AES256-GCM-SHA384
• AES256-SHA256
• AES128-SHA256
• AES128-GCM-SHA256
• ECDHE-RSA-AES128-SHA
• DHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-CHACHA20-POLY1305
• TLS_CHACHA20_POLY1305_SHA256
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES128-SHA256
• DHE-RSA-AES128-GCM-SHA256
• DHE-RSA-CHACHA20-POLY1305
• ECDHE-ECDSA-AES128-SHA256
• DHE-RSA-AES256-SHA256
• ECDHE-ECDSA-AES128-SHA
• DHE-RSA-AES128-SHA256
[1] Tranco Top 1 Million analysis performed in March 2020, by Scott Helme (https://scotthelme.co.uk/top-1-million-analysis-march-2020/)
• TLS_AES_256_GCM_SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES128-GCM-SHA256
• TLS_AES_128_GCM_SHA256
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-CHACHA20-POLY1305
Results will be reported so that customers will know what behavior(s) to expect from the tested firewall offering.
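The cipher-suite list above mixes two spellings (IANA names for the TLS 1.3 suites, OpenSSL names for the rest), and for an inspection deployment the property that matters is hidden in the name: a suite with static RSA key exchange can be decrypted by a sensor that holds the server's private key, whereas the (EC)DHE and TLS 1.3 suites, which are most of the list, can only be inspected by an inline proxy that terminates the session. The classifier below is an added example written for this page, not CyberRatings' tooling or any vendor's code. It generalises slightly beyond the page by also accepting IANA TLS 1.2 names of the TLS_..._WITH_... form. TOP_24 is the page's list copied in as input; SuiteInfo, classify, summarize and passive_decryptable are names chosen here.

```python
from dataclasses import dataclass

# The 24 suites listed on the page, copied here as the example's input.
TOP_24 = [
    "TLS_AES_256_GCM_SHA384", "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305",
    "AES256-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "AES128-SHA256", "DHE-RSA-AES256-SHA256",
    "AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA256",
]

@dataclass(frozen=True)
class SuiteInfo:
    name: str
    protocol: str        # "TLS1.3" or "TLS1.2-" (1.2 or earlier)
    key_exchange: str    # "ECDHE"/"DHE" (ephemeral), "ECDH"/"DH" (static),
                         # or "RSA" (static RSA key transport)
    forward_secrecy: bool
    aead: bool           # GCM / CCM / ChaCha20-Poly1305 record protection

def classify(name: str) -> SuiteInfo:
    """Classify one cipher-suite name given in IANA or OpenSSL spelling."""
    aead = any(tag in name for tag in ("GCM", "CCM", "CHACHA20"))
    if name.startswith("TLS_") and "_WITH_" not in name:
        # TLS 1.3 suite names carry only the AEAD and hash; the key exchange
        # is always ephemeral (EC)DHE, so forward secrecy is guaranteed.
        return SuiteInfo(name, "TLS1.3", "ECDHE", True, aead)
    if "_WITH_" in name:
        # IANA TLS 1.2 form, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        tokens = name[len("TLS_"):name.index("_WITH_")].split("_")
    else:
        # OpenSSL form, e.g. ECDHE-RSA-AES128-GCM-SHA256 or AES128-GCM-SHA256
        tokens = name.split("-")
    kx = tokens[0] if tokens[0] in ("ECDHE", "DHE", "ECDH", "DH") else "RSA"
    return SuiteInfo(name, "TLS1.2-", kx, kx in ("ECDHE", "DHE"), aead)

def summarize(names):
    """Counts a reviewer would want before deciding how TLS inspection is done."""
    infos = [classify(n) for n in names]
    return {
        "total": len(infos),
        "tls13": sum(i.protocol == "TLS1.3" for i in infos),
        "forward_secrecy": sum(i.forward_secrecy for i in infos),
        "static_rsa": sum(i.key_exchange == "RSA" for i in infos),
        "aead": sum(i.aead for i in infos),
    }

def passive_decryptable(names):
    """Suites a sensor could decrypt with only the server's RSA private key;
    everything else needs an inline (terminating) TLS proxy."""
    return [n for n in names if classify(n).key_exchange == "RSA"]

if __name__ == "__main__":
    for info in map(classify, TOP_24):
        print(f"{info.name:32} {info.protocol:8} kx={info.key_exchange:6} "
              f"fs={info.forward_secrecy!s:5} aead={info.aead}")
    print(summarize(TOP_24))
    print("passive decryption possible:", passive_decryptable(TOP_24))
```

Of the 24 suites, only the four without a key-exchange prefix (AES256-GCM-SHA384, AES256-SHA256, AES128-SHA256, AES128-GCM-SHA256) use static RSA; a firewall that wants visibility into the remaining 20 has to sit inline and present its own certificate to the client, which is the deployment model section 3 is really testing.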
4 Threat Prevention
CyberRatings security effectiveness tests verify that an offering can accurately block and log threats while remaining
resistant to false positives. Testing leverages the deep expertise of CyberRatings engineers, utilizing multiple
commercial, open-source and proprietary tools to employ attack methods that are currently being used by
cybercriminals and other threat actors.
Vendors will be provided with a baseline sample set of malicious software ahead of testing to ensure their products
are functioning correctly. These baseline samples will be used to verify basic protection capabilities only at the start
of the test and will not count toward final security effectiveness scores.
The latest signature pack is acquired from the vendor's support site, and the device is deployed using vendor-provided
settings. The signature pack version is recorded for future reference. The vendor may not tune the device.
Once deployed, the device's inspection capabilities are governed solely through firmware and signature updates. All
signatures used must be available to the general public at the time of testing; no custom signatures are permitted.
CyberRatings research has found that this approach reflects a typical deployment and will align results from testing
with product performance in the field. The firewall is required to block and log exploit attempts and malicious
traffic.
If a device experiences false positive events, it will be tuned until no further false positive events are encountered.
4.1.1 Initial check – legitimate traffic, documents, and files
This test transmits a varied sample of legitimate application traffic, documents, and files that should be identified
and allowed or blocked based on policy rules. Testing may include but is not limited to the following file formats:
HTML, .js, .exe, .jar, .xlsm, .css, .pdf, .ppt, .pptx, .doc, .docx, .zip, .DLL, .xls, .xlsx, .chm, .rar, .lnk, .cur, .tar, .xrc.
4.1.2 Ongoing check – legitimate traffic, documents, and files
Since firewalls may include a cloud offering which utilizes machine learning to modify/tune settings in real-time,
testing for false positives requires legitimate traffic and documents to be included when testing the firewall’s ability
to block attacks. CyberRatings will introduce legitimate traffic, documents, and files into tests in sections 4.2, 4.3,
and 4.4, including but not limited to the following file formats: HTML, .js, .exe, .jar, .xlsm, .css, .pdf, .ppt, .pptx, .doc,
.docx, .zip, .DLL, .xls, .xlsx, .chm, .rar, .lnk, .cur, .tar, .xrc.
4.2 Exploits
While vulnerabilities are patched, and defenses against exploits are incorporated into new versions of operating
systems such as Windows, many organizations cannot easily upgrade due to financial, technical, or other
constraints. And often, the most valuable assets have the most stringent change control to avoid business
interruption. This creates a challenging dynamic whereby the most valuable assets tend to be the most difficult to
defend (e.g., older OS, unpatched, etc.). Therefore, as vulnerabilities are patched and defenses against exploits are
incorporated into new versions of operating systems, the value of a firewall is often associated with its ability to
protect older, unpatched, and generally more vulnerable systems.
CyberRatings security effectiveness testing leverages the deep expertise of our engineers, who utilize multiple
commercial, open-source, and proprietary tools as appropriate. With thousands of exploits, this is the industry's
most comprehensive test to date. Most notably, all of the live exploits and payloads in the CyberRatings exploit test
have been validated in our lab such that one or more of the following are true:
• res-mth-mrg-ord-pay-spl-chr-wsp-003 numeric values/equations modified and/or inserted; hexadecimal values replaced with decimal
values; combine 'myarray' instantiation into single line; combine powershell command into single line; Remove runmumaa and add to
setnotsafemode function; move setnotsafemode function to bottom of script; Some strings split with "+" and "&"; some lines split with "_";
some script commands/strings converted to series of chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; nishang
bind shell obfuscated with PowerSploit's Out-EncodedCommand
• res-mth-mrg-ord-pay-spl-chr-wsp-cd-003 numeric values/equations modified and/or inserted; hexadecimal values replaced with decimal
values; combine 'myarray' instantiation into single line; combine powershell command into single line; Remove runmumaa and add to
setnotsafemode function; move setnotsafemode function to bottom of script; Some strings split with "+" and "&"; some lines split with "_";
some script commands/strings converted to series of chr()/Clng/&H using online vbscript obfuscator; both spaces and linefeeds replaced
with multiples of each; nishang bind shell obfuscated with PowerSploit's Out-EncodedCommand; chunked and deflate compressed
• res-mth-mrg-ord-pay-spl-chr-wsp-004 numeric values/equations modified and/or inserted; hexadecimal values replaced with decimal
values; combine 'myarray' instantiation into single line; combine powershell command into single line; Remove runmumaa and add to
setnotsafemode function; move setnotsafemode function to bottom of script; Some strings split with "+" and "&"; some lines split with "_";
some script commands/strings converted to series of chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; Veil
Ordnance bind shell shellcode dropped into PowerSploit's Invoke-Shellcode; then obfuscated with PowerSploit's Out-EncodedCommand
• res-mth-mrg-ord-pay-spl-chr-wsp-ch-004 numeric values/equations modified and/or inserted; hexadecimal values replaced with decimal
values; combine 'myarray' instantiation into single line; combine powershell command into single line; Remove runmumaa and add to
setnotsafemode function; move setnotsafemode function to bottom of script; Some strings split with "+" and "&"; some lines split with "_";
some script commands/strings converted to series of chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; Veil
Ordnance bind shell shellcode dropped into PowerSploit's Invoke-Shellcode; then obfuscated with PowerSploit's Out-EncodedCommand;
chunked
• res-mth-mrg-ord-pay-spl-chr-wsp-005 numeric values/equations modified and/or inserted; hexadecimal values replaced with decimal
values; combine 'myarray' instantiation into single line; combine powershell command into single line; Remove runmumaa and add to
setnotsafemode function; move setnotsafemode function to bottom of script; Some strings split with "+" and "&"; some lines split with "_";
some script commands/strings converted to series of chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; custom
bind shell shellcode obfuscated with Invoke-Obfuscation
• res-mth-mrg-ord-pay-spl-chr-wsp-cg-005 numeric values/equations modified and/or inserted; hexadecimal values replaced with decimal
values; combine 'myarray' instantiation into single line; combine powershell command into single line; Remove runmumaa and add to
setnotsafemode function; move setnotsafemode function to bottom of script; Some strings split with "+" and "&"; some lines split with "_";
some script commands/strings converted to series of chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; custom
bind shell shellcode obfuscated with Invoke-Obfuscation; chunked and gzip compressed
• res-mth-mrg-ord-pay-splc-hrw-sp-006 numeric values/equations modified and/or inserted; hexadecimal values replaced with decimal
values; combine 'myarray' instantiation into single line; combine powershell command into single line; Remove runmumaa and add to
setnotsafemode function; move setnotsafemode function to bottom of script; Some strings split with "+" and "&"; some lines split with "_";
some script commands/strings converted to series of chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; custom
bind shell shellcode with password prompt obfuscated with Invoke-Obfuscation
• res-mth-mrg-ord-pay-spl-chr-wsp-cd-006 numeric values/equations modified and/or inserted; hexadecimal values replaced with decimal
values; combine 'myarray' instantiation into single line; combine powershell command into single line; Remove runmumaa and add to
setnotsafemode function; move setnotsafemode function to bottom of script; Some strings split with "+" and "&"; some lines split with "_";
some script commands/strings converted to series of chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; custom
bind shell shellcode with password prompt obfuscated with Invoke-Obfuscation; chunked and deflate compressed
• res-ren-chr-wsp-pay-mth-spl-001 procedures and variables renamed; some script commands/strings converted to series of chr()/Clng/&H;
both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal values
replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; nishang bind shell obfuscated with Unicorn
• res-ren-chr-wsp-pay-mth-spl-ch-001 procedures and variables renamed; some script commands/strings converted to series of
chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal
values replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; nishang bind shell obfuscated with
Unicorn; chunked
• res-ren-chr-wsp-pay-mth-spl-002 procedures and variables renamed; some script commands/strings converted to series of chr()/Clng/&H;
both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal values
replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; native Unicorn generated bind shell
• res-ren-chr-wsp-pay-mth-spl-cg-002 procedures and variables renamed; some script commands/strings converted to series of
chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal
values replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; native Unicorn generated bind shell;
chunked and gzip compressed
• res-ren-chr-wsp-pay-mth-spl-003 procedures and variables renamed; some script commands/strings converted to series of chr()/Clng/&H;
both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal values
replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; nishang bind shell obfuscated with PowerSploit's
Out-EncodedCommand
• res-ren-chr-wsp-pay-mth-spl-cd-003 procedures and variables renamed; some script commands/strings converted to series of
chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal
values replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; nishang bind shell obfuscated with
PowerSploit's Out-EncodedCommand; chunked and deflate compressed
• res-ren-chr-wsp-pay-mth-spl-004 procedures and variables renamed; some script commands/strings converted to series of chr()/Clng/&H;
both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal values
replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; Veil Ordnance bind shell shellcode dropped into
PowerSploit's Invoke-Shellcode; then obfuscated with PowerSploit's Out-EncodedCommand
• res-ren-chr-wsp-pay-mth-spl-ch-004 procedures and variables renamed; some script commands/strings converted to series of
chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal
values replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; Veil Ordnance bind shell shellcode
dropped into PowerSploit's Invoke-Shellcode; then obfuscated with PowerSploit's Out-EncodedCommand; chunked
• res-ren-chr-wsp-pay-mth-spl-005 procedures and variables renamed; some script commands/strings converted to series of chr()/Clng/&H;
both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal values
replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; custom bind shell shellcode obfuscated with
Invoke-Obfuscation
• res-ren-chr-wsp-pay-mth-spl-cg-005 procedures and variables renamed; some script commands/strings converted to series of
chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal
values replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; custom bind shell shellcode obfuscated
with Invoke-Obfuscation; chunked and gzip compressed
• res-ren-chr-wsp-pay-mth-spl-006 procedures and variables renamed; some script commands/strings converted to series of chr()/Clng/&H;
both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal values
replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; custom bind shell shellcode with password
prompt obfuscated with Invoke-Obfuscation
• res-ren-chr-wsp-pay-mth-spl-cd-006 procedures and variables renamed; some script commands/strings converted to series of
chr()/Clng/&H; both spaces and linefeeds replaced with multiples of each; numeric values/equations modified and/or inserted; hexadecimal
values replaced with decimal values; Some strings split with "+" and "&"; some lines split with "_"; custom bind shell shellcode with
password prompt obfuscated with Invoke-Obfuscation; chunked and deflate compressed
• res-wsp-001 both spaces and linefeeds replaced with multiples of each
• res-ren-001 procedures and variables renamed
• res-mth-001 numeric values/equations modified and/or inserted; hexadecimal values replaced with decimal values
• res-chr-001 change all chr() to chrw() and vice versa where possible
• res-chr-002 change chr() and chrw() to chrb()
• res-chr-003 some script commands/strings converted to series of chr()/Clng/&H using online vbscript obfuscator
• res-pay-007 Veil Ordnance bind shell shellcode dropped into PowerSploit's Invoke-Shellcode; then obfuscated with PowerSploit's Out-EncodedCommand
• res-pay-008 Use wscript to call original payload (PoshRat method)
• res-pay-009 nishang bind shell obfuscated with Unicorn
• res-ord-001 Remove runmumaa and add to setnotsafemode function; move setnotsafemode function to bottom of script
• res-spl-001 Some strings split with "+" and "&"; some lines split with "_"
• res-mrg-001 combine 'myarray' instantiation into single line; combine powershell command into single line
• res-ren-chr-001 Combination of techniques used in res-ren-001 and res-chr-003
• res-ren-chr-wsp-001 Combination of techniques used in res-ren-001; res-chr-003; and res-wsp-001
• res-ren-chr-wsp-pay-001 Combination of techniques used in res-ren-001; res-chr-003; res-wsp-001; and res-pay-004
• res-ren-pay-001 Combination of techniques used in res-ren-001 and res-pay-007
• res-ren-chr-wsp-pay-mth-001 Combination of techniques used in res-ren-001; res-chr-003; res-wsp-001; res-pay-007; and res-mth-001
• res-mth-mrg-001 Combination of techniques used in res-mth-001 and res-mrg-001
• res-mth-mrg-ord-001 Combination of techniques used in res-mth-001; res-mrg-001; and res-ord-001
• res-mth-mrg-ord-pay-001 Combination of techniques used in res-mth-001; res-mrg-001; res-ord-001; and res-pay-008
• res-mth-mrg-ord-pay-spl-001 Combination of techniques used in res-mth-001; res-mrg-001; res-ord-001; res-pay-008; and res-spl-001
• res-mth-mrg-ord-pay-spl-chr-001 Combination of techniques used in res-mth-001; res-mrg-001; res-ord-001; res-pay-008; res-spl-001; and
res-chr-003
• res-mth-mrg-ord-pay-spl-chr-002 Combination of techniques used in res-mth-001; res-mrg-001; res-ord-001; res-pay-008; res-spl-001; and
res-chr-003; plus removal of all CLng's
• res-mth-mrg-ord-pay-chr-001 Combination of techniques used in res-mth-001; res-mrg-001; res-ord-001; res-pay-008; and res-chr-003
• res-mth-mrg-ord-pay-spl-chr-wsp-007 Combination of techniques used in res-mth-001; res-mrg-001; res-ord-001; res-pay-008; res-spl-001;
res-chr-003; res-wsp-001; plus removal of all CLng's
• res-mth-mrg-ord-pay-spl-chr-wsp-008 Combination of techniques used in res-mth-001; res-mrg-001; res-ord-001; res-pay-009; res-spl-001;
res-chr-003; res-wsp-001; res-ren-001; plus removal of all CLng's; replace 'LANGUAGE="VBScript"' with 'type="text/vbScript"'
• combo-001 UTF-8 encoding; HTTP/1.1 chunked response with chunk sizes preceded by multiple zeros (hex '30'); small TCP segments; small
IP fragments; padding
• combo-002 UTF-8 encoding with BOM; HTTP/1.1 chunked response with chunk sizes followed by backspace (hex '08'); small TCP segments;
small IP fragments in reverse order; padding
• combo-003 UTF-16 encoding with BOM; HTTP/1.1 chunked response with chunk sizes followed by end of text (hex '03'); small TCP
segments in random order; small IP fragments; padding
• combo-004 UTF-8 encoding; no http or html declarations; HTTP/1.1 chunked response with chunk sizes followed by escape (hex '1b'); small
TCP segments; small IP fragments in random order; padding
• combo-005 UTF-8 encoding with BOM; no http or html declarations; HTTP/1.1 chunked response with chunk sizes followed by null (hex
'00'); small TCP segments in random order; small IP fragments in reverse order; padding
4.4 Evasions
Threat actors deploy evasions to disguise and modify attacks at the point of delivery to avoid detection by security
products. Therefore, it is imperative that a firewall offering correctly handles evasions.
Attackers can modify attacks and malicious code in a number of ways in order to evade detection. If a firewall fails to
detect a single form of evasion, an attack can bypass protection, rendering it ineffective. CyberRatings verifies that
the firewall is capable of detecting and blocking exploits and malware when subjected to a variety of common evasion
techniques. Wherever possible, the firewall is expected to successfully decode the obfuscated traffic and produce an
accurate alert relating to the original attack, rather than alerting purely on anomalous traffic detected as a result of
the evasion technique itself.
A number of common attacks are executed to ensure that they are detected in their unmodified state. These will be
chosen from a suite of older/common basic attacks for which CyberRatings is certain that all vendors will have
protection.
4.4.1 IP Packet Fragmentation
These tests determine the effectiveness of the fragment reassembly mechanism of the firewall.
• Sequence resync requests, random initial sequence number, or out-of-window sequence numbers
• Faked retransmits, protection against wrapped sequence numbers (PAWS), or segments containing random data
• Endianness interchanged
• Any combination of the above methods
Some examples:
o Ordered 1 byte segments, interleaved duplicate segments with invalid TCP checksums
o Ordered 1 byte segments, interleaved duplicate segments with null TCP control flags
o Ordered 1 byte segments, interleaved duplicate segments with requests to resync sequence numbers mid-stream
o Ordered 1 byte segments, duplicate last packet
o Ordered 2 byte segments, segment overlap (favor new)
o Ordered 1 byte segments, interleaved duplicate segments with out-of-window sequence numbers
o Out of order 1 byte segments
o Out of order 1 byte segments, interleaved duplicate segments with faked retransmits
o Ordered 1 byte segments, segment overlap (favor new)
o Out of order 1 byte segments, PAWS elimination (interleaved duplicate segments with older TCP timestamp options)
o Ordered 16 byte segments, segment overlap (favor new (Unix))
It is a requirement of the test that the firewall submitted should have all TCP stream reassembly options enabled by
default in the shipping product.
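Every segment-level evasion in the list above rests on one ambiguity: when two segments claim the same sequence range, or when one of them ought to be discarded (bad checksum, out of window, stale timestamp), the stream a sensor reconstructs depends on its own reassembly policy, and any difference from the policy of the receiving host is the gap an evasion lives in. The model reassembler below is an added example written for this page, not CyberRatings' test harness or any product's code. Segment, reassemble, interleaved_decoys and sensor_matches_endpoint are names chosen here; the checksum_ok flag stands in for real TCP checksum verification, the endpoint is modelled as checksum-verifying and first-segment-wins, and all traffic is constructed inline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int                   # relative sequence number of the first byte
    data: bytes
    checksum_ok: bool = True   # stand-in for real TCP checksum verification

def reassemble(segments, policy="favor_old", verify_checksum=True):
    """Rebuild the byte stream from segments taken in arrival order.

    policy:          "favor_old" keeps the first byte seen at an offset,
                     "favor_new" lets a later segment overwrite it (the two
                     overlap behaviours named in the examples above).
    verify_checksum: an endpoint always drops segments with bad checksums;
                     a careless sensor may accept them.
    Returns the contiguous bytes from the lowest offset up to the first gap.
    """
    stream = {}
    for seg in segments:
        if verify_checksum and not seg.checksum_ok:
            continue
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "favor_new" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    out, off = bytearray(), min(stream)
    while off in stream:             # stop at the first hole in the stream
        out.append(stream[off])
        off += 1
    return bytes(out)

def interleaved_decoys(payload: bytes, filler: bytes = b"X"):
    """Constructed traffic in the shape of 'ordered 1 byte segments,
    interleaved duplicate segments with invalid TCP checksums': each real
    byte is followed by a duplicate at the same offset that carries a filler
    byte and a bad checksum, so the host discards it."""
    segs = []
    for i in range(len(payload)):
        segs.append(Segment(i, payload[i:i + 1], checksum_ok=True))
        segs.append(Segment(i, filler, checksum_ok=False))
    return segs

def sensor_matches_endpoint(segments, sensor_policy, sensor_verifies):
    """True when the sensor reconstructs exactly what the modelled endpoint
    consumes; False marks a reassembly gap that the test above would catch."""
    endpoint_view = reassemble(segments, "favor_old", verify_checksum=True)
    sensor_view = reassemble(segments, sensor_policy, sensor_verifies)
    return sensor_view == endpoint_view

if __name__ == "__main__":
    request = b"GET /index.html HTTP/1.0\r\n"          # constructed payload
    traffic = interleaved_decoys(request)
    print(reassemble(traffic, "favor_new", verify_checksum=True))   # host's view
    print(reassemble(traffic, "favor_new", verify_checksum=False))  # careless sensor
    overlap = [Segment(0, b"AB"), Segment(1, b"XC")]               # 2-byte overlap
    print(reassemble(overlap, "favor_old"), reassemble(overlap, "favor_new"))
```

Run as written, the careless sensor (no checksum check, newest segment wins) reconstructs a line of filler bytes while the host sees the request, and the two-byte overlap resolves to "ABC" or "AXC" depending purely on policy; that is why the text above requires all reassembly options to be enabled by default, and why a sensor should check checksums and apply the target's overlap policy rather than its own default.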
4.4.3 HTTP Obfuscation
Web browsers request content from servers over HTTP using the ASCII character set. HTTP (percent) encoding replaces
unsafe or non-ASCII characters with a "%" followed by two hexadecimal digits. Web servers and clients understand
how to decode requests and responses. However, this mechanism can be abused to circumvent protection that is
looking to match specific strings of characters.
Chunked encoding allows the server to break a document into smaller chunks and transmit them individually. The
server needs only to specify the size of each chunk before it is transmitted and then indicate when the last chunk
has been transmitted. Since chunked encoding intersperses arbitrary numbers (chunk sizes) with the elements of
the original document, it can be used to greatly change the appearance of the content as observed "on the wire"
during transmission. In addition, the server can choose to break the document into chunks at arbitrary points. This
makes it difficult to reliably identify the original HTML content from the raw data on the network.
Below is an example list of evasions that may be used. It is not a comprehensive list, but is intended to illustrate the
kinds of evasions CyberRatings will employ during testing. Vendors should provide protection against these evasions
and others like them. Providing protection for only these evasions but not others ("studying to pass the test") will
likely result in failure of CyberRatings evasion testing.
• Declared HTTP/0.9 response; but includes response headers; chunking declared but served without chunking
• HTTP/1.1 chunked response with chunk sizes preceded by multiple zeros (hex '30')
• HTTP/1.1 chunked response with chunk sizes followed by backspace (hex '08')
• HTTP/1.1 chunked response with chunk sizes followed by end of text (hex '03')
• HTTP/1.1 chunked response with chunk sizes followed by escape (hex '1b')
• HTTP/1.1 chunked response with chunk sizes followed by null (hex '00')
• HTTP/1.1 chunked response with chunk sizes followed by a space (hex '20') then a zero (hex '30')
• HTTP/1.1 chunked response with final chunk size of '00000000000000000000000000000000000000000000000000000000000000000000000000000000' (rather than '0')
• HTTP/1.1 response with line-folded Transfer-Encoding header declaring chunking ('Transfer-Encoding: ' followed by CRLF (hex '0d 0a') followed by 'chunked' followed by CRLF (hex '0d 0a')); served without chunking
• HTTP/1.1 response with Transfer-Encoding header declaring chunking with lots of whitespace ('Transfer-Encoding:' followed by 8000 spaces (hex '20' * 8000) followed by 'chunked' followed by CRLF (hex '0d 0a')); served chunked
• HTTP/1.0 response declaring chunking; served without chunking
• HTTP/1.0 response declaring chunking with invalid content-length header; served without chunking
• HTTP/1.1 response with "\tTransfer-Encoding: chunked"; served chunked
• HTTP/1.1 response with "\tTransfer-Encoding: chonked" after custom header line with "chunked" as value; served without chunking
• HTTP/1.1 response with header with no field name and colon+junk string; followed by '\tTransfer-Encoding: chunked' header; followed by custom header; served chunked
• HTTP/1.1 response with "\r\rTransfer-Encoding: chunked"; served chunked
• HTTP/1.1 response using single "\n" instead of "\r\n" as line endings; chunked
• HTTP/1.1 response with \r\n\r\n before first header; chunked
• HTTP/1.1 response with "SIP/2.0 200 OK\r\n" before status header; chunked
• HTTP/1.1 response with space+junk string followed by \r\n before first header; chunked
• HTTP/1.1 response with junk string before status header; chunked
• HTTP/1.1 response with header end \n\014\n\n; chunked
• HTTP/1.1 response with header end \r\n\016\r\n\r\n; chunked
• HTTP/1.1 response with header end \n\r\r\n; chunked
• HTTP/1.1 response with header end \n\017\018\n\n; chunked
• HTTP/1.1 response with header end \n\030\n\019\n\n; chunked
• HTTP/1.1 response with status code -203.030; with message-body; chunked
• HTTP/1.1 response with status code 402; with message-body; chunked
• HTTP/1.1 response with status code 403; with message-body; chunked
• HTTP/1.1 response with status code 406; with message-body; chunked
• HTTP/1.1 response with status code 505; with message-body; chunked
• HTTP/1.1 chunked response with no status indicated
• No status line; chunking indicated; served unchunked
• HTTP/1.1 response with invalid content-length header size declaration followed by space and null (hex '20 00')
• HTTP/1.01 declared; served chunked
• HTTP/01.1 declared; served chunked
• HTTP/2.B declared; served chunked
• HTTP/9.-1 declared; served chunked
• Double Transfer-Encoding: first empty; last chunked. Served with invalid content-length; not chunked.
• Relevant headers padded by preceding with hundreds of random custom headers
• HTTP/1.1 chunked response with chunk sizes followed by escape (hex '1b'); compressed with gzip
• HTTP/1.1 chunked response with chunk sizes followed by null (hex '00'); compressed with gzip
• HTTP/1.1 chunked response with chunk sizes followed by a space (hex '20') then a zero (hex '30'); compressed with gzip
• HTTP/1.1 chunked response with chunk sizes preceded by multiple zeros (hex '30'); compressed with deflate
• HTTP/1.1 chunked response with chunk sizes followed by backspace (hex '08'); compressed with deflate
• HTTP/1.1 chunked response with chunk sizes followed by end of text (hex '03'); compressed with deflate
• HTTP/1.1 chunked response with chunk sizes followed by escape (hex '1b'); compressed with deflate
• HTTP/1.1 chunked response with chunk sizes followed by null (hex '00'); compressed with deflate
• HTTP/1.1 chunked response with chunk sizes followed by a space (hex '20') then a zero (hex '30'); compressed with deflate
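The chunked-encoding description and the evasion list above all turn on the same defensive principle: an inspection engine must decode the response by the HTTP/1.1 grammar rather than by guessing what a lenient browser would tolerate. The following is an added example (not code from CyberRatings or from any tested product) of such a strict decoder. It parses the status line and header block, then decodes a chunked body, and reports a deviation instead of silently "repairing" it. The sample responses at the bottom are constructed for the example; the class and function names are the example's own.

```python
import re

# RFC 7230 grammar fragments used for the strict checks below.
_CHUNK_SIZE_LINE = re.compile(rb"\A([0-9A-Fa-f]{1,8})(;[^\r\n]*)?\Z")  # chunk-size [chunk-ext]
_TOKEN = re.compile(rb"\A[!#$%&'*+.^_`|~0-9A-Za-z-]+\Z")               # field-name (token)
_STATUS_LINE = re.compile(rb"\AHTTP/1\.[01] [1-5][0-9]{2}( [^\x00-\x1f\x7f]*)?\Z")


class HttpEvasion(ValueError):
    """The response deviates from the HTTP/1.1 grammar (a lenient client might still accept it)."""


def parse_headers(raw: bytes) -> dict:
    """Parse the status line and header block strictly.

    Rejects bare CR or LF line endings, obsolete line folding (a header line that
    starts with SP or HTAB), non-token field names, a repeated Transfer-Encoding or
    Content-Length, and the two framing headers appearing together.
    """
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HttpEvasion("header block not terminated by CRLF CRLF")
    stripped = head.replace(b"\r\n", b"")
    if b"\r" in stripped or b"\n" in stripped:
        raise HttpEvasion("bare CR or LF inside header block")
    lines = head.split(b"\r\n")
    if not _STATUS_LINE.match(lines[0]):
        raise HttpEvasion("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise HttpEvasion("obsolete line folding: %r" % line)
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            raise HttpEvasion("malformed header field: %r" % line)
        key = name.lower()
        if key in (b"transfer-encoding", b"content-length") and key in headers:
            raise HttpEvasion("repeated framing header: %r" % name)
        headers[key] = value.strip(b" \t")
    if b"transfer-encoding" in headers and b"content-length" in headers:
        raise HttpEvasion("Transfer-Encoding and Content-Length both present")
    return headers


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body, raising HttpEvasion on any departure from the grammar:
    non-hex bytes next to the size, an over-long size field, a missing CRLF,
    truncated chunk data, a malformed trailer, or data after the last chunk."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise HttpEvasion("chunk-size line not terminated by CRLF")
        line = body[pos:end]
        match = _CHUNK_SIZE_LINE.match(line)
        if match is None:
            raise HttpEvasion("malformed chunk-size line: %r" % line)
        size = int(match.group(1), 16)
        pos = end + 2
        if size == 0:
            break
        data = body[pos:pos + size]
        if len(data) != size:
            raise HttpEvasion("chunk data truncated")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise HttpEvasion("chunk data not followed by CRLF")
        out += data
        pos += size + 2
    # last-chunk: zero or more trailer fields, then an empty line, then nothing else.
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise HttpEvasion("trailer section not terminated")
        line = body[pos:end]
        pos = end + 2
        if line == b"":
            break
        name, colon, _ = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            raise HttpEvasion("malformed trailer field: %r" % line)
    if pos != len(body):
        raise HttpEvasion("data after last chunk")
    return bytes(out)


def inspect_response(raw: bytes):
    """Return ('ok', decoded_body) or ('evasion', reason) for one raw response."""
    try:
        headers = parse_headers(raw)
        body = raw.partition(b"\r\n\r\n")[2]
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body = decode_chunked(body)
        return ("ok", body)
    except HttpEvasion as exc:
        return ("evasion", str(exc))


if __name__ == "__main__":
    # Constructed samples: one well-formed response and a few of the shapes listed above.
    samples = {
        "well-formed": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",
        "null after size": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n4\x00\r\nWiki\r\n0\r\n\r\n",
        "tab before header": b"HTTP/1.1 200 OK\r\n\tTransfer-Encoding: chunked\r\n\r\n4\r\nWiki\r\n0\r\n\r\n",
        "HTTP/1.01": b"HTTP/1.01 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    }
    for label, raw in samples.items():
        print("%-18s -> %s" % (label, inspect_response(raw)))
```

The important design choice is that every check is a whitelist against the grammar, not a blacklist of known tricks: the 80-character final chunk size, the backspace/escape/null bytes after the size, the bare-LF line endings and the `\t`-prefixed header all fail the same few rules, which is what "protection against these evasions and others like them" requires in practice.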
5 Performance
This section measures the performance of a device using various traffic conditions that provide metrics for real-
world performance. Individual implementations will vary based on usage; however, these quantitative metrics
provide a gauge as to whether a particular device is appropriate for a given environment.
Test cases may be configured in either uni-directional or bi-directional mode as needed to represent enterprise use
cases for various applications.
This traffic does not attempt to simulate any form of real-world network condition. No TCP sessions are created
during this test, and the detection engine has very little to do. However, each vendor will be required to write a
signature to detect the test packets to ensure that they are being passed through the detection engine and not
"fast-tracked" from the inbound port to the outbound port.
This test aims to determine the raw packet processing capability of each inline port pair of the device as well as its
effectiveness at forwarding packets quickly to provide the highest level of network performance with the lowest
latency.
5.1.1 64 Byte Packets
Maximum 1,488,000 frames per second per Gigabit of traffic. This test determines a device's ability to process
packets from the wire under the most challenging packet processing conditions.
5.1.2 128 Byte Packets
Maximum 844,000 frames per second per Gigabit of traffic.
5.1.3 256 Byte Packets
Maximum 452,000 frames per second per Gigabit of traffic.
5.1.4 512 Byte Packets
Maximum 234,000 frames per second per Gigabit of traffic. This test provides a reasonable indication of a device's
ability to process packets from the wire on an "average" network.
5.1.5 1024 Byte Packets
Maximum 119,000 frames per second per Gigabit of traffic.
5.1.6 1514 Byte Packets
Maximum 81,000 frames per second per Gigabit of traffic. This test has been included to demonstrate how easy it is
to achieve good results using large packets. Readers should use caution when considering those test results that
quote only performance figures using similar packet sizes.
19
Enterprise Firewall v1.0
CyberRatings.org Test Methodology
5.2 Latency
The latency and user response time test goal is to determine the effect the device has on traffic passing through it
under various load conditions. Test traffic is passed across the infrastructure switches and through all inline port
pairs of the device simultaneously (the latency of the basic infrastructure is known and is constant throughout the
tests).
Packet loss and average latency (µs) are recorded for each packet size (64, 128, 256, 512, 1,024, and 1,514 bytes) at
a load level of 90% of the maximum throughput with zero packet loss, as previously determined in section 5.1.
5.2.1 64 Byte Frames
Maximum 1,488,000 frames per second per Gigabit of traffic.
5.2.2 128 Byte Frames
Maximum 844,000 frames per second per Gigabit of traffic.
5.2.3 256 Byte Packets
Maximum 452,000 frames per second per Gigabit of traffic.
5.2.4 512 Byte Packets
Maximum 234,000 frames per second per Gigabit of traffic.
5.2.5 1,024 Byte Packets
Maximum 119,000 frames per second per Gigabit of traffic.
5.2.6 1,514 Byte Packets
Maximum 81,000 frames per second per Gigabit of traffic.
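The per-size ceilings quoted in sections 5.1 and 5.2 are line-rate limits, and it helps a reader to see where they come from. The script below is an added example, not part of the CyberRatings methodology; it assumes the usual Ethernet per-frame overhead of 20 bytes (8-byte preamble and start-of-frame delimiter plus a 12-byte inter-frame gap), an assumption the document does not state but which reproduces its figures once they are truncated to the nearest thousand. It also computes the 90% offered load that section 5.2 takes from the zero-loss rate measured in 5.1. Function names are the example's own.

```python
# Ethernet overhead per frame on the wire, in bytes (assumption for this example;
# the methodology itself does not state how its ceilings were derived).
PREAMBLE_AND_SFD = 8
INTER_FRAME_GAP = 12
OVERHEAD_BYTES = PREAMBLE_AND_SFD + INTER_FRAME_GAP

# The frame sizes used throughout sections 5.1 and 5.2 (the 64-byte figure includes the FCS).
FRAME_SIZES = (64, 128, 256, 512, 1024, 1514)


def max_frames_per_second(frame_bytes: int, gbps: float = 1.0) -> int:
    """Theoretical line-rate frame limit for a given frame size and link speed."""
    bits_per_frame = (frame_bytes + OVERHEAD_BYTES) * 8
    return int(gbps * 1_000_000_000 // bits_per_frame)


def published_ceiling(frame_bytes: int) -> int:
    """The methodology quotes the limit truncated to the nearest thousand."""
    return max_frames_per_second(frame_bytes) // 1000 * 1000


def ceiling_table() -> dict:
    """Frame size -> quoted per-Gigabit ceiling, for all sizes in the test."""
    return {size: published_ceiling(size) for size in FRAME_SIZES}


def latency_test_load(frame_bytes: int, zero_loss_fps=None, fraction: float = 0.9) -> int:
    """Offered load for the section 5.2 latency run: 90% of the zero-loss rate
    found in section 5.1. If no measured rate is given, the line-rate ceiling is
    used as an upper bound."""
    base = zero_loss_fps if zero_loss_fps is not None else max_frames_per_second(frame_bytes)
    return int(base * fraction)


if __name__ == "__main__":
    for size in FRAME_SIZES:
        print("%5d-byte frames: %9d fps exact, quoted %9d, latency run at %9d fps"
              % (size, max_frames_per_second(size), published_ceiling(size), latency_test_load(size)))
```

The point worth taking from the numbers, and from section 5.1.6's warning, is how steeply the ceiling falls with frame size: a device that forwards 81,000 fps of 1,514-byte frames per Gigabit is doing roughly eighteen times less per-packet work than one handling 1,488,000 fps of 64-byte frames on the same link.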
The goal is to stress the inspection engine and determine how it handles high volumes of TCP connections per
second, application layer transactions per second, and concurrent open connections. All packets contain valid
payload and address data, and these tests provide an excellent representation of a live network at various
connection/transaction rates.
Note that in all tests, the following critical "breaking points" – where the final measurements are taken – are used:
• Excessive concurrent TCP connections – Latency within the firewall is causing an unacceptable increase in open
connections.
• Excessive concurrent HTTP connections – Latency within the firewall is causing excessive delays and increased
response time.
• Unsuccessful HTTP transactions – Normally, there should be zero unsuccessful transactions. Once these appear,
it is an indication that excessive latency within the firewall is causing connections to time out.
5.3.1 Theoretical Maximum Concurrent TCP Connections
This test is designed to determine the device's maximum concurrent TCP connections with no data passing across
the connections. This type of traffic would not typically be found on a normal network, but it provides the means to
determine the maximum possible concurrent connections.
An increasing number of Layer 4 TCP sessions are opened through the device. Each session is opened normally and
then held open for the test's duration as additional sessions are added up to the maximum possible. The load is
increased until no more connections can be established, and this number is recorded.
5.3.2 Maximum TCP Connections per Second
This test is designed to determine the maximum TCP connection rate of the device with one byte of data passing
across the connections. This type of traffic would not typically be found on a normal network, but it provides the
means to determine the maximum possible TCP connection rate.
An increasing number of new sessions are established through the device and ramped slowly to determine the exact
point of failure. Each session is opened normally, one byte of data is passed to the host, and then the session is
closed immediately. The load is increased until one or more of the breaking points defined earlier is reached.
5.3.3 Maximum HTTP Connections per Second
This test is designed to determine the maximum TCP connection rate of the device with a 1-byte HTTP response
size. The response size defines the number of bytes contained in the body, excluding any bytes associated with the
HTTP header. A 1-byte response size is designed to provide theoretical maximum HTTP connections per second rate.
Client and server are using HTTP 1.0 without keep-alive, and the client will open a TCP connection, send one HTTP
request, and close the connection. This ensures that all TCP connections are closed immediately upon the request
being satisfied; thus any concurrent TCP connections will be caused purely as a result of latency the device
introduces on the network. The load is increased until one or more of the breaking points defined earlier is reached.
5.3.4 Maximum HTTP Transactions per Second
This test is designed to determine the maximum HTTP transaction rate of the device with a 1-byte HTTP response
size. The object size defines the number of bytes contained in the body, excluding any bytes associated with the
HTTP header. A 1-byte response size is designed to provide a theoretical maximum connections per second rate.
Client and server are using HTTP 1.1 with persistence, and the client will open a TCP connection, send 10 HTTP
requests, and close the connection. This ensures that TCP connections remain open until all 10 HTTP transactions
are complete, thus eliminating the maximum connection per second rate as a bottleneck (one TCP connection = 10
HTTP transactions). The load is increased until one or more of the breaking points defined earlier is reached.
5.3.5 Maximum HTTP(S) Connections per Second
This test is designed to determine the maximum TCP connection rate of the device with a 1-byte HTTP response
size. This type of traffic would not typically be found on a normal network, but it provides the means to measure the
device's maximum possible SSL/TLS handshake rate.
An increasing number of new sessions are established through the device and ramped slowly to determine the exact
point of failure. Each session is opened normally, one byte of data is passed to the host, and then the session is
closed immediately. The load is increased until one or more of the breaking points defined earlier is reached.
Each transaction consists of a single HTTP GET request, and there are no transaction delays (i.e., the web server
responds immediately to all requests). All packets contain a valid payload (a mix of binary and ASCII objects) and
address data. This test provides an excellent representation of a live network (albeit one biased towards HTTP
traffic) at various network loads.
[Figure: Connections per Second and Megabits per Second plotted against HTTP response size; the data series recovered from the chart are:]
Response size: 44 KB 21 KB 10 KB 4.5 KB 1.7 KB
CPS: 2,500 5,000 10,000 20,000 40,000
Mbps: 1,000 1,000 1,000 1,000 1,000
each response size (44 KB, 21 KB, 10 KB, 4.5 KB, and 1.7 KB HTTP responses) at a load level of 90% of the maximum
throughput with zero packet loss as previously determined in section 5.4.
The same cipher selection methodology outlined in Section 3.2 will be used to determine testing targets under this
section. The top four ciphers as listed in Section 3.3.1:
each response size (44 KB, 21 KB, 10 KB, 4.5 KB, and 1.7 KB HTTP responses) at a load level of 90% of the maximum
throughput with zero packet loss previously determined in section 5.6.
A continuous stream of security policy violations mixed with legitimate traffic is transmitted through the device for
eight hours at a maximum of 100 Mbps, with no additional background traffic. This is not intended as a stress test in
terms of traffic load (covered in the previous section); it is merely a reliability test in terms of consistency of blocking
performance.
The device is expected to remain operational and stable throughout this test and to block 100% of recognizable
violations, raising an alert for each. If any recognizable policy violations are passed, caused by either the volume of
traffic or the device failing open for any reason, this will result in a FAIL.
The device is expected to remain operational and stable throughout this test and to pass most/all of the legitimate
traffic. If an excessive amount of legitimate traffic is blocked throughout this test, caused by either the volume of
traffic or by the device failing for any reason, this will result in a FAIL.
6.6 Backup/Restore
Backing up and restoring a device's configuration is a critical component of deploying any managed device within a
live network. It should be possible to export configurations and store them offline for backup purposes. Additionally,
it should be possible to completely reconfigure the device using the offline configuration file(s). This includes
restoring all policies and interface information in order to deploy a device.
7.1 Authentication
7.1.1 Role-Based Access Control (RBAC)
The system supports RBAC.
7.1.2 Authentication
Third-party authentication systems such as LDAP and Active Directory are supported.
7.2 Policy
7.2.1 Policy Definition
Define and save multiple security policies.
7.2.2 View Policy
When an alert is selected, the firewall provides the ability to access directly (single-click) and view the
policy and rule that triggered the event.
7.2.3 Policy Association
Once policies have been defined, it is possible to apply them to specific users and/or groups.
7.2.4 Policy Inheritance
The firewall allows (by default) the creation of groups and sub-groups such that sub-groups can inherit
certain aspects of configuration and policy definition from parent groups.
7.2.5 Policy Version and Checksums
By default, the firewall records the version and the hash of a policy (ensures policy is not tampered with by
3rd parties).
7.2.6 Bulk Operations
Ability to efficiently search for individual signatures or groups/classes of signatures, and subsequently to
apply one or more operations to an entire group in a single operation (for example, to enable or disable a
group of signatures, or to switch a group from block mode to log mode, etc.).
7.3 Logging
The use of standardized logging and reporting formats, which facilitate the fast and accurate consumption of
presented data, is imperative to enable administrators to assess conviction accuracy. The firewall offering should
allow easy generation and exportation of reports, logs, and/or alerts into one or more of these formats:
o CSV
o XML
o JSON
o Other formats may be acceptable; please coordinate with CyberRatings to ensure compatibility and
adequate capabilities.
The following will be evaluated for each firewall offering:
7.3.1 Malicious Traffic
Malicious traffic information from the firewall is logged and displayed centrally.
7.3.2 Administrator Login/Logout
Session login/logout is recorded in the logs.
7.3.3 Successful Authentication
Administrative authentication status is included in the logs.
7.3.4 Unsuccessful Authentication
An administrative authentication attempt is included in the logs.
7.3.5 Policy Change
Policy changes are included in the logs.
7.3.6 Policy Deployed
Policy deployment is included in the logs.
7.3.7 Hardware Failure
Detected hardware failures are included in the logs.
7.3.8 Power Cycle
Power cycles of the device are included in the logs.
7.3.9 Log Time Normalization
If multiple time zones exist with the system, logs from multiple sources are correlated using a common
time zone to assist in administrator readability and forensics.
7.3.10 Log File Maintenance
Provides log file maintenance options (automatic rotation of log files, archiving, etc.).
7.3.11 Forensic Analysis
The firewall can capture traffic for later review.
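Section 7.3 asks for exportable CSV/XML/JSON logs, and 7.3.9 asks that events from sources in different time zones be correlated on a common clock. The following added example (not code from CyberRatings or from any firewall product) shows why the second requirement matters: three constructed events, each stamped in its source's local zone, only form a sensible sequence once they are re-stamped in UTC. The source names, fixed offsets and event records are all constructed for the example; the CSV and JSON writers use only the Python standard library.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: each log source stamps events in its own local zone.
# Fixed offsets are an assumption of this example; a real deployment would take
# each source's zone from its configuration.
SOURCE_TZ = {
    "fw-austin": timezone(timedelta(hours=-6)),     # US Central standard time
    "fw-frankfurt": timezone(timedelta(hours=1)),   # Central European time
    "mgmt-console": timezone.utc,
}

# (source, local timestamp exactly as the source wrote it, event, user, detail)
RAW_EVENTS = [
    ("fw-frankfurt", "2021-02-05 16:15:09", "policy_change", "admin2", "rule 42 action set to block"),
    ("fw-austin", "2021-02-05 09:15:02", "auth_failure", "admin1", "bad password"),
    ("mgmt-console", "2021-02-05 15:14:55", "admin_login", "admin1", "session opened"),
]

FIELDS = ("time_utc", "source", "event", "user", "detail")


def normalize(events, source_tz=SOURCE_TZ):
    """Re-stamp every event in UTC and return the records in true chronological order."""
    stamped = []
    for source, local_ts, event, user, detail in events:
        naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
        utc = naive.replace(tzinfo=source_tz[source]).astimezone(timezone.utc)
        record = {
            "time_utc": utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "source": source,
            "event": event,
            "user": user,
            "detail": detail,
        }
        stamped.append((utc, record))
    stamped.sort(key=lambda item: item[0])
    return [record for _, record in stamped]


def to_csv(records) -> str:
    """Serialise normalised records as CSV with a header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def to_json(records) -> str:
    """Serialise normalised records as a JSON array."""
    return json.dumps(records, indent=2)


if __name__ == "__main__":
    timeline = normalize(RAW_EVENTS)
    print(to_csv(timeline))
    print(to_json(timeline))
```

Read in local time the events appear out of order (a policy change at 16:15, a failed login at 09:15, a console login at 15:14); in UTC they become a login, a failed authentication seven seconds later, and a policy change seven seconds after that, which is the sequence an administrator doing forensics actually needs to see.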
7.5 Reporting
The following will be evaluated for each firewall offering:
7.5.1 Custom Reports
The product includes a report generator providing the ability to construct complex data filters in a search
form and summarize alerts on the specified search criteria.
7.5.2 Saved Reports
A custom report filter is available and can be saved for subsequent use.
7.5.3 Report Automation
Support report scheduling and automated delivery mechanisms.
7.5.4 Centralized Reports
Capable of providing summary reporting on all alerts from a single, central management console.
7.5.5 Built-In Reports
Provide built-in reports covering typical requirements such as a list of top attacks, top source/destination IP
addresses, top targets, etc.
7.5.6 Industry Reporting Standards
Support for reporting format standards, for example, Syslog.
under compliance process controls for change management, onboard and off-board, segregation of duties, and
access control. For more information on access controls, see the section on Authentication.
7.6.1 Change Control Logging
Critical during audits of the system to track all details of a change. To score a "yes" in this section, the
firewall must demonstrate that the system contains the user name, date, and time of the changes, as well
as details of the change.
7.6.2 Roll-Back
Roll-back is dependent on maintaining a history of revisions and must allow an administrator to select a
prior security policy and restore it to current operation. To score a "yes" in this section, the firewall must
demonstrate that revisions are automatically saved and that any prior rule/policy can be restored.
7.6.3 Revision History
Revision history is required during any audit, and the data is necessary for the prior two features to work.
To earn a "yes" in this section, systems must perform an automatic backup of the policy/rule set upon a
change and provide the ability to generate an automated differential report between any two revisions.
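Sections 7.2.5 and 7.6.1 to 7.6.3 together describe one mechanism: an append-only revision history in which every policy version carries a hash, the user and time of the change, and enough data to diff or restore any earlier version. The class below is an added example of that mechanism (not code from CyberRatings or from any firewall's management system); the rule syntax in the constructed sample and all method names are the example's own, and SHA-256 is used for the policy checksum.

```python
import difflib
import hashlib
from datetime import datetime, timezone


class PolicyStore:
    """Append-only revision history for a firewall rule set.

    Every commit records who changed the policy and when (change control logging),
    a SHA-256 over the canonical rule text so later tampering is detectable (policy
    version and checksum), and keeps all prior revisions so any two can be diffed
    and any one restored (revision history and roll-back).
    """

    def __init__(self):
        self.revisions = []

    @staticmethod
    def digest(rules) -> str:
        canonical = "\n".join(rules) + "\n"
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def commit(self, rules, user: str, when=None) -> dict:
        """Store a new revision; the rule list is copied so callers cannot alter it later."""
        when = when or datetime.now(timezone.utc)
        rev = {
            "version": len(self.revisions) + 1,
            "sha256": self.digest(rules),
            "user": user,
            "time": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "rules": list(rules),
        }
        self.revisions.append(rev)
        return rev

    def get(self, version: int) -> dict:
        return self.revisions[version - 1]

    def verify(self, version: int) -> bool:
        """True if the stored rules still hash to the checksum recorded at commit time."""
        rev = self.get(version)
        return self.digest(rev["rules"]) == rev["sha256"]

    def diff(self, old_version: int, new_version: int) -> str:
        """Differential report between any two revisions, in unified diff form."""
        old, new = self.get(old_version), self.get(new_version)
        lines = difflib.unified_diff(
            old["rules"], new["rules"],
            fromfile="policy v%d" % old["version"], tofile="policy v%d" % new["version"],
            lineterm="")
        return "\n".join(lines)

    def rollback(self, version: int, user: str, when=None) -> dict:
        """Restore an earlier revision as a *new* commit, so the history itself is never rewritten."""
        return self.commit(self.get(version)["rules"], user, when)


if __name__ == "__main__":
    # Constructed sample: two edits, a roll-back, and a tamper check.
    store = PolicyStore()
    store.commit(["allow tcp any -> dmz 443", "deny any"], "admin1")
    store.commit(["allow tcp any -> dmz 443", "allow tcp any -> dmz 22", "deny any"], "admin2")
    print(store.diff(1, 2))
    restored = store.rollback(1, "admin1")
    print("v%d restored from v1, checksum matches: %s" % (restored["version"], store.verify(restored["version"])))
```

Rolling back by committing a copy of the old rules, rather than deleting the newer revisions, is what keeps the audit trail complete: the change log shows both the change and its reversal, each with its own user, time and checksum.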
• Product Maintenance – The fees paid to the vendor, including software and hardware support, maintenance,
and other updates.
• Installation – The time required to take the device out of the box, configure it, put it into the network, apply
updates and patches, and set up desired logging and reporting.
• Upkeep – The time required to apply periodic updates and patches from vendors, including hardware, software,
and other updates.
Contact Information
CyberRatings.org
2303 Ranch Road 620 South
Suite 160, #501
Austin, TX 78734
info@cyberratings.org
www.cyberratings.org
© 2021 CyberRatings.org. All rights reserved. No part of this publication may be reproduced, copied/scanned, stored on a
retrieval system, emailed or otherwise disseminated or transmitted without the express written consent of CyberRatings.org.
(“us” or “we”).
1. The information in this report is subject to change by us without notice, and we disclaim any obligation to update it.
2. The information in this report is believed by us to be accurate and reliable at the time of publication, but is not guaranteed.
All use of and reliance on this report are at your sole risk. We are not liable or responsible for any damages, losses, or
expenses of any nature whatsoever arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY US. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, ARE HEREBY DISCLAIMED AND
EXCLUDED BY US. IN NO EVENT SHALL WE BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY,
OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF
ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or
software) tested or the hardware and/or software used in testing the products. The testing does not guarantee that there are
no errors or defects in the products or that the products will meet your expectations, requirements, needs, or specifications,
or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations
mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of
their respective owners.