Cloud Network Firewall Effectiveness: A Breakdown by CyberRatings.org

By Greg Tavarez, TMCnet Editor  |  April 08, 2024

Firewalls have traditionally served as the first line of defense in safeguarding computer networks. The name speaks for itself - walls of digital fire. These security tools are gatekeepers; they filter incoming and outgoing traffic based on predefined rules.

But, as cloud adoption has accelerated, a new breed of firewalls has emerged: Cloud Network Firewalls, or CNFWs.

CNFWs offer a critical layer of security by controlling traffic flow between an organization's cloud resources and the broader internet. That said, with a multitude of CNFW vendors vying for market share, how can businesses make informed decisions about which solution best suits their needs?

Independent cybersecurity product evaluation organizations play a crucial role in assisting businesses with this selection process. One such organization, CyberRatings.org, recently released the results of a comprehensive analysis of 11 CNFW vendors. The report, titled "Cloud Network Firewall Effectiveness Report," assessed the ability of these firewalls to safeguard against cyber threats and evaluated their overall value proposition.

The 11 products tested were AWS Network Firewall, Barracuda CloudGen Firewall, Check Point Cloud Guard, Cisco Secure Firewall Threat Defense Virtual, Forcepoint NGFW, Fortinet FortiGate-VM, Juniper Networks vSRX, Palo Alto Networks VM-Series Next-Generation Firewall with Advanced Threat Protection, Sophos Firewall, Versa Networks NGFW and WatchGuard Firebox Cloud.

Before we get into the results, let’s break down how the report assessed these firewall vendors.

The evaluation scrutinized how each firewall handled essential security protocols such as Transport Layer Security/Secure Sockets Layer 1.2 and 1.3 cipher suites, their effectiveness in blocking 984 known exploits and their ability to prevent 1,645 potential evasion techniques. All testing was conducted on the AWS public cloud platform under simulated real-world network traffic conditions, encompassing unencrypted (HTTP) and encrypted (HTTPS) data streams.

CyberRatings placed particular emphasis on a product's ability to maintain stability under pressure. This ensures that firewalls can effectively function even during periods of heavy network activity or cyber attacks.

The Value score considered the total cost per protected Mbps to determine the product's economic viability. Products were then positioned on a Security Value Map based on the combined results of these two evaluations.

Six of the eleven evaluated products received a "Recommended" rating, achieving Security Effectiveness scores between 99.70% and a perfect 100%. They are Check Point Cloud Guard, Forcepoint NGFW, Fortinet FortiGate-VM, Juniper Networks vSRX, Palo Alto Networks VM-Series Next-Generation Firewall with Advanced Threat Protection and Versa Networks NGFW.

These top performers effectively prevented a vast majority of threats while demonstrating competitive pricing models.

One product, WatchGuard Firebox Cloud, was categorized as "Neutral" with a Security Effectiveness score of 48.44%.

The remaining four vendors received a "Caution" rating, with scores ranging from 5.39% to 48.37%. These products exhibited varying degrees of vulnerability to cyber attacks.

Although this was an assessment of only 11 vendors, the report reveals that there are CNFW vendors out there that do not enable certain firewall evasion protection measures by default. This oversight leaves customers exposed to security risks.

The report also highlights the importance of encryption in modern network traffic, with roughly 80% of web traffic being encrypted. The top four TLS/SSL cipher suites account for over 95% of HTTPS traffic. However, some firewalls were not configured to decrypt traffic by default, potentially rendering them blind to attacks delivered via HTTPS. Additionally, performance can be impacted when TLS/SSL is enabled.

“All of the products chosen were market leaders and the range of scores clearly shows that building a product for the cloud is different than building a product on an appliance where you control the environment,” said Vikram Phatak, CEO of CyberRatings.org. “We recommend that enterprises check with their service providers or IT teams to see which cloud firewall products are currently deployed in their networks.”

Besides checking what products are deployed in their networks, CyberRatings also recommends that enterprises maintain consistent monitoring of their CNFWs' security and performance capabilities. Regular updates are essential to address evolving threats and vulnerabilities within the dynamic cloud environment.




Edited by Alex Passett