Palo Alto Networks unexpectedly gets low score on firewall test

By Jim Finkle

BOSTON (Reuters) - Palo Alto Networks Inc's flagship next-generation security firewall ranks as the least effective in a new test of such equipment by NSS Labs, results that surprised some analysts because the product is widely considered an industry leader.

NSS, which reviews technology products for Fortune 500 companies, gave Palo Alto's firewall a "caution" rating in a survey released to clients Tuesday. It had rated the product "recommended" in its last survey, released in February 2013.

NSS recommended rival firewalls from Check Point Software Technologies Ltd, Cisco Systems Inc, Dell Inc, Fortinet Inc, Intel Corp's McAfee division and WatchGuard.

A Palo Alto Networks representative declined comment.

NSS Chief Executive Officer Vikram Phatak said that Palo Alto had issued two major revisions to its firewall operating system since the last test. "They broke something in the process," he said.

NSS marked down Palo Alto heavily for failing key tests that determine how easily hackers could evade a firewall's security, Phatak said. "They have a fundamental problem in how they are handling TCP/IP traffic, which is the foundation of the Internet," he said.

Greg Young, an analyst with Gartner, which closely follows the next-generation firewall market, said he was surprised by the results. "Generally NSS stuff has been pretty good, but I need more information to help me understand this one," he said. "I have a lot of questions about the placement. They are really sort of divergent from where we placed the products."

The findings come in the wake of a controversial report released by NSS in April that said FireEye Inc's breach detection system did not work as well as products from rivals including Cisco and Trend Micro. FireEye disputed those claims, but shares in the company, which went public in one of last year's hottest IPOs, dropped significantly in the weeks after the report's publication.
Securosis analyst Mike Rothman, who advises businesses in selecting firewalls, said that buyers often review NSS surveys when picking products. Yet he said laboratory tests may not be as relevant as they used to be because security has become extremely complex, making it difficult for a test like the one released this week by NSS to be a good indicator of how a product will work for any particular company.

"As security has gotten a lot more complicated, it is not as easy to set up a generic test bed and have the results replicated in the real world," he said.

Rothman said that businesses need to come up with a "short list" of several products that look like they will meet their needs, and then ask the manufacturers to lend them the equipment for a trial. "You've got to test them out in your environment," he said.

NSS also gave "neutral" ratings to firewall models from Barracuda Networks Inc, Cisco and Sophos Cyberoam.

(Reporting by Jim Finkle; Editing by Richard Chang and Lisa Shumaker)