Next-Generation Firewall (NGFW) Testing for Gen 6 and Gen 7 Devices

Authors

  • John Komarthi, San Jose, CA (Author)

DOI:

https://doi.org/10.63282/3050-9262.IJAIDSML-V7I2P108

Keywords:

Next-Generation Firewall, RFC 9411, QUIC, NGFW Benchmarking, Encrypted ClientHello, TLS Inspection, DPI, Application Identification, HTTP/3, Reproducibility, Evasion Resistance

Abstract

Next-generation firewalls (NGFWs) have to enforce security policies and detect threats within predominantly encrypted and application traffic while ensuring user performance at enterprise scale. This paper presents a rigorous, scalable, and standards-aligned methodology for testing “Gen 6” and “Gen 7” NGFW devices. Building on the IETF’s RFC 9411 benchmarking methodology for next-generation network security devices, it defines the test objectives, including traffic profiles, Key Performance Indicators (KPIs), testbed architecture, data collection methods, and the statistical treatments necessary to evaluate the factors. These factors include security effectiveness, connection scale, throughput, latency, and the cost of TLS/SSL inspection, along with Deep Packet Inspection (DPI) and the accuracy of application identification. The framework also assesses the robustness of the devices against evasion techniques. The paper includes a test matrix, sample reporting templates, and automation guidance to support results that can be reviewed.

References

[1] A. Morton et al., “Benchmarking Methodology for Network Security Devices,” RFC 9411, IETF, 2023.

[2] J. Iyengar and M. Thomson, “QUIC: A UDP-Based Multiplexed and Secure Transport,” RFC 9000, IETF, 2021.

[3] M. Thomson and S. Turner, “Using TLS to Secure QUIC,” RFC 9001, IETF, 2021.

[4] M. Bishop, “HTTP/3,” RFC 9114, IETF, 2022.

[5] D. Benjamin et al., “TLS Encrypted ClientHello,” RFC 9849, IETF, 2023.

[6] R. Mandeville, “Benchmarking Terminology for Firewall Performance,” RFC 2647, IETF, 1999.

[7] R. Mandeville and J. Perser, “Firewall Performance Benchmarking Methodology,” RFC 3511, IETF, 2003.

[8] National Institute of Standards and Technology (NIST), “Guidelines on Firewalls and Firewall Policy,” NIST Special Publication 800-41, 2009.

[9] University of New Hampshire InterOperability Laboratory (UNH-IOL), “NGFW Testing and Benchmarking Commentary,” 2022.

[10] SonicWall Inc., “NSv Series Documentation and Gen6/Gen7 Technical Specifications,” 2024.

[11] Google, “HTTPS Transparency Report,” https://transparencyreport.google.com/https, 2026.

[12] National Vulnerability Database (NVD), “CVE-2024-40766 and Related Entries,” https://nvd.nist.gov/, 2024.

[13] CISA, “Known Exploited Vulnerabilities Catalog,” https://www.cisa.gov/kev, 2025.

[14] ENISA, “Threat Landscape Report 2024,” European Union Agency for Cybersecurity, 2024.

[15] E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.3,” RFC 8446, IETF, 2018.

[16] X. Zhang et al., “Challenges in Application Identification and DPI Accuracy,” IEEE Security & Privacy, 2022.

[17] CCS 2025 Study, “Fingerprinting and Evasion of DPI Systems,” ACM CCS, 2025.

[18] National Vulnerability Database (NVD), “Common Vulnerabilities and Exposures Dataset,” 2024.

[19] J. Cohen, “Statistical Power Analysis for Behavioral Sciences,” 2nd ed., Lawrence Erlbaum, 1988.

[20] IEEE, “Precision Time Protocol (PTP) Standard,” IEEE 1588, 2019.

[21] D. Montgomery, “Design and Analysis of Experiments,” Wiley, 2017.

[22] NIST/SEMATECH, “e-Handbook of Statistical Methods,” https://www.itl.nist.gov/div898/handbook/, 2023.

[23] ISO, “ISO 5725-2: Accuracy (Trueness and Precision) of Measurement Methods and Results,” 1994.

[24] S. Bradner and J. McQuaid, “Benchmarking Methodology for Network Interconnect Devices,” RFC 2544, IETF, 1999.

Published

2026-04-15

Section

Articles

How to Cite

1. Komarthi J. Next-Generation Firewall (NGFW) Testing for Gen 6 and Gen 7 Devices. IJAIDSML [Internet]. 2026 Apr. 15 [cited 2026 Apr. 23];7(2):41-9. Available from: https://ijaidsml.org/index.php/ijaidsml/article/view/549