Firewall admins turning off security to boost performance
3 November 2014
A third of organisations are turning off some of their next-generation firewall’s (NGFW) security features to boost performance with the most commonly deactivated layer being intrusion prevention, a McAfee survey has discovered.
Of the 504 professionals asked, 32% admitted deactivating security filtering at some point, with IPS (31%), anti-spam (29%) and VPN (28%) the first to fall as part of what McAfee characterises as an “existential tug-of-war” between network users, who bug the company about performance, and security.
Rather surprisingly, 28% also admitted turning off anti-virus, and 23% application awareness (filtering for rogue applications). A smaller group had not turned off features so much as never turned them on in the first place, so worried were they that performance would take a hit.
Part of the problem of course is that firewalls have acquired so many security layers in recent times that the idea of turning them all on at once is almost counter-intuitive. This perception is essentially correct — turning on more security filters will impact performance in some way for older systems.
McAfee quotes research firm Miercom as estimating the hit at around 40%, which raises the question of whether the problem is with the customers or the firewalls themselves.
The firm’s answer is that not all NGFWs are the same and that its own Intel-based firewalls do not suffer from this issue as much as the competition. Unsurprisingly, McAfee advises that organisations buy a box that can handle performance without compromising security.
Having to choose one or the other is the high road to disaster.
“It is extremely concerning that companies believe they need to compromise their security in order to maintain high performance across the network,” said McAfee UK regional director, Ashish Patel.
“At McAfee we believe this is unacceptable. Enterprises should not be forced to choose between network performance and security.”
As it happens, McAfee recently overhauled its Next Generation Firewall to incorporate technology it brought on board with the purchase of Finnish firewalling firm Stonesoft in 2013. But it senses some market scepticism that more and more features have been added to firewalls as a competitive strategy as much as a security one.
Getting the performance and security argument to stick is critical for McAfee because it is the whole reason Intel bought it as a front for its venture into enterprise security. Intel supplies the horsepower in its processors and McAfee the security. It is supposed to be the firm’s strategic advantage over rivals, notwithstanding that Intel sells its technology to many of them too.
The recommendation is that CIOs stress test the next generation of systems to make sure they can keep up, and simply refuse to compromise. Conduct testing for throughput, scalability (clustering), intrusion prevention (deep packet inspection), protocol-specific benchmarking (HTTP throughput), and the ability to spot Advanced Evasion Techniques (AETs, detection of which itself requires performance headroom).
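As an added illustration of the protocol-specific benchmarking step (this is example code written for this page, not McAfee's or Miercom's test methodology), the following Python harness measures HTTP throughput with concurrent fetches and then expresses each feature set's throughput as a percentage hit against a baseline run, flagging any set that exceeds a chosen budget. Everything here is assumed: the script starts its own local HTTP server so it runs offline, the feature-set numbers in `sample` are constructed rather than measured, and the 40% budget is only a placeholder mirroring the figure quoted above. In a real stress test you would point `base_url` at a server behind the firewall and repeat the measurement once per configuration (all filters off, then IPS on, anti-virus on, and so on).

```python
"""Added example: HTTP-throughput comparison harness for firewall feature sets.
Hypothetical code for this page; not the vendor's tool. Runs offline against a
throwaway local HTTP server so the measurement path can be exercised end to end."""
import http.server
import socketserver
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor

PAYLOAD = b"x" * 64 * 1024  # constructed 64 KiB response body


class _Handler(http.server.BaseHTTPRequestHandler):
    """Serves the same fixed body for every GET so only transfer cost varies."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.end_headers()
        self.wfile.write(PAYLOAD)

    def log_message(self, *args):
        pass  # keep per-request logging out of the benchmark's stdout


def start_local_server():
    """Start a throwaway HTTP server on a free port; returns (server, base_url)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"http://{host}:{port}/"


def measure_http_throughput(base_url, requests=200, concurrency=8):
    """Fetch base_url `requests` times using `concurrency` workers.
    Returns the throughput of response bodies received, in Mbit/s."""

    def fetch(_):
        with urllib.request.urlopen(base_url, timeout=10) as resp:
            return len(resp.read())

    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        total_bytes = sum(pool.map(fetch, range(requests)))
    elapsed = time.perf_counter() - start
    return (total_bytes * 8) / elapsed / 1_000_000


def performance_hit_percent(baseline_mbps, filtered_mbps):
    """Throughput lost with a filter set enabled, as a percentage of baseline."""
    if baseline_mbps <= 0:
        raise ValueError("baseline throughput must be positive")
    return round((baseline_mbps - filtered_mbps) / baseline_mbps * 100, 1)


def evaluate_feature_sets(results, max_hit_percent=40.0):
    """results maps a feature-set name to measured Mbit/s; "baseline" is the
    all-filters-off run. Returns name -> (hit %, within budget?)."""
    baseline = results["baseline"]
    report = {}
    for name, mbps in results.items():
        if name == "baseline":
            continue
        hit = performance_hit_percent(baseline, mbps)
        report[name] = (hit, hit <= max_hit_percent)
    return report


if __name__ == "__main__":
    server, url = start_local_server()
    try:
        print(f"local loopback baseline: {measure_http_throughput(url):.1f} Mbit/s")
    finally:
        server.shutdown()
        server.server_close()
    # Constructed numbers standing in for one run per enabled feature set.
    sample = {"baseline": 1000.0, "ips": 620.0, "anti-virus": 540.0, "app-awareness": 810.0}
    for name, (hit, ok) in evaluate_feature_sets(sample).items():
        print(f"{name:14s} hit={hit:5.1f}%  {'within budget' if ok else 'EXCEEDS budget'}")
```

The loopback run only validates the harness itself; the number it prints says nothing about any firewall. The useful output is the per-feature-set table, which makes the trade-off the article describes explicit: rather than switching IPS off when users complain, you can show exactly how far each filter pushes throughput below the baseline and whether that is inside the budget agreed up front.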
John E Dunn, IDG News Service