Firewall admins turning off security to boost performance - bad move

Survey uncovers "existential tug-of-war".


A third of organizations are turning off some of their next-generation firewall's (NGFW) security features to boost performance, and the most commonly deactivated layer is intrusion prevention, a McAfee survey has discovered.

Of the 504 professionals asked, 32 percent admitted deactivating security filtering at some point, with IPS (31 percent), anti-spam (29 percent) and VPN (28 percent) the first to fall as part of what McAfee characterizes as an "existential tug-of-war" between network users - who bug the company about performance - and security.

Rather surprisingly, 28 percent also admitted turning off anti-virus, and 23 percent application awareness (filtering for rogue applications). A smaller group hadn't so much turned features off as never turned them on in the first place, so worried were they that performance would take a hit.

Part of the problem, of course, is that firewalls have acquired so many security layers in recent times that the idea of turning them all on at once is almost counter-intuitive. This perception is essentially correct - turning on more security filters will impact performance in some way on older systems.

McAfee quotes research from Miercom which puts the 'hit' at around 40 percent, which raises the question of whether the problem is with the customers or the firewalls themselves.

The firm's answer is that not all NGFWs are the same and that its own Intel-based firewalls don't suffer from this issue as much as the competition. Here comes the marketing - it wants people to buy a box that can handle performance WITHOUT compromising security.

Having to choose one or the other is the high road to disaster.

"It is extremely concerning that companies believe they need to compromise their security in order to maintain high performance across the network," said McAfee UK regional director, Ashish Patel.

"At McAfee we believe this is unacceptable. Enterprises should not be forced to choose between network performance and security."

As it happens, McAfee recently overhauled its Next Generation Firewall to incorporate technology it brought on board with the purchase of Finnish firewalling firm Stonesoft in 2013. But it senses some market skepticism that more and more features have been added to firewalls as a competitive strategy as much as a security one.

Getting the performance and security argument to stick is critical for McAfee because it is the whole reason Intel bought it as a front for its venture into enterprise security. Intel supplies the horsepower in its processors and McAfee the security. It is supposed to be the firm's strategic advantage over rivals, notwithstanding that Intel sells its silicon to many of them as well.

The recommendation is that CIOs stress test the next generation of systems to make sure they can keep up, and simply refuse to compromise. They should conduct testing for throughput, scalability (clustering), intrusion prevention (deep packet inspection), protocol-specific benchmarking (HTTP throughput), and the ability to spot Advanced Evasion Techniques (AETs, which require performance), McAfee said.

This story, "Firewall admins turning off security to boost performance - bad move" was originally published by
