LAS VEGAS – It happens every day in almost every work environment in the world: the IT trade-off of turning off advanced firewall protection to improve overall network performance.
According to a new study, called Network Performance and Security, released at the Focus 14 conference, more than one-third of the 504 IT professionals surveyed admitted to switching off firewall features or forgoing security functions at deployment because of pressure from users complaining that the network ran too slowly.
The most common firewall features to be disabled, according to the findings of the report commissioned by Intel Security, are deep packet inspection, anti-spam, anti-virus and VPN access. Some of these features detect malware and prevent intrusions by automatically blocking offending traffic before any damage occurs, so switching them off trades a measurable throughput gain for an unmeasured increase in risk.
Neil Campbell, group general manager of security for solution provider Dimension Data, said this situation is a melting pot of conflict that can get political and affect budgets. “The networking guys are all about availability and throughputs and the security guys are looked at as bumps in the road. It can get edgy in terms of getting the security in line,” Campbell said.
Market analyst Zeus Kerravala, founder of ZK Research, said he himself faced these trade-offs when he worked in network administration during his career. “I too would set the firewall and turn it off when it did not meet the performance mandates of the company.”
About 44 per cent of IT professionals agreed or strongly agreed that their organization must make trade-offs between network performance and security.
Kerravala said this issue should be about how much risk a company is willing to take on. “If you work in a bank, they want limited risk. No one wants to be the person with the slow network, but they also don’t want to be that person who was responsible for a breach,” he added.
Another factor is lack of knowledge. According to the new study, 42 per cent of organizations either knowingly or unknowingly turn off certain firewall functions. About 50 per cent answered “yes” or “did not know” when asked whether the organization had declined to enable certain firewall functions to avoid impacting network performance. Most companies tend to go with stock configurations. At the other end of the scale, larger organizations throw money at the Catch-22 by having dedicated security teams that weigh cost against performance, Kerravala said.
Campbell agreed, comparing next-generation firewalls to a Swiss Army knife. “They have scissors, but they are awful. It needs to get better,” he said.
“The temptation is to look at all the features. Tick off all those boxes and see if it’s right with my budget. What they should look at is: what is my risk level?”
Campbell, an Australian national, cited a home-grown example. The Australian Parliament thought it was under a denial-of-service attack, but found that the source was a website protesting a new building, which prompted a flood of emails that caused the outage. This prevented parliamentarians from communicating with their constituents. The problem was whether the IT department should shut it down, impeding the democratic process and potentially blocking free speech.
“That’s what they did and they got chastised for it, but the IT department should not have been put in that position to make this decision,” Campbell said.
Campbell suggested introducing a consumptive licensing model, in which a channel partner sells a chassis capable of delivering the networking and security performance and protection the customer will need over three years, but the customer pays only for what it needs in year one.
“Buying the box is not a massive cost when you compare it to the entire scale of the purchase, factoring in deployment costs and maintenance costs. A more interesting model is consumptive licensing because it allows you to pay for what you need now and enables you to grow, while reducing costs,” Campbell said.