An alarming number of organizations are disabling advanced firewall features in order to avoid significant network performance degradation, according to the Network Performance and Security report unveiled today by McAfee at the FOCUS 14 conference, which Help Net Security is also attending.
As part of the report, 504 IT professionals were surveyed, with 60 percent stating that the design of their company’s network was driven by security. However, more than one-third of respondents admitted to turning off firewall features or declining to enable certain security functions in an effort to increase the performance of their networks.
“It is unfortunate that turning off important firewall features because of network performance concerns has started to become common practice,” said Pat Calhoun, General Manager of Network Security at McAfee, part of Intel Security. “At McAfee we believe this is unacceptable. Companies simply should not have to make that kind of trade-off.”
According to the report, the most common features disabled by network administrators include deep packet inspection (DPI), anti-spam, anti-virus, and VPN access. DPI, the feature most frequently disabled, detects malicious activity within regular network traffic and prevents intrusions by blocking offending traffic automatically before any damage occurs. It is essential for robust threat defenses, and is a key component of next generation firewalls, which now represent 70 percent of all new firewall purchases.
“When I hear about people turning off security they paid for because of performance decreases — this upsets me so much,” said Ray Maurer, Chief Technology Officer at Perket Technologies. “I get a bad feeling knowing I had to remove security in the name of performance. I have a hard time sleeping because it is not a matter of if a network will be compromised, but when.”
Many organizations choose to turn off DPI because of the high demands it places on network resources, yielding upwards of a 40 percent degradation of throughput, according to third-party research firm Miercom. McAfee Next Generation Firewall, however, sustained one of the highest firewall throughputs in Miercom’s testing with DPI enabled.