Security Experts:

Balancing Risk and Performance: Managing Firewalls Shouldn't Push Risks to the Extreme

Some people make a living taking extreme risks. Big mountain skiers, red rock mountain bikers, free climbers, wing-suit flyers…the list goes on and on. The skill levels and creativity of today’s extreme athletes are truly remarkable. Margins of error are minuscule, and consequences can be dire.

A growing number of corporate IT and security personnel have something in common with extreme athletes: they take unnecessary security risks. A recently published report sheds some light on a common practice of corporate security and operations staff who attempt to squeeze a little more performance from networks while exposing their organizations to extreme risk.

In the survey of 504 IT professionals, 32 percent of respondents admitted to turning off firewall functions because they were impacting network performance, and another 10 percent of respondents didn’t know critical firewall features had been disabled. Some 39 percent of respondents don’t enable features from the start to avoid affecting network performance.

[Figure: Firewall Features vs. Performance]

Here’s the part that should get IT executives’ hearts pounding and palms sweating: Senior CIOs and CISOs rarely find out that their staff has compromised security by disabling firewall features until it’s too late.

Pulling Out All the Stops

Why is this happening? IT security and operations teams are not adrenaline junkies tempting fate. Without solid network performance, operations staff can’t deliver required application service levels to users and customers. And without a comprehensive security solution—which includes multiple security technologies working collaboratively—security teams have little chance of combating the Advanced Persistent Threats (APTs) that increasingly use Advanced Evasion Techniques (AETs). Given today’s budget limitations and resource constraints, some IT managers think they have no choice but to maintain performance at the expense of security by turning off the very firewall features that do the inspection work, such as deep packet inspection and application control, leaving a device that forwards packets quickly but looks at little more than ports and addresses.

The Irony of Compromise

This approach of disabling security features to gain performance is fraught with flaws. For starters, a faster but poorly secured network can actually accelerate the spread of an intrusion rather than contain it, so the performance gain is paid back with interest the moment an attacker gets in. And here’s the biggest irony of all: With next-generation firewalls (NGFWs) sized for the traffic they must inspect with every feature enabled, there’s no need to sacrifice security in favor of performance.

Four Tips to Minimize Risk and Avoid Compromise

Here’s my advice to any CSO or CISO who is facing the security vs. performance dilemma.

1) Go beyond high-level compliance reports

Are you aware of your actual risk profile and firewall security practices? Check-box compliance reports and high-level security briefings simply perpetuate problems, or worse, offer a false sense of security. Basic compliance does not equal security because having a firewall doesn’t mean having its critical features activated. Keep in mind, many of the companies that have been in recent headlines with a major security breach were reportedly compliant with the security mandates that applied to them. Ask your security team for details, and ask for evidence from the devices themselves rather than from a report: Which inspection features are enabled on each firewall today, and have any been disabled or never activated in favor of network performance?

2) Focus your staff on advanced persistent threats

Are your defenses adequate? Are you certain? Now is a good time to beef up investment in training to ensure everyone on the IT team understands advanced persistent threats, including advanced evasion techniques. This will help as you certify the adequacy of your defenses. In addition to improving security policy effectiveness, your staff can perform risk analysis and be in the best position to evaluate future technologies if needed.

3) Foster collaboration between operations and security teams

Few topics can start a finger-pointing frenzy faster than an application performance vs. network security discussion. The fact is, operations and security teams both have legitimate business needs. Slow application performance shouldn’t bleed employee productivity or strain customer relations. Likewise, security teams shouldn’t have to live on pins and needles hoping that cybercriminals don’t discover disabled firewall features. Let both teams know compromise isn’t necessary and start working on a mutually beneficial solution. These teams should work together to test and qualify potential high-performance security solutions.

4) Explore your options and timeframes for upgrading to high-performance, next-generation firewalls

If you are not currently using or evaluating performance-enhanced NGFWs, you should be. When you evaluate them, measure throughput with every inspection feature you intend to run turned on, under traffic that resembles your own, rather than relying on datasheet figures that are typically quoted with inspection disabled. As you build a business case for performance-enhanced NGFWs, consider the tangible benefits of risk mitigation, increases in IT staff and business productivity, and reduced infrastructure costs.

Pat Calhoun is Senior Vice President & General Manager, Network Security at McAfee and responsible for defining and executing the strategic direction for McAfee’s Network Security business. Calhoun leads the engineering, marketing, and sales functions that drive worldwide growth for this area of the business. Calhoun was most recently at Cisco where he led the Secure Network Services business unit. Also while at Cisco, he served as Chief Technology Officer for Wireless Networking and Access Network & Services. Prior to Cisco, Pat held various CTO and senior engineering roles at US Robotics, Sun Microsystems, and Airespace, where he was a co-founder before an acquisition by Cisco. Calhoun studied Computer Science at Algonquin College of Applied Arts and Technology.