
Balancing Risk and Performance: Managing Firewalls Shouldn’t Push Risks to the Extreme

Some people make a living taking extreme risks. Big mountain skiers, red rock mountain bikers, free climbers, wing-suit flyers…the list goes on and on. The skill levels and creativity of today’s extreme athletes are truly remarkable. Margins of error are minuscule, and consequences can be dire.

A growing number of corporate IT and security personnel have something in common with extreme athletes: they take unnecessary security risks. A recently published report sheds some light on a common practice of corporate security and operations staff who attempt to squeeze a little more performance from networks while exposing their organizations to extreme risk.

In the survey of 504 IT professionals, 32 percent of respondents admitted to turning off firewall functions because they were impacting network performance, and another 10 percent of respondents didn’t know critical firewall features had been disabled. Some 39 percent of respondents don’t enable features from the start to avoid affecting network performance.

Here’s the part that should get IT executives’ hearts pounding and palms sweating: Senior CIOs and CISOs rarely find out that their staff has compromised security by disabling firewall features until it’s too late.

Pulling Out All the Stops

Why is this happening? IT security and operations teams are not adrenaline junkies tempting fate. Without solid network performance, operations staff can’t deliver required application service levels to users and customers. And without a comprehensive security solution—which includes multiple security technologies working collaboratively—security teams have little chance of combating the Advanced Persistent Threats (APTs) that increasingly use Advanced Evasion Techniques (AETs). Given today’s budget limitations and resource constraints, some IT managers think they have no choice but to maintain performance at the expense of security by turning off key firewall security features such as Deep Packet Inspection and Application Control.

The Irony of Compromise

This approach of disabling security features to gain performance is fraught with flaws. For starters, a faster, poorly secured network can actually accelerate the spread of APTs, while building protection against threats can slow down networks. And here’s the biggest irony of all: With the right next-generation firewalls (NGFWs), there’s no need to sacrifice security in favor of performance.

Four Tips to Minimize Risk and Avoid Compromise

Here’s my advice to any CSO or CISO who is facing the security vs. performance dilemma.

1) Go beyond high-level compliance reports

Are you aware of your actual risk profile and firewall security practices? Check-box compliance reports and high-level security briefings simply perpetuate problems, or worse, offer a false sense of security. Basic compliance does not equal security because having a firewall doesn’t mean having its critical features activated. Keep in mind, almost every company that has been in recent headlines with a major security breach was compliant with security mandates. Ask your security team for details: Have security features been disabled or not activated in favor of network performance?

2) Focus your staff on advanced persistent threats

Are your defenses adequate? Are you certain? Now is a good time to beef up investment in training to ensure everyone on the IT team understands advanced persistent threats, including advanced evasion techniques. This will help as you certify the adequacy of your defenses. In addition to improving security policy effectiveness, your staff can perform risk analysis and be in the best position to evaluate future technologies if needed.

3) Foster collaboration between operations and security teams

Few topics can start a finger-pointing frenzy faster than an application performance vs. network security discussion. The fact is, operations and security teams both have legitimate business needs. Slow application performance shouldn’t bleed employee productivity or strain customer relations. Likewise, security teams shouldn’t have to live on pins and needles hoping that cybercriminals don’t discover disabled firewall features. Let both teams know compromise isn’t necessary and start working on a mutually beneficial solution. These teams should work together to test and qualify potential high-performance security solutions.

4) Explore your options and timeframes for upgrading to high-performance, next-generation firewalls

If you are not currently using or evaluating performance-enhanced NGFWs, you should be. There are many factors that can help you upgrade sooner rather than later. As you build a business case for performance-enhanced NGFWs, consider the tangible benefits of risk mitigation, increases in IT staff and business productivity, and reduced infrastructure costs.
