IT Admins Often Turn off DPI and Other Firewall Features

The stakes have never been higher for CIOs and CISOs who are charged with protecting their organizations' information assets. The combination of more elusive threats, overworked staff, risky operating procedures and legacy tools has become a significant risk factor for a major data breach. But research shows that IT administrators persist in disabling key firewall features in order to maintain network performance levels.

McAfee’s Network Performance & Security report on next-generation firewalls (NGFWs) shows that 60% of IT staffers said that the design of their company’s network was driven by security. However, more than one-third of respondents admitted to turning off firewall features or declining to enable certain security functions in an effort to increase the performance of their networks.

“Over the past 25 years, the network firewall has evolved from a relatively simple security appliance to assuming an extremely important role in enterprise cybercrime security,” the company said in its report. “There is a belief that enabling the advanced protections that firewalls now provide can adversely affect network performance and in response. This action creates a tug-of-war between security administration’s mandate to keep the business safe from intruders and network operation’s requirement to ensure employee and customer usability and productivity.”

According to the report, the most common features disabled by network administrators include deep packet inspection (DPI), anti-spam, anti-virus and VPN access.  DPI, the feature most frequently disabled, detects malicious activity within regular network traffic and prevents intrusions by blocking offending traffic automatically before any damage occurs. It is considered essential for robust in-depth threat defenses, and is a key component of next generation firewalls, which now represent 70% of all new firewall purchases, according to SANS Institute.

Many organizations choose to turn-off DPI because of the high demands it places on network resources. DPI yields upwards of a 40% degradation of throughput, according to third party research firm, Miercom, which added that there is an average of 75% or more performance degradation for DPI, anti-virus and application control when all are enabled. 

“When I hear about people turning off security they paid for because of performance decreases — this upsets me so much,” said Ray Maurer, CTO at Perket Technologies, as quoted in the report. “I get a bad feeling knowing I had to remove security in the name of performance. I have a hard time sleeping because it is not a matter of if a network will be compromised, but when.”

Not all security products result in degradation, however, and the report urges businesses to consider competing products for this metric. “It is unfortunate that turning off important firewall features because of network performance concerns has started to become common practice,” said Pat Calhoun, General Manager of Network Security at McAfee, in a statement. “At McAfee we believe this is unacceptable. Businesses shouldn’t have to make that trade-off.”

He added, “with the number of confirmed data breaches climbing more than 200% in 2014 over the previous year, it has never been more critical for organizations to embrace the advanced protections available to them with next-generation firewalls.”

What’s Hot on Infosecurity Magazine?