Operators disable firewall features to increase network performance, survey finds

McAfee released its “Network and Performance Security” report on Wednesday.

In a recent survey of 504 IT professionals, McAfee found that 60 percent prioritize security as the primary driver of network design – something the company did not find too surprising considering recent high-profile breaches.

In roughly a third of organizations surveyed, operators admitted that they attempt to increase network performance by routinely disabling firewall security features, the report indicates.

“The way that most firewalls [and next-generation firewalls (NGFW)] are designed, it forces the trade-off so this is not a negative reflection on the administrator,” Jennifer Geisler, senior director of network security, told in a Wednesday email correspondence.

With multiple selections permitted, 31 percent disabled deep packet inspection (DPI), 29 percent disabled anti-spam, and 27 percent disabled URL filtering. VPN, data filtering and anti-virus were disabled by 28 percent of respondents, and user visibility and application awareness were disabled by 23 percent of respondents.

Geisler said that a feature such as DPI would be turned off because it is very intensive, consumes a lot of processing power and causes performance problems, but added she is surprised it is number one because it is such a key security value of a NGFW.

Advanced threats put increasing pressure on the network, according to the report.

Citing separate McAfee findings, the report indicates that 40 percent of IT experts believe that advanced evasion techniques (AET) played a pivotal role in breaches that they experienced. Further, the report indicates that 61 percent of IT professionals felt protected against AETs, even though half of those defenses were determined by AET experts as being unable to detect AETs.

“[AETs] is a way for APTs to masquerade in order to bypass security devices,” Geisler said. “They take advantage of [the] way most firewalls/NGFWs are designed based on the way that these devices look at the flow. APTs now [have] another way of bypassing most security devices which just makes it easier for more APTs to sneak in. There are over 800M AETs.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.