The forgotten side of network security

With network security, thoughts quickly turn to hackers, viruses, Trojan horses, denial-of-service attacks and other perceived threats. However, after products are developed and deployed to minimize risk and vulnerability, we may find that we are our own worst enemy. Not because we left a gaping hole in our security defenses; quite the contrary. The products may be sound from a security perspective, but might fail to include provisions to preserve adequate business functionality.

With increasing volumes of business traffic traversing the Internet, implementing security at the edge of the corporate network is a given. But the too-often-assumed outcome is that our security package will address the vulnerability and leave all other features intact. The reality is that security touches almost every aspect of the business operation. Failing to account for the effect of security processes on business can result in unacceptable performance of networked applications, lead to scalability issues, and create impasses when implementing new technologies.

Consider line-of-business applications delivered using thin-client technology. With sufficient bandwidth and controlled latency, organizations can rely on the Internet to transport their server-based applications to remote offices and mobile workers. But it’s the Internet, so all we have to do is introduce firewalls to filter intrusion and VPNs to protect data, right? Unfortunately, doing so could easily bog down the performance of those applications to the point where user sessions frequently drop and task execution proceeds at a snail’s pace.

Recent testing conducted as part of Tolly Research’s ITclarity research program proves this point. Using security appliances designed to support thousands of simultaneous sessions and Fast Ethernet connections, we observed excessive increases in application response times. With 80 or fewer simultaneous thin-client sessions, basic firewall and VPN functions increased response times as much as threefold.

For end users, that means waiting for application menus to appear after each click and tolerating substantial delays between text entry and display. In general, response-time fall-off of that magnitude translates into reduced productivity and lower effectiveness.

Hand-in-hand with application performance is scalability. Enterprise security products designed for many users and line-rate performance at speeds greater than T-1 may live up to their billing when used predominantly for filtering Web traffic. But introduce time-sensitive IP telephony sessions, and the specs for delivering acceptable voice quality or even achieving call completion can change substantially.

The challenge for IT when considering enterprise network security is to maximize business features. This includes managing security risks and keeping in mind the impact on business operations. Successful network security architectures and policies will maintain adequate performance of networked applications, account for foreseeable scalability, and incorporate flexibility to integrate new applications.

Flood is senior vice president of Tolly Research. He can be reached at