Every department in an enterprise is under pressure these days to increase performance, which sometimes means taking shortcuts. But a new report from McAfee suggests that many IT departments are putting their organizations’ security at risk.
The report, issued Wednesday, found that more than one-third of the 504 IT pros surveyed admitted to turning off firewall features or refusing to enable certain security functions to increase network performance.
The most common features disabled by network administrators include deep packet inspection (DPI), anti-spam, anti-virus, and VPN access. DPI is the feature most frequently disabled, even though it blocks suspicious traffic automatically. However, DPI can put high demands on network resources.
“It is unfortunate that turning off important firewall features because of network performance concerns has started to become common practice,” Pat Calhoun, McAfee’s general manager of network security, said in a statement. “At McAfee we believe this is unacceptable. Companies simply should not have to make that kind of trade-off.”
However, a Canadian IT security consultant says this part of the report is old news. “They’re not telling us anything we don’t already know,” James Arlen, Hamilton, Ont.-based director of risk and advisory services at Leviathan Security Group, said in an interview.
“It’s taking a cheap way out of solving an actual problem. It fulfills the compliance requirements — ‘Yes we have a firewall’ — but it doesn’t fulfill the fiduciary duty checkbox that says … ‘and it’s configured correctly according to the manufacturers’ specifications and actually doing something about security.’”
The problem is network speeds need to increase, he said, and security vendors need to be more upfront about their products’ performance demands. “You need to be able to run at wire speed with all (defensive) features enabled. Most security product vendors give you a performance specification number that is based on a minimal rule set — not ‘We turned on everything.’”
Arlen dubs this “malicious compliance” — following the rules to the letter, and no more. The Payment Card Industry (PCI) rules that retailers have to follow to be able to process credit and debit cards are a typical problem, he said. The standard asks the organization to confirm it has a firewall, but not that it is patched.
Half the blame is on IT departments for turning features off, he said, but the other half is on vendors and security resellers who recommend hardware that is insufficiently powerful to handle the demands of security software.
“Unless we can change the checkbox-compliance culture, which is endemic across the industry and across all countries, we’re not going to see a material change.”