Feature Article

Balancing Security, Performance and Cost in the Real World

This article originally appeared in the Nov. 2011 issue of INTERNET TELEPHONY.

Service providers’ IT organizations are tasked with building infrastructure that can scale to meet growing network demands at a reasonable cost while ensuring fast and secure communications. Maintaining a high level of performance while applying stringent security technology has never been easy, and with the confluence of new multi-purpose security technologies such as unified threat management devices and next-generation firewalls and the changing profile of network traffic, budgeting for the correct amount of hardware is becoming a very difficult practice.

As a result of the evolving threat landscape and the ever-growing sophistication of attacks, security vendors have been busy creating better defenses that combine several protection technologies such as firewalls, intrusion prevention systems, application control and event behavioral analysis. The simple idea is that if these technologies can talk to each other intelligently, then there is a better chance of detecting and removing threats. Although the idea is sound, the reality is that when all these services are combined on a single device, two things start to happen: Performance degrades substantially due to the additional amount of required processing power; and due to the large number of application features that can be enabled or disabled – and the resulting changes in performance levels – performance budgeting becomes very difficult.

Because of performance degradation and budgeting issues, many service providers have simply turned off multiple security features to ensure reliable and predictable network performance. The result is reduced security efficacy and increased risk.

Another contributing factor to the problem is the changing profile of network traffic. Smart mobile devices have caused a tremendous increase in the amount of video and web-enabled HTTP traffic. This can shrink the average packet size down to 330 bytes, dramatically degrading network security device efficiency because many more inspections are necessary for the same amount of throughput. Interestingly, this can also impact latency, connection set-up rates and total application processing speed.

The bottom line is that all of these elements tax service providers’ ability to protect users and maintain high levels of service quality and performance.

Crossbeam (News - Alert) conducted a primary research study of large organizations in June 2011. Most respondents belonged to companies with $100 million-plus in revenues, and 40 percent came from $1 billion-plus revenue companies. Close to 500 companies took part in the survey, with 32 percent of the respondents coming from the telecommunications and service provider community.

The most striking statistic from the research was that 90 percent of the respondents had to make a trade-off between security and performance. Twenty-five percent of respondents from the telecommunications industry stated that they always had to make trade-offs. Eighty-one percent of the companies surveyed simply disabled certain security features to hit required performance levels, even though two-thirds of respondents from the telecommunications industry ranked security as their top priority.

The key problem highlighted by the survey is understanding how network security devices will perform in production environments. The due diligence necessary to provide this level of understanding is not only time consuming, it requires a specialized skill set that includes working knowledge of networking, security and performance measurement tools. The survey found that 43 percent of companies never performed any performance testing before going into production, and 50 percent of those who claimed to test their products in real-world conditions never enabled simple security functions such as intrusion prevention, which has become a mandatory technology for many telecommunications vendors.

A disconcerting part of the story is that the operators are still in catch-up mode, deploying two- to three-year-old technology that does not take advantage of the intelligence and functionality in newer-generation security products. Two-thirds of respondents were not enabling the web filtering, anti-malware, anti-virus, application control or user identity control that is required to protect against modern application-based attacks.

The speed vs. security challenge is particularly vexing to telecommunication providers. Because they have to meet strict security mandates, basic security applications – such as firewall, VPN and IDS – must remain enabled. Given the nature of their business, performance degradation is also unacceptable. The result is that service providers are forced to buy more and more equipment to compensate for unexpected performance degradation. Survey results showed that 70 percent of fixed operators and 83 percent of mobile operators had to purchase additional equipment after initial deployment, impacting capital and operational budgets. The engineering and planning teams have to re-architect their designs to add more equipment.

The following are recommendations for addressing the security-performance-cost challenge.

While service providers are leading the way in terms of expanding for evolved packet core and 4G-enabled, IP-only networks, there has been notable lack of foresight when it comes to network security. Many operators are still thinking short term. Twenty percent of the service provider survey respondents said that when evaluating network security equipment, they only looked 12 months out for anticipated performance needs, and 30 percent only looked one to two years ahead. If service providers evaluate and plan for network security with the same level of scrutiny they do other aspects of their business, many of these issues could be alleviated or better managed.

Data sheet facts and marketing hype have contributed to the overall lack of understanding of what’s required to achieve a high-performance security infrastructure. It’s not unusual these days to see a performance claim of 120gbps on a data sheet that, when tested under real-world conditions, achieves only 8gbps throughput performance levels. This is because network security vendors are still using archaic performance measurements such as large-packet UDP (News - Alert) forwarding without any firewall rules enabled. These bogus raw throughput numbers are meaningless when it comes to a live implementation.

The survey found that that 47 percent of fixed operators and 78 percent of mobile operators did not trust performance data from vendors, with 94 percent of all organizations finding data sheets extremely misleading. It is going to be important for every telecommunication company to hold vendors accountable to their claims and require real-world performance data metrics up front.

If security vendors cannot be fully trusted to provide accurate performance numbers, then it is up to IT security personnel to ensure the security products can deliver as promised and gain a more accurate understanding of what their networks really require. This would mean ensuring that the test environment:

* mimics the exact application mix and packet sizes of today’s data traffic;
* reflects the security coverage required, including the exact rules and security applications; and
* takes into account other network factors, such as protocol mix (i.e., IPv6 and IPv4), VLAN tagging and the amount of attack traffic.

Finally, since network infrastructure equipment depreciates over a period of time that is generally at least 36 months long, performance testing should take into account device scalability to support growth over this time period. With global IP traffic expected to increase fourfold over the next five years, four times the current throughput is a good starting point for minimum requirements.

If the required skill sets or resources are not available to test accurately the capabilities of high-performance security solutions, many specialist resellers and integrators have the capabilities and equipment necessary to create real-world test environments.

Network security is a highly unpredictable and changeable landscape, so it’s no wonder that we find trade-offs being made even within service provider environments, where IT organizations are among the most sophisticated and forward-thinking. The challenges inherent in trying to run a highly performance-sensitive business – in which there is exponential growth in the volume and variety of data traffic and security threats – are going to continue to plague IT organizations. However, there is an opportunity to ease these challenges, by breaking the industry’s complacency, demanding more and taking the steps to prove that you’re getting it.

Peter Doggart is the director of product marketing at Crossbeam (www.crossbeam.com).