Firewall Wizards mailing list archives
Re: performance vs. security (was Cisco PIX ...)
From: borkin () netquest com ((NetQuest) Borkin, Michael)
Date: Sun, 30 Aug 1998 00:35:53 -0400
Ryan Russell wrote:
[performance reasons snipped] If I may also make a sweeping statement: Performance isn't relevant to security applications. I.e. you can't say "it will hurt performance, so we'll leave out some security." If that were a consideration, we wouldn't use firewalls. Realistically, that means that if it's too slow we buy bigger boxes or suffer along at a slower pace.
Ryan, I couldn't disagree more firmly with your sweeping statement (although your explanation is close to what I will say, only from the other side of the argument). The level of security in a system has to be balanced with the performance level you need to operate. You want ultimate security, keep the computer locked in a vault and never turn it on. Anything less is a compromise for performance. The biggest key is deciding which security measures are truly needed and whether their performance costs are worth it.

You use firewalls as an example of why performance isn't a consideration; I turn it back to you. Is remote access to a network (whether dial-in or internet) an important enough application that it is worth the security costs? Obviously, since this is a discussion list about firewalls, the general consensus is yes. I use these examples b/c people will not argue about whether or not these things are a good idea, but whether they are even truly relevant (they probably aren't). I use them only to illustrate that the basic premise of your sweeping statement is false.

Security needs to be a balancing act between precautions against possible hazards and the ability of the users to make proper use of the system. Ease of use is of course the whole point of using computers in a networked environment in the first place. If it wasn't, then everything would still be done on standalones b/c the only security that you need to worry about is physical security. Therefore the debate has to begin at what are the reasonable security threats that must be guarded against no matter what it does to system performance. An example that I think we would all agree on is virus protection. This is such a critical security measure that it must happen in all circumstances. But, what about other security applications that aren't as critical?

It's easy to sit back and just say "security above all else." But is security against some speculated possible threat by someone who is malicious, knowledgeable, and has the right tools worth slowing your network to a crawl? In some cases it may be, but not in all. This is the balancing act that I am referring to. IMHO, each situation needs to be considered on a case-by-case basis. If a security application creates a performance hit that makes your network hard to work with, is the added security worth the costs for the organization? Lesser performance directly translates into lost productivity and employee frustration. It's easy to say, "just buy new computers." But, obviously, there are cost factors involved in that. Are these costs worth the added security? If the application adds a level of security that is important enough, then the costs are. But, not all security is worth these costs, and therefore performance does matter.

Mike Borkin
-----------------------------------------------------------------------------------------
Anything written above this line is to be taken as the personal opinion of the person who wrote it and should not be taken as the opinion or thoughts of any affiliated organization, family members, friends or acquaintances. In fact, nobody who has ever met him agrees with a damn thing he has said, I know, I've taken a poll. So don't go blaming us for the fact that he's a crackpot. We got nothing to do with it.