GUEST ESSAY: A Roadmap to Achieving a Better Balance Between Network Security and Performance

Here’s a frustrating reality about securing a corporate network: the closer you inspect network traffic, the more it degrades the user experience.


Slow down app performance a bit and you’ll have frustrated users. Slow down a lot, and most likely, whatever knob you just turned will quickly backfire, potentially leaving your business exposed.

It’s a delicate balance. But there is something you can do to improve: build this balance into your network testing and policy management.

Navigate Threats

Why do so many companies struggle to balance network security and user experience? Because recent trends are creating new challenges on both sides of the equation. Trends like:

• More distributed users and applications. Even before COVID, businesses were seeing a huge increase in the number of people working outside of the traditional corporate firewall. Today, users can work anywhere, access applications and data from any number of potentially vulnerable public and private clouds. This adds to a much larger potential attack surface.

• More dynamic environments. Security has always been a moving target, with new threat vectors constantly emerging. Today, however, the corporate network itself changes just as frequently. With software-defined networks, changing cloud infrastructures, and continuous integration/continuous delivery (CI/CD) pipelines, the network you have today could look very different tomorrow.

• Generalized encryption. Most applications and internet traffic are now encrypted by default, making it much more difficult to protect the network from malicious traffic. Inspecting encrypted traffic adds significant latency, sometimes cutting application performance in half. Unless your security controls perform much better than the ones you used before, your latency-sensitive applications can become effectively unusable.

These are big challenges, and most organizations are still looking for answers. For example, half of the enterprise firewalls capable of inspecting encrypted traffic do not have this feature enabled due to performance issues. You can preserve user quality of experience (QoE) this way, but you leave your business vulnerable.

A smarter approach

The constant back and forth between safety and performance is not an anomaly. It is inherent in network threat defense, and there’s no silver bullet to make the problem go away. But that doesn’t mean you can’t do anything about it. In fact, the smartest thing to do is simply recognize that this will always be an issue and adapt your change management processes accordingly. You do this via synthetic tests.

Using modern emulation assessment tools, you can deploy test agents at strategic points in your environment (within the on-premises network, in public and private clouds, at branch offices, and more) to simulate the network topology. You can then inject emulated traffic to test the performance limits of your network devices, web applications, and media services with all security controls enabled.

With this approach, you can establish a baseline for application performance on the network and ensure that users’ QoE remains good, even when network threat controls are fully enabled. You can identify the right mix and size of security solutions to deploy and verify that you are getting what you pay for. Then, and this is key, you can proactively check performance and security against the established baseline whenever something changes in the network.

Balancing security and QoE

This approach is already widely used by organizations that cannot tolerate performance issues, such as service providers and financial firms in areas such as high-speed trading. With the ever-growing cyber threats, encryption, and distributed users and applications, businesses across all industries should follow their lead.

If you’re ready to implement continuous testing, here are four principles to keep in mind:

• Look beyond vendor data sheets. Organizations often devote considerable effort to evaluating network security solutions before they are implemented, but surprisingly little to validating their performance once deployed. It’s a good way to be surprised. In too many cases, network and security organizations don’t even realize they have a performance problem until users start complaining.

• Emulate your unique environment. Even when the specifications reported by a security vendor reflect reality, they are based on ideal conditions, not your network. When designing your test scenarios, be sure to emulate the real production environment, with all applications and security controls configured as they will be for real users. You can then explore exactly what the throughput looks like, the latencies experienced by different network applications, and verify that you support your business practices.

• Think like an attacker. In this sense, to validate the effectiveness of security, be sure to test a realistic set of threat vectors against which you seek to protect. Keep in mind that attackers won’t just send basic threats; they will use evasions and obfuscations to try to hide what they are doing. Your network security simulations should do the same.

• Test and retest. The most important step you can take to balance network security and performance: adopt a posture of continuous assessment. Start by identifying your baseline: what the environment looks like when everything is working as it should, when the security controls important to your business are active, and when your users have a good quality of experience (QoE). Then test against that baseline whenever something changes.

Whether it’s a new network security solution, software upgrade, policy or configuration update, or any other change, you need to immediately measure the effects of that change on the user experience. Now you can identify problems immediately, before your users do. And, since you’re measuring performance from multiple points in your environment, you can quickly focus on the root cause.
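As an added illustration of the "baseline, then retest from multiple points" principle (example code written for this page, not the essay's or Spirent's own tooling), the Python below builds a per-agent baseline from controls-enabled synthetic runs and then flags two things after a change: a performance regression at a specific vantage point, and a run where a required control was turned off to recover performance. Agent names, application names and all figures are constructed.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Tuple

class Sample(NamedTuple):
    agent: str         # test-agent location (constructed: "hq", "branch-a", "cloud")
    app: str           # emulated application (constructed: "voip", "erp")
    latency_ms: float  # p95 latency observed by the agent
    mbps: float        # throughput observed by the agent
    controls_on: bool  # whether the required inspection controls were active

def build_baseline(runs: List[Sample]) -> Dict[Tuple[str, str], Tuple[float, float]]:
    """Median latency and throughput per (agent, app), using controls-on runs only."""
    lat, tput = defaultdict(list), defaultdict(list)
    for s in runs:
        if s.controls_on:
            lat[(s.agent, s.app)].append(s.latency_ms)
            tput[(s.agent, s.app)].append(s.mbps)
    return {k: (median(lat[k]), median(tput[k])) for k in lat}

def check_change(runs, base, max_latency_rise=0.25, max_tput_drop=0.20):
    """Compare post-change runs to the baseline; return findings sorted by agent."""
    findings = []
    for s in runs:
        key = (s.agent, s.app)
        if not s.controls_on:           # "fast" because inspection was bypassed
            findings.append((s.agent, s.app, "controls disabled"))
            continue
        if key not in base:
            findings.append((s.agent, s.app, "no baseline"))
            continue
        b_lat, b_tput = base[key]
        if s.latency_ms > b_lat * (1 + max_latency_rise):
            findings.append((s.agent, s.app, f"latency +{(s.latency_ms / b_lat - 1):.0%}"))
        if s.mbps < b_tput * (1 - max_tput_drop):
            findings.append((s.agent, s.app, f"throughput -{(1 - s.mbps / b_tput):.0%}"))
    return sorted(findings)

# Constructed measurements, not real data.
BASELINE_RUNS = [
    Sample("hq", "voip", 20.0, 95.0, True), Sample("hq", "voip", 22.0, 93.0, True),
    Sample("branch-a", "voip", 40.0, 48.0, True), Sample("branch-a", "voip", 42.0, 50.0, True),
    Sample("cloud", "erp", 60.0, 200.0, True), Sample("cloud", "erp", 64.0, 190.0, True),
]
AFTER_CHANGE_RUNS = [   # constructed: results after a policy update was pushed
    Sample("hq", "voip", 23.0, 94.0, True),        # within tolerance
    Sample("branch-a", "voip", 80.0, 49.0, True),  # latency roughly doubled at one site only
    Sample("cloud", "erp", 62.0, 30.0, False),     # controls switched off at this point
]

if __name__ == "__main__":
    for finding in check_change(AFTER_CHANGE_RUNS, build_baseline(BASELINE_RUNS)):
        print(*finding)
```

Because findings are keyed by agent, a regression that appears at only one vantage point narrows the root cause to that path rather than to the change as a whole.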

Taking these steps may not permanently solve the problem of balancing network security and performance. But you solved it for today and you have the tools and procedures in place to continue to solve it in the future.

About the essayist: Sashi Jeyaretnam is Senior Director of Product Management for Security Solutions, Spirent, a British multinational telecommunications testing company headquartered in Crawley, West Sussex, UK.

*** This is a syndicated Security Bloggers Network blog from The Last Watchdog written by bacohido. Read the original post at:
