Most of us are familiar with those popular Internet speed testing services out there. What these sites do is allow you to test your upload and download bandwidth, giving you an idea of the quality of your Internet connection. But are they really accurate if we are on a corporate network?

Unfortunately, they are often not accurate at all. There are many factors to consider, such as whether additional traffic is being generated to the Internet at the time of testing, the state of the computer being launched, the latency and fluctuation of the network delay, and perhaps most importantly the firewall or UTM in place and the layers of security we have in place at the moment. Often, the biggest drawback we have in getting real results is a detail that is often overlooked.

We agree that any scanning or filtering function in a Firewall/UTM will undoubtedly affect the performance of the network. Of all the security features available in a Firewall/UTM, the Intrusion Prevention System (IPS) is known to have the greatest impact on a network’s performance (throughput).

When a Netflix OOKLA Speedtest or (my favorite) is run under the conditions described below, the performance impact can be much greater than expected.


  1. We have IPS activated
  2. We use a high-speed network, such as an Internet connection via Fiber, Gigabit or Gigabit LAN
  3. One or more connections share the same source IP and destination IP (this point is very relevant in terms of IPS performance)

This is based on how the IPS process handles traffic and test constraints instead of effectively reflecting throughput.

The IPS scanning engine can initiate multiple processes in multiple CPU cores; however, only one process is used for each IP source and destination pair. As the speed of the connection increases, the demand for system resources also increases to process the increased packet flow.

By using a high-speed connection, there will come a point where the available network bandwidth is greater than the speed at which the IPS process can scan the traffic, which causes the CPU core to execute the process to reach 100%. There are no exact figures for this impact because it depends on the UTM model and what else the system is doing at that moment.

Whenever the new connections originate from a different source or are directed to a different destination, they will go through a new IPS process in a separate CPU core. This would allow, therefore, that a simultaneous connection only have its limited speed when its CPU core reaches 100% or when the available network bandwidth has become saturated.

In real terms, this means that the actual impact on network performance will not be as dramatic as the speed test results show, and end users will not notice any impact on network performance unless they transfer very big files. Yuuuge files.

To keep up with cyber-security issues, news highlights, and other stuff, join me on Twitter.

Wajdi A. Ayach

Author Wajdi A. Ayach

Changes are challenging, and cybersecurity is like a moving target that we have to mitigate through continuous adjustments.

More posts by Wajdi A. Ayach

Copyright 2017, TresW