How do Internet and Firewall work together to achieve both stability and security for your specific business needs?

Integrating Internet & Firewall: The Art of Balancing Stability and Security

The story of a logistics company in Ho Chi Minh City might surprise you. They had just invested nearly $8,000 in the most advanced firewall system on the market, with all cutting-edge security features enabled. The result? Just one week later, the Board of Directors asked the IT Manager to… turn off the entire firewall.

The reason was simple: Internet speeds dropped from 500Mbps to 150Mbps. The ERP system constantly timed out. Video meetings with European partners suffered severe lag. Technical staff complained they couldn’t download blueprints from the cloud. This company made a mistake that hundreds of others are also making: They misunderstood how Internet and Firewall need to work together.

The paradox every business must face

“The stronger the firewall, the slower the network” – Is this an immutable law? According to 2024 Gartner data, 73% of businesses configure their firewalls suboptimally, leading to two serious consequences: 40% experience unnecessary performance bottlenecks, while 28% expose critical security gaps. More worryingly, 32% of businesses suffer from both issues simultaneously. The reality shows that the problem isn’t about choosing an expensive or cheap firewall, nor is it about high or low Internet bandwidth. The issue lies in this: These two systems need to be integrated scientifically, based on deep understanding of actual business needs. This is exactly what BYN has accomplished for dozens of clients over the years.

Lessons from costly mistakes

Let’s look at the story of a garment export company with 200 employees. Initially, they tried to deploy the system themselves following advice from IT forums: Buy the best firewall, enable all security features, subscribe to the highest bandwidth Internet. Total investment reached $12,000.

But after a month of operation, they faced a painful reality. Video meetings with European customers – the company’s main revenue source – were constantly interrupted. Images lagged, audio broke up, sometimes losing connection entirely. Managers began complaining about their inability to work effectively. A few important clients even expressed dissatisfaction with the company’s “professionalism.”

When BYN was invited to consult, we only needed one week to discover the problem. Their firewall was decrypting all SSL/TLS traffic – including Zoom and Microsoft Teams traffic. This meant every video packet had to go through a complex processing procedure: decrypt, inspect, re-encrypt. The result was 25 milliseconds of added latency and jitter three times higher than acceptable levels. For video conferencing, this was a disaster.

Our solution wasn’t to disable the firewall or buy more expensive equipment. Instead, we created an intelligent “selective decryption” policy. Traffic to Zoom and Teams servers was clearly identified, then exempted from SSL decryption while still passing through other lighter security inspection layers. Simultaneously, we configured QoS to prioritize these video packets in the processing queue.

The results were remarkable. Call quality improved significantly, with no more lag or disconnections. But that wasn’t all. Blocking non-work-related applications such as online games and personal video streaming saved 30% of bandwidth. More importantly, the company’s security posture increased fourfold according to an independent audit, because the firewall could now focus its resources on thoroughly inspecting the truly dangerous traffic types.

Understanding data flows: The first step to success

One of the biggest mistakes businesses commonly make is treating all traffic the same. They think that just buying a powerful enough firewall and fast enough Internet is sufficient. Reality is completely different. Not all data passing through your network has the same level of importance, nor does it all need the same level of security.

Think of it like an airport. You can’t require everyone – from business class passengers, regular tourists, to airport staff – to all go through the exact same security screening process. Some people need to be prioritized to ensure they don’t miss their flights, while others can accept waiting a bit longer for more thorough inspection.

At BYN, we always begin each project with a “traffic profiling” phase lasting one to two weeks. This is not a step that can be skipped. We use professional tools like Wireshark, NetFlow, and integrated firewall analytics systems to collect detailed data about how the client’s network actually operates.

What are we looking for? We want to know exactly which applications are consuming what percentage of bandwidth, at what times of day, and most importantly – what is their business impact. A company might have 20 different applications running, but typically only 3-5 applications are so critical that if they encounter problems, the business must halt operations.

In the case of the garment export company we mentioned, analysis showed 60% of bandwidth was used for Zoom and Microsoft Teams – absolutely critical customer meeting tools. Another 25% went to cloud-based ERP for real-time inventory management. Only 10% was actually work-related web browsing, and notably, a full 5% of bandwidth was wasted on non-work activities like personal YouTube viewing.

With this information in hand, we could create an intelligent integration strategy. The most critical traffic needed the highest priority for both speed and reliability, and could receive lighter security inspection where heavier inspection would hurt its performance. Conversely, less important traffic could go through the strictest security inspection layers without worrying about a bit of latency.

“Right-sizing”: The art of choosing the right capacity

One of the questions BYN clients often ask is: “How many Gbps of firewall throughput do we need for a 500 Mbps Internet connection?” The answer isn’t simply “500 Mbps” or even “1 Gbps to be safe.” Reality is much more complex, and this is where hands-on experience makes the difference.

Let’s understand a truth that firewall manufacturers often don’t clearly state. When they advertise a device with “10 Gbps throughput,” that number is usually only accurate under the most ideal conditions – when the firewall only performs the most basic function of filtering packets by IP address and port. This is what we call “marketing throughput.”

But in reality, you don’t buy a firewall just to filter IPs and ports. You need it to detect and block malware, you need it to prevent intrusion attacks, you need it to control applications, and most importantly – you need it capable of inspecting SSL/TLS encrypted traffic. Each feature you enable will reduce actual throughput.

According to BYN’s experience after many years deploying hundreds of systems, here are the real numbers. When you enable IPS (Intrusion Prevention System), throughput decreases by about 30%. Add application control and you lose another 20%. But the most “killer” feature is SSL decryption – it can reduce throughput by 60% or even 70% depending on hardware. What does this mean? If you have a 500 Mbps Internet connection and need to run the firewall in full-featured NGFW mode, you can’t just buy a firewall with “500 Mbps” throughput. You need a device capable of handling at least 2 to 2.5 Gbps throughput in basic firewall mode. Only then, after enabling full features, can you maintain an actual 500 Mbps speed.
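The sizing rule above, as an added example that is not BYN’s own tool: a small calculator that turns the per-feature throughput penalties quoted in the post into the datasheet figure a device must carry. It assumes the reductions compound multiplicatively (each feature removes a fraction of what is left), which is this example’s model, not something the post states; plug in your own vendor’s numbers to re-run it.

```python
# Added example (not from the BYN post): a simple NGFW sizing calculator.
# Assumption: each enabled inspection feature removes a fixed fraction of
# the remaining throughput, and the reductions compound multiplicatively.
# The percentages below are the rule-of-thumb figures quoted in the post.

# Throughput reduction per feature, as a fraction of remaining capacity.
FEATURE_PENALTY = {
    "ips": 0.30,            # intrusion prevention
    "app_control": 0.20,    # application identification and control
    "ssl_decrypt": 0.60,    # SSL/TLS decryption, 60% to 70% depending on hardware
}


def residual_fraction(features, penalties=FEATURE_PENALTY):
    """Fraction of datasheet throughput left after enabling `features`."""
    remaining = 1.0
    for name in features:
        remaining *= 1.0 - penalties[name]
    return remaining


def effective_throughput(datasheet_mbps, features, penalties=FEATURE_PENALTY):
    """Real throughput of a device advertised at `datasheet_mbps` with `features` on."""
    return datasheet_mbps * residual_fraction(features, penalties)


def required_datasheet_throughput(link_mbps, features, penalties=FEATURE_PENALTY):
    """Minimum advertised throughput so a `link_mbps` WAN link stays saturable."""
    return link_mbps / residual_fraction(features, penalties)


if __name__ == "__main__":
    full_ngfw = ["ips", "app_control", "ssl_decrypt"]
    link = 500  # Mbps WAN link from the post's example
    print(f"residual capacity with full NGFW: {residual_fraction(full_ngfw):.1%}")
    print(f"a '500 Mbps' box delivers {effective_throughput(500, full_ngfw):.0f} Mbps")
    print(f"need at least {required_datasheet_throughput(link, full_ngfw):.0f} Mbps datasheet")
    worst = dict(FEATURE_PENALTY, ssl_decrypt=0.70)  # slower SSL hardware
    print(f"or {required_datasheet_throughput(link, full_ngfw, worst):.0f} Mbps if SSL costs 70%")
```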

Three integration models: From basic to enterprise

Through many years of experience, BYN has successfully deployed three main integration models, each suitable for a different group of businesses. Choosing the right model not only determines the level of stability and security but also directly affects investment budget.

The first model, which we call “Single Point Integration,” is really only suitable for very small businesses or unimportant branch offices. In this model, you have one Internet connection from a single provider, going into a single firewall, then distributing to the internal network. It’s simple, easy to manage, and most importantly, low cost.

But simple doesn’t mean good. We’re always honest with clients about the risks of this model. If the Internet connection encounters a problem – and trust me, this happens more often than you think – your entire company loses connectivity. If the firewall has a hardware failure, you also lose connectivity. No backup, no redundancy, nothing. Downtime can last several hours, even days if you’re unlucky.

The most advanced model BYN deploys for large enterprises is “Dual ISP with HA Firewall.” This is the solution for those who truly cannot accept any downtime. You not only have two firewalls but also two Internet connections from two different providers.

The power of this model lies in its ability to handle every scenario. Primary Internet connection fails? The system automatically switches to backup in 30-90 seconds. Primary firewall has issues? The second firewall takes over in 2-5 seconds. Even in the worst case – both primary Internet and primary firewall fail simultaneously – you still have backup Internet and backup firewall to maintain operations.

We calculated the reliability level of each model. With single point, you get about 99% uptime, equivalent to 87.6 hours of downtime per year. With HA firewall or dual ISP, this improves to 99.5%, or 43.8 hours downtime. But when you combine both – dual ISP and HA firewall – you achieve 99.997% uptime, only 2.6 hours of downtime in the entire year. This is the number that banks and financial institutions require.

Of course, this model requires higher investment. But think about it from a business perspective. If your company has $2 million in annual revenue, each hour of downtime means you lose about $230 in revenue, not to mention damage to reputation and customers. Just reducing downtime from 87 hours to 3 hours per year saves you nearly $20,000. Compared to the initial investment, this is an extremely worthwhile deal.
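The availability and downtime-cost reasoning of the last three paragraphs, as an added example that is not BYN’s own calculation: a series/parallel availability model for the three integration models. It assumes each ISP link and each firewall is independently available 99.5% of the time (the post gives no per-component figure); with that assumption the single-point and single-redundancy models land on the post’s 99% and 99.5%, and the fully redundant model lands near its 99.997%.

```python
# Added example (not from the BYN post): availability of the three
# integration models, plus the downtime cost the post derives from it.
# Assumption: each ISP link and each firewall is independently available
# 99.5% of the time; the post does not state per-component figures.

HOURS_PER_YEAR = 8760


def series(*availabilities):
    """Components that must all work (traffic traverses each in turn)."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def parallel(*availabilities):
    """Redundant components: the path is down only if every one is down."""
    down = 1.0
    for a in availabilities:
        down *= 1.0 - a
    return 1.0 - down


def model_availability(isp_count, firewall_count, isp=0.995, firewall=0.995):
    """Availability of an Internet path with n ISP links and m HA firewalls."""
    isp_path = parallel(*[isp] * isp_count)
    fw_path = parallel(*[firewall] * firewall_count)
    return series(isp_path, fw_path)


def downtime_hours(availability):
    return (1.0 - availability) * HOURS_PER_YEAR


def downtime_cost(availability, annual_revenue):
    """Lost revenue, assuming revenue is earned uniformly across the year."""
    return downtime_hours(availability) * annual_revenue / HOURS_PER_YEAR


if __name__ == "__main__":
    models = {
        "single point": (1, 1),
        "dual ISP, single firewall": (2, 1),
        "HA firewall, single ISP": (1, 2),
        "dual ISP + HA firewall": (2, 2),
    }
    for name, (isps, fws) in models.items():
        a = model_availability(isps, fws)
        print(f"{name:28s} {a:.4%}  {downtime_hours(a):6.1f} h/yr  "
              f"${downtime_cost(a, 2_000_000):,.0f} lost revenue")
```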

BYN offers FREE assessment of your Internet and Firewall systems. We will:

– Analyze actual traffic for 1 week

– Identify bottlenecks and security vulnerabilities

– Provide specific recommendations with clear ROI calculations

– No pressure sales – just honest consulting


Beyondnet Vietnam

Internet, Network, Security


About Beyondnet Vietnam

Beyondnet Vietnam was established in Korea in 2012 and began operating in Vietnam in 2017, with its main activities in networking, systems, security and IT outsourcing, helping Korean and global companies operate in Vietnam, Korea and elsewhere.
