Our experience is that everything contributes to performance, and applying something to the front end of the web server will definitely affect performance.
When you discount performance off-hand, I can only assume you do not operate a web server with thousands of concurrent users and millions of PVs a month.
Everything affects performance. Everything. Web operators talk performance. It is one of our favorite topics!
I think you may be arguing for the sake of argument. Just a simple Google search yields the article "4 reasons not to use mod_security", concluding:
Quote:
And they're built to scale, which means the scenario in which mod_security is used as a reverse proxy to protect all web servers from harm but quickly becomes a bottleneck and impediment to performance doesn't happen with purpose-built web application firewalls.
So, my impression is that you don't operate a web server with millions of PVs a month and thousands of concurrent users at peak, because even offloading tiny GIF and JPG icons, which seems trivial and small, can significantly reduce Apache2 workers and CPU load, etc.
Computing is all about performance optimization.
Having said that, we are considering mod_security for emergencies and temporary stop gaps until we can put a better performing solution in place in certain scenarios. It is certainly possible the performance hit will be small; but from what I have read about mod_security, and experiences here, it will certainly have an impact on performance.
---------- Post updated at 21:04 ---------- Previous update was at 20:56 ----------
Speaking of mod_security performance quotes, I think this quote from "Securing Apache Web Server with mod_security" in the Linux Gazette sums it up nicely:
Quote:
Performance and Deployment
Everything has a price and so does filtering HTTP requests. mod_security needs to hold the request in a buffer or has to store it to a temporary file. You have to take this into account. The parsing adds a little overhead in terms of CPU cycles to the web server as well. If you install the module on a server that already has performance issues things won't get better. That's what the reverse proxy method is for. Hard hit sites probably won't go anywhere without additional proxies.
---------- Post updated at 21:16 ---------- Previous update was at 21:04 ----------
I like parts of this quote from "Basics of mod_security":
Quote:
Mod_Security does come with a performance cost, however, the security benefits far outweigh the performance cost.
Regarding the second statement, that is really relative to the overall performance of the server. It is very easy for big servers with smallish loads to say "security over performance".
Editorial Comments:
If security was always preferable to performance, then F1 race cars would be built with heavier material.
There is no shortage of self-proclaimed security experts in the world who ignore performance, in my experience in IT security most of my career.
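As an added example, not taken from this thread or from any of the articles quoted in it: an Apache configuration for the "reverse proxy method" the Linux Gazette excerpt describes, with the ModSecurity 2.x request-buffering directives that decide whether a request is held in memory or spilled to a temporary file set explicitly, and static icons served from the proxy so the backend workers never see them. The hostnames, file paths and byte limits are assumptions chosen for illustration.

```apache
# Added example, not from the thread: a dedicated Apache reverse proxy running
# ModSecurity 2.x in front of the application servers, so the filtering cost
# lands on this box rather than on the backends. Hostnames, paths and limits
# are assumptions chosen for illustration.
LoadModule alias_module      modules/mod_alias.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule unique_id_module  modules/mod_unique_id.so
LoadModule security2_module  modules/mod_security2.so

<IfModule security2_module>
    # Start in DetectionOnly: rules are evaluated and logged but never block,
    # so the CPU and latency cost can be measured before anything is enforced.
    SecRuleEngine DetectionOnly

    # Request bodies are inspected. The "buffer or temporary file" trade-off
    # from the quote is governed by the three limits below (bytes):
    #   SecRequestBodyLimit          - bodies larger than this are rejected
    #   SecRequestBodyNoFilesLimit   - same, for bodies that carry no file upload
    #   SecRequestBodyInMemoryLimit  - bodies above this spill to SecTmpDir
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072

    # Response-body inspection buffers every reply as well; leave it off on a
    # busy front end unless a rule actually needs it.
    SecResponseBodyAccess Off

    # Spill files and persistent collections go to local disk.
    SecTmpDir  /var/cache/modsecurity/tmp
    SecDataDir /var/cache/modsecurity/data

    # Log only transactions that matched a rule, not every request.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log
</IfModule>

# Static assets are served straight from this proxy's disk, so the backend
# workers never handle the small GIF/JPG icons mentioned above.
Alias /static/ /var/www/static/
<Directory /var/www/static/>
    Require all granted
</Directory>
# The exclusion must precede the catch-all ProxyPass; they match in order.
ProxyPass /static/ !

# Everything else is forwarded to the application tier.
ProxyRequests Off
ProxyPreserveHost On
ProxyPass        / http://app-backend.internal:8080/
ProxyPassReverse / http://app-backend.internal:8080/
```

The reason for starting in DetectionOnly is to get a real before-and-after measurement: run the same load test against the proxy with SecRuleEngine Off and then DetectionOnly, compare requests per second and CPU on the proxy, and only then switch to On. Raising SecRequestBodyInMemoryLimit trades memory per worker for fewer temporary-file writes, which is the knob to look at first if the disk under SecTmpDir shows up as the bottleneck.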