Do firewalls and anti-virus software affect a server's performance?

Solution 1:

Forgoing software firewalls and anti-virus tools on a server for reasons of performance is like choosing to forgo a harness while racing in the Le Mans because it's scratchy. Your parents need to find a new IT outsourcing company. Quickly.

Yes, there are performance hits, but a properly sized server will be able to manage that performance degradation. The risks of not having proper security software are far, far worse than a sluggish server.

Solution 2:

Both affect performance. How much they do, versus how much load the server is under, is a balancing act.

ENCRYPTION - Something has to do encryption/decryption on the fly as you access files, save files, etc. That's generally done in software, though there are hard drives that do encryption as well. Since it generally IS software, there is some load on the server as it encrypts/decrypts files. Is that load significant? It can be. As with all things, it depends on how beefy the server is, what it's doing, etc. Would you see a noticeable performance hit in, say, an office of 15 people accessing Word documents off a fileshare? Presuming the server is fairly new, probably not. If you had 1500 people accessing the same server, you would likely see slowdown. So it's a tradeoff.

ANTIVIRUS - Generally with antivirus you see on-demand scans. That is, when a file is accessed, the AV program scans it to make sure it isn't infected. It will also generally run periodic scans of the OS, and will look at tasks being performed to make sure they don't match virus definitions. This, too, is a software process that takes system resources. Generally if you're running a Windows server, you want AV on it, case closed. Linux you can probably get away without running one - the way Linux is architected gives it pretty good resistance to viruses.

Without knowing the exact environment your parents are running on their server, it's hard to say what they should/shouldn't be doing. In general, though, if they're running Windows, and it can see the internet (or other machines on the network can), it should at least be running AV. Encryption may well be overkill. Most of my clients don't encrypt data, sensitive or no, preferring to rely on NTFS access controls, good firewalls, and AV. Your mileage may vary, though.

Solution 3:

Overhead of a firewall is generally pretty minimal, particularly on Linux-based systems. If you start doing really funky things, it may start to grow a bit, but it shouldn't get out of hand under normal circumstances.

AV scanning can add significant overhead, depending on the amount of traffic you get and the scanner being used. However, this is generally a good tradeoff on, for example, a mail server. Ditching virus-laden attachments before they make it to your users is worth a bit of extra processor usage. Likewise for a web server that allows user uploads.