Educause Security Discussion mailing list archives
Re: post firewall deployment ROI numbers
From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 12 Jun 2006 10:37:16 -0400
Tina Darmohray wrote:

> I'm looking for Return On Investment numbers from universities who have deployed firewalls. E.g., one university has shared that they reduced their incidents by > 90% by firewalling their campus. Another university reduced their incident response staffing from 1.25 FTE to 1 FTE [10K node network] through firewalling. Do you have similar numbers you'd be willing to share? I can summarize to the group, or if you'd prefer your numbers not be widely posted, let me know that too.
Hi,

I don't have any numbers for you, but when the MS03-026 exploits and Blaster came through, due to our network access controls, we didn't have any compromises or infections until late August when the students came back. This provided a few extra weeks of planning and response time.

I have a very general definition of "firewall" as anything that allows some sort of network access control at whatever layer using whatever method. We've considered the purchase of a box labeled by sales people as a "firewall" many times but backed off as we analyzed the functionality we desired and ways to implement it with existing capabilities.

Router ACLs combined with the deep inspection of an IDP reduce incidents regularly and limit the severity of others. Our IDP stops visits to malicious web sites daily which would often result in spyware/virus/BOT infections and which would be transparent to most boxes labeled as firewalls. It also regularly deflects inbound web attacks. It also helps detect and inhibit IRCBOT activity.

On a broader note, around the time of MS03-026, we implemented a default deny policy inbound to the student networks. A year later, to the IT desktop networks. And last November, to the entire campus. Anyone desiring to run a server has to request that ports be opened or use the VPN. I haven't tried to correlate these changes to drops in calls, but I have seen traffic bound for machines with open back doors, out-of-date software, and vulnerable configurations stopped many times. And before the cross-campus policy, I'd seen machines not covered compromised while machines with identical vulnerabilities that were covered went uncompromised. How much is that worth?

A couple of years ago, during a period of heavy Windows Messenger spam, reflexive UDP ACLs kept it from entering our network and provided some protection against high-port RPC attacks.
Last month we implemented the IOS FW on the border to avoid having to allow packets with source port 20 into campus, which bypassed our default deny rules. The IDPs are inspecting inbound traffic to identd to try to avoid rogue servers there.

Until last year, one technical security FTE handled campus security incident response, security monitoring, and security engineering. I don't think this would have been possible without network access controls. I would not be surprised at all about a 90% reduction in calls if a campus that is completely open converts to a more protective network access policy. And even if an FTE that may be gained by a reduction in incidents is lost to administration of network access controls, it would probably be preferable to spend labor and resources on protection rather than responding to compromised computers and data, with the associated implications for constituents and the organization. How much does one data disclosure notification cost?

Another type of network access control "firewall" to consider is a "Network Admittance Control" system such as the Cisco/Perfigo, StillSecure, and Netreg-based products. These enforce configuration management policies and provide some intrusion detection/prevention capabilities for clients as they connect to the network. Instead of attempting to firewall network access of direct threats, they primarily attempt to firewall network access of vulnerabilities, reducing risk by reducing a different variable of the risk equation. Expending labor and resources there would probably have positive incident reduction effects similar to border firewalls, though client variability in an unmanaged network would likely cause end user support costs and the number of headaches to be higher. Of course, a two-pronged approach, denying network access to both attacks and vulnerabilities, would be ideal.

-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
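Editor's note: the message above turns on two network access control details that are worth seeing concretely: a static "permit source port 20" exception that active-mode FTP forces into an inbound default-deny ACL (and which any attacker can satisfy by setting their source port to 20), and reflexive/stateful filtering that admits inbound traffic only as the reverse of a flow the border has already seen. The Python below is an added example by the editor, not code from Gary Flynn, JMU or Cisco. It simulates a stateless router ACL and a reflexive/stateful filter side by side against constructed packets; the addresses and ports are made up, and the FTP PORT-command pinhole is a deliberately simplified model of what stateful inspection does on the control channel.

```python
"""Stateless 'permit source port 20' vs. reflexive/stateful filtering.

Constructed simulation (added example, not code from the original post).
An inbound default-deny border policy is modelled two ways:
  * StatelessACL: static permits, like a plain router ACL. Active-mode FTP
    needs 'permit tcp any eq 20 any', which also admits any attacker packet
    that sets source port 20.
  * ReflexiveFilter: inbound packets are admitted only as the reverse of an
    outbound flow already seen, plus a pinhole learned by watching the FTP
    PORT command on the control channel (simplified model of reflexive ACLs
    / IOS FW inspection). All addresses and ports below are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool     # True = Internet -> campus
    payload: str = ""


class StatelessACL:
    def __init__(self, permits):
        # permits: (proto, required source port or None, required dest port or None)
        self.permits = permits

    def allows(self, pkt):
        if not pkt.inbound:
            return True  # outbound is unrestricted in this model
        return any(pkt.proto == proto
                   and (sport is None or pkt.sport == sport)
                   and (dport is None or pkt.dport == dport)
                   for proto, sport, dport in self.permits)


PORT_CMD = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class ReflexiveFilter:
    def __init__(self):
        self.expected = set()  # inbound 5-tuples we will accept

    def allows(self, pkt):
        if not pkt.inbound:
            # The reverse of every outbound flow becomes an allowed inbound tuple.
            self.expected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            # FTP control channel: PORT h1,h2,h3,h4,p1,p2 announces the client
            # address/port the server will connect to from its port 20. Open
            # exactly that pinhole instead of a blanket source-port-20 permit.
            if pkt.proto == "tcp" and pkt.dport == 21:
                m = PORT_CMD.search(pkt.payload)
                if m:
                    host = ".".join(m.group(i) for i in range(1, 5))
                    port = int(m.group(5)) * 256 + int(m.group(6))
                    self.expected.add(("tcp", pkt.dst, 20, host, port))
            return True
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.expected


def run_scenario():
    """Return {name: (stateless_allows, reflexive_allows)} for constructed packets."""
    client, server, attacker = "10.1.2.3", "198.51.100.7", "203.0.113.9"
    acl = StatelessACL([("tcp", 20, None),    # active FTP data: src port 20 to any
                        ("udp", 53, None)])   # DNS replies: src port 53 to any
    rf = ReflexiveFilter()

    # Legitimate active-mode FTP: client sends PORT 10,1,2,3,19,137 (port 5001).
    ftp_ctl = Packet("tcp", client, 40000, server, 21, False, "PORT 10,1,2,3,19,137\r\n")
    ftp_data = Packet("tcp", server, 20, client, 19 * 256 + 137, True)
    # Attacker sets source port 20 and aims at SMB on the same client.
    smb = Packet("tcp", attacker, 20, client, 445, True)
    # Unsolicited UDP to the Messenger service, spoofing source port 53.
    msgr = Packet("udp", attacker, 53, client, 1026, True)
    # Real DNS exchange: reply is the reverse of a query the client sent.
    dns_query = Packet("udp", client, 53000, "198.51.100.53", 53, False)
    dns_reply = Packet("udp", "198.51.100.53", 53, client, 53000, True)

    results = {}
    for name, pkt in [("ftp_ctl", ftp_ctl), ("ftp_data", ftp_data), ("smb_sport20", smb),
                      ("udp_msgr", msgr), ("dns_query", dns_query), ("dns_reply", dns_reply)]:
        results[name] = (acl.allows(pkt), rf.allows(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, reflexive) in run_scenario().items():
        print(f"{name:12s} stateless={stateless!s:5s} reflexive={reflexive}")
```

Both filters pass the legitimate FTP data connection and the DNS reply. Only the stateless ACL also passes the SMB probe with source port 20 and the spoofed source-port-53 UDP packet to 1026, which is the hole the message describes the IOS FW and reflexive UDP ACLs closing. The model ignores TCP flags, timeouts and PASV mode; a real stateful inspector also ages entries out and checks that the PORT target is the client that sent the command.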