Educause Security Discussion mailing list archives
ROI on stateful and deep-packet-inspection firewalls
From: Andrew Daviel <advax () TRIUMF CA>
Date: Tue, 31 Jan 2012 13:16:02 -0800
We are upgrading our core routers, and I've been wading through vendor bumf ...
It seems that routers generally support stateless firewalling (ingress/egress filters, port blocking) at full line rate as part of the default configuration.
Then you can layer stateful protocol-aware firewalling on top of that for more money, at reduced bandwidth. And then again, deep inspection, antivirus and app tracking for yet more money and yet less bandwidth.
I'm wondering what the ROI is for installing these products, apart from what the vendors tell us.
I'm a bit wary of sinking a lot of time and money into a digital Maginot Line, in an academic environment where we can't easily categorize network connections into good and bad. I'm more in favour of hardening sensitive assets close in.
What experience do others have of deploying firewall products like Cisco ASA 5000's or Juniper SRX? Do you see a big dropoff in downtime and trouble tickets, or extra work creating and tuning rules?
Do you have IPS or application filtering? (Seems like some of these products would let us do backstop asset hardening using VLANs - probably a good idea, even if we could not afford to filter all links at full rate.)
-- Andrew Daviel, TRIUMF, Canada
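The stateless-versus-stateful distinction the post describes, as an added illustration that is not part of the original message or any vendor's product: a line-rate ACL that admits inbound packets by TCP flags alone, beside a connection table that admits them only when an inside host opened the flow. Addresses, ports and packets are constructed samples; the `INSIDE` prefix, `Packet` class and `StatefulFirewall` are assumptions for the example.

```python
# Added example (not from the original post or any vendor): a stateless ACL
# and a stateful connection table judging the same constructed packets.
from dataclasses import dataclass

INSIDE = "192.0.2."   # constructed sample prefix for the campus network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool

def is_inbound(pkt: Packet) -> bool:
    return not pkt.src.startswith(INSIDE) and pkt.dst.startswith(INSIDE)

def stateless_allows(pkt: Packet) -> bool:
    """Line-rate ACL, akin to a classic 'established' keyword: permit inbound
    packets that carry ACK. It cannot tell whether such a flow really exists."""
    if not is_inbound(pkt):
        return True            # egress from campus is permitted
    return pkt.ack

class StatefulFirewall:
    """Inbound traffic is allowed only if it matches a flow an inside host
    opened first; this is the state the stateless ACL has to guess at."""
    def __init__(self) -> None:
        self.flows = set()     # (src, sport, dst, dport) of outbound opens

    def allows(self, pkt: Packet) -> bool:
        if not is_inbound(pkt):
            if pkt.syn and not pkt.ack:   # inside host opening a new flow
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def compare(packets):
    """Per-packet (stateless, stateful) verdicts, processed in order."""
    fw = StatefulFirewall()
    return [(stateless_allows(p), fw.allows(p)) for p in packets]

# constructed sample: an outbound HTTPS connection and its SYN/ACK reply,
# then an unsolicited inbound packet toward SSH with only ACK set
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.5", 40001, 443, syn=True, ack=False),
    Packet("203.0.113.5", "192.0.2.10", 443, 40001, syn=True, ack=True),
    Packet("198.51.100.7", "192.0.2.20", 4444, 22, syn=False, ack=True),
]
```

Running `compare(SAMPLE)` shows both filters admitting the legitimate reply, while only the stateful table rejects the third packet; that per-flow memory is what the vendors charge for and what costs forwarding rate.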