Educause Security Discussion mailing list archives

ROI on stateful and deep-packet-inspection firewalls


From: Andrew Daviel <advax () TRIUMF CA>
Date: Tue, 31 Jan 2012 13:16:02 -0800

We are upgrading our core routers, and I've been wading through vendor bumf ...

It seems that routers generally support stateless firewalling (ingress/egress filters, port blocking) at full line rate as part of the default configuration.

Then you can layer stateful protocol-aware firewalling on top of that for more money, at reduced bandwidth. And then again, deep inspection, antivirus and app tracking for yet more money and yet less bandwidth.

I'm wondering what the ROI is for installing these products, apart from what the vendors tell us.

I'm a bit wary of sinking a lot of time and money into a digital Maginot Line, in an academic environment where we can't easily categorize network connections into good and bad. I'm more in favour of hardening sensitive assets close in.

What experience do others have of deploying firewall products like Cisco ASA 5000's or Juniper SRX? Do you see a big drop-off in downtime and trouble tickets, or extra work creating and tuning rules?
Do you have IPS or application filtering?


(seems like some of these products would let us do backstop asset hardening using VLANs - probably a good idea, even if we could not afford to filter all links at full rate)

--
Andrew Daviel, TRIUMF, Canada
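The post distinguishes stateless line-rate filtering (port-based ingress/egress ACLs) from the stateful tier layered on top of it. The following is an added illustration, not part of the original message or any vendor's product: a toy per-packet ACL next to a toy connection tracker, run over a handful of constructed packets (documentation-range addresses, hypothetical hosts). It shows the one thing a stateless ACL cannot do, which is tell genuine return traffic apart from an unsolicited inbound packet that merely uses source port 80 to look like a reply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    label: str
    direction: str   # "in" = Internet -> campus, "out" = campus -> Internet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK, i.e. a connection attempt


def stateless_decision(pkt: Packet) -> str:
    """Per-packet ACL of the kind a core router applies at line rate.

    It has no memory of earlier packets, so 'return traffic' can only be
    approximated by matching on the source port of the inbound packet.
    """
    if pkt.direction == "out":
        return "allow"                 # egress policy: let the campus out
    if pkt.dport == 80:
        return "allow"                 # published web server
    if pkt.sport == 80 and pkt.dport >= 1024:
        return "allow"                 # looks like a reply to an outbound web request
    return "deny"


class StatefulFilter:
    """Connection-tracking filter.

    Inbound packets are allowed only when they belong to a flow the campus
    opened, or when they start a connection to an explicitly published service.
    """

    def __init__(self) -> None:
        self.flows = set()  # (src, sport, dst, dport) of tracked connections

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out":
            if pkt.syn:
                self.flows.add(key)    # remember connections opened from inside
            return "allow"
        if key in self.flows or reverse in self.flows:
            return "allow"             # belongs to a tracked connection
        if pkt.dport == 80 and pkt.syn:
            self.flows.add(key)        # new connection to the published web server
            return "allow"
        return "deny"


# Constructed sample traffic (hypothetical hosts in documentation address ranges).
SAMPLE_TRAFFIC = [
    Packet("outbound web request", "out", "10.0.0.5", 40000, "198.51.100.7", 80, syn=True),
    Packet("reply to that request", "in", "198.51.100.7", 80, "10.0.0.5", 40000),
    Packet("unsolicited, source port 80", "in", "203.0.113.9", 80, "10.0.0.5", 3389),
    Packet("new connection to web server", "in", "203.0.113.9", 51515, "10.0.0.8", 80, syn=True),
    Packet("new connection to ssh", "in", "203.0.113.9", 51516, "10.0.0.8", 22, syn=True),
]


def compare_filters(packets=SAMPLE_TRAFFIC):
    """Run one packet stream through both filters.

    Returns {label: (stateless_decision, stateful_decision)} so the two
    policies can be compared packet by packet.
    """
    stateful = StatefulFilter()
    return {p.label: (stateless_decision(p), stateful.decide(p)) for p in packets}


if __name__ == "__main__":
    for label, (stateless, stateful) in compare_filters().items():
        flag = "  <-- differs" if stateless != stateful else ""
        print(f"{label:30} stateless={stateless:5} stateful={stateful:5}{flag}")
```

Only the third packet separates the two: the ACL admits it because the source port matches the "return traffic" rule, while the tracker rejects it because no campus host ever opened that connection. That gap is the argument for the stateful tier; whether it is worth the bandwidth reduction is the ROI question the post is asking.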

