Educause Security Discussion mailing list archives

Re: ROI on stateful and deep-packet-inspection firewalls


From: Chris Green <cmgreen () UAB EDU>
Date: Fri, 3 Feb 2012 20:00:55 +0000

The ROI is hard to capture, but I generally am in favor of it AND hardening end-points. There are several factors 
involved in the space.

Complexity often does go up. When going inline with firewalls & IPS activities, we've generally had an A and a B path 
with L2 redundancy between them.

Some scenarios worth considering both policy and technically:

- If you are experiencing a mass virus infection targeting end-point software through drive-by downloads, how do you 
respond and prevent?
- How do you identify traffic abuse causing network issues?
- Who do you rely on for finding out about new attacks and mitigating issues? Most IPS/DPI/IDS/etc. have some sort of 
rules base involved. At some level, the "inspection" part is a commodity (Snort vs. Bro vs. TippingPoint vs. Juniper vs. 
...), but the results of the specific team you are paying for monitoring vary.
- Do the vendors capture full packet data or just an event report? Can you get to the packets in a reasonable amount 
of time and meet your performance characteristics?
- Can you realistically put in your own situational rules?
- Do you have a policy governing your DPI efforts?

Full packet is MUCH more useful in figuring out "hey, this drive-by worked because it was JRE 1.3.1"; even better is a 
packet/URL proxy history you can go recall if you need to.

I've never heard a very good opinion of the tools that lump it all into the FW, but someone will get it right one day 
(and may already have).

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Seth Hall
Sent: Friday, February 03, 2012 8:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ROI on stateful and deep-packet-inspection firewalls

On Jan 31, 2012, at 4:16 PM, Andrew Daviel wrote:

Do you see a big drop-off in downtime and trouble tickets, or extra work creating and tuning rules?

I would love to see the answers to this question in particular. My expectation is that downtime increases (solely due 
to increased inline complexity), trouble tickets remain fairly stable, and there is almost certainly going to be 
considerable time spent tuning rules, but that's completely unavoidable.

For anyone who knows me, I certainly can't pretend not to be biased, but a suggestion that I tend to give people with 
these questions is to pay attention to the benefits that the money you spend would provide you. Would your security 
analysts (incident hunters!) be able to understand the network better? Would they be able to respond to problems more 
quickly? Would it become a tool in their toolbox or would it become a box of magic?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
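As an added illustration of Chris Green's point above about a recallable packet/URL proxy history (example code, not part of the thread or of any product it mentions): a small Python triage script over constructed proxy-log lines that pulls the JRE version out of Java client User-Agent strings, so an analyst can see after the fact which hosts fetched content with an outdated runtime. The log format, hosts, URLs and the version cut-off are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy-history lines (hypothetical format):
#   <epoch> <client-ip> <method> <url> <status> "<user-agent>"
PROXY_LOG = """\
1328300001 10.1.4.22 GET http://ad-cdn.example.net/banner.js 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"
1328300002 10.1.4.22 GET http://ad-cdn.example.net/landing.html 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"
1328300003 10.1.4.22 GET http://ad-cdn.example.net/loader.jar 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.3.1_20"
1328300004 10.1.4.22 GET http://ad-cdn.example.net/update.bin 200 "Java/1.3.1_20"
1328300010 10.1.4.57 GET http://ad-cdn.example.net/loader.jar 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_02"
1328300011 10.1.4.57 GET http://www.example.edu/index.html 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/9.0"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# Java clients identify themselves as "Java/<major>.<minor>.<patch>[_<update>]"
JAVA_UA_RE = re.compile(r'\bJava/(\d+\.\d+\.\d+(?:_\d+)?)')

def parse_version(v):
    """'1.3.1_20' -> (1, 3, 1, 20); a missing update number counts as 0."""
    main, _, update = v.partition('_')
    return tuple(int(x) for x in main.split('.')) + (int(update or 0),)

def find_java_fetches(log_text, min_ok=(1, 7, 0, 0)):
    """Return {client: [(jre_version, url, is_outdated), ...]} for every
    request the proxy saw from a Java client. min_ok is an assumed cut-off."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, client, _method, url, _status, ua = m.groups()
        jm = JAVA_UA_RE.search(ua)
        if not jm:
            continue  # browser traffic, not the Java runtime itself
        ver = jm.group(1)
        hits[client].append((ver, url, parse_version(ver) < min_ok))
    return dict(hits)

def outdated_java_clients(log_text, min_ok=(1, 7, 0, 0)):
    """Map client -> (JRE version, first URL it fetched) for hosts whose
    Java runtime is older than min_ok: the triage list for an IR team."""
    out = {}
    for client, fetches in find_java_fetches(log_text, min_ok).items():
        for ver, url, outdated in fetches:
            if outdated and client not in out:
                out[client] = (ver, url)
    return out

if __name__ == "__main__":
    for host, (ver, url) in outdated_java_clients(PROXY_LOG).items():
        print(f"{host}: JRE {ver} fetched {url}")
```

The same pass over real proxy history would answer Chris's "it was JRE 1.3.1" question without touching the end-point, provided the history is retained long enough to be recalled.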

