Educause Security Discussion mailing list archives
Re: ROI on stateful and deep-packet-inspection firewalls
From: Chris Green <cmgreen () UAB EDU>
Date: Fri, 3 Feb 2012 20:00:55 +0000
The ROI is hard to capture but I generally am in favor of it AND hardening end-points. There are several factors involved in the space. Complexity often does go up. When going inline with firewalls & IPS activities, we've generally had an A and a B path with L2 redundancy between them.

Some scenarios worth considering both policy and technically:

- If you are experiencing a mass-virus infection targeting end-point software through drive-by downloads, how do you respond and prevent?
- How do you identify traffic abuse causing network issues?
- Who do you rely on for finding out new attacks and mitigating issues? Most IPS/DPI/IDS/etc. all have some sort of rules base involved. At some level, the "inspection" part is a commodity (snort v. bro v. TippingPoint v. Juniper v. ....) but the results of the specific team you are paying for monitoring vary.
- Do the vendors capture full packet data or just an event report? Can you get to the packets in a reasonable amount of time and meet your performance characteristics?
- Can you realistically put in your own situational rules?
- Do you have a policy governing your DPI efforts?

Full packet is MUCH more useful in figuring out "hey, this drive-by worked because it was JRE 1.3.1"; even better is a packet/url proxy history you can go recall if you need to.

I've never heard a very good opinion of the tools that lump it all into the FW but someone will get it right one day (and may already have).

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Seth Hall
Sent: Friday, February 03, 2012 8:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ROI on stateful and deep-packet-inspection firewalls

On Jan 31, 2012, at 4:16 PM, Andrew Daviel wrote:
> Do you see a big drop-off in downtime and trouble tickets, or extra work creating and tuning rules?
I would love to see the answers to this question in particular. My expectation is that downtime increases (solely due to increased inline complexity), trouble tickets remain fairly stable, and there is almost certainly going to be considerable time spent tuning rules, but that's completely unavoidable.

For anyone that knows me, I certainly can't pretend to not be biased, but a suggestion that I tend to give people with these questions is to pay attention to the benefits that the money you spend would provide you. Would your security analysts (incident hunters!) be able to understand the network better? Would they be able to respond to problems more quickly? Would it become a tool in their toolbox or would it become a box of magic?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
Current thread:
- ROI on stateful and deep-packet-inspection firewalls Andrew Daviel (Jan 31)
- Re: ROI on stateful and deep-packet-inspection firewalls Seth Hall (Feb 03)
- Re: ROI on stateful and deep-packet-inspection firewalls Chris Green (Feb 03)
- Re: ROI on stateful and deep-packet-inspection firewalls Brian Helman (Feb 03)
- Re: ROI on stateful and deep-packet-inspection firewalls Chris Green (Feb 03)
- Re: ROI on stateful and deep-packet-inspection firewalls Seth Hall (Feb 03)