Educause Security Discussion mailing list archives

Re: post firewall deployment ROI numbers

From: Karen Duncanson <duncans2 () OAKLAND EDU>
Date: Mon, 12 Jun 2006 08:51:15 -0400

The metrics for this, if you can find meaningful ones, will be very difficult to determine due to the variables
involved in utilizing a firewall. After 10 years of deploying various firewalls, I have found that they tend to be
viewed as monlithic, when in fact they are not. The manpower going into deploying, maintaining and utilizing firewall
depends on how you want to use it and on how much service you want to get from it. I find that the more effective you
want that firewall to be, the more time is required to configure, maintain and monitor it. (more FTE). A better metric
might be to visit the site http://www.dshild.org or similar site. There you will find, reports regarding the number of
attacks originating from various ip address spaces. These can be easily mapped to various sites that have, or do not
have a firewall (you will need to ask around). In this way you can map the firewall FTE to effectiveness. You may also
want to ask generic questions regarding basic configu!
ration. For example, a firewall configured to deny all except that specifically specified will require fewer FTEs from
the admin and result in fewer FTEs from the on staff and allow fewer attacks paths into and out of the site.

Historically, I have occaisonally observed organizations putting up firewalls that do little, require little attention
(few FTEs) and provide a false sense of security which encourages users and admins to become lax about desktop
maintanance. In the extreme this will be a negative firewall. These should not be in your report :-)

Hope this perspective helps you with your report.

---- Original message ----

Date: Fri, 9 Jun 2006 13:20:55 -0700
From: Tina Darmohray <tmd () STANFORD EDU>
Subject: [SECURITY] post firewall deployment ROI numbers
To: SECURITY () LISTSERV EDUCAUSE EDU

I'm looking for Return On Investment numbers from universities who have
deployed firewalls.  E.g., one university has shared that they reduced
their incidents by > 90% by firewalling their campus.  Another university
reduced their incident response staffing from 1.25 FTE to 1 FTE [10K
node network] through firewallng.

Do you have similar numbers you'd be willing to share?  I can summarize
to the group, or if you'd prefer your numbers not be widely posted, let
me know that too.

Thank you for your help!

--

Tina Darmohray
Information Security Officer
tmd () stanford edu
(650) 724-7661

Karen Duncanson, CISSP, CCNA
UTS/Network Security Analyst
www.oakland.edu/uts
248-370-2675

Current thread:

post firewall deployment ROI numbers Tina Darmohray (Jun 09)
- <Possible follow-ups>
- Re: post firewall deployment ROI numbers Karen Duncanson (Jun 12)
- Re: post firewall deployment ROI numbers Flagg, Martin D. (Jun 12)
- Re: post firewall deployment ROI numbers Gary Flynn (Jun 12)
- Re: post firewall deployment ROI numbers Russell Fulton - ISO (Jun 12)