Firewall Wizards mailing list archives

Re: Firewall administration.


From: Bennett Todd <bet () rahul net>
Date: Sun, 12 Oct 1997 09:33:30 -0700

On Sun, Oct 12, 1997 at 10:57:05AM -0400, Ted Doty wrote:
> Let me clarify my earlier posting: what most customers don't realize is
> that the biggest part of the firewall's cost is the administration.

``It doesn't have to be!'' ``Yes it does!'' ``No it doesn't!''.
        - Monty Python's Flying Circus

> Even if you assume a simple and unchanging policy, someone still needs to
> cruise thru the logs to see what's happening on the connection.

It's better if someone does, yes. But if they can't afford to have someone do
it, that doesn't mean they won't still be better off with the firewall, even
ignoring the logs.

> They also need to periodically update the configuration just to protect
> against new forms of attacks.

That is more true the more complex their configuration is, or the more
concerned they are about really subtle and tricky attacks.

> Never mind reading Bugtraq to see just what those new attacks are. This
> doesn't come for free.

Once again, the more complex the security policy you try to implement, the
more likely the rules will get changed by some new bug discovery down the
road. You _can_ have a fire-and-forget, zero-maintenance firewall; you just
have to live with reduced functionality (less sophisticated and subtle
security policy) and increased risk (the possibility that some bug may
compromise your current implementation, and not get fixed, and get exploited).
That's life; TANSTAAFL; you get what you pay for; etc. This doesn't mean a
tiny company with no budget can't have a firewall, it just means that they get
less firewall than a big company that can pay for administrator time and
expertise.

> For a middling sized company, with a middling Internet feed (say dedicated
> 64 k), this can pretty easily average an hour a day for an administrator.  If
> you assume that a decent admin will make around $60k a year (use $90 k for
> a burdened rate), one eighth of this is $10-$12k administration cost each
> year.

If you're spending one man-hour a day, either you've got a truly humongous
setup --- dozens of firewalls protecting tens of thousands of internal hosts
--- or you have an unskilled admin who doesn't know how to automate routine
tasks. Unskilled help shouldn't get paid $60K/yr. If they are, it's your own
fault :-).

> Given that a low end Intel/NT-or-Linux firewall will cost less than $10k to
> install, [...]

I dunno where NT came in; this is the first I've heard of it. If you're gonna
put NT on the firewall box, why bother at all? Just put in a plain old router
with no screening rules and invite the hoi-polloi in to party. Jeez.

> and will last 3 years,

Why would that be? It'll last until the hardware dies --- which may easily be
10 years --- or until the data comm requirements grow to exceed the handling
capacity of the box, which might happen in 2 months, or might never happen.
Where does the figure 3 years come from?

> the admin cost is at least 3 times the system cost.

Or less, or more, depending on what you want to spend. The admin cost can be
very very close to zero, and you can still have a tight firewall.

-Bennett


