Firewall Wizards mailing list archives
Re: Firewall administration.
From: Bennett Todd <bet () rahul net>
Date: Sun, 12 Oct 1997 09:33:30 -0700
On Sun, Oct 12, 1997 at 10:57:05AM -0400, Ted Doty wrote:
> Let me clarify my earlier posting: what most customers don't realize is that the biggest part of the firewall's cost is the administration.
``It doesn't have to be!'' ``Yes it does!'' ``No it doesn't!''. - Monty Python's Flying Circus
> Even if you assume a simple and unchanging policy, someone still needs to cruise thru the logs to see what's happening on the connection.
It's better if someone does, yes. But if they can't afford to have someone do it, that doesn't mean they won't still be better off with the firewall, even ignoring the logs.
> They also need to periodically update the configuration just to protect against new forms of attacks.
That is more true the more complex their configurations are, or the more concerned they are about really subtle and tricky attacks.
> Never mind reading Bugtraq to see just what those new attacks are. This doesn't come for free.
Once again, the more complex the security policy you try to implement, the more likely the rules will get changed by some new bug discovery down the road. You _can_ have a fire-and-forget, zero-maintenance firewall; you just have to live with reduced functionality (less sophisticated and subtle security policy) and increased risk (the possibility that some bug may compromise your current implementation, and not get fixed, and get exploited). That's life; TANSTAAFL; you get what you pay for; etc. This doesn't mean a tiny company with no budget can't have a firewall, it just means that they get less firewall than a big company that can pay for administrator time and expertise.
> For a middling sized company, with a middling Internet feed (say dedicated 64 k), this can pretty easily average an hour a day for an administrator. If you assume that a decent admin will make around $60k a year (use $90 k for a burdened rate), one eighth of this is $10-$12k administration cost each year.
If you're spending one man-hour a day, either you've got a truly humongous setup --- dozens of firewalls protecting tens of thousands of internal hosts --- or you have an unskilled admin who doesn't know how to automate routine tasks. Unskilled help shouldn't get paid $60K/yr. If they are, it's your own fault:-).
> Given that a low end Intel/NT-or-Linux firewall will cost less than $10k to install, [...]
I dunno where NT came in; this is the first I've heard of it. If you're gonna put NT on the firewall box, why bother at all? Just put in a plain old router with no screening rules and invite the hoi-polloi in to party. Jeez.
> and will last 3 years,
Why would that be? It'll last until the hardware dies --- which may easily be 10 years --- or until the data comm requirements grow to exceed the handling capacity of the box, which might happen in 2 months, or might never happen. Where does the figure 3 years come from?
> the admin cost is at least 3 times the system cost.
Or less, or more, depending on what you want to spend. The admin cost can be very very close to zero, and you can still have a tight firewall.

-Bennett