Educause Security Discussion mailing list archives

Re: post firewall deployment ROI numbers


From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 12 Jun 2006 10:37:16 -0400

Tina Darmohray wrote:

I'm looking for Return On Investment numbers from universities who have
deployed firewalls.  E.g., one university has shared that they reduced
their incidents by > 90% by firewalling their campus.  Another university
reduced their incident response staffing from 1.25 FTE to 1 FTE [10K
node network] through firewalling.

Do you have similar numbers you'd be willing to share?  I can summarize
to the group, or if you'd prefer your numbers not be widely posted, let
me know that too.

Hi,

I don't have any numbers for you but when the MS03-026 exploits
and Blaster came through, due to our network access controls, we
didn't have any compromises or infections until late August when
the students came back. This provided a few extra weeks of
planning and response time.

I have a very general definition of "firewall" as anything
that allows some sort of network access control at whatever
layer using whatever method. We've considered the purchase of
a box labeled by sales people as a "firewall" many times but
backed off as we analyzed the functionality we desired and
ways to implement it with existing capabilities.

Router ACLs combined with the deep inspection of an IDP reduce
incidents regularly and limit the severity of others.

Our IDP stops visits to malicious web sites daily which would
often result in spyware/virus/BOT infections and which would
be transparent to most boxes labeled as firewalls. It also
regularly deflects inbound web attacks. It also helps detect
and inhibit IRCBOT activity.

On a broader note, around the time of MS03-026, we implemented
a default deny policy inbound to the student networks. A year
later, to the IT desktop networks. And last November, to the
entire campus. Anyone desiring to run a server has to request
that ports be opened or use the VPN. I haven't tried to correlate
these changes to drops in calls, but I have seen traffic bound
for machines with open back doors, out of date software, and
vulnerable configurations stopped many times. And before the
cross-campus policy, I'd seen machines not covered compromised
while machines with identical vulnerabilities that were covered
went uncompromised. How much is that worth?

A couple years ago during a period of heavy Windows Messenger
SPAM, reflexive UDP ACLs kept it from entering our network
and provided some protection against high port RPC attacks.

Last month we implemented the IOS FW on the border to
avoid having to allow packets with source port 20 into campus
which bypassed our default deny rules. The IDPs are inspecting
inbound traffic to identd to try to avoid rogue servers there.

Until last year, one technical security FTE handled campus
security incident response, security monitoring, and security
engineering. I don't think this would have been possible
without network access controls.

I would not be surprised at all about a 90% reduction in calls
if a campus that is completely open converts to a more
protective network access policy. And even if an FTE that may
be gained by a reduction in incidents is lost to administration of
network access controls, it would probably be preferable to
spend labor and resources on protection rather than responding
to compromised computers and data with the associated implications
for constituents and the organization. How much does one data
disclosure notification cost?

Another type of network access control "firewall" to consider is
a "Network Admittance Control" system such as the Cisco/Perfigo,
StillSecure, and Netreg based products. These enforce
configuration management policies and provide some intrusion
detection/prevention capabilities for clients as they connect to
the network. Instead of attempting to firewall network access of
direct threats, they primarily attempt to firewall network access
of vulnerabilities reducing risk by reducing a different variable
of the risk equation. Expending labor and resources there would
probably have positive incident reduction effects similar to
border firewalls though client variability in an unmanaged
network would likely cause end user support costs and the number
of headaches to be higher. Of course, a two-pronged approach,
denying network access to both attacks and vulnerabilities,
would be ideal.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
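The reflexive UDP ACLs and the border IOS Firewall (CBAC) inspection described in the message above, shown as an added configuration illustration that is not from the original post or from JMU's own router configuration. The interface name, ACL names and the 192.0.2.0/24 campus range are assumed placeholders; the "before" block shows the static source-port-20 exception that undermines default deny, the "after" block replaces it with stateful FTP inspection.

```cisco
! ===== BEFORE: static hole for active-mode FTP data connections =====
! Active FTP has the remote server open the data channel from its port 20
! to a high port on the campus client, so a strict default-deny inbound
! ACL breaks it. The common workaround below lets ANY outside host reach
! ANY campus high port simply by setting source port 20, which bypasses
! the default-deny policy for every host on campus.
ip access-list extended BORDER-IN
 permit tcp any eq 20 192.0.2.0 0.0.0.255 gt 1023
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any log

! ===== AFTER: reflexive ACLs for UDP plus CBAC for FTP =====
! Outbound: UDP leaving campus creates a temporary reflexive entry that
! allows only the matching reply (same addresses/ports) back in. Unsolicited
! inbound UDP, such as Windows Messenger pop-up spam or probes of high RPC
! ports, matches nothing and falls through to the final deny.
ip access-list extended CAMPUS-OUT
 permit udp 192.0.2.0 0.0.0.255 any reflect UDP-REPLIES timeout 60
 permit ip any any

! CBAC: the ftp inspector reads the PORT command on the outbound control
! channel and opens a pinhole only for that one server/port pair, so the
! static source-port-20 entry is no longer needed in the inbound ACL.
ip inspect name CAMPUS-FW ftp
ip inspect name CAMPUS-FW tcp

! Inbound: evaluate the reflexive entries, then only the explicitly
! requested server ports, then deny and log everything else.
ip access-list extended BORDER-IN
 evaluate UDP-REPLIES
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any log

interface Serial0/0
 description Border uplink (placeholder interface name)
 ip access-group CAMPUS-OUT out
 ip access-group BORDER-IN in
 ip inspect CAMPUS-FW out
```

The `deny ip any any log` entries also give the IDP-style visibility the message mentions: traffic aimed at back doors or unrequested server ports shows up in the router log instead of reaching the host.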


