Educause Security Discussion mailing list archives

Re: post firewall deployment ROI numbers


From: Russell Fulton - ISO <r.fulton () AUCKLAND AC NZ>
Date: Tue, 13 Jun 2006 08:46:21 +1200

Karen Duncanson wrote:
The metrics for this, if you can find meaningful ones, will be very difficult to determine due to the variables

Karen makes a very important point: there are firewalls and there are
firewalls; they may look the same on the outside...

I once heard from a colleague who worked for a *large* software house
who was doing work for a bank.  They required access to the bank's
internal network for testing and the bank required them to install a
firewall on the link.   The software house did so, fulfilling the letter
of their contract. Can you guess how the firewall was configured?


We have had some form of firewalling on our network since we joined the
Internet nearly 20 years ago.  Initially it was mainly there to enforce
our billing requirements (traffic costs were $2 per MB! -- 7 universities
and several govt research organisations sharing an analogue circuit to
Hawaii -- we started out with 9k6 modems!).  The focus of the firewall
has changed over the last 7 years and access controls have been
gradually tightened to the point where we now deny all inbound traffic
except what is explicitly allowed.  We have around 8000 machines with
explicit entries on the firewall.  The vast majority (95-99%) are
desktops which are configured to have outbound access and no inbound
access.  All these machines are covered by just two firewall rules and
some very large address tables which pf hashes for very fast lookup.

Like many other institutions we maintain a list of banned ports on which
the MS protocols figure highly.  These are probably the most effective
rules on the firewall.

Because we have had this set up for a long time I can't give any before
and after numbers.  I do know that for all the recent network-based
worms, infections have reached our network not from the Internet but from
laptops infected elsewhere.  This has given us valuable extra time to
prepare for these unwelcome visitors (a point Gary made).  In some cases
we waited weeks before something popped up on the network.

Don't forget about outbound traffic!  We have always blocked tftp in
both directions.  When Nimda struck I spent several weeks congratulating
myself that we had not had a single infection.  Then Anne Bennett from
Concordia modified a code red scanner written by ? to look for the Nimda
vulnerabilities and posted it to the unisog list.  When I ran it on our
network I found about 20 vulnerable systems that had been repeatedly
(100s of times) compromised but the worm failed to install because it
failed to get its body via tftp from the infecting host.

Lastly we allow our Faculty IT staff to do the firewall configuration
for their own machines via a home grown web interface (the firewall is
OpenBSD BTW).   This works very well for us -- it is the local IT staff
who have to clean up the mess when things get compromised so they have
an incentive to get it right.  Academics like it because they deal with
their local staff who understand much more about their real needs than
we in security ever will.

We have very few network based compromises -- a handful per year.
These are almost invariably web servers running vulnerable apps,
something no firewall can help with.

Russell
--
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
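The posture the message describes (deny all inbound by default, thousands of desktops covered by a single outbound rule over a pf-hashed address table, tftp and the Windows ports blocked in both directions), sketched below as an added pf.conf example that is not the University of Auckland's configuration. The interface name, table file paths and the exact port list are assumptions made for the illustration.

```pf
# Added illustration of the approach described in the message above:
# a hypothetical pf.conf, not the University of Auckland's configuration.
# Interface name, table file paths and the port list are placeholders.
ext_if = "em0"

# pf hashes large address tables, so one rule covers thousands of hosts.
# The table files stand in for lists maintained by a web interface
# (the file paths are assumptions).
table <desktops> persist file "/etc/pf/desktops.txt"   # outbound only
table <servers>  persist file "/etc/pf/servers.txt"    # explicit inbound

# Ports never allowed across the perimeter in either direction.
# tftp (69) is the one the message singles out; the Windows file and
# print ports stand in for the "MS protocols" on a banned-port list.
banned_ports = "{ 69, 135, 137:139, 445 }"

set skip on lo

# Default posture: nothing enters unless a later rule explicitly allows it.
block in log on $ext_if all

# Banned ports: blocked in both directions.  "quick" ends evaluation so no
# later pass rule can override this, which is what stops a worm fetching
# its body over tftp from the infecting host.
block quick on $ext_if proto { tcp, udp } from any to any port $banned_ports

# One rule covers every desktop: outbound only, with return traffic
# admitted by the state table rather than by any inbound pass rule.
pass out quick on $ext_if from <desktops> to any keep state

# Hosts with explicit inbound entries; a web server on tcp/443 is the
# example service here.
pass in on $ext_if proto tcp from any to <servers> port 443 keep state
pass out on $ext_if from <servers> to any keep state
```

`pfctl -nf /etc/pf.conf` parses the rule set without loading it, which is the check worth running before any table or rule edit goes live.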
