The Internet is a powerful business tool and source of revenue for many companies. However, implementing Internet access and exposing your organization’s network to the world should be approached carefully and with full knowledge that it is expensive and labor intensive to operate securely on the Net. Let’s break down the real costs of a typical installation and maintenance of an enterprise-level firewall.
The firewall question
Several people have asked me recently, “Do I need a firewall, and how much does one cost?” The answers might surprise you.
Q: Do I need a firewall?
A: If you have a constant connection to the Internet, you MUST have a firewall.
Q: How much does a firewall cost?
A: It varies from nothing (you can download a free firewall for personal or SOHO use) to a significant investment of capital.
Cost is determined by the size and complexity of your firewall and by whether you want to build a speed bump for hackers or a true fortress to protect your business data. Justification for the more substantial cost of operating the latter is simple: What would it cost your organization if your data were stolen, destroyed, or corrupted?
I recently implemented a secure network using a Raptor firewall, and here’s an outline of the major cost areas:
- Software
- Hardware
- Personnel
- Training
- Extras
Software
Choose your vendor wisely and think about the future. As your employee base grows, so will your network and the number of licensed connections. Here’s what I chose:
- Raptor Firewall NT v6.5 with virtual private network (VPN module) and unlimited mobile users: $17,579
- Standard maintenance contract: $1,194
Hardware
You’ll need a proven server platform: a fast processor, a large amount of RAM, a good backplane for the SCSI internals, and excellent NICs. I chose:
Dell PowerEdge 2400 Server with four 9.1-GB SCSI HDs, dual 1-GHz Intel Pentium III processors, 1-GB RAM, three Alteon 10/100/1000-Mbit NICs, PERC2-DC RAIDCard with 128-MB Cache 2-Internal Channels, UPS, dual 330-watt power supply, NT Server 4.0, and three-year same-day hardware support with direct line: $9,566
That brought my total to around $30,000 for software and hardware. That shouldn’t shock you, and I hope that’s not the extent of your budget, because the next three areas of cost are the difference between just having a firewall and having a secure network.
Personnel
Your network administrator is responsible for the internal operations of your network, and your security administrator is responsible for the external effects on your network. I can’t tell you how many times I’ve seen the network and the security run by the same individual. Their priority will always be the network, because that is where the customer interfaces with the company’s product. But security must be an integral part of your network, not just an afterthought. Your goal in owning a firewall should be to proactively prevent security failures, not fix them after a security breach. Here are the base personnel costs for a secure network:
- Security administrator who should be in charge of your firewall and antiviral program: $70,000+
Training
It’s absolutely essential to keep your security administrator well trained in the field.
- Basic and advanced firewall administration training costs: $9,000
- Manuals and literature for operation: $250
Extras
These packages are the difference between having a firewall and understanding how it is performing and having the peace of mind that your data is truly secure.
- WebTrends Firewall Suite—This is a real-time tool that manages, monitors, and reports on firewall activity so you can understand and respond to any security or network disturbances or traffic problems. It delivers an in-depth analysis of incoming and outgoing activity through your firewall, VPN, or proxy: $2,999
- WebTrends Security Analyzer—This tool discovers and fixes the known security vulnerabilities on Internet, intranet, and extranet hosts. It supports over 1,300 tests for Windows, Solaris, and Linux: $5,999
- CyberCop Sting—This creates a “honeypot” server, which is a server you’ve retired from your network that you run as a decoy system. It simulates an entire network on a single machine. You use this to redirect hackers away from your critical systems. Intrusive traffic is logged and evidence is collected against attackers. Contains various types of silent alarms: $2,500
That brings our true cost for an enterprise firewall to around $120,000 (about $50,000 up front), with the majority going toward hiring an excellent security administrator.
Other considerations
There are also a few more technical and procedural issues to consider, no matter which firewall product you implement.
Use a packet-filtering firewall. You want your firewall to make intelligent choices based on:
- Where the data is coming from.
- Where the data is going.
- The type of data carried in the packet.
Use a screening router to:
- Help to filter dangerous traffic to and from your network.
- Provide an extra layer of protection.
Train your security people well and require daily reports on network attacks. This provides visibility into the threats that exist both internally and externally. The reports allow you to look at trends over time and make good security decisions.
Make sure your firewall can do network address translation (NAT). No internal hosts should advertise their IP address to the rest of the world. This will make it easier to detect if someone is targeting internal hosts, which can easily become populated with security holes.
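
One way to produce the daily attack report recommended above, as an added example that is not part of the original article. The log line format, the sample entries, and the `scan_threshold` parameter are constructed for illustration and do not reflect any particular firewall product.

```python
import re
from collections import defaultdict

# Constructed log format: date time ACTION proto src:sport -> dst:dport
LINE = re.compile(
    r"(?P<day>\d{4}-\d{2}-\d{2}) \S+ (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample entries (documentation address ranges).
SAMPLE_LOG = """\
2001-03-05 02:14:07 DENY tcp 203.0.113.7:40112 -> 192.0.2.10:23
2001-03-05 02:14:08 DENY tcp 203.0.113.7:40113 -> 192.0.2.10:21
2001-03-05 02:14:09 DENY tcp 203.0.113.7:40114 -> 192.0.2.11:23
2001-03-05 09:30:00 ALLOW tcp 198.51.100.20:51000 -> 192.0.2.10:443
2001-03-05 11:02:41 DENY udp 198.51.100.20:51001 -> 192.0.2.10:161
2001-03-06 03:00:12 DENY tcp 203.0.113.7:40200 -> 192.0.2.10:23
truncated line from a log rotation
"""

def daily_report(log_text, scan_threshold=3):
    """Summarise denied traffic per day and source; count unparsable lines."""
    stats = defaultdict(lambda: defaultdict(
        lambda: {"denied": 0, "targets": set()}))
    skipped = 0
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            skipped += 1          # report gaps instead of hiding them
            continue
        if m["action"] != "DENY":
            continue
        entry = stats[m["day"]][m["src"]]
        entry["denied"] += 1
        entry["targets"].add((m["dst"], int(m["dport"])))
    report = {}
    for day, sources in stats.items():
        rows = [{"src": src, "denied": e["denied"],
                 "distinct_targets": len(e["targets"]),
                 # many distinct host/port pairs from one source looks like probing
                 "scan_like": len(e["targets"]) >= scan_threshold}
                for src, e in sources.items()]
        report[day] = sorted(rows, key=lambda r: (-r["denied"], r["src"]))
    return report, skipped

if __name__ == "__main__":
    report, skipped = daily_report(SAMPLE_LOG)
    for day, rows in report.items():
        print(day, rows)
    print("unparsed lines:", skipped)
```

Keeping each day's rows makes it possible to compare the same source across days, which is the trend view the reports are meant to give.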
Network security and network security advice are expensive. I mentioned those products above because they work for me and for the networks I help secure. But the most important thing is that you buy proven products that fit your budget, hire a good security administrator, and make sure he or she is well trained to implement the products you buy.