By Bill Sintiris

As with any infrastructure project, implementing a firewall solution requires solid research on all hardware and software costs. But a firewall estimate involves many costs that are easy to overlook, and which ones apply depends on whether the project is designed to secure Internet connectivity at your corporate headquarters, migrate your existing frame relay network to a virtual private network (VPN) solution, or secure servers you might have residing in a colocation facility.

Here are some of the questions you should ask your project team and your vendors to help produce a solid and accurate estimate for hardware and software costs.

Determining the costs of hardware should be a straightforward step for most large deployments. But purchasing a firewall solution presents a different set of problems because you need to determine how your vendor sells the components and add-on modules.

Consider this example:

  • You are deploying a nine-site VPN solution to replace your frame relay.
  • You have 300 users at your corporate office.
  • The remaining eight offices each contain between 10 and 20 users.
  • You know you will need a robust firewall at your main site and eight lower-end firewalls at the other locations.
  • You will want to allow and secure other Internet traffic to and from these remote locations, so you do not want to use a strict VPN hardware solution.

Will you need a separate encryption card?
One of the first questions to ask is “Will you need to add a separate encryption card at the corporate office to support the traffic of the approximately 120 users coming through the VPN tunnels?” You can expect the entry-level costs for this solution to be somewhere in the range of $55,000 to $60,000. This is obviously a rough estimate, because pricing varies based on which vendor you select.

Here are some other items to consider before requesting pricing from your vendor for your firewall project:

Will you have any dial-up Internet users that will need to VPN into the firewall?
Each user will be another tunnel that your corporate firewall will need to terminate, thus requiring more processing. Will the encryption card mentioned above support these single users, or will the vendor require you to add a separate VPN device to your network to allow the single user VPN access?

Will remote offices require a separate encryption card?
At the remote offices, you might be required to add a separate encryption card. Will the firewall you place in these offices be used for general Internet traffic on top of the traffic allowed over the VPN?

If so, your vendor might suggest that you offload the encryption to an add-on card here as well, depending on the number of users and the average amount of traffic.

How will you authenticate the individual VPN users?
Asking how to authenticate VPN users actually prompts two more questions on the subject:

  • Will you use the user database on your corporate firewall or use an internal Remote Authentication Dial-In User Service (RADIUS) server to provide authentication?
  • Will you also require two-factor authentication using a product such as RSA’s SecurID? What hardware will be involved to do this?

You might find that you will need to add a separate server to run the RADIUS functions and individual “token” cards for each remote user to receive his or her generated password.

Will you be implementing an intrusion detection system?
If you are implementing an intrusion detection system within your network, where will you place your sensors, and how many will you have? Does the firewall vendor provide an intrusion detection product, or will you need to look at a third-party solution?

Will you need extra networking hardware?

  • Will you have a Demilitarized Zone (DMZ) for external services on your network?
  • If you will be using a fail-over firewall, will you be separating the heartbeat traffic onto a separate segment?

If so, does your existing backbone support the use of virtual LANs (VLANs) for these separate networks, or will you be purchasing new switches during this implementation?

When implementing a firewall solution, be sure you understand all the software needed to fully install and manage your solution.

Do you have to fully license a fail-over firewall?
Along with deploying the multisite VPN solution, you also want to add redundancy to your corporate firewall.

  • You are not concerned about load balancing.
  • Your second firewall will be in constant hot standby mode.

With that in mind, you should only need one license in your corporate office, right?

Logical as that assumption is, in some instances it is wrong. Check with your vendor to find out whether you have to fully license a fail-over firewall, as this will significantly increase your costs. You can expect this solution to add an additional $15,000 to $30,000 to your total project costs, or even more depending on the options you choose.

Here are a few other questions to consider when estimating the software needed for your implementation.

Will there be software costs for appliance-based solutions?
You’ve decided to take the approach of utilizing an appliance-based firewall on your network. You like the idea that you will not have to support a separate OS, be it UNIX or NT, because it will simplify support. Be aware, even with an appliance-based solution, that you will have software costs. Unlike a true hardware solution, most appliances are simply boxes that allow you to run the firewall software. You need to purchase the appliance and the software to run on it.

Do you plan on using any existing equipment currently on your network?
Suppose you have Cisco 2500 series routers at each location and would like to add the firewall feature set to the existing Cisco IOS. Will your corporate firewall terminate IPSec tunnels from other vendors? If you are using standard encryption, you might be able to mix vendors, but verify beforehand that your corporate firewall will be able to terminate VPN tunnels from other vendors. Although utilizing existing equipment will reduce overall costs, don’t forget to budget for the additional feature set needed to expand the VPN capabilities of the existing hardware.

Will you need to license the VPN software for each individual user?
Most firewalls use a concurrent, server-based licensing model and allow you to freely distribute the VPN client to your users. However, be sure to budget accordingly if there are additional charges for the client software.

How will you monitor the logs?
Most firewalls will log all network traffic or allow you to decide what traffic you want to log. The big question is what to do with the copious amount of data that a firewall generates. Does your firewall come with the tools to easily view and search the logs? With some firewalls, you will need a third-party software package to do even the most basic log viewing. Do you also want reports and alerts on traffic? More likely than not, you will need a third-party software package to do so.
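The viewing, searching, reporting, and alerting questions above are worth answering before you buy a third-party log package, and for a small deployment a short script can show what the raw data supports. The following is an added example, not code from the article or from any firewall vendor: it assumes a constructed, generic key=value log format (real firewalls each have their own, so parse_line() would need to be adapted), parses constructed sample lines, produces a summary report of denied traffic, and raises an alert when one source is denied against several distinct destinations within a short window.

```python
"""Minimal firewall log review: parse, summarize, alert.

Added example (not from the article). The log format is a constructed,
generic key=value style; the sample addresses and timestamps are made up.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2001-03-05T10:00:01 action=deny src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=23
2001-03-05T10:00:02 action=deny src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=21
2001-03-05T10:00:03 action=accept src=10.1.1.20 dst=192.0.2.10 proto=tcp dport=443
2001-03-05T10:00:04 action=deny src=198.51.100.7 dst=192.0.2.11 proto=tcp dport=23
2001-03-05T10:00:05 action=deny src=203.0.113.4 dst=192.0.2.10 proto=udp dport=53
2001-03-05T10:00:06 action=accept src=10.1.1.21 dst=192.0.2.12 proto=tcp dport=80
2001-03-05T10:00:07 action=deny src=198.51.100.7 dst=192.0.2.12 proto=tcp dport=22
this line is malformed and should be skipped
"""

# Hypothetical format; adjust the pattern to match your firewall's real output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["action"], m["src"],
                 m["dst"], m["proto"], int(m["dport"]))


def parse_log(text):
    """Parse all lines; count (rather than silently drop) malformed ones."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)
    return events, skipped


def summarize(events):
    """Basic report: totals by action, denied traffic by source and by port."""
    denied = [e for e in events if e.action == "deny"]
    return {
        "by_action": dict(Counter(e.action for e in events)),
        "denied_by_src": dict(Counter(e.src for e in denied)),
        "denied_ports": dict(Counter(e.dport for e in denied)),
    }


def find_alerts(events, threshold=3, window_seconds=60):
    """Alert once per source that is denied against at least `threshold`
    distinct (dst, dport) pairs inside any `window_seconds` sliding window."""
    per_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "deny":
            per_src[e.src].append(e)
    alerts = []
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end].ts - evs[start].ts).total_seconds() > window_seconds:
                start += 1
            targets = {(e.dst, e.dport) for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append({"src": src, "targets": len(targets),
                               "first": evs[start].ts.isoformat(),
                               "last": evs[end].ts.isoformat()})
                break  # one alert per source is enough for a report
    return alerts


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {bad} malformed lines skipped")
    print(summarize(evs))
    print(find_alerts(evs))
```

The threshold and window are deliberately parameters: the right values depend on how noisy the Internet-facing side of your firewall is, which you only learn by running a summary like this over a few days of real logs before turning on alerting.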

How will you manage this solution?
Does your firewall vendor provide the tools to manage these devices from a single location and push security policies to multiple devices, or will you need to purchase add-on software to perform these management functions? In the example where you have a nine-site VPN solution, it can become a management headache to remotely connect to each device to add a security policy that is consistent throughout all sites.

Support/maintenance agreements
Let’s not forget about the support and maintenance agreements you’ll be purchasing at the same time as the hardware and software. Although your accounting department will probably treat the agreements differently than depreciable assets, such as hardware and software, it is worth reviewing prior to making your final decision.

For example, during your VPN deployment you would like to create a VPN connection to your colocation provider. Your company is running four e-commerce servers, and you are currently paying a substantial fee to your provider for their managed firewall service. You estimate you could deploy an appliance-based firewall in your existing rack, manage the policies remotely, and realize a return on your capital investment within six months of stopping the managed firewall service.

If the colocation facility is a significant distance from your corporate headquarters, you’ll want to obtain an agreement from your provider to provide “remote” hands to install an advanced replacement appliance in case of failure. This way, you could have your firewall vendor ship directly to the facility, have your provider swap the advanced replacement appliance with your existing appliance, and you could remotely upload your image and be back up and running. Here are a few other considerations when comparing agreements:

How many agreements do you need to purchase?
When choosing an appliance-based firewall, you will likely need to purchase separate agreements from the appliance vendor and from the software vendor.

This would be similar to buying a software-based firewall to run on NT or UNIX, where you would purchase an agreement with your hardware vendor and another with the firewall vendor. The advantage of some hardware-based firewalls, such as the Cisco PIX, is that you will only need to purchase one agreement that covers both the hardware and software.

Should you purchase support from resellers?
Some firewall resellers will offer you the choice of purchasing support from their company rather than receiving support directly from the firewall maker.

You might pay a premium for this agreement, but it could help you connect more quickly with the reseller and shorten the time it takes to resolve a problem. However, if you have strong firewall skill sets within your organization, it may be better to purchase directly from the firewall maker, as most calls to support will involve large issues that you cannot solve internally and would probably be handed off to them anyway. This can help you avoid having a “middle man” involved in the troubleshooting process, which at times only slows down resolution.

The bottom line: Be prepared
As you can tell, or may have already experienced, these variables can quickly add to your total project costs and need to be fully considered prior to implementation. The best advice is to detail your requirements fully before going to the vendors for information. Every vendor will tell you that their way is the best way to secure your network. Although some are better than others, all firewalls perform the same basic function of permitting or denying network traffic. The best way to get what you want from an implementation is to know what is important to you prior to meeting with the vendors.

Bill Sintiris is the information technology manager for Newmarket International in Portsmouth, NH. He’s worked in IT for seven years and holds CNE and MCP certifications.