Determining If You Need a Firewall

Thu Hiền


Document information:

Firewalls should not be relegated exclusively to the realm of providing access to and protection from Internet-based resources
Content extracted from the document:
Determining If You Need a Firewall

It is convenient (and accurate) to say that you always need a firewall if you are connecting to the Internet. Firewalls should not be relegated exclusively to the realm of providing access to and protection from Internet-based resources. Instead, you should consider implementing a firewall any time a resource needs to be protected, regardless of where the protected resource is located or where the requesting traffic will be coming from. Firewalls can, and in many cases should, be used to control access to important servers or different subnets within the corporate network. For example, if two branch offices should never need access to each other's resources, you should consider a firewall to enforce that policy and ensure that such access is never granted.

To help determine where you can implement a firewall, define what the cost of the data you are trying to protect is. This cost includes a number of variables. One variable to consider is the cost of restoring or repairing the data. An additional variable is the cost of lost work and downtime as a result of the data being inaccessible to employees. Yet another variable is the cost in lost revenue or income that might come as a result of the loss of data.

A common way of quantifying this kind of cost is known as determining the single loss expectancy (SLE) and annual loss expectancy (ALE). SLE is the expected monetary loss every time an incident occurs. The ALE is the expected monetary loss over the course of a year. The ALE is calculated by multiplying the annual rate of occurrence (ARO) by the SLE. The ARO is the expected number of times an event will occur in a given year; for rare events (fewer than one per year) it is the same as the probability that the event occurs in that year. The easiest way to understand how to calculate and determine this information is to go through a fictional scenario.

Suppose that your external web server is compromised and that web server is used to process incoming requests that 100 data processors work on. The first thing to do is to define the SLE, and doing that requires that you define the variables mentioned previously. First, you need to define the cost of restoring or repairing the data. This cost can range from the time it takes someone to reboot a server and apply a patch up to the cost of restoring the server from a tape backup. For this scenario, assume that the cost to recover from this compromise is $500. Next, the loss of the web server and the subsequent inability of the workers to do anything productive needs to be factored into the equation. Assuming the employees are paid $12 an hour (average salary of a data-entry clerk in the Houston, Texas, area) and the server is down for half a day being rebuilt, the cost to the company in just lost time for the users of the web server is $4800 (100 workers x $12 an hour x 4 hours). Finally, the cost of lost revenue or income needs to be factored into the equation. There are a number of ways to determine this, which the accounting department should be able to help in defining. For example, if the application in question generates a certain amount of money per transaction, and the average number of transactions per day is known, you can easily determine the number of lost transactions, and thus revenue, for a given period of time. For this scenario, suppose that the loss of revenue is $1000. This gives you a grand total of $6300, which is the SLE for the given scenario.

On the surface, considering that an enterprise-class firewall with failover can be had for less than $6000 (Cisco PIX 515E unrestricted license with failover), it would seem to make perfect sense that if a firewall could have prevented the incident, there should be no question about whether a firewall should have been purchased and implemented. However, it is not quite that simple. With the benefit of hindsight, you can easily see that the firewall was worth the cost. Rarely do we have the benefit of hindsight when it is time to determine what to spend money on, which is where the ALE comes into play.

Defining the ALE is a little bit trickier than defining the SLE because it almost always requires you to make some educated guesses as to what the ARO is. It is impossible to say with certainty that an event will occur a certain number of times a year, or even a certain number of times over the course of many years. The ARO is more a method of making an educated calculation, based on historic data and information, of what the expected probability of an occurrence is. For example, suppose that in reviewing insurance data the probability of a serious fire is once every 25 years. This does not guarantee that a fire will happen in any given year, or even at all during that time, but it does allow you to put a value on the probability that a fire will occur: in this case 1/25, or 0.04 (4 percent), in any given year. When the ARO is multiplied by the SLE, you get the ALE.

Reviewing the scenario, suppose that the ARO is defined as 1 or greater. In that case, you can easily justify spending $6000 on a firewall that could prevent the loss ($6300), because it will pay for itself by preventing a single incident. What if the ARO is less than 1 (which it frequently is)? At that point, it can be tougher to make the case that a firewall should be implemented, because the cost of the firewall may not be less than the ALE. In this case, however, keep in mind that the ALE is the expected loss, not the actual loss: the one incident that does occur still costs the full SLE. So although the cost of the solution may be more than the ALE, it may still be financially viable and a worthwhile endeavor. Conversely, if the probability that an event will occur is low enough, the cost of the solution may never be justified. Of course, as the saying goes in technology, it is always difficult to get money for security before an event occurs . . . but after an event does occur, the pocketbooks open right up to prevent a recurrence.

Another variable is the cost of starting over. This variable is particularly ...
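The SLE/ALE arithmetic above, carried through as a small cost-benefit model. This is an added example, not code from the book or from any vendor; it reuses the scenario figures ($500 recovery, 100 clerks at $12 an hour for a half-day, $1000 lost revenue, a $6000 firewall) and adds two things the text only hints at: an `effectiveness` factor (the fraction of incidents the control actually prevents) and a `service_life_years` parameter that spreads a one-off purchase over its useful life so it can be compared fairly with a per-year ALE. The five-year service life used in the demo run and the function names are assumptions; setting `service_life_years=1` reproduces the book's comparison of the full purchase price against a single year's ALE.

```python
"""Single loss expectancy (SLE) / annual loss expectancy (ALE) as a
cost-benefit model for a security control such as a firewall.

Added example. The scenario numbers come from the text; the five-year
service life and the `effectiveness` knob are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    recovery_cost: float    # restore / patch / rebuild cost per incident
    affected_staff: int     # people idle while the resource is down
    hourly_rate: float      # cost per person-hour
    downtime_hours: float   # expected outage length per incident
    lost_revenue: float     # revenue or income lost per incident


def single_loss_expectancy(s: LossScenario) -> float:
    """SLE = recovery cost + lost productive time + lost revenue."""
    lost_time = s.affected_staff * s.hourly_rate * s.downtime_hours
    return s.recovery_cost + lost_time + s.lost_revenue


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO x SLE.  ARO is incidents per year: it may be fractional
    (once every 25 years -> 0.04) or greater than 1, so it is validated
    but deliberately not capped."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * sle


def annualised_control_cost(purchase_price: float, service_life_years: float,
                            yearly_opex: float = 0.0) -> float:
    """Spread a one-off purchase over its service life and add recurring
    cost (support contract, admin time) so it is comparable with an ALE."""
    if service_life_years <= 0:
        raise ValueError("service life must be positive")
    return purchase_price / service_life_years + yearly_opex


def break_even_aro(prevented_sle: float, yearly_control_cost: float) -> float:
    """Lowest ARO at which the control pays for itself (prevented ALE == cost)."""
    return yearly_control_cost / prevented_sle


def evaluate_control(s: LossScenario, aro: float, purchase_price: float,
                     service_life_years: float, yearly_opex: float = 0.0,
                     effectiveness: float = 1.0) -> dict:
    """Compare the loss the control removes each year with what it costs.

    `effectiveness` is the fraction of incidents the control prevents; the
    text treats the firewall as fully preventing the compromise (1.0)."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    sle = single_loss_expectancy(s)
    ale = annual_loss_expectancy(sle, aro)
    cost = annualised_control_cost(purchase_price, service_life_years, yearly_opex)
    prevented = ale * effectiveness
    return {
        "sle": sle,
        "ale": ale,
        "annual_control_cost": cost,
        "net_annual_benefit": prevented - cost,
        "break_even_aro": break_even_aro(sle * effectiveness, cost),
        "justified": prevented >= cost,
    }


# Scenario from the text: external web server compromised, 100 data-entry
# clerks idle for half a day.
WEB_SERVER_COMPROMISE = LossScenario(
    recovery_cost=500.0,
    affected_staff=100,
    hourly_rate=12.0,
    downtime_hours=4.0,
    lost_revenue=1000.0,
)

if __name__ == "__main__":
    # Assumed: $6000 firewall written off over five years, no opex.
    for aro in (1.0, 0.5, 0.1, 1 / 25):
        r = evaluate_control(WEB_SERVER_COMPROMISE, aro,
                             purchase_price=6000.0, service_life_years=5)
        print(f"ARO={aro:<5.2f} SLE=${r['sle']:.0f} ALE=${r['ale']:.0f} "
              f"control=${r['annual_control_cost']:.0f}/yr "
              f"net={r['net_annual_benefit']:+.0f} "
              f"justified={r['justified']} "
              f"break-even ARO={r['break_even_aro']:.3f}")
```

Two points the run makes that the prose only states: with `service_life_years=1` the firewall is justified only at ARO >= 6000/6300, exactly the book's "1 or greater" case, whereas amortising the same box over five years brings the break-even ARO down to 1200/6300 (about 0.19), so the decision depends as much on how the control's cost is counted as on the ARO guess. `break_even_aro` is the number to bring to the budget discussion: it states how often the incident has to happen before the control is worth it, which is easier to argue about than an ARO pulled from thin air.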
