Determining If You Need a Firewall
It is convenient (and accurate) to say that you always need a firewall if you are
connecting to the Internet. Firewalls should not be relegated exclusively to the realm of
providing access to and protection from Internet-based resources. Instead, you should
consider implementing a firewall any time a resource needs to be protected, regardless of
where the protected resource is located, or where the requesting traffic will be coming
from. Firewalls can, and in many cases should, be used to control access to important
servers or different subnets within the corporate network. For example, if two branch
offices should never need access to each other's resources, you should consider a firewall
to enforce that policy and ensure that such access is never granted.
To help determine where you can implement a firewall, define what the cost of the data
you are trying to protect is. This cost includes a number of variables. One variable to
consider is the cost of restoring or repairing the data. An additional variable is the cost of
lost work and downtime as a result of the data being inaccessible to employees. Yet
another variable is the cost in lost revenue or income that might come as a result of the
loss of data.
A common way of quantifying this kind of cost is known as determining the single loss
expectancy (SLE) and annual loss expectancy (ALE). SLE is the expected monetary loss
every time an incident occurs. The ALE is the expected monetary loss over the course of
a year. The ALE is calculated by multiplying the annual rate of occurrence (ARO) by the
SLE. The ARO is the probability that something will occur during a given year. The
easiest way to understand how to calculate and determine this information is to go
through a fictional scenario.
Suppose that your external web server is compromised and that web server is used to
process incoming requests that 100 data processors work on. The first thing to do is to
define the SLE, and doing that requires that you define the variables mentioned
previously. First, you need to define the cost of restoring or repairing the data. This cost
can range from the time it takes someone to reboot a server and apply a patch or to
restore the server from a tape backup. For this scenario, assume that the cost to recover
from this compromise is $500. Next, the loss of the web server and subsequent inability
of the workers to do anything productive needs to be factored into the equation.
Assuming the employees are paid $12 an hour (average salary of a data-entry clerk in the
Houston, Texas, area) and the server is down for a half a day being rebuilt, the cost to the
company in just lost time for the users of the web server is $4800. Finally, the cost of loss
of revenue or income needs to be factored into the equation. There are a number of ways
to determine this, which the accounting department should be able to help in defining.
For example, if the application in question generates a certain amount of money per
transaction, and the average number of transactions per day is known, you can easily
determine the number of lost transactions, and thus revenue, for a given period of time.
For example, suppose that the loss of revenue is $1000. This gives you a grand total of
$6300, which is the SLE of the given scenario.
On the surface, considering that an enterprise-class firewall with failover can be had for
less than $6000 (Cisco PIX 515E unrestricted license with failover), it would seem to
make perfect sense that if a firewall could have prevented the incident, that there should
be no question about whether a firewall should have been purchased and implemented.
However, it is not quite that simple. With the benefit of hindsight, you can easily see that
the firewall was worth the cost. Rarely do we have the benefit of hindsight when it is time
to determine what to spend money on, which is where the ALE comes into play.
Defining the ALE is a little bit trickier than defining the SLE because it almost always
requires you to make some educated guesses as to what the ARO is. For example, it is
impossible to say with certainty that an event will occur a certain number of times a year
or even a certain number of times over the course of many years. The ARO is more of a
method of making an educated calculation based on historic data and information to
determine what the expected probability of an occurrence is. For example, suppose that in
reviewing insurance data the probability of a serious fire is once every 25 years. This
does not guarantee that a fire will happen in any given year, or even at all during that
time, but it does allow you to put a value to the probability that a fire will occur, in this
case 1/25 or 0.04 percent in any given year. When the ARO is multiplied by the SLE, you
can get the ALE.
Reviewing the scenario, suppose that the ARO is defined as 1 or greater. In that case, you
can easily justify spending $6000 on a firewall that could prevent the loss ($6300),
because it will pay for itself by preventing a single incident. What if the ARO is less than
1 (which it frequently is)? At that point, it can be tougher to make the case that a firewall
should be implemented, because the cost of the firewall may not be less than the ALE. In
this case, however, keep in mind that the ALE is the expected loss, not the actual loss;
although the cost of the solution may be more than the ALE, it may still be financially
viable and a worthwhile endeavor. Conversely, if the probability that an event will occur
is low enough, the cost of the solution may never be justified. Of course, as the saying goes in
technology, it is always difficult to get money for security before an event occurs... but
after an event does occur, the pocketbooks open right up to prevent a recurrence.
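The SLE and ALE arithmetic above, and the firewall-versus-ALE comparison that follows from it, carried through in code. This is an added example, not from the original text; the cost components and the $6000 firewall figure are the chapter's scenario, while the `service_life_years` parameter (spreading a one-time purchase over several years) is an assumption added here.

```python
from dataclasses import dataclass


@dataclass
class IncidentCost:
    """Components of a single loss, following the chapter's breakdown."""
    recovery_cost: float      # restoring or repairing the data (patch, rebuild, restore)
    affected_workers: int     # employees idled while the resource is unavailable
    hourly_rate: float        # average hourly pay of an affected worker
    downtime_hours: float     # expected outage length per incident
    lost_revenue: float       # revenue lost during the outage (from accounting)

    def downtime_cost(self) -> float:
        """Cost of lost work: idle workers x hourly rate x outage length."""
        return self.affected_workers * self.hourly_rate * self.downtime_hours

    def sle(self) -> float:
        """Single loss expectancy: total expected monetary loss per incident."""
        return self.recovery_cost + self.downtime_cost() + self.lost_revenue


def aro_from_interval(years_between_events: float) -> float:
    """ARO estimated from historic recurrence, e.g. one fire per 25 years -> 1/25."""
    if years_between_events <= 0:
        raise ValueError("recurrence interval must be positive")
    return 1.0 / years_between_events


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy: ARO multiplied by SLE."""
    if aro < 0:
        raise ValueError("ARO must be non-negative")
    return aro * sle


def control_is_justified(control_cost: float, sle: float, aro: float,
                         service_life_years: float = 1.0) -> bool:
    """True when expected annual loss meets or exceeds the annualized control cost.
    Assumption (not from the text): a one-time purchase is spread over its service life."""
    return ale(sle, aro) >= control_cost / service_life_years


# Constructed from the chapter's scenario: compromised web server, 100 idle data processors.
WEB_SERVER_INCIDENT = IncidentCost(recovery_cost=500, affected_workers=100,
                                   hourly_rate=12, downtime_hours=4, lost_revenue=1000)
FIREWALL_COST = 6000  # enterprise-class firewall with failover, as quoted in the text

if __name__ == "__main__":
    sle = WEB_SERVER_INCIDENT.sle()
    for aro in (1.0, 0.5, aro_from_interval(25)):
        print(f"SLE ${sle:,.0f}  ARO {aro:.2f}  ALE ${ale(sle, aro):,.0f}  "
              f"firewall justified: {control_is_justified(FIREWALL_COST, sle, aro)}")
```

With an ARO of 1 the $6000 firewall clears the $6300 ALE; at an ARO of 0.5 it does not on a one-year basis but does once its cost is spread over three years of service.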
Another variable is the cost of starting over. This variable is particularly important for
smaller companies, because most smaller companies that experience a week of downtime
as a result of a security incident are unable to recover from that outage and subsequently
go out of business.
The cost of legal repercussions as a result of the data loss or compromise is another real
cost that you must consider. The simple reality is that we live in a litigious society, and if
a company is negligent in adequately protecting their data, especially if they maintain
consumer data, there will be no shortage of lawyers seeking monetary compensation for
the security incident. I would not want to be on the jury of a company being sued that
admitted that they decided not to use a firewall, or do anything else to protect their
resources, and were subsequently hacked.
Whereas the corporate user has many justifications for protecting their resources, home
users tend not to share such concerns. Some home users might think, "What do I have
that I need to protect?" and not come up with anything important. This is a deceptive line
of thinking, however. The home user might be unaware of data that needs protection. We
have all seen the news regarding identity theft and the loss of financial information; and
if home users have used their computer to make online transactions or store their
financial data, protecting that data can go a long way toward preventing them from
becoming a victim of these types of crimes and events. Even going beyond protecting
financial data, however, many home users maintain data such as personal or family
information that they probably would not want to be made publicly available. Also,
although home users might legitimately have no data of consequence that they believe
needs protecting, an unprotected system can relatively easily be taken over by someone
else and used for malicious activity, particularly as a zombie that attacks other systems
on the Internet.
Therefore, home users really have an obligation to implement a firewall (in addition to
making sure that they run current antivirus and antispyware/malware software and keep
their systems patched and up-to-date) not only to protect themselves, but to protect others
from their systems being used as part of an attack.