Determining If You Need a Firewall | Firewall Fundamentals

It is convenient (and accurate) to say that you always need a firewall if you are connecting to the Internet. Firewalls should not be relegated exclusively to the realm of providing access to and protection from Internet-based resources. Instead, you should consider implementing a firewall any time a resource needs to be protected, regardless of where the protected resource is located, or where the requesting traffic will be coming from. Firewalls can, and in many cases should, be used to control access to important servers or different subnets within the corporate network. For example, if two branch offices should never need access to each other's resources, you should consider a firewall to enforce that policy and ensure that such access is never granted.

To help determine where you can implement a firewall, define what the cost of the data you are trying to protect is. This cost includes a number of variables. One variable to consider is the cost of restoring or repairing the data. An additional variable is the cost of lost work and downtime as a result of the data being inaccessible to employees. Yet another variable is the cost in lost revenue or income that might come as a result of the loss of data.

A common way of quantifying this kind of cost is known as determining the single loss expectancy (SLE) and annual loss expectancy (ALE). SLE is the expected monetary loss every time an incident occurs. The ALE is the expected monetary loss over the course of a year. The ALE is calculated by multiplying the annual rate of occurrence (ARO) by the SLE. The ARO is the probability that something will occur during a given year. The easiest way to understand how to calculate and determine this information is to go through a fictional scenario.

Suppose that your external web server is compromised and that web server is used to process incoming requests that 100 data processors work on. The first thing to do is to define the SLE, and doing that requires that you define the variables mentioned previously. First, you need to define the cost of restoring or repairing the data. This cost can range from the time it takes someone to reboot a server and apply a patch or to restore the server from a tape backup. For this scenario, assume that the cost to recover from this compromise is $500. Next, the loss of the web server and subsequent inability of the workers to do anything productive needs to be factored into the equation. Assuming the employees are paid $12 an hour (average salary of a data-entry clerk in the Houston, Texas, area) and the server is down for a half a day being rebuilt, the cost to the company in just lost time for the users of the web server is $4800. Finally, the cost of loss of revenue or income needs to be factored into the equation. There are a number of ways to determine this, which the accounting department should be able to help in defining. For example, if the application in question generates a certain amount of money per transaction, and the average number of transactions per day is known, you can easily determine the number of lost transactions, and thus revenue, for a given period of time. For example, suppose that the loss of revenue is $1000. This gives you a grand total of $6300, which is the SLE of the given scenario.

On the surface, considering that an enterprise-class firewall with failover can be had for less than $6000 (Cisco PIX 515E unrestricted license with failover), it would seem to make perfect sense that if a firewall could have prevented the incident, that there should be no question about whether a firewall should have been purchased and implemented. However, it is not quite that simple. With the benefit of hindsight, you can easily see that the firewall was worth the cost. Rarely do we have the benefit of hindsight when it is time to determine what to spend money on, which is where the ALE comes into play.

Defining the ALE is a little bit trickier than defining the SLE because it almost always requires you to make some educated guesses as to what the ARO is. For example, it is impossible to say with certainty that an event will occur a certain number of times a year or even a certain number of times over the course of many years. The ARO is more of a method of making an educated calculation based on historic data and information to determine what the expected probability of an occurrence is. For example, suppose that in reviewing insurance data the probability of a serious fire is once every 25 years. This does not guarantee that a fire will happen in any given year, or even at all during that time, but it does allow you to put a value to the probability that a fire will occur, in this case 1/25 or 0.04 percent in any given year. When the ARO is multiplied by the SLE, you can get the ALE.

Reviewing the scenario, suppose that the ARO is defined as 1 or greater. In that case, you can easily justify spending $6000 on a firewall that could prevent the loss ($6300), because it will pay for itself by preventing a single incident. What if the ARO is less than 1 (which it frequently is)? At that point, it can be tougher to make the case that a firewall should be implemented, because the cost of the firewall may not be less than the ALE. In this case, however, keep in mind that the ALE is the expected loss, not the actual loss, and although the cost of the solution may be less than the ALE, it may still be financially viable and a worthwhile endeavor. Conversely, if the probability that an event will occur is so low, the cost of the solution may never be justified. Of course, as the saying goes in technology, it is always difficult to get money for security before an event occurs. . . but after an event does occur, the pocketbooks open right up to prevent a recurrence.

Another variable is the cost of starting over. This variable is particularly important for smaller companies, because the majority of smaller companies that experience a week of downtime as a result of a security incident are rarely able to recover from that outage, and subsequently go out of business.

The cost of legal repercussions as a result of the data loss or compromise is another real cost that you must consider. The simple reality is that we live in a litigious society, and if a company is negligent in adequately protecting their data, especially if they maintain consumer data, there will be no shortage of lawyers seeking monetary compensation for the security incident. I would not want to be on the jury of a company being sued that admitted that they decided not to use a firewall, or do anything else to protect their resources, and were subsequently hacked.

Whereas the corporate user has many justifications for protecting their resources, home users tend not to share such concerns. Some home users might think, "What do I have that I need to protect?" and not come up with anything important. This is a deceptive line of thinking, however. The home user might be unaware of data that needs protection. We have all seen the news regarding identity theft and the loss of financial information; and if home users have used their computer to make online transactions or store their financial data, protecting that data can go a long way toward preventing them from becoming a victim of these types of crimes and events. Even going beyond protecting financial data, however, many home users maintain data such as personal or family information that they probably would not want to be made publicly available. Also, although home users might legitimately not have any data of any consequence that they believe they need to protect, if they leave their system unprotected it can relatively easily be used by someone else to engage in malicious activity, particularly by using the system as a zombie, and use a home user's computer to attack other systems on the Internet. Therefore, home users really have an obligation to implement a firewall (in addition to making sure that they run current antivirus and antispyware/malware software and keep their systems patched and up-to-date) not only to protect themselves, but to protect others from their systems being used as part of an attack.