Issue TOC Print full article Print this page Download as PDF E-Mail this URL Discuss this article Flame the author     In this article Introduction Measuring Protection Sygate Secure Enterprise 3.0 Other Products Reviewed Executive Summary Beyond the Initial Expense The Layering Effect Report Card

Firewall client licenses average about $50 per seat. Cut the free soda program for a month and you'll find the funds to pay for it. From a pure operational standpoint, however, unless you are constantly repairing hacked machines, rolling out desktop firewalls will probably yield a negative return. But, remember, you're not just interested in protecting mobile users against Internet script kiddies. Intellectual property theft is costly, embarrassing and could put you out of business. The most common losses were from R&D at $404,375 loss per incident, and financial data at $356,035 per incident, according to a report by ASIS and PricewaterhouseCoopers. Preventing one loss may pay for the entire program.

Of course, the initial cost is just one part of the story. Maintenance is time-consuming but necessary. To maintain policy files, for example, you must keep a list of applications and their DLL checksums, and a separate list of people who may access that information. Furthermore, you must track users' needs, as well as their whereabouts within the company. Products that tie into existing directory services (such as Active Directory or LDAP) for user/group configuration can help reduce this cost. However, you must also keep updating executables' signatures when you upgrade. The desktop firewall won't let IE 6.0 launch if it contains only IE 5.0 signatures, for instance.

Helpdesk calls are bound to bog you down once you roll out a desktop firewall. Some users will be locked out of critical applications for a few days. Others may want to use forbidden programs, and you'll have to convince them that the security policy is more important than their individual wants. And heaven forbid you accidentally block DNS or DHCP.

Letting users see the attack report in real time may also be problematic, especially since many of them don't know what they're seeing. For example, ISS RealSecure showed overnight some 8,000 attempted attacks from one of our SNMP servers. These attacks, however, were harmless, generic scans that require no action, though they'll light up a desktop firewall on the Internet like matches dipped in gasoline. Denying users the ability to see scans and minor attacks will save your helpdesk a few phone calls.