Part 2: How to Set Up a Linux-Based Firewall for a SOHO
Part 2 of a 3-part series
May 7, 2001
Hardware and Software Solutions Options

As with any infrastructure project, implementing a SOHO firewall solution requires solid research on all hardware and software costs, including many that are easily overlooked. Among other things, these hidden costs will depend on whether the project is designed to secure Internet connectivity at your corporate headquarters, to migrate your existing frame relay network to a VPN solution, or to secure servers you might have residing in a colocation facility. Let's take a look at some of the options your project team, along with your vendors, should consider when producing a solid and accurate estimate for hardware and software costs. Consider this example:

Determining the costs of hardware should be a straightforward step for most large deployments. But purchasing a SOHO firewall solution presents a different set of problems, because you need to determine how your vendor sells both the components and any add-on modules. Here are some other items to consider before requesting pricing from your vendor(s) for your SOHO firewall project:

Separate encryption card: Will you need to add a separate encryption card at the corporate office to support the traffic of the approximately 230 users coming through the VPN tunnels? If so, you can expect the entry-level costs for this solution to be somewhere in the range of $66,000 to $70,000. This is obviously a rough estimate, because estimates vary based on which vendor you select.

Dial-up Internet users who will need to VPN into the SOHO firewall: Each user will be another tunnel that your SOHO firewall will need to terminate, thus requiring more processing. Will the encryption card previously mentioned support these single users, or will the vendor require you to add a separate VPN device to your network to allow single-user VPN access?

Remote offices require a separate encryption card: At the remote offices, you might be required to add a separate encryption card. Will the SOHO firewall you place in these offices be used for general Internet traffic on top of the traffic allowed over the VPN? If so, your vendor might suggest that you offload the encryption to an add-on card here as well, depending on the number of users and the average amount of traffic.

Authenticate individual VPN users: Asking how to authenticate VPN users actually prompts two more questions on the subject: Will you use the user database on your SOHO firewall or an internal RADIUS (Remote Authentication Dial-In User Service) server to provide authentication? And will you also require two-factor authentication using a product such as RSA's SecurID? What hardware will be involved to do this? You might find that you will need to add a separate server to run the RADIUS functions and individual token cards for each remote user to receive his or her generated password.

Implementing an intrusion detection system: If you are implementing an intrusion detection system within your network, where will you place your sensors, and how many will you have? Does the SOHO firewall vendor provide an intrusion detection product, or will you need to look at a third-party solution?

Extra networking hardware: Will you have a DMZ (demilitarized zone) for external services on your network? If you will be using a fail-over SOHO firewall, will you be separating the heartbeat traffic onto a separate segment? If so, does your existing backbone support the use of VLANs (virtual LANs) for these separate networks, or will you be purchasing new switches during this implementation?

Software

When implementing a SOHO firewall solution, be sure you understand all the software necessary to fully install and manage your solution.

Fully license a fail-over firewall: Along with deploying the multisite VPN solution, you also want to add redundancy to your SOHO firewall. You are not concerned about load balancing, and your second SOHO firewall will be in constant hot-standby mode. With that in mind, you should only need one license in your corporate office, right? In some instances, this assumption, albeit logical, is most likely wrong. Check with your vendor to find out if you have to fully license a fail-over SOHO firewall, as this will significantly increase your costs. You can expect this solution to add an additional $16,000 to $31,000, or more, to your total project costs depending on the options you choose.

Here are a few other questions to consider when estimating the software needed for your implementation.

Software costs for appliance-based solutions: You've decided to take the approach of utilizing an appliance-based SOHO firewall on your network. You like the idea that you will not have to support a separate OS, be it Unix or Microsoft Corp.'s Windows NT, because it will simplify support. Be aware, though, that even with an appliance-based solution you will have software costs. Unlike a true hardware solution, most appliances are simply boxes that allow you to run the SOHO firewall software. You need to purchase the appliance and the software to run on it.

Using any existing equipment currently on your network: Suppose you have Cisco Systems' 2500 series routers at each location and would like to add the SOHO firewall feature set to the existing Cisco IOS (Internetwork Operating System). Will your SOHO firewall terminate IPSec (IP Security) tunnels from other vendors? If you are using standard encryption, you might be able to mix vendors, but be careful to verify that your SOHO firewall will be able to terminate VPN tunnels from other vendors. Although utilizing existing equipment will reduce overall costs, don't forget to budget for the additional feature set to expand the VPN capabilities of the existing hardware.

License the VPN software for each individual user: Most SOHO firewalls use a concurrent-server-based licensing model and allow you to freely distribute the VPN client to your users. However, be sure to budget accordingly if there are additional charges for the client software.

Monitor the logs: Most SOHO firewalls will log all network traffic or allow you to decide what traffic you want to log. The big question is what to do with the copious amount of data that a SOHO firewall generates. Does your SOHO firewall come with the tools to easily view and search the logs? With some SOHO firewalls, you will need a third-party software package to do even the most basic log viewing. Do you also want reports and alerts on traffic? More likely than not, you will need a third-party software package to do so.
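As an added example (not part of the original article), here is the kind of basic log viewing the text says you may otherwise need third-party software for: a small Python summarizer for the netfilter/iptables kernel log lines a Linux firewall writes to syslog. It assumes the drop rule was given --log-prefix "FW-DROP: "; the sample lines and the addresses in them are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the iptables/netfilter kernel log format;
# addresses are from RFC 5737 documentation ranges. Assumed prefixes: FW-DROP, FW-ACCEPT.
SAMPLE_LOG = """\
May  7 10:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May  7 10:01:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May  7 10:01:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44323 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
May  7 10:02:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May  7 10:03:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=UDP SPT=5353 DPT=5353 LEN=58
May  7 10:04:00 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=192.0.2.33 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
"""
PREFIX_RE = re.compile(r"kernel: (\S+): ")          # the --log-prefix text after "kernel: "
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse_line(line):
    # Return the fields we care about as a dict, or None for non-firewall lines.
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["prefix"] = m.group(1)
    return rec

def summarize(log_text, prefix="FW-DROP", sweep_ports=3):
    # Count dropped packets per source and per destination port, and flag sources
    # that probed at least `sweep_ports` distinct ports (a simple port-sweep heuristic).
    by_source, by_port = Counter(), Counter()
    ports_seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        src = rec.get("SRC", "?")
        by_source[src] += 1
        if "DPT" in rec:                # TCP/UDP only; ICMP lines carry no ports
            port = int(rec["DPT"])
            by_port[port] += 1
            ports_seen[src].add(port)
    sweeps = sorted(s for s, p in ports_seen.items() if len(p) >= sweep_ports)
    return {"total_drops": sum(by_source.values()), "by_source": by_source,
            "by_port": by_port, "port_sweeps": sweeps}

def report(summary):
    # Render the summary as plain text suitable for a daily e-mail or console view.
    lines = [f"dropped packets: {summary['total_drops']}"]
    lines += [f"  {src:16} {n:5d}" for src, n in summary["by_source"].most_common(5)]
    lines += [f"port sweep from {s}" for s in summary["port_sweeps"]]
    return "\n".join(lines)
```

Running `print(report(summarize(SAMPLE_LOG)))` lists the drop counts per source and flags 203.0.113.5, which hit three different ports.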
Manage this solution: Does your SOHO firewall vendor provide the tools to manage these devices from a single location and push security policies to multiple devices, or will you need to purchase add-on software to perform these management functions? In the example where you have a nine-site VPN solution, it can become a management headache to remotely connect to each device to add a security policy that is consistent throughout all sites.

These days, the predominant method of securing enterprise networks is to set up a firewall. And although some SOHO firewall solutions may be pricey to implement, you can save your company money without sacrificing peace of mind by following a more economical approach.
John Vacca is an information technology consultant and internationally known author based in Pomeroy, Ohio. He can be reached on the Internet at jvacca@hti.net.