In article , Simon Wigzell wrote:
:Sorry if this question has been asked and answered before, my first time
:here.
:I "administer" a dedicated server running MS server200. The company that
:looks after the server installed a firewall after we were hacked that needs
:its own domain, "fw.[company].com". For this they are billing us $180 PER
:MONTH. Is this reasonable?
In my opinion, that would depend on what the firewall does for you, on how fast it is, on what level of security your company indicates was important to your company, and on how much customization the company is willing to do for that $180. Circumstances differ, and $180 could be an outrage or it could be dirt cheap.
[By the way, I see your email address is in Canada: is that $C180, or $US180?]
- At least a portion of the firewall is dedicated to your use: what was the cost of the firewall and associated licenses? If you were to amortize it over 1 year (Revenue Canada depreciation class 10A), how much would you be paying per month?
- What kind of data rate is there going through the firewall? Firewall prices increase noticeably once you get beyond a level sufficient to serve a typical broadband connection.
- $C180 a month buys (e.g.) less than 2 hours of my time per month.
- How much did your company effectively lose by having the system hacked before? How much would it lose next time if it were hacked again? In words, what is the penalty for getting it wrong?
- How does the manner in which the crackers were able to get through before inform your company about the security expertise available within your company? e.g., was it something that your people never expected, or was it something that was a calculated gamble that didn't pay off, or was it something that your people didn't happen to get around to fixing because of the pressures of other tasks, or was it something that some of your people knew how to deal with and wanted to fix but other parts of the organization did not want the time and money expended in that manner?
- Considering the important business nature of your server, how many hours would it take you to research and configure and test alternatives that were sufficiently secure for your organization? How much would that cost in salary for you? How much would your company lose in "opportunity costs" because you weren't working on something that contributed more directly to revenue enhancement? Could you do it in less than 2 weeks, start to finish? If not, then assuming your salary is reasonable but not unremarkable, then the cost to your company would likely exceed ($C180/month for a year).