[unisog] staffing levels

Russell Fulton r.fulton at auckland.ac.nz
Wed Jul 6 04:56:51 GMT 2005



Christopher Arnold wrote:
> For those of you who maintain/manage your own FW/IDS/IPS systems (not 
> routers nor switches nor WiFi APs), do you have an approximate headcount 
> you could share with me of dedicated resources (person hours/week?) you 
> require to keep things running?
>

This is very difficult to answer in any useful way.  The problem being that it depends just how much effort you put into these activities.  The support effort for a firewall will vary depending on the type of policy you are enforcing and the interface software you are using.  We have home-grown software that ties into our network configuration database and allows IT support staff to look after firewall settings for their own machines.  Overhead of keeping the firewalls going is a few hours a year to install a new version of OBSD and the occasional hand adjustment to rule sets to handle really special cases.

I also run a bunch of snort sensors (ones on both sides of the perimeter firewall -- with different rules and some more scattered around the network).  I'd estimate I spend about 1-2 hours a day monitoring and keeping it going, but I *could* spend much more.  I primarily use snort as a sort of weather vane to see which way the wind is blowing.  So, although I see 1000s of alerts, I rarely follow stuff up.  There are a few exceptions -- when I see a local machine attacking lots of others then we know that we have a bot and it gets taken off the network.  There are a few other things that I do look for (like ftp servers running on high numbered ports).

Currently we are waging war on music sharing and I have been directed to follow up all p2p traffic; this takes quite a lot of time.

Russell
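
The one alert pattern the message above says does get followed up, a local machine attacking lots of others, can be pulled out of a high-volume alert stream automatically. The following is an added example, not part of the original post and not the poster's tooling; it assumes Snort's "fast" alert line format, and the local network range, threshold and sample alert lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the post): local address space and fan-out threshold.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FANOUT_THRESHOLD = 5

# Tail of a Snort fast-format alert: {PROTO} src[:port] -> dst[:port]
# Ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"\[\*\*\].*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def is_local(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in LOCAL_NETS)

def fanout_suspects(lines, threshold=FANOUT_THRESHOLD):
    """Map each local source to its distinct alert destinations,
    keeping only sources that reached at least `threshold` of them."""
    targets = defaultdict(set)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line
        try:
            if is_local(m["src"]):
                targets[m["src"]].add(m["dst"])
        except ValueError:
            continue  # skip lines with unparsable addresses
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}

# Constructed sample alerts: one local host fanning out to six destinations,
# one inbound scan, and one local host alerting repeatedly on a single peer.
SAMPLE_ALERTS = [
    f"07/06-04:12:0{i}.000000  [**] [1:1000001:1] constructed worm probe [**] "
    f"[Classification: Misc Attack] [Priority: 2] {{UDP}} 10.20.30.40:1044 -> 192.0.2.{i}:1434"
    for i in range(1, 7)
] + [
    "07/06-04:13:00.000000  [**] [1:1000002:1] constructed scan [**] "
    "[Priority: 3] {TCP} 198.51.100.7:4431 -> 10.20.30.41:22",
] + [
    "07/06-04:14:00.000000  [**] [1:1000003:1] constructed ping [**] "
    "[Priority: 3] {ICMP} 10.20.30.42 -> 10.20.30.1"
] * 3

if __name__ == "__main__":
    for src, dsts in fanout_suspects(SAMPLE_ALERTS).items():
        print(f"{src} alerted against {len(dsts)} distinct hosts: {', '.join(dsts)}")
```

Counting distinct destinations rather than raw alerts keeps a noisy host that repeatedly trips one rule against a single peer from being flagged.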

