Greg Young

A member of the Gartner Blog Network


The Most Expensive Decision You Make In Network Security Isn’t About A Product

September 29th, 2008

DMZs are expensive to begin with. It is remarkable how much the amount and variety of security equipment has grown that we need to provide web access, send emails, and give staff access to some of the information they need: multiple firewalls, IPS, anti-spam, anti-virus, SSL termination, web application firewalls, SSL VPNs, … a lot of expensive stuff. This is the “1x” cost. Adding a few more firewalls or a new safeguard is additive but not really a multiplier.

What availability model will you choose, or has been chosen for you? Sometimes security gets to choose it, and other times the business lines will direct what model applies. Active-Passive means a nearly 2x cost, even if the passive equipment is not as robust as the active side and often carries a less expensive support fee. Active-Active means at least a 2x cost, and more when you consider the equipment needed to maintain state and heartbeat in case of equipment failure. Now add in geography: you want to have a second site in case of flood, fire, pestilence, or attacking-radioactive-dachshunds. That means 4x. There are some options to scale down parts of this on one side of the balance sheet (e.g. having your second site use smaller equipment), but often there are neutralizers on the other side of the sheet (e.g. needing equipment in a test/devel environment). There are also variants of security high availability that are not trivial.

Your availability model has significant security cost and delivery implications.

 

 

 


Tags: Security
