
In DIGEX's Own Words: Solution Summary
The DIGEXSecure solution for MediaFlights is an active policy-based approach to security. The latest stateful inspection, virtual private networking and adaptive security management technologies are employed to ensure the premier Internet security solution set.
Each of the DIGEXSecure offerings is designed to accomplish effective, secure risk management. DIGEX views security as a process, not an event.
DIGEX recommends a staged approach to securing the MediaFlights WAN:
· DIGEXSecure Site Assessment, the first element of our solutions suite, investigates risks and vulnerabilities in the current security posture.
· DIGEXSecure Turnkey Firewall delivers on-site firewall installation and integration. Security engineers install the firewall systems and use the DIGEX Acceptance Test for quality assurance. Engineers work with MediaFlights to manage the risks identified in the assessment.
· DIGEXSecure Managed Firewall is the complete solution for MediaFlights because it ensures comprehensive and adaptive security management.
The DIGEX metric for success is customer confidence with Internet access. DIGEX is unrelenting in securing unique redundancies for Managed Firewall customers. Many providers offer basic configuration management and remote-controlled firewalls. However, DIGEX delivers comprehensive, adaptive security where customers receive tangible benefits daily.
The DIGEXSecure solution is fully scalable to meet MediaFlights' needs now and in the future.
For an Adobe Acrobat format version of DIGEX's Proposed Network unabridged, click here.

Network Computing's Evaluation of DIGEX's Proposal
DIGEX brings a best-of-breed approach to managed firewall services that surpasses those of the other vendors, with such equipment as Check Point's Firewall-1, Cisco's NetRanger intrusion detection systems and WebTrends' reporting software--as well as site assessment by Nichols Research. Are these brand-name products and services expensive? Not once you consider their merits. DIGEX charges $139,000 for one year of service--about $13,000 more than MediaFlights' own calculated costs--but the premium is well worth the price when you consider DIGEX's highly detailed plan, wide range of services, and superbly developed procedures for customer-initiated changes, event reporting and problem escalation. These strengths, along with a superior SLA, secured the company MediaFlights' bid.
DIGEX's Check Point Firewall-1 replaces MediaFlights' internal routers where possible, while external routers remain in place. Public servers, external campus network connections and MediaFlights' remote-access server move from current subnets to demilitarized zones (DMZs)--that is, subnets that are separated from both internal and external networks. Furthermore, DIGEX sets up a VPN for connections to MediaFlights' other remote networks. The Firewall-1's SecuRemote client secures this type of access by encrypting data on the remote computer whether the user is dialing into the ISP or one of MediaFlights' remote-access servers.
Uniquely, DIGEX's security doesn't stop outside the firewall. Of the four bidders, only DIGEX places an intrusion-detection system, Cisco's NetRanger, on MediaFlights' internal networks. Used in conjunction with Firewall-1, NetRanger monitors internal hosts and alerts DIGEX personnel to suspicious activity behind the firewall, where most computer break-ins occur.
We also liked the vendor's clear communication strategy, from the description of its and MediaFlights' roles and responsibilities to its robust reporting methods. Because DIGEX requires MediaFlights to provide a primary contact and at least two backups, communication between the two companies remains open even if the primary contact is unavailable.
DIGEX's firewall reporting is also more complete than Technologic's, WorldCom's or PSINet's. Using WebTrends' reporting tool, DIGEX supplies both summarized event data and detailed reports. Beyond noting connection rejections and their causes, such as "can't verify address," "invalid protocol" or "access denied," the reports show how many times a particular source IP address triggered a security event or an access rule. Such information is invaluable for tracking configuration errors and attacks.
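The kind of summary described above can be sketched as follows. This is an added example, not output or code from DIGEX, Check Point or WebTrends; the log layout, the sample records, the `min_events` threshold and the single-target versus many-targets hint are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records; the "time src dst:port action cause"
# layout is assumed here and is not a real Firewall-1 log format.
SAMPLE_LOG = """\
09:00:01 10.1.4.20 192.0.2.10:25 reject access denied
09:00:31 10.1.4.20 192.0.2.10:25 reject access denied
09:01:01 10.1.4.20 192.0.2.10:25 reject access denied
09:02:10 198.51.100.7 192.0.2.10:23 reject access denied
09:02:11 198.51.100.7 192.0.2.11:23 reject access denied
09:02:12 198.51.100.7 192.0.2.12:111 reject invalid protocol
09:02:13 198.51.100.7 192.0.2.13:79 reject access denied
09:05:40 203.0.113.9 192.0.2.10:80 reject can't verify address
09:06:00 10.1.4.33 192.0.2.10:80 accept -
"""

def parse(line):
    """Split one record; the cause is the remainder and may contain spaces."""
    _time, src, dst, action, cause = line.split(None, 4)
    return src, dst, action, cause

def summarize(log_text, min_events=3):
    """Return (rejections per cause, rejections per source, repeat sources)."""
    by_cause = Counter()
    by_source = Counter()
    targets = defaultdict(set)  # distinct dst:port pairs seen per source
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, action, cause = parse(line)
        if action != "reject":
            continue
        by_cause[cause] += 1
        by_source[src] += 1
        targets[src].add(dst)
    repeat = {}
    for src, count in by_source.items():
        if count < min_events:
            continue
        # Assumed triage hint: one repeated target looks like a configuration
        # error, many distinct targets deserve review as possible probing.
        hint = "check configuration" if len(targets[src]) == 1 else "review as probing"
        repeat[src] = (count, len(targets[src]), hint)
    return by_cause, by_source, repeat

if __name__ == "__main__":
    causes, sources, repeat = summarize(SAMPLE_LOG)
    print(causes.most_common())
    for src, row in sorted(repeat.items()):
        print(src, row)
```
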
To back up its plan, DIGEX includes an SLA that illustrates a strong commitment to solid service and fast response times. Where PSINet focuses on network access connectivity, DIGEX's SLA guarantees specific response times for configuration changes, network breaches and hardware failures. Engineers begin working on the problem as soon as they establish that it's due to a DIGEX-provided service, and problem-resolution escalates to the vice president of customer service within two hours for single-system failures and four hours for multiple-system outages.
In evaluating DIGEX's proposal, we see only two potential problems. First, unlike WorldCom, DIGEX performs only one perimeter audit during the initial rollout. As MediaFlights changes OSes and adds servers, services and other network devices, the potential holes can grow considerably. The greatest danger lies with servers close to the firewall; therefore, we would like to see a periodic perimeter audit.
Second, policy and service-change procedures are predefined and uniform for all DIGEX customers: MediaFlights' contact would verify the changes on a voicemail line, using a predefined password. We would prefer a digitally signed and encrypted written request procedure, to mitigate the possibility of a password being overheard.
For an Adobe Acrobat format version of DIGEX's Proposed Network graphic, click here.