Our solution calls for categorizing each of these points of access as mission-critical or noncritical. Noncritical connections should be removed. Mission-critical connections should be secured with a firewall and/or some combination of strong authentication and encryption.

Technologic security experts begin by conducting a comprehensive site assessment of a company's business and technical environments, learning about the company's security policy and making recommendations for improving security. The security policy is implemented on the firewall or firewalls, which are then shipped to the customer.

We monitor the firewalls 24 hours a day, seven days a week from our NOC (network operations center) in Atlanta. Our engineers are notified immediately of any connectivity or security issues, and take appropriate action.

The most visible component of the Managed Firewall Service is the reporting. Every month, the customer receives a comprehensive, easy-to-read report that documents all network activity.

For an Adobe Acrobat format version of Technologic's Proposed Network unabridiged, click here.

Unlike WorldCom and PSINet, Technologic begins the installation process with a thorough security assessment of MediaFlights' protected sites and business and technical requirements. Armed with this information, engineers work with Media Flights to make recommendations to secure the perimeter and develop a comprehensive security policy. The resulting policy is implemented on preconfigured Technologic Interceptor Appliances and shipped to the site for installation.

Each Interceptor Appliance consolidates both routing and firewalling, thereby eliminating the need for internal routers and allowing some services to be reconfigured. The Interceptor in Madison, Wis., can handle mail redirection, for example. When the mail server is relieved of that task, network load decreases. Moreover, all access points, including MediaFlights' university networks and remote-access servers, are terminated at the Interceptor firewall. While this strategy simplifies network topology, it also means a single point of failure could disable an entire site.

Notably, Technologic directly connects existing remote-access servers in San Mateo, Calif., and Manhasset, N.Y., to an interface on the Interceptor firewall. We liked this configuration because it provides tight access control of remote users through the same rule base used for the firewall. Technologic goes even further to secure remote users, using a combination of S/KEY, SecureID and CryptoCard for strong authentication, as well as encrypted remote connectivity with Sun Microsystems' SunScreen SKIP ($124 per user). We would have liked to see support for more standard VPN services, such as IPSec (IP Security) or PPTP, as PSINet offers, for example.

Once the security policy is in place, Technologic provides an annual security review, similar to the initial site assessment, to keep MediaFlights informed of the state of security on its network. The company can then make changes as needed.

Technologic says it will respond to emergencies immediately, implement routine changes to the firewall policy within one day, perform firewall maintenance within three days, and replace broken hardware within 24 hours. Unfortunately, the vendor's guarantees don't provide nearly the detail of DIGEX's SLA, so we wonder how MediaFlights would be compensated in the event of service outages.

While Technologic handles consulting especially well, the vendor's reporting procedures are a mixed bag. Some are remarkably thorough--such as reports of user connections based on DNS names or applications, and "Top Talkers" reports that help reveal potential abuse by users. Other reports are nearly meaningless. For example, the "Top 30 URL Destinations" report includes a useless count of embedded images per page.

Still other reports seem incomplete. For instance, Technologic provides a Top 20 detail report and a security report that summarizes the number of rejected services per TCP port number. These two reports can indicate a problem such as misconfiguration or an attack if a particular service turns up a high number of rejections. Unfortunately, the reports don't clearly indicate whether the connection is inbound or outbound, so reviewers of the security report need to be intimately familiar with the network address scheme. The security report also doesn't say why the connections fail--an important issue when managing a firewall.

Finally, Technologic charges extra for InterView, a tool that provides more detailed, customizable reports. The inconsistent nature of the standard reports, along with the extra charge for InterView, left us wanting more.

Despite these shortcomings, Technologic's strong stated commitment to preinstallation consulting is a big plus for MediaFlights. This level of service helped Technologic make MediaFlights' short list, and with more useful reporting and a better SLA, the vendor's managed firewall service would be a fine choice.

For an Adobe Acrobat format version of the Technologic's Proposed Network, click here.