The proposed solution for MediaFlights incorporates three service offerings--SecureSweepPerimeter, a vulnerability scan subscription service; InterManage, a suite of fully managed security services; and ConsultingAudits, which provides risk assessments, policy developments, controlled penetration studies and other security-related projects.

Our philosophy as a managed security provider is to extend and augment the capabilities of the in-house security staff. We provide a completely bundled solution that includes all necessary hardware, software, and ongoing maintenance, monitoring and administration.

As part of InterManage, WAN will:

· Create VPN tunnels as necessary to allow MediaFlights' sites to interconnect securely over public service provider infrastructure;

· Add users, create groups, define security policy, run system backups, apply patches and upgrades, and complete other security-related configuration changes;

· Archive log data and backup information for six months;

· Update hacker patterns on an ongoing basis;

· Generate a comprehensive set of management reports that identify who is doing what, when and for how long; and

· Monitor the firewall systems for security events and intruders attempting to access MediaFlights' network using SYN attacks, spoofing attempts, vulnerability scans and mail spams.

For an Adobe Acrobat format version of WorldCom's Proposed Network unabridiged, click here.

By giving MediaFlights a choice of ANS Communications' Interlock or Check Point's Firewall-1 ICSA-certified firewall appliance, WorldCom offers a more customizable security plan than its three competitors. Depending on specific needs, either of these firewalls can be used. In addition, WorldCom allows MediaFlights to switch appliances later, at no extra cost, if a change becomes necessary.

WorldCom doesn't replace any of MediaFlights' existing network infrastructure; rather, each firewall contains enough interfaces to interconnect all subnets. However, once the firewalls are in place, the resulting networks require IP address changes (as did the other vendors' solutions). WorldCom doesn't address this issue at all, nor does the company provide details on its proposal to install VPNs at MediaFlights' remote network sites.

The installation process typically takes 12 working days. MediaFlights must submit a template to describe its system configuration information and Internet security policy. While a WorldCom engineer can answer any of MediaFlights' questions, the company does not provide consultation for developing the customer's security policy itself.

With the firewall in place and active, WorldCom assumes 24x7 management of every aspect of the firewall. This includes adding or changing users, modifying the security policy and running custom reports. The proposal doesn't specify procedures for requesting modifications, but we believe this is a wise choice, since fixed procedures such as DIGEX's don't adapt well to every enterprise environment.

To monitor the firewall and traffic patterns, WorldCom offers a fairly standard series of daily, weekly and monthly reports via a secure Web server. These reports run the usual gamut from HTTP and FTP statistics and accounting chargeback costs to security alerts and attack signatures. The specific reports and their frequency are initially configured during the installation process, and WorldCom adjusts these reports as the client specifies them. However, getting such customized documents takes more time than it does with DIGEX's standard reporting package or Technologic's InterView tools, because each one is generated on the fly, rather than as a part of the original managed firewall package.

WorldCom takes an innovative approach to the monthly perimeter security audits that it recommends for an additional $12,000 per year. This service, called SecureSweep, employs a different security vendor each month.

While these vendors all use Internet Security Systems' (ISS) Internet Scanner for basic firewall and host scanning, they bring their own proprietary auditing tools to capture the widest number of vulnerabilities. Clean results are sent to the MediaFlights contact person; if SecureSweep finds any weaknesses, the reports are forwarded to WorldCom's support staff.

While WorldCom's proposal doesn't offer an SLA per se, the vendor does address maintenance issues. Most tasks can be run remotely, though a MediaFlights person may be needed to run commands from the console at the direction of WorldCom support staff. WorldCom says it can complete most maintenance tasks and replace failed hardware by the end of next business day; this schedule may leave changes uncompleted over weekends and holidays.

However, if MediaFlights' needs are time-sensitive, WorldCom says it will provide a level of service with four-hour turnaround--for a higher, but unspecified, price.

Although WorldCom offers some attractive ý la carte services, its basic managed firewall program isn't superior enough to justify its high premium over the other companies' bids. For the prices the company lists, we think stronger initial consulting and faster maintenance and repair service are a must, and should not require additional expenses.

For an Adobe Acrobat format version of the WorldCom's Proposed Network, click here.