Network Computing, powered by the InformationWeek Business Technology Network

RFP: Managed Firewall Services

In PSINet's Own Words: Solution Summary
To meet and exceed MediaFlights' stated technical and business requirements--at a reasonable cost per investment in secure communication services--PSINet Security Services recommends:

· A four-site PSINet intranet with Secure Dial Access option;

· PSINet InterFrame with Net Service connectivity service to connect each of MediaFlights' four corporate sites directly to PSINet's IP-based worldwide frame relay backbone;

· Redundancy of each site to each of the other three sites through a meshed PVC (Permanent Virtual Circuit); and

· PSINet SecurityCentral-Premier Service Level managed security service installed at each site.

The PSINet service includes preconfiguration and remote installation and troubleshooting of PSINet-owned equipment deployed on the customer's premises.

The service's centrally managed configuration provides dynamic stateful packet-filtering; robust application-level proxies; strong authentication of remote users; optional client/server encryption for remote users; optional firewall-to-firewall encryption for intrasite traffic; real-time security alarms and content monitoring capabilities; historical reporting and analyses; and centrally managed periodic scanning and follow-up consultations.

This solution guarantees that MediaFlights can meet and exceed its required level of security for both intrasite and extrasite communications without overburdening its available resources.

For an Adobe Acrobat format version of PSINet's Proposed Network unabridged, click here.

For a full breakdown of PSINet's pricing


Network Computing's Evaluation of PSINet's Proposal
By replacing MediaFlights' existing WAN infrastructure with a PSINet frame-relay backbone, PSINet's managed firewall solution can save MediaFlights more than $45,000 per year. But PSINet's proposal has some inherent problems. First, the resulting infrastructure requires making large-scale address changes to the existing networks. Second, it doesn't adequately address MediaFlights' university connections. Third, it lacks consultation during the security-policy-building phase and offers a weak SLA.

PSINet proposed using a two-tiered approach to security--an OpenRoute GT-62 router connected to a WatchGuard Firebox II firewall. The GT-62 performs dynamic packet-filtering and authenticates remote users who are outfitted with a CryptoCard authentication mechanism. Users can dial into one of PSINet's POPs (points of presence) or use their own ISPs.

The Firebox II offers transparent proxy services, PPTP (Point-to-Point Tunneling Protocol) termination and firewall-to-firewall encryption. Because much of the Firebox's security is implemented as transparent proxies, clients never create direct connections to servers. This allows tight control on inbound and outbound traffic, as well as access to the network layers above Layer 3.

PSINet's re-engineered network should reduce both WAN and security costs. In fact, while PSINet's solution has a $164,740 price tag--higher than all but WorldCom's--it's the only solution that appears to save MediaFlights money, by eliminating $84,120 in WAN costs.

PSINet also would increase bandwidth performance between MediaFlights sites by redirecting traffic from PSINet's internal IP routers to the dedicated frame-relay PVC that connects the remote sites. Because the PVC connections are snoop-resistant, PSINet feels no encryption is necessary for MediaFlights, although PSINet offers site-to-site encryption at Layer 2 if a company requests it. Running the network through PSINet's backbone would provide other benefits for MediaFlights, as well. Using internal IP addresses reserved under RFC 1918 and NAT (network address translation) on the Firebox, MediaFlights' internal networks would enjoy a larger address space, which would provide room for future network expansion.

Unfortunately, for every benefit PSINet's solution offers, there's a corresponding disadvantage. The replacement of the existing WAN drives up MediaFlights' investment in terms of switching service providers and renumbering its network. Such renumbering may break some legacy applications, in which licensing and authentication are tied to IP addresses. Also, if PSINet's backbone fails, MediaFlights may be cut off from the Internet during the outage.

PSINet's inability to secure the campus networks poses a distinct problem. The university router is not under MediaFlights' control; thus, another firewall is necessary. Though PSINet proposed to send all traffic bound for the university networks through its own network, such a solution imposes performance problems with connections traveling across the Internet. When we pointed this out, PSINet promised to secure access from the university networks as well.

PSINet rivals DIGEX with its use of WatchGuard Technologies' package for real-time and historical reporting. Network utilization and activity reports provide a summary of traffic patterns at any time. Detailed data, such as a listing of user connections, bandwidth utilization and traffic direction, also is available. For historical information, there are several "Top 10" reports, time-series reports and exception reports that list denied connection requests.

Unlike DIGEX's SLA, however, PSINet's proposed SLA doesn't address security or management issues. PSINet's SLA focuses on network connectivity rather than enforced security and management time-line commitments. While connectivity SLAs are important for a service provider, they don't serve the same function as DIGEX's. Furthermore, the service metric for troubleshooting is ill-defined: While PSINet guarantees that it will complete 90 percent of trouble tickets within 24 hours, the remaining 10 percent can severely hamper connectivity for long periods.

PSINet also doesn't do any initial consultation to develop a security policy. Rather, MediaFlights must bring such a policy to PSINet for implementation.

Copyright © 2009 United Business Media LLC