| subject: | Re: Bush-league Two-Site VPN |
From: "Glenn Meadows"
It's really quite effective and efficient. At some point, you've to trust
someone, and Qwest is a pretty large company. The ONLY people that have
access are those in the Managed Firewall Department. The data folks, the
ones that supply our data service, can't get past the router. I've got
access to a general management website, that I can download access reports
and logs and such from the firewall, see the current access rules (ports
open, closed, mappings etc.). I can file a "ticket" via that site
to request changes, or I can call an 800 number and talk directly to one of
the tech people.
I've even had calls to my cell phone in the middle of the night reporting
that the MFW folks have lost monitor contact with our site, and that
they've traced it back to the T-1 being down, then I get an additional call
when the lines are back up and the monitor is working again.
The box works with the VPN-1 Secure Remote software from Checkpoint. Any
traffic from my laptop, when outside our 10.x.x.x network (hooked up at
home, or on the road), that tries to connect to a 10.x.x.x resource pops up the
Logon box, for UID and Password, then it authenticates, and opens a secure
connection into our LAN, and all internal resources are available. I've
got our mail server set to not accept any SMTP connections from any machine
that is not in our internal subnet. The VPN assigns an internal IP address
for the connection in a reserved range, so you can send email that way,
through the tunnel, and out the server. Or, you can use the webmail
interface, but since all our company mail is typically done in Outlook,
it's easier to work this way. Everyone who has a laptop, and works from
home or on the road has the Secure Remote software installed. We also use
the Qwest Business Dial service for times when there is no direct internet
connection. I believe that we pay a base rate of $10.00/month per user,
and they have to go over 600 minutes before any extra $$$'s are charged.
--
Glenn M.
"Geo" wrote in message
news:41ddc4d0$1{at}w3.nls.net...
> Very nice setup, the only part I don't care for is where Qwest has full
> access since they manage the Nokia, but since that's all the equipment they
> have passwords to, it's not bad at all.
>
> Geo.
>
> "Glenn Meadows" wrote in message
> news:41dd5aae$1{at}w3.nls.net...
> > Yea, and if they monitor for intrusions, and all that, I think it's worth
> > it. We have a small Nokia box supplied by Qwest, and it also handles the DMZ
> > for the mail server (3 ethernet ports on the box). They set up all the
> > access rules, map the external IP addresses and such. We have one external
> > contractor who does maintenance on one high-dollar application, that needs
> > PCAnywhere access to one internal machine. They set up a separate IP Address
> > from our public IP address, that maps directly to the internal 10.1.1.x, and
> > only has the PCAnywhere ports available on that IP address. We just turn on
> > PCA when they need access. Then, when they're on that box, they run
> > Terminal Services onto the server that has the application, and they don't
> > know the Terminal services login passwords.
> >
> >
> > --
> > Glenn M.
> >
> >
> > "Geo" wrote in message
> > news:41dcb3a4{at}w3.nls.net...
> > > "Frank Haber" wrote in message
> > > news:41dc898b$1{at}w3.nls.net...
> > >
> > > > to sniff around and see whether there are satisfied customers. A grand a year
> > > > seems a bit stiff, since there won't be much managing here - I doubt they're
> > > > going to open a bunch of different ports every week and play server.
> > >
> > > If they take care of all security patches for the devices and such then it
> > > might be worth it.
> > >
> > > Geo.
> > >
> > >
> >
> >
>
>
--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SOURCE: echomail via fidonet.ozzmosis.com