Network-1 unveils fixed-price security service


Network-1 Security Solutions Inc. now offers a fixed-price consulting service to help agencies assess the vulnerabilities of their network security.

Called the Tactical Remote Access Penetration Study (TRAPS), the package involves using "white hat" hackers to test how easy it is to penetrate an organization's network defenses over the Internet. Unlike other consulting services, however, Network-1 is providing these services at a set price, rather than billing for time, the company said.

TRAPS covers penetration testing of up to three Internet connections and one "class C" address range of about 256 Transmission Control Protocol/Internet Protocol addresses for $5,995. Waltham, Mass.-based Network-1 plans to offer TRAPS on the General Services Administration schedule, said Robert Russo, vice president of Network-1's Professional Services Group, which will offer the package to the federal government.

In the few days following TRAPS' launch, the company received inquiries from several state agencies. Among the unit's past federal clients is the Architect of the Capitol.

Network-1's professional services organization also sells to the government through Wang Government Services' GSA schedule, Russo said.

In conducting tests, Network-1 has employees certified by the International Information Systems Security Certification Consortium supervising the work. Network-1 technicians do the tests using a mix of off-the-shelf products and internally developed tools, Russo said. "We don't use hackers. These are professional people who know what they're doing."

The technicians also will try to use "little pieces of code" gathered from common hacker World Wide Web sites that can be used to breach network security, he said. The company then produces executive-level and technical reports that explain the client's vulnerabilities.

"This is a great deal," said Jim Hurley, a senior analyst for network security with Aberdeen Group. Entry-level pricing of $50,000 is "not abnormal" at the information technology consulting arms of the "Big Five" accounting firms. The reason midtier companies—who hire the consulting firms—only do security testing once a year is because the service is terribly expensive, Hurley said.

"We're trying to make it easier for people to do [security testing]," said Jim Gildea, director of product marketing for Network-1. "We're laying it out for you and saying, 'Here's a list of what we're testing, and it's at a fixed price.' " Additional Internet connections, address classes and servers, as well as limited "war dialing" exercises, can be added for an additional nominal charge, according to the company.

"We've seen this type of security sweep at more than four to five times what we're charging," Russo said.

-- Adams is a free-lance writer based in Alexandria, Va.
