The actual connection is through
an Internet Service Provider (ISP). An ISP has some connection
to the Internet "backbone", either directly, or indirectly through
another ISP. There are three types of ISPs: National ISPs, like
AT&T, PSI, and UU Net; local ISPs - there are literally hundreds
of local ISPs just in Chicago; and regional ISPs, who are somewhere
in between. National ISPs are usually (but not always) significantly
more expensive than local ISPs. They have an obvious advantage
when you need connections in a variety of locations across the
country, but aren't necessarily any better when you only need
a single connection.
ISPs charge by the month to provide connectivity. Typical
charges in Chicago for a 56kb leased line connection are $200
- $250 per month. By contrast, some national ISPs charge about
$700 per month (but that's not apples to apples, as we will
see). Your best bet is to select three or four to call, and
get price and connectivity information.
The next step is that you need a communications link between
your site and the ISP. There are two common types of connections:
A leased digital line, such as a 56kb DS-0 or a 1.54mb DS-1
(or T1) circuit; or a digital dial-up ISDN circuit. The latter
is usually cheaper both in set-up and in equipment; however,
ISDN is normally a "metered" service, i.e., you pay by the
minute. There are many exceptions to this - phone rates are
almost as random as airfares! Your ISP should be able to help
you in determining what the best alternative is; ISPs almost
always have an opinion on the subject.
By way of comparison, we have a 56kb digital line, and are
about 19 miles from our ISP (leased lines have a base charge
plus a mileage charge). Our monthly phone charge is about
$200.
In addition to the monthly charges, both the ISP and the
phone company will have installation and set-up charges, and
you will probably have to buy some local equipment. At your
end, you will need a CSU/DSU (which is like a modem for digital
lines) or an ISDN modem depending on the communications link,
and a router, which takes data from or to the Internet and
forwards it to the appropriate address. Again, your ISP will
probably have some recommendations in this regard. You can
get combined 56kb CSU/DSU - routers (or combined ISDN - routers)
for $1000-1500. Alternatively, you can buy a separate CSU/DSU
or modem and router: A Cisco 2500 (pretty much the standard)
is about $1900 and a CSU/DSU is about $300. The benefit is
that if you go to a faster connection later, you only need
to replace the CSU/DSU. Also, stand-alone routers have more
connectivity - the Cisco 2500, for example, can have two CSU/DSUs
connected, so the second could link to another location.
Set-up charges from the ISP usually cover the router and
CSU/DSU or modem that they have to get for their end.
In Chicago, these charges are usually $1000-1500. Bigger ISPs
(the national and sometimes regional or local ISPs) will frequently
bundle this into the monthly charge. So they have less in
set-up, but you pay more on a monthly basis.
In summary, here's what we paid: Our service provider charged
$1500 setup, the phone company charged $750 installation,
and we bought a Cisco 2500 and a CSU/DSU for $2200, for a
total of about $4500. We pay $250 a month to the service provider,
and $200 to the phone company for on-going charges of about
$450 per month. Your mileage may vary.
We're connected - now what? In the simplest case,
the router could be connected to an existing network. Internet
mail could be sent and received, users could browse the web,
or transfer files. In short, all the benefits of having an
Internet connection. On the other hand, the entire Internet
would also have access to your internal network. This could
be a problem.
The most common approach to solving it is using a "firewall".
Instead of connecting the router to the internal network,
it is connected to a "perimeter" network that only has two
connections: The router, and the firewall. The firewall itself
is nothing more than a machine with two network cards in it,
one for connection to the perimeter network, and one connected
to the internal network. The firewall system is configured
to block all data from passing directly from the Internet to
the internal network, or vice versa.
Have we lost all the advantages? Not at all. Say
a user on the internal network wants to look at Rubicon's
web page. Web browsers, including both Netscape Navigator
and Microsoft Internet Explorer, were designed after firewalls
became popular, and include built-in support for what are
called "proxies". The way a proxy works is this: Instead of
sending the request for our home page to our server, the browser
sends the request to the proxy, which is running on the firewall.
It accepts the connection from the internal network, and determines
the data to be retrieved. It then sends its own request on
the Internet side for the requested information. Note that
the external sites see all requests as coming from the firewall
- they have no information about the internal network, what
hosts are on it, or what their addresses are. When the information
is returned to the proxy server through the Internet, it is
then passed back to the original requesting machine through
the internal network. The user sees the data exactly as if
it had come directly from our site, but, in fact, there is
no connection at all between our server and the user's PC.
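
The proxy exchange described above, as an added Python example that is not part of the original article. The address ranges, the `X-Workstation` header and all function and class names are assumptions made for illustration; the "external" web server and the proxy both run on loopback so the example works offline.

```python
import http.client, http.server, ipaddress, threading, urllib.request

# Assumed internal ranges; loopback is listed only so the demo runs on one machine.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no upstream proxy
seen_by_origin = []  # headers of each request as the outside web server received it

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

class Handler(http.server.BaseHTTPRequestHandler):
    log_message = lambda *args: None  # silence per-request logging
    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Origin(Handler):  # stands in for an external web site
    def do_GET(self):
        seen_by_origin.append(dict(self.headers))
        self.reply(200, b"home page")

class Proxy(Handler):  # runs on the firewall and refetches requests itself
    def do_GET(self):
        # Default deny: only internal clients, only plain http:// URLs.
        if not is_internal(self.client_address[0]):
            return self.reply(403, b"not an internal host")
        if not self.path.startswith("http://"):
            return self.reply(400, b"unsupported URL")
        # Second, separate connection; none of the client's headers are copied.
        with DIRECT.open(self.path, timeout=5) as upstream:
            self.reply(200, upstream.read())

def fetch_via_proxy(url):
    """Start origin and proxy on loopback; request url ({port} = origin port)."""
    servers = [http.server.ThreadingHTTPServer(("127.0.0.1", 0), h) for h in (Origin, Proxy)]
    for s in servers:
        threading.Thread(target=s.serve_forever, daemon=True).start()
    origin_port, proxy_port = (s.server_address[1] for s in servers)
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    # Constructed header standing in for anything that identifies the internal PC.
    conn.request("GET", url.format(port=origin_port), headers={"X-Workstation": "pc17.internal"})
    resp = conn.getresponse()
    result = (resp.status, resp.read())
    conn.close()
    for s in servers:
        s.shutdown()
        s.server_close()
    return result
```

Calling `fetch_via_proxy("http://127.0.0.1:{port}/")` returns the page to the client, while `seen_by_origin` shows that the outside server received only the proxy's own request headers.
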
Mail works in a similar way. All mail addressed to imswire.com
would be sent to the firewall. The firewall would hold a list of
valid users, and would forward the mail to the appropriate
internal system, which could be the application server for
character terminal users, or saved for download directly to
their machine for PC users. Outgoing mail would follow a similar
path: Any mail directed outside would be forwarded to the
firewall machine, which would then send it to the desired
recipient. Again, to the Internet at large, there appears
to be only one host, the firewall.
What about our web page? There are several choices
here. First, you can leave your web page where it is now.
For many people, this is the best idea, as long as the monthly
charges for maintaining the page are reasonable. The benefit
is that your network connection and server are not being used
up by visitors to the web page.
If you choose to bring the page in-house, there are two
alternatives. If traffic is light, it can be hosted on the
firewall. As requirements dictate, it can be moved to a separate
web server connected to the perimeter network. If you choose
to use some of Rubicon's Internet based applications, which
allow your customers to see account and order status, inventory
availability and pricing, and to place orders through the
Internet, you would need to have a server that could access
your internal network to extract data from the application
server. The firewall machine is often a good choice for this.
Of course, you can also combine these alternatives. For
example, you can leave the primary web page material remotely
hosted, but with a server running locally to handle the database
requests.
A word of warning: Nothing is perfect. So, in addition
to these measures, it is critical that users have good passwords
and protect them, that there are good and frequent backups,
and that users and system administrators alike are watchful
for unusual events, strange crashes, missing files, and so
on.
As always, there is a trade-off between providing access
and losing security. As soon as you put a modem on a system,
you have greatly increased its usability, but you have also
greatly compromised its security. The Internet is no different.
There is no security scheme that can keep out a determined
individual with sufficient time and resources. Fortunately,
very few sites attract that kind of dedication. The intent
of the security measures we describe is to make the effort
involved in breaking in great enough that the typical hacker
will move on to an easier target.