Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

Transcription

1 Appendix 1 1st Tier Firewall The Solution shall be rack-mountable into standard 19-inch (482.6-mm) EIA rack. The firewall shall minimally support the following technologies and features: (a) Stateful inspection; (b) URL filtering; (c) Provide audit trail of firewall administrator; (d) Network Address Translation (NAT, RFC1631); (e) Accounting, auditing and statistics of firewall traffics and security events; (f) Secure communication channel for remote administration of the firewalls; (g) Security event alerting; and (h) Event Correlation and Reporting. If the firewall appliance supports hardware modules, they shall hot-swappable. Management of the entire Solution including real-time monitoring, event logs collection, policy enforcement etc should be from a single device only (management server/appliance) The firewall should support Identity Access for Granular User/ Group and machine based visibility. The Solution shall provide stateful failover among devices for all components and should be completely automatic without any sort of manual intervention. Each appliance of Solution should have hardened OS for both appliance and management platform. The Solution shall have attained Common Criteria (CC) certification or equivalent, or have been tested and recommended by the NSS Labs ( for their security, stability and reliability. The Solution should have capability to store Logs and configuration of all devices, centrally in the Solution and should also have capability to send logs of all devices to the generic central log collection servers. The Solution shall provide IPv4 and IPv6, dual stack support. The Solution shall support the complete stack of IPv4 and IPv6 services. The Solution shall support multiple security levels/zones Hardware Specifications: Signatures, Patches & updates being received from OEM should be from trusted sites The firewall shall minimally have fiber interfaces of 6 x Gigabit Ethernet ports. The firewall shall have console port. The firewall shall provide the threat prevention throughput scalable to 700Mbps The firewall shall minimally support 3 Million concurrent connections The firewall shall minimally support 48,000 new sessions per second The firewall shall support the deployment of Routed mode and Transparent mode. The firewall shall support the mixture of virtual instances running in both Routed mode and Transparent mode within the same appliance. Page 1 of 11

2 The firewall shall support IEEE 802.1Q VLAN Trunking in Routed mode and Transparent mode. The firewall shall support IEEE 802.3ad Link Aggregation to group multiple ports for redundancy. The firewall shall support DHCP, server and relay. The firewall shall minimally support 1,024 VLANs. The firewall shall support jumbo frames up to 9,000 bytes. The firewall shall support the following IPv4 routing protocols: (a) Static route; (b) RIPv2; (c) OSPFv2; and (d) BGP version 4. The firewall shall support the following IPv6 routing protocols: (a) Static route; (b) OSPFv3; and (c) BGPv6. The firewall shall support the following Multicast features: (a) PIM-SM; and (b) PIM-SSM. The firewall shall be able to classify unknown applications and apply actions (i.e. Deny, Allow, etc.) in the firewall rules. The firewall shall be able to warn the end-user with a customizable page when the application is blocked. The firewall shall minimally support the following Network Address Translation (NAT) functionality: (a) Static NAT; (b) Dynamic NAT; and (c) PAT (Port Address Translation). The firewall shall provide filtering capability based on these parameters: (a) Source address; (b) Destination address; (c) Source port; (d) Destination port; (e) User/group role (Integration with AD); (f) FQDN or URL; (g) Protocol type; and (h) Time-based. The firewall shall allow security rules to be enforced within time intervals to be configured with an expiry date/time. The firewall shall support user, client and session authentication methods. The following user authentication schemes must be supported by the firewall: (a) Directory services: Microsoft Active Directory, OpenLDAP and Kerberos. (b) Tokens (ie -SecureID); Page 2 of 11

3 (c) TACACS; and (d) RADIUS; The firewall shall support user identification in policy without installing an agent on individual endpoints. The firewall shall populate and correlate all logs with user identity (traffic, IDPS, URL, data, etc) without any additional products or modules in real-time. The firewall shall support filtering traffics even if the packets are fragmented. The firewall shall support identifying, decrypting and evaluating SSL & SSH traffic in an outbound and inbound connection. The firewall shall support protection against Denial of Service (DoS), brute force attack, IP Spoofing, fragmented packet, Transmission Control Protocol reassembly, Sync cookie, malformed packet, flooding (ICMP/UDP, SYN), port scan, TCP/UDP sweep to the firewall interfaces. Software Features IDPS: The IDPS and firewall module shall be integrated on one platform. Integrated IDPS functionality shall be available that can be activated and de-activated as and when required on the firewall. The IDPS module shall be based on the following detection mechanisms: exploit signatures, protocol anomalies, application controls and behavior-based detection. The IDPS module shall have facility to enable/disable each individual signature. The IDPS module shall have options to create profiles for either client or server based protections, or a combination of both. The IDPS module shall have a software based fail-open mechanism, configurable based on thresholds of firewall s CPU and memory usage. The IDPS updates shall have an option of automatic/manual downloads and scheduled updates so that it can be scheduled for specific days and time. The IDPS module shall support network exceptions based on source, destination, service or a combination of the three. The IDPS application shall have a centralized event correlation and reporting mechanism. The IDPS module shall support detecting and preventing the following threats: Protocol misuse, malware communications, tunneling attempts and generic attack types without predefined signatures. The IDPS module shall support packet capturing of specific threats for forensic evidence or investigation. The IDPS module shall support detecting and blocking network and application layer attacks, protecting at least the following services: services, DNS, FTP, Windows services (Microsoft Networking), SNMP. The IDPS module shall include the ability to detect and block peer to peer traffic using evasion techniques. The administrator must be able to define network and host exclusions from IDPS inspection. The IDPS module shall detect and block remote controls applications, including those that are capable tunneling over HTTP traffic. Software Features Quality of Service (QoS): The firewall shall support per policy Differentiated Services (DiffServ) marking. The firewall (physical or virtual instances) shall provide up to eight (8) traffic classes with guaranteed, maximum and priority bandwidth parameters. The firewall shall support real-time bandwidth monitor. Page 3 of 11

4 Software Features Management: The firewall shall be managed from Graphical User Interface (GUI) and Command-Line Interface (CLI) as a single view to manage security policies, network configurations (Eg routing table, interface setup). The firewall shall come with dedicated Out-Of-Band Management Port that are not included in the number of stated interfaces mentioned in the earlier section used for production traffic. In addition, this Management Port should contain a different routing table from the production traffic. The firewall or management station shall support role-based access control (RBAC) and operation to limit access to control and limit administrators to specific functions within the firewall or its virtual instances, allowing each administrator group to freely perform its tasks without affecting the other groups. The firewall or the management station shall provide security hit count statistics. The firewall or the management station shall have the ability to view, filter and export traffic, threat, URL and data filtering logs. The logs displayed on the firewall or the management station shall minimally contain the following fields on the same page: (a) Timestamp; (b) Source IP and source port; (c) Destination IP and destination port/service; and (d) Description i.e. URL, hit counts, action. The firewalls shall support sorting and filtering of logs by selecting the desired field to be sorted or filtered i.e. source IP, destination IP, timestamp, port, accept/deny etc. The firewalls shall support export of security policies, firewall rules and configuration in a readable format. The firewall or the management station shall have the ability to present graphical summary of applications, URL categories, threats and data accounting. The firewall or the management station management station shall provide a wide range of informative, real-time, and historical reports that give critical insight into usage trends, performance baselines, and security events. The central management system shall provide an audit logging capability to an external syslog server. The firewall shall support SNMPv2 and SNMPv3. The firewall shall support NTPv3 and synchronise its system clock to a NTP server. The firewall shall support below methods of configuration: (a) Console to command-line interface (CLI); (b) Secure Shell Protocol (SSH) to CLI; (c) GUI-based management either via a HTTPS web interface or via a management tool. The firewall shall support manual and scheduled backup of configurations. The firewall shall support exporting configuration data through secure channel (authenticated and encrypted) for off-device configuration storage or equivalent. The firewall shall support the following flexible syslog and event monitoring features: (a) Enable the real time monitoring of the firewall through the firewall itself, management station or through external syslog servers; (b) Delivers accurate time stamping and numbering of syslog messages; Page 4 of 11

5 (c) Supports forwarding of logs to multiple syslog servers over either TCP or UDP as the transport protocol; (d) Ensure critical messages are not lost under busy network conditions by providing message buffering locally on the appliance; and (e) Support fine-grain control over syslog messages through a variety of methods, including support for changing priority of syslog messages, the ability to disable specific syslog messages, enabling or suppressing logging on a per- ACL entry basis. High Availability Features: The firewall shall support active/active and active/passive HA configuration. The firewall shall be support detecting link and path failure in addition to device failure. The firewall shall support encryption of HA heartbeat and control traffics. The firewall shall synchronize all sessions, decryption certificates, all VPN security associations, all threat and application signatures, all configuration changes and Forwarding Information Base (FIB) tables for HA. Page 5 of 11

6 2nd Tier Firewall The Solution shall be rack-mountable into standard 19-inch (482.6-mm) EIA rack. The firewall shall minimally support the following technologies and features: (a) Stateful inspection; (b) Provide audit trail of firewall administrator; (c) Network Address Translation (NAT, RFC1631); (d) Accounting, auditing and statistics of firewall traffics and security events; (e) Secure communication channel for remote administration of the firewalls; (f) Security event alerting; and (g) Event Correlation and Reporting. If the firewall appliance supports hardware modules, they shall hot-swappable. Management of the entire Solution including real-time monitoring, event logs collection, policy enforcement etc should be from a single device only (management server/appliance) The firewall should support Identity Access for Granular User/ Group and machine based visibility. The Solution shall provide stateful failover among devices for all components and should be completely automatic without any sort of manual intervention. Each appliance of Solution should have hardened OS for both appliance and management platform. The Solution shall have attained Common Criteria (CC) certification or equivalent, or have been tested and recommended by the NSS Labs ( for their security, stability and reliability. The Solution should have capability to store Logs and configuration of all devices, centrally in the Solution and should also have capability to send logs of all devices to the generic central log collection servers. The Solution shall provide IPv4 and IPv6, dual stack support. The Solution shall support the complete stack of IPv4 and IPv6 services. The Solution shall support multiple security levels/zones Signatures, Patches & updates being received from OEM should be from trusted sites Hardware Specifications: The firewall shall minimally have fiber interfaces of 8 x Gigabit Ethernet ports. The firewall shall have console port. The firewall shall provide the threat prevention throughput scalable to 2Gbps The firewall shall minimally support 2 Million concurrent connections The firewall shall minimally support 40,000 new sessions per second Software Features Firewall: The firewall shall support the deployment of Routed mode and Transparent mode. The firewall shall support the mixture of virtual instances running in both Routed mode and Transparent mode within the same appliance. The firewall shall support IEEE 802.1Q VLAN Trunking in Routed mode and Transparent mode. The firewall shall support IEEE 802.3ad Link Aggregation to group multiple ports for redundancy. Page 6 of 11

7 The firewall shall support DHCP, server and relay. The firewall shall minimally support 1,024 VLANs. The firewall shall support jumbo frames up to 9,000 bytes. The firewall shall support the following IPv4 routing protocols: (a) Static route; (b) RIPv2; (c) OSPFv2; and (d) BGP version 4. The firewall shall support the following IPv6 routing protocols: (a) Static route; (b) OSPFv3; and (c) BGPv6. The firewall shall support the following Multicast features: (a) PIM-SM; and (b) PIM-SSM. The firewall shall be able to classify unknown applications and apply actions (i.e. Deny, Allow, etc.) in the firewall rules. The firewall shall be able to warn the end-user with a customizable page when the application is blocked. The firewall shall minimally support the following Network Address Translation (NAT) functionality: (a) Static NAT; (b) Dynamic NAT; and (c) PAT (Port Address Translation). The firewall shall provide filtering capability based on these parameters: (a) Source address; (b) Destination address; (c) Source port; (d) Destination port; (e) User/group role (Integration with AD); (f) FQDN or URL; (g) Protocol type; and (h) Time-based. The firewall shall allow security rules to be enforced within time intervals to be configured with an expiry date/time. The firewall shall support user, client and session authentication methods. The following user authentication schemes must be supported by the firewall: (a) Directory services: Microsoft Active Directory, OpenLDAP and Kerberos. (b) Tokens (ie -SecureID); (c) TACACS; and (d) RADIUS; The firewall shall support user identification in policy without installing an agent on individual endpoints. Page 7 of 11

8 The firewall shall populate and correlate all logs with user identity (traffic, data, etc) without any additional products or modules in real-time. The firewall shall support filtering traffics even if the packets are fragmented. The firewall shall support identifying, decrypting and evaluating SSL & SSH traffic in an outbound and inbound connection. The firewall shall support protection against Denial of Service (DoS), brute force attack, IP Spoofing, fragmented packet, Transmission Control Protocol reassembly, Sync cookie, malformed packet, flooding (ICMP/UDP, SYN), port scan, TCP/UDP sweep to the firewall interfaces. Software Features Quality of Service (QoS): The firewall shall support per policy Differentiated Services (DiffServ) marking. The firewall shall support real-time bandwidth monitor. Software Features Management: The firewall shall be managed from Graphical User Interface (GUI) and Command-Line Interface (CLI) as a single view to manage security policies, network configurations (Eg routing table, interface setup). The firewall shall come with dedicated Out-Of-Band Management Port that are not included in the number of stated interfaces mentioned in the earlier section used for production traffic. In addition, this Management Port should contain a different routing table from the production traffic. The firewall or management station shall support role-based access control (RBAC) and operation to limit access to control and limit administrators to specific functions within the firewall or its virtual instances, allowing each administrator group to freely perform its tasks without affecting the other groups. The firewall or the management station shall provide security hit count statistics. The firewall or the management station shall have the ability to view, filter and export traffic, threat, URL and data filtering logs. The logs displayed on the firewall or the management station shall minimally contain the following fields on the same page: (a) Timestamp; (b) Source IP and source port; (c) Destination IP and destination port/service; and (d) Description i.e. URL, hit counts, action. The firewalls shall support sorting and filtering of logs by selecting the desired field to be sorted or filtered i.e. source IP, destination IP, timestamp, port, accept/deny etc. The firewalls shall support export of security policies, firewall rules and configuration in a readable format. The firewall or the management station shall have the ability to present graphical summary of applications, URL categories, threats and data accounting. The firewall or the management station management station shall provide a wide range of informative, real-time, and historical reports that give critical insight into usage trends, performance baselines, and security events. The central management system shall provide an audit logging capability to an external syslog server. The firewall shall support SNMPv2 and SNMPv3. The firewall shall support NTPv3 and synchronise its system clock to a NTP server. The firewall shall support below methods of configuration: Page 8 of 11

9 (a) Console to command-line interface (CLI); (b) Secure Shell Protocol (SSH) to CLI; (c) GUI-based management either via a HTTPS web interface or via a management tool. The firewall shall support manual and scheduled backup of configurations. The firewall shall support exporting configuration data through secure channel (authenticated and encrypted) for off-device configuration storage or equivalent. The firewall shall support the following flexible syslog and event monitoring features: (a) Enable the real time monitoring of the firewall through the firewall itself, management station or through external syslog servers; (b) Delivers accurate time stamping and numbering of syslog messages; (c) Supports forwarding of logs to multiple syslog servers over either TCP or UDP as the transport protocol; (d) Ensure critical messages are not lost under busy network conditions by providing message buffering locally on the appliance; and (e) Support fine-grain control over syslog messages through a variety of methods, including support for changing priority of syslog messages, the ability to disable specific syslog messages, enabling or suppressing logging on a per- ACL entry basis. High Availability Features: The firewall shall support active/active and active/passive HA configuration. The firewall shall be support detecting link and path failure in addition to device failure. The firewall shall support encryption of HA heartbeat and control traffics. The firewall shall synchronize all sessions, decryption certificates, all VPN security associations, all threat and application signatures, all configuration changes and Forwarding Information Base (FIB) tables for HA. Page 9 of 11

10 Appendix 2 Overall Internet DMZ Functional Requirement Internet DMZ design (Demiliterize zone) protected by 2 tier of firewall from 2 different firewall vendor Hardware High availability is required on every tier Proposed high level logical diagram for the Internet DMZ segment in Middle Road Office as below Supplier shall configure security policy for 1st tier firewalls on this new DMZ segment Supplier shall configure NAT required on this 1st fier firewalls of this new DMZ segment Supplier shall configure infrastructure to ensure both internet ISP link will be load shared utilize and Provides full redundancy Supplier shall enable configuration on all NGTP functions/modules if needed by Singapore pools. Page 10 of 11

11 Supplier shall configure security policy for 2nd tier firewalls on this new DMZ segment Supplier need to ensure on the normal situation Office 365 traffic will go out from Middle Road internet ISPs while the other traffic will go out via Kranji existing internet segment Deliverable Supplier shall provide detail project implementation plan latest 2 weeks after award Supplier shall provide low level design document Supplier shall provide migration plan / implementation plan document Supplier shall provide UAT Document Supplier shall provide As built documentation Page 11 of 11