ADDENDUM #1. Manassas City Public Schools. Office of Purchasing and Contracting 8700 Centreville Rd., Suite 400 Manassas, VA 20108


RFP Title: MCPS Firewall Replacement
RFP Number: 19-026-RFP
Proposal Due Date: January 22, 2019, 2:00pm by our clock

The following information is provided to all prospective Offerors and is hereby made a part of this Request for Proposal. Acknowledgment of this Addendum is required on Title Page 2 of the RFP documents. This addendum is a total of SIX (6) pages.

CLARIFICATION, ADDITIONAL INFORMATION, CHANGES:

Q1: Please list the estimated number and type of operating systems that you intend to provide Internet access to via the firewall solution (e.g., 500 Windows 10 PCs, 200 Windows 2016 Servers, 50 CentOS Linux Servers, etc.). It is understood that mobile devices such as iOS and Android may be present as well. We do not need numbers for mobile devices.
A1: MCPS has approximately 9,800 Windows 10 devices, 65 Windows 2016 & 2012 servers, 25 MacOS devices and 5 Linux-based servers.

Q2: Please list the estimated number of Active Directory joined and managed devices that will traverse the firewall.
A2: All Windows-based devices are managed by Active Directory. Approximately 1,400 Apple tablets are managed via our Apple MDM solution.

Q3: Will the school system provide access for BYOD devices to have direct access to internal resources (i.e., servers running inside the environment), or will all devices with this level of access be managed/owned by the school system?
A3: At this time, MCPS allows on-campus BYOD devices to have access to the internet via ports 80 and 443. BYOD devices are not allowed to connect to internal MCPS networks and resources while on campus. Personal devices at home have limited access to internal MCPS resources through the DMZ. Example: Parents and students have access to the student information system to see grades.

Q4: Does the school system currently provide web services from within the internal networks to external users/devices (e.g., the school system has web server(s) that are present behind the existing firewall, such as in a DMZ, and is DNAT to the public Internet to allow remote access of web server resources)?
A4: Yes.

Q5: Please define open architecture for security controls as listed on page 11, under section System Requirements, c., iii., Priority 3 Hardware and Interface Requirements.
A5: MCPS wishes for an open architecture for security controls so that multiple vendor-specific tools can see and monitor the firewall.

Q6: What is the minimum percentage required for the detection and identification of applications to be used within the Application Control services of the firewall? The Minimum Base Requirements state that support for state-aware filtering on all well-known applications needs to be provided for many of the standard application protocols, but this gives no requirement for the firewall being able to identify any of the traffic on an application level. Page 9, section b. 8. states the Firewall shall be port agnostic and analyze all data on all ports all the time for application identification. This statement seems to imply a 100% application identification requirement, but on page 9, section b. 14., the RFP states that the firewall must be able to filter unknown traffic by policy. These two statements seem at odds and thus our question regarding requirements of traffic identification. Please provide clarification.
A6: All traffic on all ports must be identified, even if that identification is unknown (Page 9, Section b, 8). Traffic identified as unknown then may be affected by a policy (Page 9, Section b, 14).

Q7: Will the appliance(s) be used for core routing services as well as edge firewall services, or will there continue to be a separate core router within the environment?
A7: MCPS does not plan at this time to use the proposed firewall to perform core routing services.

Q8: Do you intend to leverage SSL (https) inspection on devices within the school's network? Keep in mind that this will require the deployment and management of SSL certificates on each device that you wish to provide these services to.
A8: No. MCPS currently does SSL inspection via our content filtering solution.

Q9: On page 9, section b. 12. it states that policy creation and enforcement will require the ability to isolate traffic based on user identification. Will this be a requirement for all traffic? (e.g., will the school system need to be able to identify users on mobile devices or non-domain joined devices such as Chromebooks)?
A9: Yes.

Q10: On page 11, under subsection c., i. Priority 1 Hardware and Interface Requirements, 2. the RFP states that the appliance should have a separate Ethernet interface for out-of-band device management. As out-of-band management can be defined as an established trust boundary in accessing the management functions of a device, would it be acceptable if a logical management interface were used, i.e., a standard Ethernet port that has logically been isolated for management purposes? Or is it a requirement that there be a physical interface dedicated to management?
A10: MCPS would accept a standard Ethernet port that is logically isolated for management purposes.

Q11: Do the switches in Technical Exhibit B illustrated to the NORTH (ISP side) support 10 Gbps throughput and 10 Gbps interfaces? To the SOUTH (edge side)? To the REMAINING (?DMZ? side)?
A11: The switches MCPS-3580X-12-Outside and MCPS-3580-12-Inside can handle 10Gbps SFP interfaces and throughput. MCPS-3560X-24-DMZ is currently trunked with 2 1Gbps interfaces. Plans are in place to upgrade this switch (MCPS-3560X-24-DMZ) in the future.

Q12: If a current directly-connected switch (NORTH/SOUTH/etc.) does not support 10 Gbps interfaces/10 Gbps throughput, is it meant that our bid is to supply a 10 Gbps replacement?
A12: Offerors should only include items and interfaces for the firewall. If your proposed firewall requires 10Gbps SFP fiber modules, you should include those in your proposal and cost. MCPS will be responsible for 10Gbps SFP fiber modules for the switches.

Q13: Is our bid meant to include the firewall's transceivers (for in-use slots) to the NORTH/ISP? If so, what is the QTY/transceiver types/physical connectors?
A13: Offerors should only include items and interfaces for the firewall. If your proposed firewall requires 10Gbps SFP fiber modules, you should include those in your proposal and cost. MCPS will be responsible for 10Gbps SFP fiber modules for the switches.

Q14: Is our bid meant to include the firewall's transceivers (for in-use slots) to the SOUTH/EDGE? If so, what is the QTY/transceiver types/physical connectors?
A14: Offerors should only include items and interfaces for the firewall. If your proposed firewall requires 10Gbps SFP fiber modules, you should include those in your proposal and cost. MCPS will be responsible for 10Gbps SFP fiber modules for the switches.
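As an added illustration of the A3 and A6 clarifications above (this is constructed example code, not part of the addendum, MCPS's configuration or any offeror's product), the following Python evaluator identifies the application from payload content regardless of destination port, then applies an explicit rule to traffic that remains "unknown" and restricts BYOD-to-internet traffic to web applications on ports 80 and 443. The zone names, rule names, simplified signatures and sample payloads are all assumptions made for the example.

```python
"""Zone/application policy evaluation with port-agnostic app identification.

Constructed illustration of A3 and A6: zones, rule names, signatures and the
sample payloads below are invented for this example and are not MCPS's policy
or any vendor's engine.
"""
from dataclasses import dataclass

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Flow:
    src_zone: str    # "byod", "lan" or "dmz"
    dst_zone: str    # "internet", "lan" or "dmz"
    dst_port: int
    payload: bytes   # leading bytes of the client's first segment (constructed)


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset   # application names matched after identification, or ANY
    ports: frozenset  # destination ports, or ANY
    action: str       # "allow" or "deny"


def identify_app(payload: bytes) -> str:
    """Classify by content only; the destination port is deliberately ignored.

    Simplified signatures: TLS ClientHello record, HTTP/1.x request line, SSH
    banner. Anything else is reported as "unknown" rather than guessed.
    """
    if len(payload) >= 6 and payload[:2] == b"\x16\x03" and payload[5] == 0x01:
        return "ssl"
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT") and b" HTTP/1." in payload:
        return "web-browsing"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


# Constructed rulebase: BYOD reaches the internet only on 80/443 and only with
# web applications (A3); traffic still "unknown" after identification is
# handled by an explicit rule (A6); anything unmatched falls to implicit deny.
RULES = (
    Rule("byod-web-out", "byod", "internet",
         frozenset({"web-browsing", "ssl"}), frozenset({80, 443}), "allow"),
    Rule("byod-no-internal", "byod", "lan", ANY, ANY, "deny"),
    Rule("byod-no-dmz", "byod", "dmz", ANY, ANY, "deny"),
    Rule("lan-unknown-out", "lan", "internet", frozenset({"unknown"}), ANY, "deny"),
    Rule("lan-web-out", "lan", "internet",
         frozenset({"web-browsing", "ssl"}), ANY, "allow"),
)


def evaluate(flow: Flow, rules=RULES) -> tuple:
    """Return (action, rule name, identified app) for the first matching rule."""
    app = identify_app(flow.payload)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if r.apps != ANY and app not in r.apps:
            continue
        if r.ports != ANY and flow.dst_port not in r.ports:
            continue
        return (r.action, r.name, app)
    return ("deny", "implicit-deny", app)


# Constructed sample payloads.
TLS_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
HTTP_GET = b"GET /grades HTTP/1.1\r\nHost: sis.example.invalid\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_7.9\r\n"
OPAQUE = bytes(range(0x80, 0xA0))  # matches no signature

if __name__ == "__main__":
    # SSH carried on 443 from BYOD is not web traffic, so it gets no allow rule.
    print(evaluate(Flow("byod", "internet", 443, TLS_HELLO)))
    print(evaluate(Flow("byod", "internet", 443, SSH_BANNER)))
    print(evaluate(Flow("lan", "internet", 8443, OPAQUE)))
```

The second and third sample flows show why A6 matters: port 443 alone would have admitted the SSH session, and the opaque payload is classified as "unknown" and then hits a policy written for exactly that class.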

Q15: Is our bid meant to include the firewall's transceivers (for in-use slots) to the REMAINING/?DMZ?? If so, what is the QTY/transceiver types/physical connectors?
A15: Offerors should only include items and interfaces for the firewall. If your proposed firewall requires 10Gbps SFP fiber modules, you should include those in your proposal and cost. MCPS will be responsible for 10Gbps SFP fiber modules for the switches.

Q16: Are the firewalls physically in the same datacenter?
A16: Yes.

Q17: Page 8 - A-a - Is MCPS expecting all existing policies to be migrated from L3 to L3 upon initial migration and a 2nd phase to migrate to L7 policy rules, or is MCPS expecting the first migration to also include L3 to L7 policy migration?
A17: All existing policies and rules should be migrated in the initial migration. MCPS's current firewall does not have any layer 7 policies.

Q18: Page 8 - A-a - Does MCPS run BGP at the perimeter to manage internet routing between the 2x separate ISPs, or is the secondary ISP used just for disaster recovery, with a change of default route if the primary ISP is unavailable?
A18: Currently MCPS does not run BGP at the perimeter to manage internet routing between the two (2) separate ISPs.

Q19: Page 9 B-a-xi - Is BGP routing a requirement for the present solution or in the future?
A19: BGP is not a current requirement but may be a future requirement.

Q20: Page 8 A-b - Should the responder only consider firewalling for North/South traffic to and from the internet, or should East/West traffic within the MCPS LAN also be considered, i.e., between remote sites on the MPLS as illustrated in Exhibit A? If East/West traffic should be considered, should the responder assume separate firewall infrastructure for EAST/WEST traffic?
A20: MCPS LAN traffic to/from the internet should be firewalled. Internet traffic from/to the DMZ zone should be firewalled. MCPS LAN traffic to/from the MCPS DMZ zone should be firewalled. No separate East/West firewall is required.

Q21: Page 9 b-i-18 - IDS/IPS - Does MCPS expect IPS and IDS to be considered only at the perimeter edge of the network and only for North/South traffic, or is the expectation to have east/west traffic inspected by IPS/IDS for all traffic within the LAN or between the segmentation firewall zones already established?
A21: All internet traffic regardless of source/destination should be reviewed by the IPS and IDS.

Q22: Page 9 b-i-13 - In section B-a-iii, it states minimum 10g throughput. Is MCPS expecting 10G throughput through the firewall with all features enabled, all while performing SSL encryption and decryption?
A22: Yes.

Q23: Page 10 B-ii-3 - Are site to site IPSEC VPNs currently in operation, and if so, how many?
A23: There are currently no site to site IPSEC VPNs in operation that utilize the firewall as the VPN device. MCPS currently has three (3) vendor-specific VPN connections that all utilize separate VPN appliances located in the DMZ.

Q24: Page 10 b-i-26 - Are the 250 simultaneous connections all remote access (client device) established VPNs, and are the VPNs IPSEC or SSL?
A24: MCPS currently has the capacity to have 50 simultaneous remote VPN client sessions. We are expanding this to 250 simultaneous remote VPN client sessions supporting both client (IPSEC) and clientless (SSL) sessions.

Q25: Page 10 b-i-26 - Does MCPS just require malware, web and DNS protection for mobile/remote endpoints so that policy established at the perimeter edge firewalls also follows teleworkers who may access remote guest networks, home networks or other networks that are not under the control of MCPS?
A25: Remote clients accessing the MCPS network via VPN should be subjected to the same firewall policies as when they are on campus.

Q26: Page 10 b-ii-12 - Does MCPS prefer on-premises sandboxing or cloud-based sandboxing as part of the perimeter upgrade?
A26: MCPS would accept either on-premises or cloud-based sandboxing. Any expectations of additional equipment (servers, drive space, rack space, etc.) beyond the firewall should be detailed in the vendor's response, Tab 3.

Q27: Page 12 F-i-5 - For the RFP response decommission work (remove old Firewalls), is it safe to assume the number of devices being installed equals the number of devices to be decommissioned?
A27: Yes.

Q28: Does MCPS require a single pane of glass management system for the firewalls?
A28: The management interface must support single pane of glass to allow issues to be quickly identified.

Q29: Does MCPS require an analysis engine for log retention and traceability beyond the capacity of the firewall's ability to hold and retain logging and analysis information? If so, what is the retention time required by MCPS to hold this logging information?
A29: MCPS requires seven (7) days of logs to be retained. The ability to redirect logs to an in-house log server is an option for longer retention.

Q30: Does MCPS present any internet facing services, like websites, intranet portals, Blackboard, etc.? If so, does MCPS require WAF (web application firewall) capabilities to protect these services and assets on inbound traffic?
A30: MCPS has two (2) applications that reside inside the MCPS network that present web interfaces to the public. We do not currently have a web application firewall and one is not being asked for in this RFP. However, information about a WAF could be included in the vendor's response as information about additional features available.

Q31: Could MCPS please inform us on the number of firewall rules that are currently established in the ASA firewalls and also the number of NAT rules established in the ASA firewall rules?
A31: There are approximately 60 access rules and 30 NAT rules.

Q32: How many public IP subnets does MCPS own? If any, could you please list the public subnets here?
A32: MCPS has two different blocks of public IP addresses. One block is a /26 (ISP#2) and the other is a /28 (ISP#1).

Q33: Does MCPS leverage a SIEM solution today? If so, what service or product?
A33: Yes, Solarwinds.

Q34: Does MCPS leverage or run their own SOC (security operations center) services? If not, should the responder consider including a managed SOC/SIEM and uptime service in the solution?
A34: Today MCPS has a contract to utilize a SOC service. We will be considering SOC/SIEM services after the award of the contract.

Q35: Is it safe to assume that 'staging area' or 'spare rack space' is available per location for implementation prior to 'network cutover'?
A35: Yes. MCPS will provide space in the datacenter for the vendor to stage, configure and implement per the RFP.

Q36: Is MCPS considering SDN (software defined networking) as a future initiative?
A36: Yes.

Q37: Does MCPS leverage cloud SaaS, PaaS or IaaS? If so, could MCPS please list what cloud services they consume today?
A37: Yes. MCPS currently has a multitude of cloud-based applications such as our finance and human resources system (ERP) and instructional (CMS/LMS).

Q38: Does MCPS require DDoS protection, i.e., a cloud-based scrubbing service for volumetric DoS traffic?
A38: No. MCPS only requires what is inherent to the firewall.

Q39: How much post-cutover support from the partner does MCPS require after final cutover of the perimeter edge?
A39: See Section II - Scope of Work, B Statement of Work, f Installation.

Q40: Does MCPS leverage 2 factor authentication for its current VPN services? If not, does MCPS require 2 factor authentication for the new remote access VPN services?
A40: Currently MCPS does not leverage two-factor authentication for its current VPN services. However, information about 2-factor authentication could be included in the vendor's response as information about additional features available.

Q41: Is there a required change control window for the installation/implementation of equipment at the perimeter edge site (such as weeknights, weekends only, weekday if not service impacting)?
A41: See Section II - Scope of Work, B Statement of Work, f Installation.

Q42: Please confirm that this project is for local breakout of internet traffic only and does not affect/touch the corporate WAN strategy.
A42: Yes, this firewall replacement should only affect/touch local breakout of internet traffic. Any work/changes required to the MCPS local network will be handled by MCPS.

Q43: Are there any existing automation/orchestration tools that MCPS would like the bidder to leverage?
A43: No.

Q44: If the Bidder would be responsible for asset disposal of the equipment, is there any equipment at the sites that may require special handling, such as battery backup, etc.?
A44: MCPS will handle the asset disposal of the current firewall and associated peripherals.

Q45: Does MCPS currently use any type of traffic proxying service? Is MCPS wishing to consolidate the 'traffic proxying' services into the new solution?
A45: Currently MCPS does leverage a proxy/content filtering solution, but at this time is not considering consolidating the proxy/content filtering with the proposed firewall replacement. However, information about consolidating these services with the proposed firewall could be included in the vendor's response as information about additional features available.

Q46: Does MCPS have any plans to move beyond 10g in the next 5 years?
A46: No.

Q47: Lumos provides a fully managed geo-diverse hosted solution. Would you consider a hosted solution?
A47: No.

Q48: If the answer to Question 47 is yes, then our proposal would include us providing the Internet service as part of our hosted solution and we would include (2) diverse 1G circuits to mirror what you have today. Is this acceptable?
A48: Not applicable.

Q49: If the answers to Questions 47 and 48 are yes, then what is the physical address where current firewall services terminate (i.e., 8700 Centreville Road)?
A49: Not applicable.

Q50: Normally our managed firewall solutions are bundled with dedicated Internet Access (DIA). Network Background a. Each building is connected to the core switch via a 1 Gbps fiber link with the core connected to the edge/data center via a 10 Gbps link. MCPS currently has two (2) different ISPs, each providing a 1 Gbps internet circuit. MCPS anticipates that total internet bandwidth will grow to 10 Gbps within the next 3-5 years. MCPS's WAN is comprised of a private fiber-optic infrastructure leased from the City of Manassas. 1. Who are the current Internet service Providers? 2. What is the monthly recurring charge for each? 3. What is the contract expiration for each?
A50: (1) Not applicable to this RFP. (2) Not applicable to this RFP. (3) Not applicable to this RFP.

Replace Page 45, Technical Exhibit B with the attached REVISED TECHNICAL EXHIBIT B.

This Addendum No. 1 for 19-026-RFP MCPS Firewall Replacement must be signed, dated and received in the Procurement Office no later than the time and date stated above, OR acknowledgement of receipt of this Addendum may be noted on the Title Page 2 of the Request for Proposal.

Name of Offeror:
Address of Offeror:
Signature:

POINT OF CONTACT: Guinevere Bruner, CPPB, Purchasing Agent, gbruner@mcpsva.org, phone: 571-377-6042

[Figure: REVISED TECHNICAL EXHIBIT B, MCPS Core Network (last revised December 10, 2018; no scale; drawn by BB/RJS). The diagram shows the Internet reached through ISP #1 and ISP #2 (1GB each, Juniper router, Canoga NID), the stacked MCPS 3580X-12 Outside switch, a failover pair of ASA 5545-X firewalls (Primary and Secondary, interfaces M0/0 and G0/0 through G0/7, trunked), a trunk to the DMZ switch, the stacked MCPS 3580X-12 Inside switch and the Edge Core 4500X; a Catalyst 3750 series switch image is also shown. Legend: MCPS traffic bound for the internet; MCPS switch management traffic; MCPS DMZ traffic; internet traffic bound for ISP #1; internet traffic bound for ISP #2; firewall synchronization/communication; firewall heartbeat traffic.]

[Figure: MCPS DMZ Network (last revised December 10, 2018; no scale; drawn by BB/RJS). The diagram shows the MCPS 3560X-24 DMZ switch fed from the firewall, with the MUNIS VPN, the Monitoring Service VPN/FW and the Device Fingerprint VPN appliances, and links to the MCPS network inside switches and to the internet outside switches.]