Statement of Work (SoW)

The document outlines requirements for procuring a next generation network firewall solution to replace the IAEA's existing firewalls, VPN services, forward proxies and intrusion prevention system. It specifies requirements around availability, management, logging/auditing, network integration, assurance/standards, and encryption.


IAEA Statement of Work: Provision of Next Generation Network Firewall

RFP 146289-SIS Dated 2018-07-12

STATEMENT OF WORK

Provision of Next Generation Network Firewall

1 Scope
This Statement of Work (SoW) describes the International Atomic Energy Agency’s
(IAEA) requirement for the establishment of a Contract Purchase Agreement (the
Agreement) for the provision of Next Generation Firewall hardware, related hardware
components, and software and maintenance components, (hereinafter referred to as
the “Solution”) including technician and consultant services and training for the purpose
of replacing the IAEA’s existing firewalls, VPN services, forward proxies and intrusion
prevention system.
The tentative timeline for the design and implementation of the Solution is mid-January
2019. Testing and quality checking will be carried out by the IAEA no later than mid-
February 2019.
The Solution will be located in three (3) of the IAEA offices and the IAEA’s cloud data
centre:
- IAEA Headquarters, Vienna International Centre, Vienna, Austria;
- IAEA Seibersdorf Laboratories, Seibersdorf, Austria;
- IAEA Environmental Laboratories Monaco; and
- Microsoft Azure Infrastructure as a Service (IaaS) data centre.
The attached Annex 1 covers the Current System Specification.
The Contractor shall provide the following under the Agreement:
(a) Hardware, software and licenses;
(b) Engineering and support services (including architecture and design workshops);
(c) Maintenance and warranty of the Solution; and
(d) Training of IAEA staff on the Solution.

2 Applicable Documents

2.1 Annex 1, Current System Specification;
2.2 Annex 2, IT Environment; and
2.3 Annex 3, Compliance Matrix.

3 Definitions, Acronyms and Abbreviations

3.1 API – Application Programming Interface
3.2 BGP – Border Gateway Protocol
3.3 DoS – Denial of Service
3.4 DTLS – Datagram Transport Layer Security
3.5 EU GDPR – European Union General Data Protection Regulation
3.6 FIPS 140-2 – Federal Information Processing Standard Publication 140-2
3.7 IPS – Intrusion Prevention System
3.8 ISO/IEC – International Organization for Standardization and the International Electrotechnical Commission
3.9 LDAP – Lightweight Directory Access Protocol
3.10 MPLS – Multiprotocol Label Switching

3.11 NAT – Network Address Translation
3.12 OEM – Original Equipment Manufacturer
3.13 OSI Model – Open Systems Interconnection Model
3.14 OSPFv3 – Open Shortest Path First version 3
3.15 PAT – Port Address Translation
3.16 RADIUS – Remote Authentication Dial-in User Service
3.17 RIP – Routing Information Protocol
3.18 RSA – Public Key Cryptosystem
3.19 SIEM – Security Information and Event Management
3.20 SNMP – Simple Network Management Protocol
3.21 SNORT – Open Source Network Intrusion Prevention System
3.22 SSL – Secure Sockets Layer
3.23 TLS – Transport Layer Security
3.24 VLAN – Virtual Local Area Network
3.25 VPN – Virtual Private Network

4 Requirements

4.1 Availability

Mandatory
The Solution shall:
4.1.1 Support highly available configuration in an active/passive mode;
4.1.2 Have redundancy in physical appliances;
4.1.3 Provide out-of-band management capabilities; and
4.1.4 Support hot-swap of components in physical appliances.

Desirable
The Solution should:
4.1.5 Support highly available configuration in an active/active mode; and
4.1.6 Provide high availability functionality across different models or versions of
hardware.

4.2 Management

Mandatory
The Solution shall:
4.2.1 Provide a centralized firewall policy management console that supports all
firewalls deployed in the System;
4.2.2 Provide a graphical user interface for the centralized management console;
4.2.3 Provide high availability of the centralized firewall policy management
console;
4.2.4 Support object-based configuration of firewall policy and rules;
4.2.5 Provide support for dynamic object types;
4.2.6 Provide support for “review and then commit” of firewall policy changes;
4.2.7 Provide a facility for logging the reason and tracking of all changes;
4.2.8 Support revision history and policy roll back;
4.2.9 Integrate with a standard identity management solution for all management
functions (such as RADIUS, LDAP and/or Microsoft Active Directory) with
support for 2-factor authentication;
4.2.10 Provide statistics on rule usage;
4.2.11 Support role based management for administrative activities;
4.2.12 Support lateral management roles to segregate administrator duties;

4.2.13 Provide an XML or JSON based API to perform administrative and
operational tasks and integrate with third party firewall management and
ticketing systems;
4.2.14 Implement controls to require multiple authorizations for rule changes (e.g.:
the “four-eye” principle);
4.2.15 Provide continuous threat intelligence information to identify new and
emerging threats within the network; and
4.2.16 Provide a capability to import bespoke threat intelligence data using industry
standards such as STIX/TAXII.
Desirable
The Solution should:
4.2.17 Provide a mechanism for rule verification;
4.2.18 Support an approval process with multiple roles for firewall policy changes
either natively or through a third-party tool;
4.2.19 Provide a unified management interface for VPNs;
4.2.20 Support simultaneous administrative access and allow simultaneous
changes to the solution’s configuration;
4.2.21 Allow for creation and automation of workflows; and
4.2.22 Integrate with the Axios Assyst service management platform for automated
rule deployment and tracking.

4.3 Logging and Audit

Mandatory
The Solution shall:
4.3.1 Provide a tamper proof log and audit capability of all administrative activity;
4.3.2 Provide a reporting capability with option to export reports in various formats
(e.g.: CSV, PDF, XLS, XML);
4.3.3 Provide a set of standard reports that may be used for audit purposes and
firewall performance management;
4.3.4 Provide an alerting capability designed to alert administrators of security
and performance relevant events;
4.3.5 Integrate with SIEM products such as ArcSight; and
4.3.6 Provide capability to export logs to a centralized syslog server.

Desirable
The Solution should:
4.3.7 Provide a mechanism to export traffic flow information in industry standard
formats such as Netflow, Sflow and/or IPFIX; and
4.3.8 Provide a capability to mask personal information as defined in the EU
GDPR.

4.4 Network Integration

Mandatory
The Solution shall:
4.4.1 Integrate with Microsoft Active Directory services to provide user and
system identification;
4.4.2 Support VLAN and MPLS tagging technologies;
4.4.3 Support IPv6 network traffic;
4.4.4 Support the following dynamic routing protocols: RIP, OSPFv3, BGP;
4.4.5 Support static routing and source/policy based routing;
4.4.6 Support Quality of Service (QoS) for services and applications;

4.4.7 Support SNMP;
4.4.8 Provide PAT and NAT functionality including the definition of NAT pools;
4.4.9 Support multi-link or multi-ISP connectivity with the capability to provide internet
breakout at branch office locations;
4.4.10 Support DHCP services including DHCP relay and the ability to act as a
DHCP server; and
4.4.11 Provide the requisite number of SFP, SFP+ or QSFP+ interfaces and
transceivers as identified during the exercise prescribed in requirement 7.3.

4.5 Assurance and Standards

Mandatory
The Solution shall:
4.5.1 Attest to compliance with ISO/IEC 15408 Common Criteria of EAL4+ or
higher; and
4.5.2 Contain cryptographic components validated to FIPS 140-2.

4.6 Encryption

Mandatory
The Solution shall:
4.6.1 Provide the capability to establish client-to-site SSL, TLS, DTLS or IPSEC
VPN;
4.6.2 Provide the capability to establish site-to-site IPSEC VPN;
4.6.3 Support certificate based VPN user identity recognition; and
4.6.4 Support username and password based VPN user identity recognition
utilizing Active Directory and RSA 2-factor authentication.

Desirable
The Solution should:
4.6.5 Support hardware security module for encryption key management;
4.6.6 Support load balancing of VPN clients across multiple appliances;
4.6.7 Provide a global network of managed VPN servers that can protect
network connections on roaming endpoints; and
4.6.8 Provide an always-on VPN capability for Microsoft Windows endpoints as
well as Android and Apple iOS mobile devices.

4.7 Intrusion Prevention

Mandatory
The Solution shall:
4.7.1 Include signature based detection and prevention of network attacks;
4.7.2 Provide the ability to modify existing IPS signatures;
4.7.3 Provide protection against DoS attacks;
4.7.4 Provide protection features for encapsulated traffic; and
4.7.5 Provide automatic updates to signature ruleset based on known
vulnerabilities identified in the wild.

Desirable
The Solution should:
4.7.6 Support user developed signatures;
4.7.7 Support open signature standards such as SNORT;

4.7.8 Support extraction of executables from network streams; and
4.7.9 Support sandboxing of extracted executables.

4.8 Application Control

Mandatory
The Solution shall:
4.8.1 Provide malware protection within application streams such as the HTTP
protocol;
4.8.2 Identify applications in the HTTP protocol (i.e. browser based applications);
4.8.3 Identify applications outside of the HTTP protocol (i.e. desktop and server
based applications);
4.8.4 Support the application of policy on individual users and user groups;
4.8.5 Provide capability to apply bandwidth control and restriction;
4.8.6 Support all application control features for encapsulated traffic;
4.8.7 Support all application control features for 4over6 and 6over4 tunnels;
4.8.8 Provide a continuously updated feed to improve application detection;
4.8.9 Support the development of user defined application signatures;
4.8.10 Provide application whitelist and blacklist functionality;
4.8.11 Provide URL filtering capabilities including:
4.8.11.1 Control of URL access based on website category;
4.8.11.2 Capability to whitelist or blacklist based on web application type, URL
and category; and
4.8.11.3 Capability to build custom rulesets based on user groups, networks
and zones.
4.8.12 Provide a facility to submit URLs to the Contractor for categorization within
twenty-four (24) hours;
4.8.13 Identify and apply rules to applications within the SSL protocol;
4.8.14 Perform high-speed and policy-driven SSL decryption utilizing hardware
acceleration;
4.8.15 Provide port mirroring capability for decrypted traffic as intercepted by the
SSL decryption engine on the firewall; and
4.8.16 Provide a capability to specifically categorize IAEA corporate Office 365
traffic and exclude from application control.

Desirable
The Solution should:
4.8.17 Provide data exfiltration protection by blocking upload of data even while
allowing access to a site;
4.8.18 Provide capability to detect and block unauthorized browser plugins;
4.8.19 Provide capability to block specific browser versions; and
4.8.20 Provide a capability to enable all application control features on mobile
devices (including laptops, Android and Apple iOS devices) when roaming
on public wireless and wired networks.

4.9 Virtualization

Mandatory
The Solution shall:
4.9.1 Be available as a software virtual appliance within Microsoft Azure; and
4.9.2 Provide a licensing model that allows the customer to bring their own license
to a Microsoft Azure cloud based virtual appliance.

Desirable
The Solution should:
4.9.3 Offer both on premise and cloud based virtualization options (e.g.: ESXi,
Microsoft Azure, Amazon AWS) along with licensing models to support
virtualization;
4.9.4 Support virtual environment management systems and integrate with the
underlying hypervisor networking stack; and
4.9.5 Be available via cloud marketplaces and stores.

5 Capacity and Performance Requirements

The Solution, as delivered, shall be capable of protecting 125% of the IAEA’s anticipated
traffic volume, including enterprise cloud services such as Office 365 for 4000 users over
the expected life of the hardware. The expected traffic volumes and corresponding growth
can be found in Annex 1.

6 Implementation Services, Engineering Services and Support

Mandatory
The Contractor shall:
6.1 Provide a 24/7 technical support hotline;
6.2 Provide a technical support website that is available for 24/7 problem logging;
6.3 Provide technical workshops to cover technical implementation aspects;
6.4 Provide design and engineering services (including planning and
implementation support for upgrades and expansion; configuration and
performance analysis) by certified professionals with a minimum of five (5) years
of experience on the proposed solution and holding the highest expert
certification level on the proposed solution;
6.5 Provide on-site hardware and software configuration;
6.6 Perform problem determination;
6.7 Provide support on all covered products, protocols and features;
6.8 Provide services to troubleshoot and simulate complex configuration, hardware,
and software problems; support problem isolation and determine product
defects; define an action plan to resolve problems;
6.9 Provide a quarterly review of the status of all support requests with the IAEA;
6.10 Conduct quarterly service review meetings with IAEA staff to review the status
of the account and reports generated by the Contractor;
6.11 Maintain the highest level of partner status for the duration of the contract;
6.12 Provide staff with the OEM specific expert (highest) certification for all
installation and project work;
6.13 Provide periodic health check services on the firewall environment with reports
on recommendations for improvement annually or as requested by the IAEA;
6.14 Provide monthly reports on the support hours provided;
6.15 Provide the following account management structure (English speaking):
6.15.1 Account Manager;
6.15.2 Customer Support Account Manager as a single point of contact for support
issues;
6.15.3 Engineering Manager; and
6.15.4 A pool of at least three (3) certified engineers, having at least five (5) years
of experience in OEM specific technology, assigned to the account.
6.16 Meet the following support targets:
6.16.1 The Contractor shall acknowledge all reported tickets/incidents by either
email or phone call within one hour of being reported by the IAEA;

6.16.2 The Contractor shall provide a certified engineer on-site within two (2) hours
of designation of an incident at the highest severity level as determined by
the IAEA;
6.16.3 The Contractor shall provide resolution within four (4) hours of designation
of an incident at the highest severity level as determined by the IAEA; and
6.16.4 The Contractor shall actively participate in the resolution of identified
problems and root cause analysis in which the Contractor-provided
components are involved.
Desirable
The Solution should:
6.17 Provide an automatic notification to the Contractor in case of failure resulting in
creation of a service ticket.

7 Deliverable Data Items

Mandatory
The Contractor shall deliver the following data items:
7.1 Access to an online knowledge base containing reference material and a
continuously updated database of common support issues and corresponding
solutions;
7.2 All requisite software licenses and subscriptions as well as the annual
maintenance contracts of all covered products;
7.3 After consultation with IAEA engineering staff (via technical workshops), a
qualified and validated design indicating all technical and architectural elements
to achieve fully supported implementation of the Solution;
7.4 Project plan for implementation and migration to the Solution (including
migration of rulesets);
7.5 Complete set of technical design documents, operation and servicing manuals
and technical drawings in the English language;
7.6 Deployment documents and technical drawings;
7.7 Testing and acceptance document; and
7.8 Standard operating procedures for day-to-day operations.

8 Training

Mandatory
The Contractor shall:
8.1 As part of the implementation project, provide vendor authorized one-time
training (at least one (1) week, up to maximum two (2) weeks, presented in
English) in Vienna, either at the IAEA headquarters premises or another location
for up to five (5) IAEA Staff.

Desirable
The Contractor should:
8.2 Provide an option for certification of IAEA staff on the proposed technology; and
8.3 Provide vendor authorized training options (presented in English) with
certification at basic, advanced and expert levels on the proposed solution.
8.3.1 Training options should be offered in Vienna or as an online computer-
based course.

9 Quality Requirements

9.1 The hardware elements of the Solution shall be manufactured, shipped and
installed in accordance with the Contractor’s ISO quality assurance system or
an equivalent quality assurance system;
9.2 All hardware shall be new and unused;
9.3 Proposed hardware shall be supportable with an end-of-life date no earlier than
the expiration of this contract and any subsequent renewals;
9.4 The Contractor shall document the compliance with this quality assurance
system;
9.5 The Contractor’s performance under the Agreement shall be measured as
follows:
9.5.1 Mean time to arrive on site per support call no longer than two (2) hours;
9.5.2 Mean time to repair per support call no longer than four (4) hours;
9.5.3 Number of hardware failures per year less than two (2) with no single failure
resulting in an outage;
9.5.4 Mean time to repair for send-in equipment from time of collection until return
to site no longer than one (1) business day; and
9.5.5 The Contractor shall provide quarterly reports on these performance
indicators.
10 Marking
The Solution shall have all safety markings in English language.
11 IAEA Testing and Acceptance
11.1 The hardware elements of the Solution, prior to shipment, shall be tested by the
Contractor for conformance with manufacturer’s performance specifications and
the minimum requirements specified herein.
11.2 The Solution, after installation, shall be tested by the Contractor together with
the IAEA to demonstrate that the performance meets the manufacturer’s
performance specifications and the minimum requirements specified herein as
determined by the IAEA.
11.3 The results of the testing of the Solution shall be documented by the Contractor
in an acceptance protocol that shall be signed by the IAEA.

Annex 1
Current System Specification

IAEA Confidentiality Agreement

For the purpose of facilitating preparation of the Proposal, Bidders may request the
IAEA to provide Annex 1.
To obtain this document, Bidders shall complete and sign the IAEA Confidentiality
Agreement and send it via e-mail to [email protected] with the subject line: “RFP
146289-SIS Provision of Next Generation Network Firewall – Request for Additional
Documents”.

Annex 2
IAEA Information and Information Technology Environment Description

1.1. Information and communication systems are central to the IAEA’s mission and daily
business activities, as they are utilised to routinely exchange information among
management and staff, with member states and other third parties in the public and
private sectors. This is accomplished through the normal enterprise business and
communications systems, restricted access and public web and collaboration
services and staff remote access systems that are hosted both internally and in
cloud-based systems. In addition to the systems supporting daily business
activities, the IAEA has information and communications systems supporting the
highly sensitive Nuclear Security and Safeguards activities.

1.2. The information technology infrastructure supports ~3000 users (staff and
consultants) located at one primary location (Vienna International Centre) with five
additional permanent facilities located in Austria, Canada, Monaco and Japan.

1.3. The IAEA has a partially centralised IT management organizational structure.
Centralised IT management provides network, server, end-point and security
operations planning and administration as well as software development and
maintenance. Additionally, there are staff members within divisions throughout the
IAEA providing software development, server-based applications administration
and local IT client support.

1.4. While all staff members have information security responsibilities, the IAEA has a
number of staff positions dedicated to security functions. These include:

- Central Security Coordinator (responsible for all aspects of security except for
  Information Security)
- Chief Information Security Officer
- Information Security Office
- Safeguards Information Security Officer
- Security operations groups, supporting
  - Access control
  - Threat management
  - Incident response
  - IT security engineering
1.5. The IAEA has a formal information security policy; however, the elements that
underlie the policy in terms of IAEA-wide processes, procedures, standards and
guidelines are limited. There are also IAEA policies for various information security
related activities. Additionally, each Department may also issue additional policies.
For instance, the Department of Safeguards has policy and procedures focused
on protecting the confidentiality and integrity of the sensitive information that is
central to their mission. On an ongoing basis, both internal and external audits and
security assessments are performed.

The technology underlying these services that are administered by IAEA staff
includes:

- 800+ Servers, physical and virtualised (highly virtualised), Windows and Linux
  (predominantly Windows);
- 3500+ Client computers (desktop and notebook, Windows, Macintosh and
  Linux, predominantly Windows);
- 500+ Mobile devices (phones and tablets);
- MS Active Directory, multiple forests/multiple domains and additional
  standalone domains (such as for the DMZ);
- IPv4 wired and wireless networks, supporting client and server environments
  and Internet access;
- Network security systems providing access control; threat identification and
  blocking; centralised logging and Security Event and Incident Management;
- Multiple inter-site network communications connections;
- Multiple remote access systems;
- On-site dedicated data centres and rooms;
- Cloud-based and outsourced resources;
- Centralised and local IT Service Desks;
- Commercial and bespoke applications (client, client-server and web-based);
- Specialised laboratory, remote monitoring and embedded systems; and
- Disaster recovery infrastructure.

1.6. Application and system development is provided by IAEA staff and consultants for
in-house and technology transfer projects, utilizing multiple platforms and
languages that include but are not limited to:

- Java Enterprise Edition (Java Servlets, JSP, JSF, Spring Framework);
- JavaScript (e.g. Angular);
- LAMP (Linux/Apache/MySQL/Perl/PHP/Python);
- Microsoft .NET, ASP.NET and ASP.NET MVC;
- Microsoft SharePoint;
- Oracle E-Business Suite and Oracle ADF;
- Ruby on Rails; and
- Various languages (C, C++, script, Java) used with specialised and embedded
  systems.

RFP 146289‐SIS Provision of Next Generation Network Firewall
ARCHITECTURE Option a ‐ indicating collapsed dmz and core two tier

Annex 3: Next Generation Network Firewall Technical Requirements
ARCHITECTURE Option a ‐ indicating collapsed dmz and core two tier
Fully met
Compliance with the  Customization required (Yes/No)
Area Ref.No. Requirements Evaluation Level (without customization) Bidder's Response If yes please indicate the effort required
requirement (Yes/No) 
(yes/no)
04.01 Availability Requirements 04.01.01 Support highly available configuration in an active/passive mode; Mandatory
04.01 Availability Requirements 04.01.02  Have redundancy in physical appliances; Mandatory
04.01 Availability Requirements 04.01.03 Provide out of band management capabilities; and Mandatory
04.01 Availability Requirements 04.01.04 Support hot swap of components in physical appliances. Mandatory
04.01 Availability Requirements 04.01.05 Support highly available configuration in an active/active  mode; and Desirable
04.01 Availability Requirements 04.01.06 Provide high availability functionality across different models or versions of hardware. Desirable
04.02 Management Requirements 04.02.01 Provide a centralized firewall policy management console that supports  all firewalls deployed in the System; Mandatory
04.02 Management Requirements 04.02.02 Provide a graphical user interface    for the centralized management console; Mandatory
04.02 Management Requirements 04.02.03 Provide high availability of the centralized firewall policy management console;  Mandatory
04.02 Management Requirements 04.02.04 Support object‐based   configuration of firewall policy and rules; Mandatory
04.02 Management Requirements 04.02.05 Provide support for dynamic object types; Mandatory
04.02 Management Requirements 04.02.06 Provide support for “review and then commit” of firewall policy changes; Mandatory
04.02 Management Requirements 04.02.07 Provide a facility for logging the reason and tracking of all changes; Mandatory
04.02 Management Requirements 04.02.08 Support revision history and policy roll back; Mandatory
Integrate with a standard identity management solution for all management functions (such as RADIUS, LDAP and/or Microsoft Active
04.02 Management Requirements 04.02.09 Mandatory
Directory) with support for 2 factor authentication;
04.02 Management Requirements 04.02.10 Provide statistics on rule usage; Mandatory
04.02 Management Requirements 04.02.11 Support role based management for administrative activities; Mandatory
04.02 Management Requirements 04.02.12 Support lateral management roles to segregate administrator duties; Mandatory
Provide an XML or JSON based API to perform administrative and operational tasks and integrate with third party firewall management
04.02 Management Requirements 04.02.13 Mandatory
and ticketing systems;
04.02 Management Requirements 04.02.14 Implement controls to require multiple authorizations for rule changes (e.g.: the “four eye” principle); Mandatory
04.02 Management Requirements 04.02.15 Provide continuous threat intelligence information to identify new and emerging threats within the network; and Mandatory
04.02 Management Requirements 04.02.16 Provide a capability to import bespoke threat intelligence data using industry standards such as STIX/TAXII. Mandatory
04.02 Management Requirements 04.02.17 Provide a mechanism for rule verification; Desirable
04.02 Management Requirements 04.02.18 Support an approval process with multiple roles for firewall policy changes either natively or through a third party tool; Desirable
04.02 Management Requirements 04.02.19 Provide a unified management interface for VPNs; Desirable
04.02 Management Requirements 04.02.20 Support simultaneous administrative access and allow simultaneous changes to the solution’s configuration; Desirable
04.02 Management Requirements 04.02.21 Allow for creation and automation of workflows; and Desirable
04.02 Management Requirements 04.02.22 Integrate with the Axios Assyst service management platform for automated rule deployment and tracking.  Desirable
04.03 Logging and Audit Requirements 04.03.01 Provide a tamper proof log and audit capability of all administrative activity; Mandatory
04.03 Logging and Audit Requirements 04.03.02 Provide a reporting capability with option to export reports in various formats (e.g.: CSV, PDF, XLS, XML); Mandatory
04.03 Logging and Audit Requirements 04.03.03 Provide a set of standard reports that may be used for audit purposes and firewall performance management; Mandatory
04.03 Logging and Audit Requirements 04.03.04 Provide an alerting capability designed to alert administrators of security and performance relevant events; Mandatory
04.03 Logging and Audit Requirements 04.03.05 Integrate with SIEM    products such as ArcSight; and Mandatory
04.03 Logging and Audit Requirements 04.03.06  Provide capability to export logs to a centralized syslog server. Mandatory
04.03 Logging and Audit Requirements 04.03.07 Provide a mechanism to export traffic flow information in industry standard formats such as Netflow, Sflow and/or IPFIX; and Desirable
04.03 Logging and Audit Requirements 04.03.08 Provide a capability to mask personal information as defined in the EU GDPR.  Desirable
04.04 Network Integration Requirements 04.04.01 Integrate with Microsoft Active Directory services to provide user and system identification. Mandatory
04.04 Network Integration Requirements 04.04.02 Support VLAN and MPLS tagging technologies; Mandatory
04.04 Network Integration Requirements 04.04.03 Support IPv6 network traffic; Mandatory
04.04 Network Integration Requirements 04.04.04 Support the following dynamic routing protocols: RIP, OSPFv3, BGP; Mandatory
04.04 Network Integration Requirements 04.04.05 Support static routing and source/policy based routing; Mandatory
04.04 Network Integration Requirements 04.04.06 Support Quality of Service (QoS) for services and applications; Mandatory
04.04 Network Integration Requirements 04.04.07  Support SNMP;  Mandatory
04.04 Network Integration Requirements 04.04.08 Provide PAT and NAT functionality including the definition of NAT pools; Mandatory
04.04 Network Integration Requirements 04.04.09 Support multi‐link or multi‐ISP with the capability to provide internet breakout at branch office locations; Mandatory
04.04 Network Integration Requirements 04.04.10 Support DHCP services including DHCP relay and the ability to act as a DHCP server; and Mandatory
04.04 Network Integration Requirements 04.04.11 Provide the requisite number of SFP, SFP+ or QSFP+ interfaces and transceivers as identified during the exercise prescribed in requirement 7.3. Mandatory
04.05 Assurance and Standards Requirements 04.05.01 Attest to compliance with ISO/IEC 15408 Common Criteria of EAL4+ or higher; and Mandatory
04.05 Assurance and Standards Requirements 04.05.02 Contain cryptographic components validated to FIPS 140‐2. Mandatory
04.06 Encryption Requirements 04.06.01 Provide the capability to establish client‐to‐site SSL, TLS, DTLS or IPSEC VPN; Mandatory
04.06 Encryption Requirements 04.06.02 Provide the capability to establish site‐to‐site IPSEC VPN; Mandatory
04.06 Encryption Requirements 04.06.03 Support certificate based VPN user identity recognition; and Mandatory
04.06 Encryption Requirements 04.06.04 Support username and password based VPN user identity recognition utilizing Active Directory and RSA 2 factor authentication. Mandatory
04.06 Encryption Requirements 04.06.05 Support hardware security module for encryption key management; Desirable
04.06 Encryption Requirements 04.06.06 Support load balancing of VPN clients across multiple appliances; Desirable
04.06 Encryption Requirements 04.06.07 Provide a global network of managed VPN servers that can protect network connections on roaming endpoints; and Desirable
04.06 Encryption Requirements 04.06.08 Provide an always‐on VPN capability for Microsoft Windows endpoints as well as Android and Apple iOS mobile devices. Desirable
04.07 Intrusion Prevention Requirements 04.07.01 Include signature based detection and prevention of network attacks; Mandatory
04.07 Intrusion Prevention Requirements 04.07.02 Provide the ability to modify existing IPS signatures; Mandatory
04.07 Intrusion Prevention Requirements 04.07.03 Provide protection against DoS attacks; Mandatory
04.07 Intrusion Prevention Requirements 04.07.04 Provide protection features for encapsulated traffic (please specify how all protection features operate when traffic is encapsulated); and Mandatory
04.07 Intrusion Prevention Requirements 04.07.05 Provide automatic updates to signature ruleset based on known vulnerabilities identified in the wild. Mandatory
04.07 Intrusion Prevention Requirements 04.07.06 Support user developed signatures; Desirable
04.07 Intrusion Prevention Requirements 04.07.07 Support open signature standards such as SNORT; Desirable
04.07 Intrusion Prevention Requirements 04.07.08 Support extraction of executables from network streams; and Desirable
04.07 Intrusion Prevention Requirements 04.07.09 Support sandboxing of extracted executables. Desirable
04.08 Application Control Requirements 04.08.01 Provide malware protection within application streams such as the HTTP protocol; Mandatory
04.08 Application Control Requirements 04.08.02 Identify applications in the HTTP protocol (i.e.: browser based applications); Mandatory
04.08 Application Control Requirements 04.08.03 Identify applications outside of the HTTP protocol (i.e.: desktop and server based applications); Mandatory
04.08 Application Control Requirements 04.08.04 Support the application of policy on individual users and user groups; Mandatory
04.08 Application Control Requirements 04.08.05 Provide capability to apply bandwidth control and restriction; Mandatory
04.08 Application Control Requirements 04.08.06 Support all application control features for encapsulated traffic; Mandatory
04.08 Application Control Requirements 04.08.07 Support all application control features for 4over6 and 6over4 tunnels; Mandatory
04.08 Application Control Requirements 04.08.08 Provide a continuously updated feed to improve application detection; Mandatory
04.08 Application Control Requirements 04.08.09 Support the development of user defined application signatures; Mandatory
04.08 Application Control Requirements 04.08.10 Provide application whitelist and blacklist functionality; Mandatory
04.08 Application Control Requirements 04.08.11 Provide URL filtering capabilities including: Mandatory
04.08 Application Control Requirements 04.08.11.01 Control of URL access based on website category; Mandatory


Annex 3: Next Generation Network Firewall Technical Requirements
Figure: Architecture Option b, indicating DMZ and core
Columns: Area | Ref. No. | Requirements | Evaluation Level | Compliance with the requirement (Yes/No) | Fully met without customization (Yes/No) | Customization required (Yes/No); if yes, please indicate the effort required | Bidder's Response
04.01 Availability Requirements 04.01.01 Support highly available configuration in an active/passive mode; Mandatory
04.01 Availability Requirements 04.01.02 Have redundancy in physical appliances; Mandatory
04.01 Availability Requirements 04.01.03 Provide out of band management capabilities; and Mandatory
04.01 Availability Requirements 04.01.04 Support hot swap of components in physical appliances. Mandatory
04.01 Availability Requirements 04.01.05 Support highly available configuration in an active/active mode; and Desirable
04.01 Availability Requirements 04.01.06 Provide high availability functionality across different models or versions of hardware. Desirable
04.02 Management Requirements 04.02.01 Provide a centralized firewall policy management console that supports all firewalls deployed in the System; Mandatory
04.02 Management Requirements 04.02.02 Provide a graphical user interface for the centralized management console; Mandatory
04.02 Management Requirements 04.02.03 Provide high availability of the centralized firewall policy management console; Mandatory
04.02 Management Requirements 04.02.04 Support object-based configuration of firewall policy and rules; Mandatory
04.02 Management Requirements 04.02.05 Provide support for dynamic object types; Mandatory
04.02 Management Requirements 04.02.06 Provide support for “review and then commit” of firewall policy changes; Mandatory
04.02 Management Requirements 04.02.07 Provide a facility for logging the reason and tracking of all changes; Mandatory
04.02 Management Requirements 04.02.08 Support revision history and policy roll back; Mandatory
04.02 Management Requirements 04.02.09 Integrate with a standard identity management solution for all management functions (such as RADIUS, LDAP and/or Microsoft Active Directory) with support for 2 factor authentication; Mandatory
04.02 Management Requirements 04.02.10 Provide statistics on rule usage; Mandatory
04.02 Management Requirements 04.02.11 Support role based management for administrative activities; Mandatory
04.02 Management Requirements 04.02.12 Support lateral management roles to segregate administrator duties; Mandatory
04.02 Management Requirements 04.02.13 Provide an XML or JSON based API to perform administrative and operational tasks and integrate with third party firewall management and ticketing systems; Mandatory
04.02 Management Requirements 04.02.14 Implement controls to require multiple authorizations for rule changes (e.g.: the “four eye” principle); Mandatory
04.02 Management Requirements 04.02.15 Provide continuous threat intelligence information to identify new and emerging threats within the network; and Mandatory
04.02 Management Requirements 04.02.16 Provide a capability to import bespoke threat intelligence data using industry standards such as STIX/TAXII. Mandatory
04.02 Management Requirements 04.02.17 Provide a mechanism for rule verification; Desirable
04.02 Management Requirements 04.02.18 Support an approval process with multiple roles for firewall policy changes either natively or through a third party tool; Desirable
04.02 Management Requirements 04.02.19 Provide a unified management interface for VPNs; Desirable
04.02 Management Requirements 04.02.20 Support simultaneous administrative access and allow simultaneous changes to the solution’s configuration; Desirable
04.02 Management Requirements 04.02.21 Allow for creation and automation of workflows; and Desirable
04.02 Management Requirements 04.02.22 Integrate with the Axios Assyst service management platform for automated rule deployment and tracking. Desirable
04.03 Logging and Audit Requirements 04.03.01 Provide a tamper proof log and audit capability of all administrative activity; Mandatory
04.03 Logging and Audit Requirements 04.03.02 Provide a reporting capability with option to export reports in various formats (e.g.: CSV, PDF, XLS, XML); Mandatory
04.03 Logging and Audit Requirements 04.03.03 Provide a set of standard reports that may be used for audit purposes and firewall performance management; Mandatory
04.03 Logging and Audit Requirements 04.03.04 Provide an alerting capability designed to alert administrators of security and performance relevant events; Mandatory
04.03 Logging and Audit Requirements 04.03.05 Integrate with SIEM products such as ArcSight; and Mandatory
04.03 Logging and Audit Requirements 04.03.06 Provide capability to export logs to a centralized syslog server. Mandatory
04.03 Logging and Audit Requirements 04.03.07 Provide a mechanism to export traffic flow information in industry standard formats such as Netflow, Sflow and/or IPFIX; and Desirable
04.03 Logging and Audit Requirements 04.03.08 Provide a capability to mask personal information as defined in the EU GDPR. Desirable
04.04 Network Integration Requirements 04.04.01 Integrate with Microsoft Active Directory services to provide user and system identification. Mandatory
04.04 Network Integration Requirements 04.04.02 Support VLAN and MPLS tagging technologies; Mandatory
04.04 Network Integration Requirements 04.04.03 Support IPv6 network traffic; Mandatory
04.04 Network Integration Requirements 04.04.04 Support the following dynamic routing protocols: RIP, OSPFv3, BGP; Mandatory
04.04 Network Integration Requirements 04.04.05 Support static routing and source/policy based routing; Mandatory
04.04 Network Integration Requirements 04.04.06 Support Quality of Service (QoS) for services and applications; Mandatory
04.04 Network Integration Requirements 04.04.07 Support SNMP; Mandatory
04.04 Network Integration Requirements 04.04.08 Provide PAT and NAT functionality including the definition of NAT pools; Mandatory
04.04 Network Integration Requirements 04.04.09 Support multi‐link or multi‐ISP with the capability to provide internet breakout at branch office locations; Mandatory
04.04 Network Integration Requirements 04.04.10 Support DHCP services including DHCP relay and the ability to act as a DHCP server; and Mandatory
04.04 Network Integration Requirements 04.04.11 Provide the requisite number of SFP, SFP+ or QSFP+ interfaces and transceivers as identified during the exercise prescribed in requirement 7.3. Mandatory
04.05 Assurance and Standards Requirements 04.05.01 Attest to compliance with ISO/IEC 15408 Common Criteria of EAL4+ or higher; and Mandatory
04.05 Assurance and Standards Requirements 04.05.02 Contain cryptographic components validated to FIPS 140‐2. Mandatory
04.06 Encryption Requirements 04.06.01 Provide the capability to establish client‐to‐site SSL, TLS, DTLS or IPSEC VPN; Mandatory
04.06 Encryption Requirements 04.06.02 Provide the capability to establish site‐to‐site IPSEC VPN; Mandatory
04.06 Encryption Requirements 04.06.03 Support certificate based VPN user identity recognition; and Mandatory
04.06 Encryption Requirements 04.06.04 Support username and password based VPN user identity recognition utilizing Active Directory and RSA 2 factor authentication. Mandatory
04.06 Encryption Requirements 04.06.05 Support hardware security module for encryption key management; Desirable
04.06 Encryption Requirements 04.06.06 Support load balancing of VPN clients across multiple appliances; Desirable
04.06 Encryption Requirements 04.06.07 Provide a global network of managed VPN servers that can protect network connections on roaming endpoints; and Desirable
04.06 Encryption Requirements 04.06.08 Provide an always‐on VPN capability for Microsoft Windows endpoints as well as Android and Apple iOS mobile devices. Desirable
04.07 Intrusion Prevention Requirements 04.07.01 Include signature based detection and prevention of network attacks; Mandatory
04.07 Intrusion Prevention Requirements 04.07.02 Provide the ability to modify existing IPS signatures; Mandatory
04.07 Intrusion Prevention Requirements 04.07.03 Provide protection against DoS attacks; Mandatory
04.07 Intrusion Prevention Requirements 04.07.04 Provide protection features for encapsulated traffic (please specify how all protection features operate when traffic is encapsulated); and Mandatory
04.07 Intrusion Prevention Requirements 04.07.05 Provide automatic updates to signature ruleset based on known vulnerabilities identified in the wild. Mandatory
04.07 Intrusion Prevention Requirements 04.07.06 Support user developed signatures; Desirable
04.07 Intrusion Prevention Requirements 04.07.07 Support open signature standards such as SNORT; Desirable
04.07 Intrusion Prevention Requirements 04.07.08 Support extraction of executables from network streams; and Desirable
04.07 Intrusion Prevention Requirements 04.07.09 Support sandboxing of extracted executables. Desirable
04.08 Application Control Requirements 04.08.01 Provide malware protection within application streams such as the HTTP protocol; Mandatory
04.08 Application Control Requirements 04.08.02 Identify applications in the HTTP protocol (i.e.: browser based applications); Mandatory
04.08 Application Control Requirements 04.08.03 Identify applications outside of the HTTP protocol (i.e.: desktop and server based applications); Mandatory
04.08 Application Control Requirements 04.08.04 Support the application of policy on individual users and user groups; Mandatory
04.08 Application Control Requirements 04.08.05 Provide capability to apply bandwidth control and restriction; Mandatory
04.08 Application Control Requirements 04.08.06 Support all application control features for encapsulated traffic; Mandatory
04.08 Application Control Requirements 04.08.07 Support all application control features for 4over6 and 6over4 tunnels; Mandatory
04.08 Application Control Requirements 04.08.08 Provide a continuously updated feed to improve application detection; Mandatory
04.08 Application Control Requirements 04.08.09 Support the development of user defined application signatures; Mandatory
04.08 Application Control Requirements 04.08.10 Provide application whitelist and blacklist functionality; Mandatory
04.08 Application Control Requirements 04.08.11 Provide URL filtering capabilities including: Mandatory
04.08 Application Control Requirements 04.08.11.01 Control of URL access based on website category; Mandatory
