Bethel Park School District Firewall Bid Project


January 12, 2018

Bethel Park School District Firewall Bid Project

For use with the 2018-2019 eRate bid process and / or as a general purpose bid compliant with the laws of the state of Pennsylvania for Public School Districts.

Ideas and Concepts expressed herein are property of the Bethel Park School District and / or the respective referenced vendors and, except for the public nature of this bid, this information is otherwise proprietary and confidential – Except by vendors responding to this bid request; this bid is not to be copied, duplicated, excerpted or otherwise replicated for private or public use beyond this intended use without written permission from the Bethel Park School District.

BPSD Firewall Bid Objectives and Specifications 2018

1.) Bid Purpose Introduction Statement

The Bethel Park School District seeks bids for firewall and closely related solutions via the eRate Category 2 process. The solutions we seek will by necessity include hardware, software and licensing for at least a five year term (where applicable). Some of these will be eRate discount eligible and some will not. Our evaluation will require selection of the most cost effective five year solution (after eligible discounts) that substantially meets our specifications and is able to demonstrably satisfy our intended purposes. The 2018 eRate eligibility list for both Category 1 and Category 2 can be found here: https://apps.fcc.gov/edocs_public/attachmatch/DA-17-973A1.pdf (remember, this bid is for Category 2).

2.) eRate Eligibility Statement

The first step of this process is to post a 470 form (along with these more detailed specifications), which is the eRate version of the public bid process. Because a substantial portion of what we are seeking is likely eligible for eRate Category 2 funding discounts, we are requiring any vendor wishing to participate in this bid to be authorized and eligible to participate in the eRate process; i.e. having an eRate SPIN number, currently in good standing with eRate, and having no pending or past eRate investigation or litigation regarding accusations of wrongdoing or improper conduct. If you are not an eRate qualified or eligible service provider you can learn more here - lt.aspx. Under no circumstance will Bethel Park School District delay our process, nor do we have the authority to delay the eRate process, due to provider eligibility issues or providers awaiting eligibility certification. If a non-eRate eligible or certified vendor would like to bid and believes that they can provide a comparable or lower cost solution without the use of Bethel Park’s anticipated 40% eRate reimbursement on eligible purchases, then you are welcome to do so.

3.) Local Presence and Vendor Qualification Requirement

Because Bethel Park School District resides in a Pittsburgh suburban location, we have access to many qualifiable local vendors as well as qualifiable national vendors with a strong local presence. All vendors (both national and local) interested in submitting a proposal for this request must have a strong local presence. For purposes of this bid specification, strong local presence is defined by the following:

- Having a local sales and support office within 50 miles of the Bethel Park School District.
- Having a local sales presence with at least one full time sales person residing and operating continuously for at least 2 years in the South Western Pennsylvania region.
- Having a local engineering presence with at least one and preferably two certified engineers who are certified in the products, software and licensing being proposed.
- Having a local engineering presence operating from within the Southwestern Pennsylvania Region for at least two years.
- Verifiably manufacturer certified and approved as a reseller on all aspects of the proposed solution.
- Extensive prior experience migrating from Palo Alto firewalls to the proposed solution - references will be required. Vendors are required to have at least one currently certified or recently past certified (within 18 months) former Palo Alto engineer(s) on staff.

4.) Current Environment and Future Horizon

Bethel Park School District presently has an existing Palo Alto 3050N next generation firewall. Our current Firewall WAN connection consists of a single 1GB WAN link to a Fatpipe appliance that aggregates incoming WAN connections from three separate ISPs. The ISPs are DQE RWAN (up to 10Gb link, 500Mb commodity, up to 10Gb Internet2 traffic), Comcast Business Class Internet (150Mb/s fixed IP cable modem), and Verizon Fios (75Mb/s fixed IP fiber modem). This firewall has a maximum throughput capacity of 1Gb/s and is currently nearing the end of its fourth year of service. When this firewall was selected the district had not yet fully embraced 1:1 computing and had much lower Internet bandwidth requirements than is true today. The current firewall is nearing capacity and is incapable of being upgraded. It also lacks adequate CPU processing capacity to decrypt, inspect, next gen filter and re-encrypt all likely future encrypted Internet traffic. The only viable solution is to procure a new firewall with adequate current and future capacity. Our future horizon for the lifespan of the new firewall is at least five years from the date of acquisition. We anticipate the date of acquisition to be as soon as April of 2018 pending Board approval. Receiving expected eRate approvals in advance would be ideal but is not anticipated. Due to the time constraints available for firewall project implementation, the district intends to purchase in advance of and regardless of hoped for eRate approval and seek reimbursement if and when approval is received, based on a selected solution offered by an eRate vendor complying with all requirements previously identified in this document and according to eRate vendor eligibility rules.

5.) Intent and Evaluation of Requested Solution

In this new solution we have several objectives which we need to accomplish. The bid specifications listed will be evaluated with regard to the specific ability to accomplish each of these objectives. Because vendor products vary widely with regard to the mechanisms used to implement functionality and features, we anticipate that it will not be possible to create a direct comparison of the various products and solutions that will likely be proposed for consideration based on features alone. As a result of the difficulty of comparing specific feature or function with specific feature or function, we will also be evaluating on the ability to accomplish our objectives. Vendor written statements accompanied by their agreement to demonstrate stated functionality or objective achievement will be counted as having met the objective for purposes of substantial consideration. If a vendor makes a statement that their solution complies with a requested feature or addresses an objective, they must be able to identify, within the manufacturer literature, where this feature is implemented or how it addresses our objective. Final selection will require successful demonstration or written performance assurance of what has been stated and / or agreed to by earlier submission of their bid. As required by Pennsylvania State Law, the bidder proposing the lowest responsible overall five year bid cost (initial acquisition of hardware and licensing services support for each of 5 years) which contains must-have features and accomplishes the stated objectives will be recommended for approval to the School Board of Directors.

6.) Security and Clearances

All personnel (contractors and subcontractors) that will be working on this project in the schools must observe all security and safety procedures of each school facility and must secure all record checks required by law (and submit the results thereof) such as:

1. For Pennsylvania Residents: Form SP4-164 - Pennsylvania State Police “Request for Criminal Record Check” – Call 717-783-5494; Act 34
2. Pennsylvania “Child Abuse History Clearance” – Call 717-783-6211; Act 151
3. Fingerprints, as required, Act 114

On-site work at the school sites cannot commence until the Vendor / Vendor employees have obtained all relevant clearances. If the vendor is unable to obtain or maintain clearances for required certified engineers or other personnel by the anticipated project start date and through the end of the project (no earlier than 4/1/2018), the district will have grounds to disqualify the vendor.

7.) Certification Regarding Debarment, Suspension, Ineligibility and Voluntary Exclusion

By signing and submitting this proposal, Vendor certifies that neither it nor its principals is presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation, by the State of Pennsylvania or by any Federal department or agency, from transactions involving the use of Federal funds. Where Vendor is unable to certify to any of the Statements in this certification, Vendor shall attach an explanation to their offer.

8.) Additional Information for Vendors

The District reserves the right to:

- Reject and cancel or amend and repost this proposal or not award any contract.
- Subject the Administration’s recommended vendor solution for Board Approval.
- Utilize any and all ideas submitted in the proposals received.
- Request providers to clarify their proposals.
- Request vendors to physically demonstrate requested and stated functionality within the Bethel Park School District network environment.
- Purchase the most cost-effective proposal(s) meeting the bid specifications and able to satisfy the stated Bethel Park objectives, including relevant specifications, and in accordance with E-Rate rules and bidding rules within the State of Pennsylvania.

9.) Stated Objectives Bid Specification Criteria

With the replacement of our current Palo Alto firewall, Bethel Park School District intends to satisfy the following objectives regardless of specification. Satisfaction of these objectives is seen as essential to a successful bid. The Bid Specification Feature Criteria further enumerated below these objectives are believed to be those most relevant to satisfying these objectives.

a.) Next Generation Firewall (NGFW)

We recognize and accept that the future of firewalls and securing our organization will require a Next Generation Firewall complete with Next Generation Firewall features and functionality.

NGFW as defined by Gartner - “Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or nonenterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated.” on-firewalls-ngfws)

For this project we are requiring that the proposed solution must be classified by Gartner or NSS as a Next Generation Firewall on their 2016 or 2017 Security Value Map or Magic Quadrant, as made available by the firewall vendor when submitting this bid, and is shown as performing in either of the top two quadrants (challengers or leaders) of either Gartner or NSS Labs tner-nss-labs-alpha-tong/

Vendor submission must include a licensed copy of the referenced report for Bethel Park use in conducting bid compliance evaluation.

b.) Load balancing and aggregation

Aggregate and load balance three incoming WAN connections (see specifications below for WAN connection requirements) so that they appear and act as one connection for purposes of accessing the Internet and operating various services from within the district. The load balancer must support ‘sticky’ or ‘persistent’ connections through the conclusion of each established Internet communication session via either HTTP or HTTPS. Proposed load balancing solutions must support both static and dynamic caching, and caching must be configurable or bypassable based on site accessed, group accessing or content type.

c.) Single Sign On - Radius replacement for Cisco wireless

With this objective we are seeking to integrate our wireless authentication and firewall captive portal sign on into one place and one sign on. Presently users must authenticate using Active Directory credentials via 802.1x EAP through our Cisco Wireless and then must additionally log in using those same credentials on our Palo Alto Captive Portal. Originally this was set up as a single sign on using ‘log scraping’. We have found log scraping to be unreliable and, when it does work, the user identification data provided is inaccurate. In no way will the Bethel Park School District accept any solution that relies in whole or in part on “scraping logs”. This solution must be able to provide visibility into the specific user who has authenticated to the firewall and know from what unique device and / or device type they authenticated. In a Cisco environment this functionality is provided through ISE and associated licensing. In the Fortinet world this functionality is provided by FortiAuthenticator. Any solution presented to meet this objective will need to be demonstrated in the Bethel Park School District environment and be found to work as expected.

d.) Single Sign On for off domain users / Social Networking Login

Our solution must also support sign in for guests on our network who will also need secure, filtered access to wireless access and Internet. One such solution that has recently been made available is social networking login via Google, Instagram, Facebook, etc. We are looking for this capability so that users may authenticate via one of these accounts external to the district and receive a predetermined level of Internet access that is able to be rate limited and otherwise controlled as necessary. This solution must be able to work for all classes of wireless devices, including Chromebooks, iPads, Android tablets, Macbooks, PC laptops, etc.

e.) Enablement of social networking login must be configurable based on time, day or preference so as to limit its availability during afterhours or other specialized school event activities.

f.) Device Registration - aka NAC

Bethel Park School District seeks to prepare for a future where thousands of devices appear on our network with or without an associated Bethel Park School District user. Because we are an educational organization that often hosts outside groups requiring the use of technology, it is essential that we make it both easy and secure for ‘foreign’ users to log in to our network based on device type and / or based on user class. For this purpose we are in need of a solution that is able to identify or provide basic classification information by MAC address and other network available evidence. We expect to be able to automatically classify and provide basic access initially, with the ability to allow users to self-register to gain greater access based on meeting certain criteria; i.e. allowing a client, profile or supplicant to be installed or by submitting to a full profile analysis before access is granted. The process of identifying the security profile of a client is known as posturing in Cisco ISE or Security Posture Assessment via Fortinet. The end result of registering a device on your network must produce a permanent device record that is able to be tracked in perpetuity or as long as deemed necessary by Bethel Park School District, regardless of whether no user or a specific user logs into the device. This feature set is essential to allow secure network admission, visibility and control for IoT devices; i.e. Google Chromecast, Raspberry Pi, Arduino, Amazon Echo, Google Home, blood glucose monitors, LCD projectors, HVAC systems, etc. We also expect that registered devices will be identifiable by the firewall in the event the network intelligent malware protection identifies malware specific traffic on the network and is able to trace the origination back to a registered device. We will need adequate licensing to allow for students to register all district issued as well as student owned devices. The total number of devices to be seen and managed is up to 10,000. The number of simultaneous devices will be 5,000 or less.

g.) Email Filtering

Bethel Park School District presently uses Google Mail for email services for approximately 700 staff, 4,200 student accounts and up to 500 retired pending deletion / miscellaneous service accounts. We have manually implemented all available spam, malware and virus filtering options that are available in GMail. Even still, we are faced with an increasing number of bogus, spam, malware and virus laden emails attempting to gain access to our network resources by appealing to user traits that cause users to make decisions that increase district risk for data exposure by compromising systems. Continuing to increase available filtering in Google also creates a corresponding and undesirable increase in false positives which must be manually reviewed and approved or denied. While the district continues to emphasize user education, we also recognize that stronger, automated and more intelligent prevention measures are required.

Most new NGFW firewalls are available with embedded or additional service offerings that include email filtering. Inasmuch as Bethel Park seeks to better secure our environment from all outside threats, and as such we recognize email filtering as a natural extension of the firewall function, we are requesting that all proposals include email filtering as a separate line item based on a user count of either 800 or 5,500 users. This solution must seamlessly integrate within the firewall, inform the firewall of emails containing malware files (so the firewall can block hosted malware sites) and be informed by the firewall of any sites previously identified to be malware hosts and subsequently block delivery of that email permanently or until further inspection can be performed. The solution may be appliance based, on firewall, separate but fully integrated or in the cloud and fully integrated. In the Cisco world this is known as AMP (Advanced Malware Protection) and AMP for email security and needs to be coupled with the AMP Sandbox for complete effectiveness. In the Fortinet world this is known as FortiMail or FortiCloud and needs to be coupled with FortiSandbox for complete effectiveness. The purpose of the sandbox is for further evaluation by the vendor’s security organization based on platform; i.e. Windows, Mac, Android, iOS, to determine affected platforms, virulence of any identified malware or virus code and await updates to the firewall and email block lists from the firewall vendor’s security organization. Regardless of proposed solution, sandboxing must be a part of it.

h.) Application and Content Filtering

Per the first objective regarding the need to meet defined NGFW criteria, a common feature of NGFW firewalls is Internet content filtering. Since Bethel Park School District is a public K12 school district receiving eRate reimbursement funds for Internet access, we must comply fully with the federal CIPA law (Children’s Internet Protection Act). This law at least requires comprehensive filtering of student Internet access. Bethel Park more comprehensively also chooses to extend this filtering to student owned devices within the Bethel Park School District network and to Bethel Park provided devices on or off the Bethel Park School District network. Content filtering must allow for the establishment of multiple content filtering groups based on Active Director
