Government of Canada Managed Security Service (GCMSS) Annex A-1: Statement of Work - Firewall

Transcription

1 Government of Canada Managed Security Service (GCMSS) Date: July 12, 2012

2 TABLE OF CONTENTS 1 FIREWALL SECURITY STANDARDS FAILOVER PERFORMANCE REPORTING IMPLEMENTATION CHANGE MANAGEMENT...4 REFERENCE Please refer to Annex A - Appendix C: Definitions and Acronyms for a definition of terms and acronyms utilized throughout this annex. Page: i

3 1 FIREWALL (1) The Firewall is one of the GCMSS Threat Management Services. When ordered by Canada, by issuing a Task Authorization, the Firewall, as managed and implemented by the Contractor, must meet or exceed all of the requirements listed in this annex, in the balance of the SOW and elsewhere in the Contract prior to acceptance by Canada and during the entire period of the Contract. 1.1 Security (2) The Firewall must be ICSA Labs certified for ICSA 4.0 or Common Criteria certification to at least EAL-2. (3) The Firewall platform must use a hardened operating system according to FIPS (4) The Firewall fail-safe state must be configurable to open or close as specified by Canada. 1.2 Standards (5) The Firewall must support packet level filtering. (6) The Firewall must support proxy-based data inspection for: a) HTTP including: i) authentication; ii) transparent proxy; iii) non-transparent proxy; iv) protocol enforcement; and v) granular control over what HTTP calls are permitted; b) HTTPS including: i) transparent proxy; ii) non-transparent proxy; and iii) protocol enforcement. (7) The Firewall must support Open Shortest Path First (OSPF) Version 2 for IPv4 [RFC 2328]. (8) The Firewall must support Open Shortest Path First (OSPF) Version 3 for IPv6 [RFC 5340]. (9) The Firewall must support multi-protocol Border Gateway Protocol 4 (BGP-4) [RFC 4271], including route announcements. (10) The Firewall must operate in the following modes: a) stealth mode; b) bridging mode; and c) transparent mode. Page 1

4 (11) The Firewall must support the standard OSI Layer 3 mode of configuration with Interface IP s. (12) The Firewall must provide NAT functionality including: a) dynamic NAT translation; b) static NAT translation; c) SIP/H.323 NAT Traversal; d) NAT over VPN; and e) DNS Translation. (13) The Firewall must support: a) Path MTU Discovery [RFC 1191], [RFC 1981], [RFC 4443]; b) Port Forwarding; c) PAT; and d) IETF Best Current Practice 38 [RFC 2827]. (14) The Firewall must support these authentication methods: a) LDAP; b) Passwords; c) RSA SecurID ; and d) X.509 digital certificates. (15) The Firewall must support authentication servers including: a) RADIUS; and b) TACACS+. (16) The Firewall must support Voice over IP based protocols including but not limited to: a) H.323; b) SIP; c) SCCP; d) MGCP. (17) The Firewall must support Static routing. (18) The Firewall must support Policy based routing. (19) The Firewall must support RIPv1 and RIPv2 routing. (20) The Firewall must support multicast routing. 1.3 Failover (21) The Firewall must support Active-Active as well as Active-Passive failover modes. (22) The Firewall must support automatic failover as well as load balancing for outbound traffic with a minimum of 2 network interfaces. Page 2

5 1.4 Performance (23) The Firewall must support a minimum of 4096 VLANs in NAT/Route mode. (24) The Firewall must support, without limitations, throughputs corresponding to the Threat Management Capacity it runs under. 1.5 Reporting Monthly Reports (25) The Contractor must provide a monthly Firewall report to Canada in tabular and graphical format by Client Organization that includes: a) SDP; b) Service Platform; c) an allowed connection (inbound and outbound) summary in column-chart format; i) day of the month in the x axis; and ii) number of allowed connections in the y axis; d) a dropped connection (inbound and outbound) summary in column-chart format; i) day of the month in the x axis; and ii) number of dropped connections in the y axis; e) an accepted connection summary in column-chart format for the top 10 source i) source IP/Hostname on the x axis; and ii) total number of accepted connections for the source IP/Hostname on the y axis; f) a dropped connection summary in column-chart format for the top 10 source i) source IP/Hostname on the x axis; and ii) total number of dropped connections for the source IP/Hostname on the y axis; g) an accepted connection summary in column-chart format for the top 10 destination i) destination IP/Hostname on the x axis; and ii) total number of accepted connections for the destination IP/Hostname on the y axis; h) a dropped connection summary in column-chart format for the top 10 destination i) destination IP/Hostname on the x axis; and ii) total number of dropped connections for the destination IP/Hostname on the y axis; Page 3

6 i) an accepted connection summary in column-chart format for the top 10 Service/Port; i) Service/Port on the x axis; and ii) total number of accepted connections for the Service/Port on the y axis; j) a dropped connection summary in column-chart format for the top 10 Service/Port; i) Service/Port on the x axis; and ii) total number of dropped connections for the Service/Port on the y axis. (26) The Contractor must provide a monthly Firewall active rules report to Canada in tabular and graphical format by Client Organization that includes: a) SDP; b) Service Platform; c) rule id; and d) number of times the rule has fired. (27) The Contractor must provide a monthly Firewall dead rules report to Canada in tabular and graphical format by Client Organization that includes: a) SDP; b) Service Platform; c) rule id; and d) number of days since the rule has fired. 1.6 Implementation (28) The Contractor must inventory, review, optimize and implement, in GCMSS, existing rules, policies, and any other configuration of the existing firewall solution of the Client Organization. (29) The Contractor must document, review, optimize and implement, in GCMSS, configuration requirements of the Client Organization for the Firewall. 1.7 Change Management (30) The Contractor must configure Firewall rules, policies and features, as requested by Canada, in accordance with priority levels as specified by Canada. Page 4