Government of Canada Managed Security Service (GCMSS) Annex A-1: Statement of Work - Firewall




Government of Canada Managed Security Service (GCMSS) Date: July 12, 2012

TABLE OF CONTENTS

1 FIREWALL
  1.1 SECURITY
  1.2 STANDARDS
  1.3 FAILOVER
  1.4 PERFORMANCE
  1.5 REPORTING
  1.6 IMPLEMENTATION
  1.7 CHANGE MANAGEMENT

REFERENCE

Please refer to Annex A - Appendix C: Definitions and Acronyms for a definition of terms and acronyms utilized throughout this annex.

1 FIREWALL

(1) The Firewall is one of the GCMSS Threat Management Services. When ordered by Canada, by issuing a Task Authorization, the Firewall, as managed and implemented by the Contractor, must meet or exceed all of the requirements listed in this annex, in the balance of the SOW and elsewhere in the Contract, prior to acceptance by Canada and during the entire period of the Contract.

1.1 Security

(2) The Firewall must be ICSA Labs certified for ICSA 4.0 or Common Criteria certified to at least EAL-2.
(3) The Firewall platform must use a hardened operating system according to FIPS 140-2.
(4) The Firewall fail-safe state must be configurable to open or close as specified by Canada.

1.2 Standards

(5) The Firewall must support packet level filtering.
(6) The Firewall must support proxy-based data inspection for:
  a) HTTP, including:
    i) authentication;
    ii) transparent proxy;
    iii) non-transparent proxy;
    iv) protocol enforcement; and
    v) granular control over what HTTP calls are permitted;
  b) HTTPS, including:
    i) transparent proxy;
    ii) non-transparent proxy; and
    iii) protocol enforcement.
(7) The Firewall must support Open Shortest Path First (OSPF) Version 2 for IPv4 [RFC 2328].
(8) The Firewall must support Open Shortest Path First (OSPF) Version 3 for IPv6 [RFC 5340].
(9) The Firewall must support multi-protocol Border Gateway Protocol 4 (BGP-4) [RFC 4271], including route announcements.
(10) The Firewall must operate in the following modes:
  a) stealth mode;
  b) bridging mode; and
  c) transparent mode.

(11) The Firewall must support the standard OSI Layer 3 mode of configuration with Interface IPs.
(12) The Firewall must provide NAT functionality including:
  a) dynamic NAT translation;
  b) static NAT translation;
  c) SIP/H.323 NAT Traversal;
  d) NAT over VPN; and
  e) DNS Translation.
(13) The Firewall must support:
  a) Path MTU Discovery [RFC 1191], [RFC 1981], [RFC 4443];
  b) Port Forwarding;
  c) PAT; and
  d) IETF Best Current Practice 38 [RFC 2827].
(14) The Firewall must support these authentication methods:
  a) LDAP;
  b) Passwords;
  c) RSA SecurID; and
  d) X.509 digital certificates.
(15) The Firewall must support authentication servers including:
  a) RADIUS; and
  b) TACACS+.
(16) The Firewall must support Voice over IP based protocols including but not limited to:
  a) H.323;
  b) SIP;
  c) SCCP; and
  d) MGCP.
(17) The Firewall must support static routing.
(18) The Firewall must support policy based routing.
(19) The Firewall must support RIPv1 and RIPv2 routing.
(20) The Firewall must support multicast routing.

1.3 Failover

(21) The Firewall must support Active-Active as well as Active-Passive failover modes.
(22) The Firewall must support automatic failover as well as load balancing for outbound traffic with a minimum of 2 network interfaces.

1.4 Performance

(23) The Firewall must support a minimum of 4096 VLANs in NAT/Route mode.
(24) The Firewall must support, without limitations, throughputs corresponding to the Threat Management Capacity it runs under.

1.5 Reporting

1.5.1 Monthly Reports

(25) The Contractor must provide a monthly Firewall report to Canada in tabular and graphical format by Client Organization that includes:
  a) SDP;
  b) Service Platform;
  c) an allowed connection (inbound and outbound) summary in column-chart format:
    i) day of the month on the x axis; and
    ii) number of allowed connections on the y axis;
  d) a dropped connection (inbound and outbound) summary in column-chart format:
    i) day of the month on the x axis; and
    ii) number of dropped connections on the y axis;
  e) an accepted connection summary in column-chart format for the top 10 sources:
    i) source IP/Hostname on the x axis; and
    ii) total number of accepted connections for the source IP/Hostname on the y axis;
  f) a dropped connection summary in column-chart format for the top 10 sources:
    i) source IP/Hostname on the x axis; and
    ii) total number of dropped connections for the source IP/Hostname on the y axis;
  g) an accepted connection summary in column-chart format for the top 10 destinations:
    i) destination IP/Hostname on the x axis; and
    ii) total number of accepted connections for the destination IP/Hostname on the y axis;
  h) a dropped connection summary in column-chart format for the top 10 destinations:
    i) destination IP/Hostname on the x axis; and
    ii) total number of dropped connections for the destination IP/Hostname on the y axis;

  i) an accepted connection summary in column-chart format for the top 10 Service/Port:
    i) Service/Port on the x axis; and
    ii) total number of accepted connections for the Service/Port on the y axis;
  j) a dropped connection summary in column-chart format for the top 10 Service/Port:
    i) Service/Port on the x axis; and
    ii) total number of dropped connections for the Service/Port on the y axis.
(26) The Contractor must provide a monthly Firewall active rules report to Canada in tabular and graphical format by Client Organization that includes:
  a) SDP;
  b) Service Platform;
  c) rule id; and
  d) number of times the rule has fired.
(27) The Contractor must provide a monthly Firewall dead rules report to Canada in tabular and graphical format by Client Organization that includes:
  a) SDP;
  b) Service Platform;
  c) rule id; and
  d) number of days since the rule has fired.

1.6 Implementation

(28) The Contractor must inventory, review, optimize and implement, in GCMSS, existing rules, policies, and any other configuration of the existing firewall solution of the Client Organization.
(29) The Contractor must document, review, optimize and implement, in GCMSS, configuration requirements of the Client Organization for the Firewall.

1.7 Change Management

(30) The Contractor must configure Firewall rules, policies and features, as requested by Canada, in accordance with priority levels as specified by Canada.
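The figures required by the monthly reports in (25), (26) and (27) are all aggregations over the firewall's connection log. The Python below is an added example, not part of the annex and not any vendor's or the Contractor's tooling: it derives the per-day allowed and dropped counts, the top-N source, destination and Service/Port tables, the active rules count and the dead rules age from a constructed log. The log line format, the field names, the rule inventory and the report date are all assumptions made for the example.

```python
"""Monthly firewall report aggregation (added example, not from the GCMSS annex).

Assumed log format, one connection per line (constructed for this example):
    <YYYY-MM-DD> <allow|drop> <in|out> <src> <dst> <proto/port> <rule_id>
A real deployment would map its vendor's log fields onto these names.
"""
from collections import Counter
from datetime import date

# Constructed sample log covering part of June 2012.
SAMPLE_LOG = """\
2012-06-01 allow in 198.51.100.7 192.0.2.10 tcp/443 R-100
2012-06-01 allow out 192.0.2.20 203.0.113.5 tcp/80 R-200
2012-06-01 drop in 203.0.113.99 192.0.2.10 tcp/23 R-999
2012-06-02 drop in 203.0.113.99 192.0.2.11 tcp/22 R-999
2012-06-02 allow in 198.51.100.7 192.0.2.10 tcp/443 R-100
2012-06-15 allow out 192.0.2.20 203.0.113.5 udp/53 R-210
2012-06-15 drop out 192.0.2.21 203.0.113.6 tcp/25 R-300
2012-06-15 drop in 203.0.113.99 192.0.2.10 udp/161 R-999
"""

# Constructed rule inventory: rule id -> date the rule last fired before this
# reporting month (None = never fired).  Carried forward month to month.
RULE_INVENTORY = {
    "R-100": date(2012, 5, 30), "R-200": date(2012, 5, 1), "R-210": None,
    "R-300": date(2012, 3, 1), "R-999": date(2012, 5, 31),
    "R-400": date(2012, 1, 10), "R-500": None,
}


def parse_log(text):
    """Parse the constructed log format into a list of dicts (blank lines skipped)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, action, direction, src, dst, service, rule = line.split()
        records.append({"date": date.fromisoformat(d), "action": action,
                        "direction": direction, "src": src, "dst": dst,
                        "service": service, "rule": rule})
    return records


def connections_per_day(records, action, direction=None):
    """Items c) and d) of (25): count per day of the month; direction=None covers
    inbound and outbound together, as the annex asks."""
    counts = Counter(r["date"].day for r in records
                     if r["action"] == action
                     and (direction is None or r["direction"] == direction))
    return dict(sorted(counts.items()))


def top_n(records, action, field, n=10):
    """Items e) to j) of (25): top-N src / dst / service for allow or drop."""
    counts = Counter(r[field] for r in records if r["action"] == action)
    return counts.most_common(n)


def active_rules(records):
    """(26): rule id -> number of times the rule fired in the month."""
    return dict(Counter(r["rule"] for r in records))


def dead_rules(records, inventory, report_date):
    """(27): rules that did not fire this month, with days since their last
    fire; rules that have never fired are reported with None."""
    fired = {r["rule"] for r in records}
    return {rule: ((report_date - last).days if last else None)
            for rule, last in inventory.items() if rule not in fired}


def monthly_report(log_text, inventory, report_date, n=10):
    """Assemble every figure the three monthly reports need, per Client Organization."""
    records = parse_log(log_text)
    return {
        "allowed_per_day": connections_per_day(records, "allow"),
        "dropped_per_day": connections_per_day(records, "drop"),
        "top_accepted_src": top_n(records, "allow", "src", n),
        "top_dropped_src": top_n(records, "drop", "src", n),
        "top_accepted_dst": top_n(records, "allow", "dst", n),
        "top_dropped_dst": top_n(records, "drop", "dst", n),
        "top_accepted_service": top_n(records, "allow", "service", n),
        "top_dropped_service": top_n(records, "drop", "service", n),
        "active_rules": active_rules(records),
        "dead_rules": dead_rules(records, inventory, report_date),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(monthly_report(SAMPLE_LOG, RULE_INVENTORY, date(2012, 6, 30)))
```

The dead rules figure only works if the rule inventory carries each rule's last-fired date across months, which is why the example keeps it as separate input rather than deriving it from the current log alone; a rule that is absent from both the inventory and the log is a configuration-drift finding, not a dead rule. The annex also asks for the reports by SDP and Service Platform, so in practice the log records would carry those two fields and the aggregation would be run once per (Client Organization, SDP, Service Platform) group.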