Firewall Security Services

Status: Expired
From: Newport News Public Schools (School)
Identifier: 010-0-2024/SNB

Basic Details

Start Date: 14 Jan, 2024
Due Date: 01 Mar, 2024
Type: Bid Notification
Identifier: 010-0-2024/SNB
Customer / Agency: Newport News Public Schools

OF THIS SECTION, "DRUG-FREE WORKPLACE" MEANS A SITE FOR THE PERFORMANCE OR WORK DONE IN CONNECTION WITH A SPECIFIC CONTRACT AWARDED TO A SUCCESSFUL OFFEROR IN ACCORDANCE WITH FEDERAL LAW, THE EMPLOYEES OF WHOM ARE PROHIBITED FROM ENGAGING IN THE UNLAWFUL MANUFACTURE, SALE, DISTRIBUTION, DISPENSATION, POSSESSION OR USE OF ANY CONTROLLED SUBSTANCE OR MARIJUANA DURING THE PERFORMANCE OF THE CONTRACT.

EMPLOYMENT DISCRIMINATION BY THE SUCCESSFUL OFFEROR SHALL BE PROHIBITED:

1. DURING THE PERFORMANCE OF THIS CONTRACT, THE SUCCESSFUL OFFEROR AGREES AS FOLLOWS:

   a. THE OFFEROR SHALL NOT DISCRIMINATE AGAINST ANY EMPLOYEE OR APPLICANT FOR EMPLOYMENT BECAUSE OF RACE, RELIGION, COLOR, SEX, NATIONAL ORIGIN, AGE, DISABILITY, OR ANY OTHER BASIS PROHIBITED BY STATE LAW RELATING TO DISCRIMINATION IN EMPLOYMENT, EXCEPT WHERE THERE IS A BONA FIDE OCCUPATIONAL QUALIFICATION REASONABLY NECESSARY TO THE NORMAL OPERATION OF THE SUCCESSFUL OFFEROR. THE SUCCESSFUL OFFEROR AGREES TO POST IN CONSPICUOUS PLACES, AVAILABLE TO EMPLOYEES AND APPLICANTS FOR EMPLOYMENT, NOTICES SETTING FORTH THE PROVISIONS OF THIS NONDISCRIMINATION CLAUSE.

   b. THE SUCCESSFUL OFFEROR, IN ALL SOLICITATIONS OR ADVERTISEMENTS FOR EMPLOYEES PLACED BY OR ON BEHALF OF THE SUCCESSFUL OFFEROR, SHALL STATE THAT SUCH SUCCESSFUL OFFEROR IS AN EQUAL OPPORTUNITY EMPLOYER.

   c. NOTICES, ADVERTISEMENTS, AND SOLICITATIONS PLACED IN ACCORDANCE WITH FEDERAL LAW, RULE OR REGULATION SHALL BE DEEMED SUFFICIENT FOR THE PURPOSE OF MEETING THE REQUIREMENTS OF THIS SECTION.

2. THE SUCCESSFUL OFFEROR WILL INCLUDE THE PROVISIONS OF THE FOREGOING PARAGRAPHS A, B, AND C IN EVERY SUBCONTRACT OR PURCHASE ORDER OF OVER $10,000, SO THAT THE PROVISIONS WILL BE BINDING UPON EACH SUBCONTRACTOR OR VENDOR.

Name and Address of OFFEROR:
Date:
Authorized Signature:
Printed Name:
Title:
Phone Number:
Fax Number:
Email Address:
Federal Tax Identification Number/Social Security Number:

Is Offeror a "minority" business? Yes / No
If yes, please indicate the "minority" classification below:
□ African American
□ Hispanic American
□ American Indian
□ Eskimo
□ Asian American
□ Aleut
□ Other; Please Explain:

Is Offeror Woman Owned? Yes / No
Is Offeror a Small Business? Yes / No
Is Offeror a Faith-Based Organization? Yes / No

TABLE OF CONTENTS

I. PURPOSE
II. BACKGROUND
III. STATEMENT OF NEEDS
VI. PROPOSAL PREPARATION AND SUBMISSION REQUIREMENTS
V. EVALUATION AND AWARD CRITERIA
VI. GENERAL TERMS AND CONDITIONS
VII. SPECIAL TERMS AND CONDITIONS
VIII. METHOD OF PAYMENT

The following shall be submitted as part of your RFP submission:

ATTACHMENTS:
Attachment A – Pricing Schedule (Must submit with proposal)
Attachment B – Firewall Diagram

I. PURPOSE

The purpose of this RFP is to solicit sealed proposals for firewall security services. Newport News Public Schools (“NNPS”) is seeking Offerors to provide upgrades to its existing Firewall Solution.
NNPS is looking for Offerors who can provide a solution that will address its current and future firewall needs.

II. BACKGROUND

The Newport News Public Schools division educates 26,000 children in 42 schools: 5 early childhood centers, 24 elementary schools, 7 middle schools, 5 high schools, 1 middle/high combination school. NNPS employees number 4,688.

The network design for NNPS consists of two geographically diverse data centers across a fiber optic wide area network (“WAN”). The WAN serves 50+ individual facilities to provide connectivity across the district. The district currently utilizes two Checkpoint 23800 Security Appliances running software code R81. These devices are configured in High Availability mode (Split Core). OSPF is used between the core, firewall, and our internet routers. The device has IPS, Anti-Bot, Anti-Virus, URL Filtering, Application Control, and VPN next generation firewall features configured.

PRICING

Pricing for the requested items under this contract must be provided to NNPS in the format of the table in the attached Pricing Schedule “Attachment A – Pricing Schedule”. All items offered must be in new, unused condition.

EQUIPMENT REQUESTED

This RFP seeks a company that can provide NNPS with firewall, firewall services, management, hardware, and professional services. The offeror should provide a turnkey, full solution which is inclusive of any software. The proposed solution should include threat protection, cloud management, and log analytics/analysis.

III. STATEMENT OF NEEDS

1. MINIMUM REQUIREMENTS

Utilizing E-rate funds, Newport News Public Schools (“NNPS”) is seeking to upgrade/replace its current firewall solution with next generation firewall hardware, software, support, and related services. The goals of the proposed solution are to provide:

• Full Data Inspection (Deep Packet Inspection) services to all inbound/outbound traffic with at least 40 GBs of combined throughput.
• Protect the district’s users, network, and data from internal and external threats.
• Create firewall policies based on authentication of internal users and devices.
• Integration with the district’s existing network hardware and software solutions.

2. CONNECTIVITY AND HARDWARE REQUIREMENTS

• Support at a minimum 40 Gbps sustained throughput with all threat management extensions enabled. The proposed firewall solution must be extensible to accommodate the school division’s growing needs and keep up with higher throughput requirements.
• Per firewall, include a minimum of four (4) 10 Gbps SFP+ ports. Additional ports along with the ability to utilize QSFP+ are desired. All ports must be compatible and work with the existing network equipment.
• Hardware compatibility with 60km SFP+ modules that support single mode fiber (SMF).
• The proposed solution should provide a modular hot swappable (1+1 redundant) dual power supply.
• It is preferred that the proposed firewall solution utilize solid-state hard drives (SSD), with sufficient storage to retain the operational data on the device.
• The proposed solution must support dual stacking of IPv4 and IPv6 protocols for all firewall features and functions. It should also support the implementation of IPv6 in the future.
• The proposed solution must offer platforms including Windows operating system, Linux operating system, and all virtual environments including but not limited to VMWare, Azure, and Hyper-V.
• The proposed solution must support stateful protocol filtering, deep packet inspection, and detection of attacks within the payload.
• It is desired that the proposed solution provides micro segmentation capabilities to block the lateral movement of nefarious network traffic in the data center network.
• It is desired that the proposed solution integrates with the school division’s SIEM solution and other 3rd party logging tools.
• A minimum of 8 network interfaces on the proposed device for connections to the internet, network core, and other switch gear.

3. FIREWALL MANAGEMENT

a. The proposed solution must be fully CIPA, COPPA, HIPAA and PCI compliant and capable.
b. Centralized Management - The proposed solution must be manageable via one management console for all proposed features that are included.
c. Firewall Rule Verification – The proposed solution should notify the administrator when a new rule masks another rule, duplicates, overlaps, or interferes with existing configuration.
d. Encryption – Communication between management servers, interfaces and all appliances must be encrypted.
e. Device Monitoring - The proposed solution must offer real-time monitoring, proactive alerts, historical reporting, and troubleshooting tools; preferably utilizing artificial intelligence (AI) or cloud.
f. Software Updates - The proposed solution must offer the ability for updates to be scheduled individually by each component, device, or globally.
g. Support Tickets - It is desired that the solution provide an ability to launch/open service tickets with support from the management interface.
h. Automation – It is desired that the proposed solution provides the ability to automate routine tasks and drill-downs to produce maximum efficiency with minimal effort.
i. Administrator Management - The proposed solution must allow administrative functions to be delegated to users based on roles/permissions and/or groupings of endpoints they are responsible for managing.
j. Cloud Management – The proposed solution must offer cloud management capability. Some examples of cloud management include, but are not limited to, configuration management, reporting, and analytics. Proposals should include a detailed explanation of the offeror’s cloud management solution.
k. Log Analysis – The proposed solution must include features to search, analyze, and visualize data to obtain operational insights. Proposals should include a detailed explanation of the various types of log analysis that can be compiled through their solution.
l. Virtual Systems / Domains – It is desired that the proposed solution have the ability to support VDOMs or multiple contexts for potential future use.

4. USER IDENTITY AND REPORTING

a. The solution must have the ability to utilize multiple authentication and security methods and identity stores to include local user database, TACACS+, Microsoft Active Directory, Microsoft Azure Active Directory, LDAP-compliant directory, RADIUS, and SAML.
b. The proposed solution must provide an interface to Active Directory (AD) to pull user IDs and groups that can then be used in firewall rules. Must support cloud connectivity on Azure Active Directory.
c. The proposed solution must provide integrated and customizable search with, at minimum, the ability to search data from all systems for information relevant to an incident investigation or risk analysis.
d. The proposed solution must provide manual and scheduled scans of specified systems for indicators derived from threat intelligence or other sources.
e. The proposed solution must provide integrated analytics (including visualization) and support the creation of custom analytics, in order to identify anomalous endpoint behaviors, support incident investigation, and perform event analysis.

5. THREAT MANAGEMENT - The solution must have the ability to segment our server/service infrastructure from internal and external threats; to include (not limited to):

a. Threat Prevention (IPS/IDS) – Inspection of traffic for threats, regardless of protocol, port, or encryption. Block known vulnerabilities, malware, exploits, spyware, and command and control (C2).
b. Application Control – Identify and manage user network application activity based on users, group, or IP range.
c. Anti-Bot and Anti-Virus - Leverage cloud-based malware detection, sandboxing and multiple analysis techniques to identify and protect against unknown file-based threats while resisting evasion techniques.
d. URL Filtering
   i. Categorize and Filter URLs: The solution must be able to block, allow and limit available bandwidth for specific URL categories and/or reputation of the URL.
   ii. Protect against web-based phishing, malware, and command-and-control sites.
   iii. Offer granular filtering controls for individual users, groups, applications, and network ranges.
   iv. Log all the URLs that are passing through the URL filter, both blocked and permitted. Provide the history/report of URLs a user has accessed (whether blocked or allowed) over a certain period.
   v. It is desirable that the solution provide an ability for users to submit URLs that may be miscategorized.
   vi. SSL Decryption - The proposed device should have the capability to do SSL decryption/TLS deep inspection.
e. Internet of Things (IOT) Security – It is desired that the solution offers threat protection for IOT devices.
f. DNS Security – It is desired that the solution offers threat protection from DNS and malicious domain-based attacks.
g. Threat Intelligence - The proposed solution must provide integration with vendor and/or third-party threat intelligence databases. Please describe how this information is obtained, managed, and updated within the solution. Please specify if there are any additional components needed for this feature.
h. Third Party AV – It is desired that the firewall solution is able to work with the school division’s existing desktop and server antivirus solutions in addition to other third party antivirus vendors.

6. SUPPORT

a. Provide manufacturer 24x7x365 dial-in support for all features with an initial response time of one hour or less.
b. Provide a Return Merchandise Authorization (“RMA”) for defective/failed equipment.
c. Pricing for any additional maintenance and support for hardware and/or software must be specified in the proposal and include options for 1-, 3-, and 5-year renewals.
d. Please provide a three-year product road map. All proposed systems and sub-components must be guaranteed not to be End-of-Life for at least five years.

7. OTHER REQUIREMENTS

a. System configuration – Assistance in the setup, configuration, and optimization of the management solution. The proposed solution should be configured using industry best practices.
   i. Migration of all current firewall settings, network configurations, rules, policies, and other information from the current Firewall solution. The existing solution has the following configuration that will need to be migrated to the proposed solution.
      i. 1200 Security Objects
      ii. 104 Security Policies
      iii. 163 NAT Statements
      iv. 3 Firewall Zones
      v. 1 DMZ
      vi. 8 VPN / Teleworker Groups
   ii. Provide a list of the printed documentation provided for operation, use, and administration of the implemented solution.
b. Professional Training and Learning Opportunities
   i. Provide manufacturer certified training, along with vouchers for four NNPS employees to be trained to configure and maintain the proposed solution.
   ii. The training should include a full knowledge transfer of the setup and configuration of the device, along with any information needed to support the proposed solution.

8.

Location

Address: 12465 Warwick Boulevard, Newport News, VA 23606

Country: United States
State: Virginia