Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF JUNE 30, 2007 FBO #2042
SOLICITATION NOTICE

70 -- RFI - Additional Gateway Functionality

Notice Date
6/28/2007
 
Notice Type
Solicitation Notice
 
NAICS
511210 — Software Publishers
 
Contracting Office
Department of Veterans Affairs;Acquisition Management Section/00D;1615 Woodward Street;Austin TX 78772
 
ZIP Code
78772
 
Solicitation Number
VA-200-07-RI-0034
 
Archive Date
7/13/2007
 
Small Business Set-Aside
N/A
 
Description
Request for Information VA-200-07-RI-0034

The Department of Veterans Affairs, VA Network and Security Operations Center, Falling Waters WV, is requesting information for a capability to perform various tasks relating to HTTP, HTTPS, FTP over HTTP, native FTP, IM and P2P protocols. The VA has a requirement to evaluate the content of all protocols passing through its gateways from the intranet to the Internet to ensure that data leaving the VA's intranet complies with the VA's data exchange policies for: VA Protected Information (VAPI); information protected by the security and privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA); and the VA's Acceptable Use Policy (AUP) for the Internet. The objective of this request is to identify an appliance or appliances that are capable of performing a set of general functions as outlined in section 2.1 and will provide the additional specific functionality:
- HTTP / HTTPS User Authentication Functionality (see section 2.2 below)
- Antivirus / Anti-Malware Scanning Functionality (see section 2.3 below)
- HTTP, HTTPS and FTP Content Evaluation Functionality (see section 2.4 below)
- Detailed Usage Log Functionality (see section 2.5 below)
- URL Filtering Functionality (see section 2.6 below)
- IM and P2P Filtering Functionality (see section 2.7 below)

1.0 Architecture Background

The VA infrastructure consists of four national gateways that process outbound and inbound Internet traffic. Traffic from internal VA users destined for Internet resources travels through the VA internal network to one of the national gateways. Each national gateway is built to have identical capabilities and consists of appliances from multiple vendors which provide existing capabilities. The national gateways utilize routing and content switching to direct traffic through the gateways.

The VA has a requirement to positively identify internal VA users who utilize the national gateways for Internet resources and ensure all traffic adheres to VA Internet usage policies. The additional functionality the VA seeks must be hosted on appliances that effectively interoperate with existing gateway components; must be manageable by existing gateway management systems; must be capable of lights out operation; and must be able to scale to the VA's throughput and performance requirements.

2.0 Added Functionality

2.1 General

Only appliances will be considered. Server based applications will not be considered during this RFI process due to the maintenance support overhead and workload associated with maintaining server based applications. Please do not submit an appliance for consideration if the appliance is unable to satisfy those requirements identified as "MUST support . . ." or "MUST be capable of . . ." or "MUST have ability to . . ." and so forth as listed here in this general requirements paragraph AND as listed in the functionality specific requirements paragraphs found in the remainder of section 2. Please specifically identify by RFI paragraph number the functionality your appliance is able to support. The following general requirements have been identified as either mandatory or desirable:
- If the solution provides remote command line access it MUST support SSH Version 2.
- Solutions that access websites via HTTP MUST be capable of caching data to optimize bandwidth utilization.
- All appliances MUST support remote upgrade, restore, and downgrade functionality without physical access to the appliance being required.
- The selected vendor MUST be willing to establish FIPS 140-2 compliant secure access from their Tier 2/3 engineering support group to the VA Gateway if remote support is required by such vendor. Actual access to the vendor's device will be controlled by the VA through the use of ACLs.
- Solution should support 2-factor authentication in those cases where authentication with the appliance is required.
- Solution should be able to log configuration changes and positively identify, by their VA Active Directory credentials, the user making the change, the timestamp and specific details of the configuration change made.
- Solution should have the ability to require the use of the FIPS 140-2 TLS protocol for all HTTPS sessions.
- Solution should support RADIUS or TACACS for management authentication and authorization.
- Solution should have a dedicated Ethernet port to be used for device management traffic.
- Solution should have copper Gigabit Ethernet ports used for production traffic.
- Solution should either have a serial console compatible with standard asynchronous terminal servers or be compatible with remote KVM access, and be equipped with lights out management.
- Solution should currently support IPv6 or have a documented roadmap to IPv6 with full support by June 2008 without requiring hardware upgrades or hardware changes.
- Solution should be able to support SNMP Version 2, although support for SNMP Version 3 is preferred.
- Solution should support transparent proxy via WCCP or content switching.
- Solution should provide automated alerts at the hardware, system, and application levels, such as syslog, SNMP traps or email notification.
- Solution should allow downgrades to previous releases.
- Solution should allow configuration backup and restore options.
- Solution should be based on a hardened appliance.
- Solution should provide a centralized configuration management capability such that configuration changes only need to be made to one appliance or on a central management console and those changes are then replicated to the other like devices in the gateways.
- There should be a way to verify that configuration changes have been successfully replicated to the other like devices in the gateways.
- Any software upgrade, restore, or downgrade should not require physical access to the device in question. All appliances MUST support remote upgrade, restore, and downgrade.

2.2 HTTP / HTTPS User Authentication Functionality

Content filtering web proxy appliances in the gateway are configured to enforce the VA's AUP. The devices currently record the IP address of the user along with access information in a format similar to a Squid log. There are, however, a number of devices throughout the VA network that perform network address translation (NAT) on the source IP address, obscuring the original source of Internet traffic. Additionally, shared workstations and the use of Dynamic Host Configuration Protocol (DHCP) further complicate positive identification of users. The VA has a requirement to positively identify the VA Active Directory credentials, not simply the source IP address, of individuals accessing the Internet and to positively link a user to logged access attempts. The solution must be able to record this information for use in investigations and disciplinary action where necessary. In addition to satisfying the general requirements identified in paragraph 2.1 above, for the solution submitted in support of the HTTP / HTTPS User Authentication Functionality requirement the following functionality specific requirements have been identified as either mandatory or desirable:
- Solution MUST positively identify the VA Active Directory credentials, not simply the source IP address, of individuals accessing the internet and positively link the user to logged access attempts.
- Solution MUST create audit entries documenting specific user activity in sufficient detail to allow for positive identification of user activity in an investigation.
- Solution MUST not require end-user browser configuration to support this requirement.
- Solution should not require the installation of a client on the end-user system to support this requirement.
- Solution should be configurable to permit access to predetermined URLs without positive identification.
- Solution should not require the user to re-enter their credentials every time a site is accessed.
- Solution should support secure web form authentication.
- Solution should support accurate user authentication while in transparent proxy mode.
- Solution should support monitoring and active modes.
- Solution should support IP spoofing.
- Solution should support use of the HTTP X-forwarding header.
- Solution should support on-box URL filtering as well as caching.

2.3 Antivirus / Anti-Malware Scanning Functionality

The VA national gateways currently provide antivirus scanning for SMTP traffic and limited scanning for HTTP, HTTPS, and FTP traffic. The VA has a requirement to scan all HTTP, HTTPS, FTP over HTTP and native FTP protocols in order to identify, thwart and eliminate computer viruses and other malicious software passing through the gateway. In addition to satisfying the general requirements identified in paragraph 2.1 above, for the solution submitted in support of the HTTP / HTTPS User Authentication Functionality requirement the following functionality specific requirements have been identified as either mandatory or desirable:
- Solution MUST have the ability to identify and filter malicious code transmitted over the HTTP protocol. This includes all HTTP traffic using non-standard ports and TCP port 80.
- Solution MUST have the ability to identify and filter malicious code transmitted over the HTTPS protocol. This includes all HTTPS traffic using non-standard ports and TCP port 443.
- Solution MUST have the ability to identify and filter malicious code transmitted over the FTP protocol. This includes all FTP traffic using non-standard ports and TCP ports 20 and 21.
- Solution should provide centralized configuration management, system monitoring and reporting of all devices.
- Solution should support monitoring and active modes.
- Solution should support IP spoofing.
- Solution should support use of the HTTP X-forwarding header.
- Solution should have the ability to distinguish and block any IM or P2P traffic transmitted over ports 80 and 443.
- Solution should support on-box URL filtering as well as caching.
- Solution should be able to scan 2,500 to 5,000 connections per second per appliance.

2.4 HTTP, HTTPS and FTP Content Evaluation Functionality

Currently the gateways provide content filtering for HTTP traffic. HTTPS and FTP traffic pass through the gateway without content filtering. The VA has a requirement to evaluate the content of HTTP, HTTPS, and FTP traffic to ensure that data content complies with the VA data exchange policy regarding the protection of VAPI and enforcement of the VA's AUP for the Internet as defined by VA Directive 6001, Limited Personal Use of Government Office Equipment Including Information Technology. In addition to satisfying the general requirements identified in paragraph 2.1 above, for the solution submitted in support of the HTTP, HTTPS and FTP Content Evaluation Functionality requirement the following functionality specific requirements have been identified as either mandatory or desirable:
- Solution MUST have the ability to identify and block VAPI transmitted in clear text (unencrypted) over the HTTP protocol. This includes all HTTP traffic using non-standard ports and TCP port 80.
- Solution MUST have the ability to identify and block VAPI transmitted over the HTTPS protocol. This includes all HTTPS traffic using non-standard ports and TCP port 443.
- Solution should have the ability to identify and block VAPI transmitted in clear text over the FTP protocol. This includes all FTP traffic using non-standard ports and TCP ports 20/21.
- Solution should be configurable to ignore content filtering of HTTPS traffic being passed to URLs of valid financial institutions.
- Solution should have the ability to identify and act upon non-RFC compliant HTTP and HTTPS traffic tunneled over ports 80 and 443.
- Solution should provide centralized configuration management and system monitoring of all devices.
- Solution should support monitoring and active modes.
- Solution should be able to scan 2,500 to 5,000 connections per second per appliance.

2.5 Detailed Usage Log Functionality

Devices in the gateway currently log information to a syslog server. That information is available to the VA for audit review and forensic purposes. The VA has a requirement to collect user access and activity information from the devices in the gateway, consolidate that information, and download the information to a central location to allow the generation of VA defined detailed reports and ad hoc inquiries and reports. In addition to satisfying the general requirements identified in paragraph 2.1 above, for appliances submitted in support of the Detailed Usage Log Functionality requirement the following functionality specific requirements have been identified as mandatory:
- Solution MUST be able to identify authenticated VA Active Directory credentials, timestamps, source IP address, protocol and method (HTTP GET, HTTPS CONNECT), and should provide duration of connectivity.
- Solution MUST have the ability to provide multiple levels of administrative access.
- Solution MUST support centralized customized reporting capabilities.

2.6 URL Filtering Functionality

The VA has a requirement for URL filtering. In addition to satisfying the general requirements identified in paragraph 2.1 above, for appliances submitted in support of the URL Filtering Functionality requirement the following functionality specific requirements have been identified as either mandatory or desirable:
- Solution MUST be capable of blocking HTTP, HTTPS or FTP traffic, as appropriate, and provide URL filtering capabilities based on VA content policies.
- Solution MUST have the ability to distinguish and block any IM or P2P sessions transmitted over ports 80 and 443.
- Solution MUST support categorization filtering.
- Solution MUST support configurable white list and black list filtering.
- Solution should support monitoring-only (transparent) and active modes.
- Solution should selectively provide rate limiting functionality based on URL and other criteria.
- It is desirable that the solution be capable of scanning other protocols beyond HTTP, HTTPS, and FTP.
- It is desirable that the solution be able to distinguish and block any IM or P2P sessions transmitted over other ports and protocols.

2.7 IM and P2P Filtering Functionality

The VA has a requirement to filter IM and P2P traffic. In addition to satisfying the general requirements identified in paragraph 2.1 above, for appliances submitted in support of the IM and P2P Filtering Functionality requirement the following functionality specific requirements have been identified as either mandatory or desirable:
- Solution MUST have the ability to distinguish and block any IM or P2P sessions transmitted over ports 80 and 443.
- Solution should support monitoring and active modes.
- It is desirable that the solution be able to distinguish and block any IM or P2P sessions transmitted over other ports and protocols.

3.0 Contact Information for this RFI

Interested parties shall submit a capability statement for a decision support solution, company name, point of contact, address, DUNS number, and a brief company background. It is requested that sufficient documentation be provided to allow evaluation of the proposed solution's ability to meet the Government's requirements. Please include a list-price model based on the information provided herein, inclusive of the cost of maintenance and support. A list of resellers and any Government contracts (NASA, GSA, DOD, etc.) is also requested. There is no solicitation document available at this time. All documentation should be submitted electronically to kari.cozzens@va.gov or via fax at 512-326-6028 no later than 3 pm CST on July 13, 2007. Any questions related to this request for information shall be submitted to Kari Cozzens at kari.cozzens@va.gov no later than 3 pm CST on July 6, 2007.

4.0 FAR 52.215-3 Request for Information or Solicitation for Planning Purposes (Oct 1997)

(a) The Government does not intend to award a contract on the basis of this solicitation or to otherwise pay for the information solicited except as an allowable cost under other contracts as provided in subsection 31.205-18, Bid and proposal costs, of the Federal Acquisition Regulation.
(b) Although "proposal" and "offer" are used in this Request for Information, your response will be treated as information only. It shall not be used as a proposal.
(c) This solicitation is issued for the purpose of additional gateway functionality.
(End of provision)
 
Record
SN01330305-W 20070630/070628221012 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
