Loren Data Corp.


COMMERCE BUSINESS DAILY ISSUE OF SEPTEMBER 15, 1999 PSA#2432

USDA, ARS, North Atlantic Area, Contracting Office, 600 East Mermaid Lane, Wyndmoor, PA 19038

70 -- CHECK POINT SOFTWARE TECHNOLOGIES SOFTWARE, HARDWARE, AND MAINTENANCE SUPPORT FOR TWO (2) LOCAL AREA NETWORKS

SOL 35-3615-99
DUE 092199
POC Lisa M. Botella, (215) 233-6551, (215) 233-6558, Contracting Officer and Point of Contact

This requirement was initially synopsized and corrected in the CBD on September 1, 1999. This amendment answers questions received in response to the subject solicitation.

QUESTION 1: Can you clarify the network configuration of the two networks (NAA and ERRC LANs), specifically how are they using the same hubs as mentioned in the General Specifications (Same IP addresses/Different IP addresses?).
ANSWER: All users are on the same cabling (wire). LAN users are determined by different Class C IP addresses. Each LAN has a separate Gateway (router) to the Internet utilizing. See Section A.7 General Specifications.

QUESTION 2: Do the two networks utilize separate TCP/IP network addresses?
ANSWER: Yes.

QUESTION 3: How many IP network addresses are utilized in the two LANs located in the USDA, Eastern Regional Research Center?
ANSWER: The ERRC LAN has 2 Class C address groups, allowing up to 512 addresses. The NAA LAN has 1 Class C address group, allowing up to 256 addresses.

QUESTION 4: Is the training formal (classroom setting) or informal (individual sessions at the user workstation)?
ANSWER: Training can be performed in the ARS-ERRC ADP Training facility on the third floor or utilizing the individual sessions at the users' workstations.

QUESTION 5: Do you require that CheckPoint software manuals be delivered as part of the proposal? If yes, why are the manuals needed prior to an award?
ANSWER: No. Delete requirement for submission of the software manual with the proposal in Sections A.13 and D.2 in the solicitation and replace with the Software manuals are required upon delivery.

QUESTION 6: Items 4-13 appear to expand the scope of the work from firewall implementation and support to general network support. Are we interpreting this correctly? Who currently provides support in these areas? Is it done by in-house staff or by a contractor? If the latter, who is the current contractor?
ANSWER: No, the in-house staff will support the entire network. There is no outside contractor supporting the network.

QUESTION 7: Would it be possible to extend the closing date by one week?
ANSWER: The hour and date specified for receipt of offers has been changed to 3:30 p.m. on September 21, 1999.

QUESTION 8: [Page 5, Item No. 5, and Item No. 13 Requirement for 24 hour/day, 7 day/week Maintenance Services and Support]. Is this requirement for full time on site maintenance support or is the requirement for off site on call support? If the requirement is for off site support on call, what is the response time requirement?
ANSWER: The requirement is for off-site on call support. The requirement for response time and any available optional response time categories should be included as part of your proposal. If the contractor offers multiple response time categories, the information should be included as optional information to the firewall and attached to the proposal. The Options shall include item description, price and delivery information.

QUESTION 9: [Page 5, Item No. 5, and Item No. 13 Requirement for 24 hour/day, 7 day/week Maintenance Services and Support]. Is there a requirement for system administration under the support section of the full time maintenance and support requirement?
ANSWER: The requirement is for off-site on call support for other than routine system maintenance.

QUESTION 10: The networks described appear to be one physical network with nodes that are performing two separate functions, differentiated only by their default gateway. Also, it appears that nodes on both the NAA and ERRC networks access the Internet through the same router. If this is the case, the firewall that will be placed between the Synoptics hub and the ERRC Internet router will provide protection for the entire facility (both NAA and ERRC LANs) from the standpoint of Internet access. What, then, is the planned role of the second firewall? The only other possible location for a firewall would be on the WAN connection that goes to the USDA in DC. This would provide filtering of the traffic entering from the Washington, D.C. facility, nothing more. Of course, if it turns out that the NAA accesses the Internet through the NAA router, then there would be the need for a firewall on that exit point as well. If the traffic coming and going through the NAA router is considered trusted, however, then there would be little need for the second firewall.
ANSWER: The ERRC network accesses the Internet through the ERRC 4500 router. The NAA network accesses the Internet through the NAA 4500 router. Two different ISPs are involved.

QUESTION 11: [Items 5, 10, and 13 on Maintenance Service Support]. What is the desired response time for this Support Contract, both phone/email and on-site response?
ANSWER: See response to question 8 above.

QUESTION 12: Does USDA have a preferred hardware platform (i.e. Compaq, HP, etc.)?
ANSWER: No, the Government will furnish any PCs required for the firewall installation. These PCs will have Windows NT installed on them and meet required specifications.

QUESTION 13: The version of CheckPoint that is to be installed is CheckPoint version 4.0, which has additional features not included in the 3.0 version. If other USDA and Agricultural Research Service sites are using version 3.0 software, there may be some limitations, particularly in the area of VPN encryption algorithms. If the other sites have already upgraded to 4.0, then there is no such issue. Is it known what version of CheckPoint is implemented at other sites, and are there plans to implement a VPN?
ANSWER: CheckPoint 4.0 is either planned or installed at the Department and Agency levels. There are no plans currently in place to implement a VPN.

QUESTION 14: CheckPoint supports the IP protocol. The only compatibility issue would be if one of the above-mentioned software needed to pass through the firewall using some other protocol. More information on the role of the VersaPath product would be helpful in designing the firewall rules and in determining if it presents a security risk or other issues.
ANSWER: Access to the VersaPath Gateway is via the Internet. The Gateway itself utilized a dedicated point-to-point X.25 circuit to a Government site in New Orleans. All traffic through both routers is IP. All information required to implement the firewall will be shared with the contractor who is awarded this procurement.

QUESTION 15: [Items a through k in the Technical Specifications].
Item "a" cites the ability to "screen malicious content, such as viruses and malevolent Java/ActiveX applets." This is a capability that is not included with CheckPoint Firewall-1, but rather a 3rd party application (there are several to choose from) that works in conjunction with the Firewall-1 product via the CVP protocol. This software will work in conjunction with the firewall but is a separate software that needs its own platform.
Item "b" cites "Detect network attacks and misuse in real time and respond automatically to defeat an attack." The role of a firewall is to screen out those protocols and services not allowed by the security policy/firewall rule base. The firewall has no inherent intrusion detection or "response" capabilities. This type of intelligent response is provided by a separate system running Intrusion Detection Software (IDS), such as RealSecure, a product OEMed by Checkpoint. This software will work in conjunction with the firewall, but is separate software that needs its own platform.
Item "c" cites "Ensure the privacy and integrity of communications over the Internet." While there is no specific mention of Virtual Private Networks (VPNs), this requirement describes the role of a VPN connection. Is there a desire to support VPNs with this firewall implementation? If this is the case, then CheckPoint VPN-1 should be designated rather than CheckPoint Firewall-1.
Item "f" requests "high availability of services." High availability with CheckPoint firewalls is best accomplished with special software and a second firewall module that will be installed in parallel to the primary firewall. This will provide a fail-over capability to the primary firewall in case of failure of some subsystem. The second firewall module, sensing the failure, would transparently take over for the primary, maintaining all existing connections. Again, this is accomplished by use of 3rd party software that in this case would run on the firewall itself. It would also require the purchase of a second firewall module and supporting hardware and OS.
ANSWER: At the present time we are interested in the implementation of the CheckPoint Firewall with its standard capabilities and the ability to incorporate selected add-ons (options) (including 3rd party software) in the future. A single Firewall and single computer for each network satisfies our requirements for high availability. The proposal shall include information, pricing and delivery information for any software/hardware required to implement your Firewall package.

QUESTION 16: What is the role of the X.25 network? This could present security issues that could not be addressed by the firewall, depending on its role and topology. Is IP routed on this network? Is it attached to the primary LAN, or only to stand-alone systems?
ANSWER: See response to question 14.

QUESTION 17: Does your site have a Security Policy? Would you entertain consultation to develop one to improve overall security and ensure the proper implementation of the firewalls and other security measures?
ANSWER: Yes, we have a Security Policy in place. At the present time we are not entertaining the use of security consulting services.

QUESTION 18: How many IP nodes are on the internal (NAA/ERRC) networks (including printers, anything with an IP address)?
ANSWER: See response to Question 3.

QUESTION 19: What protocols are on the LAN internal (NAA/ERRC) networks, and which protocols actually leave the site via which router?
ANSWER: NAA LAN -- IP and IPX internal and only IP passes through the NAA router. ERRC LAN -- IP, DECNET and APPLETALK internal and only IP passes through the ERRC router.

QUESTION 20: I would like to know if we should respond to the RFP using CheckPoint FW-1 on Solaris?
ANSWER: No. Only Windows NT is acceptable. See Technical Specifications in the solicitation.

QUESTION 21: As there are no specific products mentioned to address the capability-related issues, and there is only space in the Addenda for pricing for the firewalls and related installation, training, and support, it is assumed that this information will alter the scope of this Solicitation. How should we, the bidders, address this?
ANSWER: See response to question 15. Also, insert your pricing for the items listed on all line items in Section A.2. Additional information can be provided as an attachment for optional software and equipment which would be required to enhance the proposed system. The attachment for options shall include the item and description, price, and delivery information. This additional information will be used to evaluate the overall cost to implement the entire system.

THE HOUR AND DATE SPECIFIED FOR RECEIPT OF OFFERS HAS BEEN CHANGED TO 3:30 P.M. ON SEPTEMBER 21, 1999. Posted 09/13/99 (W-SN379548). (0256)

Loren Data Corp. http://www.ld.com (SYN# 0316 19990915\70-0003.SOL)

