Tender: Provision of Firewall and Security Orchestration Solution
Contractor: International Atomic Energy Agency (IAEA), Vienna
Background: The provision of the Solution includes the supply, delivery, configuration, installation, testing and commissioning, as well as technical and consultancy services. Training will also be included as part of the Services for the purpose of managing the IAEA’s existing firewalls, network, vulnerability scanners and security systems. The Solution will be installed at IAEA Headquarters in Vienna, Austria and will allow for integration with other branch offices, as follows:
• IAEA Seibersdorf Laboratories, Seibersdorf, Austria;
• IAEA Environmental Laboratories Monaco; and
• Microsoft Azure Infrastructure as a Service (IaaS) data center
Mandatory Requirements:
4.1 Provide firewall policy management, including the automation of firewall operations and policy push;
4.2 Provide auditing and compliance, change management, and risk analysis, across all leading vendors and devices, including at minimum Cisco, Palo Alto Networks and Tenable;
4.3 Provide actionable recommendations based on industry best practice to clean up, optimize, reorder and tighten the recommended security policy for enhancing firewall performance;
4.4 Allow for consolidation of redundant and overlapping rules, based on source, destination and service commonality;
4.5 Automatically generate a dynamic, real-time network topology of firewalls and routers, including all relevant interfaces, subnets and zones, to help visualize and analyse complete networks;
4.6 Provide and generate visualization of firewalls and networks, and of on-premises, hybrid and cloud environments;
4.7 Provide support for Microsoft Azure by allowing continuous monitoring and support of automatic implementation of rule addition and rule removal for Microsoft Azure Network Security Groups and Azure firewalls;
4.8 Support a flexible and customisable out-of-the-box baseline configuration compliance for all network devices, with an option to customise and to create custom security baselines;
4.9 Detect and notify, via channels such as email or dashboard, any compliance and firewall policy violations;
4.10 Provide support for both L2 & L3 devices with search capabilities by IP address, subnets, object names, etc.;
4.11 Allow creation of traffic simulation queries in order to check and verify whether the traffic flows are permitted or not;
4.12 Support clean-up and optimization of firewall policy by detecting duplicated, unnecessary objects and overlapping and outdated security rules;
4.13 Support Palo Alto and Cisco and other similar network hardware by managing firewall and network security policies across multi-vendor and hybrid environments;
4.14 Discover risky traffic flows, such as a security breach or risk created by misconfigurations across different firewalls and cloud security groups, based on firewall policy violations, and detect them before the changes are implemented;
4.15 Identify network and security risks by auditing firewall policies and routing and configuring network devices on an hourly/daily/monthly basis;
4.16 Identify network and system vulnerabilities;
4.17 Provide the option to look up all the potential traffic/connectivity to and from an IP address;
4.18 Support and integrate Nessus vulnerability scanners;
4.19 Allow integration with major SIEM solutions; and
4.20 Provide an electronic report on business applications connectivity needs in terms of firewall rules and security policy.
Desirable Requirements: The Solution should be able to:
4.21 Enable auto-matching and correlation of change requests with current policy changes and ensure they are implemented in line with the requests and approvals;
4.22 Present vulnerabilities in an application context by integrating with leading vulnerability scanners;
4.23 Allow for customization with change management and workflow, ensuring it is completely modifiable to best match the business requirements;
4.24 Support role-based access for users; and
4.25 Integrate with a standard identity management solution for all management functions (such as RADIUS, LDAP and/or Microsoft Active Directory) with support for 2-factor authentication.
The technology underlying these services that are administered by IAEA staff includes:
• 800+ Servers, physical and virtualised (highly virtualised), Windows and Linux (predominantly Windows);
• 3500+ Client computers (desktop and notebook, Windows, Macintosh and Linux, predominantly Windows);
• 500+ Mobile devices (phones and tablets);
• MS Active Directory, multiple forests/multiple domains and additional standalone domains (such as for the DMZ);
• IPv4 wired and wireless networks, supporting client and server environments and Internet access;
• Network security systems providing access control; threat identification and blocking; centralised logging and Security Event and Incident Management;
• Multiple inter-site network communications connections;
• Multiple remote access systems;
• On-site dedicated data centres and rooms;
• Cloud-based and outsourced resources;
• Centralised and local IT Service Desks;
• Commercial and bespoke applications (client, client-server and web-based);
• Specialised laboratory, remote monitoring and embedded systems;
• Disaster recovery infrastructure