Celgene N-IDPS RFP Request for Proposal
Proprietary and Confidential Unauthorized distribution or reproduction prohibited. Copyright © 2009 Celgene. All rights reserved.
Revision 1.0 (Draft)
Project: N-IDPS Printed on: 6/17/09 Last Saved: 10/30/2009

CONTENTS
1 Corporate Information ... 3
2 Purpose and Scope ... 4
  2.1 EXECUTIVE SUMMARY ... 4
  2.2 ISSUE ... 5
3 Instructions and Considerations ... 6
  3.1 DESIGNATED POINT OF CONTACT ... 6
  3.2 RELEVANT DATES ... 6
  3.3 PUBLICITY ... 6
  3.4 CELGENE CONFIDENTIAL INFORMATION ... 6
  3.5 OWNERSHIP OF MATERIAL ... 6
  3.6 RESPONSE SUBMISSION ... 6
  3.7 DISCLAIMER ... 7
4 Solution Overview ... 8
5 Functional Requirements ... 9
  5.1 CENTRALIZED MANAGEMENT ... 9
  5.2 PHYSICAL REQUIREMENTS ... 11
  5.3 RELIABILITY AND AVAILABILITY ... 12
  5.4 DETECTION ENGINE AND RULES ... 12
  5.5 NETWORK AND USER INTELLIGENCE ... 14
  5.6 IDS/IPS AUTOMATION ... 14
  5.7 IT POLICY COMPLIANCE ... 14
  5.8 NETWORK BEHAVIOR ANALYSIS (NBA) ... 15
  5.9 THIRD-PARTY INTEGRATION ... 15
  5.10 TARGET LOCATIONS AND THROUGHPUT REQUIREMENTS ... 16
1 CORPORATE INFORMATION

Celgene is a multinational biopharmaceutical company committed to improving the lives of patients worldwide. Celgene strives to deliver truly innovative and life-changing drugs for patients. Your mission as a company is to build a major global biopharmaceutical corporation while focusing on the discovery, the development, and the commercialization of products for the treatment of cancer and other severe, immune, inflammatory conditions. There are numerous clinical trials at major medical centers using compounds from Celgene. Investigational compounds are being studied for patients with incurable hematological and solid tumor cancers, including multiple myeloma, myelodysplastic syndromes, chronic lymphocyte leukemia (CLL), non-Hodgkin's lymphoma (NHL), glioblastoma, and ovarian, pancreatic and prostate cancer.
-- www.celgene.com

With a clear commitment to clinical accomplishment, Celgene is equally committed to patient support as a guiding principle. Celgene believes all who can benefit from its discoveries should have the opportunity to do so. Celgene puts patients first with industry-leading programs that provide information, support and access to our innovative therapies. With an ethics-driven culture, Celgene has demonstrated the need and the responsibility to protect information assets: its own and those of its customers, its patients, and its partners/suppliers.
2 PURPOSE AND SCOPE
Celgene provides this request with the objective to obtain a Global Network-Based Intrusion Detection/Prevention System (N-IDPS) solution that meets the comprehensive and enterprise-scalable requirements documented in this RFP. Please provide your responses to this RFP to address two stages of deployment: POC (Proof of Concept) and Production Implementation. Break out the associated costs for each stage with applicable equipment and consulting services. For example:

Proof of Concept:
  Equipment = Quote for 30 day evaluation
  Consulting Services = Quote for POC installation, configuration, testing, and administrator training

Production Implementation:
  Equipment = Quote for 4 major site deployment
  Consulting Services = Quote for installation, configuration, testing, and administrator training
2.1 EXECUTIVE SUMMARY
Celgene has assessed the need for network security tools that will enable it to identify network-based attacks that target system and software vulnerabilities. A network-based IDPS can detect and block such attacks, as well as act as a pre-patch shield for systems and applications. An N-IDPS can alert Security and IT Support personnel so that they can locate and remove culprit systems and/or remediate vulnerable systems. Furthermore, a robust N-IDPS will enable Security to conduct forensic investigations and produce accountability reports. In summary, an N-IDPS will give Celgene visibility into the type of traffic that is flowing through its network. With this diagnostic tool, Celgene can detect and prevent security risks from external and internal threats that can result in compromised systems, loss of data and productivity, and possible harm to reputation.
2.2 ISSUE
Currently, Celgene has robust firewalls that deny all network traffic except that which is explicitly permitted. While they perform this role satisfactorily, traffic from hosts and protocols that are explicitly permitted still presents a risk to Celgene network resources. Additionally, compromises from internal threats would not be addressed by perimeter firewall rules. Moreover, when there are incidents of deliberate or inadvertent violations, the tools to identify offending devices are either inadequate or dispersed across several systems. A security tool that could identify and preemptively stop such attacks would be a valuable asset to Celgene.
3 INSTRUCTIONS AND CONSIDERATIONS

3.1 DESIGNATED POINT OF CONTACT
Please contact Dennis Novak – Procurement Analyst – [email protected] (908)-8607738 with any questions that you might have. We would like to thank you for your prompt attention to this request.
3.2 RELEVANT DATES

Milestone Date   Event
10/05/09         Celgene RFP is issued
10/08/09         Bidders must email, through e-sourcing tool, Intent to Respond by 5:00 PM EST
10/12/09         Deadline for submitting RFP questions by 5:00 PM EST
10/19/09         Final date to submit proposal by 2:00 PM EST

3.3 PUBLICITY
Supplier agrees not to publish or use any advertising, sales, promotional, press release or publicity materials wherein the name or trademark of Celgene is used, or language is employed from which the connection of said name or mark could be inferred or implied, without prior written approval of Celgene.
3.4 CELGENE CONFIDENTIAL INFORMATION
Supplier agrees that all information will be kept confidential. This information will only be used for proposals to Celgene for furnishing material, software, documentation or services hereunder, and may not be used for other purposes except as may be agreed upon between the bidder and Celgene in writing.
3.5 OWNERSHIP OF MATERIAL
All materials submitted in response to this RFP shall become the property of Celgene and may be returned only at Celgene’s option.
3.6 RESPONSE SUBMISSION
Supplier will provide responses to this proposal in a single Microsoft Word or Adobe PDF document electronically.
3.7 DISCLAIMER
The purpose of this RFP is to solicit vendor responses to stated requirements for a project that Celgene intends to execute; however, receipt of this RFP is not to be interpreted as a commitment on the part of Celgene to purchase any product or service, or to be executed on the intended project in any manner. Celgene reserves the right to choose to proceed with and/or cease negotiations with any recipient of this RFP at any time during this process for any reason. The Vendor is required to indicate agreement with the conditions stated in this disclaimer by signing below:
___________________________________________________
Signature

_Supplier’s Company Name_____________________________

____________________________________   ___________
Title                                  Date
4 SOLUTION OVERVIEW

Celgene is seeking bids for a network-based IDPS solution that employs inline and/or passive sensors (appliances) with centralized management for analysis, alerting, and reporting on critical network segments and devices of any suspicious activity that may be external or internal to Celgene. The solution should be capable of analyzing network, transport, and application protocols using a variety of detection methods (signature-based and anomaly-based) as well as stateful protocol analysis techniques. A successful solution would also include an NBA (Network Behavior Analysis) system, which examines network traffic or statistics on network traffic to identify unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors), and policy violations (e.g., a client system providing network services to other systems). While the focus of this RFP is on in-house solutions that are owned and managed by Celgene employees and consultants, Celgene is open to a fee-for-service solution that includes external vendor monitoring, alerting, and reporting of internal devices that are owned by the vendor or Celgene. Describe the general approach/strategy your N-IDPS solution is based on. Summarize all of the key components and highlight any competitive advantages your solution may have. Ideally, provide network diagrams. Explain the solution’s ability to defend virtual environments.
5 FUNCTIONAL REQUIREMENTS

The following is an outline of functional requirements that a successful bid for N-IDPS consideration at Celgene should meet or exceed:
5.1 CENTRALIZED MANAGEMENT
The solution must feature a centralized management design that is scalable for a global implementation. The management console should be customizable and easy to use, while providing effective analysis and alerts, robust reports, and secured access:
A. Design features (physical and logical):
  1) The solution must support a centralized management design with hierarchical features:
     a. Each N-IDPS appliance (sensor) can be managed with a local administrative interface.
     b. A management console can manage multiple sensors.
     c. The management platform supports “Manager of Managers” capability, whereby one management console can manage multiple management consoles and push down global IPS, system, and appliance health policies to individual sensors.
  2) All traffic between N-IDPS appliances and the management console must be secure (i.e. authentication via key exchange or shared secret, and encryption).
  3) The management platform must be capable of centralized, life cycle management and configuration of all sensors, with the ability to group sensors, e.g. by location, function, or support team.
  4) The management platform must support both internal and external databases/systems for storage of event data, logs, and other system-generated information.
  5) The management platform must be capable of synchronizing time between all components of the system via NTP.

B. Administration and Access Management:
  1) The solution should support LDAP for single sign-on to sensors and the management console.
  2) The management console should support comprehensive administrative access management.
  3) The solution must support individual user accounts.
  4) Password strength, complexity, and expiration for management user accounts must be enforceable.
  5) The management platform must be capable of role-based administration, enabling different sets of views and configuration capabilities for different administrators subsequent to their authentication.
  6) Access to the management console must be accomplished using secure (encrypted) protocols.
  7) The management platform must be capable of logging all administrator activities, both locally and to a remote log server.

C. Analysis, Alert, and Report Capabilities:
  1) The management console must have comprehensive analysis and baselining capability. Provide a full description of your product’s analysis and baselining capabilities.
  2) The management platform must provide robust reporting capabilities, including a selection of pre-defined reports and the ability for complete customization and generation of new reports. Provide a full description of your product’s reporting abilities and any ‘canned reports’ that your product can produce.
  3) Reports should be able to be generated in a readily presentable and protected format (such as .pdf and .html) as well as editable formats (such as .doc, .xls, and .csv).
  4) The solution should also have efficient alerting tools based on thresholds (default and customizable). Provide a full description of your product’s alerting features.
     a. Alert analysis should provide the capability to identify the exact content observed that triggered the alert.
     b. The product should provide real-time alerting and support multiple mechanisms for issuing alerts (e.g., SNMP, e-mail, SYSLOG, SMS) to appropriate personnel.
     c. The alerting should be configurable based on standard and custom parameters.
     d. The criteria (or thresholds) should be configurable per alert type and alert destination (individual email addresses, syslog, SNMP, etc.).
  5) Views should have filter and sort capabilities, e.g. by signature, date/time, device name, or IP address subnet.
  6) Each view should be able to be exported for reporting and offline analysis purposes.
  7) The management platform must include flexible workflow capabilities for managing the complete life cycle of an event, from initial notification through to any response and resolution activities that might be required.
  8) The management platform must be capable of aggregating IDS/IPS events and of centralized, real-time monitoring and forensic analysis of detected events.
  9) Event syslogs should be generated, with the capability of their being sent to and analyzed by Security Incident/Event Monitoring (SIEM) and/or IT Global Operations Monitoring (GOM) network tools.
D. Ease of use and customization capabilities:
  1) The solution must be easy to install and configure.
  2) The management platform must provide a highly customizable dashboard.
  3) The management platform must be accessible via a Web-based interface, ideally with no need for a JRE or additional client software.
  4) The management platform must provide the capability to easily view, enable, disable, and modify individual rules, as well as groups or categories of rules.
  5) The management platform must be capable of automatically receiving rule updates published by the vendor and automatically distributing and applying rule updates to sensors.
  6) The management platform should include a scheduling subsystem to facilitate automation of routine tasks, such as backups, upgrades, report creation, and policy application.
5.2 PHYSICAL REQUIREMENTS
A. The management console hard drive capacity should be capable of storing a minimum of 6 months of data online while operating at a reasonable performance level, and should have a facility for archival of data and transfer of archived data to external media or an online system. (Note: It is understood that the amount of data generated by 6 months of activity at Celgene cannot be adequately determined from this RFP. It is also understood that performance level will be largely based on the hardware and software configuration of the management console. Thus, describe a reasonable level of events that can be processed and stored by the management console and your solution’s reasonable archival capability. Include typical management console hardware and software configurations that would achieve the performance levels described.)
B. The product should provide Layer 2 inline capability, supporting either 802.1q or ISL trunking, with Gigabit and/or Fast-Ethernet connectivity between 2 Cisco Catalyst series switches.
C. The preferred cabling for the implementation is category 5 or 6, but other cabling types such as fiber could be considered.
D. The solution should be able to utilize Cisco’s Gigabit Etherchannel or LACP channel technology to scale the bandwidth between the protected switch and the core switch if 1Gbps of bandwidth is insufficient at some point in the future. The N-IDPS solution should support this strategy for scaling bandwidth across 1 or more appliances as growth demands.
5.3 RELIABILITY AND AVAILABILITY
A. Sensors must be capable of failing open, such that communications traffic is still allowed to pass if the inline sensor goes down.
B. The management platform must be capable of monitoring the health of all components and issuing alerts for anomalous conditions.
C. The management platform must be capable of backup and rollback for sensor configurations and the management platform itself.
D. Sensors and management appliances must include redundant hardware components, such as power supplies, disks, and fans, to help ensure non-stop operations.
E. The management platform must be capable of a High Availability (HA) configuration.
F. Describe how your sensors can accommodate dual fail-over firewalls. Can your solution employ two input interfaces, either working concurrently or in a fail-over strategy?
G. The IDS/IPS sensors and management console must be based on a hardened operating system.
H. The supplier must have a detailed process for assuring the quality and reliability of its products.
5.4 DETECTION ENGINE AND RULES
A. The detection engine must have a long-standing track record of success.
B. The detection engine must be capable of operating in both passive (i.e., monitoring) and inline (i.e., blocking) modes.
C. The solution must be supported by a dedicated and highly experienced team responsible for threat and vulnerability research and for the generation and testing of new detection rules.
D. The management platform must include one or more default (i.e., predefined) detection policy configurations (or signature-based rules) to help simplify initial deployment.
E. Updated rules must be supplied by the product vendor at a reasonable frequency to ensure that protection against new threats is provided, typically within 48 hours of public disclosure. (Specify your SLA in this regard.)
F. Detection rules must be based on an extensible, open language that enables users to create their own rules, as well as to customize any vendor-provided rules.
G. Detection rules provided by the vendor must be documented, with full descriptions of the identity, nature, and severity of the associated vulnerabilities and threats being protected against.
H. The detection engine must be capable of detecting and preventing a wide variety of threats (e.g., malware, network probes/reconnaissance, VoIP attacks, buffer overflows, P2P attacks, zero-day threats, etc.).
I. The detection engine must be capable of detecting variants of known threats, as well as new threats (i.e., so-called “unknown threats”).
J. The detection engine must incorporate multiple approaches for detecting threats, including at a minimum exploit-based signatures, vulnerability-based rules, protocol anomaly detection, and behavioral anomaly detection techniques. Identify and explain each type of detection mechanism supported.
K. The detection engine must inspect not only network-layer details and information resident in packet headers, but a broad range of protocols across all layers of the computing stack and packet payloads as well.
L. The detection engine must be resistant to various URL obfuscation techniques common to HTML-based attacks.
M. The solution must incorporate measures to minimize the occurrence of both false positives and false negatives (i.e., mistaken and missed detection events, respectively).
N. The solution must be capable of detecting multi-part or extended threats by aggregating and correlating the multiple, disparate events associated with them.
O. Sensors must be capable of performing packet-level forensics and capturing raw packet data in response to individual events without significant performance degradation.
P. The detection engine must support multiple options for directly responding to events, such as monitor only, block offending traffic, replace packet payload, and capture packets.
Q. The management platform must be capable of setting thresholds such that multiple instances of specific events are required before an alert is issued.
R. The solution must be capable of detecting IPv6 attacks.
S. The solution should provide signature baselining capability, with the following options:
  1) Signature globally turned on or off
  2) Signature response set to ignore, log, alert, or block
  3) Signature turned off by source and/or destination address
  4) Signature response set to ignore, log, alert, or block by source and/or destination address
T. In addition to “standard” signatures, additional “intelligent” capability to identify and alert on/block zero-day attacks without a matching signature, such as anomaly- or heuristics-based threats, is required.
U. Please provide complete detail regarding what your product supports for signatures and baselining, as well as direct responses to the requirements stated above.
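The signature baselining options in item S and the event thresholds in item Q together describe a policy-resolution problem: which response applies to a given signature for a given source/destination pair, and how many hits are needed before anyone is alerted. The Python below is an added illustration of one way to evaluate such a policy; it is not code from the RFP or from any vendor, and the data model (SignaturePolicy, AddressOverride, CIDR-scoped overrides listed most-specific first) and all sample addresses are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

IGNORE, LOG, ALERT, BLOCK = "ignore", "log", "alert", "block"


@dataclass
class AddressOverride:
    """Address-scoped exception (5.4 S.3 / S.4). src/dst are CIDR strings or
    None meaning 'any'. enabled=False turns the signature off for the scope;
    response=None keeps the signature's global response. Hypothetical model."""
    src: Optional[str] = None
    dst: Optional[str] = None
    enabled: bool = True
    response: Optional[str] = None

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        src_ok = self.src is None or ip_address(src_ip) in ip_network(self.src)
        dst_ok = self.dst is None or ip_address(dst_ip) in ip_network(self.dst)
        return src_ok and dst_ok


@dataclass
class SignaturePolicy:
    """Global on/off and response (5.4 S.1 / S.2) plus a hit threshold (5.4 Q)."""
    sid: int
    enabled: bool = True
    response: str = ALERT
    overrides: List[AddressOverride] = field(default_factory=list)
    threshold_count: int = 1        # hits from one source needed before alerting
    threshold_window: float = 60.0  # seconds


def resolve_response(policy: SignaturePolicy, src_ip: str, dst_ip: str) -> str:
    """Effective response for one event: a globally disabled signature is ignored
    everywhere; otherwise the first matching override wins, falling back to the
    global response."""
    if not policy.enabled:
        return IGNORE
    for ov in policy.overrides:
        if ov.matches(src_ip, dst_ip):
            return IGNORE if not ov.enabled else (ov.response or policy.response)
    return policy.response


class ThresholdTracker:
    """Sliding-window hit counter keyed by (signature id, source address)."""

    def __init__(self) -> None:
        self._hits = defaultdict(deque)

    def reached(self, policy: SignaturePolicy, src_ip: str, ts: float) -> bool:
        q = self._hits[(policy.sid, src_ip)]
        q.append(ts)
        while q and ts - q[0] > policy.threshold_window:  # expire old hits
            q.popleft()
        return len(q) >= policy.threshold_count


def process_event(policy, tracker, src_ip, dst_ip, ts) -> str:
    """Scope resolution followed by thresholding: alert/block only once the source
    has tripped the signature threshold_count times inside the window; earlier
    hits are logged so the evidence is kept without paging anyone."""
    action = resolve_response(policy, src_ip, dst_ip)
    if action in (ALERT, BLOCK) and not tracker.reached(policy, src_ip, ts):
        return LOG
    return action


# Constructed sample policy: block scans globally, exempt the authorised
# vulnerability-scanner subnet, and only alert for the lab network.
SCAN_SIG = SignaturePolicy(
    sid=1001, response=BLOCK, threshold_count=3, threshold_window=30.0,
    overrides=[
        AddressOverride(src="10.10.5.0/24", enabled=False),
        AddressOverride(dst="10.20.0.0/16", response=ALERT),
    ],
)


def demo() -> List[str]:
    """Feed five constructed events through the policy and return the actions."""
    tracker = ThresholdTracker()
    actions = [process_event(SCAN_SIG, tracker, "10.10.5.7", "10.1.1.1", 0.0)]
    for t in (1.0, 2.0, 3.0):  # three hits from one external host at the lab
        actions.append(process_event(SCAN_SIG, tracker, "192.0.2.9", "10.20.3.4", t))
    # same source now probing production: its counter is already over threshold
    actions.append(process_event(SCAN_SIG, tracker, "192.0.2.9", "10.1.1.1", 4.0))
    return actions  # ["ignore", "log", "log", "alert", "block"]
```

Note that the counter is keyed by source only, so hits against the lab and against production accumulate together; keying by (source, destination) would be the alternative if per-target thresholds are wanted.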
5.5 NETWORK AND USER INTELLIGENCE
A. The solution must be able to passively gather information about network hosts and their activities, such as operating system, services, open ports, client applications, and vulnerabilities, to assist with multiple activities, such as intrusion event data correlation, elimination of false positives, and policy compliance.
B. The solution must be able to passively gather information about session flows for all monitored hosts, including start/end time, ports, services, and amount of data.
C. The solution must be able to passively detect pre-defined services, such as FTP, HTTP, POP3, Telnet, etc., as well as custom services.
D. The solution must be capable of storing user-defined host attributes, such as host criticality or administrator contact information, to assist with compliance monitoring.
E. The solution should be able to passively gather user identity information, mapping IP addresses to usernames, and making this information available for event management purposes.
F. The aforementioned network and user intelligence should be passively gathered using existing IPS appliances (no separate appliances required).
5.6 IDS/IPS AUTOMATION
A. The solution must be capable of employing an extensive set of contextual information (e.g., pertaining to the composition, configuration, and behavior of the network and its hosts) to improve the efficiency and accuracy of both manual and automatic analysis of detected events.
B. The solution must be capable of significantly reducing operator effort and accelerating response to threats by automatically prioritizing alerts, ideally based on the potential for correlated threats to successfully impact the specific hosts they are directed toward.
C. The solution must be capable of dynamically tuning IDS/IPS sensors (e.g., selecting rules, configuring policies, updating policies, etc.) with minimal human intervention.
D. The solution must be capable of automatically providing the appropriate inspections and protections for traffic sent over non-standard communications ports.
E. The solution must be capable of defending against IPS-evasion attacks by automatically using the most appropriate de-fragmentation and stream reassembly routines for all traffic based on the characteristics of each destination host.
5.7 IT POLICY COMPLIANCE
A. The solution must provide capabilities for establishing and enforcing host compliance policies and alerting on violations.
B. The solution must be capable of exempting specific hosts from specific compliance rules and suppressing corresponding compliance events and alerts.
C. The solution must be capable of easily identifying all hosts that exhibit a specific attribute or non-compliance condition.
5.8 NETWORK BEHAVIOR ANALYSIS (NBA)
A. The system must provide a full-featured NBA capability to detect threats emerging from inside the network (i.e., ones that have not passed through a perimeter IPS). This includes the ability to establish “normal” traffic baselines through flow analysis techniques (e.g., NetFlow) and the ability to detect deviations from normal baselines.
B. The NBA capability must provide visibility into how network bandwidth is consumed to aid in troubleshooting network outages and performance degradations.
C. The NBA capability must provide the ability to link Active Directory and/or LDAP usernames to IP addresses related to suspected security events.
D. The NBA capability must provide the option of supplying endpoint intelligence to the IPS for correlation against intrusion events to aid in event impact prioritization.
E. The same network appliances used for IPS must also be used as part of the NBA capability. No NBA-only appliance should be required.
F. The same management platform used for IPS must also be used to manage the NBA capability. No NBA-only management components should be required.
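Item A above, together with the overview's example of a policy violation (a client system providing network services to other systems), amounts to a baseline-and-deviation check over flow records. The Python below is an added illustration of that check and is not code from the RFP or from any vendor; the reduced flow-record shape, the CLIENT_NET range, the thresholds, and every traffic figure are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

CLIENT_NET = ip_network("10.50.0.0/16")  # constructed: workstation address range


def flow(window, src, dst, dst_port, nbytes):
    """One NetFlow-style record reduced to the fields the checks below need."""
    return {"window": window, "src": src, "dst": dst, "dst_port": dst_port, "bytes": nbytes}


def build_baseline(flows):
    """Per-host (mean, stddev) of outbound bytes per time window, learned from
    historical flows. A host absent from a window counts as zero for it."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["window"], f["src"])] += f["bytes"]
    windows = sorted({w for (w, _) in totals})
    baseline = {}
    for host in {h for (_, h) in totals}:
        series = [totals.get((w, host), 0) for w in windows]
        baseline[host] = (mean(series), pstdev(series))
    return baseline


def detect_volume_anomalies(baseline, flows, sigma=3.0, min_delta=1_000_000):
    """Hosts whose outbound bytes in one observed window exceed mean + sigma*stddev.
    min_delta stops a host with a flat, tiny baseline (stddev 0) from being
    flagged for a few extra kilobytes."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    findings = []
    for host, sent in totals.items():
        m, sd = baseline.get(host, (0.0, 0.0))  # unknown host: no history yet
        if sent > m + sigma * sd and sent - m >= min_delta:
            findings.append((host, sent, round(m)))
    return findings


def detect_client_serving(flows, server_ports=(22, 80, 443, 445, 3389), min_clients=2):
    """Policy violation from section 4: a workstation in CLIENT_NET accepting
    connections on a service port from at least min_clients distinct hosts."""
    peers = defaultdict(set)
    for f in flows:
        if ip_address(f["dst"]) in CLIENT_NET and f["dst_port"] in server_ports:
            peers[(f["dst"], f["dst_port"])].add(f["src"])
    return sorted(k for k, hosts in peers.items() if len(hosts) >= min_clients)


# Constructed history: five quiet windows for three workstations
TRAINING = []
for w in range(5):
    TRAINING += [
        flow(w, "10.50.1.10", "203.0.113.10", 443, 200_000 + 10_000 * w),
        flow(w, "10.50.1.11", "203.0.113.10", 443, 150_000),
        flow(w, "10.50.2.20", "10.1.0.5", 445, 50_000),
    ]

# Constructed observation window: 10.50.1.10 sends 40 MB to a new external host,
# and peers begin connecting to 10.50.2.20 on SMB and RDP.
OBSERVED = [
    flow(5, "10.50.1.10", "198.51.100.7", 443, 40_000_000),
    flow(5, "10.50.1.11", "203.0.113.10", 443, 160_000),
    flow(5, "10.50.1.10", "10.50.2.20", 445, 5_000),
    flow(5, "10.50.1.11", "10.50.2.20", 445, 5_000),
    flow(5, "10.50.3.30", "10.50.2.20", 3389, 5_000),
]


def analyze():
    """Run both checks over the constructed data."""
    baseline = build_baseline(TRAINING)
    return {
        "volume": detect_volume_anomalies(baseline, OBSERVED),  # 10.50.1.10 flagged
        "serving": detect_client_serving(OBSERVED),             # SMB on 10.50.2.20
    }
```

In the constructed data 10.50.1.11 is slightly above its flat baseline but stays under min_delta, and the single RDP client to 10.50.2.20 stays under min_clients, so only the two genuine deviations are reported.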
5.9 THIRD-PARTY INTEGRATION
A. The management platform must include an integration mechanism, preferably in the form of open APIs and/or standard interfaces, to:
  1) Enable automatic response to threats by external components and remediation applications, such as routers, firewalls, patch management systems, etc.;
  2) Enable events and log data to be shared with external network and security management applications, such as trouble-ticketing systems, Security Information and Event Managers (SIEMs), systems management platforms, log management tools, and network operations monitoring systems (e.g. NeTreo);
  3) Receive information from external sources, such as configuration management databases, vulnerability management tools, and patch management systems, for threat correlation and IT policy compliance purposes;
  4) Export SNMP information to network management systems;
  5) Obtain network intelligence (i.e., NetFlow) from Cisco routers and switches.
B. As mentioned in the section on NBA, the solution should be capable of integrating with Microsoft Active Directory or LDAP services in order to make appropriate correlations and identification of workstations and user accounts, as they relate to any triggered alerts and baselining of the environment.
5.10 TARGET LOCATIONS AND THROUGHPUT REQUIREMENTS
Celgene intends for the Network-based IDPS implementation to cover the following locations, with their associated throughput requirements*:

1. Summit, NJ (major location)            1 Gbps
2. Boudry, Switzerland (major location)   1 Gbps
3. Marin, Switzerland (major location)    1 Gbps
4. San Diego (branch location)            2 Mbps

* There are approximately 23 additional branch locations throughout the US, Europe and Asia that have internet connectivity and would be candidates for N-IDPS deployment; however, only the 4 sites listed are within the scope of this RFP.
* Depending on a variety of factors (patch management policy, operating systems, etc.), the N-IDPS implementation may be expanded to cover specific server farms; while this is outside the scope of this RFP, the suitability of an N-IDPS solution for such an implementation will be taken into consideration.