Current Network
Happy Pharmaceuticals, Inc. has a three site enterprise network that is connected to the Internet at multiple points. Currently the company is not using firewalls, but instead has a few older proxy servers that are limited in scalability and functionality. The company's business has been growing so it is upgrading its current dual T1 connections from the central site network to higher bandwidth T3 connections. The two regional sites will be upgraded from fractional T1 connections to the Internet to full T1 connections.
Current and Future Firewall Requirements
Happy Pharmaceuticals requires its network to be highly available, achieving at least a 99.99% uptime; otherwise known as 'four nines' availability. Any firewall technology put in place must be able to maintain 'four nines' availability, at a minimum. Having a backup firewall on 'hot' standby, ready to take over from the primary firewall is a viable option, if it is not cost prohibitive. The current planned connection to the Internet from the Central Site is over dual T3 connections. The T3's go to separate ISPs and will both be used for traffic. (see figure 1)
Comment by CyberGuard
A four nines availability means that no more than 52 minutes of outage can be tolerated in a calendar year. The traffic engineering done by Happy Pharmaceuticals indicates that two T3 connections are required to accommodate the system traffic. If two outages occur per year, then the spare equipment must be placed in service within 26 minutes. This rapid response implies that hot spare equipment must be immediately available. Since this is the case, the CyberGuard High Availability Solution can automatically switch in the standby firewall within ten seconds. Over 300 failures per year would be required to exceed the four nines availability specification.
Quote from RFP
The firewall solution chosen must be able to process high speed traffic since a switched Fast Ethernet connection is on one side of the firewall (100 Mbit/s) and a 45 Mbit/s T3 connection is on the Internet side. The majority of the traffic will be FTP and HTTP traffic and more than 3000 user sessions are possible at any given time. Since the company has developed some of their own applications for use over the Internet, the firewall should provide some capability to customize security features to address new or unknown applications. The firewall should be able to handle up to 3000 user sessions and still provide additional room for growth.
Comment by CyberGuard
The CyberGuard firewall may be operated with either 100 Mbit/s fast Ethernet, 200 Mbit/s full duplex fast Ethernet, 155 Mbit/s FDDI, or any combination of the above. As measured by NSTL, the CyberGuard Firewall can proxy traffic at a minimum of 85 Mbit/s. Since this is almost double the capacity of a saturated T3 connection, the CyberGuard firewall will be able to easily handle the projected traffic load. In addition, the lab tested the total connection limit for the CyberGuard firewall to exceed 70,000 TCP connections.
Quote from RFP
Since Happy Pharmaceuticals' network is growing, the network managers want to run Network Address Translation (NAT) on the firewall to allow them to use a larger IP address space. The Firewall solution should not negatively affect the network performance even with NAT running.
Comment by CyberGuard
The use of Network Address Translation was also measured in the NSTL tests. The testers found that firewall throughput dropped one percent when Network Address Translation was used.
Quote from RFP
Centralized management of all the firewalls, central site as well as remote site, is critical since there is limited resource available on the IT team and travel between sites is very costly. Each firewall's rule base should be stored and updated in one single location and distributed securely to each firewall as needed. Figure 1 shows the proposed location of the firewalls throughout the upgraded network.
Comment by CyberGuard
The CyberGuard firewall offers robust centralized management tools. The Central Commander allows the storage of each remote firewall's rule base, user set, and access control privilege in a central location. Changes to these databases can be propagated securely to each target firewall. In addition, Secure Remote Administration will allow Happy Pharmaceuticals' IT staff to have full control over a remote firewall as if they were sitting at the keyboard.
Quote from RFP
A strong security logging capability and log file analysis with report generation is also required. This capability can be built into the firewall or a separate workstation on the network. It could be a 3rd party product that interfaces with the firewall completely. If an attempted attack or break in occurs and is logged, the firewall should have some mechanism to page a network manager or alert the standard network management platform. Happy Pharmaceuticals is expecting to receive a plan that describes the number of firewalls required to meet the above requirements and the recommended configuration of the firewalls. A total cost for the solution is also required as well as the cost of any 3rd party software that the vendor recommends for log file analysis.
Comment by CyberGuard
The network design proposed by CyberGuard places a CyberGuard High Availability Firewall between the Central site network and each of the T3 connections. The design is based upon the reliable Compaq 5500 server equipped with four 400 MHz Xeon Pentium processors and 1 GB of RAM each. This is the same configuration chosen by other Fortune 500 CyberGuard customers. It is assumed that the two remote sites will not require the same horsepower as the central site. CyberGuard recommends a thorough traffic analysis before determining exact hardware specifications; the initial recommendation is a dual Pentium processor platform, with an estimated cost of $7,500 per unit. CyberGuard is not recommending the High Availability Firewall for the remote site at this time because a failure of a remote site firewall could be corrected by routing traffic through the other remote site's connection. Total cost for the solution would be $125,510 (itemized price quote follows).
Note: There are some very serious concerns regarding operating a network with two independent connections to two portions of the public internet. Meticulous attention must be paid to routing details to prevent routing loops. It looks simple on the surface, but internal stations can only have one default route. There is no IP mechanism for an internal host to choose two different ISP's automatically. In addition, it may be necessary to disable "pass client address" on the NAT firewalls. This will mean the internal web server's logs will show all connections as coming from the inside of the firewall. The web master will be unable to track source addresses from external traffic. In short, this can work but it will be a high maintenance network. CyberGuard suggests that the client give some thought to using one high availability ISP with space diversity T3 circuits and a single HA firewall. The ISP and associated routers can be configured for high availability just like a firewall can.
The cost of this alternative proposal would be $77,340.
Price Quotation
Date: 07/01/99
Happy Pharmaceuticals, Inc
Quotation: 21067
| Item | Qty | Model Number | Description | Unit Price | Extended Price | Monthly Maint. |
|---|---|---|---|---|---|---|
| 1 | 2 | CSHA300 | CyberGuard Firewall for UnixWare HA+ Packaged System. Complete package including both required CyberGuard Firewalls Includes: Minimum 64 MB recommended | 35,995 | 71,990 | |
| 2 | 2 | CS206C | Central Management Central Commander Upgrade Software. This software adds the Central Management features to a standalone firewall. | 4,995 | 9,990 | |
| 3 | 6 | CS204S | CyberGuard Secure Remote Management Master Module. This software enables you to completely control individual remote firewalls. At least one Secure Remote Management Agent (CS204R) must be ordered in conjunction with the Master. | 2,995 | 17,970 | |
| 4 | 6 | CS204R | CyberGuard Secure Remote Management Agent Module. This software enables the Remote firewall to be completely controlled by the Secure Remote Management Master. Secure Remote Management Master (CS204S) must also be ordered. | 595 | 3,570 | |
| Subtotal--Hardware | | | | | 71,990 | |
| Subtotal--Software | | | | | 53,520 | |
| Total | | | | | 125,510 | |
Payment Terms: Net 30 Days
FOB: Fort Lauderdale, Florida
Valid until: 07/31/99
Delivery: 90 Days (ARO)
Maintenance: Standard Service
Warranty: Ninety (90) day onsite
Terms & Conditions: Standard Terms & Conditions
CyberGuard Corporation
2000 West Commercial Blvd., Suite 200, Ft. Lauderdale, FL 33309-1892
954.958.3900
