Executive Summary
BorderWare Technologies Inc is pleased to respond to the Happy Pharmaceuticals RFP for Internet Firewalls for the central site and two remote sites. The BorderWare Firewall Server provides the ideal solution for Happy Pharmaceuticals, combining the highest level of security with ease of management. In addition, the BorderWare Firewall incorporates a number of the essential support services that Happy Pharmaceuticals will need. The inclusion of these services will reduce Happy Pharmaceuticals' expenditure in the set-up and continuing maintenance of the upgraded Internet connections, lowering the total cost of ownership of the solution. The total product cost of a solution based on the BorderWare Firewall Server will be $24,499. As the BorderWare Firewall Server is a software product, this cost does not include server hardware. Total hardware costs are estimated at $18,760.
The Proposed Solution
BorderWare Technologies Inc (BTI) propose the use of the BorderWare Firewall Server at each of the three sites. Two systems will be installed at the central site (one for each ISP connection) and a single Firewall server will be installed at each remote site. The BorderWare Firewall Server is licensed according to the size of the protected network; licenses are available at the 25-user, 50-user, 200-user and unlimited level. There is also an enterprise license which allows a single organisation to deploy up to 6 copies of the BorderWare Firewall Server; each copy provided in the enterprise license is an unlimited user license. The enterprise license proves cost-effective for Happy Pharmaceuticals, meeting their immediate needs and providing two additional licenses for possible future expansion.
Integrated Services
One of the key differentiating features of the BorderWare Firewall Server is the inclusion of a set of basic services that most organisations need to provide, in addition to Firewall security, to correctly configure and operate their Internet connection. These services include Dual DNS, an E-mail Relay, an anonymous FTP Server and a WWW Server. The inclusion of these services in the Firewall significantly simplifies the initial configuration and continuing maintenance of the Internet connection.
The Dual DNS is essential for Happy Pharmaceuticals as they have specified a requirement for Network Address Translation (NAT). Running NAT requires that internal and external IP addresses be separated and that name resolution for internal and external systems be handled by separate Domain Name Servers. The BorderWare Firewall Server includes separate internal and external Domain Name Servers. The database files for each of these servers are created automatically during Firewall installation. The administrator then simply needs to add appropriate local information, a simple task using BorderWare's remote admin interface. Without the integrated Dual DNS it would be necessary to manually configure a split DNS at each site, a complex and time-consuming task.
BorderWare's E-mail Relay provides a secure and flexible mechanism for processing and routing e-mail. The RFP does not define Happy Pharmaceuticals' e-mail policy, but there are two options:
- To have all inbound e-mail delivered to the central site and to use the firstname.lastname@domain.com addressing convention.
- To have inbound e-mail delivered separately to each of the three sites.
BorderWare's e-mail relay can readily be configured to handle either of these approaches, ensuring that inbound mail reaches its intended destination regardless of its point of delivery.
This facility can be used to provide resilience over and above that requested in the RFP by enabling each of the four Internet connections to receive e-mail for the entire organisation. The mail routing capabilities of BorderWare's e-mail relay will ensure that e-mail service is maintained even in the highly unlikely event of three of the four Internet connections failing.
BorderWare's use of an e-mail relay to handle inbound and outbound mail has an important security advantage over other Firewalls that rely on an e-mail proxy or on packet filtering rules configured to pass e-mail. With BorderWare's mail relay, incoming messages are delivered first to the Firewall and then separately routed and delivered to the protected internal e-mail server. At no time is a direct or proxied connection established from the Internet to the protected mail server. This provides an important extra level of protection. If the e-mail server has a vulnerability that enables an attacker to gain operating system access through a standard inbound e-mail connection (many such vulnerabilities have been discovered in the past), then the entire internal network could be vulnerable. BorderWare protects the network by blocking all direct connections to the internal mail server. Other Firewall products that handle inbound e-mail through a proxy connection or that rely on packet filtering do not have this additional level of protection.
High-Availability Requirements
The requested level of high availability will be achieved by providing hot-standby Firewalls at each location. The BorderWare Firewall Server provides a very simple mechanism for making backups of the live Firewall's configuration and applying that configuration to the backup system. In addition, BTI's licensing policy allows a second copy of the Firewall to be maintained for standby use at no additional cost. The only additional costs incurred by Happy Pharmaceuticals will be additional hardware costs.
Each of the remote sites will have a single hot standby system. The configuration of this backup system should be kept in step with the primary system. This can be done locally by following a very simple procedure on the Firewall console, or remotely by an administrator in the central site connecting over the internal Frame Relay network.
The central site has a choice of deploying one or two standby systems. If two standby systems are maintained, then the configuration of the standby systems will be maintained through a procedure similar to that employed at the remote sites. Providing two standby systems will increase the hardware costs, and as high availability is ensured through the provision of dual Internet connections, Happy Pharmaceuticals may choose to maintain a warm standby system (installed but unconfigured). In the event of the failure of one of the live Firewalls, the appropriate configuration can quickly be restored. In either case the BorderWare Firewall Server provides the necessary configuration backup and restore facilities to ensure rapid restoration of service.
Sizing for Throughput and Capacity
The BorderWare Firewall Server runs on Intel hardware. Even modest configurations (333 MHz Celeron) have been benchmarked and shown to run at network speed on a 100 Mbit/s Ethernet LAN. There is therefore no problem in achieving the required level of throughput. The BorderWare Firewall Server has also been tested at over the specified 3,000 simultaneous connections. To ensure optimal performance at this level of traffic it is recommended that the BorderWare Firewall Server is installed on a 450 MHz PIII configured with at least 512 Mbytes memory.
Application Support
The BorderWare Firewall Server is an application proxy Firewall and includes built-in proxies for the required applications (FTP and HTTP). Configuring the Firewall for these applications is simply a matter of enabling the pre-configured proxies. The BorderWare Firewall Server also includes built-in proxies for other common applications (FTP, PopMail, NNTP, Real Audio etc). For user-developed applications the BorderWare Firewall Server includes a user-definable proxy. The user-definable proxy can be customised to support any TCP or UDP application.
Network Address Translation
The BorderWare Firewall Server includes Network Address Translation (NAT) as standard. In addition (as discussed in the Integrated Services section of this response), BorderWare provides a Dual DNS, ensuring that the internal and external address spaces are separated not only at the network level, but are also maintained in separate Domain Name Servers.
Centralised Management
The BorderWare Firewall Server is managed and configured through a Windows-hosted remote management interface. This interface (BWClient) is provided free of additional charge to all BorderWare users, so as many copies as are required can be deployed. This gives Happy Pharmaceuticals the freedom to have multiple network administrators at each site or to centralise all management at the main site. Administrators at the central site can connect over the internal Frame Relay network to manage the Firewalls.
If the management connection is made over the internal network, then username and password authentication may be used. If Happy Pharmaceuticals require stronger authentication or require encryption of the management connection, then BWClient connections can be authenticated with authentication tokens (CryptoCard, SecurID etc). If there is a requirement to establish a remote management connection over the Internet, then the use of authentication tokens and encryption of the data stream is mandatory. The encryption capability is built in to the Firewall Server and to BWClient. Authentication tokens must be purchased at an additional cost.
Alarms and Log Analysis
The BorderWare Firewall Server includes facilities to monitor attempted attacks and to raise alarms in real time. No additional components are needed. The BorderWare Firewall Server produces extensive logs; a third-party log analysis tool (such as Web Trends) is recommended for the production of summary reports.
Financial Summary
| Item | Cost |
| --- | --- |
| Software Costs | |
| BorderWare Firewall Server Enterprise License | $23,000 |
| Web Trends For Firewalls and VPNs (Report Generator) | $1,499 |
| Total | $24,499 |
| Hardware Costs | |
| Pentium III, 450 MHz, 512 Mbyte RAM, 4.5 Gbyte Disc, 2 Network Cards (Dell Power Edge 1300 used for pricing) | $2,680 each |
| Total (7 systems, assuming a single standby system at central site) | $18,760 |
| Optional Items | |
| Cryptocard Authentication Tokens (for strongly authenticated remote management) | $79 each |
Contact Details
BorderWare Technologies Inc
90 Burnhamthorpe Road West
Suite 1402
Mississauga
Ontario
Canada LB5 3C3
Phone: 1 905 804 1855
Fax: 1 905 804 1865
Web: http://www.borderware.com/
