Networx Unit Pricer

Service Guides: Intrusion Detection and Prevention Service (IDPS)

1. Overview

Networx Security Services - Overview

The Networx contracts require a basic level of security management from their contractors that ensures compliance with the Federal Government's generally accepted security principles and practices, or better. The contracts employ adequate and reasonable means to ensure and protect the integrity, confidentiality, and availability of Networx services, Operational Support Systems (OSS), and Government information transported or stored in the contractor's Networx services infrastructure. These requirements are detailed in Section C.3.3.2 Security Management of the Networx contracts.

In addition to this mandatory level of security, the Networx contracts provide additional security services that may be ordered on a fee-for-service basis. These are:

  1. Managed Tiered Security Service (MTSS)
  2. Managed Firewall Service (MFS)
  3. Intrusion Detection and Prevention Service (IDPS)
  4. Vulnerability Scanning Service (VSS)
  5. Anti-Virus Management Service (AVMS)
  6. Incident Response Service (INRS)
  7. Managed E-Authentication Service (MEAS)
  8. Secure Managed E-Mail Service (SMEMS)

The IDPS offering is described below.

2. Technical Description

IDPS Technical Summary

Agency networks, like their commercial counterparts, continue to be challenged with increasing security risks. IDPS serves as a component of the Agency's security infrastructure by providing an extra layer of protection for its internal networks. The service enables the monitoring and identification of potential security threats, and helps reduce network service disruptions caused by malicious attacks. IDPS analyzes packet activity for indications of network attack, misuse, and anomalies. The service then generates alerts and records suspicious events.

IDPS builds on the FTS2001 contracts offerings. The service connects to and interoperates with the Agency networking environment, including Demilitarized Zones (DMZs) and secure LANs as required by the Agency. The service also supports connectivity to extranets and public networks such as the Internet.

The contractor provides the IDPS software and hardware components, as required. The Agency may order one or more of the following:

  • Intrusion Detection and Prevention Service (IDPS) to secure the Agency's internal networks.
  • Host Intrusion Detection and Prevention Service (Host IDPS), which monitors critical Agency servers for security breaches and misuse while enforcing best industry practices and Agency security policies.

The diagram below illustrates a sample IDPS implementation. Illustrative hardware such as edge routers and Agency servers are not provided as part of the IDPS.

Currently IDPS does not provide any features.

3. Technical Detail

IDPS is an intrusion recognition and mitigation service that protects Agency networks against cyber attacks. The service detects signs of intrusion that may jeopardize the confidentiality, integrity, availability, and control of Agency networks. IDPS supports corrective responses to stop or alleviate malicious attacks. IDPS helps to maintain the availability of Agency mission-critical resources.

IDPS supports a range of technical capabilities that are available in commercial offerings. These include design and implementation services to allow the Agency and the contractor to discuss matters such as system recommendations, a baseline assessment, rules, signature sets, configurations, and escalation procedures. In addition, the service proactively monitors the Agency network on a 24x7 basis for indications of compromise such as intrusions, anomalies, malicious activities, and network misuse. IDPS also performs anomaly detection to identify atypical traffic trends and unusual behaviors that may indicate a potential attack. The service detects precursor activities such as unauthorized network probes, sweeps, and scans. In addition, IDPS performs signature-based detection and analyzes system activity for known attacks such as, but not limited to, buffer overflows, brute force, Denial of Service (DoS), and reconnaissance efforts. The service responds dynamically to threats and takes proactive and corrective actions to secure the network. These measures include, for example, automatically terminating affected connections, blocking traffic from the originating host, and disconnecting ports. These and other service capabilities are detailed in Section C.2.10.2.1.4 Technical Capabilities of the Networx contracts.

IDPS is required to support the User-to-Network Interfaces (UNIs) defined in applicable Networx services, for example:

  • C.2.4.1 Internet Protocol Service (IPS)
  • C.2.7.2 Premises-based IP VPN Services (PBIP-VPNS)
  • C.2.7.3 Network-based IP VPN Services (NBIP-VPNS)

Each Networx contractor may provide variations or alternatives to the offering and pricing for IDPS. The specific details can be found within each Contractor's Networx contract files and pricing notes for IDPS.

For more information on the general IDPS specifications and requirements, please refer to Section C.2.10.2 of the Networx contract for technical specifications and Section B.2.10.2 for pricing.

4. Price Description

IDPS Price Basics

IDPS is an intrusion recognition and mitigation service that detects signs of intrusion that may jeopardize the confidentiality, integrity, availability, and control of Agency networks. IDPS builds on the FTS2001 contracts offerings. Basic services include software, installation, maintenance and ongoing service support and are available as:

  • Intrusion Detection and Prevention Service (IDPS) to secure the Agency's internal networks, available in the following two tiers:
    • Tier I: IDPS support for up to and including 100 Mbps
    • Tier II: IDPS support for over 100 Mbps and up to and including 1 Gbps
  • Host Intrusion Detection and Prevention Service (Host IDPS), priced per server, which monitors critical Agency servers for security breaches and misuse while enforcing best industry practices and Agency security policies.

Price components required for service are:

  • Underlying transport services, such as IPS, NBIP-VPNS or PBIP-VPNS, to provide connectivity
  • Basic service (NRC and/or MRC) consisting of either:
    • IDPS (NRC + MRC per IDPS device). Two (2) tiers of service are available based on required bandwidth.
    • Host IDPS (NRC + MRC per server)
  • No features available currently
  • Service Enabling Devices (SEDs) may be required to implement IDPS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus an NRC for installation and an MRC for maintenance.]

Example 1: IDPS support for over 100 Mbps and up to and including 1 Gbps

  • Choose Networx telecommunications services such as NBIP-VPNS
  • Choose CLIN 340002 (Intrusion Detection and Prevention Service: Tier II NRC per IDPS device)
  • Choose CLIN 340102 (Intrusion Detection and Prevention Service: Tier II MRC per IDPS device)
  • Service Enabling Devices (SEDs) may be required to implement IDPS. Illustrative hardware is not provided as part of the IDPS.

Example 2: Host IDPS

  • Choose Networx telecommunications services such as IPS
  • Choose CLIN 340003 (Host Intrusion Detection and Prevention Service NRC per service)
  • Choose CLIN 340103 (Host Intrusion Detection and Prevention Service MRC per service)
  • Service Enabling Devices (SEDs) may be required to implement Host IDPS. Illustrative hardware is not provided as part of the IDPS.

Each Networx contractor may provide variations or alternatives to the offering and pricing for IDPS. The specific details can be found within each Contractor's Networx contract files and pricing notes for IDPS.

For more information on the general IDPS specifications and requirements, please refer to Section C.2.10.2 of the Networx contract for technical specifications and Section B.2.10.2 for pricing.