Networx Unit Pricer

Service Guides: Managed Firewall Service (MFS)

1. Overview

The Networx contracts require a basic level of security management from their contractors that ensures compliance with Federal Government generally accepted security principles and practices, or better. The contracts employ adequate and reasonable means to ensure and protect the integrity, confidentiality, and availability of Networx services, Operational Support Systems (OSS), and Government information transported or stored in the contractor's Networx services infrastructure. These requirements are detailed in Section C.3.3.2 Security Management of the Networx contracts.

In addition to this mandatory level of security, the Networx contracts provide additional security services that may be ordered on a fee-for-service basis.

These are:

  1. Managed Tiered Security Service (MTSS)
  2. Managed Firewall Service (MFS)
  3. Intrusion Detection and Prevention Service (IDPS)
  4. Vulnerability Scanning Service (VSS)
  5. Anti-Virus Management Service (AVMS)
  6. Incident Response Service (INRS)
  7. Managed E-Authentication Service (MEAS)
  8. Secure Managed E-Mail Service (SMEMS)

The MFS offering is described below.

2. Technical Description

MFS Technical Summary

MFS builds on the FTS2001 contracts offerings. The service is implemented to secure internal Agency networks. MFS allows Agencies to mitigate the increasing network security risks they face. The service is one of the security tools that will help reduce service disruptions caused by malicious access, and prevent unauthorized access to or from private networks, such as Local Area Networks (LANs).

MFS safeguards internal networks and systems from hostile activity, protecting critical data from compromise and tampering. As buffers between trusted internal networking environments and external networks, firewalls inspect traffic according to a set of defined security policies, blocking all traffic not meeting the Agency's criteria.

MFS connects to and interoperates with the Agency networking environment, including Demilitarized Zones (DMZs) and secure LANs as required by the Agency. The service also supports connectivity to extranets and public networks such as the Internet.

The contractor provides the firewall software and hardware components, as required. The Agency may order one or more of the following:

  • Premises-based firewalls deployed at the Agency location.
  • Network-based firewalls located in the contractor's infrastructure.
  • Application/proxy-based firewalls, positioned and implemented as per Agency needs, that monitor traffic at the application layer.

The diagram below illustrates a sample firewall implementation. Illustrative hardware such as edge routers and Agency servers are not provided as part of the MFS.

MFS also offers several features that complement the basic service. They are:

  • Demilitarized Zones (DMZs) Support
  • Email Security
  • Extranet Support
  • Fast Ethernet Connection
  • Firewall Load Balancing
  • Firewall Redundancy
  • Firewall-to-Firewall VPNs
  • Personal Firewalls
  • Remote Client VPNs
  • Uniform Resource Locator (URL) Filtering
  • User Authentication Integration

These features are described in Section C.2.10.1.2 Features of the Networx contracts.

3. Technical Detail

MFS provides Agencies' internal networks with a layer of protection against cyber attacks. This includes providing Agencies with real-time monitoring that helps mitigate attacks and maintain the availability of Agency mission-critical resources, and a single point of accountability for designing, implementing, managing, monitoring, and maintaining the security solution.

MFS will support the full range of technical capabilities that are available in commercial offerings. These include implementing firewall security policies according to the Agency's needs, proactively monitoring the firewall components on a 24x7 basis, and detecting suspicious activity and policy violations. MFS employs various protection techniques, including but not limited to Stateful Packet Inspection, Network Address Translation (NAT) and Port Address Translation (PAT), to guard the Agency's networks from attacks. The service also uses best practices against Denial of Service (DoS), Ping of Death, IP Spoofing, SYN Flood, and Teardrop attacks. These and other service capabilities are detailed in Section C.2.10.1.1.4 Technical Capabilities of the Networx contracts.

MFS is required to support the User-to-Network Interfaces (UNIs) defined in applicable Networx services, for example:

  • C.2.3.1 Frame Relay Service (FRS)
  • C.2.3.2 Asynchronous Transfer Mode Service (ATMS)
  • C.2.4.1 Internet Protocol Service (IPS)
  • C.2.7.2 Premises-based IP VPN Services (PBIP-VPNS)
  • C.2.7.3 Network-based IP VPN Services (NBIP-VPNS)

Each Networx contractor may provide variations or alternatives to the offering and pricing for MFS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MFS.

For more information on the general MFS specifications and requirements, please refer to Section C.2.10.1 of the Networx contract for technical specifications and Section B.2.10.1 for pricing.

4. MFS Price Description

MFS Price Basics

MFS builds on the FTS2001 contracts offerings. MFS provides the following components:

  • Premises-based firewalls deployed at the Agency location.
  • Network-based firewalls serving the Agency from the contractor's infrastructure.
  • Application/proxy-based firewalls, implemented as per agency requirement, monitor traffic at the application layer.

Premise-based and network-based MFS basic services are available in the following three Tiers:

  • Tier I - providing firewall support up to 10 Mbps and up to 100 IP addresses
  • Tier II - providing firewall support for up to 100 Mbps and up to 1,000 IP addresses
  • Tier III - providing firewall support for up to 1 Gbps and unlimited IP addresses

Price components required for service are:

  • Underlying transport services, such as FRS or IPS, to provide connectivity
  • Basic service (NRC and/or MRC) consisting of either:
    • Premise-Based MFS (NRC + MRC per firewall). Three (3) tiers of service are available based on required bandwidth and number of IP addresses.
    • Network-Based MFS (NRC + MRC per firewall). Three (3) tiers of service are available based on required bandwidth and number of IP addresses.
    • Application Proxy-Based MFS is priced ICB (NRC + MRC).
  • Features ordered as needed by the Agency:
    • Demilitarized Zones (DMZs) Support
    • Email Security
    • Extranet Support
    • Fast Ethernet Connection
    • Firewall Load Balancing
    • Firewall Redundancy
    • Firewall-to-Firewall VPNs
    • Personal Firewalls
    • Remote Client VPNs
    • Uniform Resource Locator (URL) Filtering
    • User Authentication Integration
  • Service Enabling Devices (SEDs) may be required to implement MFS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation, and a MRC for maintenance.]
    • SEDs are required to implement Premise-based MFS
    • SEDs may be required to implement Network-based MFS
    • SEDs are required to implement Application/proxy-based MFS

Example 1: Premise-based MFS providing firewall support up to 10 Mbps and up to 100 IP addresses:

  • Transport: Choose Networx telecommunications services such as FRS
  • Premise-based NRC: Choose CLIN 300001 (Premise-Based MFS: Tier I NRC per firewall)
  • Premise-based MRC: Choose CLIN 300101 (Premise-Based MFS: Tier I MRC per firewall)
  • SEDs are required to implement Premise-based MFS. Illustrative hardware such as routers and Agency servers are not provided as part of the MFS.

Example 2: Network-based MFS providing firewall support up to 500 Mbps and up to 2,000 IP addresses:

  • Transport: Choose Networx telecommunications services such as IPS
  • Network-based NRC: Choose CLIN 300203 (Network-Based MFS: Tier III NRC per firewall)
  • Network-based MRC: Choose CLIN 300303 (Network-Based MFS: Tier III MRC per firewall)
  • SEDs may be required to implement Network-based MFS. Illustrative hardware such as routers and Agency servers are not provided as part of the MFS.

Example 3: Application/proxy-based firewall:

  • Transport: Choose Networx telecommunications services such as IPS
  • Application Proxy Firewall NRC: Choose CLIN 300401 (Application Proxy Firewall NRC - ICB)
  • Application Proxy Firewall MRC: Choose CLIN 300501 (Application Proxy Firewall MRC - ICB)
  • SEDs are required to implement Application/proxy-based MFS. Illustrative hardware such as routers and Agency servers are not provided as part of the MFS.

Each Networx contractor may provide variations or alternatives to the offering and pricing for MFS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MFS.

For more information on the general MFS specifications and requirements, please refer to Section C.2.10.1 of the Networx contract for technical specifications and Section B.2.10.1 for pricing.