Annex A :  KZN DOH Network Security Design

Figure 1: KZN DoH Network Design Topology

Model / IDS/IPS Description
JC527A / HP TippingPoint S1200N IPS A7500 Module
JC019A / HP S660N 750 Mbps appliance IPS
JC184A / HP S10 20 Mbps IPS

Table 1: Current Technology

Annex B :  IDPS Features & Technical Specifications

Features / Description / Details
Traffic Control / Must be compatible with and perform at the speed of the department's network. Minimum latency is a key factor. / 1. Provide an appropriate level of response to attacks.
2. Optimise the network and ensure bandwidth is available for department-critical applications.
3. Gain visibility into current threats and pre-empt possible attacks before they occur.
Reliability / Installed at critical points, the IDPS must not cause drastic outages if it fails. / In case of failure of the IDPS, it must not cause a failure on
Traffic Detection Methods / The IDPS device must provide a high level of protection by using a variety of methods to accurately determine the nature of traffic. / The IDPS appliance must use a variety of detection techniques:
Signature detection, Protocol anomaly, Backdoor protection, Traffic anomaly, Network honeypot, Layer 2 detection, DoS detection, Spoofing detection, Rate limiting, IPv6 detection, IP-in-IP detection
Centralised Management / To provide simple and intuitive network-wide security management. / 1. Remote administration
2. Automatic scheduled security updates
3. Scheduled database backup for configuration redundancy

Table 2: IDPS Features

Specification / Description
Technology / Network-based: monitors network traffic and network/protocol activity to identify suspicious activity.
Performance / Inspection throughput: 1.5 Gbps
Latency: < 100 microseconds
Scalability/Interface / 10/100/1000 Ethernet ports (minimum 4 ports: 2 inbound and 2 outbound)
Quality of Service (Policy Based) / Must be able to block unwanted traffic based on departmental policies.
Ability to prioritise mission-critical applications is a must.
Must be able to classify all traffic (inbound and outbound).
Must allow for throttling, agentless endpoint monitoring capability and traffic shaping.
Patching / Real-time application of patches without requiring a reboot.
Automatic updates without the need for user intervention.
All devices must be able to obtain updates and signature data directly from the management host, and must not rely solely on Internet or out-of-band connectivity to receive updates.
New signatures must be made available on a regular basis, and applying them must be quick (applied to all sensors in one operation via a central console).
High Availability / Allow for active-active or active-passive stateful redundancy (IPS + Security Management Server (SMS)).
Dual hot-swappable power supplies.
Ability to fail open (Layer 2 fall-back), regardless of the network media (e.g. copper, fibre, etc.).
Ability to fail over to another sensor operating in a high-availability fail-over group.
Ability to fail closed, so as to prevent any traffic from flowing over the network.
Reporting / Ability to generate automated standard reports on at least the following: trending reports, correlation and real-time graphs on traffic statistics, filtered attacks, network hosts and services, IDPS inventory, IDPS health, notifications, real-time alerts, historic alerts.
Protection Against The Following Threats / Worms, viruses, Trojans, blended threats, phishing, spyware, VoIP threats, DoS, DDoS, backdoors, walk-in worms, bandwidth hijacking, zero-day vulnerabilities, reconnaissance attacks, OS vulnerabilities, botnets, etc.
Device Must Protect Against / Prevent SYN-ACK reflection attacks.
Provide protection against HTTP page flood attacks that misuse web server resources.
Brute force and dictionary attacks targeting server authentication schemes.
Logging / Log source and destination ports.
Standards And Protocols / Denial of Service protection.
Support IPv6.
Security / Security requirements and considerations:
Logs must be stored and viewed within the Government network and provide .
IDPS authentication. (Note: the , usage and auditing will be subject to the department's security controls.)

Table 3: IDPS Technical Specifications
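As an added illustration of several of the detection and logging requirements in Tables 2 and 3 (signature detection, rate-based detection of brute-force logins, detection of SYN-ACK reflection traffic, fail-open versus fail-closed behaviour, and alert records that always carry source and destination ports together with the action taken), the following Python example is added here; it is not part of the bid document and does not describe any vendor's product. The signature table, the thresholds, the `auth_failed` flag (assumed to be set by an application-layer decoder that is not shown) and all traffic are constructed assumptions for the example.

```python
"""Minimal in-line IDPS engine illustrating three detection methods from the
specification: signature matching, threshold-based detection of brute-force
logins, and detection of unsolicited SYN-ACKs (reflection traffic). Every
alert records source/destination ports and the action taken. All input is
constructed sample data, not captured departmental traffic."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float            # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP flags, e.g. "S" (SYN) or "SA" (SYN-ACK)
    payload: bytes = b""
    auth_failed: bool = False   # assumed to be set by an application-layer decoder


# Hypothetical signature table: (name, byte pattern, action). Illustrative only.
SIGNATURES = [
    ("http-traversal", b"../..", "block"),
    ("cmd-injection", b";cat /etc/passwd", "block"),
]


class Engine:
    def __init__(self, window=60.0, auth_threshold=5, synack_threshold=20, fail_open=True):
        self.window = window                    # seconds of history kept per counter
        self.auth_threshold = auth_threshold    # failed logins per (src, dst) in window
        self.synack_threshold = synack_threshold  # unsolicited SYN-ACKs per dst in window
        # Software stand-in for the hardware fail-open (Layer 2 fall-back) /
        # fail-closed requirement: what happens when the engine itself faults.
        self.fail_open = fail_open
        self.auth_hist = defaultdict(deque)     # (src, dst) -> failure timestamps
        self.syn_sent = set()                   # (src, dst, sport, dport) of SYNs seen
        self.unsol_hist = defaultdict(deque)    # dst -> unsolicited SYN-ACK timestamps
        self.log = []                           # alert records (ports always included)

    def _alert(self, pkt, rule, action):
        self.log.append({"ts": pkt.ts, "rule": rule, "src": pkt.src, "sport": pkt.sport,
                         "dst": pkt.dst, "dport": pkt.dport, "action": action})
        return action

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def inspect(self, pkt):
        """Return 'pass' or 'block' for one packet; fail open/closed on engine fault."""
        try:
            return self._inspect(pkt)
        except Exception:
            return "pass" if self.fail_open else "block"

    def _inspect(self, pkt):
        # 1. Signature detection
        for name, pattern, action in SIGNATURES:
            if pattern in pkt.payload:
                return self._alert(pkt, name, action)
        # 2. Threshold-based detection of brute-force / dictionary logins
        if pkt.auth_failed:
            dq = self.auth_hist[(pkt.src, pkt.dst)]
            dq.append(pkt.ts)
            self._prune(dq, pkt.ts)
            if len(dq) >= self.auth_threshold:
                return self._alert(pkt, "auth-bruteforce", "block")
        # 3. SYN-ACK reflection: SYN-ACKs that answer no SYN we saw leave
        if pkt.flags == "S":
            self.syn_sent.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        elif pkt.flags == "SA" and (pkt.dst, pkt.src, pkt.dport, pkt.sport) not in self.syn_sent:
            dq = self.unsol_hist[pkt.dst]
            dq.append(pkt.ts)
            self._prune(dq, pkt.ts)
            if len(dq) >= self.synack_threshold:   # below threshold: pass, to limit false positives
                return self._alert(pkt, "synack-reflection", "block")
        return "pass"


def run(engine, packets):
    """Inspect packets in order and return the per-packet action list."""
    return [engine.inspect(p) for p in packets]


def sample_traffic():
    """Constructed traffic: a legitimate SYN/SYN-ACK pair, one traversal attempt,
    six failed logins from one host, then 25 unsolicited SYN-ACKs to one host."""
    pkts = [
        Packet(0.0, "10.1.1.5", 40000, "196.0.0.9", 80, flags="S"),
        Packet(0.1, "196.0.0.9", 80, "10.1.1.5", 40000, flags="SA"),
        Packet(1.0, "203.0.113.7", 51000, "10.1.1.20", 80, flags="PA",
               payload=b"GET /../../etc/passwd HTTP/1.1"),
    ]
    pkts += [Packet(2.0 + i, "203.0.113.7", 52000 + i, "10.1.1.30", 22, flags="PA",
                    auth_failed=True) for i in range(6)]
    pkts += [Packet(10.0 + i * 0.01, f"198.51.100.{i}", 443, "10.1.1.40", 12345, flags="SA")
             for i in range(25)]
    return pkts


if __name__ == "__main__":
    eng = Engine()
    actions = run(eng, sample_traffic())
    print(f"{actions.count('block')} of {len(actions)} packets blocked")
    for rec in eng.log:
        print(rec)
```

Only the fifth and later failed logins and the twentieth and later unsolicited SYN-ACKs are blocked; earlier ones pass silently, which is the tuning trade-off the scope of work refers to when it asks for a design that limits false positives.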

Annex C :  DoH Sites

Figure 2: KZN DoH Network Topology

Site / IDPS Appliance Type / Building Address
Natalia Building (SITA, Room 62) / Master / 330 Langalibalele Street, Pietermaritzburg, 3201
Natalia Building (KZN DOH, NW1) / Slave / 330 Langalibalele Street, Pietermaritzburg, 3201
Ulundi / Slave / LA Building, King Dinuzulu Highway, Ulundi
SITA Durban / Slave / 17 Kosi Place, Umgeni Business Park, Durban

Table 4: KZN Site Details

Annex D :  Scope of Work

a)  IDPS Solution Design:

i.  Produce a design for the implementation of the IDPS Solution for the KZN Department of Health, ensuring that the Department will be able to counter new security threats as they arise. This design must (1) provide a schematic of the WAN topology of the department and clearly define how the IDPS solution is to be deployed across the WAN; (2) clearly document how the following criteria will be implemented by the IDPS solution: reliability, interoperability, scalability and security; and (3) document how the appliances will be fine-tuned to limit the number of false positives;

ii.  Design to be completed in 16 working hours;

b)  IDPS Device/Appliance:

i.  Supply on-site IDPS device/appliance for 3 sites, and one (1) management device at SITA, Pietermaritzburg;

ii.  All devices must comply with the technical specifications as per Bid Annex Document A, Annex B;

iii.  All applicable licenses and hardware warranties are to be included in scope for a period of three (3) years;

iv.  All warranty and licencing documentation to be handed over to the Department at the end of the installation.

c)  IDPS Implementation:

i.  Deployment of the appliances to be executed as follows:

1)  As per approved IDPS Solution Design;

2)  One Master appliance at SITA Natalia (PMB)

3)  Three slave appliances/sensors at KZN DOH (PMB), Durban Node and Ulundi Node (see Bid Annex Document A, Annex C for the WAN topology). The slave devices must monitor inbound/outbound traffic between Natalia (PMB) and all client sites linked to it;

ii.  Dynamic Online Reporting and Documentation – The IDPS solution must maintain a record of alerts along with the actions taken in response to each attempted intrusion. This must be accessible via a secure portal such that the department can have round-the-clock access to all captured events, including those that warrant additional action;

iii.  Testing of the solution needs to be conducted and reported on as confirmation that the solution meets the approved design;

iv.  Implementation to be completed in 40 hours;

d)  IDPS Governance documentation:

i.  Produce an IDPS policy, procedure and configuration manual aligned to the department's Information Security Policy (the policy will be provided on request);

ii.  Governance documentation to be produced in 16 working hours;

e)  Technical Support and Maintenance:

i.  Technical support after implementation is to be provided: eighty (80) hours per annum for a period of three (3) years, i.e. 240 hours in total. Support includes, but is not limited to: routine testing and tuning of the deployed appliances, monitoring and adjusting the IDPS policy to optimise performance, appliance updates, signature updates and ad hoc technical assistance;

ii.  One consolidated monthly report to be automatically generated by the IDPS solution, drawing from the dynamic online reporting portal data. The annual hours available will be utilised reviewing/performing quality assurance on this automatically generated monthly report; and

iii.  The successful bidder must provide user-level and advanced-level training to at least 2 technical team members from the department at each level. There must be skills transfer to the KZN DOH technical team. The annual hours available will be utilised for such training and skills transfer activities;