The vendor is required to provide a comprehensive network security solution, including next-generation firewalls (NGFWs), an authentication server, central management, and security analytics, to enhance network security across approximately 75 locations, 2 data centers, and 2 internet service provider connections.
- Building firewalls
• High availability: each building requires a pair of NGFWs in a high-availability configuration, ensuring continuous operation in case of a device failure.
• Application control: the NGFWs must provide granular application control, enabling the district to restrict or block specific applications or application categories.
• Intrusion prevention: the NGFWs must support custom intrusion prevention signatures, allowing the district to tailor protection against specific threats.
• Device detection: the NGFWs must be capable of identifying and classifying devices connected to the network.
• DNS filtering: the NGFWs must provide DNS filtering to block access to malicious or inappropriate domains supplied by the domain via threat feeds.
• Automation framework: the NGFWs must include a built-in automation framework for streamlining management tasks and incident response.
• SD-WAN: the NGFWs must support SD-WAN capabilities to optimize connectivity and improve application performance with multiple WAN connections.
• Redundant power supplies: the NGFWs must have redundant AC power supplies to ensure continuous operation in case of a power supply failure.
• Configuration and session synchronization: the NGFWs must support configuration and session synchronization between the high-availability pair, ensuring consistent policy enforcement and seamless failover.
• Central management: the NGFWs must be manageable from a central location, simplifying administration and reducing management overhead.
• DHCP and DNS server functionality: the NGFWs must be capable of acting as DHCP and DNS servers, providing essential network services.
• Throughput: the NGFWs must provide a minimum throughput of 35 Gbps in a 1U form factor to ensure physical rack space for high-availability deployment in every building.
• Transceivers: the NGFWs must have at least four 10 Gb SFP+ transceiver slots.
• Switch controller: the NGFWs must be capable of acting as a switch controller, managing and configuring connected switches.
• Licensing: all features must be included without requiring additional licensing.
- Data center firewalls
• High availability: the district requires four NGFWs in a high-availability configuration for the data center, ensuring continuous operation and load balancing capabilities.
• Web filtering: the NGFWs must provide category-based web filtering and support static web filtering to block access to inappropriate or malicious websites.
• SSL deep packet inspection: the NGFWs must be capable of inspecting SSL-encrypted traffic to identify threats and enforce security policies.
• Inline antivirus scanning: the NGFWs must perform inline antivirus scanning to detect and block malware.
• Botnet detection and protection: the NGFWs must be capable of detecting and preventing communication with botnet command-and-control servers.
• Dynamically updated intrusion prevention: the NGFWs must support dynamically updated intrusion prevention signatures to protect against the latest threats.
• Server load balancing: the NGFWs must function as a server load balancer for multiple protocols, supporting various load distribution methods and health check mechanisms.
• Network address translation (NAT): the NGFWs must support both source and destination NAT.
• Transceivers: the NGFWs must provide at least four 10 Gb and 25 Gb transceiver slots with latency at or below 2.5 μs.
• Redundant power supplies: the NGFWs must have redundant power supplies to ensure continuous operation.
• SSL VPN: the NGFWs must support SSL VPN for remote access users, both client-based and browser-based, for at least 50,000 concurrent users.
• IPsec VPN: the NGFWs must support IPsec remote access VPN for at least 50,000 concurrent users.
- Authentication server
• Single sign-on (SSO): the authentication server must provide agent-based SSO for Windows and Mac devices managed exclusively through Entra ID (not hybrid) to integrate user and group information with both building and data center firewalls.
• Virtual machine: the server should be a virtual machine supported in VMware ESXi 8.0+ and licensed to support at least 40,000 concurrent users.
- Central management server
• Configuration and management: the central management server must manage the configuration, software, and firmware for both the building and data center firewalls.
• Virtual machine: the server should be a virtual machine supported in VMware ESXi 8.0+ and licensed to support all the firewalls referenced previously.
- Security analytics server
• Logging and analytics: the server must provide logging, analytics, event correlation, notifications, alerts, and automation capabilities for both the building and data center firewalls.
• Virtual machine: the server should be a virtual machine supported in VMware ESXi 8.0+ and licensed to support 1 terabyte (TB) of data/log ingest per day as well as any licenses required to support the features referenced previously.
- Contract Period/Term: 1 year
- Questions/Inquiries Deadline: April 14, 2025