The Vendor is required to provide a cloud-based Web Application Firewall (WAF) solution and related implementation services.
- The solution will replace the agency's existing on-premises F5 environment and provide web application security, load balancing, traffic management, and related functionality for university-hosted services.
- The agency currently utilizes an F5 platform to support multiple web applications and services through reverse proxy, load balancing, TLS termination, and web application firewall capabilities.
- The system should support SSL/TLS certificate automation for client connectivity. Automated certificate replacement for back-end servers is a plus.
- Solution Must:
• Be a streamlined, user-friendly solution with an intuitive interface and minimal configuration requirements. Highly complex or feature-heavy systems that exceed the stated functional needs are not preferred.
• Be capable of protecting workloads in various cloud environments (OCI, AWS, Azure, etc.) as well as our on-premises data centers.
• Be cloud-only – no on-premises equipment, software, or VMs in the environment.
• Have a highly available, geographically diverse infrastructure that can tolerate the loss of regional services.
• Provide 24/7 technical support.
• Support a migration from the existing on-premises F5 LTM/AWAF/ASM environment.
• Allow backend applications to enforce Microsoft Entra Conditional Access for WAF-protected applications, and provide audit logging of authentication and access decisions with forwarding to Splunk and/or Rapid7 InsightIDR.
• Perform layer 7 inspection of web traffic: decrypt traffic for analysis, block malicious requests, and re-encrypt traffic before forwarding it to backend servers. Traffic must remain encrypted while in transit.
• Support HTTP/1.0, HTTP/1.1, HTTP/2, and HTTP/3, along with IPv4 and IPv6.
• Perform the aforementioned decryption while ensuring that the end user connects to the service without certificate issues or security warnings from the client application.
• The aforementioned cryptography must be in line with TLS 1.3 and PQC (post-quantum cryptography). If the solution is not currently quantum resistant, quantum resistance must be on the roadmap.
• Provide WAF protection for a minimum of 18 web applications/services, including load balancing for 5 services with a minimum of two backend servers each, and allow for scalable expansion as additional services are added.
• Automatically apply updates for threat signatures without manual intervention. The platform must also allow administrators to create exceptions or disable specific signatures to mitigate false positives that block legitimate traffic.
• Be capable of whitelisting particular public IP ranges and blocking all traffic from other public IP space for inbound traffic to the WAF service.
• Be capable of whitelisting particular URL paths, with and without wildcards, for added protection (for example, allowing or blocking all traffic to /path/*).
- Implementation & Project Management Requirements:
• Must assign a dedicated project manager (PM) and technical implementation lead for the duration of implementation and cutover.
• Must provide a documented implementation plan and schedule that includes, at minimum: kickoff, discovery, design, configuration, pilot, phased onboarding/migration, production cutover, and post-cutover support.
• Must perform a readiness assessment of our current environment, including a network readiness review and pre-deployment validation, to confirm migration preparedness.
• Must provide project governance including recurring status cadence (at least weekly during implementation), ongoing tracking of project hours, and written status reports.
• Must work with agency to develop a phased migration approach for onboarding the 18 services, including recommended grouping/waves, stakeholder coordination, communication plan, and defined criteria for progressing from one wave to the next.
• Must define testing and acceptance criteria for each onboarded service, including validation of application functionality, verification of logging/SIEM integration, and an agreed process for false-positive tuning.
• Must provide a documented backout/rollback plan for each service cutover.
• Must provide a post-cutover support period with defined hours, response targets, and support channels, and conduct a transition/handoff to steady-state operations (including review of monitoring, alerting, and escalation procedures).
• Must assist UNCW in designing and standing up a non-production test environment (or equivalent testing approach) that mirrors production as closely as practical.
• Must provide a written test plan with agreed testing parameters, including at minimum: functional testing (application workflows), security testing (rule coverage and false-positive validation), and performance testing (latency/throughput impacts) for each onboarded service.
• Must define clear acceptance criteria and a sign-off process per service, and provide testing artifacts upon request (e.g., results summaries, configuration snapshots, and evidence of logging/SIEM events) prior to production cutover.
• Must provide documentation aligned with industry best practices (such as NIST, CIS benchmarks, etc.) and support its review and implementation.