12 Value Added Services - Sprint



Managed Security Services

14.1 Introduction

Managed Security Services (MSS) are a set of Sprint-managed and Customer-managed services, which will provide comprehensive network security for Government networks. Sprint has teamed with industry leading firewall vendors and hardware platform providers to offer one of the most complete managed security solutions available.


Additional firewall information is included in Appendix C.

14.2 Management Services

Sprint's MSS offers complete solutions for the Government. These are itemized in Table 1.B.14-1.

Table 1.B.14-1 Managed Security Services

| Service Category | Components |
|---|---|
| Management Services (14.2) | Network Security Design (14.2.1); Managed Firewall Services (14.2.2) (Sprint-Provided Hardware & Software, Level 1 or Level 2) |
| Sprint-Managed Firewall Service (14.2.2.1) | Firewall Software; Firewall Hardware; Support Services/Operations (24 x 365); Firewall Management (Includes Encrypting Modem); Firewall Software Support; Firewall Hardware Maintenance (4 Hour On-site Response) |
| Customer-Managed Firewall Service (Hardware & Software) (14.2.2.2) | Firewall Software; Firewall Hardware; Support Services (24 x 365); Firewall Software Support; Firewall Hardware Maintenance (4 Hour On-site Response) |
| Managed User Authentication Services (14.3): Sprint-Managed User Authentication Service (14.3.1) | Token Cards or Token Client Software; User Authentication Server User ID Setup (No Design or Implementation Required); Sprint-Managed User Authentication Service |
| Managed User Authentication Services (14.3): Customer-Managed User Authentication Service (14.3.2) | Token Cards or Token Desktop Client Software; User Authentication Server Software; User Authentication Server Hardware; Software Support; Hardware Maintenance; Change Management |
| Additional Security Services (14.4) | Customer Firewall Vulnerability Scan (14.4.1); Security Alerts (14.4.2); 24-Hour Emergency Response (14.4.3); Investigation Support (14.4.4); Prosecution Assistance (14.4.5) |

Table 1.B.14-2 provides a comparison between the MSS services and the FTS2001 contract.

Table 1.B.14-2 Comparison of Managed Security Services Offerings

| Feature | MSS Proposal | FTS2001 |
|---|---|---|
| Network Security Design | Yes | FTS2001 IPS only |
| Sprint-Managed Level 1 Management Service | Yes | No |
| Sprint-Managed Level 2 Management Service | Yes | No |
| Sprint-Managed Firewall Software | Yes | No |
| Sprint-Managed Firewall Hardware | Yes | No |
| Sprint-Managed Firewall Management | Yes | No |
| Sprint-Managed Firewall Hardware Support (help desk) | Yes | No |
| Customer-Managed Firewall Software | Yes | Yes |
| Customer-Managed Firewall Hardware | Yes | Yes |
| Customer-Managed Firewall Hardware Maintenance | Yes | Yes |
| Firewall Software Support (help desk) | Yes | SMC only |
| Sprint-Managed User Authentication Service | Yes | No |
| Sprint-Managed Token Client Software | Yes | No |
| Sprint-Managed Token Cards with Key Pad | Yes | No |
| Sprint-Managed Token Cards (Key Chain Style) | Yes | No |
| Sprint-Managed User Authentication User ID Setup | Yes | No |
| Customer-Managed User Authentication Service | Yes | No |
| Customer-Managed Token Client Software | Yes | No |
| Customer-Managed User Authentication Server Software | Yes | No |
| Customer-Managed User Authentication Server Hardware | Yes | No |
| Customer-Managed User Authentication Software Support | Yes | No |
| Customer-Managed User Authentication Hardware Maintenance | Yes | No |
| Sprint-Managed Level 1 Change Management | Yes | No |
| Sprint-Managed Level 2 Change Management | Yes | No |
| Sprint Security Design Engineer Site Visit | Yes | No |
| Analysis of Government’s Internal DNS as it relates to proposed firewall solution | Yes | No |
| SMTP Mail Configuration | Yes | No |
| Available with non-FTS2001 IP | Yes | No |
| Available with non-Sprint IP | Yes | No |
| Available with Sprint FRS | Yes | No |
| Available across FR/IP gateway | Yes | No |

14.2.1 Network Security Design

Sprint’s MSS Design is a comprehensive service that will ensure the Security Server is properly implemented and that the network and Security Server design will provide the best possible implementation of the Government’s security policy. Design work will be performed by Sprint's Corporate Security Design Engineers. Sprint continually reviews the market offerings to provide our customers the leading proven technology.

14.2.1.1 The Design Process

The tangible output of the design effort will be a draft Engineering Design Document (EDD). The Government approved EDD will be the primary deliverable in the design process and will provide the technical baseline information used for product implementation. If the Government decides to order the Managed Security Design service independently from implementation and management services, the process will be terminated at the end of the Design Phase and the EDD and Customer Handbook will be delivered to the Government for its own use.

The service will include the following:

1. A Sprint Corporate Security Design Engineer will review the Pre-Installation Questionnaire (provided in Appendix B of the Technical Volume) with the Government. This activity will take place via telephone, if possible. The Design Engineer will contact the designated Government representative if there are questions or the Engineer requires additional information.

2. Sprint will develop a detailed draft EDD. This document will define the Government’s network environment. Since all network and security requirements are unique, there is no single network design that can be applied to every customer.

3. A Sprint Corporate Security Design Engineer will travel to the Government’s site one time, if required, to review the draft EDD with the customer. If additional trips are requested by the Government, a separate order must be placed.

4. The Government and Sprint will approve the final EDD.

MSS and MNS are different and distinct services. As each is a separate product, they have different rules.

14.2.1.2 Domain Name System (DNS) Configuration for Managed Firewall Services

If the customer has an internal DNS for resolving names in their local domain, this DNS will be used by the firewall. If there is no internal DNS, the Government must install one, or the firewall will make use of only external DNS. The internal customer DNS must include all major components on the network, including the firewall, mail hub, web server, etc. If the firewall utilizes the customer’s internal DNS, that server must be set up to resolve Internet addresses. This is usually done by configuring the internal DNS to forward queries for unknown (Internet) data to the internal interface(s) of the firewall.


As part of the MSS analysis for firewall design and implementation, Sprint Security Engineers will analyze the configuration of the existing domain name services in conjunction with the proposed firewall functionality. The domain name services will be reconfigured as needed to meet the security design goals.
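The split arrangement described above, expressed as a BIND 9 named.conf fragment. This is an added illustration, not configuration from the Sprint proposal; the firewall internal interface address 10.0.0.1, the internal network 10.0.0.0/8 and the domain agency.example are assumed placeholders.

```conf
// Internal DNS for the local domain (assumed placeholder: agency.example).
// Authoritative for internal names; everything else is forwarded to the
// firewall's internal interface, which resolves Internet names.
options {
    directory "/var/named";

    // Unknown (Internet) names go to the firewall's internal interface.
    // Placeholder address; use the address recorded in the EDD.
    forwarders { 10.0.0.1; };
    // Never contact Internet name servers directly from inside;
    // if the firewall cannot answer, fail rather than bypass it.
    forward only;

    // Only the internal network may query or recurse through this server,
    // so the server cannot be used as an open resolver from outside.
    allow-query     { 10.0.0.0/8; localhost; };
    allow-recursion { 10.0.0.0/8; localhost; };

    // Internal-only server: it should not be reachable from the Internet.
    listen-on { 10.0.1.10; 127.0.0.1; };
    version "not disclosed";
};

// The internal zone must carry records for every major component the
// firewall and mail configuration depend on: the firewall itself, the
// mail hub, the web server, and so on (placeholder hostnames).
zone "agency.example" {
    type master;
    file "db.agency.example";   // zone file: firewall, mailhub, www A records and MX
    allow-transfer { 10.0.1.11; };  // placeholder: secondary internal DNS only
};

// Reverse zone for the internal range so firewall logs resolve cleanly.
zone "0.10.in-addr.arpa" {
    type master;
    file "db.10.0";
};
```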

14.2.1.3 Simple Mail Transfer Protocol (SMTP) Mail Configuration for Managed Firewall Services

Sprint will configure SMTP mail to run to one mail hub within the Government’s secure domain, and if required, one mail hub outside their secure domain.

Sprint will assist the Government with the configuration and testing of internal and/or external SMTP mail hubs.

The Government will be responsible for internal mail server administration. Sprint will work with the customer to configure the firewall to pass mail to and from the mail hub.

Sprint will be developing an offering of an intrusion detection system to address malicious attacks such as denial of service. Sprint will propose this service as a modification as soon as it is commercially available from Sprint. Virus detection will not be part of this proposal. However, the Managed Virus Scan Service will be offered under a separate proposal.

14.2.2 Managed Firewall Services

Sprint will offer the Government two options for firewall management.


Sprint Engineers will meet with the Government to review the performance metrics and trouble tickets to determine if a redesign of hardware or software is necessary. Table 1.B.14-3 highlights elements provided with Sprint-Managed and Customer-Managed Firewall Services.


14.2.2.1 Sprint-Managed Firewall Service

Sprint will offer a two tier firewall management service for Sprint-managed firewalls. The Government will choose either Level-1 or Level-2 service depending on their management and performance requirements.

Figure 1.B.14-1 shows an overview of Sprint’s Firewall Service Components.


Figure 1.B.14-1 Overview of Service Components Provided with Sprint-Managed Firewall Solution

Table 1.B.14-4 provides a comparison of the differences between the Level-1 and Level-2 services. If the Government’s requirements do not fit into a Level-1 solution, a Level-2 solution will be required.

Table 1.B.14-4 Sprint-Managed Firewall Services

| Category | Parameter | Level-1 Management | Level-2 Management |
|---|---|---|---|
| Key Service Parameters | Location of Firewall | Customer Premise | Customer Premise |
| | Who Manages the Firewall | Sprint | Sprint |
| | Platforms Supported | Vendor | Vendor |
| | Sprint Networks Supported | Internet Only | Any IP |
| | Non-Sprint Networks Supported | Internet Only | Internet Only |
| | Maximum Connections (Interfaces) | Three | H/W Maximum |
| Services Required with Management | Managed Security Service Design | Yes | Yes |
| | Managed Security Service Implementation | Yes | Yes |
| | 24 x 365 Software Support | Yes | Yes |
| | 24 x 365, 4 Hour Response Hardware Maintenance | Yes | Yes |
| Management & Operations | Monitor H/W & S/W Uptime | Yes | Yes |
| | Watch for Suspicious Activity | Yes | Yes |
| | Customized Customer Notification of Events (Email, Pager, Fax, etc.) | Yes | Yes |
| | Maximum Network Entities | 10 | Unlimited |
| | Firewall Rule Changes (Normal/Emergency Per Month) | 5/0 | 20/5 |
| | *Web Filtering | Yes | Yes |
| | User Changes (Add/Delete/Modify) (Normal/Emergency Per Month) | 0/0 | 100/20 |
| | User Authentication | No | Yes |
| | *Client VPN (Firewall Side) Mgmt. | No | Yes |
| | Managed VPN (Firewall-to-Firewall) | Yes | Yes |
| | Protocols (In- or Out-bound) | Non GSP | All |
| | Max Rule Changes Per Day | 2 | 5 |
| | Backup of Configuration Files | Weekly | Nightly |
| | Vulnerability Scan | Weekly | Nightly |
| | Log File Retention | 3 Months | Duration of firewall agreement according to best commercial storage practices |
| | Monthly Reports | Yes - Limited | Yes - Detailed |
| Performance Guarantees | On-Site Response (h/w failure) | 4 Hours | 4 Hours |
| | Critical Event Notification | 2 Hours | 30 Minutes |
| | Time to Initiate Normal Change | Next Day | Next Day |
| | Time to Initiate Emergency Change | N/A (Unless Tied to Critical Event Notification) | 2 Hours |
| | Availability/Uptime | 100% | 100% |
| | Monthly Report | 10th Bus. Day | 10th Bus. Day |

* Optional. Will require additional components.

14.2.2.1.1 Sprint-Managed Firewall Service on Non-Sprint Transport

For those Government customers who use transport providers other than Sprint, Sprint’s Managed Firewall Service will also be available. All Government orders for Sprint’s Managed Firewall Service must document the firewall access transport on the pre-installation questionnaire in order to implement the Managed Security Services solution.

14.2.2.1.2 Firewall Monitoring Tools


These tools have been customized to Sprint’s specifications for increased reliability and uptime of systems and applications.

Encryption algorithms, key exchange, and authentication methods are all dependent on vendor support for the current state of encryption technology and security. Depending on the customer’s security requirements, Sprint will use different encryption methods including X


14.2.2.1.3 Firewall Administration and Operations

The Sprint-Managed Firewall Service will allow the Government to completely outsource this business-critical activity. Sprint’s firewall administration and operations will be provided 24 hours a day, 365 days a year.


When the ISOC identifies a problem, the Government will be notified according to the methods and service levels identified in the EDD. Communication methods include electronic mail, telephone, fax, and pager. Below is a sample method and service level table. Only the Government’s designated points-of-contact (also defined in the EDD) will be notified by Sprint ISOC personnel. Should Sprint be unable to reach the points-of-contact for any reason, a voice-mail followed by electronic mail will serve as default notification. Problem Notification is detailed in Table 1.B.14-5.

Table 1.B.14-5 Sample Problem Notification

| Type of Notification | Notification Method | Level-1 Service | Level-2 Service |
|---|---|---|---|
| Non-Critical | E-mail/Fax | Next Day | Within 4 hours of Event |
| Critical | Pager/Telephone | Within 2 Hours of Event | Within 30 Minutes of Event |

Note: Notification will be defined as the Government deems necessary.

Non-critical events include the following scenarios:

• Suspicious firewall activity (e.g., continuous port scans)

• Firewall hardware failure that does not disrupt service

• Firewall software failure that does not disrupt service

• Non-critical firewall alerts that indicate internal systems configuration problems.

Critical events are limited to the following scenarios:

• Firewall hardware failure that disrupts service

• Firewall software failure that disrupts service

• Brute-force cracking attempts

• Successful crack through firewall

• Critical firewall alerts that indicate internal system communication (firewall to server) problems (e.g., loss of SMTP Mail Server).

• Events that, in the opinion of Sprint Security Operations staff, constitute suspicious or malicious activity will warrant immediate notification of the Government.

The standard offering does not provide for user-defined critical events. Sprint will determine critical and non-critical events in order to protect and ensure continued system functionality. If the Government desires a higher level of activity monitoring, the customer managed approach offers this capability.

The Government will be responsible for ensuring that the ISOC has up-to-date information on all points-of-contact. Sprint will not be held responsible for unsuccessful notifications due to obsolete point-of-contact information.

Should suspicious activities occur, Sprint will gather as much information as possible on the origin of the activity and present this information to the Government. Should further investigation be deemed necessary, Sprint will assist the Government in determining the appropriate organizations to involve and steps to take. When prosecution is deemed appropriate by the Government, Sprint will act as a liaison with worldwide security organizations and legal authorities. Sprint will also assist the Government in determining the appropriate actions to take to prevent future attacks.

Firewall Software Support: Sprint will ensure the latest software updates are applied to the firewall software.

Firewall Hardware Maintenance: Sprint will dispatch an engineer to the Government site when hardware fails. For work to be done on-site at a secure Government location, only staff with Secret clearance will be provided/authorized to do the work. The Government’s POC will be notified immediately of any hardware failures. In the event that a failure occurs during non-business hours, the Government POC will determine when the engineer will gain access to the firewall.

Most equipment failures are fixed within four (4) hours of the arrival of the engineer at the Government site. However, certain equipment failures in certain areas may require overnight shipment of parts that will be installed upon arrival. If the amount of down time is a critical consideration and factor in the customer’s environment, Sprint will configure high availability as an option. This option is more fully discussed in Section 14.2.2.1.5 of this document.

Firewall Reporting: Sprint will provide monthly performance, utilization, and configuration change reports to the Government. MSS reporting will be X

Firewall Backups: Sprint will perform remote backups (weekly under Level-1, nightly under Level-2) of the Government’s firewall configuration files. These backups will provide a significant component to the Government’s Disaster Recovery Plan.

Firewall Vulnerability Scans: These scans are one more assurance that the firewall is secure.

Sprint-Managed Firewall Service Firewall Software Sizes: Sprint-Managed Firewall software is available in three sizes:

Sprint offers two hardware options for both firewall and authentication services: standard and high-end.

14.2.2.1.4 Sprint-Managed Service Level Guarantees

Sprint will provide its Sprint-Managed Firewall Service customers with the performance guarantees detailed in Table 1.B.14-6.


These Service Performance Guarantees do not apply to Compaq /Windows NT firewalls.

14.2.2.1.5 Additional Options For Sprint-Managed Firewalls

Additional options for Sprint-managed firewalls include managed client VPN software, managed web filtering, and managed high availability.

Managed Client VPN Software: Sprint management of client VPN software will be limited to the firewall side of the configuration. Sprint will not provide support for any desktop (client) security software.

Customer requirements:

• The Government will be required to provide first-level help desk support for questions regarding “how to install” and “how to use”.

• The Government may purchase the on-site consulting service to assist in installation and initial setup of client components, if needed.

• The Government must provide a primary and a secondary point of contact for all communication with Sprint’s ISOC.

• The Government will answer commonly asked questions and be expected to answer all end-user repeat questions.

Please refer to Table 1.B.14-2 for a comparison of FTS2001 and the MSS offering.

Managed Web Filtering: Sprint will provide 24 x 365 management of the web filtering software installed on the firewall. This service is an option for Sprint-Managed Firewall Service customers.

Managed High Availability: Sprint will provide 24 x 365 management of the High Availability (HA) software as an option on certain platforms.


14.2.2.1.6 Change Management

Stringent change management procedures are important to ensure the performance and security of a firewall. The change management procedures defined in this section include procedures for add/delete/modify of firewall components. Virus detection is not part of this proposal. The Managed Virus Scan Service will be offered under a separate proposal. The service components and change request levels are detailed in Table 1.B.14-7.

Table 1.B.14-7 Managed Firewall Change Management

| Service | Level-1 | Level-2 |
|---|---|---|
| Firewall Rules | Yes | Yes |
| Applications/protocols | Yes | Yes |
| Systems | Yes | Yes |
| Users | No | Yes |
| Groups | No | Yes |
| Web-filtering | Yes | Yes |
| VPN (firewall-to-firewall) | Yes | Yes |
| Software Support | Yes | Yes |
| Hardware Maintenance | Yes | Yes |

Firewall access components include rules, applications, systems, users, and groups. The first five terms cover requested changes to any of these access components to facilitate passing additional services through the firewall.

1. Firewall Rules: These components are used to implement the security policy on the firewall. They provide the control for allowing or denying connections and access by applications, systems, users, and groups.

2. Applications/protocols: These components relate to the TCP/IP connections, associated protocols and services necessary to facilitate passing of information supporting various applications when the firewall must be configured to control access to systems, users, or groups.

3. Systems: These components are typically IP Hosts such as web servers, mail servers, etc., that require connections or authentication if controlled or passed by the firewall.

4. Users: These components are members of groups with defined access privileges on the firewall.

5. Groups: These are categories of users, networks, or hosts with a common security status. They are acted upon by the rules to control access and implement security policy.

6. Web-filtering: These relate to URL-filtering specifications, including adding specifications to deny or allow access to specific sites when the URL-filtering add-on has been purchased.

7. VPN (firewall-to-firewall): These components are the encrypted connections between firewalls and the associated characteristics of these paths such as source and destination, encryption domain, encryption parameters, etc.

8. Software Support and Hardware Maintenance: For both Sprint-managed and customer-managed firewalls, a standard part of the hardware maintenance and software support contract is performing software and hardware maintenance on the customer’s security systems. All maintenance will be scheduled by Sprint and performed during the customer-defined maintenance window specified in the Statement of Work. Sprint will notify the customer POC during normal business hours of any necessary maintenance down-time. For any maintenance that requires on-site personnel, Sprint will schedule an appropriate time and any necessary customer premise access with the customer.

Discussions on the limitations on change request service levels and allotted change requests follow. Requests for these changes will be initiated by the Government or by Sprint. All changes initiated by Sprint will require Government approval prior to implementation.

Changes to Firewall Components: Firewall access components are rules, applications, systems, users, and groups. Only the designated Government points of contact will be permitted to request changes. A sample Managed IP Security Services - User/System/Group Change Form is provided in Appendix B of the Technical Volume.

All changes will be classified by the Government as either Non-Emergency or Emergency on the Change Request Form. There will be monthly limitations to the number of changes that are made as part of the standard Managed Firewall Service. Customers will incur additional charges when monthly limitations (per calendar month) are exceeded. The forms and instructions will be provided prior to the firewall installation. Table 1.B.14-8 defines the firewall configuration change service levels and monthly change limits.


Sprint will track all changes made by Sprint personnel on the managed firewall. When a change is made, Sprint will make a note of the existing configuration, record any changes, explain why a change is necessary, and record any relevant authorization information. This methodology serves as both a disaster recovery mechanism and an archive of change history.

14.2.2.1.7 Configuration Management

Sprint will proactively monitor the Government’s hardware and software under Sprint-managed firewalls. These services will include X

Hardware Upgrades: Sprint will provide proactive performance management. Sprint will track and analyze firewall performance statistics to ensure that the Government’s firewall hardware is properly sized. When it is determined that firewall performance is degrading, Sprint will recommend appropriate action. No hardware changes will be made without the Government’s approval. Sprint will not upgrade any equipment without written Government approval in the form of a new order. If the Government chooses not to upgrade its firewall (after recommendation from Sprint), Sprint will no longer be responsible for poor performance or any other possible problems. Upgrading firewall hardware will require a service request.

Software Updates: Sprint will test and validate all major firewall software releases before installing them. Sprint has the following policies regarding firewall software installations and updates:

• Sprint will update the Government’s firewall software revision level if the currently installed level is no longer supported by the firewall vendor.

• Sprint will update the Government’s firewall software to fix software bugs in the existing version.

• When adding new firewalls to the Government’s existing network, Sprint will install the same version of the firewall software running on an existing configuration rather than update the entire network with the latest software release.

• Following testing and validation of the latest software version, Sprint will install the software. This option assumes that Sprint and the Government mutually agree on the business need for the latest software, or that Sprint no longer supports the version currently installed.

Sprint monitors all security alerts distributed regarding operating systems. Sprint will install all operating system security patches deemed necessary to ensure the security of the firewall system. Sprint will work with the Government in scheduling upgrade and patch implementation. Sprint will test and validate all major firewall software releases before installing them. Distribution and/or installation of upgrades will be dependent upon the time necessary to complete the testing process.

Firewall Software Size Upgrades: Firewall software size upgrades will be ordered through Sprint. An order for the new software must be submitted and a disconnect order for the existing software line item must also be submitted.

Firewall Redesign: Some customers may modify the network in such a way that normal management and operations cannot be handled through the standard firewall configuration change request process. If a network redesign is required, the EDD must be modified. If the redesign requires deployment, an additional site visit will be required. Modification of the EDD and additional on-site visits are not included in the basic service.

A network redesign is limited to the following scenarios:


Sprint’s Corporate Security Design Engineers will work closely with the Government to determine if a redesign is required, based upon the Government’s change requirements.

Maintenance Procedures: From time to time, Sprint will need to perform software and hardware maintenance on the Government’s security systems. All maintenance will be scheduled by Sprint and performed during the Government-defined maintenance window specified in the EDD. Sprint will notify the Government POC during normal business hours of any necessary maintenance down-time. For any maintenance that requires on-site personnel, Sprint will schedule an appropriate time and any necessary Government premise access with the POC. The Government has final approval of all scheduled maintenance periods.

14.2.2.2 Customer-Managed Firewall Service

If the Government wishes to manage its own firewalls, Sprint will offer design, implementation and support services. Figure 1.B.14-2 summarizes the complete firewall software, hardware, and service solution for the Customer-Managed Firewall Service.


Figure 1.B.14-2 Overview of Service Components with Customer-Managed Firewall Solution

14.2.2.2.1 Firewall Software Support

Sprint will ensure the latest software updates are distributed to the Government. It will be the responsibility of the Government to update the firewall software. Sprint will notify the Government at the time of update/upgrade distribution as to whether or not the update is required as a condition of continued software support.

For Customer-Managed Firewalls, software updates will be provided to the designated POC by express mail.

24 x 365 technical phone support for questions regarding proper operation and configuration of the software, including problem isolation and definition, will be provided. This support will be available to the Government’s points of contact designated in the EDD.

Firewall Software Size Upgrades: Firewall software size upgrades will be ordered through Sprint. At the time the new software order is submitted, a disconnect order for the existing software must be issued.

Firewall Hardware Maintenance: Sprint will dispatch an engineer to the Government site if the hardware fails. The Government’s POC will be contacted immediately about any hardware failure. In the event that a failure occurs during non-business hours, the Government POC will determine when the engineer will gain access to the firewall.

Most equipment failures are fixed within four hours of the arrival of the engineer at the Government site. However, certain equipment failures in certain areas may require overnight shipping of parts that will be installed upon arrival. If down time must be further minimized, Sprint will configure High Availability as an option, as described in the Sprint-Managed Service Level Guarantees.

14.3 Managed User Authentication Services

Sprint will offer two options for user authentication services.


Table 1.B.14-9 highlights the differences between Sprint-Managed and Customer-Managed User Authentication Services:

Table 1.B.14-9 Comparison of Sprint-Managed vs. Customer-Managed User Authentication Service

| Required Elements | Sprint-Managed | Customer-Managed |
|---|---|---|
| Managed Security Service Design | NO* | YES |
| Managed Security Service Implementation | NO* | YES |
| User Authentication Hardware and Software | NO* | YES |
| User Authentication Software Support | NO* | YES |
| User Authentication Hardware Maintenance | NO* | YES |
| User Authentication Tokens | YES | YES |
| User Authentication Service | YES | NO* |
| User ID Setup | YES | NO* |

Note: The ‘NO*’ entry indicates that these components are not orderable or required.

For the Government to be able to configure User Authentication Services on GFE, its firewall must be capable of running client software that works in conjunction with the user authentication server.

14.3.1 Sprint-Managed User Authentication Service

Sprint’s Managed User Authentication Service is a comprehensive service that allows customers to completely out-source this business-critical activity. This service will include the setup and management of a shared primary user authentication server, a remotely located backup server (in the event that the primary fails) and the related ID tokens. The primary user authentication server, owned and managed by Sprint, X A remote backup user authentication server, owned and managed by Sprint, will also be included in this service. User authentication client software will run on the Government’s firewall server. Change requests will be communicated and implemented through the use of stringent change management procedures.

If a shared primary user authentication server does not meet the Government’s security needs, an alternative solution will be designed and presented in the EDD.


High-Availability is a failover option recommended for customers managing their own authentication.

Figure 1.B.14-3 illustrates the Sprint-Managed User Authentication Service solution.


Figure 1.B.14-3 Sprint-Managed User Authentication Service

14.3.1.1 Tokens

Sprint will control all token seed records and define the naming schemes for user IDs. All user IDs on each server must be unique. Sprint will work with the Security POC to define an acceptable naming scheme that meets the Government’s needs and is compatible with the server.

14.3.1.2 User Authentication User ID Setup

Sprint’s Managed User Authentication Server User ID Setup service will ensure that the Sprint-Managed User Authentication Service is properly implemented and that the network and server designs will provide the best possible user authentication protection. The service will include the following:

• Sprint will review the Government’s User Authentication requirements. These requirements must be provided to Sprint in writing. If none exist, Sprint will work with the Government to understand their high-level requirements.

• Sprint will develop a draft EDD that will define the Government’s network environment and any unique specifications. Since most Government network and security requirements are unique, there is no single network design that can be applied to every case.

• A Sprint Corporate Security Design Engineer will travel to the Government site for an initial site visit and review the draft EDD with the Government. The Government and Sprint will approve the final document, which becomes the EDD.

The user authentication server X

14.3.1.3 Redundant User Authentication Server

X will be the location of the primary user authentication server. There will be a remotely located secondary user authentication server running at all times to provide continuity, in the event operations are interrupted on the primary server.

14.3.1.4 Customer Responsibilities

The network topology will be configured in accordance with the approved EDD. Changes requiring redesign will incur additional charges and may delay implementation. A primary and secondary Government point of contact must be provided to work with Sprint during the implementation process. This point of contact will work closely with Sprint during the installation process. Each server has its own set of POCs. Should Sprint be unable to reach the POC for any reason, a voice-mail followed by e-mail will serve as notification. The point of contact will be identified in the EDD.

14.3.1.5 User Authentication Server Administration and Operations

Sprint-Managed User Authentication Servers will be administered 24 hours a day, 365 days a year. Day-to-day administration will occur through the processing of User Authentication Change Forms. Sprint will accept and process these forms from designated Government points of contact around the clock. The forms include information related to:

• User/System/Group Change

• Customer Information: Name, Firewall Affected

• Emergency Change? Yes/No

• User Changes: Add/Delete/Modify, Logon, User Name, Preferred Firewall, etc.

• System Changes: Add/Delete/Modify, System Alias, IP Address/DNS, Subnet info, etc.

• Group Changes: Add/Delete/Modify systems

A sample change form is provided in Appendix B of the Technical Volume.

14.3.1.5.1 User Authentication Server Monitoring and Customer Notification

Sprint will provide monitoring of the User Authentication Server for suspicious activity and hardware/software problems 24 hours a day, 365 days a year.

When Sprint identifies a problem, the Government will be notified according to the methods and service levels identified in the Sprint-Managed User Authentication Service EDD. Communication vehicles include electronic mail, telephone, fax, and pager. Table 1.B.14-10 details the notification methods. Only the Government’s designated points of contact will be notified by Sprint. X

|X |

|x |x |X |

|X |X |X |

|X |X |X |

Non-critical events will include the following scenarios:

• Multiple rejects of a User ID

• User authentication server hardware failure that does not disrupt service

• User authentication server software failure that does not disrupt service

• Non-critical server alerts that indicate internal systems configuration problems.

Critical events will be limited to the following scenarios:

• User authentication server hardware failure that disrupts service

• User authentication server software failure that disrupts service

• Request for an emergency reset of PIN to static password. Notification will be sent to the second point of contact when the primary point of contact is making the request, and vice-versa. This ensures that both points of contact are aware that a static password has been allowed in place of the one-time password algorithm. This situation should arise only in the case where an employee has lost the use of the secure token (i.e., the card is physically damaged beyond use), and a user must gain access until a replacement token is received by the user.

The Government will be responsible for ensuring that Sprint has up-to-date information on all points of contact. Sprint will not be held responsible for unsuccessful notifications due to obsolete point of contact information.

Should suspicious activities occur, Sprint will gather as much information as possible on the origin of the activity and present this information to the Government. Should further investigation be deemed necessary, Sprint will enlist the assistance of the Government in determining the user involved and the steps to take. When the Government and/or Sprint deem prosecution appropriate, Sprint will act as a liaison with worldwide security organizations and legal authorities. Sprint and the Government will also determine the appropriate actions to take to prevent future attacks.

14.3.1.5.2 User Authentication Server Software Support

Sprint will ensure the latest software updates are applied to the user authentication server software.

14.3.1.5.3 User Authentication Server Hardware Maintenance

The Sprint-Managed User Authentication server hardware will be owned and maintained by Sprint. The primary user authentication server will be X

The Sprint-managed server configuration will include a continuous link (a heartbeat) between the primary user authentication server and a remotely located backup user authentication server. The backup server takes over for the primary whenever the heartbeat stops. Upon failure of the primary user authentication server, the backup server will immediately take over in place of the primary server until the repairs to the original primary server have taken place.
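The heartbeat takeover described above, as an added illustration that is not Sprint’s code: a monitor promotes the backup after a configurable run of missed heartbeats and, following the text, keeps the backup active until an operator confirms the primary is repaired. The heartbeat interval, miss limit and simulated timeline are assumptions.

```python
"""Heartbeat failover between a primary and a remote backup user
authentication server, in the shape described in this section.

Added illustration, not Sprint's code. The heartbeat interval, the number
of tolerated misses and the simulated timeline are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Role(Enum):
    PRIMARY = "primary"
    BACKUP = "backup"


@dataclass
class FailoverMonitor:
    """Decides which server answers authentication requests.

    interval_s:   expected spacing of heartbeats from the primary.
    missed_limit: consecutive heartbeats that may be missed before the
                  backup is promoted; one lost packet must not fail over.
    """
    interval_s: float = 5.0
    missed_limit: int = 3
    started_at: float = 0.0
    active: Role = Role.PRIMARY
    last_beat: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.last_beat is None:
            self.last_beat = self.started_at

    def heartbeat(self, now: float) -> None:
        """Record a heartbeat received over the link from the primary."""
        self.last_beat = now
        if self.active is Role.BACKUP:
            # The text keeps the backup in charge "until the repairs to the
            # original primary server have taken place", so a returning
            # heartbeat alone does not fail back; an operator confirms repair.
            self.events.append((now, "primary heartbeat seen; awaiting repair confirmation"))

    def tick(self, now: float) -> Role:
        """Periodic check run by the scheduler; returns the active role."""
        if self.active is Role.PRIMARY:
            silence = now - self.last_beat
            if silence > self.interval_s * self.missed_limit:
                # Caveat: a dead heartbeat link looks the same as a dead
                # primary. Monitoring the link itself, not only the beats,
                # is what keeps both servers from answering at once.
                self.active = Role.BACKUP
                self.events.append((now, "heartbeat lost; backup promoted"))
        return self.active

    def repaired(self, now: float) -> Role:
        """Operator confirms the primary is repaired; hand control back."""
        self.active = Role.PRIMARY
        self.last_beat = now
        self.events.append((now, "primary repaired; control returned"))
        return self.active


def simulate(monitor: FailoverMonitor, timeline) -> List[Tuple[float, str]]:
    """Replay ('beat' | 'tick' | 'repaired', time) pairs and return the
    role that was active after every tick."""
    roles = []
    for kind, t in timeline:
        if kind == "beat":
            monitor.heartbeat(t)
        elif kind == "tick":
            roles.append((t, monitor.tick(t).value))
        elif kind == "repaired":
            monitor.repaired(t)
        else:
            raise ValueError(f"unknown timeline entry: {kind}")
    return roles


# Constructed timeline: regular beats until t=10, then silence, a stray
# beat at t=30 while the backup is active, operator confirmation at t=40.
SAMPLE_TIMELINE = [
    ("beat", 0), ("tick", 5), ("beat", 5), ("tick", 10), ("beat", 10),
    ("tick", 15), ("tick", 20), ("tick", 25), ("tick", 26),
    ("beat", 30), ("tick", 35), ("repaired", 40), ("tick", 45),
]

if __name__ == "__main__":
    m = FailoverMonitor()
    for t, role in simulate(m, SAMPLE_TIMELINE):
        print(f"t={t:>3}  active={role}")
    for t, msg in m.events:
        print(f"t={t:>3}  {msg}")
```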

14.3.1.5.4 User Authentication Server Reporting

Sprint will provide monthly change request reports to the Government. These monthly reports will be X Access to this Web site will be limited to the POCs designated in the EDD. A modification to the encryption/digital signature client software will be supplied by Sprint X

14.3.1.5.5 User Authentication Server Backups

Sprint will perform nightly remote backups of the user authentication servers’ (primary and backup) configuration files. These backups will be readily available if a rebuild of either server is necessary. X

14.3.1.6 Change Management

Stringent change management procedures are important to ensure the performance and security of a user authentication server. The user authentication elements addressed in this section include:

• Add new user

• Delete current user (standard)

• Delete current user (emergency)

• Reset PIN to new PIN

• Reset PIN to Static Password (emergency situations only)

• Change/Add/Delete IP address of Agent(s)

• Token card issuance

• User ID administration

• Monthly reports.

Only the designated Government POCs will be permitted to request changes. For initiating change requests, Sprint will provide two copies of the encryption/digital signature client software as part of the service. If the Government requires more than two POCs, extra encryption/digital signature licenses must be ordered.

All changes will be classified by the Government as either Non-Emergency or Emergency on the change request form. Any changes, including adding new users, will require a change request. If the change request to add additional users exceeds the size of the software license, an upgrade to the license will be required. An order for the new software and a disconnect order for the existing software line item will be submitted.

X These changes are submitted by Primary or Secondary Points of Contact. If the Government desires to change both Primary and Secondary Points of Contact and does not wish to initiate changes through existing security Points of Contact, special arrangements can be made through written documentation from executive-level management of the Government organization.
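An added illustration, not Sprint’s code, that applies the rules of 14.3.1.5.1 and this section to a submitted change form: only a designated POC for the affected server may request a change, “Reset PIN to Static Password” is accepted only as an emergency change and triggers notification of the other POC, and an add-user request that would exceed the license size is held for a license upgrade. The server record, POC addresses, license size and sample requests are constructed.

```python
"""Validation and notification routing for a User Authentication Change
Form, applying the rules stated in 14.3.1.5.1 and 14.3.1.6.

Added illustration, not Sprint's code. The server record, POC addresses,
license size and requests are constructed sample data; the change
elements are the ones listed in this section.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Change elements from the list in 14.3.1.6 (reports excluded: not a change).
ELEMENTS = {
    "Add new user",
    "Delete current user (standard)",
    "Delete current user (emergency)",
    "Reset PIN to new PIN",
    "Reset PIN to Static Password",
    "Change/Add/Delete IP address of Agent(s)",
    "Token card issuance",
    "User ID administration",
}
# The text allows this element in emergency situations only.
EMERGENCY_ONLY = {"Reset PIN to Static Password"}


@dataclass
class Server:
    name: str
    primary_poc: str
    secondary_poc: str
    license_size: int   # users the software license covers
    user_count: int     # users currently defined


@dataclass
class ChangeRequest:
    server: str
    requester: str      # POC who submitted the signed form
    element: str
    emergency: bool     # Emergency / Non-Emergency box on the form
    users_added: int = 0


@dataclass
class Decision:
    accepted: bool
    reason: str
    notify: List[str] = field(default_factory=list)
    license_upgrade_required: bool = False


def process(req: ChangeRequest, servers: Dict[str, Server]) -> Decision:
    server = servers.get(req.server)
    if server is None:
        return Decision(False, "unknown server")
    # Each server has its own POCs; only they may request changes on it.
    pocs = (server.primary_poc, server.secondary_poc)
    if req.requester not in pocs:
        return Decision(False, "requester is not a designated POC for this server")
    if req.element not in ELEMENTS:
        return Decision(False, "unknown change element")
    if req.element in EMERGENCY_ONLY and not req.emergency:
        return Decision(False, f"{req.element} is permitted only as an emergency change")

    notify = [req.requester]
    if req.element in EMERGENCY_ONLY:
        # Critical event: the other POC is told that a static password has
        # temporarily replaced the one-time password for this user.
        other = server.secondary_poc if req.requester == server.primary_poc else server.primary_poc
        notify.append(other)

    if req.element == "Add new user":
        if server.user_count + req.users_added > server.license_size:
            # Needs a new software order plus a disconnect of the old line item.
            return Decision(False, "exceeds license size; license upgrade required",
                            notify, license_upgrade_required=True)
        server.user_count += req.users_added

    return Decision(True, "accepted", notify)


def sample_servers() -> Dict[str, Server]:
    """Constructed records: one managed server near its license limit."""
    return {"auth-01": Server("auth-01", "alice.poc@agency.example",
                              "bob.poc@agency.example", license_size=100, user_count=98)}


if __name__ == "__main__":
    servers = sample_servers()
    for r in (
        ChangeRequest("auth-01", "alice.poc@agency.example", "Reset PIN to Static Password", True),
        ChangeRequest("auth-01", "bob.poc@agency.example", "Reset PIN to Static Password", False),
        ChangeRequest("auth-01", "mallory@agency.example", "Add new user", False, 1),
        ChangeRequest("auth-01", "alice.poc@agency.example", "Add new user", False, 3),
    ):
        print(r.element, "->", process(r, servers))
```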

14.3.1.7 Configuration Management

Sprint will track all changes made by Sprint personnel on the managed server. When a change is made, X This methodology acts as a disaster recovery mechanism and provides an archive of changes.

Upgrade Procedures: The authentication servers will be network-based. Sprint will continuously monitor the hardware and software to ensure the highest level of performance and maximum security.

Maintenance Procedures: Sprint will utilize the primary backup user authentication server configuration to perform maintenance without interruption of service.

Software and Hardware Upgrades: Sprint will utilize the primary backup user authentication server configuration to perform maintenance without interruption of service.

14.3.2 Customer-Managed User Authentication Service

Sprint will provide the hardware, software, design, implementation and support services to enable customers to effectively manage their own authentication servers on their premises. A secondary user authentication server is available as an option.

Sprint’s Customer-Managed User Authentication Service solution will consist of the following:

• Managed Security Service Design

• Managed Security Service Implementation (includes installation at the Government premise)

• User Authentication Hardware

• Hardware Maintenance

• User Authentication Software

• User Authentication Software Support

• User Authentication Tokens

• User Authentication Server Client Running on the Government’s firewall.

X If the original order specified tokens going to one location and the seed records going to another location, then the seeds may be shipped to either location. If Sprint or the Government requires seed records to be shipped to a new location, an indemnification form must be completed by the Government’s authorized security point of contact listed in the EDD. Figure 1.B.14-4 depicts Sprint’s Customer-Managed User Authentication Service.

X

Figure 1.B.14-4 Customer-Managed User Authentication Service

14.3.2.1 Customer-Managed User Authentication Service Software and Hardware

Sprint’s Customer-Managed User Authentication Service will require that the following software (with support) and hardware (with maintenance contract) be ordered from Sprint:

• User Authentication Software

• User Authentication Software Support - problem resolution and software updates, patches, etc.

• User Authentication Hardware

• User Authentication Hardware Maintenance - 4 hour, on-site hardware service contract (some locations may be outside the geographic scope and have a response time greater than 4 hours).

• User Authentication Tokens

• Secondary server

14.3.2.2 User Authentication Software Support

Sprint will ensure the latest software updates are distributed to the Government. It is the responsibility of the Government to update the User Authentication Software. Sprint will notify the Government at the time of update distribution as to whether or not the update is required as a condition of continued software support. Sprint’s support for a new software release will be consistent with the vendor’s support for that software release.

14.3.2.3 User Authentication Software Size Upgrades

User Authentication Software Size Upgrades will be ordered through Sprint. An order for the new software and a disconnect order for the existing software line item will be submitted.

14.3.2.4 User Authentication Hardware Maintenance

When it is determined that hardware has failed, an engineer will be dispatched to the Government site to arrive within four (4) hours. The Government’s POC will be contacted immediately. In the event that a failure occurs during non-business hours, the Government POC will direct Sprint as to when an engineer will gain access to the User Authentication Server.

Most equipment failures will be fixed within four (4) hours of the arrival of the engineer at the Government site. Any equipment failures that require overnight shipping of parts will be installed X

14.4 Additional Security Services

The services described in the sections below will be available to all Sprint transport customers, regardless of whether or not they have purchased Managed Security Services. The Government would contact their account team for information regarding receiving the security services detailed below.

14.4.1 Customer Firewall Vulnerability Scan

X

These scans are for internal use and will not create reports for the Government.

14.4.2 Security Alerts

Sprint Corporate Security will serve as a clearinghouse for the distribution of security alerts posted by various security organizations and equipment vendors, upon receipt of Government request(s). Sprint will assist the Government in getting on the mailing list directly if it would like to receive continuous updates.

14.4.3 24 Hour Emergency Response

The Sprint Security Team will be available 24 hours a day, 365 days a year to respond to Government security emergencies. The emergencies may relate to Sprint-managed firewalls, customer-managed firewalls, hacker attacks, or any other network security emergencies.

14.4.4 Investigation Support

Investigation support will be available to address reported security breaches and other security concerns.

14.4.5 Prosecution Assistance

At the Government’s request, Sprint will serve as a liaison between the Government and various worldwide security organizations. Figure 1.B.14-5 summarizes Sprint’s Managed Security Services, which are available to the Government at no additional charge.

14.5 Managed Intrusion Detection System (IDS)

Sprint-managed Intrusion Detection System (IDS) is a value-added component of a Sprint-managed Firewall solution. This managed service will monitor and alert customers to possible intrusions or suspected compromises of their networked resources facing the Internet or other public networks. The goal of the service is to provide customers timely information on malicious activity detected within their network, enabling the customer to react quickly to protect their network and information assets.

X

14.5.1 Service Description

The IDS Sensor on the customer’s network monitors live network packets and looks for signs of network attacks, network misuse, and anomalies. When it detects an event, the IDS Sensor records the event for future forensic analysis and forwards the event information to the IDS Server located X.

X

• X

14.5.2 Standard Service Components

Sprint’s Managed IDS Service consists of the following required components.

Table B.14-11 IDS Standard Service Components

|Service Component |Section Description |Component Description |

|X |X |X |

|X |X |X. |

|X |X |X |

|X |X |X |

|X |X |X |

14.5.2.1 IDS Equipment

IDS Sensor Appliance

X

IDS Switch

X

IDS Tap

X

14.5.2.2 Maintenance Support

Sprint will provide continuous support for all equipment (hardware and software) located X.

14.5.2.3 Management

X management is offered to Managed IDS customers. Sprint’s IDS Management consists of the following standard services:

X

14.5.2.4 Design

Sprint’s Security Design Service provides customers with a solution customized to their connectivity and security requirements. Sprint Network Engineers and Security Design Engineers work with the customer to determine a solution that balances security with access to network resources consistent with their overall security policy and network architecture. X

The EDD is required by Sprint in order to approve the service request. The implementation group checks the service request against the EDD to ensure that all necessary parts and services are included in the order. Orders submitted without an accompanying EDD will be delayed or rejected until the EDD is prepared.

14.5.2.5 Implementation

X

X

Figure 1.B.14-6 X

Sprint Data Center

Deployments at Sprint Data Centers are similar to the CPE deployment. X

X

Figure 1.B.14-7 X

14.5.3 Event Notification

The IDS Sensor on the customer’s network monitors live network packets and looks for signs of network attacks, network misuse, and anomalies. When it detects an event, the IDS Sensor records the event for future forensic analysis and forwards the event information to X.

14.5.3.1 SEV1

X

Alert Notification

• X

14.5.3.2 SEV2

X

14.5.3.3 Reports

X

14.5.4 SANS/FBI Top 20 List of Vulnerabilities

X

History

In 2000, The System Administration, Networking, and Security Institute (SANS) and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. This list was developed to help organizations prioritize their efforts to close the most significant and prevalent network vulnerabilities exposing a network to external attack.

On October 1, 2001, the Top Ten List was expanded and categorized to become the SANS/FBI TOP TWENTY list of vulnerabilities. The list is segmented into three categories: General Vulnerabilities, Windows Vulnerabilities, and Unix Vulnerabilities.

Function

The SANS/FBI Top Twenty List is valuable because the majority of successful attacks on computer systems via the Internet can be traced to exploitation of security flaws on this list. For instance, the easy and rapid spread of the Code Red and NIMDA worms can be traced to exploitation of unpatched vulnerabilities on this list. These few software vulnerabilities account for the majority of successful attacks, simply because attackers are opportunistic – taking the easiest and most convenient route. They exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and often attack indiscriminately, scanning the Internet for any vulnerable systems.

The creation of the SANS/FBI TOP TWENTY combines the knowledge of dozens of leading security experts from the most security-conscious federal agencies, leading security software vendors and consulting firms, top university-based security programs, CERT, and the SANS Institute. “The LIST” is also a living document: developed by community consensus and updated as needed, it draws on the knowledge and expertise of those experts together with the experience of engineers and technologists working in real-world networking environments.

What it is not

The SANS/FBI list is not to be compared in purpose or design with the “FBI Top 10 Most Wanted List”.

• It is not a list of the most dangerous viruses, worms, or other malicious codes and signatures found on the Internet.

It is a list of commonly exploited vulnerabilities exposing a network to a wide variety of attacks.

• It is not all relevant to all networks.

Only protocols supported by the network are relevant.

• Network changes based on The List will not guarantee a secure network.

But it will significantly reduce the risk of exposure and exploitation of a network.

14.5.5 Optional Service Components

X

14.6 Multi-Tier Security Profiles (MTSP)

With heightened concerns about security and the global economy, the General Services Administration (GSA) Federal Technology Service (FTS) has identified the requirement to increase security in the services being delivered to customer agencies. To meet this requirement, FTS has developed the Multi-Tier Security Profiles (MTSP) initiative. MTSP provides four baseline levels of embedded security, which can be tailored to individual customer needs and security requirements. In order to provide these services, Sprint has developed MTSP services for FTS2001. Sprint MTSP will provide all services necessary for the Government to satisfy its worldwide telecommunications, information technology and security requirements.

14.6.1 MTSP Service Tiers

Sprint MTSP will provide guidance on four discrete tiers of service, from which the customer agencies may select contingent upon their respective levels of mission criticality and information sensitivity.


Figure 1.B.14-8 MTSP National Architecture

Tier 1 – “Standard” service is representative of the transport services currently offered on the FTS2001 contract. The subscribing customer shall be responsible for implementation of all security features.

Tier 2 – “Protected” service shall consist of security enhancements that provide the subscribing customer with additional protection from unauthorized activities and the proliferation of malicious code. Security enhancements should include a combination of firewall, filtering router, proxy server and boundary anti-virus detection technologies configurable to the subscribing customer’s security policy and specifications. Internet connections and connections to Tier 1 or other Tier 2 networks shall only be facilitated through such devices. Utilization of Network Address Translation (NAT) is recommended to mask internal network addresses and may be specified at the subscribing customer’s discretion. Provisions for Virtual Private Network (VPN) and on-site or remote network management services are offered as a customer option.

Tier 3 – “High Assurance” service encompasses the security enhancements offered under Tier 2 but shall not have any direct connection(s) to the Internet or lesser sensitive Tier 1 network(s). Internet connectivity shall only be accomplished through a Tier 2 enclave using trusted gateways, secure mail guard or web proxy technologies. Trusted Gateways, Secure Mail Guards and Web Proxies are evaluated products that offer high assurance against compromise by applying technology solutions that enforce security policies and protocols when allowing data exchanges between enclaves of varying sensitivity. Tier 3 services shall exhibit high reliability and low latency characteristics sufficient to support a subscribing customer’s “Type 1” hardware encryption devices. “Type 1” devices are NSA approved cryptographic GFE that provide hardware encryption generally considered to be immune from exploitation and managed by the customer. On-site and remote network management services are available as a customer option.

Tier 4 – “Network High” service shall include and build upon the security enhancements offered under Tiers 2 and 3 but shall offer no connection(s) to networks of lesser sensitivity. Tier 4 services shall exhibit functional isolation from other networks. Contingent upon the subscribing customer’s criteria, the isolation technique employed may be either physical or a high assurance technical solution. This may include but not be limited to Dense Wave Division Multiplexing (DWDM) of a shared fiber, dedicated fiber in a shared conduit, dedicated fiber and conduit in a shared facility, etc. At the subscribing customer’s discretion, connectivity may be specified to another Tier 4 network. In such cases, concurrence from the owners of both networks shall be obtained prior to execution.

Table 1.B.14-11 reflects the security features and performance measurement criteria for each tier of Sprint MTSP. The actual Sprint-recommended services and measurements may differ for each customer depending on their individual security requirements.

Table 1.B.14-11 Security Features and Performance Measurements

|Security Enhancement |Tier 1 |Tier 2 |Tier 3 |Tier 4 |Security Function |Performance Measurement |

|NIACAP (NSTISSI 1000) | |X |X |X |Establishes the Certification and Accreditation methodology |Delivery of certification support documentation to the subscribing customer upon service implementation |

|NIST Spec. Publication SP 800-37 |X |X |X |X |Establishes guidelines to improve the overall security profile of Federal computing resources and networks through a defined criteria for Certification and Accreditation that defines, documents and tests the functional and security features |Delivery of certification support documentation to the subscribing customer upon service implementation |

|Mission Specific Guidance |X |X |X |X |Additional security requirements that are mission or community specific |Delivery of certification support documentation to the subscribing customer upon service implementation |

|Firewall | |X |X |X |Protects a trusted network or network components from another network based on a set of rules established by the subscribing customer. Reference NIST Special Publication SP 800-41 |Inclusion of Firewall test results against the set of rules defined by the subscribing customer as a component of the certification support documentation cited above. Archiving of log files for the previous 90 days for analysis (as needed) of anomalous/hostile activities |

|Intrusion Detection | |X |X |X |Collects information from a variety of network resources, analyzes the information for signs of intrusion or misuse and generates notification of the anomaly. Reference NIST Special Publication SP 800-31 |Verification by the subscribing customer or designated agent of IDS software and attack signature database for protection against currently known attack scenarios, the generation of intrusion or misuse alarms and incident reporting to the FedCIRC |

|Boundary Anti-virus Protection | |X |X | |Application installed at designated network boundaries to prevent the proliferation of malicious computer code (virus) from external and internal points of origin |Verification by the subscribing customer or designated agent of anti-virus software and virus signature database for protection against currently known malicious code and incident reporting to the FedCIRC |

|Service Reliability |X |X |X |X |Minimum acceptable service availability requirements |Inspection of both customer and provider logs to demonstrate service availability as stated in appropriate sections of the FTS2001 contract. Higher service availability requirements may be obtained via MPNS. |

|Configuration (Change) Management | |X |X |X |Addresses, tests and documents any changes to a network to minimize impact on the performance, security and functionality |Verification by the subscribing customer or designated agent of the provider’s documentation detailing changes to the network for the period of service delivery |

|Help Desk |X |X |X | |Establishes a single point of presence for customer trouble reporting. 24X7 Availability. |Verification by the subscribing customer or designated agent of the provider’s logs detailing reported troubles and the associated response |

|Packet Filtering Router | |X |X |X |Restricts packets to specific ports based on protocol-specific criteria |Verification by the subscribing customer or designated agent of the provider’s implementation of router tables against customer service requirements |

|Virtual Private Network (VPN) | |X |X |X |Provides encrypted and secure communication within specific network components or between disparate network enclaves. Sprint offers both CPE and Network-based VPN services. |Review by the subscribing customer or designated agent of security and functional test results and technical documentation pertaining to the respective VPN network nodes (Subject to independent testing) |

|Type 1 Encryption Support | | |X |X |Network performance capability that enables the use of NSA approved Type 1 (hardware) encryption devices. Maximum latency complies with individual needs according to bandwidth and speed of cryptographic device in use. (Provision and maintenance of crypto devices are the responsibility of the subscribing customer) |Verification by the subscribing customer or designated agent of test with results of the encrypted link to substantiate the ability of the link to maintain synchronization |

|Trusted Gateway | | |X | |Enables a secure one-way transfer of data from one network to another. Approved by the Secret and Below Interoperability (SABI) Program Office. Reference NIST Special Publication SP 800-23 |Verification by the subscribing customer or designated agent of Functional and Security Test results as documented in the service provider generated certification support documentation. (Subject to independent testing) |

|Secure Mail Guard | | |X | |Guard device that provides a secure one-way transfer of data from one domain to another of equal or lesser sensitivity. Reference NIST Special Publication SP 800-23 |Verification by the subscribing customer or designated agent of Functional and Security Test results as documented in the service provider generated certification support documentation. (Subject to independent testing) |

|Secure Web Proxy | |X |X | |Acts as a boundary device preventing penetration into a sensitive network enclave from one of lesser sensitivity, while allowing users on the more sensitive network to safely and securely browse the lesser sensitive domain (e.g., Internet) |Verification by the subscribing customer or designated agent of Functional and Security Test results as documented in the service provider generated certification support documentation. (Subject to independent testing) |

|Remote Management | |X |X | |Eliminates the customer’s requirement to functionally manage the network or components thereof through outsourcing |IAW subscribing customer’s requirements specification |

|On-Site Management | |X |X |X |Eliminates the customer’s requirement to functionally manage the network or components thereof through outsourcing |IAW subscribing customer’s requirements specification |

|Network Isolation (Air Gap) | | | |X |Network operates in absolute physical isolation from lesser sensitive network enclaves |Verification by the subscribing customer or designated agent of isolation from lesser sensitive networks |

|Personnel Reliability Requirements | |X |X |X |Certification of service provider’s personnel commensurate with the critical nature of the subscribing customer’s mission, information sensitivity and community specific requirements |Verification by the subscribing customer or designated agent of National Agency Check (NAC) or security clearance adjudication documentation for service provider personnel with access to information resources that are part of the subscribing customer’s information infrastructure. Criteria to be determined by the subscribing customer |

14.6.2 MTSP Service Offerings

• MTSP Tier 1 – MTSP Tier 1 does not require a prepackaged solution, as the customer is responsible for security on a Tier 1 network. Sprint will deliver the level of security inherent in the transport service selected.

• MTSP Tier 2 – Sprint will offer a turnkey MTSP package offering the customer a typical configuration for a Tier 2 MTSP network.

• MTSP Tier 3 – Sprint will offer a turnkey MTSP package offering the customer a typical configuration for a Tier 3 MTSP network.

• MTSP Tier 4 – MTSP Tier 4 networks require a total custom security solution for each customer. Depending on the customer’s identified threats and vulnerabilities, a Tier 4 solution could possibly require Sprint on-site management, special personnel requirements, or even an entirely private network physically isolated from other networks or outside influences. X


Figure 1.B.14-5 Summary of Value-Added Managed Security Services

Table of Contents

14.0 Managed Security Services 789

14.1 Introduction 789

14.2 Management Services 789

14.2.1 Network Security Design 792

14.2.1.1 The Design Process 792

14.2.1.2 Domain Name System (DNS) Configuration for Managed Firewall Services 793

14.2.1.3 Simple Mail Transfer Protocol (SMTP) Mail Configuration for Managed Firewall Services 794

14.2.2 Managed Firewall Services 795

14.2.2.1 Sprint-Managed Firewall Service 796

14.2.2.1.1 Sprint-Managed Firewall Service on Non-Sprint Transport 799

14.2.2.1.2 Firewall Monitoring Tools 799

14.2.2.1.3 Firewall Administration and Operations 800

14.2.2.1.4 Sprint-Managed Service Level Guarantees 805

14.2.2.1.5 Additional Options For Sprint-Managed Firewalls 807

14.2.2.1.6 Change Management 809

14.2.2.1.7 Configuration Management 814

14.2.2.2 Customer-Managed Firewall Service 816

14.2.2.2.1 Firewall Software Support 817

14.3 Managed User Authentication Services 818

14.3.1 Sprint-Managed User Authentication Service 819

14.3.1.1 Tokens 821

14.3.1.2 User Authentication User ID Setup 821

14.3.1.3 Redundant User Authentication Server 822

14.3.1.4 Customer Responsibilities 822

14.3.1.5 User Authentication Server Administration and Operations 823

14.3.1.5.1 User Authentication Server Monitoring and Customer Notification 823

14.3.1.5.2 User Authentication Server Software Support 825

14.3.1.5.3 User Authentication Server Hardware Maintenance 825

14.3.1.5.4 User Authentication Server Reporting 826

14.3.1.5.5 User Authentication Server Backups 826

14.3.1.6 Change Management 826

14.3.1.7 Configuration Management 828

14.3.2 Customer-Managed User Authentication Service 828

14.3.2.1 Customer-Managed User Authentication Service Software and Hardware 830

14.3.2.2 User Authentication Software Support 831

14.3.2.3 User Authentication Software Size Upgrades 831

14.3.2.4 User Authentication Hardware Maintenance 831

14.4 Additional Security Services 832

14.4.1 Customer Firewall Vulnerability Scan 832

14.4.2 Security Alerts 832

14.4.3 24-Hour Emergency Response 832

14.4.4 Investigation Support 833

14.4.5 Prosecution Assistance 833

List of Tables

Table 1.B.14-1 Managed Security Services 790

Table 1.B.14-2 Comparison of Managed Security Services Offerings 791

Table 1.B.14-3 Comparison of Sprint-Managed vs. Customer-Managed Firewall Service 796

Table 1.B.14-4 Sprint-Managed Firewall Services 798

Table 1.B.14-5 Sample Problem Notification 802

Table 1.B.14-6 Sprint-Managed Firewall Service Performance Guarantees 806

Table 1.B.14-7 Managed Firewall Change Management 809

Table 1.B.14-8 Change Management Service Levels and Change Allotments 812

Table 1.B.14-9 Comparison of Sprint-Managed vs. Customer-Managed User Authentication Service 819

Table 1.B.14-10 Sample Notification Methods 824

List of Figures

Figure 1.B.14-1 Overview of Service Components Provided with Sprint-Managed Firewall Solution 797

Figure 1.B.14-2 Overview of Service Components with Customer-Managed Firewall Solution 817

Figure 1.B.14-3 Sprint-Managed User Authentication Service 821

Figure 1.B.14-4 Customer-Managed User Authentication Service 830

Figure 1.B.14-5 Summary of Value-Added Managed Security Services 833
