Celgene N-IDPS RFP Request For Proposal

Celgene N-IDPS RFP
Request for Proposal
Proprietary and Confidential

Unauthorized distribution or reproduction prohibited.
Copyright © 2009 Celgene.
Copyright All rights reserved.
Revision 1.0 (Draft)
Project: N-IDPS
Printed on: 6/17/09
Last Saved: 10/30/2009
CONTENTS
1 Corporate Information.......................................................................3
2 Purpose and Scope...........................................................................4
2.1 EXECUTIVE SUMMARY............................................................4
2.2 ISSUE..................................................................................5
3 Instructions and Considerations..........................................................6
3.1 DESIGNATED POINT OF CONTACT............................................6
3.2 RELEVANT DATES..................................................................6
3.3 PUBLICITY............................................................................6
3.4 CELGENE CONFIDENTIAL INFORMATION...................................6
3.5 OWNERSHIP OF MATERIAL......................................................6
3.6 RESPONSE SUBMISSION........................................................6
3.7 DISCLAIMER.........................................................................7
4 Solution Overview............................................................................8
5 Functional Requirements...................................................................9
5.1 CENTRALIZED MANAGEMENT..................................................9
5.2 PHYSICAL REQUIREMENTS....................................................11
5.3 RELIABILITY AND AVAILABILITY............................................12
5.4 DETECTION ENGINE AND RULES............................................12
5.5 NETWORK AND USER INTELLIGENCE......................................14
5.6 IDS/IPS AUTOMATION..........................................................14
5.7 IT POLICY COMPLIANCE........................................................14
5.8 NETWORK BEHAVIOR ANALYSIS (NBA)...................................15
5.9 THIRD-PARTY INTEGRATION.................................................15
5.10 TARGET LOCATIONS AND THROUGHPUT REQUIREMENTS........16
ii
Revision 1.0 (Proposal)
Project: N-IDPS
Printed on: 10/30/2009
1 CORPORATE INFORMATION
Celgene is a multinational biopharmaceutical company committed to improving the lives

of patients worldwide.
Celgene strives to deliver truly innovative and life-changing drugs for patients. Your
mission as a company is to build a major global biopharmaceutical corporation while
focusing on the discovery, the development, and the commercialization of products for
the treatment of cancer and other severe, immune, inflammatory conditions.
There are numerous clinical trials at major medical centers using compounds from
Celgene. Investigational compounds are being studied for patients with incurable
hematological and solid tumor cancers, including multiple myeloma, myelodysplastic
syndromes, chronic lymphocyte leukemia (CLL), non-Hodgkin's lymphoma (NHL),
glioblastoma, and ovarian, pancreatic and prostate cancer.
-- www.celgene.com
With clear commitment to clinical accomplishment, Celgene is equally committed to
patient support as a guiding principle. Celgene believes all who can benefit from its
discoveries should have the opportunity to do so. Celgene puts patients first with
industry-leading programs that provide information, support and access to our
innovative therapies.
With an ethics-driven culture, Celgene has demonstrated the need and responsibility to
protect information assets, their own, their customers’, their patients’, and their
partner/suppliers’.
Page 3

All rights reserved.
Project: N-IDPS
2 PURPOSE AND SCOPE

Celgene provides this request with the objective to obtain a Global Network Based
Intrusion Detection/Prevention System (N-IDPS) solution that meets comprehensive and
enterprise-scaleable requirements documented in this RFP.
Please provide your responses to this RFP to address two stages of deployment: POC
(Proof of Concept) and Production Implementation. Break out the associated costs for
each stage with applicable equipment and consulting services. For example:
Proof of Concept:
Equipment = Quote for 30 day evaluation
Consulting Services = Quote for POC installation, configuration, testing, and
administrator training
Production Implementation:
Equipment = Quote for 4 major site deployment
Consulting Services = Quote for installation, configuration, testing, and administrator
training
2.1 EXECUTIVE SUMMARY

Celgene has assessed the need for network security tools that will enable it to identify
network-based attacks that target system and software vulnerabilities. Network-based
IDPS can detect and block such attacks, as well as act as pre-patch shields for systems
and applications. N-IDPS can alert Security and IT Support personnel to locate and
remove culprit systems and/or remediate vulnerable systems. Furthermore, a robust N-
IDPS will enable Security to conduct forensic investigations and produce accountability
reports. In summary, an N-IDPS will give Celgene visibility into the type of traffic that is
flowing through its network. With this diagnostic tool, Celgene can detect and prevent
security risks from external and internal threats that can result in compromised systems,
loss of data, productivity, and possible harm to reputation.
Page 4

Project: N-IDPS
2.2 ISSUE
Currently, Celgene has robust firewalls that deny all network traffic, except that which is
explicitly permitted. While they perform this role satisfactorily, traffic from hosts and
protocols that are explicated permitted still present a risk to Celgene network resources.
Additionally, compromises from internal threats would not be addressed by perimeter
firewall rules.
Moreover, when there are incidents of deliberate or inadvertent violations, the tools to
identify tools offending devices are either inadequate or dispersed across several
systems. A security tool that could identify and preemptively stop such attacks would be
a valuable asset to Celgene.
Page 5

Project: N-IDPS
3 INSTRUCTIONS AND CONSIDERATIONS
3.1 DESIGNATED POINT OF CONTACT

Please contact Dennis Novak – Procurement Analyst – dnovak@celgene.com (908)-860-
7738 with any questions that you might require. We would like to thank you for prompt
attention to this request.
3.2 RELEVANT DATES
Milestone Date Event

10/05/09 Celgene RFP is issued
10/08/09 Bidders must email, through e-sourcing tool, Intent to
Respond by 5:00 PM EST
10/12/09 Deadline for submitting RFP questions by 5:00 PM EST
10/19/09 Final date to submit proposal by 2:00 PM EST
3.3 PUBLICITY
Supplier agrees not to publish or use any advertising, sales, promotional, press releases
or publicity materials, wherein the name or trademark of Celgene is used or language is
employed from which the connection of said name of mark could be inferred or implied
without prior written approval of Celgene.
3.4 CELGENE CONFIDENTIAL INFORMATION

Supplier agrees that all information will be kept confidential. This information will only
be used for proposals to Celgene for furnishing material, software, documentation or
services hereunder, and may not be used for other purposes except as may be agreed
upon between the bidder and Celgene in writing.
3.5 OWNERSHIP OF MATERIAL

All materials submitted in response to this RFP shall become the property of Celgene and
may be returned only at Celgene’s option.
3.6 RESPONSE SUBMISSION

Supplier will provide responses to this proposal in a single Microsoft Word or Adobe PDF
document electronically.
Page 6

Project: N-IDPS
3.7 DISCLAIMER
The purpose of this RFP is to solicit vendor responses to stated requirements for a
project that Celgene intends to execute; however, receipt of this RFP is not to be
interpreted as a commitment on the part of Celgene to purchase any product or service,
or to be executed on the intended project in any manner. Celgene reserves the right to
choose to proceed with and/or cease negotiations with any recipient of this RFP at any
time during this process for any reason.
The Vendor is required to indicate agreement with the conditions stated in this
disclaimer by signing below:
___________________________________________________
Signature
_Supplier’s Company Name_____________________________
____________________________________ ___________
Title Date
Page 7

Project: N-IDPS
4 SOLUTION OVERVIEW
Celgene is seeking bids for a network based IDPS solution that employs inline and/or
passive sensors (appliances) with centralized management for analysis, alerting, and
reporting on critical network segments and devices of any suspicious activity that may
be external or internal to Celgene. The solution should be capable of analyzing network,
transport, and application protocols using a variety of detection methods i.e. signature-
based, anomaly-based; as well as stateful protocol analysis techniques.
A successful solution would also include an NBA (Network Behavior Analysis) system,
which examines network traffic or statistics on network traffic to identify unusual traffic
flows, such as distributed denial of service (DDoS) attacks, certain forms of malware
(e.g., worms, backdoors), and policy violations (e.g., a client system providing network
services to other systems).
While the focus of this RFP is for in house solutions that are owned and managed by
Celgene employees and consultants, Celgene is open to a fee for service solution that
includes external vendor monitoring, alerting, and reporting of internal devices that are
owned by the vendor or Celgene.
Describe the general approach/strategy your N-IDPS solution is based on.
Summarize all of the key components and highlight any competitive advantages your
solution may have. Ideally, provide network diagrams. Explain the solution’s ability to
defend virtual environments.
Page 8

Project: N-IDPS
5 FUNCTIONAL REQUIREMENTS
The following is an outline of functional requirements that a successful bid for N-IDPS
consideration at Celgene should meet or exceed:
5.1 CENTRALIZED MANAGEMENT

The solution must feature centralized management design that is scalable for a global
implementation. Management console should be customizable and easy to use, while
providing effective analysis & alerts, robust reports, and secured access:
A. Design features (physical and logical):

1) The solution must support a centralized management design with hierarchical
features:
a. Each N-IDPS appliance (sensor) can be managed with a local administrative
interface.
b. A management console can manage multiple sensors.
c. The management platform supports “Manager of Managers” capability, whereby
one management console can manage multiple management consoles and push
down global IPS, system, and appliance health policies to individual sensors
2) All traffic between N-IDPS appliances and the management console must be secure
(i.e. authentication via key exchange or shared secret and encryption.)
3) The management platform must be capable of centralized, life cycle management
and configuration of all sensors, with the ability to group sensors e.g. by location,
function, support team.
4) The management platform must support both internal and external
databases/systems for storage of event data, logs, and other system-generated
information.
5) The management platform must be capable of synchronizing time between all
components of the system via NTP.
B. Administration and Access Management:

1) The solution should support LDAP for single sign-on to sensors and the
management console.
2) Management console should support comprehensive administrative access
management.
3) The solution must support individual user accounts.
4) Password strength, complexity, and expiration for management user accounts must
be enforceable.
5) The management platform must be capable of role-based administration, enabling
different sets of views and configuration capabilities for different
administrators subsequent to their authentication.
6) Access to the management console must be accomplished using secure (encrypted)
protocols.
7) The management platform must be capable of logging all administrator activities,
Page 9

Project: N-IDPS
both locally and to a remote log server.
C. Analysis, Alert, and Report Capabilities:

1) The management console must have comprehensive analysis and baselining
capability. Provide a full description of your product’s analysis and baselining
capabilities.
2) The management platform must provide robust reporting capabilities, including a
selection of pre-defined reports and the ability for complete customization and
generation of new reports. Provide a full description of your product’s reporting
abilities and any ‘canned reports’ that your product can produce.
3) Reports should be able to be generated in a readily presentable and protected
format (such as .pdf and .html) as well as editable formats (such as .doc, .xls,
and .csv).
4) The solution should also have efficient alerting tools based on thresholds (default
and customizable). Provide a full description of your product’s alerting features.
a. Alert analysis should provide the capability to identify the exact content
observed that triggered the alert.
b. The product should provide real-time alerting and support multiple
mechanisms for issuing alerts (e.g., SNMP, e-mail, SYSLOG, SMS) to
appropriate personnel.
c. The alerting should be configurable based on standard and custom
parameters.
d. The criteria (or thresholds) should be configurable per alert type and alert
destination (individual email addresses, syslog, SNMP, etc.)
5) Views should have filter and sort capabilities; e.g. by signature, date/time, device
name, IP address subnet.
6) Each view should be able to be exported for reporting and offline analysis
purposes.
7) The management platform must include flexible workflow capabilities for managing
the complete life cycle of an event, from initial notification through to any
response and resolution activities that might be required.
8) The management platform must be capable of aggregating IDS/IPS events and
centralized, real-time monitoring and forensic analysis of detected events.
9) Event syslogs should be generated, with the capability of them being sent and
analyzed by Security Incident/Event Monitoring (SIEM) and/or IT Global
Operations Monitoring (GOM) network tools.
Page 10

Project: N-IDPS
D. Ease of use and customization capabilities:

1) The solution must be easy to install and configure.
2) The management platform must provide a highly customizable dashboard
3) The management platform must be accessible via a Web-based interface and ideally
with no need for a JRE or additional client software
4) The management platform must provide the capability to easily view, enable,
disable, and modify individual rules, as well as groups or categories of rules.
5) The management platform must be capable of automatically receiving rule updates
published by the vendor and automatically distributing and applying
rules to updates sensors.
6) The management platform should include a scheduling subsystem to facilitate
automation of routine tasks, such as backups, upgrades, report creation, and policy
application
5.2 PHYSICAL REQUIREMENTS
A. The management console hard drive capacity should be capable of storing

a minimum of 6 months of data online while operating at a reasonable performance level
and should have a facility for archival of data and transfer of archived data to external
media or online system. (Note: It is understood that the amount of data generated by 6
months of activity at Celgene cannot be adequately determined from this RFP. It is also
understood that performance level will be largely based on the hardware and software
configuration of the management consol. Thus, describe a reasonable level of events
that can be processed and stored by the management console and your solution’s
reasonable archival capability. Include typical management console hardware and
software configurations that would achieve the performance levels described.)
B. The product should provide Layer 2 inline capability, supporting either
802.1q or ISL trunking, with Gigabit and/or Fast-Ethernet connectivity between 2 Cisco
Catalyst series switches.
C. The preferred cabling for the implementation is category 5 or 6, but other
cabling types such as fiber could be considered.
D. The solution should be able to utilize Cisco’s Gigabit Etherchannel or LACP
channel technology to scale the bandwidth between the protected switch and the core
switch if 1Gbps of bandwidth is insufficient at some point in the future. The N-IDPS
solution should support this strategy for scaling bandwidth across 1 or more appliances
as growth demands.
Page 11

Project: N-IDPS
5.3 RELIABILITY AND AVAILABILITY
A. Sensors must be capable of failing open, such that communications traffic

is still allowed to pass if the inline sensor goes down.
B. The management platform must be capable of monitoring the health of all
components and issuing alerts for anomalous conditions.
C. The management platform must be capable of backup and rollback for
sensor configurations and the management platform itself.
D. Sensors and management appliances must include redundant hardware
components, such as power supplies, disks, and fans, to help ensure non-stop
operations.
E. The management platform must be capable of a High Availability (HA)
configuration.
F. Describe how your sensors can accommodate dual fail-over firewalls. Can
your solution employ two input interfaces, either working concurrently or in a fail-over
strategy?
G. The IDS/IPS sensors and management console must be based on a
hardened operating system
H. The supplier must have a detailed process for assuring the quality and
reliability of its products.
5.4 DETECTION ENGINE AND RULES
A. The detection engine must have a long-standing track record of success.

B. The detection engine must be capable of operating in both passive (i.e.,
monitoring) and inline (i.e., blocking) modes.
C. The solution must be supported by a dedicated and highly experienced
team responsible for threat and vulnerability research and generation and testing of new
detection rules.
D. The management platform must include one or more default (i.e., pre-
defined) detection policy configurations (or signature-based rules) to help simplify initial
deployment.
E. Updated rules must be supplied by the product vendor at a reasonable
frequency to ensure that protection against new threats is provided, typically within 48
hours of public disclosure. (Specify your SLA in this regard.)
F. Detection rules must be based on an extensible, open language that
enables users to create their own rules, as well as to customize any vendor-provided
rules.
G. Detection rules provided by the vendor must be documented, with full
descriptions of the identity, nature, and severity of the associated vulnerabilities and
threats being protected against.
H. The detection engine must be capable of detecting and preventing a wide
variety of threats (e.g., malware, network probes/reconnaissance, VoIP attacks, buffer
overflows, P2P attacks, zero-day threats, etc.).
Page 12

Project: N-IDPS
I. The detection engine must be capable of detecting variants of known

threats, as well as new threats (i.e., so-called “unknown threats”).
J. The detection engine must incorporate multiple approaches for detecting
threats, including at a minimum exploit-based signatures, vulnerability-based rules,
protocol anomaly detection, and behavioral anomaly detection techniques. Identify and
explain each type of detection mechanism supported.
K. The detection engine must inspect not only network-layer details and
information resident in packet headers, but a broad range of protocols across all layers
of the computing stack and packet payloads as well.
L. The detection engine must be resistant to various URL obfuscation
techniques common to HTML-based attacks.
M. The solution must incorporate measures to minimize the occurrence of
both false positives and false negatives (i.e., mistaken and missed detection events,
respectively).
N. The solution must be capable of detecting multi-part or extended threats
by aggregating and correlating the multiple, disparate events associated with them.
O. Sensors must be capable of performing packet-level forensics and
capturing raw packet data in response to individual events without significant
performance degradation.
P. The detection engine must support multiple options for directly responding
to events, such as monitor only, block offending traffic, replace packet payload, and
capture packets.
Q. The management platform must be capable of setting thresholds such that
multiple instances of specific events are required before an alert is issued.
R. The solution must be capable of detecting IPv6 attacks.
S. Solution should provide signature baselining capability; with the following
options:
1) Signature globally turned on or off
2) Signature response set to ignore, log, alert, or block
3) Signature turned off by source and/or destination address
4) Signature response set to ignore, log, alert, or block by source
and/or destination address
T. In addition to “standard” signature, additional “intelligent’ capability to
identify and alert/block zero-day attacks without a matching signature, such as anomaly
or heuristics-based threats, is required.
U. Please provide the complete detail regarding what your product supports
for signatures and baselining as well as direct responses to the requirements stated
above.
Page 13

Project: N-IDPS
5.5 NETWORK AND USER INTELLIGENCE
A. The solution must be able to passively gather information about network hosts and
their activities, such as operating system, services, open ports, client applications, and
vulnerabilities, to assist with multiple activities, such as intrusion event data
correlation, elimination of false positives, and policy compliance.
B. The solution must be able to passively gather information about session flows for all
monitored hosts, including start/end time, ports, services, and amount of data.
C. The solution must be able to passively detect pre-defined services, such as FTP, HTTP,
POP3, Telnet, etc., as well as custom services.
D. The solution must be capable of storing user-defined host attributes, such as host
criticality or administrator contact information, to assist with compliance monitoring.
E. The solution should be able to passively gather user identity information, mapping IP
addresses to username, and making this information available for event management
purposes.
F. The aforementioned network and user intelligence should be passively gathered using
existing IPS appliances (no separate appliances required).
5.6 IDS/IPS AUTOMATION
A. The solution must be capable of employing an extensive set of contextual information

(e.g., pertaining to the composition, configuration, and behavior of the network and its
hosts) to improve the efficiency and accuracy of both manual and automatic analysis
of detected events.
B. The solution must be capable of significantly reducing operator effort and accelerating
response to threats by automatically prioritizing alerts, ideally based on the potential
for correlated threats to successfully impact the specific hosts they are directed
toward.
C. The solution must be capable of dynamically tuning IDS/IPS sensors (e.g., selecting
rules, configuring policies, updating policies, etc.) with minimal human intervention.
D. The solution must be capable of automatically providing the appropriate inspections
and protections for traffic sent over non-standard communications ports.
E. The solution must be capable of defending against IPS-evasion attacks by
automatically using the most appropriate de-fragmentation and stream reassembly
routines for all traffic based on the characteristics of each destination host.
5.7 IT POLICY COMPLIANCE
A. The solution must provide capabilities for establishing and enforcing host compliance
policies and alerting on violations.
B. The solution must be capable of exempting specific hosts from specific compliance
rules and suppressing corresponding compliance events and alerts.
C. The solution must be capable of easily identifying all hosts that exhibit a specific
attribute or non-compliance condition.
Page 14

Project: N-IDPS
5.8 NETWORK BEHAVIOR ANALYSIS (NBA)
A. The system must provide a full-featured NBA capability to detect threats emerging
from inside the network (i.e., ones that have not passed through a perimeter IPS).
This includes the ability to establish “normal” traffic baselines through flow analysis
techniques (e.g., NetFlow) and the ability to detect deviations from normal baselines.
B. The NBA capability must provide visibility into how network bandwidth is consumed to
aid in troubleshooting network outages and performance degradations.
C. The NBA capability must provide the ability to link Active Directory and/or LDAP
usernames to IP addresses related to suspected security events.
D. The NBA capability must provide the option of supplying endpoint intelligence to the
IPS for correlation against intrusion events to aid in event impact prioritization.
E. The same network appliances used for IPS must also be used as part of the NBA
capability. No NBA-only appliance should be required.
F. The same management platform used for IPS must also be used to manage the NBA
capability. No NBA-only management components should be required.
5.9 THIRD-PARTY INTEGRATION
A. The management platform must include an integration mechanism, preferably in the

form of open APIs and/or standard interfaces, to:
1) Enable automatic response to threats by external components and remediation
applications, such as routers, firewalls, patch management systems, etc;
2) Enable events and log data to be shared with external network and security
management applications, such as trouble-ticketing systems, Security
Information and Event Managers (SIEMs), systems management platforms, log
management tools, and network operations monitoring systems (e.g. NeTreo);
3) Receive information from external sources, such as configuration management
databases, vulnerability management tools, and patch management systems, for
threat correlation and IT policy compliance purposes;
4) Export SNMP information to network management systems.
5) Obtain network intelligence (i.e., NetFlow) from Cisco routers and switches;
B. As mentioned in the section on NBA, the solution should be capable of integrating with
Microsoft Active Directory or LDAP services in order to make appropriate correlations
and identification of workstations and user accounts, as they relate to any triggered
alerts and base lining of the environment.
Page 15

Project: N-IDPS
5.10 TARGET LOCATIONS AND THROUGHPUT

REQUIREMENTS
Celgene intends for the Network-based IDPS implementation to cover the following
locations, with their associated throughput requirements*:
1. Summit, NJ (major location) 1 Gbps

2. Boudry, Switzerland (major location) 1 Gbps
3. Marin, Switzerland (major location) 1 Gbps
4. San Diego (branch location) 2 Mbps
* There are approximately 23 additional branch locations throughout the US, Europe and
Asia that have internet connectivity and would be candidates for N-IDPS deployment;
however, only the 4 sites listed are within the scope of this RFP.
* Depending on a variety of factors (patch management policy, operating systems, etc.),the
N-IDPS implementation may be expanded to cover specific server farms; while this is
outside the scope of this RFP, the suitability of an N-IDPS solution for such an
implementation will be taken into consideration.
Page 16


Celgene N-IDPS RFP Request For Proposal

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Celgene N-IDPS RFP Request For Proposal

Uploaded by

Copyright:

Available Formats

Celgene N-IDPS RFP

Request for Proposal

Proprietary and Confidential

Celgene is a multinational biopharmaceutical company committed to improving the lives

Proprietary and Confidential

2 PURPOSE AND SCOPE

2.1 EXECUTIVE SUMMARY

Proprietary and Confidential

Proprietary and Confidential

3 INSTRUCTIONS AND CONSIDERATIONS

3.1 DESIGNATED POINT OF CONTACT

3.2 RELEVANT DATES

Milestone Date Event

10/19/09 Final date to submit proposal by 2:00 PM EST

3.4 CELGENE CONFIDENTIAL INFORMATION

3.5 OWNERSHIP OF MATERIAL

3.6 RESPONSE SUBMISSION

Proprietary and Confidential

_Supplier’s Company Name_____________________________

Proprietary and Confidential

Proprietary and Confidential

5.1 CENTRALIZED MANAGEMENT

A. Design features (physical and logical):

B. Administration and Access Management:

Proprietary and Confidential

both locally and to a remote log server.

C. Analysis, Alert, and Report Capabilities:

Proprietary and Confidential

D. Ease of use and customization capabilities:

5.2 PHYSICAL REQUIREMENTS

A. The management console hard drive capacity should be capable of storing

Proprietary and Confidential

5.3 RELIABILITY AND AVAILABILITY

A. Sensors must be capable of failing open, such that communications traffic

5.4 DETECTION ENGINE AND RULES

A. The detection engine must have a long-standing track record of success.

Proprietary and Confidential

I. The detection engine must be capable of detecting variants of known

Proprietary and Confidential

5.5 NETWORK AND USER INTELLIGENCE

5.6 IDS/IPS AUTOMATION

A. The solution must be capable of employing an extensive set of contextual information

5.7 IT POLICY COMPLIANCE

Proprietary and Confidential

5.8 NETWORK BEHAVIOR ANALYSIS (NBA)

5.9 THIRD-PARTY INTEGRATION

A. The management platform must include an integration mechanism, preferably in the

Proprietary and Confidential

5.10 TARGET LOCATIONS AND THROUGHPUT

1. Summit, NJ (major location) 1 Gbps

Proprietary and Confidential

You might also like