07-01-2014 C7 Firewall, Intrusion Protection & Virtual Private Network Systems Upgrade
City of San Luis Obispo, Council Agenda Report, Meeting Date: 07/01/2014, Item Number: C7
FROM: Wayne Padilla, Finance & Information Technology Director
Prepared By: Steve Schmidt, Information Technology Manager
Miguel Guardado, Network Services Supervisor
SUBJECT: REQUEST FOR PROPOSALS FOR CITY FIREWALLS, INTRUSION
PROTECTION AND VIRTUAL PRIVATE NETWORK SYSTEMS UPGRADE,
SPECIFICATION NO. 91241
RECOMMENDATION
1. Authorize the issuance of the request for proposals (RFP) for the City’s Firewalls,
Intrusion Protection and Virtual Private Network (VPN) Systems Upgrade.
2. Authorize the City Manager to award a contract if the selected proposal is within the
approved budget of $441,500.
DISCUSSION
As part of the 2013-15 City Financial Plan, the Police and Fire Departments along with
Information Technology submitted CIP requests for five mission critical projects. Those projects
were Police and Fire mobile data computers (MDC) and in-car video projects along with the
city-wide firewall, intrusion protection system and virtual private network upgrade projects. All
of these projects are technologically linked and dependent on each other. This dependency was
carefully outlined and explained in the CIP request and to the CIP Committee. All of the
projects, due to their direct tie to public safety and City network security, were approved by the
committee and then the City Council as part of the City’s financial plan.
The MDC and in-car video projects are well underway. It is imperative for the success of those
projects that this request to release an RFP for City firewalls, intrusion protection and virtual
private network systems is approved.
Staff is releasing the three CIP projects as a single RFP because several vendors could provide
all three components of the overall project. Staff has not prevented vendors from submitting
proposals on a single component only, in an effort to get the best solution and pricing for the
City.
Background
1. Firewall Replacement
The City’s current firewalls are the last single points of potential security failure within the
City’s information technology infrastructure. The current firewalls are 5 years old and are
rapidly becoming undersized as well as approaching end of life. In addition, the City’s
bandwidth demands and interface demands are not being met by the current firewalls.
The Police Department and Emergency Communications Center (ECC) have their own firewall to
keep critical public safety information separated from the City network. The Police firewall
07/01/2014
C7 - 1
needs to be upgraded for the City to continue to meet the Federal Bureau of Investigation’s (FBI)
Criminal Justice Information Services (CJIS) Security Policy requirements.
As part of the replacement of the Police Department’s mobile data computers (MDCs) project,
the City must re-apply to the California Department of Justice (DOJ) and validate that the Police
Department meets all the current security requirements for the transportation of sensitive law
enforcement data. The firewall project is closely tied to the Police MDC project as is the Virtual
Private Network project. The Firewall and the Virtual Private Network upgrade projects are the
security and communications components of the MDC project and as such must be completed
before the Police MDC project itself can be completed.
The FBI’s California Justice Information Services Division (CJIS) has phased in new security
requirements over the past three years; for the City to remain in compliance, the City and Police
firewalls must be upgraded.
2. Intrusion Protection
Currently, the City relies on its firewalls, web filtering equipment and desktop level anti-virus
applications for the security of its network. Two key functions that are missing from this
security configuration are network level malicious software protection and a network intrusion
detection system (IDS). A further limitation of the City’s current security configuration is the
difficulty of adequately protecting the network from internal attacks through wireless access
points. The proposed security upgrades and the replacement of the City’s firewalls will resolve
these issues as well as provide improved web filtering.
In 2010, the California Department of Justice (DOJ) amended its security policy to require
local law enforcement agencies to comply with the Federal Bureau of Investigation’s Criminal
Justice Information Services (CJIS) Security Policy. Continued compliance with the CJIS
Security Policy requires that the City purchase and implement the requested intrusion
protection equipment.
The recently completed Citywide Information Technology Strategic Plan identified a need to
improve existing network security. After completion, this project will meet or exceed the
security upgrades recommended in the Citywide I.T. Strategic Plan.
3. Virtual Private Network Upgrade
The City currently utilizes two VPN systems. The first system is used by the Police Department
to secure communications between the Department’s network and the Police vehicles. The
Police Department’s system must be certified as meeting Federal Information Processing
Standard (FIPS) 140-2. FIPS 140-2 is a federal standard for cryptographic modules that ensures the
integrity and confidentiality of the communication. The second system is used for the rest of the City’s
remote networking needs. Both systems are five years old and will soon no longer be supported
by the vendor.
As part of the Police Department’s replacement of their mobile data computers, the department
must re-apply to the California Department of Justice (DOJ) and demonstrate that the proposed
system meets all the current security requirements for the transportation of sensitive law
enforcement data. This CIP project is needed for the City to remain in compliance with DOJ
requirements. The City will continue to utilize two VPN systems because the Police VPN
system must terminate behind the Police Department’s firewall connection. The higher
encryption standard also requires a more complex and expensive VPN system.
There are currently a number of mobile initiatives in the community development, public works and
utilities departments that will require a more robust VPN system than the current one. Those
initiatives are expected to increase the number of concurrent VPN connections now in use in the City.
Most VPN solutions are licensed per concurrent connection, with discounts increasing for
multiple purchases at a single time. It will be more economical to replace the system now, rather
than continue to build on the current soon-to-be-obsolete and undersized system.
CONCURRENCES
Both the Police and Fire Departments as well as Network Services staff concur with this request.
FISCAL IMPACT
All of the projects were submitted as CIP requests and were approved by the CIP Committee as
well as City Council as a part of the 2013-15 financial plan.
2013-14 CIP                          Approved CIP Funding 2013-14
City Firewall Upgrade                $186,500
Intrusion Protection System          $125,000
Virtual Private Network              $130,000
Total                                $441,500
ALTERNATIVES
Deny this request; a decision not to move forward with this request would mean that the MDC
and in-car video projects would have to be delayed.
ATTACHMENTS
1. 2014 Firewall, IDS and VPN RFP_Final
2. 25300 Firewall Replacement
3. 25300 Network Security Upgrades
4. 25300 VPN Replacement
990 Palm Street San Luis Obispo, CA 93401
Notice Requesting Proposals for
FIREWALLS, INTRUSION PROTECTION
AND VIRTUAL PRIVATE NETWORK SYSTEMS UPGRADES
Specification No. 91241
The City of San Luis Obispo is requesting sealed proposals for City firewalls, intrusion
protection system and virtual private network system upgrades pursuant to Specification No.
91241. All proposals must be received by the Finance Division by July 30, 2014 at 3:00 PM,
when they will be opened publicly in the City Hall Council Chambers, 990 Palm Street, San Luis
Obispo, CA 93401.
Proposals received after said time will not be considered. To guard against premature opening,
each proposal shall be submitted to the Finance Division in a sealed envelope plainly marked
with the proposal title, specification number, bidder name, time and date of the proposal opening.
Proposals shall be submitted using the forms provided in the specification package.
A pre-proposal meeting will be held at 990 Palm Street, Finance & Information Technology
Conference Room on July 16, 2014 at 2:00 pm to answer any questions that the prospective
bidders may have regarding the City's request for proposals.
Specification packages and additional information may be obtained on the City’s website at
http://www.slocity.org/finance/bids.asp or by contacting Miguel Guardado, Network Services
Supervisor at Spec91241@slocity.org.
The City of San Luis Obispo is committed to including disabled persons in all of our services, programs and activities.
Telecommunications Device for the Deaf (805) 781-7410.
Attachment 1
C7 - 4
Specification No. 91241
TABLE OF CONTENTS
A. Description of Work 2
Overview 2
Background 2
Technical Proposal Requirements 3
Subsection A – City Firewalls, Intrusion Protection Specifications 4
Subsection B – Virtual Private Network System Specifications 6
Training 7
Maintenance and Support 7
B. General Terms and Conditions 8
Proposal Requirements 8
Contract Award and Execution 9
Contract Performance 10
C. Special Terms and Conditions 13
Proposal Content 13
Proposal Evaluation and Selection 14
Proposal Review and Award Schedule 15
Required Deliverable Products 15
Attendance at Meetings and Hearings 15
D. Form of Agreement 17
E. Insurance Requirements 19
F. Proposal Summary Form 21
References 22
Statement of Past Contract Disqualifications 23
Section A
DESCRIPTION OF WORK
OVERVIEW
Purpose
The City of San Luis Obispo is inviting proposals for:
A. A clustered firewall solution / intrusion protection system (IPS)
B. Virtual private network (VPN) system
Proposers can submit a bid for only one system; however, the City will give preference to
proposers who can provide proposals for both systems.
Background
The City currently uses two Juniper SSG-550 firewalls, one Juniper SA-4000 SSL VPN
appliance and one Juniper SA-2000 SSL VPN appliance. One SSG-550 and the SA-4000 SSL
VPN appliance are for the Police department. The other SSG-550 and the SA-2000 SSL VPN
appliance are for the rest of the City. The City also uses two core routing switches in an
Active/Active full mesh configuration.
The City is looking to consolidate to a single clustered firewall solution. The City will be
responsible for relocating any existing connections.
Currently, the City Hall firewall is configured with 6 zones that exist on 9 interfaces. The Police
firewall has 4 zones on 5 interfaces. The City is planning to replace and consolidate the firewalls
to one clustered configuration. The clustered firewall configuration will have in excess of 15
zones. The City is predicting that it will have need for the following types of interfaces per
firewall:
1. Connection speed and type per link.
• 10G Fiber -> Core Switch 1 (City)
• 10G Fiber -> Core Switch 2 (City)
• 10G Fiber -> Core Switch 1 (Police)
• 10G Fiber -> Core Switch 2 (Police)
• 10G Fiber -> External Provider
• 1G Fiber -> Internet
• 1G Fiber -> Backup Internet
• 1G Fiber -> County Health
• 1G Fiber -> County Law
• 1G Fiber -> (future)
Approximate number of objects and rules per firewall cluster:
• 300 Rules per firewall cluster
• 700 Named objects (IPs or subnets) per firewall cluster
• 150 Custom service objects per firewall cluster
• 120 Routes per firewall cluster
The City has a Juniper SA-2000 SSL VPN appliance that serves all non-public safety users with
connectivity to City resources. The City has approximately 35 concurrent VPN users and is
looking to increase the number of VPN users to 100.
The City also has an SA-4000 FIPS 140-2 compliant SSL VPN appliance that serves the secure connections
for the Police and Fire Mobile Data Computers. Currently, we have 35 concurrent users, but the
City is looking at increasing the number of VPN users to 100.
PROPOSAL REQUIREMENTS
The proposer should submit product documentation and address the following requirements in
their proposal.
A. Firewall/Intrusion Protection Specifications
1. The solution bid MUST demonstrate that it supports six (6) 10 Gigabit fiber interfaces and six
(6) 1 Gigabit fiber interfaces.
2. The solution bid SHOULD support at least eight (8) 10 Gigabit fiber interfaces and at least
eight (8) 1 Gigabit fiber interfaces. If the solution bid is capable of such support, please
demonstrate that it can accomplish this.
3. The solution bid MUST demonstrate that it can implement 10 Gigabit Ethernet as defined
by IEEE 802.3ae-2002 or later.
4. The solution bid MUST list expected mean latency for firewall services in configuration
bid.
5. The solution bid MUST list expected mean jitter for firewall services.
6. The solution bid MUST demonstrate that it can support and fully permit (when
configured), with full functionality, a single TCP flow of 10 Gbps passing through the
solution.
7. The solution bid MUST demonstrate that it can support jumbo frames. The maximum
frame size or configured size supported should be listed.
8. The solution bid SHOULD demonstrate that it can support at least 256,000 simultaneous
sessions. MUST specify the maximum number of simultaneous sessions supported for the
total solution.
9. The solution bid MUST list how many new sessions are supported per second. If this
figure differs for embryonic (half-open) sessions, the proposer should state so and
demonstrate that it can accomplish this.
10. The solution bid SHOULD implement firewall services in hardware or firmware; please
demonstrate that it can accomplish this.
11. The solution bid SHOULD fail closed under duress (e.g. high packet loss,
oversubscription, etc.). Proposer SHOULD specify how other devices respond if they are
not under duress (but others are) in this situation.
12. The solution bid MUST demonstrate that it can support a forwarding rate (with firewall
services enabled) of at least 1 million small byte IPv4 or IPv6 packets per second.
13. The solution bid MUST demonstrate that it can support 802.3ad link aggregation.
14. The solution bid MUST demonstrate that it can support VLAN tagging as specified in
802.1q.
15. The Proposer SHOULD describe and demonstrate the solution’s ability to mirror
ports.
16. The solution bid MUST demonstrate that it can support a minimum throughput (based on
IMIX traffic) of 10 Gbps.
17. The solution bid MUST be expandable (at a later date) to up to 20 Gbps of throughput.
18. The Proposer MUST provide all necessary cables, transceivers, and rails/mounting
hardware.
19. The solution bid MUST fully operate in an asymmetrically routed environment (for
example, one physical device may only see one direction of a flow); please demonstrate
that it can accomplish this.
20. The Proposer SHOULD specify other security services that the system can support such
as URL filtering, intrusion detection/prevention, etc. If these services are available, then
the Proposer MUST specify the maximum throughput rate and mean latency of the
system bid with each respective service. For example, if the solution could offer IPS and
URL filtering, then specify rates of firewall+URL and firewall+IPS. This information
should be under similar traffic as to earlier responses. The Proposer may also specify
these qualities with all potential services enabled.
21. The Proposer MUST specify how devices interconnect among themselves and MUST
specify whether those links can be switched; please demonstrate that it can accomplish this.
22. The Proposer SHOULD describe in detail which counters are available at physical
interfaces and virtual interfaces such as drops, oversized frames, current input rate, buffer
overflow, CRC errors, etc.
23. The Proposer SHOULD describe how the solution will be managed (e.g. thick client
application, web browser, SSH, console, etc.)
24. The solution bid MUST demonstrate a fault-tolerant design, such as dual power
supplies, multiple fans and watchdog processes. In addition, the solution bid MUST
handle failover or loss conditions such as interface failures, ping failures and high
congestion rates. Please describe.
25. The Proposer MUST state whether interruptions (e.g. non-negligible packet loss) occur
when processing updates or configuration changes.
26. The solution bid MUST implement inspection of IPv4 and IPv6 packets. The Proposer
SHOULD note any significant limitations; please demonstrate that it can accomplish
this.
27. The solution bid MUST demonstrate that it can support syslog for external event logging
for the device itself and all events generated.
28. The solution bid MUST demonstrate that it can support SNMPv2c and SHOULD support
SNMPv3. The solution bid SHOULD support polling for CPU(s)/processor(s) utilization,
memory utilization, throughput per physical interface, throughput per virtual interface,
packets per second, active sessions, ICMP throughput, discarded or dropped packets per
second or aggregate, temperature, power, fan speed, etc. The solution bid SHOULD
support sending of SNMP traps. Describe any significant lack of metrics.
29. The Proposer SHOULD describe the out-of-band management (e.g. console access).
30. The solution bid MUST be able to implement rate limiting by throughput and
simultaneous sessions for an interface or network.
31. The solution proposed MUST demonstrate that it can support the functionality of a
stateful firewall in our network.
32. The solution bid MUST fully operate in a transparent mode setting in our environment
such that it does not participate in BGP, please demonstrate that it can accomplish this.
33. The solution bid MUST demonstrate that it can support at least two (2) virtual firewalls
(e.g. separate administration, separate policies, etc.). Please specify the maximum number
supported and cost for each additional virtual firewall.
34. The solution bid MUST demonstrate that it can support raw packet capture at ingress and
egress interfaces. The packet capture MUST support filtering by IPv4/IPv6 host/network,
and protocol.
35. The Proposer SHOULD specify the available interfaces and media for the solution,
please demonstrate that it can accomplish this.
36. Proposer MUST specify which of the following native operating systems are supported
for management client access to the solution: Windows, Apple OS X, and Linux (e.g.,
Ubuntu, Fedora).
37. The Proposer MUST describe maximum number of firewall policies supported per
virtualized firewall.
38. The solution bid MUST demonstrate that it can support RADIUS and LDAP for
administrative authentication. The solution bid SHOULD support local authentication.
39. The Proposer SHOULD provide a list of Layer 7 applications that are recognized and
supported in the solution bid (e.g., HTTP over any port, SSH over any port, Facebook
over HTTP, HTTPS, BitTorrent, etc.); please demonstrate that it can accomplish this.
40. The solution bid SHOULD be compatible with 3rd party management software, such as
SolarWinds.
41. The Proposer MUST describe the solution’s ability to recognize and support applications
using dynamic ports such as FTP, SIP, RPC, MS-RPC, etc.; please demonstrate that it can
accomplish this.
42. The Proposer SHOULD describe any ability to offer different classes of service for traffic
based on hardware configurations, such as separate queues.
43. The solution bid SHOULD demonstrate that it can support 802.1p.
44. The Proposer SHOULD describe what information is available about the transceivers
from the command line.
45. The Proposer MUST include a diagram of the proposed solution.
B. Virtual Private Network System Specifications
1. The solution bid MUST demonstrate that it can support a minimum of 500 concurrent
connections.
2. The solution bid MUST demonstrate that it can support a Layer 3 SSL VPN.
3. The Proposer SHOULD demonstrate that it can provide endpoint security for Windows,
Mac OS and Linux devices as well as Apple iOS and Google Android devices.
4. The solution bid MUST demonstrate that it can support split tunneling.
5. The Proposer SHOULD list all launch options.
6. The Proposer SHOULD list all authentication options including single sign-on options.
7. The Proposer SHOULD list all high-availability clustering options.
8. The Proposer SHOULD list virtual appliance options.
9. The solution MUST demonstrate that it can support automatic reconnect.
10. The Proposer SHOULD list all patch remediation and host checking options, including
all supported operating systems.
11. The solution MUST demonstrate that it can support policy-based enforcement.
12. The solution MUST be FIPS 140-2 compliant, please demonstrate that it can accomplish
this.
13. The Proposer SHOULD describe interoperability with VMWare View Manager, please
demonstrate that it can accomplish this.
14. The Proposer SHOULD demonstrate interoperability with native Windows, Android and
iOS VPN clients.
15. The Proposer SHOULD demonstrate logging and auditing capabilities.
16. The Proposer SHOULD describe redundancy options of any hardware.
17. The solution MUST work inside of an InMotion Technologies IKEv2 VPN-Tunnel with
MOBIKE extensions for fast failover, please demonstrate that it can accomplish this.
The following information shall be provided separately for each proposal submitted.
Therefore, if your firm is providing a proposal for Subsection A and B specifications,
provide the information shown below two (2) times.
COMPANY BACKGROUND
All proposals must include the size of the company, number of technical support staff and
location of support staff that would provide onsite support. If subcontractors are to be used, the
identity of the subcontractor and information establishing their qualifications to perform this
installation for the City must be provided.
INSTALLATION AND CONFIGURATION
All proposals shall include costs for onsite installation configuration of all required equipment.
TRAINING
All proposals shall include costs for onsite training of all equipment for four (4) people.
MAINTENANCE AND SUPPORT
All proposals shall provide specific information regarding support options for up to 5 years. The
response must include 24x7x365 phone support, remote support and a maximum 2 hour
response time. The response must also include onsite support options, same day hardware
replacement and travel cost estimates. If a subcontractor is proposed to provide ongoing support,
identify the subcontractor and provide information regarding their qualifications to handle the
City’s support needs.
The maintenance plan must include a toll-free telephone number to the service bureau for
reporting problems. Each request must be identified by a unique tracking identifier for the
problem report. Provide information regarding the service bureau (i.e. staffing, and normal and
out-of-hours contact numbers).
The plan must include notification, via mail or electronic delivery, of errata, service changes and
software upgrades or patches.
WARRANTY
The vendor shall provide a minimum one (1) year limited warranty and provide options to extend
the warranty for additional years that covers all hardware and software proposed.
The vendor shall warrant the original purchaser that its products are free from any defects in
material or workmanship for a period of up to one year, which begins 30 days from the date of
shipment.
Section B
GENERAL TERMS AND CONDITIONS
PROPOSAL REQUIREMENTS
1. Requirement to Meet All Provisions of a Subsection. Each individual or firm
submitting a proposal shall meet all of the terms and conditions of one or more of the
subsections of the Request for Proposals (RFP) specifications package. By virtue of its
proposal submittal, bidder acknowledges agreement with and acceptance of all provisions
of the RFP specifications that pertain to the subsection(s) the proposal is responding to.
2. Proposal Submittal. Each proposal must be submitted on the form(s) provided in the
specifications and accompanied by any other required submittals or supplemental
materials. Proposal documents shall be enclosed in an envelope that shall be sealed and
addressed to the Department of Finance & Information Technology, City of San Luis
Obispo, 990 Palm Street, San Luis Obispo, CA, 93401. In order to guard against
premature opening, the proposal should be clearly labeled with the proposal title,
specification number, name of bidder, and date and time of proposal opening. No FAX
submittals will be accepted.
3. Insurance Certificate. Each proposal must include a certificate of insurance showing:
a. The insurance carrier and its A.M. Best rating.
b. Scope of coverage and limits.
c. Deductibles and self-insured retention.
The purpose of this submittal is to generally assess the adequacy of the proposer’s
insurance coverage during proposal evaluation; as discussed under paragraph 12 below,
endorsements are not required until contract award. The City’s insurance requirements
are detailed in Section E.
4. Proposal Quotes and Unit Price Extension. The extension of unit prices for the
quantities indicated and the lump sum prices quoted by the proposer must be entered in
figures in the spaces provided on the Proposal Submittal Form(s). Any lump sum
proposal shall be stated in figures. The Proposal Submittal Form(s) must be totally
completed. If the unit price and the total amount stated by any bidder for any item are
not in agreement, the unit price alone will be considered as representing the bidder’s
intention and the proposal total will be corrected to conform to the specified unit price.
5. Proposal Withdrawal and Opening. A proposer may withdraw its proposal, without
prejudice, prior to the time specified for the proposal opening, by submitting a written
request to the Director of Finance & Information Technology for its withdrawal, in which
event the proposal will be returned to the bidder unopened. No proposal received after
the time specified or at any place other than that stated in the “Notice Requesting
Proposals” will be considered. All proposals will be opened and declared publicly.
Proposers or their representatives are invited to be present at the opening of the
proposals.
6. Submittal of One Proposal Only. No individual or business entity of any kind shall be
allowed to make or file, or to be interested in more than one proposal, except an
alternative proposal when specifically requested; however, an individual or business
entity that has submitted a sub-proposal to a proposer submitting a proposal, or who has
quoted prices on materials to such bidder, is not thereby disqualified from submitting a
sub-proposal or from quoting prices to other bidders submitting proposals.
7. Cooperative Purchasing. During the term of the contract, the successful bidder will
extend all terms and conditions to any other local governmental agencies upon their
request. These agencies will issue their own purchase orders, will directly receive goods
or services at their place of business and will be directly billed by the successful
proposer.
8. Communications. All timely requests for information submitted in writing will receive
a written response from the City. Telephone communications with City staff are not
encouraged, but will be permitted. However, any such oral communication shall not be
binding on the City.
CONTRACT AWARD AND EXECUTION
9. Proposal Retention and Award. The City reserves the right to retain Contractor’s
proposal for a period of 60 days for examination and comparison. The City also reserves
the right to waive non-substantial irregularities in any proposal, to reject any or all
proposals, to reject or delete one part of a proposal and accept the other, except to the
extent that proposals are qualified by specific limitations. See the "special terms and
conditions" in Section C of these specifications for proposal evaluation and contract
award criteria.
10. Competency and Responsibility of Proposer. The City reserves full discretion to
determine Contractor’s competence and responsibility, professionally and/or financially.
Proposers will provide, in a timely manner, all information that the City deems necessary
to make such a decision.
11. Contract Requirement. The proposer to whom award is made (Contractor) shall
execute a written contract with the City within ten (10) calendar days after notice of the
award has been sent by mail to it at the address given in its proposal. The contract shall
be made in the form adopted by the City and incorporated in these specifications.
12. Insurance Requirements. The Contractor shall provide proof of insurance in the form,
coverages and amounts specified in Section E of these specifications within ten (10)
calendar days after notice of contract award as a precondition to contract execution.
13. Business Tax. The Contractor must have a valid City of San Luis Obispo business
license and tax certificate before execution of the contract. Additional information
regarding the City's business license and tax program may be obtained by calling (805)
781-7134.
CONTRACT PERFORMANCE
14. Ability to Perform. The Contractor warrants that it possesses, or has arranged through
subcontracts, all capital and other equipment, labor, materials, and licenses necessary to
carry out and complete the work hereunder in compliance with any and all federal, state,
county, city, and special district laws, ordinances, and regulations.
15. Laws to be Observed. The Contractor shall keep itself fully informed of and shall
observe and comply with all applicable state and federal laws and county and City of San
Luis Obispo ordinances, regulations and adopted codes during its performance of the
work.
16. Payment of Taxes. The contract prices shall include full compensation for all taxes that
the Contractor is required to pay.
17. Permits and Licenses. The Contractor shall procure all permits and licenses, pay all
charges and fees, and give all notices necessary.
18. Safety Provisions. The Contractor shall conform to the rules and regulations pertaining
to safety established by OSHA and the California Division of Industrial Safety.
19. Public and Employee Safety. Whenever the Contractor’s operations create a condition
hazardous to the public or City employees, it shall, at its expense and without cost to the
City, furnish, erect and maintain such fences, temporary railings, barricades, lights, signs
and other devices and take such other protective measures as are necessary to prevent
accidents or damage or injury to the public and employees.
20. Preservation of City Property. The Contractor shall provide and install suitable
safeguards, approved by the City, to protect City property from injury or damage. If City
property is injured or damaged resulting from the Contractor's operations, it shall be
replaced or restored at the Contractor’s expense. The facilities shall be replaced or
restored to a condition as good as when the Contractor began work.
21. Immigration Act of 1986. The Contractor warrants on behalf of itself and all
subcontractors engaged for the performance of this work that only persons authorized to
work in the United States pursuant to the Immigration Reform and Control Act of 1986
and other applicable laws shall be employed in the performance of the work hereunder.
22. Contractor Non-Discrimination. In the performance of this work, the Contractor
agrees that it will not engage in, nor permit such subcontractors as it may employ, to
engage in discrimination in employment of persons because of age, race, color, sex,
national origin or ancestry, sexual orientation, or religion of such persons.
23. Work Delays. Should the Contractor be obstructed or delayed in the work required to be
done hereunder by changes in the work or by any default, act, or omission of the City, or
by strikes, fire, earthquake, or any other Act of God, or by the inability to obtain
materials, equipment, or labor due to federal government restrictions arising out of
defense or war programs, then the time of completion may, at the City's sole option, be
extended for such periods as may be agreed upon by the City and the Contractor. In the
event that there is insufficient time to grant such extensions prior to the completion date
of the contract, the City may, at the time of acceptance of the work, waive liquidated
damages that may have accrued for failure to complete on time, due to any of the above,
after hearing evidence as to the reasons for such delay, and making a finding as to the
causes of same.
24. Payment Terms. The City's payment terms are 30 days from the receipt of an original
invoice and acceptance by the City of the materials, supplies, equipment or services
provided by the Contractor (Net 30).
25. Inspection. The Contractor shall furnish City with every reasonable opportunity for City
to ascertain that the services of the Contractor are being performed in accordance with the
requirements and intentions of this contract. All work done and all materials furnished, if
any, shall be subject to the City's inspection and approval. The inspection of such work
shall not relieve Contractor of any of its obligations to fulfill its contract requirements.
26. Audit. The City shall have the option of inspecting and/or auditing all records and other
written materials used by Contractor in preparing its invoices to City as a condition
precedent to any payment to Contractor.
27. Interests of Contractor. The Contractor covenants that it presently has no interest, and
shall not acquire any interest—direct, indirect or otherwise—that would conflict in any
manner or degree with the performance of the work hereunder. The Contractor further
covenants that, in the performance of this work, no subcontractor or person having such
an interest shall be employed. The Contractor certifies that no one who has or will have
any financial interest in performing this work is an officer or employee of the City. It is
hereby expressly agreed that, in the performance of the work hereunder, the Contractor
shall at all times be deemed an independent Contractor and not an agent or employee of
the City.
28. Hold Harmless and Indemnification. The Contractor agrees to defend, indemnify,
protect and hold the City and its agents, officers and employees harmless from and
against any and all claims asserted or liability established for damages or injuries to
any person or property, including injury to the Contractor’s employees, agents or
officers that arise from or are connected with or are caused or claimed to be caused
by the acts or omissions of the Contractor, and its agents, officers or employees, in
performing the work or services herein, and all expenses of investigating and
defending against same; provided, however, that the Contractor’s duty to indemnify
and hold harmless shall not include any claims or liability arising from the
established sole negligence or willful misconduct of the City, its agents, officers or
employees.
29. Contract Assignment. The Contractor shall not assign, transfer, convey or otherwise
dispose of the contract, or its right, title or interest, or its power to execute such a contract
to any individual or business entity of any kind without the previous written consent of
the City.
30. Termination. If, during the term of the contract, the City determines that the Contractor
is not faithfully abiding by any term or condition contained herein, the City may notify
the Contractor in writing of such defect or failure to perform. This notice must give the
Contractor ten (10) calendar days thereafter in which to perform said work or cure the
deficiency.
If the Contractor has not performed the work or cured the deficiency within the ten days
specified in the notice, such shall constitute a breach of the contract and the City may
terminate the contract immediately by written notice to the Contractor to said effect.
Thereafter, neither party shall have any further duties, obligations, responsibilities, or
rights under the contract except, however, any and all obligations of the Contractor’s
surety shall remain in full force and effect, and shall not be extinguished, reduced, or in
any manner waived by the termination thereof.
In said event, the Contractor shall be entitled to the reasonable value of its services
performed from the beginning date in which the breach occurs up to the day it received
the City's Notice of Termination, minus any offset from such payment representing the
City's damages from such breach. "Reasonable value" includes fees or charges for goods
or services as of the last milestone or task satisfactorily delivered or completed by the
Contractor as may be set forth in the Agreement payment schedule; compensation for any
other work, services or goods performed or provided by the Contractor shall be based
solely on the City's assessment of the value of the work-in-progress in completing the
overall workscope.
The City reserves the right to delay any such payment until completion or confirmed
abandonment of the project, as may be determined in the City's sole discretion, so as to
permit a full and complete accounting of costs. In no event, however, shall the
Contractor be entitled to receive an amount in excess of the compensation quoted in its
proposal.
Section C
SPECIAL TERMS AND CONDITIONS
1. Delivery. Prices quoted for all supplies or equipment to be provided under the terms and
conditions of this RFP package shall include delivery charges, to be delivered F.O.B. San
Luis Obispo by the successful bidder.
2. Start and Completion of Work. Work on this project shall begin within one calendar
day after contract execution and shall be completed within 180 calendar days thereafter.
3. Change in Work. The City reserves the right to change quantities of any item after
contract award. If the total quantity of any changed item varies by 25% or less, there
shall be no change in the agreed upon unit price for that item. Unit pricing for any
quantity changes per item in excess of 25% shall be subject to negotiation with the
Contractor.
4. Submittal of References. Each bidder shall submit a statement of qualifications and
references on the form provided in the RFP package.
5. Statement of Contract Disqualifications. Each bidder shall submit a statement
regarding any past governmental agency bidding or contract disqualifications on the form
provided in the RFP package.
6. State Cooperative Purchasing Program. The City of San Luis Obispo participates in
the State Cooperative Purchasing Program. As such, the City can purchase the items
described in Section A through this program. Accordingly, the City will purchase from
the State or the lowest responsible, responsive bidder, after allowing adjustments for the
cost of pickup and/or delivery from the State, adjustments for after-market modifications,
and adjustments for sales tax from local dealers, as it determines to be in its best interest.
7. Proposal Content. Your proposal must include the following information:
Submittal Forms
a. Proposal summary form.
b. Detailed description of the proposed equipment and its functionality for Firewalls,
Intrusion protection system and VPN.
c. Detailed diagram of the proposed systems
d. Certificate of insurance.
e. References from at least three firms for whom you have provided similar services.
f. Statement of past contract disqualifications.
Qualifications
g. Experience of your firm in performing similar services.
h. Resumes of the individuals who would be assigned to this project, including any
sub-Contractors.
i. Standard hourly billing rates for the assigned staff, including any sub-consultants.
j. Statement and explanation of any instances where your firm has been removed
from a project or disqualified from proposing on a project.
Work Program
k. Detailed responses to the technical proposal requirements in Sections A and B.
l. Explain the methodology of the proposed system.
m. Tentative schedule by phase and task for completing the work.
n. Estimated hours for your staff, coordinating with City staff, to complete the tasks,
including any hardware and software acquisitions.
o. Services or data to be provided by the City (City staff will be installing desktop
devices.)
p. Any other information that would assist us in making this contract award
decision.
Compensation
q. Detailed bill of materials with respective costs for proposed system, to include
hardware, software and any engineering services. (See the Proposal Submittal
form on page 18).
Proposal Copies
r. Five copies of the proposal must be submitted.
8. Proposal Evaluation and Selection. Proposals will be evaluated by a staff review
committee based on the following criteria:
a. Understanding of the work required by the City.
b. Technical merit and capability.
c. Scalability.
d. System management and maintenance.
e. User interfaces and ease of use.
f. Total cost of ownership.
g. Maintenance packages and alternatives.
h. Equipment migration strategies.
i. Equipment upgrade mechanisms and cost.
j. Training.
k. Known or intended changes to hardware and/or software over the next year.
l. Next generation devices that are commercially shipping within 6 months from
date of presentation.
m. Quality, clarity and responsiveness of the proposal.
n. Demonstrated competence and professional qualifications necessary for
successfully performing the work required by the City.
o. Recent experience in successfully performing similar services.
p. Proposed approach in completing the work.
q. References.
r. Background and related experience of the specific individuals to be assigned to
this project.
s. Proposed compensation.
As reflected above, contract award will not be based solely on price, but on a
combination of factors as determined to be in the best interest of the City. After
evaluating the proposals and discussing them further with the finalists or the tentatively
selected contractor, the City reserves the right to further negotiate the proposed work
and/or method and amount of compensation.
9. Proposal Review and Award Schedule. The following is an outline of the anticipated
schedule for proposal review and contract award:
a. Issue RFP 07/02/14
b. Pre-Proposal Meeting 07/16/14, 2 PM
c. Receive proposals 07/30/14
d. Interviews 08/11/14 – 08/13/14
e. Complete proposal evaluation 8/20/14
f. Finalize staff recommendation 8/27/14
g. Award and execute contract pending DOJ approval
10. Ownership of Materials. All original drawings plan documents and other materials
prepared by or in possession of the Contractor as part of the work or services under these
specifications shall become the permanent property of the City, and shall be delivered to
the City upon demand.
11. Release of Reports and Information. Any reports, information, data, or other material
given to, prepared by or assembled by the Contractor as part of the work or services
under these specifications shall be the property of City and shall not be made available to
any individual or organization by the Contractor without the prior written approval of the
City.
12. Copies of Reports and Information. If the City requests additional copies of reports,
drawings, specifications, or any other material in addition to what the Contractor is
required to furnish in limited quantities as part of the work or services under these
specifications, the Contractor shall provide such additional copies as are requested, and
City shall compensate the Contractor for the costs of duplicating such copies at the
Contractor’s direct expense.
13. Required Deliverable Products. The Contractor will be required to provide the
following:
a. Firewall/Intrusion Protection and Virtual Private Networking Systems.
b. System documentation (user guides, administration guides, etc.) submitted in Adobe
Acrobat PDF format.
c. Training.
15. Attendance at Meetings and Hearings. As part of the work scope and included in the
contract price is attendance by the Contractor at meetings to present and discuss his/her
findings and recommendations. The Contractor shall attend as many “working” meetings
with staff as necessary in performing work scope tasks.
16. Accuracy of Specifications. The specifications for this project are believed by the City
to be accurate and to contain no affirmative misrepresentation or any concealment of fact.
Proposers are cautioned to undertake an independent analysis of any test results in the
specifications, as City does not guaranty the accuracy of its interpretation of test results
contained in the specifications package. In preparing its proposal, the proposer and all
subcontractors named in its proposal shall bear sole responsibility for proposal
preparation errors resulting from any misstatements or omissions in the plans and
specifications that could easily have been ascertained by examining either the project site
or accurate test data in the City’s possession. Although the effect of ambiguities or
defects in the plans and specifications will be as determined by law, any patent ambiguity
or defect shall give rise to a duty of proposer to inquire prior to proposal submittal.
Failure to so inquire shall cause any such ambiguity or defect to be construed against the
bidder. An ambiguity or defect shall be considered patent if it is of such a nature that the
bidder, assuming reasonable skill, ability and diligence on its part, knew or should have
known of the existence of the ambiguity or defect. Furthermore, failure of the proposer
or subcontractors to notify City in writing of specification or plan defects or ambiguities
prior to proposal submittal shall waive any right to assert said defects or ambiguities
subsequent to submittal of the proposal.
To the extent that these specifications constitute performance specifications, the City
shall not be liable for costs incurred by the successful proposer to achieve the project’s
objective or standard beyond the amounts provided therefore in the proposal.
In the event that, after awarding the contract, any dispute arises as a result of any actual
or alleged ambiguity or defect in the plans and/or specifications, or any other matter
whatsoever, Contractor shall immediately notify the City in writing, and the Contractor
and all subcontractors shall continue to perform, irrespective of whether or not the
ambiguity or defect is major, material, minor or trivial, and irrespective of whether or not
a change order, time extension, or additional compensation has been granted by City.
Failure to provide the hereinbefore described written notice within one (1) working day
of contractor’s becoming aware of the facts giving rise to the dispute shall constitute a
waiver of the right to assert the causative role of the defect or ambiguity in the plans or
specifications concerning the dispute.
Section D
FORM OF AGREEMENT
AGREEMENT
THIS AGREEMENT is made and entered into in the City of San Luis Obispo on [day, date, year] by and
between the CITY OF SAN LUIS OBISPO, a municipal corporation, hereinafter referred to as City, and
[CONTRACTOR’S NAME], hereinafter referred to as Contractor.
W I T N E S S E T H:
WHEREAS, on DATE City requested proposals for Firewall/Intrusion Protection and Virtual Private
Networking Systems per Specification No 91241.
WHEREAS, pursuant to said request, Contractor submitted a proposal that was accepted by City for said
services.
NOW THEREFORE, in consideration of their mutual promises, obligations and covenants hereinafter
contained, the parties hereto agree as follows:
1. TERM. The term of this Agreement shall be from the date this Agreement is made and entered, as first
written above, until acceptance or completion of services.
2. INCORPORATION BY REFERENCE. City Specification No. 91236 and Contractor's proposal dated
, are hereby incorporated in and made a part of this Agreement.
3. CITY'S OBLIGATIONS. For providing Firewall/Intrusion Protection and Virtual Private Networking
Systems as specified in this Agreement, City will pay and Contractor shall receive therefore compensation in a total
sum not to exceed [$ .00 ].
4. CONTRACTOR'S OBLIGATIONS. For and in consideration of the payments and agreements
hereinbefore mentioned to be made and performed by City, Contractor agrees with City to do everything required by
this Agreement and the said specification.
5. AMENDMENTS. Any amendment, modification or variation from the terms of this Agreement shall be in
writing and shall be effective only upon approval by the Council of the City.
6. COMPLETE AGREEMENT. This written Agreement, including all writings specifically incorporated
herein by reference, shall constitute the complete agreement between the parties hereto. No oral agreement,
understanding or representation not reduced to writing and specifically incorporated herein shall be of any force or
effect, nor shall any such oral agreement, understanding or representation be binding upon the parties hereto.
7. NOTICE. All written notices to the parties hereto shall be sent by United States mail, postage prepaid by
registered or certified mail addressed as follows:
City:        City Clerk
             City of San Luis Obispo
             990 Palm Street
             San Luis Obispo, CA 93401
Contractor:  Name
             Address
8. AUTHORITY TO EXECUTE AGREEMENT. Both City and Contractor do covenant that each
individual executing this agreement on behalf of each party is a person duly authorized and empowered to execute
Agreements for such party.
IN WITNESS WHEREOF, the parties hereto have caused this instrument to be executed the day and year first
above written.
ATTEST: CITY OF SAN LUIS OBISPO
________________________________ By:_____________________________________
City Clerk City Manager, Katie Lichtig
APPROVED AS TO FORM: CONTRACTOR
________________________________ By: _____________________________________
City Attorney, Christine Dietrick
Section E
INSURANCE REQUIREMENTS: Consultant Services
The Contractor shall procure and maintain for the duration of the contract insurance against
claims for injuries to persons or damages to property which may arise from or in connection with
the performance of the work hereunder by the Contractor, its agents, representatives, employees
or subcontractors.
Minimum Scope of Insurance. Coverage shall be at least as broad as:
1. Insurance Services Office Commercial General Liability coverage (occurrence form CG
0001).
2. Insurance Services Office form number CA 0001 (Ed. 1/87) covering Automobile
Liability, code 1 (any auto).
3. Workers' Compensation insurance as required by the State of California and Employer's
Liability Insurance.
4. Errors and Omissions Liability insurance as appropriate to the consultant's profession.
Minimum Limits of Insurance. Contractor shall maintain limits no less than:
1. General Liability: $1,000,000 per occurrence for bodily injury, personal injury and
property damage. If Commercial General Liability or other form with a general
aggregate limit is used, either the general aggregate limit shall apply separately to this
project/location or the general aggregate limit shall be twice the required occurrence
limit.
2. Automobile Liability: $1,000,000 per accident for bodily injury and property damage.
3. Employer's Liability: $1,000,000 per accident for bodily injury or disease.
4. Errors and Omissions Liability: $1,000,000 per occurrence.
Deductibles and Self-Insured Retentions. Any deductibles or self-insured retentions must be
declared to and approved by the City. At the option of the City, either: the insurer shall reduce
or eliminate such deductibles or self-insured retentions as respects the City, its officers, officials,
employees and volunteers; or the Contractor shall procure a bond guaranteeing payment of losses
and related investigations, claim administration and defense expenses.
Other Insurance Provisions. The general liability and automobile liability policies are to
contain, or be endorsed to contain, the following provisions:
1. The City, its officers, officials, employees, agents and volunteers are to be covered as
insureds as respects: liability arising out of activities performed by or on behalf of the
Contractor; products and completed operations of the Contractor; premises owned,
occupied or used by the Contractor; or automobiles owned, leased, hired or borrowed by
the Contractor. The coverage shall contain no special limitations on the scope of
protection afforded to the City, its officers, official, employees, agents or volunteers.
2. For any claims related to this project, the Contractor's insurance coverage shall be
primary insurance as respects the City, its officers, officials, employees, agents and
volunteers. Any insurance or self-insurance maintained by the City, its officers, officials,
employees, agents or volunteers shall be excess of the Contractor's insurance and shall
not contribute with it.
3. The Contractor's insurance shall apply separately to each insured against whom claim is
made or suit is brought, except with respect to the limits of the insurer's liability.
4. Each insurance policy required by this clause shall be endorsed to state that coverage
shall not be suspended, voided, canceled by either party, reduced in coverage or in limits
except after thirty (30) days' prior written notice by certified mail, return receipt
requested, has been given to the City.
Acceptability of Insurers. Insurance is to be placed with insurers with a current A.M. Best's
rating of no less than A:VII.
Verification of Coverage. Contractor shall furnish the City with a certificate of insurance
showing maintenance of the required insurance coverage. Original endorsements effecting
general liability and automobile liability coverage required by this clause must also be provided.
The endorsements are to be signed by a person authorized by that insurer to bind coverage on its
behalf. All endorsements are to be received and approved by the City before work commences.
PROPOSAL SUMMARY FORM
The undersigned declares that she or he:
Has carefully examined Specification No. 91241, which is hereby made a part of this proposal.
Is thoroughly familiar with its contents.
Is authorized to represent the proposing firm.
Agrees to perform the work as set forth in this proposal.
Certificate of insurance attached; insurance company’s A.M. Best rating: __________________.
Technical proposal documentation attached.
Description                      Quantity    Unit Price    Total
Firewall System                  ________    __________    ________
Intrusion Protection System      ________    __________    ________
VPN System                       ________    __________    ________
Onsite Installation              ________    __________    ________
On-site Training                 ________    __________    ________
Maintenance and Support          ________    __________    ________
Discounts: special pricing, etc.                           ________
Sales tax @ 8.00%                                          ________
Shipping and Handling                                      ________
TOTAL BASE PRICE                                           ________
TOTAL                                                      $_______
Firm Name and Address
Contact Phone
Signature of Authorized Representative Date
REFERENCES
Number of years engaged in providing the services included within the scope of the specifications under
the present business name or by the principal assigned to this engagement: _______________years.
Describe fully the last three contracts performed by your firm or the principal assigned to this engagement
which demonstrates your ability to provide the services included with the scope of the specifications.
Attach additional pages if required. The City reserves the right to contact each of the references listed for
additional information regarding your firm's qualifications.
Reference No. 1
Customer Name
Contact Individual
Telephone & FAX number
Street Address
City, State, Zip Code
Description of services provided
including contract amount, when
provided and project outcome
Reference No. 2
Customer Name
Contact Individual
Telephone & FAX number
Street Address
City, State, Zip Code
Description of services provided
including contract amount, when
provided and project outcome
Reference No. 3
Customer Name
Contact Individual
Telephone & FAX number
Street Address
City, State, Zip Code
Description of services provided
including contract amount, when
provided and project outcome
STATEMENT OF PAST CONTRACT DISQUALIFICATIONS
The Contractor shall state whether it or any of its officers or employees who have a proprietary interest in
it, has ever been disqualified, removed, or otherwise prevented from proposing on, or completing a
federal, state, or local government project because of the violation of law, a safety regulation, or for any
other reason, including but not limited to financial difficulties, project delays, or disputes regarding work
or product quality, and if so to explain the circumstances.
Do you have any disqualification as described in the above paragraph to declare?
Yes No
If yes, explain the circumstances.
Executed on at _______________________________________ under penalty
of perjury of the laws of the State of California, that the foregoing is true and correct.
______________________________________
Signature of Authorized Contractor
CAPITAL IMPROVEMENT PLAN - GENERAL GOVERNMENT
FIREWALL REPLACEMENT
Project Description
Replacing the City’s two firewalls will cost $186,500 in 2013-14.
Maintenance/Replacement New project Fleet Replacement New Fleet Request
Council Goal / Measure Y Priority - List:
Need and Urgency
The City’s current firewalls are the last single points of failure within the City’s information technology infrastructure. The current firewalls are 5 years old as of
October 2012 and are rapidly becoming undersized and obsolete. Neither the City’s bandwidth demands nor its interface demands are met by the current firewalls.
In addition, the Police Department firewall also needs to be replaced to meet the Federal Bureau of Investigation’s (FBI) Criminal Justice Information Services
(CJIS) Security Policy. As part of the replacement of the Police Department’s mobile data computers (MDC’s), the Police Department must re-apply to the
California Department of Justice (DOJ) and show that the Police Department meets all the current security requirements for the transportation of sensitive law
enforcement data. This project is closely tied to the Police MDC CIP as well as the Virtual Private Network CIP. This project and the Virtual Private Network
CIP must be completed before the Police MDC CIP.
The FBI phased in the new requirements over a three-year period from January 1, 2011 to January 1, 2014. As of January 1, 2012, the Police Department’s firewall
is no longer in compliance with CJIS. Staff does not expect to be able to get on DOJ’s schedule for approval until after January 1, 2014, so the City’s information
security systems will have to fully meet the CJIS requirements in order to get approval by DOJ. This CIP project is caused by an unfunded State mandate.
Department of Justice Requirements
In 2010, DOJ amended their security policy to require local law enforcement agencies to comply with the Federal Bureau of Investigation’s Criminal Justice
Information Services (CJIS) Security policy. In relation to this equipment replacement request, these new policies would require the following in order to be
compliant:
1. Malicious Code Protection – CJIS requires that agencies “employ virus protection mechanisms to detect and eradicate malicious code (e.g. viruses,
worms, Trojan horses) at critical points throughout the network and on all workstations, servers and mobile computing devices on the network.” For
malicious code protection, the City’s current security arrangement focuses only on the desktop and workstation level. CJIS requires a multi-layered
defense where all data packets going into and out of the City’s network are scanned for malicious code in addition to desktop/server level scanners. A
multi-layered defense is becoming increasingly important because new types of malicious code are being developed that are designed to get by either
firewall level malicious code protection or desktop/server level malicious code protection.
2. A local patch management policy must be in place that ensures prompt installation of newly released security relevant patches, service packs and hot
fixes. Patches for firewalls come out about every 3 months. Currently staff would have to take down all mobile data communication and all outside
communication via the City’s network to the Emergency Communication Center (ECC) every 3 months for about an hour in order to keep up on
patches. The City’s current single-point of failure firewall configuration also makes it impossible for staff to test patches until they are applied to
production hardware. Currently when staff updates the firewalls it is a major undertaking that requires the coordination of multiple staff members and
an outside consultant on site in order to mitigate the risks of updating the City’s firewalls without a straightforward way to fall back to the previous
configuration. This project would bring in clustered firewalls, where staff could patch one of the clustered firewalls and then test the configuration. If
the configuration did not work, staff could just keep all systems on the unpatched firewall until the patched configuration could be fixed. One or two
staff members could safely patch the firewalls in this case.
Anticipated Growth and Improved Service
With this project, staff also plans to ensure that the ECC will have full functionality regardless of the condition of City Hall. Currently, in the event of a loss of
communication between City Hall and the ECC, mission critical function would stay up but most non-mission critical functions would be lost. The loss of these
non-mission critical functions decreases the efficiency of the dispatchers and increases the difficulty of responding quickly to a major emergency.
It is also anticipated that the proliferation of wireless networks for telemetry and traffic signals will eventually require additional firewall interfaces. There is a high
level of concern that, as staff upgrades the City’s telemetry systems, those systems be protected with the latest security features. Every wireless access
point is a potential vulnerability to the City’s network. To ensure that the telemetry systems and the rest of the network systems are protected, the links to and from
the wireless access points need to pass through a physical firewall before accessing the City’s network. The City’s secondary Internet connection provided by
Digital West will also require additional firewall interfaces before it can be utilized.
Readiness to Build
Study complete or n/a
Equipment purchased or n/a
Property owned or property agreement in place n/a
Environmental approval and permits complete or n/a
Specifications or construction documents complete n/a
IT Steering Committee review n/a
Environmental Review and Permits Required
Environmental Review n/a
Building Permit n/a
Waterway Permits (Fish & Game, Water Quality, Army Corps) n/a
Railroad n/a
Other: (Enter the title and agency of any other needed permits) n/a
Operating Program Number and Title:
25300 Network Services
Project Phasing and Funding Sources
Continuing, ongoing or master account project - Specification No.
Initial Project Costs by Phase
                        Budget to Date    2013-14   2014-15   2015-16   2016-17   2017-18      Total
Equipment Acquisition                    $186,500                                           $186,500
Total                               $0   $186,500        $0        $0        $0        $0   $186,500
Detail of ongoing costs and alternatives to ongoing costs including return on investment information:
URL filtering and firewall maintenance is on an annual subscription plan.
Anticipated Equipment Life Span: 5 years
Project Funding by Source
Costs are allocated between these funds according to the number of computers in each.
                        Budget to Date    2013-14   2014-15   2015-16   2016-17   2017-18      Total
General Fund                             $157,500                                           $157,500
Water Fund                                $11,500                                            $11,500
Sewer Fund                                 $8,500                                             $8,500
Parking Fund                               $5,500                                             $5,500
Transit Fund                               $3,500                                             $3,500
Total                               $0   $186,500        $0        $0        $0        $0   $186,500
Reduced / Enhanced Project Alternatives
Alternate project is feasible or advantageous – Cost of alternative project:
Project can be phased – Number of years for phasing:
Project Team
Assignment                                Program             Estimated Hours
Equipment RFP & Acquisition               Network Services                120
Equipment Configuration & Installation    Network Services                 80
CAPITAL IMPROVEMENT PLAN - GENERAL GOVERNMENT
NETWORK SECURITY UPGRADES
Project Description
Upgrading the City’s network security will cost $125,000 in 2013-14 in order to comply with California Department of Justice (DOJ) requirements for the Police
Department, provide secure public access, protect the City’s wireless networks and improve web filtering capabilities.
Maintenance/Replacement New project Fleet Replacement New Fleet Request
Council Goal / Measure Y Priority - List:
Need and Urgency
Currently, the City relies on its firewalls, a web filter and desktop level anti-virus programs for the security of its network. Two key functions that are missing from
this security arrangement are network level malicious software protection and a network intrusion detection system (IDS). A limitation of the City’s current
security arrangement is the difficulty in adequately protecting the network from internal attacks through wireless access points. The proposed security upgrades
and the replacement of the City’s firewalls will also provide improved web filtering.
The recently completed Citywide Information Technology Strategic Plan recognizes a need to improve existing network security. This project would meet or
exceed the security upgrades recommended in the Strategic Plan.
Department of Justice Requirements
In 2010, DOJ amended their security policy to require local law enforcement agencies to comply with the Federal Bureau of Investigation’s Criminal Justice
Information Services (CJIS) Security policy. In relation to this equipment replacement request, these new policies would require the following in order to be
compliant:
1. Malicious Code Protection – CJIS requires that agencies “employ virus protection mechanisms to detect and eradicate malicious code (e.g. viruses,
worms, Trojan horses) at critical points throughout the network and on all workstations, servers and mobile computing devices on the network.” For
malicious code protection, the City’s current security arrangement focuses only on the desktop and workstation level. The firewall replacement CIP
(separate request) will provide a layer of protection from external threats. However, additional equipment is needed to protect the City from internal
attacks via the City’s wireless access points. Each access point is essentially an external interface to the City’s network that must be protected at the
same level as all other external interfaces.
Network IDS
A network IDS monitors inbound and outbound communications for unusual or unauthorized activities and employs automated tools to support near-
real-time analysis of events in support of detecting system-level attacks. Under the current security arrangement, Network Services would only know of an attack
if staff was looking for one. Network Services staff does not have any automated tools that would provide an alert for most attacks. Only the most brute-force
attacks, those that affect network performance, would be detected.
A network IDS is especially critical for widespread wireless networks that are accessible to the public. Wireless access points provide an easy-to-attack interface.
They are typically less secured than hardwired connections, they are easier to find since they broadcast their location by design, and they are typically overlooked
when assessing network security. Each of the City’s wireless access points does have a built-in firewall, but of the level typically found in home and
small business networks. Unlike the City’s physical connections, which are difficult to locate and have multiple layers of protection, if a hacker were to
break in via a wireless access point there would be no other layers of protection. The hacker would be behind the City’s network defenses and virtually undetectable.
This risk is partially mitigated by ensuring that signals from the City’s wireless access points do not bleed outside the City’s buildings. In many areas,
however, the City requires outdoor coverage and coverage in publicly accessible areas.
Long range wireless access points such as those that are envisioned to be used by Utilities’ telemetry wireless networks are especially vulnerable to attack because
they are designed to cover a large outside area and cannot be contained within a building. These wireless access points will require special security considerations
and their security profile will be greatly enhanced by a network IDS.
CJIS requires that state-level agencies use a network IDS; however, DOJ has so far chosen not to require local agencies to comply with that requirement. Having a
network IDS is a widely agreed-upon best practice for network security, and it is probable that DOJ will require compliance in the future.
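The paragraphs above state that Network Services currently has no automated tool that would raise an alert for most attacks. The following is an added illustration, not code from the City, this CIP, or any IDS vendor, of the kind of automated, near-real-time alerting a network IDS provides: it reads firewall-style log lines and flags a source that touches many distinct ports on one host inside a short time window, the classic signature of a probe from a compromised or unauthorized device. The log format, the IP addresses and the timestamps are all constructed for the example, and the threshold and window are assumptions, not values from the document.

```python
"""Automated alerting over firewall log lines, in the spirit of the network IDS
this CIP describes.  Added illustration only: not code from the City, the CIP,
or any vendor.  The log format, addresses and timestamps are constructed for the
example, and the rule is a deliberately simple port-scan heuristic."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO time> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one fast probe of many ports on a single host (10.20.5.14),
# normal repeated HTTPS traffic (10.20.7.3), and a slow probe spread over minutes
# (10.20.9.9) that a 60-second window will not catch.
SAMPLE_LOG = """
2014-06-02T08:00:01 ALLOW src=10.20.7.3 dst=10.20.1.20 dport=443
2014-06-02T08:00:01 DENY src=10.20.5.14 dst=10.20.1.10 dport=21
2014-06-02T08:00:02 DENY src=10.20.5.14 dst=10.20.1.10 dport=22
2014-06-02T08:00:03 DENY src=10.20.5.14 dst=10.20.1.10 dport=23
2014-06-02T08:00:04 DENY src=10.20.5.14 dst=10.20.1.10 dport=25
2014-06-02T08:00:05 ALLOW src=10.20.7.3 dst=10.20.1.20 dport=443
2014-06-02T08:00:05 ALLOW src=10.20.5.14 dst=10.20.1.10 dport=80
2014-06-02T08:00:06 DENY src=10.20.5.14 dst=10.20.1.10 dport=110
2014-06-02T08:00:07 DENY src=10.20.5.14 dst=10.20.1.10 dport=135
2014-06-02T08:00:08 DENY src=10.20.5.14 dst=10.20.1.10 dport=139
2014-06-02T08:00:09 ALLOW src=10.20.7.3 dst=10.20.1.20 dport=443
2014-06-02T08:00:09 ALLOW src=10.20.5.14 dst=10.20.1.10 dport=443
2014-06-02T08:00:10 DENY src=10.20.5.14 dst=10.20.1.10 dport=445
2014-06-02T08:00:13 ALLOW src=10.20.7.3 dst=10.20.1.20 dport=443
2014-06-02T08:01:00 DENY src=10.20.9.9 dst=10.20.1.30 dport=1
2014-06-02T08:01:30 DENY src=10.20.9.9 dst=10.20.1.30 dport=2
2014-06-02T08:02:00 DENY src=10.20.9.9 dst=10.20.1.30 dport=3
2014-06-02T08:02:30 DENY src=10.20.9.9 dst=10.20.1.30 dport=4
2014-06-02T08:03:00 DENY src=10.20.9.9 dst=10.20.1.30 dport=5
2014-06-02T08:03:30 DENY src=10.20.9.9 dst=10.20.1.30 dport=6
2014-06-02T08:04:00 DENY src=10.20.9.9 dst=10.20.1.30 dport=7
2014-06-02T08:04:30 DENY src=10.20.9.9 dst=10.20.1.30 dport=8
2014-06-02T08:05:00 DENY src=10.20.9.9 dst=10.20.1.30 dport=9
2014-06-02T08:05:30 DENY src=10.20.9.9 dst=10.20.1.30 dport=10
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(lines, window_seconds=60, threshold=8):
    """Alert once per (src, dst) pair when one source touches at least
    `threshold` distinct destination ports on one host inside a sliding
    window of `window_seconds`.  Allowed and denied packets both count:
    a probe that finds open ports is still a probe."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order
    recent = defaultdict(deque)       # (src, dst) -> deque of (ts, dport) in window
    in_window = defaultdict(Counter)  # (src, dst) -> dport -> count in window
    alerted, alerts = set(), []
    for e in events:
        key = (e["src"], e["dst"])
        q, ports = recent[key], in_window[key]
        q.append((e["ts"], e["dport"]))
        ports[e["dport"]] += 1
        # Expire events that have fallen out of the window.
        while q and e["ts"] - q[0][0] > window:
            _, old = q.popleft()
            ports[old] -= 1
            if ports[old] == 0:
                del ports[old]
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": e["src"], "dst": e["dst"], "ports": sorted(ports),
                "first_seen": q[0][0], "alert_at": e["ts"],
            })
    return alerts


def run_sample(window_seconds=60):
    """Run the detector over the constructed sample log."""
    return detect_port_scans(SAMPLE_LOG.splitlines(), window_seconds)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['alert_at']:%H:%M:%S}: {a['src']} probed {len(a['ports'])} "
              f"ports on {a['dst']} since {a['first_seen']:%H:%M:%S}: {a['ports']}")
```

With the default 60-second window the fast probe from 10.20.5.14 is reported as soon as its eighth distinct port is seen, while the slow probe from 10.20.9.9 is not, because no 60-second window ever holds more than three of its packets. Widening the window to 600 seconds catches it too. That trade-off, a short window for low noise versus a long window for patient scanners, is exactly the tuning work the CIP's "automated tools" have to do, and it is one reason commercial IDS products combine several such rules rather than relying on one threshold.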
Internal Attacks via Wireless Access Points
The City is seeing an increasing number of “bring your own device” (BYOD) instances. BYOD represents a major security threat to the City’s network because users
typically move these devices between their home network and the City’s network. Most home networks do not have the same level of security as the City’s
network, and the devices can become infected with malicious software that is then transferred to the City’s network when the device connects to it.
The City currently allows any device to be attached to the City’s network regardless of risk. Typically, the attacks are automated and the user does not even know
their device is infected and causing an attack. A network access control solution working with a network IDS is the industry-standard solution for protecting against
internal attacks.
Improved Web Filtering
An additional benefit of these security improvements and the firewall replacement is that this equipment will also provide more granular web filtering. Currently,
the City’s web filtering is based strictly on URL. This means that sites like scribd.com must be completely blocked because a portion of their content is
objectionable. The City’s current web filter cannot separate the acceptable content from the unacceptable content. The same is true for other file
sharing sites that contain a mixture of acceptable and unacceptable content. Current web filters can provide access to a particular site but prevent downloading any
files from that site. They can also allow streaming but enforce bandwidth limitations (e.g. allow access to youtube.com but prevent a user from streaming multiple
videos at the same time). Another useful capability is their ability to allow access to a site like Facebook but prevent the execution of applications from the site.
This would let the City permit access to Facebook while blocking Facebook games such as Farmville. Applied to security, this same technology can be
used to allow access to a site but prevent suspect add-ons from launching on the site. Suspect add-ons are one of the most common ways malicious software infects
systems.
Readiness to Build
Study complete or n/a
Equipment purchased or n/a
Property owned or property agreement in place n/a
Environmental approval and permits complete or n/a
Specifications or construction documents complete n/a
IT Steering Committee review n/a
Environmental Review and Permits Required
Environmental Review n/a
Building Permit n/a
Waterway Permits (Fish & Game, Water Quality, Army Corps) n/a
Railroad n/a
Other: (Enter the title and agency of any other needed permits) n/a
Operating Program Number and Title:
25300 – Network Services
Project Phasing and Funding Sources
Continuing, ongoing or master account project - Specification No.
Initial Project Costs by Phase
                        Budget to Date    2013-14   2014-15   2015-16   2016-17   2017-18      Total
Land Acquisition                                                                                  $0
Site Preparation                                                                                  $0
Design                                                                                            $0
Equipment Acquisition                    $125,000                                           $125,000
Total                               $0   $125,000        $0        $0        $0        $0   $125,000
Detail of ongoing costs and alternatives to ongoing costs including return on investment information:
All security equipment requires regular updates in order to protect against emerging threats as they are identified.
Anticipated Facility Life Span: N/A
Project Funding by Source
Costs are allocated between these funds according to the number of computers in each.
                        Budget to Date    2013-14   2014-15   2015-16   2016-17   2017-18      Total
General Fund                             $106,800                                           $106,800
Water Fund                                 $6,500                                             $6,500
Sewer Fund                                 $5,500                                             $5,500
Parking Fund                               $3,100                                             $3,100
Transit Fund                               $3,100                                             $3,100
Total                               $0   $125,000        $0        $0        $0        $0   $125,000
Reduced / Enhanced Project Alternatives
Alternate project is feasible or advantageous – Cost of alternative project:
Project can be phased – Number of years for phasing:
Project Team
Assignment                                Program             Estimated Hours
Equipment RFP & Acquisition               Network Services                120
Equipment Installation                    Network Services                160
CAPITAL IMPROVEMENT PLAN - GENERAL GOVERNMENT
VIRTUAL PRIVATE NETWORK REPLACEMENT
Project Description
Replacing the City’s Virtual Private Network (VPN) systems will cost $130,000 in 2013-14.
Maintenance/Replacement New project Fleet Replacement New Fleet Request
Council Goal / Measure Y Priority - List:
Need and Urgency
The City utilizes two VPN systems. The first system is used by the Police Department to secure communications between the Police Department’s network and the
Police vehicles. The Police Department’s system must be certified as meeting Federal Information Processing Standard (FIPS) 140-2. FIPS 140-2 is an encryption
standard that ensures the integrity and confidentiality of the communication. The second system is used for the rest of the City’s remote networking needs. Both
systems are five years old. As part of the Police Department’s replacement of their mobile data computers (MDCs), the Police Department must re-apply to the
California Department of Justice (DOJ) and show that the department meets all the current security requirements for the transportation of sensitive law
enforcement data. This CIP project is caused by an unfunded State mandate.
The City will continue to need two VPN systems in the future because the Police VPN system must terminate behind the Police Department’s firewall connection.
The higher encryption standard also requires a more complex and expensive system. Both systems need to be replaced to keep the staff time needed to manage the
VPN connections at current levels.
Department of Justice Requirements
In 2010, the California Department of Justice (DOJ) amended their security policy to require local law enforcement agencies to comply with the Federal Bureau of
Investigation’s Criminal Justice Information Services (CJIS) Security policy. In relation to this equipment replacement request, these new policies would require
the following in order to be compliant:
1. Advanced Authentication – CJIS defines advanced authentication as using biometric systems, user-based public key infrastructure (PKI), smart cards,
software tokens, hardware tokens, paper tokens, or “Risk-based Authentication.” It is imperative that the new VPN system support at least one of these
advanced authentication methods. Network Services staff recommends that PKI be used because it does not require any special hardware in the vehicles, is
widely used and is supported by all major VPN vendors. The exact implementation of PKI, however, will depend on what VPN system the City chooses.
End of Support
The Police Department’s VPN system will lose same-day support on August 1, 2014. After this date, only next-business-day support will be available. If a failure
were to happen on a Friday, it could take up to three days before the system could be repaired. Until the VPN system was repaired, none of the public safety MDCs
would be operational.
The City’s VPN system loses next-business-day support on January 31, 2014, and all support ends on January 31, 2015. The City’s VPN system is becoming
increasingly mission critical and is projected to become more so as future projects are completed. Once next-business-day support ends, Juniper will no longer
provide hardware support. If there is a hardware failure, the City would be without any VPN capability until a replacement system could be purchased and
installed.
Projected Growth
There are a number of mobile initiatives in Community Development, Public Works and Utilities that will require a more robust VPN system than the current
system. Those initiatives are expected to at least double the number of concurrent VPN connections. Most VPN solutions are licensed per concurrent connection
with discounts increasing for multiple purchases at a single time. Staff believes that it will be more economical to replace the system now, instead of building on
the current system and then replacing the entire system in two years.
Cost Breakdown
Clustered FIPS 140-2 VPN system for Police (Equipment and Installation)    $ 65,000
Advanced Authentication (Equipment and Installation)                       $ 30,000
City VPN system (Equipment and Installation)                               $ 20,000
Contingency (12%)                                                          $ 15,000
Total                                                                      $130,000
Readiness to Build
Study complete or n/a
Equipment purchased or n/a
Property owned or property agreement in place n/a
Environmental approval and permits complete or n/a
Specifications or construction documents complete n/a
IT Steering Committee review n/a
Environmental Review and Permits Required
Environmental Review n/a
Building Permit n/a
Waterway Permits (Fish & Game, Water Quality, Army Corps) n/a
Railroad n/a
Other: (Enter the title and agency of any other needed permits) n/a
Operating Program Number and Title:
25300 Network Services
Project Phasing and Funding Sources
Continuing, ongoing or master account project - Specification No.
Initial Project Costs by Phase
                        Budget to Date    2013-14   2014-15   2015-16   2016-17   2017-18      Total
Study                                                                                             $0
Environmental / Permit                                                                            $0
Land Acquisition                                                                                  $0
Site Preparation                                                                                  $0
Design                                                                                            $0
Construction                                                                                      $0
Construction Management                                                                           $0
Equipment Acquisition                    $130,000                                           $130,000
Total                               $0   $130,000        $0        $0        $0        $0   $130,000
Ongoing Costs by Type
                        Budget to Date    2013-14   2014-15   2015-16   2016-17   2017-18      Total
Maintenance materials                                  $1,000    $1,000    $1,000    $1,000     $4,000
Total                               $0         $0      $1,000    $1,000    $1,000    $1,000     $4,000
Detail of ongoing costs and alternatives to ongoing costs including return on investment information:
The advanced authentication method will require key-generation devices to be issued to all sworn Police staff. These devices are either shaped like a USB flash
drive or are the size of three credit cards stacked together. In order to maintain the integrity of the system, these devices will have to be disabled as soon as they are
reported missing, and a new device issued. The devices also all have internal batteries that are rated for 3-5 years. The advanced authentication method will also
probably increase the overall annual maintenance costs of the VPN system.
Anticipated Facility Life Span:
Project Funding by Source
Costs are allocated between these funds according to the number of current MDC units.
                        Budget to Date    2013-14   2014-15   2015-16   2016-17   2017-18      Total
General Fund                             $108,300                                           $108,300
Water Fund                                $15,500                                            $15,500
Sewer Fund                                 $6,200                                             $6,200
Total                               $0   $130,000        $0        $0        $0        $0   $130,000
Reduced / Enhanced Project Alternatives
Alternate project is feasible or advantageous – Cost of alternative project:
Project can be phased – Number of years for phasing: 2 years
The project could be phased over two years, with the first year replacing the City VPN system and implementing advanced authentication with the Police
Department’s current VPN system. Replacement of the Police Department’s VPN system at a later date would force the City to re-apply to DOJ for certification that
the City’s systems meet DOJ’s current security standards. Applying to DOJ for certification is a very time-consuming process for staff, and there is no
guarantee the application will be accepted on the first review. Due to state budget cutbacks, the committee that reviews local agencies’ applications for security
certification currently only meets every six months. If the application were rejected, it is probable that the City would have to wait another six months before any
new hardware could be installed. Since 2010, new requirements have gone into effect every year. It is possible that by 2014 there will be new requirements for
equipment not related to the VPN system that will need to be replaced in order to meet the new security requirements. Another problem with phasing the project is
that, at a minimum, the advanced authentication method would have to be completely reconfigured in order to integrate with the new VPN system. This would
require an increase of at least $10,000 to the overall budget of this project. It could also leave the City running two completely different VPN systems for a
year, which would significantly impact Network Services staff workload. Network Services and the Police Department do not recommend phasing this project.
Project Team
Assignment                                Program             Estimated Hours
Equipment RFP & Acquisition               Network Services                120
Equipment Configuration & Installation    Network Services                120
Spillman CAD/RMS System Configuration     Police                           40