Guidelines in the Conduct of Test for Unified Threat Management/Firewall
The PNP Memorandum Circular No. 2017-009 establishes guidelines for conducting tests on Unified Threat Management (UTM) and Firewall systems procured by the Philippine National Police (PNP). It outlines the roles of the Directorate for Research and Development (DRD) as an independent testing body, detailing the procedures for post-qualification and acceptance testing to ensure compliance with specified standards. The document emphasizes the importance of adherence to the National Police Commission (NAPOLCOM) approved specifications and outlines the composition and responsibilities of the Technical Working Group (TWG) involved in the testing process. Additionally, it rescinds any prior conflicting guidelines and becomes effective 15 days after filing with the UP Law Center.
Quick Answers
- What type of law is PNP Memorandum Circular No. 2017-009?
- Guidelines in the Conduct of Test for Unified Threat Management/Firewall (PNP Memorandum Circular No. 2017-009) is a Philippine Other Rules and Procedures enacted by the Congress of the Philippines.
- When was Guidelines in the Conduct of Test for Unified Threat Management/Firewall enacted?
- Guidelines in the Conduct of Test for Unified Threat Management/Firewall (PNP Memorandum Circular No. 2017-009) was enacted on Feb 6, 2017.
- What is the citation for Guidelines in the Conduct of Test for Unified Threat Management/Firewall?
- Guidelines in the Conduct of Test for Unified Threat Management/Firewall, PNP Memorandum Circular No. 2017-009, Feb 6, 2017 (Philippines)
Law Information
- Reference Number
- PNP Memorandum Circular No. 2017-009
- Date Enacted
- Category
- Other Rules and Procedures
- Subcategory
- Philippine National Police
- Jurisdiction
- Philippines
- Enacting Body
- Congress of the Philippines
Full Law Text
February 6, 2017
PNP MEMORANDUM CIRCULAR NO. 2017-009
GUIDELINES IN THE CONDUCT OF TEST FOR UNIFIED THREAT MANAGEMENT/FIREWALL
1. REFERENCES:
a. Republic Act (RA) No. 9184 entitled "An Act Providing for the Modernization, Standardization and Regulation of the Procurement Activities of the Government and for Other Purposes, and its Revised Implementing Rules and Regulations";
b. RA No. 7394 entitled "The Consumer Act of the Philippines";
c. Commission on Audit (COA) Government Accounting and Auditing Manual Volume I;
d. COA Revised Manual on Inspection;
e. Government Procurement Policy Board (GPPB) Guidelines on the Establishment of Procurement Systems and Organizations (Volume 1);
f. National Institute of Standard and Technology, Guidelines on Firewalls and Firewall Policy;
g. http://www.wepopedia.com;
h. GPPB Manual of Procedures for the Procurement of Goods and Services (Volume 2);
i. COA Memorandum No. 98-023 (Revised Manual on Inspection);
j. NAPOLCOM Resolution No. 2012-256 entitled "Approving the Minimum Standard in the Specifications for Unified Threat Management (UTM)/Firewall";
k. PNP Memorandum Circular No. 2015-015 entitled "Policy Guidelines in the Conduct of Test and Evaluation"; and
l. Mission and Functions of the Directorate for Research and Development.
2. RATIONALE:
The Directorate for Research and Development (DRD) as an independent research and testing facility of the PNP, shall conduct test of clothing, materiel, weapons, vehicles, and equipment required by the PNP.
3. PURPOSE:
This Memorandum Circular (MC) sets forth the policy guidelines in the conduct of test for Unified Threat Management (UTM)/Firewall to ascertain whether the procured items conform with the requirements as provided for under the bidding documents and the minimum specifications as approved by NAPOLCOM.
4. SCOPE AND APPLICATION:
This MC shall be applicable in the conduct of post-qualification test and during inspection and acceptance test of Unified Threat Management (UTM)/Firewall.
5. DEFINITION OF TERMS:
a. Computer Security is also known as cybersecurity or IT security. It is the protection of information systems from theft or damage to hardware, software, and information contained in them, as well as from disruption or misdirection of the services.
b. Concurrent Connection is an option wherein the user is able to limit the maximum connections for a web server.
c. Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not of itself prevent interception, but denies the message content to the interceptor.
d. Firewall is a device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.
e. Firewall Throughput is the amount of data moved successfully from one place to another in a given time/period, and typically measured in bits per second (bps), as in megabits per second (Mbps) and gigabits per second (Gbps).
f. Networking is a telecommunications network which allows computers to exchange data. In computer networks, networked computing devices pass data to each other along network links (data connections). The connections between nodes are established using either cable media or wireless media. The best-known computer network is the Internet.
g. Pass-Through Authentication is a host or a user from one zone who tries to access resources on another zone.
h. Port is a device that serves as an interface between the computer and other computers or peripheral devices.
i. Power Supply is a device that provides components with electric power. The term usually pertains to devices integrated within the component being powered.
j. Software are programs and routines for a computer or the program material for an electronic device which make it run.
k. Unified Threat Management (UTM) is a category of security appliance which integrates a range of security features into a single appliance. UTM appliances combine firewall, gateway anti-virus and intrusion detection and prevention capabilities into a single platform.
l. Virtual Private Network is also known as a VPN. It is a private network that extends across a public network or internet. It enables users to send and receive data across shared or public networks as if their computing devices are directly connected to the private network.
m. Web Authentication is when users try to connect, using HTTP or HTTPS, to an IP address on the device that is enabled for Web authentication; in this scenario, the user does not use HTTP or HTTPS to get to the IP address of the protected resource. A message is displayed to inform you about the successful Web authentication. After successful authentication, the browser launches the original destination URL without the need to retype the URL.
6. GUIDELINES:
a. General:
1) The DRD shall function as an independent testing facility of the PNP. As required, its personnel shall perform their duties pursuant to the mandates of PNP Memorandum Circular No. 2015-015; 1
2) In case the Bids and Awards Committee (BAC) or the Committee on Inspection and Acceptance (CIA) designate a DRD personnel as member of the Technical Working Group (TWG), the designation shall at all times be covered by appropriate Letter Orders. Accordingly, the designated personnel shall cease to perform his functions as personnel of the DRD, but shall instead perform his tasks as member of the TWG for Post-qualification or TWG for Inspection and Acceptance;
3) The composition of the TWG for the conduct of Post-Qualification Test and the TWG for Inspection and Acceptance shall be meticulously selected by the BAC or the CIA. The TWG shall be headed by the most senior Police Commissioned Officer (PCO) who shall be appointed by the BAC in case of post-qualification test, or the CIA, in case of inspection and acceptance test;
4) The Chief of the concerned Division of the End-User Unit or other competent PCO from the same Office shall be automatically selected as member of the TWG. To strengthen check and balance, in no case shall a member of the TWG for post-qualification be selected as member of the TWG for Inspection and Acceptance;
5) The post-qualification test and the conduct of inspection and acceptance test shall be based on the most recent standard specifications issued by the National Police Commission (NAPOLCOM) for Unified Threat Management/Firewall and the number of sample items to be tested shall be clearly reflected in the bidding documents;
6) Additional technical requirements imposed by the BAC may only be considered in the conduct of test if the same are properly reflected in the bidding documents or in its supplemental bid bulletin (SBB). Likewise, in case there is a need to conduct additional tests, which are not included in the approved test parameters, the same may be allowed only if the additional test parameters are properly reflected in the bidding documents or in its SBB;
7) Administrative and operational expenses for the conduct of post-qualification and test and evaluation shall only be imposed upon the supplier if the same were included in the computation of the Approved Budget for the Contract (ABC) and integrated in the preparation of the Project Procurement Management Plan (PPMP). If such expenses were not considered therein, the same may be charged to the proceeds of the sale of the bid documents as indirect cost or administrative cost allocated to the bidding activities, pursuant to GPPB Resolution No. 04-2012;
8) Consistent with the "pass or fail criteria," non-compliance with the NAPOLCOM approved standard specifications during post-qualification test is a ground for post-disqualification;
9) If during the inspection and acceptance test, the items delivered by the supplier failed to pass any test and/or inspection or do not conform with the specifications, the same shall be subject to the provision of Clause 16.4 of the General Conditions of the Contract of the Philippine Bidding Documents;
10) Samples submitted for post-qualification and test and evaluation shall not be considered part of the delivered items, unless otherwise specifically provided in the bidding documents. Except in cases where samples are considered part of the delivered items or when a Motion for Reconsideration is filed by the suppliers with the BAC or IAC, all samples submitted shall be returned to the suppliers immediately after the termination of the post-qualification or test and evaluation;
11) All the members of the TWG shall sign the result of the post-qualification test. In case there are disagreements on the findings of the TWG, the member who did not conform with the findings/result is allowed not to sign the report, provided that he will submit his written explanation, which shall be attached to the report of the TWG; and
12) The report of the TWG on post-qualification shall be submitted to the BAC; while the outcome of the inspection and acceptance test shall be submitted by the TWG to the IAC, copy furnished TDRD and the end-user unit.
b. Test Proper:
1) Phase I — Visual/Dimensional/Technical Inspection/Test
a) Purpose: To determine the completeness and correctness of the Unified Threat Management/Firewall based on the requirements specified by the Requesting Party (e.g., NAPOLCOM-approved specifications, The Revised Manual on Inspection, other requirements indicated in the bidding documents, etc.);
b) Procedure: Examination of Unified Threat Management/Firewall to ascertain completeness and correctness based on the requirements specified by the Requesting Party (e.g., NAPOLCOM-approved specifications, The Revised Manual on Inspection, other requirements indicated in the bidding documents, etc.); and
| DESCRIPTION | PARAMETERS |
|---|---|
| Category | Based on Certification |
| Form Factor | Based on Visual Inspection |
| Firewall throughput | Based on Brochure/Certification |
| VPN throughput | Based on Brochure/Certification |
| Concurrent connections | Based on Brochure/Certification |
| Interfaces/Ports: RJ 45 10/100 Auto Sensing and Auto Switching Ethernet WAN Ports | Based on Visual and System Inspection |
| Interfaces/Ports: RJ 45 10/100/1000 Auto Sensing and Auto Switching Ethernet LAN Ports | Based on Visual and System Inspection |
| Interfaces/Ports: Minimum USB or Higher | Based on Visual and System Inspection |
| Interfaces/Ports: Other latest technology | Based on Visual and System Inspection |
| Software | Based on System Inspection |
| Security features: Stateful Packet Inspection Firewall | Based on System Inspection |
| Security features: Web/Content Filtering | Based on System Inspection |
| Security features: Block TCP/UDP Packet Floods | Based on System Inspection |
| Security features: DoS Attack Protection | Based on System Inspection |
| Security features: Port/Service Blocking | Based on System Inspection |
| Security features: Hardware DMZ Port | Based on System Inspection |
| Security features: Other latest firewall security features | Based on System Inspection |
| VPN Features | Based on System Inspection |
| Encryption | Based on Brochure/Certification |
| Input Power | Based on Brochure/Certification |
| Accessories | Based on Visual Inspection |
| Warranty | Based on Contract |
| Training | Based on Contract |
c) Standard: The Unified Threat Management/Firewall should be complete and correct based on the requirements specified by the Requesting Party (e.g., NAPOLCOM approved specifications, The Revised Manual on Inspection, other requirements indicated in the bidding documents, etc.).
2) Phase II — Functional Test
a) Purpose: To determine if the Unified Threat Management/Firewall is functioning based on its intended purpose;
b) Procedure: Run the Unified Threat Management/Firewall and check the functionality of the following:
b.1) Interfaces/Port;
b.2) Software;
b.3) Security Features;
b.4) VPN Features;
b.5) Encryption; and
b.6) Authentication.
c) Standard: The UTM/firewall should be functioning based on its intended purpose:
c.1) Interfaces/Ports: All ports should be able to connect the following:
c.1.a) RJ 45 10/100 auto-sensing and auto-switching Ethernet WAN;
c.1.b) RJ 45 10/100/1000 auto-sensing and auto-switching Ethernet LAN;
c.1.c) Universal Serial Bus (USB); and
c.1.d) Other latest technology.
c.2) Software: Should be able to run Management software;
c.3) Security Features: Should be able to configure security features of the following:
c.3.a) Stateful Packet inspection firewall;
c.3.b) Web/content filtering;
c.3.c) Block TCP/UDP packet floods;
c.3.d) DoS attack protection;
c.3.e) Port/service blocking;
c.3.f) Hardware DMZ port; and
c.3.g) Other latest firewall security features.
c.4) VPN Features: Enable users to send and receive data across shared or public networks as if their computing devices are directly connected to the private network. Test if the virtual network supports the following Server and/or Client Set up:
c.4.a) SSL;
c.4.b) PPTP; and
c.4.c) IPSEC.
c.5) Encryption: should be able to send messages or information through VPN in such a way that only authorized parties can read it using any of the following type of encryption:
c.5.a) DES;
c.5.b) Triple DES; and
c.5.c) AES.
| Computer Parts/Peripherals | Findings/Observations |
|---|---|
| | |
7. RESCISSION:
All other test procedures, guidelines or standard operating procedures contrary to or inconsistent with the provisions of this MC are hereby rescinded, modified or amended accordingly.
8. EFFECTIVITY:
This MC shall take effect after 15 days from filing a copy thereof at the UP Law Center in consonance with Section 3, Chapter 2, Book VII of Executive Order 292 otherwise known as the "Revised Administrative Code of 1987," as amended.
(SGD.) RONALD M. DELA ROSA
Police Director General
Chief, PNP
Footnotes
1. Policy Guidelines in the Conduct of Test and Evaluation.
Cite This Law
Guidelines in the Conduct of Test for Unified Threat Management/Firewall, PNP Memorandum Circular No. 2017-009 (Phil. 2017)