General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS)
Vol. 1 Technical RFP No. QTA0015THA3003 1-19 Use or disclosure of data contained on this page is subject to the restrictions on the title page of this proposal.
1.3 Mandatory EIS Services [L.29(2)(a), M.2.1, C.1.2]
The Level 3 Team proposes the EIS services described in SOW
C.1.2:
. Details of the mandatory services Level
3 provides are given in response Sections 1.3.1 through 1.3.3.1. In accordance with
SOW C.1.2, is also included as a mandatory component, as
described in our response Section 1.4.9. As demonstrated in our response, we have the
On- or off-net access circuit: Access circuits can be on-net [i.e., on Level 3
infrastructure (metro private line or colocation)] or off-net (i.e., provided by third-
party providers—for example, circuits, where
available).
VPN port on the : VPNS port types include all
specified in C.2.1.1.3.
Class of Service (CoS) Bandwidth on the VPN port: Level 3 only uses
to connect to our VPNS service. CoS in a Layer 3
is implemented on Layer 3. The access circuit is for
the CoS mechanisms that operate between Level 3’s and the
agency’s .
The security and reliability of the Level 3 VPNS architecture provides the
foundation that agencies require for VPNS services and features. Our approach
includes
security features, as described in the following paragraphs.
Physical Access. All Level 3 facilities that house VPNS elements have
. Employees
are issued to the facilities and areas needed
for the employee to perform their duties.
When VPNS elements are housed in , they are
.
Authorized Personnel. Employees involved with
of the VPNS network have sufficient access to enable
them to perform their duties. In addition, employees who have access to assets in North
America must go through Level 3’s and
in compliance with Government guidelines.
Access to Equipment Configuration. Management access to the VPNS
elements is limited to Level 3 employees with valid
. Those employees needing to
actually change configurations on VPNS network elements must have
. These
. Each
agency interface is mapped into a
. These
and the route is tagged with a
which uniquely defines to which as the
Because the Level 3 core IP network uses , there is address separation
between the . A potential
attacker could guess IP addresses and send packets to these addresses. However,
because of the , each incoming packet is treated as
. Thus, it is impossible to reach an
. In fact, to avoid
. If a
is sent from an agency to the Level 3 network, it is dropped at the
We also use a different addressing scheme between our
.
attack to a particular network element protecting the rest of the network.
do not need to forward traffic to the Internet
natively, makes it
extremely difficult for an Internet site or one of our Internet customers to
attack to a and Internet access onto separate
routers, we can filter out all that has originated at an
The separation of access routers also helps to
protect against , such as an inadvertent bridging of the
, which could inadvertently lead to the VPNS network
being attacked. Additionally when IPS is utilized in conjunction with VPNS,
,
and may also be routed through an as specified in SOW C.1.8.8.
Given the internal structure of the Level 3 , core network
elements and the methods we employ for interfacing with the customer’s premises
routers, the Level 3
Extranet. The Level 3 VPNS
as required for segregation from agency internal
traffic. As specified in SOW C.1.8.8, Extranet routes may be routed to an
Remote Access. Level 3’s VPNS enables to gain
access to secure agency information through (see Figure 1.3.1.1.1.1-1). The extend the security policies of
the to mobile users and other/remote sites not directly connected to the
. to
the agency.
Figure 1.3.1.1.1.1-1. Level 3 VPNS Secure Access Architecture. Our architecture
provides secure remote access.
A as specialized software, and
provides an into an
We continue to incorporate specifications as they
mature and products supporting those available. We keep
abreast of developments within the
1.3.1.1.3 Connectivity [L.29.2.1, M.2.1, C.2.1.1.1.3]
The Level 3 VPNS service supports dedicated site-to-site access via leased
lines. The Level 3 VPNS service supports secure remote access via either dial-up, DSL,
or cable. The VPNS service provides for full meshing among VPN end-locations as a
default configuration. Partial meshing, if required, is supported. As discussed earlier,
access circuits can be on-net or off-net.
1.3.1.1.4 Technical Capabilities [L.29.2.1, M.2.1, C.2.1.1.1.4]
Our VPNS solution meets all the mandatory technical capabilities and thresholds
listed in PWS C.2.1.1.1.4. Elements of our solution are summarized in the following
paragraphs:
1. Meet Applicable Routing Requirements. The Level 3 VPNS solution meets
applicable routing requirements of SOW C.1.8.8, ensuring
2. Provide Multiple Tunneling Standards. The Level 3 network supports
The methods describing compliance
to SOW C.1.8.8 are provided in Section 1.4.13 of this Technical Volume.
3. Provide Various Encryption Levels. The Level 3 network supports
c) Site-to-Site Level QoS is supported by each pair of connected
This is similar to an
Level 3 also allows
d) Intserv (RSVP)-signaled QoS. Level 3 supports
needs of an
application's traffic in the through the network. This provides
a way to deliver the that require by
explicitly managing network resources to provide QoS to specific user packet
streams (flows).
e) Diffserv. Our provides a transparent
,
network transports those markings transparently through the network.
leaving
the agency ) intact.
8. Support QoS on Access. Level 3 supports QoS on the following access
networks:
a) 802.1p Prioritized Ethernet. Level 3 network equipment recognizes agency
b)
c)
d) QoS-Enabled Wireless.
e) Cable High-Speed Access (
to
securely connect for safe access to the network anywhere, anytime;
eliminating the need for all sites to . Key
service features include high availability and diverse path redundancy using
provides superior traffic
management on “best efforts” broadband access to prioritize mission-critical
applications and .
f) QoS-Enabled
9.
10.
11.
12. Provide Secure Routing Services. The
Level 3 has implemented technologies such as to ensure
that
administered on a site-to-site basis to ensure that is not routed
to other customers sharing the network.
13. Support Encryption, Decryption, and Key Management Profiles. Our VPNS
supports
standards.
14. Support Agency Internal Security Mechanisms. Level 3 supports an agency
deploying its own internal security mechanisms which are in addition to those
we employ in support of VPNS, to secure specific applications or traffic more
precisely than on a
15. Allow Agency Alternatives for Temporary Authentication. Level 3 allows an
agency to choose from for
authentication of temporary access users.
1.3.1.1.5 Features [L.29.2.1, M.2.1, C.2.1.1.2]
Our VPNS includes the SOW-specified mandatory features, as described below:
High-availability Options for
Interworking Services: Level 3 provides interworking services for an agency’s
1.3.1.1.6 Interfaces [L.29.2.1, C.2.1.1.3]
Level 3’s VPNS supports the specified in
SOW C.2.1.1.3.
through the proven application of the ), wherein agency
within unique, secure groups. If, for
coverage extension, Level 3 draws upon another carrier via an
is directly mapped to a across the network boundary. Additionally, for overall
security, Level 3 continuously monitors the threat landscape and takes action as
needed.
1.3.1.2.1 Service and Functional Description [L29.2.1, M.2.1, C.2.1.2.1, C.2.1.2.1.1]
Available throughout the , Level 3
This network is always expanding, enabling Level 3 to meet
customers’ never-ending demands for scale and scope.
Leveraging this high speed core is Level 3’s
Quality of Service (QoS) to be managed over the entire
network. Secure, diverse
. Consequently, Level 3 is able to provision all on-
net . Another
advantage of an as each internal router views the
forwarding table. Hence, when an , the router is
made aware of it instantaneously, with a .
Level 3
, shown in Figure 1.3.1.2.1-1. This enables agencies to
shown in Figure 1.3.1.2.1-2 (a) and (b) allow agencies to connect
Figure 1.3.1.2.1-1. Overview of Level 3
VLAN and Port Mapping. A
configuration where no service multiplexing is required.
Class of Service.
are used to signal CoS, although static treatments are also used. In the latter,
an .
As Level 3 , CoS is
mapped to .
Figure 1.3.1.2.1-2.
In May 2015, Level 3 announced
The agency is in
control of how long the additional bandwidth is available and can view all events in
historical reports. Costs are known before each event occurs, and there’s even a
monthly rate cap.
offers a via a commit with usage basis.
Figures 1.3.1.2.1-3 and 1.3.1.2.1-4 are examples of that
reflect the ease of harnessing Level 3’s capability.
Figure 1.3.1.2.1-3. Enhanced Management Customer Network Report View.
Figure 1.3.1.2.1-4. Dynamic Capacity “Activate Now” Screen.
In this proven
technology, a unique tag is assigned to the traffic of a given agency/customer so that
traffic of different customers can be segregated on distinct logical networks within the
Level 3 network. Therefore, each customer (or customer network) is completely isolated
from other customers’ domains,
Should an agency site be a member of more
than one ; the
within the core network.
As noted previously, when ,
continuity is maintained across the interface as part of the
is directly mapped
to a . Therefore, traffic segregation and security are
maintained.
1.3.1.2.2 Standards [L.29.2.1, C.2.1.2.1.2]
SOW C.2.1.2.1.2 calls for compliance with a number of standards and
documents of:
Consistent with Level 3’s leadership in
. Particularly as
Level 3 personnel are active in a variety of industry forums and working groups related
to , per item 5), Level 3 will review new versions, amendments, and
Quality of Services. Level 3 ensures voice quality across the network by
carrying . This queue has
. Level 3 meets the
Level 3 performs quality measurements through on-net and off-net to on-net
analysis tools. On-net quality is measured using probes that determine voice quality
across the Level 3 network. These devices generate ,
providing real-time feed-back on network voice quality. These devices also actively
. Level 3 can also provide statistically significant
data on calls traversing the hosted .
Six CoS levels are carried through the Level 3 network and subsequently
delivered to customers. IPVS, being real-time traffic, is carried at the highest CoS level.
The CoS mappings
To deliver on the agreed QoS, queuing mechanisms such as
are employed to
assure output queues deliver traffic with defined service level attributes appropriately.
In addition to , no the hosted IPVS
solution in the core data centers provides a so that if all
connectivity to the
etc.). The
voicemail system also remains active and can be accessed from either
Service Coverage. Level 3’s solution for IPVS extends to all
in SOW C.1.3. The Level 3 IPVS is provided over the
global Level 3 network, which has integrated
, and
and and end offices as a . Level 3’s
Security. Level 3 IPVS employs security measures such as
If the
For Agencies deploying a hosted
IPVS solution, Level 3 recommends archiving
Level 3 applies the following safeguards to ensure the security of our IPVS,
which is delivered over our secure :
Denial of service (DoS):
Intrusion:
Invasion of privacy:
Section 2.1 Information Security of this volume provides specific details on Level
3’s approach to Information Security requirements listed in the RFP.
1.3.2.1.1 Service and Functional Description [L.29.2.1, M.2.1, C.2.2.1.1]
Level 3 offers a feature-rich, flexible, and cost-effective IPVS solution to meet
EIS program requirements and accommodate future growth. Our IPVS architecture
supports with
A
and, if required, connectivity to the Internet.
The Level 3 IPVS solution employs QoS enabled IP access connections that may
. A single access
connection .
Figure 1.3.2.1.1-2. Level 3 IPVS –
Our
1.3.2.1.2 Standards [L.29.2.1, M.2.1, C.2.2.1.1.2]
Level 3’s TFS offering is compliant with the standards listed in SOW C.2.2.1.1.2.
Our IPVS offering supports all .
1.3.2.1.3 Connectivity [L.29.2.1, M.2.1, C.2.2.1.1.3]
The Level 3 IPVS solution provides connectivity and interoperability with the
Within the hosted environment, the Level
3 IPVS solution includes a to the
hosted VoIP data centers. VPNS service has
IPVS provides managed onsite
suitable for analog
telephone sets or legacy fax machines. We provide feature transparent services
between agency locations via the Level 3 , which
includes extended connectivity to remote offices.
Level 3’s IPVS administrator features provide secure with
, ,
and . Administrators can make
to the system, including
; ;
1.3.2.1.4 Technical Capabilities [L.29.2.1, M.2.1, C.2.2.1.1.4]
Level 3’s IPVS solution offers a sophisticated suite of personalized settings for
features and capabilities. Through secure
.
They can control
; ;
EIS agency customers with a
connection to Level 3 and need not purchase traditional . Customers simply
connect the premise device to the IP network to handle voice and data traffic. Level 3’s
SIP Trunking solution supports agencies with traditional TDM phone equipment
requiring at the edge of the
(an is no longer needed for a handoff
as opposed to legacy ). We also provide access to optional
network-based features that allow the agency to expand the capabilities of the .
Our SIP trunking is offered to the EIS agency’s over Level 3-provided
dedicated IP connections. All voice traffic remains on Level 3’s premium IP backbone
until it needs to communicate with other , helping to improve overall
service quality and easing problem resolution. Our solution is built to enhance service
quality through infrastructure redundancy. It supports configurable call management and
routing failover capabilities, while at the same time allowing customers to leverage their
investments in legacy as they make the transition to an
Level 3 offers SIP Trunking over dedicated IP connections or
hand-offs to the customer resides, as shown
in Figure 1.3.2.3-1. Multiple access options are available, including ,
for the flexibility to meet connectivity
requirements for all sites, including branches, regional offices, headquarters, and data
centers.
Figure 1.3.2.3-1. Level 3’s SIP Trunking Functionality.
Level 3 can converge the with data traffic onto the
same access facility,
infrastructure’s available bandwidth when it is not needed for voice traffic. This ability
does not apply to native in which the circuit has to be dedicated to the
. This is supported through our extensive MPLS QoS and CoS capabilities.
Level 3 offers two deployment models to our EIS customer agencies:
1.3.2.3.1 SIP Trunking Technical Capabilities [L.29.2.1, M.2.1, C.2.2.1.6.1]
Supporting our
consolidates
. Our service
also reduces voice communication costs, and, being IP-based, improves reliability and
disaster recovery capability. Our works with a diversity of devices
and applications.
1.3.3.1.3 Connectivity [C.2.8.1.1.3]
The provided by Level 3 interfaces with, uses, and interoperates with the
underlying global Level 3 network which supports EIS services worldwide. We use the
most appropriate EIS services, such as VPNS, Ethernet, and Private Line Services, to
ensure seamless connectivity to, and optimal performance with, agency networking
environments.
1.3.3.1.4 Technical Capabilities [C.2.8.1.1.4]
In delivering , Level 3 provides all of the technical capabilities specified by
the SOW. The capabilities we provide in support of and
, as well as .
1.3.3.1.4.1 Design and Engineering Services [C.2.8.1.1.4.1]
Level 3 provides agency
requirements. The right people and a proven process form the cornerstones of Level 3’s
.
The Right People. The Level 3 Team provides subject matter experts and end-
to-end project management for design, implementation, installation, access
coordination, provisioning, equipment configuration, hardware testing, and service
activation. Level 3’s design and engineering services under the EIS contract include
subject matter experts carefully matched to agency and project needs with:
- Agency-based focus and understanding, combined with the ability to rapidly
  respond to evolving agency needs
- Work with agency requirements and make design recommendations such as
  performance levels and network capacities
- Highly professional technical backgrounds, with certifications in relevant
  systems
Proven Methodology and Processes. Level 3’s design objectives are based on
customer needs and specifications when providing , and incorporate the following
overall objectives to the extent possible: high network availability; increased network
performance; network architecture scalability; lower total cost of ownership; enterprise
control and visibility; and industry best practices.
deploy appropriate tools to measure
and provide integrated management of services provided by Level
3 and other contractors.
Maintenance. Level 3 technicians provide as
required by the RFP. Maintenance activities include
. Our
. To ensure
timely updates, agency users can subscribe to email notifications on maintenance
activities and trouble tickets. Level 3 supports two types of network maintenance
activities: Scheduled and Unscheduled:
Scheduled Maintenance. Scheduled maintenance includes any foreseen/
predictable need to make a change to the network, including upgrades and
augments. If the scheduled maintenance activity is expected to produce any
service interruption, advanced notification .
Unscheduled Maintenance. Unscheduled maintenance is defined as an
unplanned and immediate need to make changes to the network. Such an
environment demands prompt action to restore a high-risk condition or failure
status to normal operating status. The need for unscheduled maintenance is
directly related to an outage, potential outage, or degradation of service.
Agency stakeholders are notified
.
Figure 1.3.3.1.4.2-1 provides specific details pertaining to each of the
Implementation, Management and Maintenance SOW requirements elements, showing
how the Level 3 fully complies with SOW implementation, management and
maintenance requirements.