Perimeter Security Upgrade for LUKS: Web Proxy and Firewall Replacement

LUKS is looking for a reliable and competent service provider for each of the two lots who can best meet the requirements and set up the respective part of the perimeter security for LUKS, migrate the functions of the respective existing solution to the respective new solution, and finally put the new solution into operation and decommission and recycle or dispose of the existing one.

In lot 1, the web proxy and perimeter firewall are to be replaced by a geo-redundant on-premise perimeter firewall with proxy functions, which will be able to take over VPN termination at a later date. It is particularly important to note that the configuration of the web proxy has grown organically over many years and has been tailored to the specific features of the existing web proxy solution.

Migrating this configuration and standardising it with that of the existing perimeter firewall is a comprehensive analysis and configuration project, for which the bidders for Lot 1 must have extensive knowledge and devote significant resources. Accordingly, Lot 1 contains a number of highly weighted requirements that test the bidders' understanding of the situation and their capabilities.

Optionally, Lot 1 also requires a new, additional internal DMZ firewall from the same manufacturer as the perimeter firewall, which can be administered in the same management GUI, including the development of a simple configuration with a maximum of 50 ACLs. This firewall is used exclusively for access lists of layers 3 to 4 and serves as a separation between the DMZ and the internal infrastructure.

In Lot 2, on the other hand, ‘only’ the existing WAF, a BIG-IP from f5, is to be replaced with the successor product f5 BIG-IP r5600 ‘Best Bundle’. The existing configuration and the existing modules of the existing BIG-IP in use are to be transferred 1:1 to the successor product, with the aim of replacing the existing BIG-IP as seamlessly and quietly as possible.

Accordingly, Lot 2 contains only a few requirements in addition to the highly weighted price criterion. In addition, LUKS already has a highly qualified provider for the necessary operational services, which is why these are only being tendered as an option in Lot 2.

As the total volume of these operational services is well below the thresholds for public tenders, LUKS reserves the right to exercise the option and commission the successful bidder with the operational services, or not to exercise the option and continue to procure the operational services from the existing service provider through private treaty.

LUKS aims to manage the solutions procured in both lots independently, i.e. internally within LUKS. Nevertheless, LUKS requires expert know-how from the successful bidders in both lots. To enable LUKS's IT department to obtain further expert know-how from the service providers at a later date if required, the bidders shall also submit roles at predefined rates in their bids, which they can make available to LUKS.

In addition to this expert know-how, the bidders for lot 1 of this tender also show LUKS what training and, if necessary, certification options they can offer LUKS for this solution, so that LUKS's IT department can operate the solution largely independently after commissioning; this know-how is already available at LUKS for BIG-IP.

To enable LUKS and its partner companies to operate the solutions offered for at least the next five years, the bidders shall submit all necessary additional contracts for licences, maintenance, etc. with their bids and include all related costs in their bids.