Shared Services Canada

(1)

Shared Services Canada Test Plan/Results:

Gateway Network Access Control Solution RFP

Status: Version 04 Date: 2016-08-19

(2)

Release History

Ser (a)

Date Released

(b)

Version (c)

Amendment (d)

Author (e)

1 2016-07-08 01 Initial Draft Crown

2 2016-08-16 02 Edits Crown

3 2016-08-17 03 Edits Crown

4 2016-08-19 04 Added test case Crown

(3)

The Gateway Network Access Control (GNAC) Request for Proposal (RFP) has two primary purposes: to replace the end-of-life and end-of-support (as of November 5, 2017) GNAC solution that is currently deployed on Shared Services Canada (SSC) networks at Government of Canada (GC) partners; and to structure the RFP such that it will meet both current partner requirements and any future requirements within SSC and its partners, thus providing a standard GNAC solution for the GC end state.

In order to meet both objectives, several mandatory and rated requirements have been established to evaluate bids. This test plan will be used to verify a subset of the mandatory requirements as part of the RFP process. Only the winning bid will be subjected to this test plan; if the test plan fails, the bidder will automatically be disqualified and the next eligible bid will be evaluated.

1.2. Document scope

This test document was written with the intent of validating three separate role-based groups — workstations, servers and SSC management.

1.3. Assumptions

This document assumes the following:

• A representative of the OEM will be present during the testing, and will work with the Crown’s testing resources to execute the test plan.

• The OEM representative testers have expert knowledge with all the hardware and software components of the solution.

• The OEM representative will provide the solution testing equipment suitable to be placed in the test lab. The equipment must match what is being bid.

• The Crown will provide the test lab. Crown testers will be fully familiar with this lab.

• The testing will occur at 101 Goldenrod Driveway, Ottawa, Ontario. Both OEM and Crown resources will conduct the testing onsite.

• All data used for the testing will be unclassified.

• All cabling will be 1 Gb copper Ethernet.

1.4. Test environment

An unclassified test and development center (TDC) will be used. The test environment will comprise the

following components.

(5)

1.4.1. Test environment gateway access control

a. Workstation(s): Operation Zone – provided by the Crown and to be used to launch access request. A Windows 10 workstation will be used and Symantec Endpoint Protection Agent version 12.1.6 will be installed. The signature of the SEP agent will be updated to the latest version.

b. Remote workstation(s): Public Zone – provided by the Crown and to be used to launch access request. A Windows 10 workstation will be used and Symantec Endpoint

Protection Agent version 12.1.6 will be installed. The signature of the SEP agent will be updated to the latest version.

c. Simulated unauthorized workstation: Operation Zone – Windows 10, provided by the Crown.

d. Access Control Appliance (solution): Restricted Zone – provided by OEM. Equipment will be returned to OEM on completion of the testing.

e. Bidder-provided enforcer (solution): Operation Zone – provided by OEM. Equipment will be returned to OEM on completion of the testing.

f. Windows 2008 R2: Jump box (management station) provided by the Crown.

g. Windows 2008 R2: Windows Server Update Services (WSUS) provided by the Crown.

h. F5 BIG-IP load balancer, equipped with the Advanced Firewall Manager (AFM),

Application Security Manager (ASM), Application Policy Manager (APM), and Local Traffic Manager (LTM) modules.

i. Forcepoint 4100: Internal firewall (zone interface point [ZIP]) provided by the Crown.

j. Forcepoint 4100: External firewall (ZIP) provided by the Crown.

k. Internet – Public Zone: Public sites will be accessed to perform several of the tests.

(6)

Figure 1. Test scenario with bidder provided enforcer

(7)

Figure 2. Test scenario with bidder provided enforcer and remote user

1.4.2. Test environment for switch-based access control

a. Workstation (laptop): Operation Zone – provided by the Crown and to be used to launch access request. A Windows 10 workstation will be used and Symantec Endpoint

Protection Agent version 12.1.6 will be installed. The signature of the SEP agent will be updated to the latest version.

b. Simulated unauthorized workstation (laptop): Operation Zone – Windows 10, provided by the Crown.

c. Cisco 3750 switch: Crown provided.

d. Access Control Appliance (solution): Restricted Zone – provided by OEM. Equipment will be returned to OEM on completion of the testing.

e. Window 2012 IIS server

(8)

Figure 3. Test scenario with switch-based access control

1.4.3. What is not tested

This document will not test the following infrastructure:

• Requirements not explicitly listed in section 1.2.

• Execution of known malware will not be performed in the environment.

• Known malicious sites will not be accessed in the environment.

1.5. Terminology and abbreviations

See RFP SOW.

(9)

2. Test plan

2.1. Description

The following section is intended to document the test results and verify a subset of the RFP mandatory requirements. The test cases that have been created are non-solution specific. The environment can be set up dynamically based on the execution needs of each test case. In addition, the Crown has the flexibility to update the test execution to suit the design of the OEM default architecture.

2.2. Prerequisites

The following prerequisite configurations for the components listed in Section 1.4 are to be completed prior to executing the test cases.

• External firewall will be configured as follows:

o The trusted side internal IP will be 10.10.10.1/24.

o On the trusted side, a firewall rule will be configured to allow HTTP (port TCP: 80) traffic from internal to external as a non-transparent proxy.

o On the trusted side, a firewall rule will be configured to allow HTTPS (port TCP: 443) traffic from internal to external as a non-transparent proxy.

o On the trusted side, a firewall rule will be configured to allow SSH (port TCP: 22) traffic from internal to external.

o On the trusted side, a firewall rule will be configured to all NTP (port UDP: 123) traffic from internal to external.

• F5 load balancer will be configured as follows:

o The default route of the F5 will be configured to be the external firewall internal IP (10.10.10.1).

o An F5 pool will be configured with the external firewall as the pool member (“FW_External”).

All ports permitted in the pool.

o Four F5 VIPs will be created.

a. HTTP 10.10.50.50:80

i. pool configured to use FW_External pool ii. Standard VIP

b. HTTPS 10.10.50.51:443

i. pool configured to use FW_External pool ii. Standard VIP

c. SSH 10.10.50.52:22

i. Forwarding (Layer 2)

d. NTP 10.10.50.53:123 (UDP)

(10)

o Crown will configure any required iRules, authentication profiles, etc., that have been indicated by the bidder as part of the bid to meet Use Case 1.

• Windows 10 workstations will be configured as follows:

o Internet Explorer Version 11 will be configured to use the HTTP and HTTPS VIPs as application proxies.

o Workstation will be configured as a standalone box not joined to a domain.

o User account called “UserX” will be configured.

• Internal firewall will be configured as follows:

o The firewall policy will permit traffic from the Windows 10 workstation in the operation zone (OZ) to the bidder’s access control appliance located in the restricted zone (RZ).

• Bidder provided enforcer will be configured as follows:

o In a bridge mode

o One interface will be facing the OZ; a second interface will be facing the F5.

o Management interface will be cabled into the RZ (same zone as the access control

appliance).

(11)

2.3. Test Cases

Case # Description Test Execution Desired Outcome Actual Result PASS /

FAIL

1 Solution must work by blocking network traffic using an inline gateway enforcer that is

provided by the bidder. Network access control must be protocol agnostic.

For this test, when Notepad is open host integrity (HI) fails;

when Notepad is closed HI passes.

1. Log in to workstation as “UserX”.

a. Ensure endpoint has passed host compliancy.

b. SSH to a SSH server on the Internet.

c. Fail host integrity (HI) check by opening notepad.

d. Repeat step b and confirm SSH is blocked by gateway enforcer.

2. Log in to Windows server.

a. Ensure server has passed host compliancy.

b. Manipulate time to be one hour behind.

c. Do an NTP synchronization with time.nrc.ca.

d. Fail HI by opening Notepad.

e. Repeat steps b and c, and confirm that NTP cannot be synced.

b. Open up Internet Explorer and navigate to www.cbc.ca.

c. Fail HI check by opening Notepad.

d. Repeat step b and confirm www.cbc.ca is no longer accessible.

When HI has passed, protocol agnostic traffic flows through the enforcer.

When HI has failed, traffic is blocked and logs reflect blocked events in the Central Manager.

(12)

Case # Description Test Execution Desired Outcome Actual Result

FAIL 4. Log in to workstation as “UserX”.

b. Open up Internet Explorer and navigate to https://www.bankofamerica.com/

d. Repeat step b and

https://www.bankofamerica.com is no longer accessible.

b. Open up CMD line; establish FTP session at ftp.microsoft.com.

d. Repeat step b and confirm ftp.microsoft.com is no longer accessible.

b. Open up an SSL VPN to Internet facing government VPN gate.

(13)

Case # Description Test Execution Desired Outcome Actual Result PASS / FAIL a. Ensure endpoint has passed host

compliancy.

b. Open up an IPSEC to Internet facing government VPN gate.

d. Repeat step b and confirm an IPSEC connection can no longer be

established.

2 If points claimed:

Solution must support role- based access control. At a minimum, the following roles are mandatory:

1. Administrator (ability to administer all aspects of the solution).

2. Read view (ability to view reports and status of endpoints).

1. Login to GNAC backend (Access Control Appliance Central Manager) GUI as User- Admin

2. Verify account privileges 3. Log out of User-Admin account 4. Log in as User-Guest account 5. Verify account privileges 6. Log out of User-Guest account

• User-Admin should be able to create, read, update and delete all aspects of the solution.

• User-Guest should only be able to view specific aspects of the solution.

3 If points claimed:

Solution must be able to accommodate a multi-tenancy deployment in order to respect the responsibilities and mandates of SSC and its partners, as per the use case below:

1. Workstation security staff is provided role-based access to perform all policy

1. Log in to access control appliance central manager GUI as Workstation- Admin 2. Verify account privileges of policy configuration

3. Log in to access control appliance central manager GUI as Server-Admin

4. Verify account privileges of policy configuration

5. Log in to access control appliance central manager GUI as Full-Admin

• Workstation-Admin should only be able to configure policies related to workstations.

• Server-Admin should only be able to configure policies related to servers.

• Full-Admin has no restrictions.

(14)

FAIL configurations concerning

workstations; however, they would not have the ability to change policies related to server endpoints.

2. Server security staff is provided role-based access to perform all policy

configurations concerning servers; however, they would not have the ability to change policies related to workstations.

3. Enterprise Infrastructure support team will manage the solution overall.

6. Verify account privileges of policy configuration

4 Desktop agent GUI must be available in the English

language for all texts, including all pop-ups, dialogue boxes, alerts, etc.

1. Log in to Windows 10 box as “User X”

2. Confirm language pack is set to English 3. Open bidder desktop agent

4. Navigate the GUI to verify all text is English

Verify GUI text is in English

5 Desktop agent GUI must be available in the French

language for all texts, including all pop-ups, dialogue boxes, alerts, etc.

1. Log in to Windows 10 box as “User X”

2. Confirm language pack is set to French 3. Open bidder desktop agent

4. Navigate the GUI to verify all text is French

Verify GUI text is in French

(15)

Case # Description Test Execution Desired Outcome Actual Result PASS / FAIL three days

1.2. Stormshield is operational 1.3. Specific Window 10 patch 1.4. Registry value:

HKEY_LOCAL_MACHINE\SOFTWAR E\GNAC\ Compliant="yes"

1.5. USB storage is not connected 1.6. Blackberry mobile phone is not

connected by USB

1.7. Login user is not part of the admin OU within AD

1.8. Wireless card is not active

1.9. Application Wireshark is not installed 2. Log in to workstation as “User X”.

3. Ensure workstation is compliant to policies 1.1 to 1.9.

4. Navigate to www.cbc.ca and confirm the page is reachable.

5. Log into the access control appliance and validate that the host is reported as compliant.

6. Log into the enforcer and validate that the traffic has been permitted.

7. Roll back SEP AV definitions to five days.

8. Login to workstation and validate that www.cbc.ca is no longer reachable.

9. Log into the enforcer and validate the traffic is blocked.

compliancy states are enforced.

(16)

FAIL 10. Log into the access control appliance and

verify that the host is reported as non- compliant.

11. Login to workstation and verify the user receives notification that they are no longer compliant and the reason for non-

compliancy.

12. Revert changes to restore compliancy.

13. Stop Stormshield service 14. Repeat steps 8 to 12 15. Uninstall Windows 10 patch 16. Repeat steps 8 to 12 17. Change registry value to:

HKEY_LOCAL_MACHINE\SOFTWARE\GN AC\ Compliant="no"

18. Repeat steps 8 to 12 19. Insert a USB thumbdrive 20. Repeat steps 8 to 12

21. Connect a Blackberry mobile device through USB

22. Repeat steps 8 to 12

23. Log into workstation as domain admin 24. Repeat steps 8 to 12

25. Enable wireless interface

(17)

Case # Description Test Execution Desired Outcome Actual Result PASS / FAIL

7 Agent must be able to inspect out-of-the-box endpoint compliancy on a server.

1. Log in to the access control appliance and configure the following policy:

1.1. SEP AV definitions are up to date within three days

1.2. Registry value:

HKEY_LOCAL_MACHINE\SOFTWAR E\GNAC\ Compliant="yes"

2. Ensure server is compliant to policies 1.1 to 1.2.

3. Launch a WSUS update and confirm connectivity to Microsoft update systems.

4. Log into the access control appliance and validate that the host is reported as compliant.

5. Log into the enforcer and validate that the traffic has been permitted.

6. Roll back SEP AV definitions to five days.

7. Login to server and launch a WSUS update.

Validate that WSUS update is no longer reachable.

8. Log into the enforcer and validate the traffic is blocked.

9. Log into the access control appliance and verify that the host is reported as non- compliant.

10. Login to server and verify the user receives notification that they are no longer compliant and the reason for non-compliancy.

Verify the new updated policies will apply to the endpoint and that compliancy and non- compliancy states are enforced.

(18)

FAIL 11. Revert changes to restore compliancy.

12. Change registry value to:

HKEY_LOCAL_MACHINE\SOFTWARE\GN AC\ Compliant="no"

13. Repeat steps 8 to 12

9 Verify bidder-provided enforcer is compatible with being in-line on the un-encrypted private side of VPN connection. In this test case, hosts that fail host compliancy are blocked except to the IP of the WSUS server.

1. Establish a VPN connection from a remote workstation to the external firewall.

2. Establish remote desktop session to the Windows 10 workstation in the operation zone.

3. Establish remote desktop session to the WSUS server.

4. Change registry value on the Remote workstation to:

HKEY_LOCAL_MACHINE\SOFTWARE\

GNAC\ Compliant="no"

5. Log in to the access control appliance and confirm the remote workstation has failed host compliancy.

6. Login to the remote workstation and confirm traffic is blocked to the Windows 10 workstation by the enforcer by attempting a remote desktop session 7. Confirm remediation traffic is not

blocked to the WSUS server.

When compliant, all network traffic from the remote workstation to the testing lab is allowed.

When not compliant, only access to the WSUS server is allowed.

Shared Services Canada