Open, closing in 7 days
BGS Web Application Firewall (WAF)
Description
The purpose of this survey is to test the market, to see what the market can offer and whether suppliers are able to deliver what is required.
If UKRI decides to go to market, then, in alignment with the Procurement Act 2023, information gathered as part of this pre-market engagement activity shall be shared and made available to all potential suppliers to maintain a fair and transparent process, preventing any supplier from gaining an unfair advantage and avoiding any distortion of competition. If any information you enter is commercially sensitive and you do not wish it to be shared with other suppliers, please indicate this within the specific response(s) in the questionnaire, including your reason for it not to form part of the information shared with other potential suppliers.
This pre-market engagement notice is to help us understand the market.
UK Research and Innovation (UKRI) has an existing web application firewall in Keyworth and Edinburgh which is due to reach end of life in December 2026 and needs to be replaced to maintain a secure operating environment and Cyber Essentials Plus certification, which critically underpins BGS commercial activities.
The primary objective for deploying the new solution is to enhance application security, ensure high availability, and optimise traffic management across the BGS operating environments in Keyworth and Edinburgh.
Functional and Non-functional Requirements
The load balancer solution must meet the following functional and non-functional requirements to ensure robust performance, security, and scalability.
Functional Requirements
· SSL Offloading: Terminate SSL connections at the load balancer to reduce backend server load.
· Traffic Inspection: Deep packet inspection to detect and block malicious traffic.
· Application Layer Protection: Defend against OWASP Top 10 vulnerabilities including XSS, SQL injection, and CSRF.
· Load Balancing Algorithms: Support for round-robin, least connections, and IP hash methods.
· Session Persistence: Maintain user sessions across multiple requests.
· Health Monitoring: Continuous checks on backend server health to ensure availability.
· Content Switching: Route traffic based on URL, headers, or other application-level data.
Non-Functional Requirements
· High Availability: Redundant architecture with failover capabilities (achieved by dual systems in Keyworth and Edinburgh).
· Scalability: Ability to handle increasing traffic loads without performance degradation.
· Performance: Low latency and high throughput under peak conditions.
· Security Compliance: Adherence to standards such as PCI DSS, ISO 27001, and GDPR.
· Manageability: Centralised management interface with role-based access control.
· Logging & Auditing: Comprehensive logging for security events and administrative actions.
· Interoperability: Compatibility with existing infrastructure and third-party tools.
Security and Compliance
The solution must align with industry-standard security and compliance frameworks to ensure data protection, regulatory adherence, and risk mitigation. Key considerations include:
· Regulatory Standards: Support for compliance with PCI DSS, HIPAA, ISO 27001, GDPR, and other relevant regulations.
· Data Protection: Encryption of data in transit and at rest, secure key management, and tokenisation where applicable.
· Access Control: Role-based access control (RBAC), multi-factor authentication (MFA), and integration with identity providers.
· Audit & Logging: Detailed logging of security events, configuration changes, and user activities to support forensic analysis and compliance reporting.
· Vulnerability Management: Regular updates, patching, and integration with threat intelligence feeds to address emerging vulnerabilities.
· Security Testing: Support for penetration testing, automated vulnerability scanning, and security validation during deployment cycles.
These measures ensure that the solution not only meets technical requirements but also aligns with organisational governance and risk management policies.
Integration and Monitoring
Successful deployment of the solution requires seamless integration with existing infrastructure and robust monitoring capabilities. Key integration and monitoring requirements include:
· Infrastructure Integration: Compatibility with existing network architecture, DNS, firewalls, and application servers.
· Identity & Access Management: Integration with LDAP, Active Directory, and SSO solutions for centralised authentication and authorisation.
· SIEM & Logging Platforms: Support for integration with Security Information and Event Management (SIEM) tools, e.g. Microsoft Sentinel.
· Monitoring & Alerting: Real-time monitoring of traffic patterns, performance metrics, and security events with customisable alerting mechanisms.
· API & Automation: RESTful API support for configuration management, automation, and orchestration with tools like Ansible, Terraform, and CI/CD pipelines.
· Reporting & Dashboards: Centralised dashboards for visualising system health, performance, and security posture.
These capabilities ensure operational visibility, proactive threat detection, and streamlined management across diverse environments.
Support and Maintenance
To ensure long-term reliability and performance of the solution, the following support and maintenance practices are required:
· Support: Access to technical support services, including 10/5 assistance, knowledge base, and escalation procedures.
· Software Updates: Regular updates and patches to address security vulnerabilities, improve functionality, and maintain compliance.
· Hardware Maintenance: Scheduled inspections, component replacements, and lifecycle management for physical appliances.
These practices help maintain system integrity, reduce downtime, and ensure that the solution continues to meet evolving business and security requirements.
Support:
5 year support - Level 1-3 Standard Service (10 hours x 5 days: 8am to 6pm Monday to Friday).
Providing - vendor software support, security patches and telephone support for the traffic management operating system (TMOS).
Hardware Maintenance:
5 year support - Next-Business-Day Hardware Replacement Service (RMA) (10 hours x 5 days: 8am to 6pm Monday to Friday). Next business day is acceptable given the high availability configuration.
Providing - replacement for defective hardware.
Implementation Support:
Onsite engineer support at Keyworth and Edinburgh for implementation.
Desired solution-specific functionality includes:
WAF - ASM policies
APM - VPN
DNS - Global web site Load Balance (DNS)
LTM - Load Balancing of local traffic
VPN
To operate as an SSL VPN gateway and terminal server gateway.
Support Active Directory, SAML and custom IdP configurations.
Client/user attribute-based rules.
Host checking, including certificate, patching and antivirus (AV) checks.
WAF
Advanced WAF (Web Application Firewall)
Be able to inspect API traffic and block malicious requests.
Supports JSON and XML payload inspection, which is essential for API protection.
Defends against common API threats like SQL injection, XSS, and API abuse.
Support importing OpenAPI specifications to create an API security defence policy.
Bot Protection
Detects and mitigates automated attacks on APIs (e.g., credential stuffing, scraping).
Uses behavioural analysis and machine learning to distinguish between legitimate users and bots.
Rate Limiting & Throttling
Prevents abuse by limiting the number of requests per user/IP/token.
Helps mitigate DDoS attacks targeting APIs.
Authentication & Access Control
Integrates with OAuth2, JWT, and other token-based authentication mechanisms.
Ensures only authorised users can access specific API endpoints.
API Discovery & Visibility
DNS
Needs to be able to query databases including Oracle to determine their high availability status.
Provide cross-site load balancing at the DNS level.
LTM
Be able to programmatically interact with traffic flow and security inspections using a TCL-like scripting language.
Be able to offload scanning of uploaded files to antivirus using ICAP or CAVA.
Specification:
The system specifications for the solution include:
Hardware Specifications
· Processor:
o 6 vCPUs
o 18 vCPUs available for tenant workloads
· Memory:
o 128 GB DDR4 RAM
· Storage:
o 1 × 1TB M.2 SSD
· Form Factor:
o 1U rack-mountable chassis
o Dimensions: 1.72" (H) × 17.1" (W) × 30.6" (D)
o Weight: 36 lbs (16.33 kg)
Networking & Connectivity
· Management Ports:
o 1 × 1000BASE-T (RJ-45)
o 1 × USB 3.0
o 1 × Serial Console
· Data Ports:
o 2 × 100G/40G QSFP+/QSFP28
o 8 × 25G/10G SFP+/SFP28
Performance Metrics
· Layer 7 (L7) Requests per Second: 3.3 million
· Layer 4 (L4) Connections per Second: 1.4 million
· L4 HTTP Requests per Second: 18 million
· Max L4 Concurrent Connections: 85 million
· Throughput:
o L4: 95 Gbps
o L7: 85 Gbps
CPV Codes
48000000 - Software package and information systems
72000000 - IT services: consulting, software development, Internet and support
30211300 - Computer platforms
Tender Lot Details
2 Tender Lots