TENDER ACTIVE COMPONENTS TENDER DOCUMENT at ITI Data Center TENDER NO: ITI DEPARTMENT

Transcription

1 Document No.: Issue Date: Revision: v1.7 Revision Date: TENDER ACTIVE COMPONENTS TENDER DOCUMENT at ITI Data Center TENDER NO: ITI DEPARTMENT A G M ( G S M, N G N & I T ) C M R ( D C )

2 Sl.No. Network Equi ment Type Equipment Description Total Qty. Unit Rate 1. DDoS with IPS 2 Internet Routers 3 MPLS Routers 4 Internet Switches 5 MPLS Switches 6 Perimeter Firewall -19" Rack mountable DDoS with IPS -Throughput 2 Gbps and scalable up to 8 Gbps -4*10Gbps Pluggable Optics Multimode SR -8*1 Gbps SFP SR modules -Power cords should be either C13-14 & C19-20 as per the Datacenter standards -5 Years NBD support -19" Rack mountable Router Chassis -Min 6*1G SFP or more, fully populated with SR Optics -2*10G interface populated with 2*10G SR modules --Power cords should be either C13-14 & C19-20 as per the Datacenter standards -5 Years NBD support -19" Rack mountable multi services Router Chassis -8 x 1G SFP/Copper combo ports populated with SR Optics -Power cords should be either C13-14 & C19-20 as per the Datacenter standards and RPS -5 Years NBD support -19" Manageable and stackable switch -48 port 1G/10G SFP+ ports -12 no s of 10G MMF optics -12 no s of 1G MMF optics -12 no s of 1G BaseT -VSS or Equivalent Support -Provided with Indian Power cord and RPS -5 Years NBD support -19" Manageable and stackable switch -24 port 1G BaseT with min 2 *10G populated SR Optics -VSS or Equivalent Support -Stacking Cable and Modules - Power cords should be either C13-14 & C19-20 as per the Datacenter standards -5 Years NBD support -4x10G SFP+ and 4 x 40G QSFP+ interfaces fully populated ports from day one. -Should have at least Log Storage Space of 480 GB - Minimum firewall real world production throughput of 80 Gbps and upgradable A G M ( G S M, N G N & I T ) C M R ( D C )

3 7 MPLS Firewall 8 Load Balancer 9 Data Center Core -Minimum Intrusion prevention system real world production throughput of 20 Gbps -Next Gen. FW production throughput must be more than 9 Gbps - Threat real world production throughput must be more than 7 Gbps and upgradable -Appliance must support at least 30 million concurrent Connection and upgradable -Appliance must support more than 750,000 new connections per second processing and upgradable -Must support at least 30 Gbps of IPSEC VPN throughput and SSL VPN Users from Day one -Firewall Should support virtual firewall instances from Day One -Each Chassis proposed must have hot swappable dual power supplies -Power cords should be either C13-14 & C19-20 as per the Datacenter standards -5 Years NBD support -19" Rack mountable -12 x GE RJ45, 2 x 10 GE SFP+ Interfaces, -8 no s of 10G MMF optics -The firewall should support a minimum of 3 Gbps of IPS throughput with Enterprise mix traffic -Should support 9-15 Million Concurrent sessions -Should Support all the necessary licenses from day 1 - Power cords should be either C13-14 & C19-20 as per the Datacenter standards -5 Years NBD support -should have support for minimum 2 X 40G QSFP -should have minimum 16 X 10G SFP+ interfaces 8 populated with 10G Module -should have minimum 4 X 1G Copper -should have minimum 128 GB from day -Should support 25 Gbps L7 throughput and should be scalable to 50 Gbps - Power cords should be either C13-14 & C19-20 as per the Datacenter standards --5 Years NBD support -19" Rack mountable High-Performance Fabric switch -Provided with redundant CPU, Redundant Fabric -320nos of native 40G QSFP+ ports -12nos of native 100G QSFP28 ports -60nos of native 10G SFP+ ports -2x 20mtr 100G Twinix/DAC Cable -10nos of 100G SMF LR4 optics with 2 core LC connector -320nos of 40G MMF Bi-Di optics with 2 core LC connector -30nos of 10G MMF SR optics with 2 core LC connector -Provided with Indian Power cord and RPS A G M ( G S M, N G N & I T ) C M R ( D C )

4 10 Spine Switch-Type 1 11 Leaf Switch-Type1 12 Spine Switch-Type 2 13 Leaf Switch-Type2 14 Work Area -5 Years NBD support -19" Rack mountable Leaf switch + Fabric controller +Border Leaf -To be part of spine-leaf DC fabric for the POD-Type- 1-24nos of 40G QSFP+ ports for leaf and uplink connectivity -10nos of 10G SFP+ ports for Server connectivity -4nos of 40G MMF Bi-Di optics with 2 core LC connector -10nos of 10G MMF SFP+ optics -Integrated or additional fabric controller per PoD -Software/licenses required for Redundant fabric controller -All hardware to be provide with redundant power supply -Provided with Indian Power cord and RPS -5 Years NBD support -19" Leaf switch with L2 and L3 switching capability -To be part of spine-leaf DC fabric for the POD-Type x 100Mb/1G/10G BaseT for server connectivity -6 x 40G QSFP+ ports -2x 30mtr 40G Twinix/DAC Cable, -Provided with Indian Power cord and RPS -5 Years NBD support -19" Rack mountable Leaf switch + Fabric controller +Border Leaf -To be part of spine-leaf DC fabric for the POD-Type- 2-24nos of 100G QSFP28 ports for leaf connectivity -8nos of 100G QSFP28 ports for uplink connectivity -2x 30mtr 100G Twinix/DAC Cable -2 no s of 100G SMF Bi-Di optics with 2 core LC connector -integrated or additional fabric controller per PoD -software/licenses required for Redundant fabric controller -All hardware to be provide with redundant power supply -5 Years NBD support -19" Leaf switch with L2 and L3 switching capability -To be part of spine-leaf DC fabric for the POD-Type x 1/10G SFP+ for server connectivity -4 x 100G QSFP+ ports -2x 30mtr 100G Twinix/DAC Cable -48x 10mtr 10G Twinix/DAC cable for servers -Provided with Indian Power cord and RPS -5 Years NBD support -19" Manageable and stackable switch -48 port 1G/10G SFP+ ports A G M ( G S M, N G N & I T ) C M R ( D C )

5 Aggregation Switch (Non IT Core) Access Switch- Type 1 (non IT) Access Switch- Type 2 (non IT) Access Switch - Type 1(with PoE+)(non IT) Access Switch - Type 2 (with PoE+)(non IT) Internal Firewall- NON-IT ZONE Central Network Management Software Support, Subscription & Warranty Installation & Commissioning -40 no s of 10G MMF optics -8 no s of 1G BaseT ports -Provided with Indian Power cord and RPS -5 Years NBD support -19" Manageable and stackable switch -48 x 10/100/1000BaseT ports -4 x 1/10G SFP+ -2nos of 10G MMF optics -Provided with Indian Power cord -5 Years NBD support -19" Manageable and stackable switch -24 x 10/100/1000BaseT ports -4 x 1/10G SFP+ -2nos of 10G MMF optics -Provided with Indian Power cord -5 Years NBD support -19" Manageable and stackable switch -48 x 10/100/1000BaseT ports PoE+ -4 x 1/10G SFP+ -2nos of 10G MMF optics -Provided with Indian Power cord -5 Years NBD support -19" Manageable and stackable switch -24 x 10/100/1000BaseT ports PoE+ -4 x 1/10G SFP+ -2nos of 10G MMF optics -Provided with Indian Power cord -5 Years NBD support -19" Manageable and stackable switch -5 x1g SFP, 5 x1ge RJ45 & 8x 10G SFP+ port -8 x10g SR optics -Provided with Indian Power cord and RPS -5 Years -Should be provided with NMS software supported on VM for Monitoring and managing all the provided router, switches and firewalls. -Supports Fault, Configuration, Accounting, performance, Security (FCAPS) network management framework -Provides total management of network elements performance management -Support& Subscription & Product Warranty of all the above items for 5 years with premium SLA. -Installation & Commissioning as per requirement at DC A G M ( G S M, N G N & I T ) C M R ( D C )

6 Technical Specification 1. Required Specifications for DDOS +IPS Sl.No. Specifications 1 Hardware Architecture 2 The Proposed DDoS solution should be a dedicated hardware appliance and not a licensed feature on Firewall or Load Balancer Appliance and also the DDOS mitigation devices shall be completely stateless 3 Solution should have least 8 x 1GE interfaces, 4 X 1G SFP (Modular Copper or Fiber) interfaces and 4 X 10G SFP+ populated with 10G Multimode SR 4 System should have scalable inspection throughput of 2 Gbps and scalable to 8 Gbps without additional hardware. 5 Should support latency less than <60 microseconds and should be clearly documents in the data sheet 6 System should have High performance ASIC-based DoS-mitigation engine ensures that attack mitigation does not affect normal traffic processing and Maximum DDoS Flood Attack Prevention Rate up to 10 Million PPS 7 SSL attack prevention Module/appliance System should Mitigate encrypted attacks and should have 5000 SSL CPS with 2048 bit Key and scalable up to SSL without any hardware changes with minimum SSL Throughput of 1 Gbps 8 The device should support high availability. 9 System should Support Hardware Bypass Mechanism for Proposed Solution 10 The device should have dual power supply. 11 Should have USB ports for storage of OS and configuration files. 12 Performance 13 System should have scalable inspection throughput of 2 Gbps and scalable to 8 Gbps without additional hardware. 14 Generic Features A G M ( G S M, N G N & I T ) C M R ( D C )

7 15 System should support, In-Line, SPAN Port, Out-of-Path deployments modes from day 1 16 The system should support symmetric & asymmetric traffic flow for HTTP and HTTPS and Syn Flood protection. 17 Solution should be transparent to control protocol like MPLS and Q tagged VLAN environment. Also it should transparent to L2TP, GRE, IPinIP traffic. 18 The system should be transparent to logical link bundle protocols like LACP 19 Solution Should detect IPv6 Attacks and mitigate IPv6 Attacks 20 The DDoS detection capability of the solution must not be impacted by asymmetric traffic routing. 21 Should detect and Mitigate attacks at Layer 3 to Layer 7 and support standard network MTU. 22 The system must allow protection parameters to be changed while a protection is running. Such change must not cause traffic interruption 23 Security / DDoS Feature 24 System should Protect from multiple attack vectors on different layers at the same time with combination of Network, Application, and Server side attacks 25 Solution should provide protection for volumetric/protocol and Application layer based DDoS attacks 26 Inspection and prevention is to be done in hardware 27 The system must have an updated threat feed that describes new malicious traffic (botnets, phishing, etc...). 28 The system should be capable to mitigate and detect both inbound and outbound traffic. 29 Solution should provide real time Detection and protection from unknown Network DDOS attacks. 30 System should have mitigation mechanism to protecting against zero-day DoS and DDoS attacks without manual intervention. 31 System supports horizontal and vertical port scanning behavioural protection 32 System supports behavioural-based application-layer HTTP DDoS protection 33 System supports DNS application behavioural analysis DDoS protection 34 System must be able to detect and block SYN Flood attacks and should support different mechanism 35 SYN Protection - Transparent Proxy/out of sequence 36 SYN Protection - Safe Reset 37 System must be able to detect and block HTTP GET Flood and should support mechanisms to avoid False A G M ( G S M, N G N & I T ) C M R ( D C )

8 Positives 38 Should support following HTTP flood Mechanism : 39 High Connection Rate 40 High rate GET to page 41 High rate POST to page 42 System should detect and Mitigate different categories of Network Attacks: 43 High rate SYN request overall 44 High rate ACK 45 High rate SYN-ACK 46 Push Ack Flood 47 Ping Flood 48 Response/Reply/Unreachable Flood 49 System should provide zero-day attack protection based on learning baseline / behavioural analysis of normal traffic, zero-day attacks are identified by deviation from normal behaviour. 50 System provides behavioural-dos protection using real-time signatures 51 System should Protect from Brute Force and dictionary attacks. 52 System must be able to detect and block Zombie Floods 53 System must be able to detect and block ICMP, DNS Floods 54 Should support IP defragmentation, TCP stream reassembly. 55 The system must be able to block invalid packets including checks for : Malformed IP Header, Incomplete Fragment, Bad IP Checksum, Duplicate Fragment, Fragment Too Long, Short Packet, Short TCP Packet, Short UDP Packet, Short ICMP Packet, Bad TCP / UDP Checksum, Invalid TCP Flags, Invalid ACK Number) and provide statistics for the packets dropped 56 Should detect and Mitigate from Low/Slow scanning attacks 57 should detect and mitigate from Proxy & volumetric Scanning 58 System Should support dedicated DNS protection from DDoS 59 System should support suspension of traffic/ blacklisting from offending source based on a signature/attack detection A G M ( G S M, N G N & I T ) C M R ( D C )

9 60 System should support user customizable and definable filter 61 system should support malware prorogation attacks 62 System should support anti-evasion mechanisms 63 System should support Intrusion Prevention from Known Attacks either on the appliance or through external appliance 64 System should have capability to allow custom signature creation 65 System protects from DDoS attacks behind a CDN by surgically blocking the real source IP address 66 To mitigate Dynamic IP attack the Solution should use multiple TCP/IP parameters like source IP,TTL value, Packet ID, destination IP, destination port etc. to mitigate attacks by real time signature instead of rate limiting or Src IP blocking. 67 DDOS Mitigation system should accurately follow attack vector changes without Pcap Analysis Required or manual scripts 68 DDOS solution should support mitigation of Valve Source Engine Specific Flood as part of Mirai Botnet 69 Protection against Encrypted Attacks 70 System should have out-of-path / on device SSL inspection from same vendor as of DDoS solution 71 Proposed Solution should Protect against SSL & TLS-encrypted Attacks with an separate SSL Decryption module on device / out of Path 72 Proposed solution should Protect against SSL & TLS-encrypted information leaks with an separate SSL Decryption module on device / out of Path 73 Proposed Solution should provide protection for known attack tools that attack vulnerabilities in the SSL layer itself with an separate SSL Decryption module on device / out of Path 74 Proposed Solution should detect SSL encrypted attacks at Key size 1K & 2K without any hardware changes. 75 System should support Outbound SSL Inspection for inspecting the outgoing encrypted traffic and should have capability to integrate with minimum 3 security inspection solutions 76 High detection and mitigation accuracy 77 System should have capability to integrate with SIEM solution 78 Should have ready API for SDN environment integration/ Anti-DDoS system for attack mitigation in custom portal 79 System should support SDN controller/anti-ddos system with a vision and strategy to support future SDN enabled network A G M ( G S M, N G N & I T ) C M R ( D C )

10 80 Monitoring & Management 81 The system must support configuration via standard up to date web browsers. System user interface must be based on HTML 82 System must support CLI access over RS-232 serial console port, SSH. 83 Trivial File Transfer Protocol (TFTP), Network Timing Protocol (NTP) 84 The system must have a dedicated management port for Out-of-Band management 85 Management interfaces must be separated from traffic interfaces. System management must not be possible on traffic interfaces, management interfaces must not switch traffic 86 System must have supporting of tools for central monitoring 87 System must have concept of users / groups / roles 88 Management certificate must be possible to change 89 Proposed solution should have centralized management system and helps to manage, monitor, and maintain all DDoS Appliances from a centralized location. 90 Role/User Based Access Control 91 The system must support the generation of PDF and reports 92 Integration with RADIUS and TACACS+ 93 Warranty 94 Should be provided with hardware replacement warranty and ongoing software upgrades for all major and minor releases for a period of 5 year. 95 OEM Services 96 Direct OEM Implementation and Managed Service for 2 Years Period 97 Quoted OEM should have India TAC for local support 98 OEM Should provide training and knowledge transfer to Department / Team 99 Certification / References 100 Device should be Common criteria certified at least EAL 3 or above 101 Quoted OEM product should be deployed in India at least with 5 PSU / Govt customer reference in India and should provide evidence of the same 102 OEM should be present as the dedicated DDoS solution in the market for last 3 years A G M ( G S M, N G N & I T ) C M R ( D C )

11 103 The Solution should be deployed and used by at least 2 Tier-1 service providers for DDoS mitigation in India 104 OEM should be present in Leaders Category of either Gartner / Forrester / IDC reports for DDoS 2. Required Specification for Internet Routers Sl.No. Specifications Chassis should have a minimum 6 x 1G SFP or more ports support and populated with LX/LH SFP transceivers from day 1. It should also support 10G interface on the same chassis from day 1without additional hardware. And should come with 2 1GBPS LR modules and 10G SR modules populated from day 1 The router should have processor bandwidth scalable up to 20 Gbps and should have 2.5 Gbps from day 1 all the necessary licenses should be provided All modules, fan trays & Power supplies should be hot swappable and must support online insertion and removal. Should have redundant power supplies from day 1. The router shall be capable of Storing 2 images for backup purposes for roll back to a stable image in case of any issues during updating, bringing redundancy with 8 GB RAM support and expandable upto 16 GB Network Protocol: Should support RIPv2, OSPF, IS-IS and BGP4 routing protocols, with support for all the features like OSPF on demand etc. & IP multicast routing protocols: PIM Version 2 (Sparse Mode & Dense Mode), IGMP v1, v2,v3 6 Should have support for protocols like Multiprotocol Label Switching (MPLS) & Virtual Route Forwarding (VRF) High Availability: Shall support dual Images for redundancy. Should have modular software images, so that each software process runs independent of the other thus allowing for higher stability. Should also support online upgrade of patches for specific processes or ISSU without affecting traffic forwarding operations on the router Router Security: The chassis shall optionally support MD5 authentication for routing protocols. The chassis shall function as a full fledge firewall & VPN concentrator upon activation of licenses. The router should optionally support IPsec encryption for data confidentiality. The router should optionally support 3DES and AES encryption standards with the activation of Security license. Quality of Service: The router should be able to support IP precedence and able to configure six classes of service. Should be able to do accounting based on IP precedence. 11 Management Features: The router should support in-band and out of band management. 12 The router should be able to support multiple Operating System images for smoother up gradation A G M ( G S M, N G N & I T ) C M R ( D C )

12 13 The Services Processor / modules should additionally support the following functions in hardware & should be enabled using appropriate software license s only if required, without the need for additional hardware 14 Firewalls & intrusion prevention with flexible pattern matching for deep-packet inspection. 15 Network Based Application Recognition or Exact Equivalent feature 16 Should support the following LAN interfaces: Fast Ethernet and Gigabit Ethernet, 10Gigabit Ethernet with ports in compliance with standards. 17 Shall be capable of supporting 802.1q VLANs and VLAN Trunking. 3. Required Specification for MPLS Routers Sl.No. Specifications 1 Router may have modular chassis or fixed platform with minimum 3 I/O Modules. 2 Should be provided with internal redundant power supply. Single unit should be able to handle the load of full equipment 3 Router must have separate control and data plane. 4 Router should have minimum 4 GB of DRAM/RAM expandable upto 16 GB and 8 GB Flash expandable upto 32 GB 5 Router Should have hardware assisted VPN acceleration 6 Minimum support of 8 on board Ethernet WAN ports 100/1000 Mbps with a flexibility of terminating Fiber if required, Day 1 Port Requirement. 7 Should support Static Routing, Default Routing, RIPv2, OSPFv2, BGP 8 Should support BGP4 routing protocol with CIDR and should have all necessary licenses to enable full features of BGP protocol 9 Should support Static Routing, Default Routing, RIP for IPv6, OSPFv3, BGP for IPv6 10 Should have all necessary licenses for to enable full features of BGP protocol for IPv6 11 Router should have full support for dual stack IPv6 on all interfaces and Ipv6 over Ipv4 tunneling 12 Router should support NAT All software licenses should be included from day 1 14 The router should have at the minimum MPLS features like Layer 2 VPN, Traffic engineering with RSVP-TE, Fast Reroute and Virtual Route Forwarding (VRF) and Layer-3 MPLS-VPN A G M ( G S M, N G N & I T ) C M R ( D C )

13 15 Should have PIM-SM, PIM-DM, PIM-Sparse-Dense mode, Bidirectional PIM, PIM- SSM for IPv4 16 The router should have full support for dual stack IPv6 on all interfaces and IPv6 over IPv4 tunneling. 17 Should have at least 500 Mbps of Throughput with all the slots operating at non- blocking mode The router should support Access Control List to filter traffic based on Source & Destination IP Subnet, Source & Destination Port, VLAN, Protocol Type (IP, UDP, TCP, ICMP etc) and Port Range etc. The Router shall support QoS for Traffic Management,class based policing, shaping, CBWFQ,WRED and 802.1p, HQOS (All Ethernet ports) 20 The router shall support Control Plane Policing to protect the router CPU from attacks. 21 Router must have Stateful and VRF aware Firewall and support IPS features natively. The State full firewall supports IPSEC pass through 22 Router should provide below mentioned functionality either internally or externally. 23 The router shall provide MD5 hash authentication mechanism for RIPv2, OSPF, IS- IS, BGP and MPLS routing protocols. 24 The router shall support AAA features through Active Directory and/or RADIUS or TACACS The router shall have Network Address Translation (NAT) and CGNAT. Router should be able to use NAT feature on all the interfaces. All software licenses should be included from day 1 Router shall be able to discover network traffic with application-level insight with deep packet visibility and analyze and report on application usage per user basis. It shall be provide monitoring capabilities on an ongoing basis with or without help of NMS tool. 27 The router shall facilitate all applications like voice, video and data to run over a converged IP infrastructure. 28 The router should have crtp for VoIP on day 1 29 The proposed router shall be NDPP/EAL or greater certified (document proof shall be submitted with the bid) 30 The Router shall be manufactured in accordance with quality standard (ISO 9001:2000 or higher) 31 Preferably Router shall conform to UL or IEC or CSA or EN Standards for Safety requirements of Information Technology Equipment. 32 Router should be scalable to 2500 IPSec tunnels and at least 2,000,000 IPv6 routes (BGP) 33 Routers should support MD5, SHA1, SHA2 or SHA3 hash functions from Day Preferably the Router should be NDPP or EAL3 certified at the time of Bidding 35 The Router should be 19" Rack mountable & should be supplied with Indian standard AC (5Amp) power cord. 36 All necessary SFP's, interfaces, connectors, patch cords (if any) & licenses must be delivered along with the A G M ( G S M, N G N & I T ) C M R ( D C )

14 Router from day one. 37 Preferably IPv6 phase 2 certified by IPv6 ready forum or any equivalent certified 4. Required Specification for Internet Switches Sl.No. Specifications 1 Should have minimum 24 SFP+ Ports from day 1, support required modules need to be populated from day 1 as per requirement 2 Switch should support stacking with dedicated stacking ports and 480 Gbps of stacking bandwidth 3 Switch shall have minimum 450 Mpps of forwarding rate and Switching capacity of 640 Gbps 4 Must support Stack Power with stacking upto 9 Switches together The proposed interfaces must have n-blocking and wire-speed performance for all packet sizes for IPv4 & IPv6 traffic. Switch should have 1:1 redundant internal power supply. Power supply modules, fan modules and transceivers modules should be hot swappable. Switch should have IPv4 & IPv6 static routes and advanced Layer 3 features of OSPF, BGP, PIM, IPv6 routing such as OSPFv3. Support advanced security and MQC-based QoS. 8 Switch should have IPv4 & IPv6 static routes, OSPF, OSPFv3, PBR and PIM-SM / DM Should support IEEE Standards of Ethernet: IEEE 802.1D, 802.1s, 802.1w, 802.1x, 802.3ad, 802.3x, 802.1p, 802.1Q, 802.3, 802.3u, 802.3ab, 802.3z, 802.3az. Switch should support minimum 8 hardware queues per port for applying various traffic prioritization through QoS. 11 Should support Port Security and RADIUS / TACACS integration Should be upgradable to support OpenFlow or equivalent functionality, to support SDN (Software Defined Networking). The SDN functionality shall be native to switch Switch should support port security, DHCP snooping, Dynamic ARP inspection, IP Source guard, BPDU Guard, Spanning tree root guard. Switch should support IPv6 Binding Integrity Guard, IPv6 Snooping, IPv6 RA Guard, IPv6 DHCP Guard, IPv6 Neighbor Discovery Inspection and IPv6 Source Guard. 15 Should have NetFlow/sflow/ Jflow to support 24K entries functionality for traffic monitoring. 16 Preferably the proposed switch should be IPv6 logo ready/certified or any equivalent and NDDP Certified A G M ( G S M, N G N & I T ) C M R ( D C )

15 Switch / Switch s Operating System should be tested and certified for EAL 2/NDPP/NDcPP or above under Common Criteria Certification. Switch shall conform to UL or IEC or CSA or EN Standards for Safety requirements of Information Technology Equipment. Switch shall conform to EN Class A/B or CISPR22 Class A/B or CE Class A/B or FCC Class A/B Standards for EMC (Electro Magnetic Compatibility) requirements. 5. Required Specification for MPLS Switches Sl.No. Specifications 1 Should have minimum 24 CU Ports from day 1, with a support of 2x10G SFP+ support required modules need to be populated from day 1 as per requirement 2 Switch should support stacking with dedicated stacking ports and 480 Gbps of stacking bandwidth 3 Must support Stack Power with stacking upto 9 Switches together 4 Switch shall have minimum 68 Mpps of forwarding rate and 92 Gbps of Switching capacity 5 6 The proposed interfaces must have non-blocking and wire-speed performance for all packet sizes for IPv4 & IPv6 traffic. Switch should have 1:1 redundant internal power supply. Power supply modules, fan modules and transceivers modules should be hot swappable. 7 Switch should have IPv4 & IPv6 static routes, OSPF, OSPFv3, PBR and PIM-SM / DM. 8 9 Should support IEEE Standards of Ethernet: IEEE 802.1D, 802.1s, 802.1w, 802.1x, 802.3ad, 802.3x, 802.1p, 802.1Q, 802.3, 802.3u, 802.3ab, 802.3z, 802.3az. Switch should support minimum 8 hardware queues per port for applying various traffic prioritization through QoS. 10 Should support Port Security and RADIUS / TACACS+ integration Should be upgradable to support OpenFlow or equivalent functionality, to support SDN (Software Defined Networking). The SDN functionality shall be native to switch Switch should support port security, DHCP snooping, Dynamic ARP inspection, IP Source guard, BPDU Guard, Spanning tree root guard A G M ( G S M, N G N & I T ) C M R ( D C )

16 13 14 Switch should support IPv6 Binding Integrity Guard, IPv6 Snooping, IPv6 RA Guard, IPv6 DHCP Guard, IPv6 Neighbor Discovery Inspection and IPv6 Source Guard. Switch should support IPv6 Binding Integrity Guard, IPv6 Snooping, IPv6 RA Guard, IPv6 DHCP Guard, IPv6 Neighbor Discovery Inspection and IPv6 Source Guard. Should have NetFlow/sflow/ Jflow to support 24K entries functionality for traffic monitoring. 15 Preferably the proposed switch should be IPv6 logo ready/certified or any equivalent Switch / Switch s Operating System should be tested and certified for EAL 2/NDPP/NDcPP or above under Common Criteria Certification. Switch shall conform to UL or IEC or CSA or EN Standards for Safety requirements of Information Technology Equipment. Switch shall conform to EN Class A/B or CISPR22 Class A/B or CE Class A/B or FCC Class A/B Standards for EMC (Electro Magnetic Compatibility) requirements. 6. Required Specification for Internet Firewalls Sl.No. Specifications 1 2 Security Gateway Performance Validation: - Vendor must have a dedicated hardware solution to meet all next generation Data center's requirements of the ITI. Vendor must be able to supply a recommended hardware configuration based on the criteria of real world traffic blend and next generation security applications provided by the customer. OEM must submit appliance performance Certificate ( as per asked performance on the real world traffic blend's throughout with respective security modules/features fully enabled) duly validated and certified by Product Engineering head/solution Head/RnD Head or equivalent of Respective OEM. This is a mandatory clause, failing which Bid will be summarily rejected. Vendor must be able to supply the scalable platform for the desired combination of these security controls, with supporting evidence that the appliance will perform as expected Internet Bandwidth requirements scalable upto 5Gbps Total Throughput requirements upto 10Gbps. Security gateway with 1000 security rules Network Address Translation enabled. Logging Enabled A G M ( G S M, N G N & I T ) C M R ( D C )

17 3 4 Real world Datacenter traffic blend of HTTP, HTTPS, FTP, SMTP and DNS. Enablement of the required security modules/features on the supplied chassis based device/appliance. Stateful inspection Firewall Intrusion Prevention system (minimum 80% of signatures enabled for both incoming and outgoing traffic.) Application filtering & control URL filtering Anti-Malnet/Botnet. IPSEC VPN. The Proposed vendor must be Leader in Gartner Magic Quadrant for Enterprise Network NGFW's in all last 3 years. 5 Vendor shouldn't have reported any backdoor vulnerability in their product or OS for past 3years. 6 7 The proposed solution should support Stateful policy inspection technology. It should also have application intelligence for commonly used TCP/IP protocols like telnet, ftp etc. The solution must support Firewall, Application visibility, filtering and control, IPS, Anti-virus, Anti-malware, Anti-botnets/malnets from day one and URL Filtering in future if required. 8 The proposed solution shouldn't use a proprietary ASIC hardware for any kind of performance Improvement. If option to disable ASIC is there than OEM must mention the performance numbers in datasheet ( without ASIC ) 9 Licensing should be a per device and not user/ip based (should support unlimited users) 10 The proposed solution should support the multicast protocols like IGMP and PIM-DM / PIM-SM 11 Firewall should support HA and must support synchronization of Sessions The admins must be able to view report on the CPU usage for management activities and CPU usage for other activities. The hardware platform must be chassis based solution with option to add security hardware blades as the requirements grows in the future 14 Solution must failover without dropping any connection in active-active mode. 15 The platform should support VLAN tagging (IEEE 802.1q) 16 Firewall should support creating access-rules with IPv4 & IPv6 objects simultaneously 17 The proposed solution should support IPv4 & IPv6 static routing, RIP, OSPF v2 &v3, PBR, BGPv4/ BGPv6 18 Device must support automatic search, downloading and install software hotfixes without any administrator efforts. System should have provision to automatically roll back last saved configuration. 19 The solution Should support Non Stop Forwarding in HA during failover and Graceful Restart 20 Firewall should support Nat of IPv4 and IPv6 addresses 21 It should support the VOIP traffic filtering 22 Security appliance provider OEM should be different from Networking OEM The platform must be supplied with at least 4x10G SFP+ and 4 x 40G QSFP+ interfaces fully populated ports 23 from day one and expandable up to 16 x10g SFP+ and 8x 40G QSFP+ interfaces. Also the device should have provision to support 2x100G QSFP28 interfaces in addition to above mentioned ports A G M ( G S M, N G N & I T ) C M R ( D C )

18 24 The proposed Appliance should have at least Log storage capacity of 480 GB Each of the chassis proposed should provide redundancy between chassis modules, power supplies and fans. 25 ITI is looking for Intra chassis redundancy wherein failure of one module in chassis should not failover the chassis and should not hamper the production traffic 26 Each Chassis proposed must have hot swappable dual power supplies. 27 Each of the module in chassis should have backplane connectivity with Switching fabric through 10GbE/40GbE 28 The proposed solution should have minimum firewall real world production throughput of 80 Gbps and upgradable upto 2x times. 29 The proposed solution should have minimum Intrusion prevention system real world production throughput of 20 Gbps and upgradable upto 2x times. 30 The proposed solution's Next Gen. Firewall (IPS + Application filtering & control + Firewall features enabled) production Throughput must be more than 9 Gbps and upgradable upto 2x times. The proposed Solution's Threat Prevention (IPS + Application filtering & control + Firewall + URL filtering + 31 Anti-Malnets + Anti-Virus features enabled) real world production Throughput must be more than 7 Gbps and upgradable upto 2x times. 32 The proposed appliance must support at least 30 million concurrent Connection and upgradable upto 2x times. 33 The proposed appliance must support more than 750,000 new connections per second processing and upgradable upto 2x times. 34 The proposed solution must support at least 30 Gbps of IPSEC VPN throughput and SSL VPN Users from Day one 35 Firewall Should support 10 virtual firewall from Day One. 36 It should support the IPSec VPN for both Site-Site & Remote Access VPN 37 The proposed solution's system should support virtual tunnel interfaces to provision Route-Based IPSec VPN 38 In the proposed solution, following user authentication schemes must be supported by the security gateway and VPN module: tokens (ie-secureid), TACACS, and digital certificates 39 It should also support the system authentication with RADIUS and local authentication. Both should work simultaneously. 40 It should support the filtering of TCP/IP based applications with standard TCP/UDP ports or deployed with customs ports 41 The proposed solution must not have any limit to define Address objects, if such limit exists than it should support more than 150,000 address objects. 42 The proposed solution should have no limit for firewall policies, if such limit exist than it should be over 150, The NGFW updates should have an option of Automatic downloads and scheduled updates so that it can be scheduled for specific days and time 44 The proposed NGFW's application filtering should support over applications 45 The proposed solution must provide granular security control of at least 100 million URLs / websites. Also the solution must be able to create a URL filtering rule with multiple categories. 46 The proposed solution must categorize applications and URLs and applications by Risk Factor and also the application filtering and URL filtering databases must be updated by a cloud based service. 47 The IPS should scan all parts of the session in both directions with maximum database signatures enabled. 48 The proposed solution should be able to block Instant Messaging like Yahoo, MSN, ICQ, Skype (SSL and HTTP tunneled) A G M ( G S M, N G N & I T ) C M R ( D C )

19 49 It should enable blocking of Peer-Peer applications, like Kazaa, Gnutella, Bit Torrent, IRC (over HTTP) The NGFW should support authentication protocols like LDAP, RADIUS and have support for NGFW 50 passwords, smart cards, & token-based products like SecurID, LDAP-stored passwords, RADIUS or TACACS+ authentication servers, and X.509 digital certificates. IPS should have the functionality of Geo identification and Protection to Block the traffic country wise in 51 incoming direction, outgoing direction or both. IPS also should alert through Mail if any IPS traffic/event detected from Specific Country. 52 The proposed solution should support advanced NAT capabilities, supporting all applications 53 The proposed solution Should support Identity Access for Granular user, group and machine based visibility and policy enforcement 54 IPS should be able to detect and prevent imbedded threats with in SSL traffic. 55 The solution should allow for third party signature import such as Snort The proposed solution should have Anti-malnet/botnet application must use a multi-tiered detection engine, 56 which includes the reputation of IPs, URLs and DNS addresses and detect patterns of bot communications and also must be able to scan for botnets/malnets actions. 57 The proposed solution should support detection & prevention of Cryptors & ransomware viruses and variants through use of static and/or dynamic analysis. The proposed solution should have detection and prevention capabilities for C&C DNS hide outs and also it 58 should Look for C&C traffic patterns, not just at their DNS destination. The solution should have DNS trap feature which must discover infected hosts generating C&C communication. 59 Security vendor and Network vendor should be different OEM. 60 Activation of new protections based on parameters like Performance impact, Confidence index, Threat severity etc. 61 IPS Engine should support Vulnerability and Exploit signatures, Protocol validation, Anomaly detection, Behavior-based detection, Multi-element correlation. 62 IPS profile can be defined to Deactivate protections with Severity, Confidence-level, Performance impact, Protocol Anomalies. 63 IPS Profile should have an option to select or re-select specific signatures that can be deactivated 64 IPS must provide option to deactivate all signature which have high impact on performance with a single click configurable option. 65 Intrusion Prevention should have an option to add exceptions for network and services. 66 The proposed solution should be able to detect & Prevent Unique communication patterns used by BOTs i.e. Information about Botnet family 67 The proposed solution should be able to detect & Prevent attack types such as spam sending click fraud or self-distribution, that are associated with Bots 68 The proposed solution should be able to block traffic between infected bot Host & Remote C&C Operator and it should allow the traffic to legitimate destinations 69 The proposed should inspect HTTP, HTTPS, DNS & SMTP traffic for the detection and prevention of the Bot related activities and Malware activities 70 The proposed solution should have an option of configuring file type recognition along with following actions i.e. Scan, Block, Pass on detecting the Known Malware The proposed Firewall appliances for the perimeter networks should be managed by single management and 71 single console along with build in Logging & Reporting option. The centralized management can be an appliance or server which could manage 25 GWs 72 The proposed management solution should have capability to manage physical firewalls and the firewalls instances in public and private cloud deployed by ITI data center. Also the Solution must dynamically insert, A G M ( G S M, N G N & I T ) C M R ( D C )

20 deploy and orchestrate advance security protection including Stateful Firewall, Intrusion Prevention system, Anti Bot, Zero-Day Protection etc. for ACI /NSX enabled data center 73 Management Server and Logging module must be single solution. It must allow administrator to choose to login in read-only or read write mode. Option must be available at Authentication window itself. The device should support selective Log Forwarding Based on Log Attributes and should be able to trigger an 74 action or initiate a workflow on an external HTTP-based service when a log is generated on the firewall by sending an HTTP-based API request directly to a third-party service to trigger an action based on the attributes in a log. Management Server must support backup with all configuration, certificates etc. It should be possible to 75 restore management server configuration on normal open server to manage network security in case of failure. Or, Upon Management Server Failure bidder must deliver management server Chassis within two hours after reporting the incident through The proposed Management solution should have Log storage of minimum 5TB HDD, RAID and should be support external storage expansion The proposed Solution must provide the option to add management high availability, using a standby 77 management server that is automatically synchronized with the active one, without the need for an external storage device. The proposed Solution must have the ability to log all integrated security applications on the gateway and 78 including Firewall, IPS, Application Filtering & Control, URL Filtering, Anti-Virus, Anti-Malnets/Botnets and User Identity. 79 The Solution must include an automatic packet capture mechanism for IPS events to provide better forensic analysis. 80 The logs must be securely transferred between the gateway appliances and the management or the dedicated log server and the log viewer console in the administrator s PC. 81 The proposed management solution must provide the following system information for each gateway: OS, CPU usage, memory usage, all disk partitions and % of free hard disk space 82 The solution must include the status of all VPN tunnels, site-to-site and client-to-site 83 The proposed solution must have an option to recommend Security Best Practices. 84 The proposed solution must have an option to Monitor constantly gateway configuration with the security best practices. 85 The proposed solution must have an option to Deliver real-time assessment of compliance with major regulations (PCI-DSS, ISO27001/2, NIST, SOX, etc.). 86 The proposed solution must have an option for Real Time Compliance Monitoring across all security services in the product. 87 The solution must have an option for Instant notification on policy changes on the gateways impacting compliance. 88 The solution should support management of firewall policies via Cli, SSH & inbuilt GUI management interface. 89 Policy Management should have option to create various Layered policy for various Zones and should have option to create various Administrator to manage specific policy layers. 90 The solution should support the functionality of Auto-Update to check for latest software versions & download the same. 7. Required Specifications for MPLS Firewalls A G M ( G S M, N G N & I T ) C M R ( D C )

21 Sl.No. Specifications The OEM quoted in bid must be in Gartner's Leader Quadrant for Enterprise Firewall preferably for last 3 1 years 2 The solution shall have integrated Firewall, VPN, IPS, Anti-malware and Anti-Bot functionality. 3 The proposed OEM must not be less than 95% in NSS LABs DCSG or NGFW or NGIPS evaluation, preferably for last 3 years 4 The appliance should be based on 64-Bit hardware architecture and it should have 64-Bit OS 5 The appliance should support the IEEE 802.1q VLAN Tagging on the traffic data ports 6 The appliance should support the Link Aggregation Control Protocol (LACP) to create the bundles of NIC Interfaces 7 The proposed appliance should be deployed as the High Availability, Active-Standby, Active-Active Cluster Solution should support the feature which provides the information against each rule on how many times it is used, to know the utilization of Each rule. The proposed solution of appliances should support the dynamic routing protocols with readiness for RIP, BGPv4/6 & OSPF The proposed solution of appliances should support the Threat Prevention Suite with all the following controls embedded: a) Prevention against Intrusions b) Prevention against Malwares, viruses, Bot & Botnets. The platform must be supplied with at least 12 x GE RJ45, 2 x 10 GE SFP+ Interfaces (OEM should populate with necessary transceivers). 10G SFP+ Scalable upto 4 ports. Also should have provision to support 2 x 40G QSFP+ ports. 12 The appliances must be supported with hardened OS with 32GB of RAM. 13 The proposed appliance should have system storage of 480 GB SSD. 14 The proposed firewall should be supplied with the inbuilt Redundant Power Supply. 15 Each appliance quoted should take maximum of 2U rack space 16 The appliance quoted should consume maximum of 500Watts 17 The appliance should support minimum 12 Million Concurrent Connections 18 The appliance should support more than 100,000 and scalable to 150,000 New Connections Per Second 19 Proposed appliance should deliver real world threat prevention throughput of 1.5 Gbps enabling IPS, Antivirus, Anti-bot. OEM must have published the real world performance throughput on the public available website / should submit performance results tested and verified by R&D/Products team A G M ( G S M, N G N & I T ) C M R ( D C )

22 20 To be Included : proposed firewall should have necessary license for 1000 SSL VPN users from Day1 21 Firewall shall deliver real world performance throughput of minimum 20 Gbps with mixed blend enabling HTTP, HTTPS, SMTP, DNS, FTP, telnet, SSH, POP3 etc. OEM must have published the real world performance throughput on the public available website / should submit performance results tested and verified by R&D/Products team. 22 The proposed solution must have intrusion prevention engine. 23 The proposed IPS solution must have minimum 3000 Signature in its database 24 The proposed intrusion prevention engine should have the functionality of Geo Protection to Block the traffic country wise in incoming direction, outgoing direction or both. IPS also should alert through Mail if any IPS traffic/event detected from Specific Country. 25 The proposed intrusion prevention engine must provide detailed information on each protection, including: Vulnerability and threat descriptions, Threat severity, Performance impact, Release date, Industry Reference, Confidence level etc The solution should generate the reports for the firewall, gateway level AV, IPS web filtering and application blocking functionalities requested. The solution shall have readymade templates to generate reports like complete reports or attack reports, bandwidth report, intranet report. 28 The firewall should support SNMP V2C and V3 for integration with existing NMS The solution should help to analyze/understand Attacks over various protocols like http, ftp, SMTP, POP3 and IMAP as well as to sources and destination for these attacks. The solution should help to analyze/understand the security breaches hacker attacks and the sources and destination for these attacks. The solution should help to analyze/understand the protocol and bandwidth usage by users to help in capacity planning and understand network utilization. Should have options to generate reports in terms of which are the frequent attacks as well as top sources and destination for attacks. 33 Should have options to generate reports in different formats like html, pdf, ms word etc A G M ( G S M, N G N & I T ) C M R ( D C )

23 The solution should have configurable options to send the reports as a mail to the designated address or to ftp to the configured ftp location. Should have configurable parameters to send alert s based on event type or attack type or total number of attacks The solution should have configurable options to schedule the report generation (e.g. hourly, daily, weekly etc.). 37 The solution should be running its own syslog server to collect the logs or equivalent The solution should also have the option to generate reports based on the logs collected from multiple firewalls. Should have options to create users with different access rights (e.g. users who can only view reports, users who can create schedules and reports etc.) If separate server/appliance is required for the logging & reporting, the BOM should be included in the annexure 41 Reporting solution should able to generate all the report for each virtual system separately. 8. Required Specification for Load Balancer Sl.No. Specifications 1 Hardware 2 The proposed solution should be purpose build ASIC based hardware appliance 3 The hardware should have support for minimum 2 X 40G QSFP 4 The Hardware should have minimum 16 X 10G SFP+ interfaces, 8 populated with 10G Module 5 The Hardware should have minimum 4 X 1G Copper 6 The solution should have minimum 128 GB from day 1 upgradable to 256 GB of memory (RAM) 7 The solution should support dynamic Routing Protocols from day 1 8 System should have Dual Power Supply 9 Architecture Solution should be virtualization ready with OEM's own hypervisor with minimum 5 virtual instances from day 1 and scalable to 25 virtual ADC instances Virtualization: Ability to divide single box in to multiple virtualized load balancers & operate as independently so single device can be used to load balance application servers located across multiple DMZ / LAN without compromising network security A G M ( G S M, N G N & I T ) C M R ( D C )