Corrigendum 3. Tender Number: 10/ dated

Transcription

1 (A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/ dated for Supply, Installation and Maintenance of Distributed Denial of Service (DDoS) protection solution. Last Date & Time for receipt of Offers: Extended Last Date & Time for receipt of Offers: at 4:00 PM at 4:00 PM. From: The Assistant General Manager Corporation Bank Information Technology Division Head Office, Mangalore Karnataka.

2 Sr. No. Specification Compliance 1 Hardware and Performance 1.1 DDoS solution should be a dedicated hardware appliance designed exclusively for DDOS detection and mitigation. The solution should not be a licensed feature on any other network devices (like Firewall and Load Balancer Appliance etc.) 1.2 Device should have at least 8 x 1G copper Interfaces with port level bypass 1.3 Should have at least 4 x 1G SFP fibre/ 4 x 1 G Internal fibre interfaces with port level bypass 1.4 System should have scalable inspection throughput of 500 Mbps scalable to 3 Gbps without additional hardware. 1.5 Present license should be for 500 Mbps throughput and a minimum of 2 million concurrent sessions 1.6 System latency should be less than <80 microseconds and should be clearly documented in the data sheet. 1.7 System should have High performance ASIC-based DoS-mitigation engine ensures that attack mitigation does not affect normal traffic processing and Maximum DDoS Flood Attack Prevention Rate up to 1 Million PPS 1.8 SSL attack prevention Module/appliance System should Mitigate encrypted attacks and should have 3000 SSL CPS on day 1 and upgradable to 5000 SSL CPS with 2048 bit Key 1.9 In inline mode system must not modify MAC or IP addresses of passed frames 1.10 The device should support high availability System should Fail-Open or should bypass the traffic in case of Hardware failure 1.12 System should support Multiple Segment protection minimum of 4 Segments. 2 Generic Features 2.1 System should support, In-Line, SPAN Port, Out-of-Path deployment modes by default without any extra license cost. 2.2 Solution should be transparent to control protocol like MPLS and Q tagged VLAN environment. Also it should transparent to L2TP, GRE, IPinIP traffic. 2.3 The system should be transparent to logical link bundle protocols like LACP 2.4 The Solution should be IPV6/ dual stack compatible IPV6 certified 2.5 Solution Should detect IPv6 Attacks 2.6 Solution should mitigate IPv6 Attacks 2.7 The DDoS detection capability of the solution must not be impacted by asymmetric traffic routing. 2.8 Should detect and Mitigate attacks at Layer 3 to Layer Should support inspection of standard network MTU The system must allow protection parameters to be changed while a protection is running. Such change must not cause traffic interruption 2.11 The appliances must have dual power supplies for redundancy.

3 3 Security / DDoS Feature 3.1 System should Protect from multiple attack vectors on different layers at the same time with combination of Network, Application, and Server side attacks 3.2 Solution should provide protection for volumetric, protocol and Application layer based DDoS attacks 3.3 Inspection and prevention is to be done in hardware 3.4 The system must have an updated threat feed that describes new malicious traffic (botnets, phishing, etc...). 3.5 The system should be capable to mitigate and detect both inbound and outbound traffic. 3.6 Solution should provide real time Detection and protection from unknown Network DDOS attacks. 3.7 System should have mitigation mechanism for protection against zero-day DoS and DDoS attacks without manual intervention. 3.8 System should support horizontal and vertical port scanning behavioral protection 3.9 System supports behavioral-based application-layer HTTP DDoS protection 3.10 System supports DNS application behavioral analysis DDoS protection 3.11 System must be able to detect and block SYN Flood attacks and should support different mechanism a SYN Protection - Transparent Proxy/out of sequence b SYN Protection - Safe Reset c SYN Protection /TCP Reset System must be able to detect and block HTTP GET Flood and should support mechanisms to avoid False Positives 3.13 Should support following HTTP flood Mechanism : a High Connection Rate b High rate GET to page c High rate POST to page 3.14 System should detect and Mitigate different categories of Network Attacks: a High rate SYN request overall b High rate ACK c High rate SYN-ACK d Push Ack Flood e Ping Flood f Response/Reply/Unreachable Flood g any other DOS/DDoS attacks 3.15 System should provide zero-day attack protection based on learning baseline / behavioral analysis of normal traffic, zero-day attacks are identified by deviation from normal behavior System should provide behavioral-dos protection using real-time signatures 3.19 System must be able to detect and block ICMP, DNS Floods 3.20 Should support IP defragmentation, TCP stream reassembly The system must be able to block invalid packets including checks for : Malformed IP Header, Incomplete Fragment, Bad IP Checksum, Duplicate Fragment, Fragment Too Long, Short Packet, Short TCP Packet, Short UDP Packet, Short ICMP Packet,

4 Bad TCP / UDP Checksum, Invalid TCP Flags, Invalid ACK Number) and provide statistics for the packets dropped 3.22 Should detect and Mitigate from Low/Slow scanning attacks 3.23 should detect and mitigate from Proxy & volumetric Scanning 3.24 System Should support dedicated DNS protection from DDoS 3.25 System should support suspension of traffic/ blacklisting from offending source based on a signature/attack detection 3.26 System should support user customizable and definable filter 3.27 system should support prevention of malware propagation attacks 3.28 System should support prevention of anti-evasion mechanisms 3.29 System should support Intrusion Prevention from Known Attacks either on the appliance or through external appliance 3.30 System should have capability to allow custom signature creation 3.31 System should protect from DDoS attacks behind a CDN by surgically blocking the real source IP address 3.32 The system must support the ability to blacklist a host, country, domain, URL 4 Protection against Encrypted Attacks 4.1 System should have on device SSL/ out-of-path inspection from same OEM as of DDoS solution provider 4.2 Proposed Solution should Protect against SSL & TLS-encrypted Attacks with an separate SSL Decryption module on device / out of Path 4.3 Proposed solution should Protect against SSL & TLS-encrypted information leaks with a separate SSL Decryption module on device / out of Path 4.4 Proposed Solution should provide protection for known attack tools that attack vulnerabilities in the SSL layer itself with a separate SSL Decryption module on device / out of Path 4.5 Proposed Solution should detect SSL encrypted attacks at Key size 1K & 2K without any hardware changes. 4.6 System should support Outbound SSL Inspection for inspecting the outgoing encrypted traffic and should have capability to integrate with other security inspection solutions. 5 High detection and mitigation accuracy 5.1 System should support Challenge-response (Layers 4 to 7) mechanisms by default /without Scripts 5.2 System should support HTTP Challenge Response authentication by default /without Scripts 5.3 System should support Polymorphic Challenge-Response mechanism by default /without scripts 5.4 System should support DNS Challenge Response authentication : Passive

5 Challenge, Active challenge Both by default /without scripts 6 Integration Capabilities 6.1 System should have capability to integrate with SIEM solution 6.2 System should have capability to integrate with new/forthcoming network technologies such as it should have ready API for Software Defined Networking (SDN) / Application Centric Infrastructure (ACI) environment integration. (Recommended) 6.3 System should be compatible for integration with the existing Data Centre Management and Orchestration devices/tools/systems. (optional) 6.4 Proposed solution should have capability to integrate with existing security solutions (which are compatible only) with Bank in order to optimize the inspection performance. (Optional) 7 Monitoring & Management 7.1 The system must support configuration via standard up-to-date web browsers. System user interface must be based on HTML 7.2 System must support CLI access over RS-232 serial console port, SSH. 7.3 The system must have a dedicated management port for Out-of-Band management 7.4 Management interfaces must be separated from traffic interfaces. System management must not be possible on traffic interfaces, management interfaces must not switch traffic 7.5 System must have supporting of tools for central monitoring 7.6 System must have concept of users / groups / roles 7.7 Management certificate must be possible to change 7.8 Proposed solution should have centralized management system and should help to manage, monitor, and maintain all DDoS Appliances from a centralized location. 7.9 The system must support Role/User Based Access Control 7.10 The system must support the generation of reports (PDF and ) 7.11 Integration with login authentication system (RADIUS and TACACS+) should be possible 8 OEM Services 8.1 OEM should have their own Security research team to generate signature profile targeted at DoS Tools and the same should be updated weekly to the devices installed at Bank. 8.2 Bidder/OEM to provide support in real-time to the Bank who faces malware outbreak or emergency flood attack 8.3 OEM should have Own Cloud Scrubbing Capability such that Bank can use it in future if required - optional 8.4 Real Time Attack Mitigation: The Bidder/OEM should have Experts who should analyze the attack and advice on adjustments to the security configuration onthe-spot in order to mitigate the attack.

6 8.5 Post Attack Forensics Analysis and Recommendations 8.6 Security Expert Service: After the customer notification the response SLA of the Security Expert should be within 10 min. And should be available to bank to handle attack situations 8.7 OEM should provide Quarterly Configuration Review and fine tuning of appliance should not be limited by duration / days of effort 8.8 OEM should provide monthly Security event report and should have option to customize as per Bank needs 8.9 Direct Hot-Line Access: Bank should have direct Hot Line access to the Security team for the duration of the attack/campaign and should provide the Toll Free no. as part of RFP response 8.10 OEM should provide 50 Man Days direct Onsite support / assistance during installation at each location of the Bank Quoted OEM should have 24x7x365 India TAC for local support 8.12 OEM Should provide 2 days training and knowledge transfer to Bank 9 Certification / References 9.1 Device should be Common criteria certified at least EAL 3 or above