Tender 10/ dated Reply to Pre-bid Queries

Transcription

1 Compliance Queries Suggested changes Reply Please specify if this is mandatory or Optional? 1 27/6.2 System should have capability to integrate with new/forthcoming network technologies such as it should have ready API for Software Defined Networking (SDN) / Application Centric Infrastructure (ACI) environment (Recommended) With the current technology trends and with growing adoption of SDN / NFV technologies; we recommend bank to consider the SDN integration and should Make it Mandatory. Also, this will ensure that all the proposed solution are comparable technically and commercially. We suggest to change this point from Recommended to Mandatory. 27/6.3 System should be compatible for integration with the existing Data Center Management and Orchestration devices/tools/systems. (optional) Please specify the current Management / Orchestration used by Bank. We suggest to have this clause as mandatory so that it will ensure all the proposed solution are comparable technically and commercially. We recommend to make this Mandatory. 2 Request you to change the clause as EAL 4 or more certification level /9.1 Device should be Common criteria certified at least EAL 3 or above 28/8.1 29/1 OEM should provide 50 Man Days direct Onsite support / assistance during installation at each location of the Bank. OEM is required provide 50 Man day support for implementation of the proposed security solution at each location separately. 1.4 Present license should be for 500 Mbps throughput and a minimum of 2 million 1.2 Device should have at least 8 x 1G copper Interfaces Should have at least 4 x 1G SFP fibre interfaces Request you to change the clause as EAL 4 or more certification level. to ensure the security device / software themselves are secured and robust to withstand any attacks. The Higher certification rating ensure the better level of Solution robustness. Current EAL level available from 1-7. EAL1: Functionally Tested; EAL2: Structurally Tested; EAL3: Methodically Tested and Checked; EAL4: Device should be Common criteria certified at least EAL 4 Methodically Designed, Tested and Reviewed. or above Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements.common Criteria is used as the basis for a Government driven certification scheme and typically evaluations are conducted for the use of Federal Government agencies and critical infrastructure. the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements which covers the complete development of a product, with a given level of strictness. Please Clarify Bank is looking for a direct OEM resource at site to support or through SI. Please Clarify Bank is looking for a direct OEM resource at site to support or through SI. We request Bank to consider proposed DDoS device solution to be present in market for at least last 4-5 years. Additional Suggestion This is to ensure that the devices present in market have been present for some time and have customers using them rather then some new OEM coming up and suggesting their solution which might not be tested or proven. The ask for or simultaneous connections in a DDoS solution is absolutely not needed because this falls back on a stateful inspection and makes the DDoS appliance itself vulnuerable to state exhaustion attacks The ask for SFP is not industry standard and is very vendor specific. The fiber SFPs do not support built-in hardware bypass and creates a single point of failure in the DC Present license should be 500Mbps and the appliance must support stateless architecture Yes, Direct OEM Support. 50 Man days collectively for 2 locations Refer Qualification Criteria, Track Record of past installations The Appliance should be state aware. The appliance must support a mix of copper and fiber interfaces and these should support built-in Built-in or External copper and hardware bypass both on copper as well as on fiber. Fibre ports should support port level hardware bypass System should have High performance ASIC-based DoS-mitigation engine ensures that attack mitigation does not affect normal traffic processing and Maximum DDoS Flood Attack Prevention Rate up to 1 Million PPS 1.9 The device should support high availability. The 1Mpps of flood prevention rate is extremely low and the appliance will not be able to sustain in case of attack sizes going beyond this. These s are very low for an Enterprise level DC. The appliance must support maximum DDoS flood prevention rate of up to 8.5Mpps What kind of high availability is expected? Please elaborate the point, whether it's active /active or a cold standby etc. As per the standard Packet size and the bandwidth capacity of the link, attack rate upto 1 million PPS is the bank's requirement. the device should support both Active/Active and Cold Standby HA

2 Compliance Queries Suggested changes Reply Annexure A/page26 Annexure A/page System should support horizontal and vertical port scanning behavioral 3.17 System should Protect from Brute Force and dictionary attacks System should support prevention of anti-evasion mechanisms 3.29 System should support Intrusion Prevention from Known Attacks either on the appliance or through external appliance 4.6 System should support Outbound SSL Inspection for inspecting the outgoing encrypted traffic and should have capability to integrate with other security inspection solutions. Please elaborate this point. Does not have any relevance in the DDoS threat landscape These are intrusion techniques and not attack forms to compromise availability These are intrusion techniques and not attack forms to compromise availability This ask is very vendor specific and has no relevance in a DDoS architecture. In fact, if the IPS were to be integrated, it would put the DDoS architecture at risk. Please explain the necessity to inspect outbound SSL traffic, what is the resource that we are trying to protect and confirm it's availability Elaborated as follows Horizontal: Low and Slow attacks Vertical: Multi Vector attacks Removed. Removed. : The Solution should support Intrusion Prevention from Known Attacks. No change The Server/Node in the network should not be the part of attack campaign System should support Polymorphic Challenge-Response mechanism by default /without scripts 5.4 System should support DNS Challenge Response authentication : Passive Challenge, Active challenge Both by default /without scripts 6.2 System should have capability to integrate with new/forthcoming network technologies such as it should have ready API for Software Defined Networking (SDN) / Application Centric Infrastructure (ACI) environment integration. 6.3System should be compatible for integration with the existing Data Centre Management and Orchestration devices/tools/systems. (optional) 6.4 Proposed solution should have capability to integrate with existing security solutions (which are compatible only) with Bank in order to optimize the inspection performance. (Optional) 8.2 Bidder/OEM to provide support in real-time to the Bank who faces malware outbreak or emergency flood attack 8.5 Post Attack Forensics Analysis and Recommendations 8.6 Security Expert Service: After the customer notification the response SLA of the Security Expert should be within 10 min. And should be available to bank to handle attack situations 8.7 OEM should provide Quarterly Configuration Review and fine tuning of appliance should not be limited by duration / days of effort 8.8 OEM should provide monthly Security event report and should have option to customize as per Bank needs Please elaborate on this Different vendors adopt any one of the challenge mechanisms. Hence, it is requested to change this clause as suggested Extremely vendor specific The need for integration cannot be left open like this without defining the tools, instead focus on the protocols and keep them industry standard Please elaborate and define the systems Services can be provided through a certified partner customization needs to be defined and elaborated Please specify what kind of services. System should support DNS Challenge Response authentication : Passive Challenge or Active challenge The appliance must support notifications/integration via SNMP, SMTP, Syslog etc. This can be provided through a certified partner This service is typically available with cloud services and not applicable in an appliance deployment 8.7 OEM/bidder should provide Quarterly Configuration Review and fine tuning of appliance Refer information sources on Web for polymorphic challenge response mechanisms. Optional Direct Hotline with DDoS Security Experts is necessary for real-time attack mitigation. Certified Partner is also allowed. Details will be shared with successful bidder. 8.9 Direct Hot-Line Access: Bank should have direct Hot Line access to the Security team for the duration of the attack/campaign and should provide the Toll Free no. as Very vendor specific and not an industry standard. Support during an incident can be provided through TAC. part of RFP response Refer Serial No. 21

3 OEM should provide 50 Man Days direct Onsite support / assistance during installation at each location of the Bank. Compliance Queries Suggested changes Reply 8.10 OEM/Bidder should provide 50 Man Days OEM's do not directly work with customers but wok through their direct Onsite support / assistance during installation system integrators/vads and partners at each location of the Bank. 9.1 Device should be Common criteria certified at least EAL 3 or above Most of the industry DDoS appliances are at EAL2. In order not to be very vendor specific and to include other vendors, please see the recommended change Typically, 5 years of support is asked ( 3 + 2). Most of the industry Enterprise customers ask for a 5 year support post which a product refresh is discussed. Device should be Common criteria certified at least EAL 2 or above Kindly change the support clause to 5 years ( 3 years warranty + 2 years additional support) OEM should be involved in design and implementation of best practices of security. Annexure G1/page37 Post warranty, additional 3 years of support has been asked, making it 3 +3 The solution must be built on stateless analysis filtering engine. The solution must have built-in hardware bypass in all of its service (protection) interfaces, whether the media is Copper or The Hardware Security Module used for SSL/TLS inspection should support FIPS level 2 and level 3 certification. FIPS Additional points that should be considered The appliances must have dual power supplies for redundancy. The Solution must support the ability to enhance overall protection by integrating local protection with cloud-based DDoS services. Signaling to multiple servers within a cloud service provider should be supported. The system must support the ability to blacklist a host, country, domain, URL 13/9 The turnover of the company in the previous two financial years ( and ) We would request bank to amend clause as : - "The turnover of the company in the previous two financial years ( and should be more than Rs. 20 crores per year ) should be more than Rs. 50 crores per year." 13/9 In addition, it is required that the bidder should have executed one or more single order We would request bank to amend the clause as : - "In addition, it is required that the bidder should have executed one or of Rs.50 Lakhs or more in the immediate previous two years in India ( and more single order of Rs.1 crore Lakhs or more in the immediate previous two years in India ( and )." 16). 17/7a 18/7c 40 25/Annexure A /Annexure A /Annexure A /Annexure A /Annexure A The Bidder shall be responsible for delivery and installation of the DDoS protection We would request bank to amend clause as : - "The Bidder shall be responsible for delivery and installation of the DDoS appliances ordered at all the sites and for making them fully functional at no additional protection appliances ordered at all the sites and for making them fully functional at no additional charge within 6 weeks from charge within 4 weeks from the date of Delivery Instructions. The Bank reserves to itself the date of Delivery Instructions. The Bank reserves to itself the right to place release orders in phases depending upon the the right to place release orders in phases depending upon the project requirements. project requirements. The Bidder shall be responsible for immediate delivery of the DDoS protection appliances on receipt of The Bidder shall be responsible for immediate delivery of the DDoS protection appliances such release orders." on receipt of such release orders. The Bank will not arrange for any Road Permit/Sales Tax clearance for delivery of DDoS protection appliances to different locations and the Bidder is required to make its own arrangements for delivery of DDoS protection appliances to the locations as per the list of locations/sites provided from time to time by the Bank. However, the Bank will provide letters/certificate/authority to the Bidder, if required. In States where Road Permits are compulsory, delivery, installation must be completed within 5 weeks from the date of Delivery Instructions. Device should have at least 8 x 1G copper Interfaces Should have at least 4 x 1G SFP fibre interfaces System should have scalable inspection throughput of 500 Mbps scalable to 3 Gbps without additional hardware. Present license should be for 500 Mbps throughput and a minimum of 2 million System latency should be less than <80 microseconds and should be clearly documented in the data sheet. System should have High performance ASIC-based DoS-mitigation engine ensures that attack mitigation does not affect normal traffic processing and Maximum DDoS Flood Attack Prevention Rate up to 1 Million PPS We would request bank to amend clause as : - "The Bank will not arrange for any Road Permit/Sales Tax clearance for delivery of DDoS protection appliances to different locations and the Bidder is required to make its own arrangements for delivery of DDoS protection appliances to the locations as per the list of locations/sites provided from time to time by the Bank. However, the Bank will provide letters/certificate/authority to the Bidder, if required. In States where Road Permits are compulsory, delivery, installation must be completed within 7 weeks from the date of Delivery Instructions." The DDoS mitigation device should ideally have 10G fiber SFP+ ports to mitigate volumetric attacks. Maximise price/performance by utilizing the peak hardware capacity of the appliance especially for DDoS mitigation. The SSL CPS/TPS performance s are very low considering the scenarios of volumetric attacks. The lower capacity could exhaust the connection tables in no time. OEM specific. The DataSheet formats of OEMs could vary and is not standardized. The compliance could be provided in OEM letterhead instead. Also, OEMs who are not capable of performing SSL inspection on the same appliance might deploy separate SSL offload appliances which could further increase the latency. Hence the latency should ideally be for the overall solution and not specific to a single solution component. The PPS rating is very low considering the scalability to 3Gbps+ and 64B packet size, the system must be capable of supporting at least 6 million PPS. Device should have at least 4 x 1G Copper / Fiber SFP ports and at least 2 x 10G Fiber SFP+ ports System must be capable of scaling inspection throughput to 10 Gbps without additional hardware. Present license should be for at least 10Gbps throughput and a minimum of 20 million concurrent sessions Overall solution latency should be less than <80 microseconds. System should have High performance ASIC-based DoS-mitigation engine ensures that attack mitigation does not affect normal traffic processing and Maximum DDoS Flood Attack Prevention Rate up to 6 Million PPS Refer Serial No. 9

4 45 25/Annexure A Compliance Queries Suggested changes Reply The SSL CPS/TPS performance s are very low considering the SSL attack prevention Module/appliance System SSL attack prevention Module/appliance System should Mitigate encrypted attacks and scenarios of volumetric attacks. Maximise price/performance by utilizing should Mitigate encrypted attacks and should should have 3000 SSL CPS on day 1 and upgradable to 5000 SSL CPS with 2048 bit Key the peak hardware capacity of the appliance especially for DDoS support at least 20,000 SSL CPS/TPS with 2048 bit mitigation. Key from day 1 Fail-open or bypass is highly insecure as all traffic would hit servers directly and could bring down the services in the event of an attack. It is The proposed solution must have HA to ensure that not a good practice to fail open security devices.the fail-open there are no SPOF. architecture could be implemented using network bypass switch if HA is not provisioned /Annexure A System should Fail-Open or should bypass the traffic in case of Hardware failure 47 25/Annexure A //Annexure A System should support, In-Line, SPAN Port, Out-of-Path deployment modes by default without any extra license cost. Solution should be transparent to control protocol like MPLS and Q tagged VLAN environment. Also it should transparent to L2TP, GRE, IPinIP traffic. Inline is the best and most secure mode of protection where separate connections are initiated by the DDoS appliance post inspection ensuring the client requests does not hit the servers directly /Annexure A System should provide behavioral-dos protection using real-time signatures OEM specific. Real-time signatures have very high false positives /Annexure A System should Protect from Brute Force and dictionary attacks /Annexure A /Annexure A /Annexure A /Annexure A /Annexure A System should support Intrusion Prevention from Known Attacks either on the appliance or through external appliance System should have on device SSL/ out-of-path inspection from same OEM as of DDoS solution provider Proposed Solution should Protect against SSL & TLS-encrypted Attacks with an separate SSL Decryption module on device / out of Path Proposed solution should Protect against SSL & TLS-encrypted information leaks with a separate SSL Decryption module on device / out of Path Proposed Solution should provide protection for known attack tools that attack vulnerabilities in the SSL layer itself with a separate SSL Decryption module on device / out of Path CAPTCHA is an effective way of mitigating DDoS and the DDoS appliance must be capable of initiating CAPTCHA out of the box. Also, CSID helps with Bot identification and mitigation using Java Script challenge. DDOS and IPS are two different technologies and should not be combined in this RFP. Sending a DDoS attack through an IPS is a good way to take down the network. IPS in itself is a comprehensive security solution and if IPS is desired by the bank, we request bank to release a detailed RFP and not just one single requirement. This requirement is favouring particular OEM. Instead the device must be capable of integrating with best of breed security devices by providing high performance SSL visibility and service chaining based on security context /Annexure A System should have capability to integrate with SIEM solution What is the current SIEM deployed in the bank? 57 27/Annexure A System should be compatible for integration with the existing Data Centre Management and Orchestration devices/tools/systems. (optional) System should support the recommended In-Line deployment mode by default without any extra license cost. Other modes of deployment could be optional. OEM specific. What is the exact use case for this requirement? To be removed as it may not be a valid use case considering the possible solution deployment scenarios. What are existing Data Centre Management and Orchestration devices / tools / systems in the bank? System must be capable of providing DoS protection using data plane programmability / scripts. The solution should be transparent to all protocols. System should Protect from Brute Force and dictionary attacks and must be capable of initiating CAPTCHA challenge out of the box. The solution also must support Client Side Integrity Defenses to identify legitimate browsers and block bot attacks. System should support high performance SSL offload / visibility and ICAP service chaining with best of breed Intrusion Prevention and other security devices based on security context. System should support SS inspection on the same DDoS appliance. Proposed Solution should Protect against SSL & TLSencrypted Attacks on the same DDoS appliance. Proposed solution should Protect against SSL & TLSencrypted information leaks on the same DDoS appliance. Proposed Solution should provide protection for known attack tools that attack vulnerabilities in the SSL layer itself on the same DDoS appliance System should support High Speed Logging and integrate with leading SIEM solutions. Refer Serial No. 14 Current SIEM solution is ArcSight. Optional. The details shall be shared with successful bidder.

5 58 28/Annexure A Quoted OEM should have India TAC for local support 59 28/Annexure A Device should be Common criteria certified at least EAL 3 or above 60 Compliance Queries Suggested changes Reply System should have scalable inspection throughput of 500 Mbps scalable to 3Gbps without additional hardware. OEM specific. All leading OEMs provide SLA driven follow the sun model TAC assistance to ensure 24x7x365 coverage. ISO 9001:2008 ensures process standardization across all TACs to ensure high quality support. Quoted OEM should have 24x7x365 TAC support and must be ISO 9001:2008 certified Can this be changed to EAL2+ to accommodate all vendors in the DDOS Device should be Common criteria certified at least space as the EAL 3 certification process takes time? EAL 2 or above As per point 1.4, Bank wants present license to support 500 Mbps with 2 Million Concurrent Session, as banks plan to have scalable solution upto 3 Gbps Concurrent connection also needs to increase to accommodate increased traffic. It is recommended to increase the concurrent connection support also to 12 M To have a predictable costing license cost to upgrade from 500 Mbps to 3 Gbps should also be considered in financial evolution Refer Serial No Present license should be for 500 Mbps throughput and a minimum of 2 million As 10 Gbps is becoming standard for core networks, we recommend to increase performance to 10 Gbps throughput & 10 Gbps interface with 16 Million concurrent connections as this will also mitigate DDOS attacks originating from inside to outside and protect gateway devices 62 System should Fail-Open or should bypass the traffic in case of Hardware failure As DDOS Solution is an very critical solution & bank consider devices to be deployed are in HA. We highly recommended to not use Fail-Open or hardware bypass as incase of DDOS appliance hardware failure bank will be open to DDOS attack & DDOS traffic will pass through Network, Application & entire network will be open to DDOS attack. As solution is considered in HA incase device fails secondary device will takeover the traffic an bank will always be protected from DDOS attack. 63 System should support Multiple Segment protection minimum of 4 Segments. Segmentation is an IPS terminology. As DDOS device is to be deployed on perimeter level to protect the network from Internet network to protect Network, Application, Servers from Multi vector DDOS attack. All traffic coming inside the network from perimeter router i.e. from Internet would be passed through DDOS device. 64 Device should be Common criteria certified at least EAL 3 or above Segmentation should not be considered in DDOS Solution offering. To make the compliance more generic we recommend to change the clause to include EAL or equivalent 65 Qualification Criteria Point Number 8: The Oem/Bidder should provide proof of having sold 4 DDoS protection appliances which have been installed and working in any of the PSU/Bank/Financial Institution for the immediate previous two years ( and ) We hereby requests the bank to modify the clause as mentioned below: The OEM/Bidder should provide proof of having sold 4 DDoS protection appliances which have been installed and working in any of the PSU/Bank/Financial Institution/Enterprise Level Organization in the years ( to ) 66 Delivery and Implementation We hereby requests the bank to help us with 7 weeks for delivery and 3 weeks for implementation.