Addendum to RFP SSL/IT/RFP-00/0- dated -March-0
Revised RFP Submission date: th April 0, 00 Hours

RFP is now open for all SBI empanelled and non-empanelled bidders.

Additional Requirement: Bidders are also required to quote for a mid-range NG firewall hardware (in high availability). Technical specifications for the above will be as per Annexure B-.

ANNEXURE B-
(Columns to be filled for each requirement: Complied (Yes/No) | Remarks | Deviations, if any)

A. NG Firewall requirements
- The proposed solution must be a Next Generation Firewall with Layer / Application Layer security solution.
- The solution must be deployed in HA mode.
- It should embed application visibility/intelligence for commonly used TCP/IP protocols like telnet, ftp etc.
- Appliance should support Active connections in case of HA.
- Device based licensing and not user/IP based licensing.
- Support for dynamic routing protocols, OSPF & BGP.
- Support the multicast protocols as a multicast host, by participating in IGMP and PIM-DM / PIM-SM and Sparse mode.
- Firewall should offer Bandwidth Management for every TCP, IPSEC & VoIP protocol with attributes of Minimum Committed Bandwidth per protocol.
- Proposed firewall OEM should be in the Leaders & Challengers Quadrant of the Gartner Magic Quadrant for NG Firewall for the last consecutive years.
- The firewall should have an Ethernet interface for out-of-band device management.
- Firewall should support VoIP traffic filtering.
- Should support IPv and IPv.

B. NGFW - Hardware and Interface requirements
- Firewall appliance should have at least x 0/00/000 GE RJ ports and scalability up to x 0/00/000 GE additional RJ interfaces.
- Should have dedicated HA interfaces.
- The proposed solution must provide 00 Mbps of throughput with all security features enabled, including application control + IPS + Anti-Spyware + Anti-Bot + Antivirus + APT Protection + URL filtering, with all signatures turned on. Performance must be based on HTTP traffic and not UDP traffic. The claim has to be supported by publicly available documents.
- Firewall should not introduce more than microsecond latency; the same should be available publicly.
- The firewall solution should support NAT, DNS & DHCPv.
- The NGFW appliance should have console port and USB ports.
- Appliance should be rack mountable and support side rails if required.
- Platform should support VLAN tagging.
- Should support Internet Service Provider link load balancing.
- Support for health LEDs, LCD etc. to indicate operational status of the NGFW module.

C. NGFW - Performance requirements
- The proposed solution must provide 00 Mbps of throughput with all security features enabled, including application control + IPS + Anti-Spyware + Anti-Bot + Antivirus + APT Protection + URL filtering, with all signatures turned on. Performance must be based on HTTP traffic and not UDP traffic. The claim has to be supported by publicly available documents.
- The proposed solution must be able to handle a minimum of 0000 concurrent sessions per second with all the layer / application layer / security features turned ON.
- The proposed solution must be able to handle a minimum of 000 new sessions per second with all the layer / application layer / security features turned ON.
- Should have capability to support more than 0 VLANs.
- Inbuilt support for IPSEC VPNs with DES/DES and AES support.
- The NGFW should support Active/Active High Availability feature.
- Proposed NGFW solution must be capable of detecting device failure, link failure and path failure.
- NGFW appliance failover should be completely stateful in nature without any manual intervention.
- Proposed NGFW shall synchronize the following for HA:
  a) All sessions
  b) Decryption certificates
  c) All threat and application signatures
  d) All configuration changes
  e) Forwarding Information Base (FIB) tables
- The proposed solution must be able to handle a minimum of -0K SSL decrypted sessions.
- Should support Advanced Persistent Threat prevention capabilities in a single appliance from day one. SBICap Sec can add a license later in the lifecycle of the solution to enable the capabilities.

D. Firewall - Network Protocols/Standards Support Requirements
- Should support at least 00 protocols.
- Firewall modules should support deployment in Routed as well as Transparent mode.
- Firewall must provide state engine support for all common protocols of the TCP/IP stack.
- Firewall must provide NAT functionality, including dynamic and static NAT translations.
- All internet based applications should be supported for filtering, like Telnet, FTP, SMTP, HTTP, DNS, ICMP, DHCP, ARP, RPC, SNMP, Lotus Notes, Exchange etc.
- Local access to the firewall modules should support the authentication protocols RADIUS & TACACS+.
- Firewall should support authentication proxy for Remote VPN, HTTP/HTTPS application access and various other applications.
- Firewall should support the authentication protocols RADIUS, LDAP, TACACS, PKI methods & single sign-on for Windows AD, Novell eDirectory, Citrix and Terminal Server Agent.
- Firewall should support PKI authentication with PKCS# & PKCS#0 standards.
- Should support BGP, OSPF, RIPv &, Multicast Tunnels.
- Dynamic policy enforcement on VPN clients.
- Should support telnet client and server functionality.

E. Firewall filtering requirements
- Should support the filtering of TCP/IP based applications with standard TCP/UDP ports.
- Should provide state engine support for all common protocols of the TCP/IP stack.
- Filtering capability that includes parameters like source & destination addresses, source & destination port numbers, and protocol type.
- Firewall should be able to filter traffic even if the packets are fragmented.
- Should support VoIP application security by filtering SIP, H., MGCP and Skinny flows.
- Firewall should support authentication protocols like LDAP and RADIUS, and have support for firewall passwords, smart cards, token-based products like SecurID, LDAP-stored passwords, RADIUS or TACACS+ authentication servers and X.0 digital certificates.
- Firewall should support database related filtering and should have support for Oracle, MS-SQL and Oracle SQL-Net.
- Firewall should provide advanced NAT capabilities, supporting all applications and services, including H. and SIP based applications.
- Should support CLI & GUI based access to the firewall modules.
- Local access to firewall modules should support role based access.
- QoS support [Guaranteed bandwidth, Maximum bandwidth, Priority bandwidth utilization, QoS weighted priorities, QoS guarantee, QoS limits and QoS VPN].
- Should be able to block Instant Messaging like Yahoo, MSN, Skype.
- Should enable blocking of Peer-to-Peer applications, like Kazaa, Gnutella, BitTorrent, IRC (over HTTP).
- Should support IPv and IPv.
- Rate based DoS protection.
- In-built token server that manages both physical and mobile tokens for use with IPsec (client-to-site) & SSL VPN users.
- Anti-bot capability using IP reputation DB; terminates botnet communication to C&C servers.

F. Intrusion prevention system requirements
- IPS device should perform stateful pattern recognition to identify vulnerability-based attacks through the use of multi-packet inspection across all protocols.
- The proposed IPS must perform protocol decoding and validation for network traffic including IP, TCP, UDP and ICMP.
- IPS should provide anomaly identification for attacks that may cover multiple sessions and connections, using techniques based on identifying changes in normal network traffic patterns.
- Should support creation of a baseline of normal network traffic and then use that baseline to detect worm-infected hosts.
- Proposed IPS should identify attacks based on observed deviations from the normal RFC behaviour of a protocol or service.
- Must be able to identify Layer Address Resolution Protocol (ARP) attacks and man-in-the-middle attacks.
- The sensors should be able to detect attacks running inside tunnelling protocols such as GRE, IP-in-IP, MPLS and IPv/IPv.
- Should be resistant to IPS evasion and protect against anti-NIPS (Network Intrusion Prevention System) techniques.
- Should support Vulnerability and Exploit signatures, Protocol validation, Anomaly detection, Behaviour-based detection, Multi-element global correlation and reputation based filtering.
- IPS profile should have an option to select or re-select specific signatures that can be deactivated.
- Intrusion Prevention should have the option to add exceptions for networks and services.
- IPS should provide rate shaping to prioritize known, normal traffic flows and unknown traffic flows, and the proposed system should have integrated Traffic Shaping functionality.
- IPS policy to block traffic by country should have an option to be configured for the incoming direction, outgoing direction or both.
- IPS events/protection exclusion rules should be created, and the packet data viewed, directly from log entries.
- Application Intelligence should have controls for Instant Messenger, Peer-to-Peer, Malware Traffic etc., regardless of port / protocol.
- Instant Messenger control should have options to Block File Transfer, Block Audio, Block Video, Application Sharing and Remote Assistance.
- IPS should have an option to create your own signatures.
- IPS should provide detailed information on each protection, including: vulnerability and threat descriptions, threat severity, release date, industry reference, confidence level etc.
- Signatures should have a severity level defined so that the administrator can understand and decide which signatures to enable for what traffic (e.g. severity level: high, medium, low).

G. Administration, Management and Logging
- NGFW Real-Time Monitoring, Management & Log Collection (with storage) should not be distributed to more than ONE server/appliance.
- Any changes or commands issued by an authenticated user should be logged to a database.
- NGFW administration station must provide a means for exporting the firewall and IPS rule set and configuration.
- Support for role based administration of firewall and IPS.
- NGFW administration software must provide a means of viewing, filtering and managing the log data.
- Firewall logs must contain information about the firewall policy rule that triggered the log.
- NGFW must provide minimum basic statistics about the health of the device and the amount of traffic traversing the NGFW device.
- NGFW should have the functionality of auditing administrator configuration changes.
- Should provide real time health status of all the firewall modules on the dashboard for CPU & memory utilization, state table, total number of concurrent connections and the connections/second counter.
- NGFW must send mail or SNMP traps to Network Management Servers (NMS) in response to system failures or threshold violations of the health attributes.

H. IPSec / SSL VPN Requirements
- The VPN should be integrated with the firewall and should be ICSA Labs certified for both IPSec and SSL-TLS.
- Should support the following protocols:
  DES & DES
  MD, SHA- & the more secure SHA- authentication
  Diffie-Hellman Group, Group, Group & the more secure Group
  Internet Key Exchange (IKE) v as well as IKE v algorithm
  The new encryption standard AES, & (Advanced Encryption Standard)
- IPSec VPN should support XAuth over RADIUS and RSA SecurID or similar product.
- The system should support forms of site-to-site VPN configurations:
  a) Route based IPsec tunnel
  b) Policy based IPsec tunnel
- The product must deliver integrated SSL VPN. At least 00 concurrent users must be supported by the product. Minimum 00 SSL VPN licenses must be enabled from day one.
- Should support a one-time login per user option: prevents concurrent logins using the same username.
- Should support SSL-VPN two-factor authentication.
- Should support single sign-on for FTP and SMB.
- Should support Windows, and MAC OS for SSL-VPN (should have always-on clients for these OS apart from browser based access).
- Should support host integrity checking and OS check (for Windows terminals only) prior to SSL tunnel mode connections.
- Should be able to view and manage current IPSEC and SSL VPN connections in detail.
- Device should support a client for both IPSec and SSL-VPN.
- Should support NAT within IPSec/SSL VPN tunnels.
- Should also support PPTP and LTP over IPSec VPN protocols.

I. Web Content Filtering
- The appliance should facilitate an embedded web content filtering feature.
- Web content filtering solution should work independently without the need to integrate with a proxy server.
- Should have facility to block URLs based on categories.
- URL database should be cloud based, with filtering for categories like Adult, PP, Non-Business, Social Networking, Unknown, Malware and Phishing websites.
- Should be able to block different categories/sites based on users.
- Should have configurable parameters to block/allow unrated sites.
- Should have configurable options to allow/deny access to web sites in case the URL rating service is unavailable.
- Should have options to customize the block message information sent to end users.
- Should have facility to schedule the configurations so that non-work-related sites are blocked during office hours and access is allowed to all sites except non harmful sites during non-office hours.
- The solution should have options to block Java applets, ActiveX as well as cookies.
- The solution should be able to block URLs hosting spyware / adware etc.
- Should have configurable policy options to define the URL exempt list.
- The proposed solution should be able to enable or disable Web Filtering per policy or based on authenticated user groups for both HTTP and HTTPS traffic.
- The URL Filtering solution must support blocking of phishing websites.
- The solution must prevent users from credential theft by not allowing users to submit corporate credentials to unauthorized websites/categories as defined by policy.

J. Anti-virus & Anti-bot
- Should be able to block, allow or monitor only using AV signatures and file blocking, per firewall policy or based on firewall authenticated user groups, with configurable selection of the following services:
  a) HTTP, HTTPS
  b) SMTP, SMTPS
  c) POP, POPS
  d) IMAP, IMAPS
  e) FTP, FTPS
- Solution should be able to inspect traffic on the fly for infected files using its own Anti-virus (AV) engine. It should be able to notify users if the traffic is blocked due to upload/download of an infected file.
- Solution should have no file size restrictions on file scanning.
- Firewall must include Anti-bot capability using IP reputation DB, and must also terminate botnet communication to C&C servers. Vendor needs to add an additional license if it is required.
- Firewall should have dedicated botnet and command-and-control definitions inbuilt in its database, and these should be updated on a regular basis so that new definitions protect against new threats.
- Antivirus module should be ICSA certified.

K. Data Leakage Prevention
- Firewall should have in-built DLP functionality without requiring any additional hardware or software license.
- System should allow the administrator to prevent sensitive data from leaving the network. Administrator should be able to define sensitive data patterns, and data matching these patterns should be blocked and/or logged when passing through the unit.
- Solution must detect, protect and log sensitive data travelling through HTTP and HTTPS channels.
- DLP actions should be: Log only, block, quarantine user/IP/interface.

L. Other Requirements
- Provision to create secure zones / DMZ (i.e. multi-zone support).
- Should support Gateway Data Loss Prevention (DLP) feature for popular protocols like HTTP, HTTPS, FTP, POP, IMAP, SMTP, POPS, IMAPS, SMTPS.
- The DLP feature should support popular file types like MS-Word, PDF etc.
- Should support Packet Capture/sniffer to capture and examine the contents of individual data packets that traverse the firewall appliance for troubleshooting, diagnostics and general network activity.
- Should be able to support Geo-IP block; it should be able to block country-wise traffic.

M. Warranty
- years x comprehensive support from OEM with maximum hour response time / hour Call-to-Resolution.

N. Services & Support
- Replacement should there ever be a hardware failure.
- Training: Technical Training for two persons.

All other terms and conditions of the above referred tender shall remain unaltered.