SPECIFICATIONS FOR PERIMETER FIREWALL. APPENDIX-24 Complied (Yes / No) Remark s. S.No Functional Requirements :

Transcription

1 S.No Functional Requirement : 1 The propoed olution mut allow ingle policy rule creation for application control, uer baed control, hot profile, threat prevention, Anti-viru, file filtering, content filtering, QoS and cheduling at ingle place within a ingle rule and not at multiple location. There mut not be different place and option to difine policy rule baed on thee parameter The Solution mut upport identification and control of all type of application (Buine, Social, Encrypted and Cutom) within our environment without requiring any licene/ubcription/blade. It hould provide detailed analyi on eion conumed,data tranferred and threat involved through the application. The propoed olution mut allow free cutom application ignature for Homegrown and cutom application(both current and future) that are running in our network. The olution mut provide real time traffic log baed on application irrepective of port. While monitoring real time traffic log, olution mut provide detailed view of application and Uer, not jut port and ip addree. Solution mut not have Application pecific chip like ASIC that doen't allow future firmware and feature expanion on the ame hardware. Solution mut be baed on parallel proceing architecture and mut not ue proprietry ASIC chip. The propoed olution mut be in the Leader quadrant in Gartner Magic Quadrant of Enterprie Firewall for lat 3 year. Solution mut upport Full tunnel, plit tunnel and application pecific tunnel for client to ite VPN. Solution mut allow cutom policie to control VPN traffic baed on uer, application. It mut allow different policie for different uer group for threat (Virue, vulnerabilitie, zero-day malware) within VPN traffic. The Firewall mut upport application identification and control natively, without requiring any licene/ubcription/blade.

2 S.No Functional Requirement : 9 The olution mut upport Firewall, Application viibility and control, IPS, Anti-viru, Anti-malware, Anti-bot, Zero-day attack prevention from day one The olution mut have alway on acce to the firewall. The Firewall hould have dedicated inbuilt hardware reource for firewall acce and management at all time, and mut be available irrepective of load. The olution mut report on the CPU uage for management activitie and CPU uage for other activitie. The propoed olution mut upport Policy Baed forwarding baed on: - Zone - Source or Detination Addre - Source or detination port - Application (not port baed) - AD/LDAP uer or Uer Group - Service or port Firewall hould upport Active/Active and Active/Paive HA and mut upport ynchronization of the following for HA: All eion -Decryption Certificate -All VPN Security Aociation -All IPS and AV eion -All threat and application ignature -FIB Table The propoed olution mut upport different Cutom IPS and Application policie for different uer and group. The propoed olution mut upport Cutomized DoS protection rule. Solution hould upport Seion baed load haring (not packet baed) over multiple equal cot path.it hould work with both tatic and dynamic routing. The propoed olution mut upport different action in the policy uch a deny, drop, reet client, reet erver, reet both client and erver. Solution hould upport Seion baed (not packet baed) differentiated ervice code point (DSCP) claification.

3 S.No Functional Requirement : Solution mut upport end-to-end (firewall-to-client) priority policing and C2S & S2C direction enforcement. Solution mut upport Link Layer dicovery protocol (LLDP) for implified network management Solution mut upport IPv6 baed ite-to-ite VPN tunnel Solution mut upport SNMP counter for logical interface e.g L2/L3 ubinterface, tunnel intefface, LAG (802.3ad), Loopback. Solution mut upport virtual ytem.every Virtual ytem mut upport individual eparate configuration for eparate DNS entrie and other ervice route for acce to NTP, Sylog, SNMP, Proxy etc. Every virtual ytem mut upport individual route through virtual ytem pecifc interface to acce all thee ervice. Solution hould correlate and detect hot that have received malware detected by inbuilt APT olution, and have alo exhibited command-and-control (C2) network behavior correponding to the detected malware. Solution hould correlate and detect hot that have exhibited command-and-control (C2) network behavior correponding to malware detected by inbuilt APT olution elewhere on the network Solution hould correlate and detect a hot involved in a equence of activity indicating remote compromie, tarting with canning or probing activity, progreing to exploitation, and concluding with network contact to a known maliciou domain. Solution hould detect probable exploit kit activity targeted at a hot on the network. Exploit kit hould be identified by a vulnerability exploit or exploit kit landing page ignature, combined with either a malware download ignature or a known commandand-control ignature.

4 S.No Functional Requirement : Solution hould correlate and detect likely compromied hot baed on activity that reemble command-and-control (C2) beaconing, uch a repeated viit to dynamic DNS domain, repeated file download from the ame location, generation of unknown traffic, etc. Solution mut provide change control and baeline deviation mechanihm. It mut provide viibility in traffic pattern change in lat one hour, one day and compare thi with lat one day, one week and one month traffic pattern. The propoed olution hall upport andbox behavior baed inpection and protection of unknown virue and zero-day malware for any application and protocol (not limited to HTTP and SMTIP) The propoed olution hall upport automated ignature generation for dicovered zero-day malware and the OEM hould enure the delivery of the ignature in 15 min from the time of inpection Solution mut provide automatic ignature for zeroday malware baed on File content and file type (not jut file hah and file name) Solution mut perform andbox baed multi-verion analyi of PDF file acro minimum three verion of Adobe reader The propoedolution hall upport DNS-baed ignature to detect pecific DNS lookup for hotname that have been aociated with malware The olution mut upport minimum four level of decompreion/decoding for any combination of decoding: ZIP, gzip, bae64,chunked, uuencode. The olution mut provide the ability to block file with multi-level-encoding with 5 or more level of compreion e.g office file in 5 level of zip. The propoed olution be able to upport imultaneou deployment with interface ervicing Layer 3, Layer 2, Tranparent and Tap mode The propoed olution mut upport the ability to lock configuration while modifying it, avoiding adminitrator colliion when there are multiple people configuring the appliance

5 S.No Functional Requirement : The propoed olution mut upport validation of policy for hadowed rule before rule application The propoed olution mut upport on appliance Per policy SSL and SSH decryption for both inbound and outbound traffic. The propoed mut upport on appliance SSL decryption policy baed on IP, Uer, web category The Propoed olution hould upport authentication for terminal ervice like Citrix and Microoft. The propoed olution hall upport block and continue (i.e. allowing a uer to acce a web-ite which potentially violate policy by preenting them a block page with a warning with a continue option allowing them to proceed for a certain time) The propoed olution hould upport the ability to create QoS policy on a per rule bai: -by ource addre -by detination addre -by application (uch a Skype, Bittorrent, YouTube, azureu) -by tatic or dynamic application group (uch a Intant Meaging or P2P group) -by port and ervice The propoed olution hall upport packet capture baed on: -Application -Unknown Application -any threat -data-filter Solution upgrade mut not require new licene and there mut be feature parity from previou verion Solution mut not require cloud connectivity to detect and control any application Solution hould allow file blocking acro all protocol not limited to http, mtp, imap, Pop3. Solution mut provide a ingle on appliance management for Firewall, Application control, IPS, AV, Advanced malware etc.

6 S.No Functional Requirement : 50 The OEM mut provide free profeional ecurity audit report once every 3 month after tudying the network. The report mut provide detail related to dicovery of all type of threat (known and unknown) that are running on the network. It hould alo cover bandwidth utiliation of all application by uer, and capture the threat landcape uggeting corrective action if required. The Bidder i duty bound to include implementation a part of thi exercie. Pleae note that all uch ecurity report will be the property of the Railtel. 51 S.No OEM mut provide performance, throughput and feature evidence through public domain- Webite and data heet. we reerve the right for aking the bidder to do a PoC that validate all technical compliance a ubmitted in the tender document. Any variance found during the PoC and not inline with technical compliance ubmitted by the bidder will be ummarily rejected leading to bid diqualification.the PoC will be done before the releae of any formal purchae order. Hardware Specification The propoed olution will be a Next Generation Firewall and not an UTM (unified threat management) ytem, with a capability of upporting at leat 250 Mbp of Application Identification Enabled Firewall throughput uing 64 byte HTTP packet. The OEM mut publih performance claim on public domain like webite, dataheet. Letter head performance claim will not be entertained. The propoed olution hould upport at leat 100 Mbp of performance with Firewall, application control, IPS, Anti-Viru, Anti-malware and Anti-bot enabled. The OEM mut publih performance claim on public domain like webite, dataheet. Letter head performance claim will not be entertained. Thi ubcription licene not to be quoted but teh functionality hall be available from Day 1.

7 S.No Functional Requirement : The propoed olution hould upport at leat 100 Mbp Gbp of performance with tream baed (not proxy baed) Anti-Viru Prevention. The OEM mut publih performance claim on public domain like webite, dataheet. Letter head performance claim will not be entertained. The performance mut be meaured uing Data Center Environment with all Traffic enabled (not jut internet traffic). The OEM mut furinh detail of the teting methodology. The propoed olution mut upport at leat 64,000 concurrent connection. The connection count mut be active TCP connection. The propoed olution mut upport at leat 7,500 new eion per econd The propoed olution mut upport at leat 50 Mbp of IPSec VPN throughput. The olution mut provide 8 10/100/1000 gigabit interface and 1 out of band management interface. 60 The propoed olution mut upport at leat 250 IPSec VPN tunnel and 100 SSL VPN Uer from Day one without requiring any licene.