Social Islami Bank Ltd.

Transcription

1 Social Islami Bank Ltd. IT Division, Level-19, City Center 90/1, Motijheel C/A, Dhaka 1000, Bangladesh Request For Proposal Supply and implementation of Next Generation Firewall in perimeter to secure infrastructure and Security Solution for comprehensive protection of enterprise system for SIBL Infrastructure. Schedule No. : SIBL-IT NG Firewall and security. Submission Date : 29 January, 2015 DISCLAIMER: The document briefly describes the Technical requirements and Financial for supply and implementation of Next Generation Firewall in perimeter to secure infrastructure and Security Solution for comprehensive protection of enterprise system for SIBL Infrastructure. Your access to it does not imply a license to reproduce and / or distribute this information and you are not allowed to any such act without the prior approval of Social Islami Bank Limited.

2 Table of Contents 1. Introduction: Network Topology Technical Requirements and Specifications Next generation firewall requirement Security Solution Financial Offer: Terms and Conditions: Submission Form Evaluation Criteria...18 Proprietary & Confidential 2 of 18

3 1. Introduction: Social Islami Bank Ltd is running Core Islami Banking Solution since Total no of Branches/ Users is increasing per year. Now, Bank has a robust network infrastructure and communication system to perform banking activities. At present Social Islami Bank Ltd have layer four firewall for its internet security and no security solution in its IT infrastructure. Now a day s internet system has become so complex and threats coming from internet cannot be detected by a legacy layer four firewall and same for the system. Therefore, we need to deploy a Next generation layer seven (7) firewall and security system to secure its infrastructure. 1.1 Network Topology Internet Internet Router security Eamil server Eamil server Eamil server DMZ switch Internet Firewall 1 Internet Firewall 2 Access Core switch Core Core banking servers Proprietary & Confidential 3 of 18

4 2. Technical Requirements and Specifications: Supply, Installation and Configure below item Next generation firewall requirement (Palo Alto Model: PA 3020): General Feature Performance and Capacity Bank s Requirement To protect the internet perimeter from external attacks Should be a leader in the Gartner for past four years or above. The proposed firewall must run on a hardened OS and delivered on purpose built hardware (i.e. no server architecture) The proposed firewall must be optimized for layer 7 application level content processing and have special ASICS to handle signature matching and processing in a single pass parallel processing architecture The proposed firewall must allow policy rule creation for application identification, user identification, threat prevention, QOS and scheduling in a single rule and not in multiple locations in the management console. The proposed firewall should have a minimum application layer throughput of at least 2Gbps The proposed firewall should support Application layer plus IPS and Treat Prevention and should have a throughput of 1Gbps The proposed firewall should support Application layer plus IPS, Anti Virus, Anti Spyware/Malware and all other Treat Prevention features turn on throughput of 1Gbps The proposed firewall should have least 120Gb Hard drive for storage The proposed firewall should have at least 12x10/100/1000 interfaces and minimum of 8x 1GE SFP interfaces The proposed firewall should have dedicated management interface for out of band management and a console port The proposed firewall should support IPSec VPN throughput of 500 Mbps The proposed firewall should support 250,000 concurrent sessions The proposed firewall should support 50,000 new sessions per second The proposed firewall should support at least 1000 IPSec VPN tunnels The proposed firewall should support at least 1000 SSL / Remote VPN users The proposed firewall should support at least 05 Virtual Systems The proposed firewall should support at least 40 security zones The proposed firewalls effective throughput (all features turned ON) should be at least 45% of the raw stated throughput (vanilla firewall throughput) to ensure minimal degradation of performance The firewall should have separation of processing between data flow and management/control (separate planes/processors) The proposed firewall must be able to be administered locally on the box without additional management or logging software. The proposed firewall should be able to generate all functional reports out of the box with no additional hardware or software from the vendor or any third party solution The proposed vendor must be in the Leader s quadrant of the Enterprise Firewalls Gartner Magic Quadrant for at least 3 years Vendor Response Proprietary & Confidential 4 of 18

5 Operation Mode The proposed firewall must allow policy creation for application identification, user identification, threat prevention in a single location: -Application Detection -IPS -Anti-Virus -Anti-Spyware -Botnet detection -Data Content Filtering -URL Filtering -IPSec VPN -SSL-VPN -High Availability -Virtual Systems -QoS (marking and/or traffic shaping) -SSL Decryption -SSH Decryption The proposed firewall must be able to operate in routing/nat mode The proposed firewall must be able to support Network Address Translation (NAT) The proposed firewall must be able to support Port Address Translation (PAT) The proposed firewall must be able to support Policy-based NAT The proposed firewall must be able to support Traffic Management QoS per policy The proposed firewall must be able to support Network attack detection The proposed firewall must be able to support DoS and DDoS protection The proposed firewall must be able to support TCP reassembly for fragmented packet protection The proposed firewall must be able to support Brute force attack mitigation The proposed firewall must be able to support SYN cookie protection The proposed firewall must be able to support IP spoofing The proposed firewall must be able to support Malformed packet protection The proposed firewall must support tap mode (via mirrored, taped, or SPAN port) The proposed firewall must support transparent mode (layer 1, or bump on the wire) The proposed firewall must support layer 2 deployment The proposed firewall must support layer 3 deployment The proposed firewall must support simultaneous deployment with interfaces servicing layer 3 connections, transparent and tap modes within a single piece of hardware The proposed firewall shall support 802.1Q VLAN tagging The proposed firewall shall support Dual Stack IPv4 / IPv6 application control and threat inspection support in: - Tap Mode - Transparent mode - Layer 2 Proprietary & Confidential 5 of 18

6 - Layer 3 The proposed firewall shall support standards based Link aggregation (IEEE 802.3ad) to achieve higher bandwidth. The proposed firewall shall support logical Ethernet sub-interfaces tagged and untagged. The proposed firewall must be able to support Dynamic IP/Port NAT (Many -to- 1, and Many-Many) The proposed firewall must be able to support Dynamic IP NAT (Manyto-Many) The proposed firewall must be able to support Static IP Nat (1-to-1, Many-to-Many, IP's) The proposed firewall must be able to support 1-to-1 bidirectional static NAT The proposed firewall must be able to support Virtual IP (VIP) The proposed firewall must be able to support Port Address Translation (PAT) The proposed firewall must be able to support source NAT The proposed firewall must be able to support destination NAT The proposed firewall must be able to support source and destination NAT simultaneously independent of security policy The proposed firewall must be able to provide NAT traversal capabilities, supporting VoIP applications and services The proposed firewall must support the following routing protocols: - Static - RIP v2 - OSPF - BGP v4 The proposed firewall must have IPv6 Routing Support even for virtual routers. The proposed firewall must have Virtual Router capability that supports all L3 capability (minimum 20) The proposed firewall must support Policy Based forwarding based on: - Zone - Source or Destination Address - Source or destination port - Application (not port based) - AD/LDAP user or User Group The proposed firewall shall support DNS proxy The proposed firewall shall support DHCPv6 relay The proposed firewall solution must be able to support Active/Active HA configuration The proposed firewall solution must be able to support Active/Passive HA configuration The proposed firewall solution must be capable to detect device failure The proposed firewall solution must be capable to detect link and path High Availability failure The proposed firewall solution must be able to support encryption of HA heartbeat & control traffic The proposed firewall solution must be able to support session and configuration synchronization The proposed firewall shall synchronize the following for HA - All sessions Proprietary & Confidential 6 of 18

7 Central Management Policy Based Controls - Decryption Certificates - All VPN security associations - All threat and application signatures - All configuration changes - FIB tables The proposed firewall HA shall support hitless upgrades for both major and minor code releases The proposed management system shall also needs to be able to provide a customizable 'Application command center' or at least system monitor to provide overall status of the network traffic and attack going through the firewall, including potential problems that may need attention The proposed management should use simple HTTPS/SSL base UI for management The management server shall provide the ability to generate and deploy numerous policies to multiple firewall system through an intuitive policy management user interface The management server must be capable of providing rich reports based on application, users and threats or in any combination. The management server must be able to monitor system and status that will send out s to the administrator regarding the health of the appliance based on the threshold been set. The management server must support the report generation on a manual or schedule (Daily, Weekly, Monthly, etc. ) basis The management server must allow the report to be exported into other format such as PDF, HTML, CSV, XML etc. The logs from management server must be able to allow archiving and backup of configurations and historical logs to tapes or similar devices. The management system must be able to provide different level of users account and access management, with support for external authentication server, specifically RSA Secure ID and/or Active Directory The management system must be able to audit any changes made to rules or configuration with full details. The management system must support systems configuration rollback to previously saved configurations on box The management system must support validation of policy for shadowed rules before rule application The management system must support the ability to lock configuration while modifying it, avoiding administrator collision when there are multiple people configuring the appliance The management system must support the ability to view delta's between current, staged, or past configurations on the appliance The management system must be able to integrate with third-party SIEM vendors The proposed firewalls must be via central management and locally without causing synchronization issues The proposed firewall must have built in XML API for management purposes; custom logging capabilities. The proposed firewall shall control parameters by security Zone, Users, IP, Application, Schedule, QOS The proposed firewall shall be application based (even for unknown applications running on non-standard ports) and not port-based and Proprietary & Confidential 7 of 18

8 Application Security Policy protocol based. The proposed firewall shall support the following policy types/capabilities: -Policy-based control by port and protocol -Policy-based control by application and/or application category (nonport based) -Policy-based control by user, group or IP address -Policy-based control by country code (SG, VN, USA, UK, RUS) -Per policy SSL decryption & inspection (forward or reverse proxy) -Per policy SSH decryption & inspection -Block files by type: bat, cab, dll, exe, pif, and reg -Data filtering: Social Security Numbers, Credit Card Numbers, -Data filtering: Custom Data Patterns -QoS Policy-based traffic shaping (priority, guaranteed, maximum) -QoS Policy-based diffserv marking -Policy support of IPv6 rules/objects -Policy support of multicast rules/objects -Policy support for scheduled time of day enablement The proposed firewall shall control parameters by security Zone, Users, IP, Application, Schedule, QOS etc. The proposed firewall shall support network traffic classification which identifies applications across all ports irrespective of port/protocol/evasive tactic The proposed firewall shall have multiple mechanisms for classifying applications The proposed firewall shall have application identification technology based upon IPS or deep packet inspection The proposed firewall shall be able to handle unknown/unidentified applications e.g. alert, block or allow The proposed firewall shall be able to create custom application signatures and categories The proposed firewall shall include a searchable list of currently identified applications with explanation and links to external sites for further clarification The proposed firewall shall allow updating the application database automatically or manually via the control or traffic plane The proposed firewall shall allow dynamic updates of the application DB and not require a service restart or reboot The proposed firewall shall warn the end-user with a customizable page when the application is blocked The proposed firewall shall allow port-based controls to be implemented for all applications as well in the same rule The proposed firewall shall delineate specific instances of peer2peer traffic (Bit torrent, emule, neonet, etc.) The proposed firewall shall delineate specific instances of instant messaging (AIM, YIM, Facebook Chat, etc.) The proposed firewall shall delineate different parts of the application such as allowing Facebook chat but blocking its file-transfer capability The proposed firewall shall delineate specific instances of Proxies (ultrasurf, ghostsurf, freegate, etc.) The proposed firewall shall support Voice based protocols (H.323, SIP, SCCP, MGCP etc.) The proposed firewall shall be able to create filters to control groups Proprietary & Confidential 8 of 18

9 Threat Prevention of application based on category, sub category, technology, risk or characteristics etc. The proposed firewall shall support user-identification allowing Active Directory, LDAP, RADIUS groups, or users to access a particular application, while denying others The proposed firewall shall support IPS features on the proposed firewall hardware The proposed firewall shall support Anti-Virus and Anti-Spyware (phone home attacks) on the proposed firewall across all product line offerings The proposed firewall shall block application vulnerabilities on all proposed firewall models The proposed firewall IPS shall be supported by a world-class research organization dedicated to the discovery and analysis of threats, applications and their respective network behavior. The threat and vulnerability information that the IPS protect against shall be publicly accessible on the internet. The proposed firewall shall block spyware and malware on all proposed firewall models The proposed firewall shall block known network and application-layer vulnerability exploits The proposed firewall shall block buffer overflow attacks The proposed firewall shall block DoS/DDoS attacks The proposed firewall shall perform stream-based Anti-Virus and not store-and-forward traffic inspection The proposed firewall shall perform stream-based Anti-Spyware and not store-and-forward traffic inspection The proposed firewall shall be able to perform Anti-virus scans for SMB traffic The proposed firewall shall support attack recognition for IPv6 traffic the same way it does for IPv4 The proposed firewall shall support Built in Signature and Anomaly based IPS engine on the proposed firewall The proposed firewall shall support the ability to create custom userdefined signatures The proposed firewall shall support be able to exclude certain hosts from scanning of particular signatures The proposed firewall shall support granular tuning with option to configure overrides for individual signatures The proposed firewall shall support automatic security updates directly over a secure connection (i.e. no dependency of any intermediate device) The proposed firewall Threat/Anti-Virus/Anti-Spyware updates shall not require reboot of the unit. The proposed firewall shall support the same signature packages across all platforms and models The proposed firewall shall support several prevention techniques including drop packet, tcp rst (Client, Server & both) etc. List all prevention options The proposed firewall shall support response adjustment on a per signature basis. The proposed firewall shall support notifications via alerts, notifications, SNMP traps and packet logs Proprietary & Confidential 9 of 18

10 URL Filtering Data Filtering Modern Malware Prevention User Identification The proposed firewall shall not have a performance hit when IPS, Anti- Virus, and Anti-Spyware is enabled below the threat prevention throughput. Please state in percentage and absolute throughput figures if any The proposed IPS should be capable of adding threat exceptions based on IP address The proposed firewall shall support URL-Filtering The proposed firewall shall have the database located locally on the device The proposed firewall shall support custom URL-categorization The proposed firewall shall support customizable block pages The proposed firewall shall support block and continue (i.e. allowing a user to access a web-site which potentially violates policy by presenting them a block page with a warning with a continue option allowing them to proceed for a certain time) The proposed firewall shall support logs populated with end user activity reports for site monitoring within the local firewall The proposed firewall shall support logs populated with end user activity reports for site monitoring within the central manager The proposed firewall shall support Drive-by-download control The proposed firewall shall support URL Filtering policies by AD user, group, machines and IP address/range Full-path Categorization of URLs only to block re categories the malicious malware path not the full domain or website The proposed firewall shall support file identification by signature and not file extensions The proposed firewall shall support identification and optionally preventing the transfer of various files (i.e. MS Office, PDF, etc.) via identified applications (i.e. P2P, IM, SMB, etc.) The proposed firewall shall support compressed information stored in zipped format and be able to unpack and filter per policy The firewall shall be capable of identifying and optionally preventing the transfer of files containing sensitive information (i.e. credit card numbers) via regular expression Should support DNS based botnet signature to control DNS look ups of known malicious domains The proposed firewall must have sand box-based protection of unknown viruses. The proposed firewall must have automated signature generation for discovered malware The proposed firewall must have inline control of malware infection and command/control traffic The proposed firewall shall support SLA based signature delivery for unknown malware The proposed firewall must have modern malware protection that identifies unknown malicious files by directly and automatically executing them in a virtual cloud-based environment to expose malicious behavior even if the malware has never been seen in the wild before without the need for additional hardware. The proposed firewall shall support authentication services for useridentification: - Active Directory - LDAP Proprietary & Confidential 10 of 18

11 QoS SSL/SSH Decryption - edirectory - RADIUS - Kerberos - Client Certificate The proposed firewall should support the creation of security policy based on Active Directory Users and Groups in addition to source/destination IP within the same hardware platform The proposed firewall shall support user-identification in policy, logs, reports and other parameters without any external agent installation The proposed firewall shall support user-identification from Citrix and terminal services environments in policy and logs The proposed firewall shall populate and correlate all logs with user identity (traffic, IPS, data, etc.) without any additional products or modules in real-time The proposed firewall should support the ability to create QoS policy on a per rule basis: (across product line) - by source address - by destination address - by user/user group as defined by AD - by application (such as Skype, Bittorrent, YouTube, Facebook, twitter) - by static or dynamic application groups (such as Instant Messaging or P2P groups) - by port The proposed firewall shall define QoS traffic classes with: - guaranteed bandwidth - maximum bandwidth - priority queuing The proposed firewall should support real-time prioritization of voice based protocols like H.323, SIP, SCCP, MGCP and applications like Skype The proposed firewall should support diffserv marking of packets The proposed firewall should support real-time bandwidth statistics of QoS classes The proposed firewall shall be able to identify, decrypt and evaluate SSL traffic in an outbound connection (forward-proxy) The proposed firewall shall be able to identify, decrypt and evaluate SSL traffic in an inbound connection The proposed firewall shall be able to identify, decrypt and evaluate SSH / SSH Tunnel traffic in an outbound connection The proposed firewall shall be able to identify, decrypt and evaluate SSH / SSH Tunnel traffic in an inbound connection The NGFW shall support the ability to have a SSL inspection policy differentiate between personal SSL connections i.e. banking, shopping, health and non-personal traffic Is the proposed firewall able to decrypt in the following network modes: -Tap mode -Transparent mode -Layer 2 mode -Layer 3 mode SSL decryption must be supported on any port used for SSL i.e. SSL decryption must be supported on non standard SSL port as well Proprietary & Confidential 11 of 18

12 VPN Authentication TCP Dump / PCAP Power supply Report and The proposed firewall must be capable of IPSec VPN The proposed firewall must be capable of SSL VPN The proposed firewall must have the ability to establish VPN connections to protect the traffic, enforces policy to manage access to applications and data, and provides protection against mobile threats. Solution must be capable of permitting users to enjoy the native enterprise network facilities in their preferred devices while connected in internet from anywhere. The proposed firewall should have the provision to integrate mobile device manager and mobile device threat management system from the same vendor. The proposed firewall shall support IPSec VPN or SSL VPN without additional licensing. IPSec VPN should be integrated with NGFW and support full encryption standards suites- - DES, 3DES, AES - MD5 and SHA 1 authentication - Diffie Hellman Group 1, Group 2 and Group 5 - Internet Key Exchange (IKE) algorithm - AES 128, 192 & 256 (Advanced Encryption Standard) The proposed firewall should support automatic establishment of SL VPN tunnel when the end point is detected to be outside of the corporate network The proposed firewall should support global load balancing for SSL connections based on response times from the different gateways The proposed firewall administrative module shall support the following authentication protocols: - LDAP - Radius (vendor specific attributes) - Token-based solutions (i.e. Secure-ID) - Kerberos The proposed firewall s SSL VPN shall support the following authentication protocols - LDAP - Radius - Token-based solutions (i.e. Secure-ID) - Kerberos - Any combination of the above The proposed firewall shall support on box packet captures based on: - Source Address - Destination Address - Applications - Unknown Applications - Port - any threat - data-filters - any combination of the above The proposed firewall shall support PCAP downloads of specific traffic sessions from the GUI from the logging screen Internal power supply having input voltage 230 V and 13Amp power cable should be available. The proposed vendor must have a track record of continuous 3 years Proprietary & Confidential 12 of 18

13 Analysis / Industry Recognition Warranty and Support improvement in threat detection and must have successfully completed NSS recommended category on NSS-Next Generation Firewall Product Analysis Report. Should be listed on Gartner leaders quadrant for Enterprise network firewalls for last 3 years. Three (3) years Comprehensive warranty, support and subscription Security Solution (Barracuda Model: BSF-400) Feature Capacity Active Users Domains Message Log Storage Quarantine Storage Hardware Rack mount Chassis Dimensions (in) Weight (lb) Ethernet AC Input Current (amps) Redundant Disk Array (RAID) Features Outbound Filtering Encryption Cloud Protection Layer MS Exchange/LDAP Accelerator Per-User Settings and Quarantine Delegated Help Desk Role Syslog Support Clustering & Remote Clustering Per Domain Settings Single Sign-On SNMP/API Warranty, support and subscription Requirement System should support at least 5000 users. System should be capable of handling at least 500 domains. Log storage capacity should be at least 22 GB. Quarantine Storage should be at least 58 GB. Standard. Standard. Standard. 1 x Gigabit. Standard. Should support RAID. System Should Support Outbound filtering capacity with no degradation of performance. Encryption capacity should be there at the highest level System should have provision of Cloud protection layer System should be capable to hook in to Active Directory or LDAP server and checks the validity of an address before accepting the . System should be able to quarantine according to user and user setting can customizable. System should support help desk role System should be capable to integrate any syslog server Clustering option should be there System can be configured as per domain Single sign-on feature should be supported. System should support standard SNMP and API for any system integration 01 year Comprehensive warranty, support and subscription. Vendor Response Proprietary & Confidential 13 of 18

14 3. Financial Offer: [*The full specification of the item is as per Technical Offer.] Name of the Company : Financial Proposal : SN Particulars Qty Unit Price (Tk.) Total Price (Tk.) Subscription / AMC (%) from 2 nd Year onwards Delivery Period 1 Palo Alto Networks PA with Redundancy 02 SN Particulars Qty Unit Price (Tk.) Total Price (Tk.) Subscription / AMC (%) from 2 nd Year onwards Delivery Period 2 Barracuda BSF Training on Palo Alto and Barracuda (Person) 05 Seal & Signature With Name of the participating vendor Proprietary & Confidential 14 of 18

15 4. General Terms and Conditions: i. Submission of the bid document: The participant company must submit the offer in two (02) separate envelopes. One envelope will contain the technical offer and the other envelope will contain the financial offer. The two envelopes must be covered in a large envelope. All the envelopes will contain the full name and address of the participant company. The name, address and telephone number of the contact person should be mentioned in the forwarding letter submitted with the technical offer. The technical offer should also be submitted as softcopy as well in CD/DVD/Flash drive in PDF format including relevant supporting documents as proof. ii. iii. iv. Time & date of submission: Up to 4:00 pm as on Jan 29, The sealed tender must be submitted in the tender box kept in the IT Division, Level-19, SIBL Corporate Office, 90/1, Motijheel, Dhaka mentioning Quotation for supply and implementation of Next Generation Firewall in perimeter to secure infrastructure and Security Solution for comprehensive protection of enterprise system Social Islami Bank Ltd. The Technical proposals submitted against the subject RFP will be opened on 29th January, 2014 at 4:30 PM in front of the purchase committee of Social Islami Bank Limited. The Financial offer will be opened at a later date, which will be notified earlier. Only Technically qualified offers will be opened. Proper documents and data sheet have to be provided for indicating all the specification is present in the offered hardware which is stated in the required specification, features and description along with brochure and road maps. v. 2 % (Two percent) of the quoted price to be submitted as Bank Guarantee (BG) with the offer in favor of "Social Islami Bank Limited" as earnest money for the period of 6 (Six) months. vi. vii. The awarded bidder shall submit a Bank guarantee of 2.5% of the quoted value as performance guarantee for the entire warranty period. The earnest money will be released upon receive of performance guarantee. All the prices should be mentioned in BDT and payment will also be made in BDT. All quoted price should include delivery, installation, testing and training cost and VAT, Tax, etc., if any. viii. Payment terms : a. 50% on delivery on SIBL premises. b. 50% on successful installation, testing and commissioning and submission of regulatory compliance report. ix. Warranty period will start after delivery, installation & successful commissioning. The AMC will start after the end of the warranty period as set forth in the tender schedule. During warranty vendor will replace or repair the defected / corrupted hardware and correct the software bug within 24 hours of reporting of the problem. The vendor will attend the problem with 2 hours of reporting. Proprietary & Confidential 15 of 18

16 x. Photocopy of all the relevant documents should be submitted with the offer including: a) Copy of Valid Trade License. b) Copy of Certificate of Incorporation c) Copy of TIN certificate. d) Copy of VAT registration certificate to be submitted. e) Copy of Manufacturer Authorization Letter f) Copies of Audited Annual Report for the last three (03) financial year(s). g) List of major clients in Financial Institutions and copies of certificates issued by such financial institutions regarding supply, installation and configurations of quoted products to such financial institutions xi. xii. xiii. The bidder should have experience in business of Supplying, installing, commissioning, operating of similar goods and providing support service in Bangladesh for the last one year in renowned organization. Should submit a realistic project implementation plan along with Gantt chart. The successful bidder must supply and install the hardware & software within 6-8 weeks from the date of issuance of the work order. In case of failure, the Performance Security of the bidder will be forfeited. The Bank shall not be under any obligation to accept the lowest quotation. The Bank authority reserves the right to accept or reject any or all, in part or full offers without assigning any reason. The Bank reserves the right to flexible, change or drops any of the terms and conditions of the schedule without any further notice. I/we have completely read the terms and conditions & specifications and understood the total responsibility of the job. I/we have quoted this bid taking all the responsibility and liability. Name of the Bidder: Signature: Telephone No: VAT Registration Number: Address: Seal: Proprietary & Confidential 16 of 18

17 5. Submission Form (To be submitted on the pad of the bidder) IT Division, Level-19, SIBL Corporate Office, Social Islami Bank Ltd. 90/1 Motijheel, Dhaka Bangladesh. Date: Subject: Submission of proposal for supply and implementation of Next Generation Firewall in perimeter to secure infrastructure and Security Solution for comprehensive protection of enterprise system. Dear Sir, With reference to your Tender Notice published in the Daily. Dated., I/We, being agreed to the terms and conditions as contained in the relative schedule SIBL-IT NG Firewall and security of Social Islami Bank Ltd, hereby submitted our proposal for Supply and implementation of Next Generation Firewall in perimeter to secure infrastructure and Security Solution for comprehensive protection of enterprise system which includes the Technical Proposal and Financial Proposal sealed under separate envelopes. I/we would also like to provide the following the information of our company: 1. Company Name, Address :. 2. Name of the Proprietor/ Partner/ :. Director 3. Date of commencement of Business :. 4. Nature of the business :. 5. Total number of permanent :. employee 6. Particulars of identical projects with :. other Bank/ financial Institution (related papers are attached with the Technical Proposal) 7. Relevant papers mentioned in the schedule are enclosed herewith : a). b). c). d). e). I/we solemnly declare that the statements made above are correct. I/We agree that any misstatement made by us, if detected later on, shall render our application unacceptable to the Bank. (Signature) (Name & designation of Authorized Signatory) (Name & Address of the Bidder with Seal) Proprietary & Confidential 17 of 18

18 6. Evaluation Criteria STAGE 1: Evaluation of the Technical Bid 70 Marks The bidder s technical offer will open first. Below are the evaluation criteria of Technical bid. The following factors will be considered when evaluating proposals. 1. Compliance with requirements 25 a. Does the proposal comply with technical specifications as set forth in this tender schedule? i. Palo Alto Networks ii. Barracuda 5 b. Does the proposal comply with all terms as set forth under general terms and conditions in this tender schedule? Vendors organization capacity 45 a. Resumes of the certified resources who will be involved in the installation, commissioning, UAT and on-going after sales support. Minimum 2 (two) local certified engineer should be available as regular employees of the bidder. i. Palo Alto Networks 10 ii. Barracuda 5 15 [Furnish a resume for proposed key personnel, both supervisory and technical. Field personnel should be included with relevant experience, background, accomplishments, and relevant certifications] b. Relevant Experiences of the vendor (5)/ History of recent deployment in last 12 months (5) 10 c. Support & Services Methodology [Vendor must have ability to provide with the replacement box / hardware for 10 critical support; please mention the number of ready stock with serial numbers] d. Local Support 24/7 - Call Center [Vendor must have the ability to response within 2 hours in critical cases (24/7 5 call center will get preference)] e. Years of Operation field (Each 2 Years carry 1 Mark) 5 STAGE 2: Evaluation of the Financial Bid 30 Marks The successful bidders at the end of Stage 1 of the evaluation process will be considered for evaluation under stage 2. The evaluation of the financial bid also will be calculate separately, as follows: The points/marks for the other successful quotes will be computed as per the following formula: Financial Bid Rating= (Lowest Bid Bidder s Price) 30. STAGE 3: Overall Rating The overall rating will be finalized as under considering 70% of Technical and 30% of Financial Bid ratings: i.e. OVERALL RATING = [Technical Bid Rating (stage1)] + [Financial Bid Rating (stage2)] The award of the contract may be made to the bidder scoring the highest overall rating. Proprietary & Confidential 18 of 18