ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239
Check Point Firewall Software and Management Software

I. Description of the Item

Upgradation, installation and commissioning of Check Point security gateway firewall software blade (R75.40) with GAiA or the latest operating system for a two-node cluster architecture on the Intel x86 platform, in high-availability and active-active load-balancing mode, for unlimited IP addresses, along with Network Policy Management Software / SmartCenter Pro management software or equivalent on the Intel x86 platform (which should run on MS Windows Server 2008 or higher) for managing the cluster firewall, as per the specifications mentioned in Annexure I and the terms and conditions mentioned in Annexure II.

Annexure I: Specifications

The vendor shall upgrade the existing software-based firewall product to the latest R75.40 version, which shall meet the following mandatory requirements.

1. The security gateway firewall software shall be supplied and commissioned with all necessary modules to run on the Intel x86 platform in a high-availability and load-sharing two-node cluster configuration. It shall support unlimited IP addresses and shall be of the latest version.
2. The firewall should have native IPv6 support and IPv6 security features.
3. The firewall should support IPv4 and IPv6 features either independently or in a mixed environment, i.e. IPv4-only, IPv6-only and mixed IPv4/IPv6 deployments.
4. Every module of the security gateway software blades (Firewall and IPsec VPN) should fully support IPv6 in addition to IPv4.
5. Support for an extensive set of policy objects such as individual nodes, networks, groups, dynamic objects etc.
6. The firewall software must define a default filter that provides protection during boot time and prior to loading the initial policy.
7. A certificate-based Secure Internal Communication (SIC) channel should be available for communication among all Check Point distributed components.
8. In the high-availability cluster deployment option, the Firewall Gateway cluster shall provide stateful failover for established connections. In the event of failure of one node, the switch-over should be transparent to the users.
9. In the load-sharing cluster deployment, the Firewall Gateway cluster shall distribute the load almost equally between both servers.
10. All necessary software blades should be supplied to provide IPsec-based VPN connectivity between two networks (site-to-site VPN) and between the network and mobile users (remote-access VPN).
11. The software shall be supplied with the required modules to support high availability and dynamic load balancing for clear-text and VPN connections passing through the two-node cluster.
12. The firewall shall support an unlimited number of networks and an unlimited number of users.
13. The firewall should use TCP state-aware packet filter technology and must be software-based.
14. The firewall should have an inbuilt anti-spoofing engine to drop spoofed packets.
15. The firewall should have a configuration option to drop all IP fragment packets.
16. Support for static/hide NAT (Network Address Translation) with manual or automatic rules, and PAT (Port Address Translation).
17. It shall support multiple DMZs.
18. The Firewall Gateway software shall support TACACS+, RADIUS and LDAP. It shall support authentication based on IP address or user-id/password.
19. The Firewall Gateway source code shall be embedded into the kernel of the secured OS.
20. The Firewall Gateway will reside on a secured operating system, regardless of platform. The required secured operating system, such as GAiA, should be supplied.
21. The Firewall Gateway shall be able to integrate with third-party anti-virus, content-filtering, reporting and authentication products.
22. The Firewall Gateway should achieve gigabit-per-second performance on an open Intel-based machine.
23. The firewall system shall be ICSA or ITSEC certified and proven against all known attacks to date, including the following:
   a. IP address spoofing
   b. IP fragmentation control
   c. Filtering of IP options
   d. SYN flood attack protection
   e. Teardrop control
   f. Buffer overrun attacks
   g. TCP session hijacking
   h. Source-route attacks
   i. TCP sequence number prediction attacks
   j. Random port scanning
   k. Large-packet PING attacks
   l. Password replay attacks
24. The administrator should be able to configure the default timeout for TCP/UDP services.
25. The Firewall Management software shall be commissioned on Intel x86 hardware with MS Windows Server 2008 or the latest server operating system. It shall be able to manage a two-node Intel x86 cluster in a load-balancing and high-availability environment.
26. The Check Point security management software should provide comprehensive, centralized network security policy management for Check Point gateways and Software Blades via SmartDashboard, a single, unified console that provides control over the security gateway deployments.
27. The management software should be able to configure and administer all the Check Point Security Gateway Software Blades, such as Firewall, VPN, IPS, DLP, Application Control, Mobile Access, Web Security, URL Filtering, Antivirus & Anti-Malware, Anti-Spam & Email Security, Advanced Networking, Acceleration & Clustering, Voice over IP etc.
28. The Firewall Gateway shall be able to integrate access control, authentication and encryption to guarantee the security of network connections, the authenticity of local and remote users, and the privacy and integrity of data communications. It shall support VPN integration.
29. The Firewall Gateway, when integrated with VPN, shall adhere to the IPsec standard and automatically negotiate the strongest possible encryption and data authentication algorithms available between the communicating parties. This includes DES and 3DES, and SHA-1 and MD5 for data authentication. There should also be support for AES. In addition, encryption keys shall be updated frequently, ensuring maximum security so that older encryption keys cannot be used to decipher more recent communications. The lifetime of encryption keys should be limited either in seconds or by the number of transferred bytes.
30. The administrator should be able to specify the maximum number of sessions between client and server in a VPN connection.
31. It shall support and secure commonly used applications such as HTTP, SMTP, Telnet, IPsec and FTP. It shall support protocols such as TCP, UDP, ESP, AH and ICMP.
32. IP traffic control should be based on source, destination, protocols, ports etc.
33. The firewall system shall provide a scalable multi-tier and modular management infrastructure including a GUI, a management module, a log server module and an enforcement point. The management module shall support multiple enforcement points. A single security policy can be changed and deployed without reconfiguring each gateway. Distribution of management modules and log server modules to different dedicated hardware shall be possible.
34. Access to the firewall management should be allowed from specified IPs only.
35. Should provide different privileges for administration and management, and should be able to create objects with unique properties and create policies based on those objects.
36. Should provide extensive logging and should log all active TCP/UDP sessions.
37. The Firewall Management software should provide selective viewing of logs based on source, destination, source port, destination port, rule number, time etc. It should be able to auto-refresh the most recent logs while viewing.
38. All management communications shall be encrypted to allow management of remote gateway sites over the Internet and other untrusted networks where required.
39. The management module shall be able to configure the security policy, control the communication gateways and hosts (enforcement points), and view logging and alert information.
40. The management module should have utilities for backing up firewall configurations, security policies, remote users, configured network resources and log data.
41. The management module should have utilities for easily extracting relevant log data from the log data repository. It should have tools for archiving and deleting old log data.
42. The management software should support role-based administration, i.e. global and granular administrative access and permissions.
43. The management software should provide the SmartMap Navigator software to view complex topologies easily.
44. The management software should support multiple platforms, including Windows Server, Red Hat Linux, Solaris, IPSO, SecurePlatform etc.
45. The management software should be able to connect to the firewall server using an IPv6 address in addition to an IPv4 address, and administer the firewall cluster.

Annexure II: Terms and Conditions

1. The firewall gateway software and firewall management software have to be supplied, installed and commissioned on Intel x86 hardware. The gateway software shall be commissioned on Intel x86 hardware in a dual-CPU cluster configuration. The firewall software should be of the latest version. The firewall should support unlimited IP addresses and should work in active-active load-balancing and high-availability modes.
2. The Firewall Management Centre software shall be commissioned on Intel x86 hardware with Windows 2008 or the latest operating system.
3. The vendor shall provide full technical support for the firewall and management software for at least 1 year free of cost.
4. The vendor shall provide extensive training for the engineers of the Computer Division in the installation, commissioning, configuration, operation, maintenance and all other aspects of the firewall software and firewall management software.
5. Complete documentation (installation, commissioning, configuration etc.) of the firewall software as well as the Firewall Management Centre, both in hard copy and on CD media, shall be supplied.
6. The software will be accepted only after successful installation, training, testing and commissioning of all services at the Computer Centre, IGCAR.
7. The vendor shall enclose complete catalogues / data sheets of the products quoted; otherwise the quotation may not be considered.
8. The firewall software and management software shall be supplied with a perpetual license.

II. Optional Items

A) Supply, installation and commissioning of Check Point logging and status blades in the above environment, as per the specifications given below:

1. The logging and status software blades should support IPv6 in addition to IPv4.
2. The software should analyze the logged traffic and should be able to generate reports.
3. The software should be able to analyze backup logs stored on another drive of the management server or on an NFS storage server.
4. The software should be integrated with the security management software and should be operable from the GUI of the management server.
5. Analyze patterns from multiple log files for proactive security investigation.
6. Centrally track security activity across all Software Blades.
7. The log format should be as defined in the OPSEC LEA API.
8. It should log connection, active and audit log entries of the firewall server.
9. Log switching should be manual, or automatic at a specific time or size.
10. Should provide SmartLog, an advanced log analyzer program, to analyze the generated logs in depth.
11. There should not be any limit on log size; it should be limited only by disk space.

B) Supply, installation and commissioning of the Check Point extended security software blade package with 1 year support in the above environment, as per the specifications given below:

1. The extended security software blade should provide Intrusion Prevention System (IPS), Application Control, URL Filtering, Antivirus, Data Loss Prevention (DLP), Anti-Spam & Email Security etc. functionalities, with database update support for a minimum of 1 year for all facilities.
2. The software should be installed in the above firewall environment in cluster mode and should be managed through the management software.
3. The IPS Software Blade should provide a complete IPS security solution and should give protection against malware attacks, DoS and DDoS attacks, application and server vulnerabilities, insider threats, and unwanted application traffic, including IM and P2P etc.
4. The IPS software blade must inspect SSL-encrypted traffic in addition to plain traffic.
5. The IPS software blade should support adding custom-defined attack patterns.
6. The URL Filtering software blade should cover all URLs, should update the URL list dynamically and should categorize them from time to time.
7. Support for integrating the URL Filtering software blade with the Application Control software blade.
8. The URL Filtering software blade should support whitelisting and blacklisting a specified URL, and adding custom URL categories.
9. The DLP software blade should block data leakage through pattern, keyword and dictionary matching.
10. DLP should support an open scripting language to tailor and create specific data types. Template creation should be possible.
11. Detection of content in multiple languages, including single- and double-byte fonts (UTF-8).
12. Integration with the SmartCenter dashboard for management of DLP.
13. The antivirus software blade should prevent virus spreading through HTTP, HTTPS, FTP, POP3, SMTP etc. protocols.
14. The antivirus software should prevent access to malicious web sites automatically.
15. The Anti-Spam & Email Security Software Blade should block spam and malware at the connection level by checking the sender's reputation against a dynamic database of known malicious IP addresses.
16. Protection against advanced forms of spam, including image-based and foreign-language spam, using pattern-based detection.
17. Protection against a wide range of viruses and malware, including scans of message content and attachments.
18. Zero-hour outbreak protection: defends against new spam and malware outbreaks by using and distributing an analysis engine.
19. The Application Control software blade should support application security policies to identify, allow, block or limit usage (based on bandwidth and/or time) of thousands of applications, including Web 2.0 and social networking, regardless of port and protocol.
20. Availability of the AppWiki application classification library to classify applications.
21. Central policy management should be possible.
22. All these optional software blades should run on the security gateway firewall servers using the GAiA operating system or latest, and should be centrally managed by the SmartCenter console or equivalent via GUI. The generated logs should be sent to the logging and status blades for analysis and report generation.

NOTE:
- After publishing the tender, if there is any change in specification, it will be published as a corrigendum on the MRPU portal.
- The Remarks column shall be utilized only for filling in non-financial aspects such as make, packing etc.
- Aspects having an implication on the price shall be given in the column provided for the same and not in the Remarks column.
- A scanned copy of the quotation should not be uploaded separately.
- Technical details / catalogues / drawings etc., if any, shall be uploaded separately.
- Accessories, spares, breakup costs etc., if any, may be quoted online in the Price Bid Alternate Offer form.