REQUEST FOR PROPOSAL FOR SUPPLY & INSTALLATION OF FIREWALL

General Scope of Work: Supply and installation of a firewall at the following location.

Location of Installation: ISI Kolkata, 203 B.T. Road, Kolkata 700108, West Bengal, INDIA

Bill of Material (Sl. No. / Item / Qty)
1. Firewall - 1
2. Support pack for the firewall (3 years) - 1
3. Support pack for IPS signature updates (3 years) - 1
Firewall Specification (Sr No / Feature Description)

1. The firewall should integrate multiple full-featured, high-performance security services, including an application-aware firewall, SSL and IPsec VPN, and IPS with Global Correlation.
2. The firewall should support a comprehensive command line interface (CLI), verbose syslog, and Simple Network Management Protocol (SNMP).
3. The firewall should be a 1 RU, 19-inch rack-mountable form factor.
4. Maximum throughput: 4 Gbps stateful firewall inspection, 1.2 Gbps IPS, and 1.4 Gbps multiprotocol.
5. Maximum 3DES/AES VPN throughput of 700 Mbps.
6. Maximum firewall connections: 1,000,000.
7. Maximum firewall connections per second: 50,000.
8. The firewall should have a redundant power supply.
9. Should have 8 integrated 10/100/1000BASE-T ports, expandable by a further 6 Gigabit Ethernet copper/SFP ports.
10. Maximum virtual interfaces (VLANs): 500.
11. Should support up to 100 virtual firewalls.
12. The firewall software should support online reconfiguration, so that changes made to the firewall configuration take effect immediately.
13. Should support Active/Active and Active/Standby failover.
14. Should support integrated IPsec VPN and both client and clientless SSL VPN.
15. Should support up to 5000 VPN peers.
16. Should support EtherChannel, with each channel group supporting up to eight active interfaces.
17. Should support a Botnet Traffic Filter whose database accurately and reliably identifies command-and-control traffic, as well as the domains or hosts receiving the exfiltrated information.
18. Should check incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and log any suspicious activity.
19. The firewall should deliver per-flow, policy-based QoS services, with support for LLQ (low-latency queuing) and traffic policing, for prioritizing latency-sensitive network traffic and limiting the bandwidth used by administrator-specified applications.
20. Performance should not be significantly degraded by enabling firewall features; SSL and IPsec encryption should be performed by dedicated hardware processors.
21. Should be able to integrate with either on-premises web security or cloud-based web security services.
22. The solution should support all popular authentication mechanisms, including but not limited to: local user database, RADIUS, Windows NT LAN Manager (NTLM), Active Directory Kerberos, native RSA SecurID, RADIUS with expiry, one-time password (OTP) via RADIUS (State/Reply-Message attributes), Lightweight Directory Access Protocol (LDAP) with password-expiry capabilities (including pre-expiry warning), digital certificates (including X.509), smartcards, SSO and SPNEGO. Should support CRL and OCSP for certificate revocation checks. Should support AAA and certificate authentication simultaneously.
23. The device should be able to act as a CA by itself.
24. Should be able to bind granular policies to specific users or groups across multiple identity management systems via Dynamic Access Policies (DAP). DAPs should be created by setting a collection of access control attributes associated with a specific user tunnel or session.
25. Should support termination of SRTP/TLS-encrypted endpoints for secure remote access, allowing large-scale deployment of secure phones without a large-scale VPN remote-access hardware deployment. End-user infrastructure is limited to just the IP endpoint, without VPN tunnels or hardware.
26. The firewall should be able to intercept and decrypt encrypted signaling from encrypted endpoints to the Unified Communications Manager, apply the required threat protection and access control, and ensure confidentiality by re-encrypting the traffic towards the UCM servers.
27. Should have features to identify system issues and report them to the vendor, or through other user-defined channels, often before the operator is aware of them.
28. The firewall should support an Identity Firewall, which provides more granular access control based on users' identities: access rules and security policies can be configured on user names and user group names rather than on source IP addresses.
29. Should support dynamic downloading and enforcement of ACLs on a per-user basis once the user has authenticated with the appliance.
30. Should support inspection of IPv6 traffic based on extension headers.
31. IPv6-enabled inspection services for applications based on HTTP, FTP, SMTP, ICMP, TCP and UDP. In addition, SSHv2, Telnet, HTTP and HTTPS, and ICMP-based management over IPv6. (Note: Telnet and plain HTTP management carry credentials in cleartext and should remain disabled in the deployed configuration.)
32. The firewall must support virtual firewalls and include at least 2 virtual firewalls without any additional license cost.
33. Must support bi-directional NAT.
34. Should support cut-through proxy and user authentication.

VPN Features

1. The device should support IPsec/IKEv2 for remote VPN access.
2. The security appliance should support the following encryption standards for ESP: DES, 3DES, AES-128, AES-192, AES-256. (Note: DES is cryptographically weak and should not be enabled in the deployed policy; AES should be preferred.)
3. The security appliance should support the following hashing algorithms: MD5, SHA. (Note: MD5 and SHA-1 are deprecated for new deployments; the SHA-2 family should be configured where peers support it.)
4. Should support SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Support for SHA-2 should include all three hash sizes: SHA-256, SHA-384 and SHA-512.
5. The device should preserve the TOS bits as per RFC 2401 (now superseded by RFC 4301): TOS bits in the original IP header should be copied to the IP header of the encrypted packet, so that QoS policies can be enforced after encryption.
6. Should support acting as an L2TP/IPsec VPN headend, terminating VPN connections from the native VPN clients included with Microsoft Windows 2000, Windows XP, Windows 2003 and Windows Pocket PC, and should support a variety of authentication methods including user ID/password, pre-shared keys, certificates and two-factor authentication.
7. Should support VPN connections between Android mobile devices and the appliance using the L2TP/IPsec protocol and the native Android VPN client.
8. Should be able to automatically identify the operating system and service pack of any remote device establishing a client or clientless SSL VPN.
9. Should support VPN from a variety of endpoints, such as desktops, tablets and smartphones, on the same appliance.
10. Should support the Start Before Login (SBL) feature, which allows a VPN connection to be established prior to machine login, so that native Windows functionality such as AD group policies, drive mapping and login scripts is available to VPN users.
11. The VPN client should support EAP-TLS (EAP-Transport Layer Security), LEAP (Lightweight EAP) and EAP-MD5 (Message Digest 5).
12. The VPN client should support mobile devices such as Apple and Android.
13. Clientless SSL VPN should support access to internal websites (both HTTP and HTTPS).

IPS Features

1. Inspect normal traffic as well as encapsulated traffic, including GRE, MPLS, 802.1Q, IPv4-in-IPv4, IPv4-in-IPv6 and Q-in-Q (double VLAN).
2. Concurrent threat mitigation throughput (firewall + IPS services) should be 1.2 Gbps.
3. Should support custom signatures.
4. Should be capable of defining virtualized IPS sensors.
5. Should support central management of policy configuration and one-touch global roll-out of policy changes.
6. Should support creation of a baseline of normal network traffic and use that baseline to detect worm-infected hosts.
7. Should be able to determine a host's operating system by inspecting characteristics of the packets it exchanges on the network.
8. Should be able to correctly track TCP sessions in complex network configurations.
9. Should support inspection and mitigation of threats in Multiprotocol Label Switching (MPLS) environments.
10. The IPS should be capable of being installed in asymmetric network environments.
11. The operator should be able to change from active (inline) mode to passive mode remotely.
12. The IPS device should prioritize alerts according to the action taken: for example, if a high-priority attack is dropped, the alert should be logged, whereas if a high-priority attack is allowed, the alert should be sent by email.
13. Ability to define a default operating system to be used in the attack-relevance calculation: for example, if a Linux-based attack is targeted at a Windows server, the alert severity of the attack should be lowered.
14. All traffic should be scrubbed/normalized/reordered as it passes through the sensor.
15. The IPS should be able to dynamically assess the risk an attack poses to the network and adjust the alert rating accordingly. This risk should be assessed from parameters such as the relevance of the attack (Linux vs Windows) and the value of the target (printer vs server).
16. Ability to identify attacks in IPv6 environments through inspection of IPv4 traffic tunnelled in IPv6.
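The following is an added example, not part of this RFP and not any vendor's code, that shows how the alert-rating and alert-action behaviour required in IPS items 12, 13 and 15 can be expressed as policy logic a bidder's evaluators can test against. Every name, weight and threshold in it (the `Alert` record, `TARGET_VALUE`, `DEFAULT_OS`, the relevance factor of 0.5 and the 75/40 rating thresholds) is an assumption chosen for illustration; the sample alerts are constructed.

```python
"""Hypothetical IPS alert risk-rating and action-selection logic.

Illustrates three RFP requirements:
  item 13 - a default OS is assumed when the target has not been fingerprinted,
            and an attack that is irrelevant to the target OS is rated lower;
  item 15 - the rating is scaled by the value of the target asset;
  item 12 - the notification action depends on whether the sensor dropped the
            attack (log) or let it through (email).
All weights and thresholds below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed asset-value weights (item 15): a printer matters less than a server.
TARGET_VALUE = {"printer": 0.5, "workstation": 1.0, "server": 1.5}

# Assumed default OS used when passive fingerprinting has not classified the
# target (item 13).
DEFAULT_OS = "windows"

# Assumed rating bands.
HIGH_THRESHOLD = 75
MEDIUM_THRESHOLD = 40


@dataclass
class Alert:
    signature: str          # signature name that fired
    base_severity: int      # 0-100 severity assigned by the signature
    attack_os: str          # OS family the exploit works against, or "any"
    target_ip: str
    target_os: Optional[str]  # from passive OS fingerprinting, None if unknown
    target_role: str        # key into TARGET_VALUE
    dropped: bool           # True if the inline sensor dropped the packet


def attack_relevance(alert: Alert) -> float:
    """Item 13: 1.0 if the exploit applies to the target OS, 0.5 otherwise."""
    effective_os = alert.target_os or DEFAULT_OS
    if alert.attack_os == "any" or alert.attack_os == effective_os:
        return 1.0
    return 0.5


def risk_rating(alert: Alert) -> int:
    """Item 15: severity scaled by attack relevance and target value, clamped to 0-100."""
    rr = alert.base_severity * attack_relevance(alert) * TARGET_VALUE[alert.target_role]
    return max(0, min(100, round(rr)))


def alert_action(alert: Alert) -> str:
    """Item 12: high-rated attacks that were dropped are logged; high-rated
    attacks that got through are emailed; lower ratings are logged or ignored."""
    rr = risk_rating(alert)
    if rr >= HIGH_THRESHOLD:
        return "log" if alert.dropped else "email"
    if rr >= MEDIUM_THRESHOLD:
        return "log"
    return "none"


def triage(alerts: List[Alert]) -> List[Tuple[str, int, str]]:
    """Return (signature, risk rating, action) for each alert, highest rating first."""
    rows = [(a.signature, risk_rating(a), alert_action(a)) for a in alerts]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = [
    # Linux exploit aimed at a fingerprinted Windows server: relevance halved.
    Alert("linux-samba-rce", 80, "linux", "10.0.0.5", "windows", "server", dropped=False),
    # Same exploit, Linux server, dropped inline: high rating, log only.
    Alert("linux-samba-rce", 80, "linux", "10.0.0.6", "linux", "server", dropped=True),
    # Same exploit, Linux server, allowed through: high rating, email.
    Alert("linux-samba-rce", 80, "linux", "10.0.0.7", "linux", "server", dropped=False),
    # Unknown target OS (defaults to Windows) on a printer: low value, ignored.
    Alert("linux-samba-rce", 80, "linux", "10.0.0.8", None, "printer", dropped=False),
    # OS-independent attack on an unfingerprinted workstation, allowed through.
    Alert("generic-sql-injection", 80, "any", "10.0.0.9", None, "workstation", dropped=False),
]

if __name__ == "__main__":
    for signature, rating, action in triage(SAMPLE_ALERTS):
        print(f"{signature:24s} rating={rating:3d} action={action}")
```

A bidder's IPS would of course use its own rating formula; the point of the example is that items 12, 13 and 15 together describe a deterministic function from (signature severity, target OS, target value, sensor action) to a rating and a notification, which is what the acceptance test should exercise.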
OEM Eligibility Criteria: All active components should be from the same OEM. The OEM should be an ISO 9000 and ISO 14001 certified company.

Consortium: If the Bidder is not the manufacturer, the Bidder should provide documentary evidence (e.g. a Manufacturer's Authorization Form) of having tied up with all the participating agencies.

Tax and Duty Exemption: The Institute may provide the necessary certificates for tax/duty exemption as applicable.

Bid Currency: Bids are to be quoted in Indian Rupees only.

Cancellation of Tender:
1. The Institute may cancel the tender process at any point prior to the issuance of a purchase order, without assigning any reason, for unforeseen and unavoidable circumstances.
2. The Institute may also cancel the tender process for want of participating Bidders, or if all participating Bidders fail to qualify on technical or other grounds.

Technical and commercial bids should be submitted in separate sealed envelopes, with the contents marked on the outside. Any Technical Bid not containing the above specifications may be rejected. The Technical Bid should not contain any price information; such a proposal will be rejected.
Bill of Material (To be included in Technical Bid)

The Bidder should provide a Bill of Material (details of all modules/components of hardware, including bought-out, off-the-shelf or third-party products/items required), module-wise, in the following format.

Columns: Module/Item Description | Make/Model/Version | Part Number | Principal Vendor/Manufacturer

Signature of Bidder :
Name :
Business address :
Place :
Date :
Bill of Material (To be included in Commercial Bid)

Columns: Module/Item | Make/Model/Version | Part Number | Principal Vendor/Manufacturer | Quantity/No. of Licenses per installation | Unit Price | Total Price without Tax | Tax % | Tax Estimate | Total Price with Tax

Signature of Bidder :
Name :
Business address :
Place :
Date :
Quotation Address:
To
The Head
Computer & Statistical Service Center
4th Floor, S.N. Bose Bhaban
Indian Statistical Institute
203 B.T. Road, Kolkata 700108