
Total Wi-Fi BOQ

Sl No. Item Description UOM Qty

1 L3 Switch 24 port 10G IP Base with 24 Nos SFP 10G populated Nos 2

2 12 Port Switch L3 with 4 Nos 10G SFP and 1G populated Nos 12

3 L2 Managed 24 Port with 4 SFP with 4 Nos 10 G populated Nos 35

4 Router Nos 2

5 Network Access Control Nos 2

6 Link Load Balancer with five years support Nos 2

7 UTM Firewall with three years subscription and 24x7 support (with five years) Nos 2

8 Redundant WLAN Controller with 4 GigE ports and 530 AP management license from day one. Nos 2

9 Omni outdoor access point, 802.11ac 2x2:2, dual band concurrent, one Ethernet port, PoE input, includes mounting bracket. Nos 40

10 Dual-band 802.11a/b/g/n/ac (802.11ac Wave 2) wireless access point, 2x2:2 streams, MU-MIMO, dual ports, 802.3af PoE support. Nos 460

11 Cat 6 UTP Cable (305 Mtrs / Box ) Box 60

12 Outdoor Cat 6 Cable Box 5

13 Information Outlet ,CAT6 RJ45, Unshielded Nos 500

14 24 Port CAT6 UnShielded Jack Panel Loaded Nos 28

15 Workstation/ Equipment end CAT 6 Patch Cords 1Mtrs Nos 500

16 Workstation/ Equipment end CAT 6 Patch Cords 2Mtrs Nos 500

17 Face Plate Single port Nos 500

18 12 core Central loose tube 50 micron MM OM4 cable Mtrs 6000

19 12/24 Port LIU Nos 50

20 Pigtail LC PC, beige, 50 micron, grade OM4, 1.5 m Nos 600

21 LC-LC Duplex Multimode 50 micron patch cord Nos 50

22 Adapter LC-Duplex PC, beige, OM4 Nos 50

23 Fiber splice shelf (LIU), 12 LC Duplex Nos 50

24 OFC Module SPP 5100ZX 10G Nos 50

25 OFC Module SPP 1G Nos 20

26 12 U WallMount Rack with all accessories Nos 24

27 6 U WallMount Rack with all accessories Nos 13

28 42 U Floor Mount Rack with all accessories Nos 1

29 HDPE Pipe 1" Mtrs 6000

Service

1 L3 Switch 24 Port Installation & Commissioning Charge Nos 2

2 12 Port Switch Installation & Commissioning Charge Nos 13

3 L2 Managed 24 Port Switch Installation & Commissioning Charge Nos 35

4 Router Installation & Commissioning Charge Nos 2

5 Link Load Balancer Installation Charge Nos 2

6 Wireless Controller Installation & Commissioning Charge Nos 2

7 Wireless AP Installation & Commissioning Charge Nos 530

8 Cat 6 UTP Cable laying charge through conduit Nos 19200

9 I/O Installation and commissioning charge Nos 500

10 Fluke Test Report for Cat 6 UTP Cable Nos 500

11 Jack panel Installation and Punching charge Nos 28

12 Laying of OFC through HDPE Pipe including Digging, refilling of hard/soft soil and Road crossing. Mtrs 6000

13 Pigtail splicing Charge Nos 600

14 LIU Installation Charges Nos 50


15 OTDR Testing Report for OFC Nos 600

16 L2 Engineers yearly charges (for five years) Nos 2

17 L1 Engineers yearly charges (for five years) Nos 5

18 25 Years site certification Lot 1

19 Project Management Charge Lot 1

20 UTM Firewall Installation & Commissioning Charge Nos 2
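A quantity cross-check over the two tables above, as an added example (it is not part of the tender document): the numbers are copied from the hardware and service lines, and the pairing of each service line with a hardware line is my assumption, stated in the code. Running it surfaces three gaps worth raising before award: 13 installation charges for 12 units of the 12-port switch, 530 AP installation charges for 500 access points (40 outdoor + 460 indoor), and 19200 m of Cat 6 laying against 60 boxes x 305 m = 18300 m of cable supplied.

```python
"""Cross-checks of the Wi-Fi BOQ quantities on this page.

Added example (not part of the tender): the numbers are copied from the
hardware and service tables above; which service line pairs with which
hardware line is my assumption, stated per check.
"""

# Hardware lines: Sl No -> quantity (copied from the BOQ hardware table).
HW = {1: 2, 2: 12, 3: 35, 4: 2, 6: 2, 7: 2, 8: 2, 9: 40, 10: 460,
      11: 60, 13: 500, 14: 28, 18: 6000, 19: 50, 20: 600}
METRES_PER_BOX = 305       # item 11: "305 Mtrs / Box"
PORTS_PER_JACK_PANEL = 24  # item 14: 24 port jack panel
WLC_AP_LICENSES = 530      # item 8: 530 AP management licences
LIU_PORTS = 12             # item 23: 12 LC duplex per shelf (assumption: 12 pigtails per LIU)

# Service lines: short name -> quantity (copied from the BOQ service table).
SVC = {"switch_l3_24": 2, "switch_12": 13, "switch_l2_24": 35, "router": 2,
       "llb": 2, "wlc": 2, "ap": 530, "cat6_laying_m": 19200, "io": 500,
       "fluke": 500, "jack_panel": 28, "ofc_laying_m": 6000, "splice": 600,
       "liu": 50, "otdr": 600, "utm": 2}


def check_boq(hw=HW, svc=SVC):
    """Return {check: (expected, actual, ok)}; 'expected' is derived from hardware."""
    checks = {
        # one installation/commissioning charge per device supplied
        "L3 24-port switch installs": (hw[1], svc["switch_l3_24"]),
        "12-port switch installs": (hw[2], svc["switch_12"]),
        "24-port L2 switch installs": (hw[3], svc["switch_l2_24"]),  # service row 3, qty 35
        "router installs": (hw[4], svc["router"]),
        "LLB installs": (hw[6], svc["llb"]),
        "UTM installs": (hw[7], svc["utm"]),
        "WLC installs": (hw[8], svc["wlc"]),
        "AP installs (outdoor + indoor)": (hw[9] + hw[10], svc["ap"]),
        # one I/O install, one Fluke report per information outlet
        "I/O installs": (hw[13], svc["io"]),
        "Fluke reports": (hw[13], svc["fluke"]),
        "jack panel installs": (hw[14], svc["jack_panel"]),
        # cable supplied (metres) vs cable laid (metres)
        "Cat 6 metres supplied vs laid": (hw[11] * METRES_PER_BOX, svc["cat6_laying_m"]),
        "OFC metres supplied vs laid": (hw[18], svc["ofc_laying_m"]),
        # one splice and one OTDR trace per pigtail
        "pigtail splices": (hw[20], svc["splice"]),
        "OTDR reports": (hw[20], svc["otdr"]),
        "LIU installs": (hw[19], svc["liu"]),
    }
    return {k: (e, a, e == a) for k, (e, a) in checks.items()}


def capacity_checks(hw=HW):
    """Capacity must cover demand: {check: (capacity, demand, ok)}."""
    checks = {
        "WLC AP licences cover APs": (WLC_AP_LICENSES, hw[9] + hw[10]),
        "jack panel ports cover outlets": (hw[14] * PORTS_PER_JACK_PANEL, hw[13]),
        "LIU ports cover pigtails": (hw[19] * LIU_PORTS, hw[20]),
    }
    return {k: (c, d, c >= d) for k, (c, d) in checks.items()}


def report(hw=HW, svc=SVC):
    """Lines describing every failed check (empty list when the BOQ is consistent)."""
    lines = [f"MISMATCH {k}: hardware implies {e}, service table has {a}"
             for k, (e, a, ok) in check_boq(hw, svc).items() if not ok]
    lines += [f"SHORTFALL {k}: capacity {c} < demand {d}"
              for k, (c, d, ok) in capacity_checks(hw).items() if not ok]
    return lines


if __name__ == "__main__":
    for line in report() or ["all BOQ checks pass"]:
        print(line)
```

The checks are deliberately pairwise rather than parsed from descriptions, because the service table labels row 3 "12 Port Switch" while its quantity (35) matches the 24-port L2 switch; pairing by quantity intent rather than label is what a reviewer has to do by hand anyway.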

Router

Sr. No. Feature Set

A Solution Requirement

A1 The router should support a throughput of 10 Gbps

A2 The router architecture should be based on hardware-based forwarding and switching. The system should have a multi-processor architecture for enhanced performance

A3 The router should have hardware-level redundancy of both the data plane and the control plane, so that failure of any data plane or control plane hardware does not disrupt system functionality

A4 The router should support granular traffic detection and management using QoS features, and should allocate network resources based on application priority and requirement

A7 Router should support RFC 4012 for future implementation, and multicast support (Desirable)

A8 Router should support the complete stack of IP V4 and IP V6 services

A9 The router should support Operating System (OS) redundancy in 1:1 mode to ensure high availability of the system. In the event of a running OS failure the router should switch over to the redundant OS without disturbing the traffic flow. There should not be any impact on performance in the event of an active processing engine failure

A10 The router should support online hot insertion and removal of power supplies and connected modules. Insertion of a line card or power supply should not require a router reboot nor disrupt the functionality of the system

B Hardware and Interface Requirement

B1 Router should have the following interfaces:

B2 Router should have 2 x 10 G ports & 4 X 1 G Ports or higher .

B3 Router should have console port

B4 Router should have management interface for Out of Band Management

B5 Router should be rack mountable and support side rails if required

B6 Router should have redundant power supplies (at least dual)

B7 Router should have hardware health monitoring capabilities and should provide different parameters through SNMP

B8 Router should support VLAN tagging (IEEE 802.1q)

B9 Router should support IEEE Link Aggregation and Ethernet Bonding functionality to group multiple ports for redundancy

B10 Router should have the capability of holding multiple OS images to support resilience and easy rollback during version upgrades etc., and should support in-service software upgrade, including:

B11 a. Multiple System image

B12 b. Multiple system configuration

B13 c. Option of Configuration roll-back

Page 3: Total Wi-Fi BOQ No. Item Description UOM Qty. Item Description UOM Qty ... 28 42 U Floor Mount Rack with all acessories Nos 1 29 HDPE Pipe 1" Mtrs 6000 Service

B14 Router should support for different logical interface types like loopback, GRE and IPIP tunnel, VLAN etc

C Performance Requirement

C2 The router should support minimum 3,000,000 IPv4 and IPv6 routes entries including multicast routes

C5 Router should support Graceful Restart for OSPF, BGP, MP-BGP etc.

C6 Router should support the throughput stated above for crypto IMIX WAN traffic with the following services enabled:

C6.1 a. Hardware based encryption acceleration (IPSec VPN)

C6.2 b. IPSec Encryption (ESP-AES 256 ESP-SHA-HMAC)

C6.3 c. IP Routing (Static/Dynamic)

C6.4 d. IP Forwarding

C6.6 f. NAT

C6.7 g. QoS

C6.8 h. ACL and Other IP Services

C6.9 i. MPLS with VRF Edge Routing

C6.10 j. IP V.6 host and IP V.6 routing

C7 The router should support secured connectivity using point-to-point and any-to-any dynamic IPSec VPN for secured data transfer:

C7.1 a. Hardware based IPSec Encryption

C7.3 c. Any to Any Dynamic IPSec VPN using the GDOI Protocol should be supported

C7.4 d. IPSec Idle Timeout and Dead Peer Detection (DPD)

C7.5 e. Support Multicast traffic over any to any dynamic VPN

C8 The router should support uninterrupted forwarding for OSPF, BGP etc. routing protocols to ensure high availability during primary controller failure

D Layer2 Features

D1 Spanning Tree Protocol (IEEE 802.1D, 802.1s)

D2 VLAN Trunking (802.1q)

D3 System should provide basic Layer 2 WAN protocols as:

D3.2 b. GRE

D3.3 c. Ethernet

E Layer3 Features

E1 The router should support the IPSec framework for secured data transfer

E1.1 a. IPSec Data Encapsulation AH and ESP

E1.2 b. Key Exchange: Internet Key Exchange (IKE), IKEv2, Pre-Shared Keys (PSK), Public Key Infrastructure PKI (X.509), RSA encrypted nonces etc.

E1.3 c. Encryption Algorithm: DES, 3DES, AES-128/192/256

E1.4 d. Authentication Algorithm: SHA1 and SHA2

E1.5 e. Group: Diffie-Hellman (DH) Group 1, 2, 5

E1.7 g. Different mode of communication: Tunnel mode and Transport mode

E1.8 h. IPSec NAT Traversal

E2 The router should support IPSec framework standard RFC:

E2.1 a. IPSec (RFCs 2401 to 2410)

E2.2 b. IPSec ESP using DES and 3DES (RFC 2406)

E2.3 c. IPSec authentication header using MD5 or SHA (RFCs 2403 to 2404)

E2.4 d. IKE (RFCs 2407 to 2409) and IKEv2 (RFC 7296)

E2.5 e. GDOI Group Domain of Interpretation

E3 Router should provide basic routing feature i.e. IP Classless and default routing

E4 Router should provide static and dynamic routing using:

E4.1 a. Static routing

E4.2 b. RIP V.2 with MD5 Authentication

E4.3 d. OSPF V.2 using MD5 Authentication


E4.4 e. ISIS using MD5 Authentication

E4.5 f. BGP V.4 using MD5 Authentication

E4.6 g. Should support route redistribution between these protocols

E4.7 h. Should be compliant to RFC 4760 Multiprotocol Extensions for BGP-4 (Desirable)

E5 Router should support policy-based routing to provide different path selection for different applications, and should also support best path selection using real-time parameters like:

E5.1 a. Jitter

E5.2 b. Minimum cost

E5.3 c. Network path availability

E5.4 d. Network Response Time

E5.5 e. Packet loss

E6 The router should re-converge all dynamic routing protocols when routing updates change, i.e. Non-Stop Forwarding for fast re-convergence of routing protocols

E7 Router should connect to multiple MPLS service providers using multi-instance routing (VRF) and perform VRF edge routing

E8 Router should be capable to work as DHCP server and relay

E9 Router should provide multicast reachability using:

E9.1 PIM-SM

E9.2 PIM-SSM

E9.3 Bi-Directional PIM

E9.4 MBGP, DVMRP or equivalent

E9.5 Support RFC 3618 Multicast Source Discovery Protocol (MSDP)

E9.6 Support Anycast Rendezvous Point (RP) mechanism using PIM and Multicast Source Discovery Protocol (MSDP) as defined in RFC 3446

E9.7 IGMP V.1, V.2 and V.3

F Availability

F1 Router should have provisioning for connecting to dual power system

F2 Router should dynamically discover and cope with differences in the maximum transmission unit (MTU) size of the various links along the path (Path MTU Discovery), across multiple interconnected networks, for end-to-end connectivity and usability

F3 Router should automatically fail over from the primary interface to the secondary link on an interface status change or when the remote network is not reachable, using the following real-time parameters (IP SLA):

F3.1 Jitter

F3.2 Network path availability

F3.3 Network Response Time

F3.4 Packet loss

F4 Router should provide gateway-level redundancy in IP V.4 and IP V.6 using HSRP/VRRP, and NHRP or equivalent for dynamic VPN

G Quality of Service

G1 Router should support 802.1p classification and marking of packets using:

G1.1 a. CoS (Class of Service)

G1.2 b. DSCP (Differentiated Services Code Point)

G1.3 c. Source physical interfaces

G1.4 d. Source/destination IP subnet

G1.5 e. Protocol types (IP/TCP/UDP)

G1.6 f. Source/destination TCP/UDP ports

G2 Router should support methods for identifying different types of traffic for better management and resilience under network attacks

G3 Router should support different types of QoS features for differential treatment of real-time traffic, using:


G3.1 Weighted Fair Queuing

G3.2 Weighted Random Early Detection

G3.3 Priority queuing

G4 Router should support controlling incoming and outgoing traffic using:

G4.1 a. Traffic Shaping

G4.2 b. Traffic Policing

G5 Router should support for managing congested network connectivity using:

G5.1 a. TCP congestion control

G5.2 b. IP Precedence

G5.3 c. Ingress and Egress Rate Limiting

G6 Router should support for packet classification and fragmentation before applying IPSec security encryption for providing end to end QoS treatment

G7 Router should support hierarchical QoS for granular per-application policy for bandwidth provisioning and management

H Security

H2 Router should support applying a different security policy to each logical and physical interface using port-based access control lists (Layer-2 to Layer-4) in IP V.4 and IP V.6

H3 Router processor and memory should be protected from unnecessary or DoS traffic by a control plane protection/policing policy

H4 Router should support stringent time-of-day based security policies at Layer-2 to Layer-4

H5 Router should support for external database for AAA using:

H5.1 a. TACACS+

H5.2 b. RADIUS

H6 Router should support Dynamic ARP Inspection for the locally connected network segments

H7 Router should support multiple service providers using edge VRF and IPSec traffic encryption

H8 Router should support GRE and IPSec WAN traffic encapsulation and encryption

H9 The router shall support the unicast RPF (uRPF) feature to block communications and attacks sourced from randomly generated (spoofed) IP addresses.
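One way to see what H9 asks for, as an added example (not any vendor's code and not part of the tender): a longest-prefix-match forwarding table with constructed routes and interface names, and a uRPF check in both strict and loose mode. It also shows the operational caveat behind the choice of mode: strict mode rejects an internal address spoofed from the WAN but also rejects legitimate traffic whose return path is asymmetric, which is why loose mode is usually used on multihomed edges, at the cost of catching only unrouted and blackholed (bogon) sources; and on an interface that carries the default route, strict mode passes any source without a more specific route.

```python
"""Unicast RPF (H9) in strict and loose mode over a tiny FIB.

Added example, not a vendor implementation: routes, interface names and
packet sources are constructed; the FIB does longest-prefix matching only.
"""
import ipaddress


class Fib:
    """Forwarding table of (prefix, egress interface); longest prefix wins."""

    def __init__(self, routes):
        self.routes = sorted(
            ((ipaddress.ip_network(p), ifc) for p, ifc in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def egress(self, addr):
        """Interface the router would use to reach addr, or None if no route."""
        ip = ipaddress.ip_address(addr)
        for net, ifc in self.routes:
            # ipaddress returns False for a v4/v6 mismatch, so one table serves both
            if ip in net:
                return ifc
        return None


def urpf_permit(fib, src, ingress, mode="strict"):
    """True if a packet from src arriving on ingress passes the uRPF check.

    strict: the best route back to src must point out the ingress interface;
            defeats spoofing but fails on asymmetric (multihomed) paths.
    loose : any route to src except a null/blackhole route is enough;
            catches only bogons and unrouted space.
    """
    ifc = fib.egress(src)
    if ifc is None or ifc == "null0":
        return False
    return ifc == ingress if mode == "strict" else True


def sample_fib():
    # constructed topology: LAN behind 10/8 and 2001:db8::/32, two WAN uplinks,
    # a documentation prefix blackholed as a bogon, default route out wan1
    return Fib([
        ("10.0.0.0/8", "lan"),
        ("2001:db8::/32", "lan"),
        ("198.51.100.0/24", "wan2"),   # this peer's prefix is learned via wan2
        ("192.0.2.0/24", "null0"),     # bogon blackhole
        ("0.0.0.0/0", "wan1"),
    ])


def evaluate(fib, packets):
    """Both modes over (src, ingress) pairs -> {(src, ingress): (strict, loose)}."""
    return {(s, i): (urpf_permit(fib, s, i, "strict"), urpf_permit(fib, s, i, "loose"))
            for s, i in packets}


if __name__ == "__main__":
    results = evaluate(sample_fib(), [
        ("10.1.2.3", "lan"),        # internal host on its own interface
        ("10.1.2.3", "wan1"),       # internal address spoofed from the Internet
        ("198.51.100.7", "wan1"),   # asymmetric: arrives on wan1, return path via wan2
        ("192.0.2.9", "wan1"),      # blackholed bogon
        ("203.0.113.5", "wan1"),    # only the default route matches
        ("2001:db8::1", "lan"),     # IPv6 internal host
    ])
    for (src, ingress), (strict, loose) in results.items():
        print(f"{src:>14} on {ingress:<5} strict={str(strict):<5} loose={loose}")
```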

I Manageability

I1 Router should support for embedded RMON for central NMS management and monitoring

I2 Router should support sending logs to multiple centralised syslog servers for monitoring and audit trail

I3 Router should provide remote login for administration using:

I3.1 a. Telnet

I3.2 b. SSH V.2

I4 Router should support for capturing packets for identifying application performance using remote port mirroring for packet captures

I5 Router should support for management and monitoring status using different type of Industry standard NMS using:

I5.1 a. SNMP V1 and V.2

I5.2 b. SNMP V.3

I5.3 c. Filtration of SNMP using Access list

I5.4 d. SNMP MIB support for QoS

I6 Router should support for basic administrative tools like:

I6.1 a. Ping

I6.2 b. Traceroute

I7 Router should support central time server synchronisation using Network Time Protocol NTP V.4


I8 Router should support collecting real-time traffic statistics for analysis and troubleshooting using NetFlow, IPFIX or equivalent

I9 Router should support for providing granular MIB support for different statistics of the LAN and WAN interface

I10 Router should support predefined and customised script execution for device management, for automatic and scheduled system status updates for monitoring and management

I11 Router should provide different privilege levels for login to the system for monitoring and management

I12 Router should support dynamic changes to the configuration or operating system using different local and central tools and scripts

J IPv6 features

J1 Router should support IP V.6

J2 Router should support for IP V.6 connectivity and routing required for network reachability using different routing protocols such as:

J2.1 a. RIP NG

J2.2 b. OSPF V.3

J2.3 c. BGP with IP V.6

J2.4 d. IP V.6 Policy based routing

J2.5 e. IP V.6 Dual Stack etc

J2.6 f. IP V.6 Static Route

J2.7 g. IP V.6 Default route

J2.8 h. Should support route redistribution between these protocols

J3 Router should support different types of IP V.6 tunnelling mechanisms, such as:

J3.1 a. Automatic IP V.6 to IP V.4 tunnels / IP V.4 to IP V.6 IP tunnels

J3.2 b. Automatic IP V.4-compatible tunnels / IP V.4 to IP V.6 IP tunnels

J3.3 c. IPv6 over IPv4 tunnelling

J4 Router should support different types of multicast routing in IP V.6 network using:

J4.1 a. PIMv2 Sparse Mode

J4.2 b. PIMv2 Source-Specific Multicast

J5 Router should support for QoS in IP V.6 network connectivity

J6 Router should support for monitoring and management using different versions of SNMP in IP V.6 environment such as:

J6.1 a. SNMPv1, SNMPv2c, SNMPv3

J6.2 b. SNMP over IP V.6

J6.3 c. RFC4292/RFC4293 MIBs for IPv6 traffic

J7 Router should support syslog for sending system log messages to centralised log server in IP V.6 environment

J8 Router should support NTP to provide accurate and consistent timestamps over IPv6 for synchronised log collection and events

J9 Router should support the following applications over IP V.6:

J9.1 a. HTTP

J9.2 b. HTTPS

J9.3 c. ICMP

J9.4 d. TCP/UDP

J9.5 e. DNS lookup

J9.6 f. DHCP

J10 Router should support the following administration and management tools over IP V.6:

J10.1 a. Ping

J10.2 b. Traceroute

J10.3 c. VTY

J10.4 d. SSH


J10.5 e. TFTP

Firewall

Sr. No. Features Compliance (Yes/No)

A Solution Requirement

A 1 Make and Model (Palo Alto/Checkpoint/Fortinet and Cisco Only)

A 2 Details of the proposed solution: name, version, date of release, date of release of next version, application/product development path, etc.

A 3 Proposed solution framework should be scalable to support large scale deployment and reduce the time and effort to deploy the entire set up. Bidder should clearly illustrate the various tools and methodologies used to achieve this

A 4 Please submit a list of all features provided by the proposed solution in addition to the specifications mentioned in this document, that will be available to the bank without any additional charges and will be under support. These features will be treated at par with other features mentioned in the RFP.

A 5 Solution should support Firewall, Intrusion Prevention System, Application Visibility, SSL Inspection (in & out) functions etc.

A 6 Solution should support "Stateful" policy inspection technology. It should also have application intelligence for commonly used TCP/IP protocols, not limited to Telnet, FTP, HTTP, HTTPS etc.

A 7 Not applicable

A 8 Firewall & IPS should have a Recommended rating in the 2015 (or last released) respective NSS Labs group tests

A 9 The communication between all the components of solution (firewall module, logging & policy and Web GUI Console) should be encrypted with SSL or PKI

A 10 Management of the entire solution, including real-time monitoring, event log collection, policy enforcement etc., should be from a single device only (management server/appliance); however the solution should have management devices at both locations

A 11 Firewall should be supplied with the support for static routing and dynamic routing with protocols, like RIP v2, OSPF, & BGP etc.

A 12 Firewall should support the multicast protocols like IGMP and PIM-DM / PIM-SM etc

A 13 Solution should support Identity Access for Granular User/ Group, location and machine based visibility

A 14 Solution should provide stateful failover among devices for all components and should be completely automatic without any sort of manual intervention

A 15 Solution should have hardened OS for both appliance and management platform

A 16 Solution should provide protection against various types of cyber attacks, evasive attacks, scripting attacks etc.

A 17 Solution should have capability to store Logs and configuration of all devices, centrally in the solution and should also have capability to send logs of all devices to the generic central log collection servers

A 18 Solution should be IPv6 ready. It should have the IPv6 Ready logo or similar certification from another reputed third party. No extra cost will be borne by the bank for IPv6 implementation

A 19 Solution must support the complete stack of IP V4 and IP V6 services

A 20 Solution should have the capability to analyse the impact of any new policy prior to making it live.

A 21 Solution should support for multiple security levels/zones like internal, DMZ and external etc.

A 22 Independent administrative controls for all the major functions like Firewall, IPS, SSL offloading etc. should be in place. Compromise of any component, whether by connecting to it physically or remotely, should not impact other components of the solution

A 23 Not applicable

A24 Patches & updates being received from OEM should be from trusted sites

B Hardware and Interface Requirements

B 1 Each appliance of solution requires at least 6 x 10G & 2 x 1G interfaces including ports for sync, HA and other functionalities. System should support 4x40G for future requirement

B 2

B 3 Each appliance should have management interface for Out of Band Management

B 4 Each appliance should be rack mountable and support side rails if required

B 5 Each appliance should have redundant power supplies (at least dual) and the management system should have HDD/SSD with RAID enabled.

B 6 Each appliance should have hardware health monitoring capabilities and should provide different parameters through SNMP

B 7 Solution should support VLAN tagging (IEEE 802.1q)

B8 Solution should support IEEE Link Aggregation and Ethernet Bonding functionality to group multiple ports for redundancy

B 9 Solution should Support DHCP Relay

B 10 Solution should support, but not limited to:

B.10.1 Active-Active & Active-Failover Load Balancing: The firewall must support stateful Active-Active & Active-Failover architecture for Firewall, VPN & IPS functions and high availability for redundancy. Appliance failover should be completely stateful.

B.10.2 Solution should provide stateful failover for Firewall and VPN functionalities

B.10.3 Solution should not require any downtime/reboot for failover

B 11 Solution should have the capability of holding multiple OS images to support resilience & easy rollbacks during the version upgrades etc

B 12 Centralized Management Solution should provide high availability at site level for enabling DR deployment

B 13 It should be possible to manage the entire solution from Primary & Secondary management servers/appliances placed at DC and DR. The management solution should have the capability to be deployed in geographically different locations, enabling DR deployment

B 14 The firewall system should have adequate local storage in order to keep the various logs in the event of management server connection failure etc

C Performance Requirements

C 1 Each appliance of the solution should be properly sized for the following parameters, with all features enabled at the same time:

C1.1 Handling minimum 10 Gbps of user traffic (Incoming 10 Gbps and Outgoing 10 Gbps traffic simultaneously) and other application Zones.

C1.2 Please change this to "Should support at least 10 Gbps of real world performance throughput (includes Firewall, Application Visibility & IPS)"

C1.3 Running all internet protocols etc, traffic flowing through different zones in the solution with all the features enabled and running

C 2 Request you to change this to 20 million concurrent session with AVC considering NGFW firewall and 10 Gbps real world throughput

C 3 Request you to change this to more than 1,60,000 new sessions per second


C 4 Solution should not impact application response by adding latency. Maximum permissible latency of the firewall is 50 milliseconds, and for the complete solution at each site 100 milliseconds, with all the services asked for in this RFP enabled together at any point of time

C 5 The Firewall must provide filtering capability using FQDN and URL

D Network Standards/Protocols and Firewall System Requirements

D 1 Solution should support at least 250 protocols

D 2 Solution should have the capability to support more than 500 VLANs

D 3 Solution should support the filtering of TCP/IP based applications with standard TCP/UDP ports or deployed on custom ports etc.

D 4 Firewall modules should support deployment in Routed as well as Transparent mode and should also support the following:

D 4.1 Solution should mask the internal network from the external world.

D 4.2 Multi-layer, stateful, application-inspection-based filtering should be done

D 4.3 It should provide network segmentation features with powerful capabilities that facilitate deploying security for various internal, external and DMZ (Demilitarized Zone) sub-groups on the network, to prevent unauthorized access

D 4.4 Ingress/egress filtering capability should be provided for internal, external and DMZ (Demilitarized Zone) zones

D 4.5 Solution should support detection of reconnaissance attempts such as IP address sweep, port scanning etc

D 5 Solution should provide NAT functionality, including dynamic and static NAT translation etc

D 6 IPSec should have the functionality of PFS (perfect forward secrecy) and NAT-T and should support:

D 6.1 Network Address Translation (NAT) should be configurable as 1:1, 1: many, many: 1, many:many, flexible NAT (overlapping IP addresses). Reverse NAT or equivalent should be supported

D 6.2 Port address translation/masquerading should be provided for all internet-based applications, including but not limited to filtering for Telnet, FTP, SMTP, HTTP, DNS, ICMP, DHCP, ARP, RPC, SNMP, Lotus Notes, MS-Exchange etc.

D 7 Solution should support integration with following standards :

D 7.1 X.509 Digital certificates

D 7.2 RSA SecurID certified

D 7.3 Two Factor Authentication

D 7.4 Radius/Tacacs+

D 8 Solution should support RADIUS/TACACS+ authentication protocol for Local access to devices

D 9 Solution should support PKI with:

D 9.1 PKCS 7/PKCS 10/ PKCS 12 and PEM

D 9.2 Self-signed Certificates

D 9.3 External CA support

D 9.4 Certificate Revocation List Import

D 9.5 Embedded Certificate Authority

D 10 IPSec ISAKMP methods should support Diffie-Hellman Group 1 & 2, MD5 & SHA, SHA2, RSA & Manual Key Exchange Authentication, 3DES/AES-256 encryption of the key exchange material and algorithms like RSA-1024 / 1536

D 11 Not applicable

D 12 Firewall system should support virtual tunnel interfaces to provision Route-Based IPSec VPN

D 13 Dynamic Host Configuration Protocol (DHCP) over Virtual Private Network (VPN) should be supported for dynamic allocation of IP addresses

D 14 Solution should support the following features, but not limited to:


D 14.1 The firewall should support Internet Protocol Security (IPSec)

D 14.2 Key exchange with latest Internet Key Exchange (IKE), IKEv2, Public Key Infrastructure PKI (X.509)

D 14.3 Site-to-site VPN tunnels: full-mesh / star topology should be supported

D 14.4 Support latest encryption algorithms including AES 128/192/256 (Advanced Encryption Standard), 3DES (Triple Data Encryption Standard) etc.

D 14.5 Support Latest Authentication algorithms including SHA-1(Secure Hash Algorithm-1), SHA- 2(Secure Hash Algorithm-2) etc

D 14.6 IPSec NAT traversal should be supported

D 14.7 Not applicable

D 14.8 It must include the ability to establish VPNs with gateways with dynamic public IP's

D 14.9 Not applicable

D 15 The Firewall must provide filtering capability that includes parameters like source addresses, destination addresses, source and destination port numbers, protocol type and other parameters, to configure rules based on the following:

D 15.1 Source/Destination IP/Port

D 15.2 Not applicable

D 15.3 User/group role (Integration with AD)

D 15.4 Customizable services

D 15.5 Not applicable

D 15.6 Combination of one or multiple of above mentioned parameter

D 16 The Firewall should be able to filter traffic even if the packets are fragmented

D 17 It should be able to block Instant Messaging like Yahoo, MSN, ICQ, Skype (SSL and HTTP tunnelled) etc.

D 18 It should enable blocking of Peer-to-Peer applications, like Kazaa, Gnutella, BitTorrent, IRC (over HTTP/HTTPS) etc.

D 19 The Firewall should support database related filtering and have support for Oracle, MS-SQL, and SQL-Net etc

D 20 Should support CLI & GUI based access to the firewall modules

D 21 Solution should support Access for Granular user, group & machine based visibility and policy enforcement etc

D 22 Should support the basic attack protection features listed below, but not limited to:

D 22.1 Maximum number of protections against attacks that exploit weaknesses in the TCP/IP protocol suite

D 22.2 It should enable rapid detection of network attacks

D 22.3 TCP reassembly for fragmented packet protection

D 22.4 SYN cookie protection, SYN flood, half-open connections and NULL packets etc.

D 22.5 Protection against IP spoofing

D 22.6 Malformed packet protection
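The SYN cookie mechanism named in D 22.4, as an added example (not any vendor's implementation and not part of the tender): the server encodes a time slot, an MSS index and a keyed hash of the 4-tuple and client ISN into its own initial sequence number, keeps no half-open state during a flood, and rebuilds the connection only when the final ACK returns a cookie it could have issued recently for that 4-tuple. The 4-tuple, timestamps and secret are constructed; a real implementation rotates the secret and sizes the MSS table for its stack.

```python
"""SYN cookies as a stateless defence against SYN floods (D 22.4).

Added example, not a vendor implementation. The 4-tuples, timestamps and
the key are constructed. Cookie layout (32 bits, sent as our ISN):
  bits 31..27  time counter in 64-second slots (5 bits)
  bits 26..24  index into MSS_TABLE (3 bits)
  bits 23..0   keyed hash over 4-tuple, client ISN and the counter
"""
import hashlib
import hmac

MSS_TABLE = (536, 1220, 1440, 1460)           # MSS values encodable in 3 bits
SECRET = b"constructed-secret-for-the-example"  # rotated periodically in practice


def _slot(now):
    """64-second time slot truncated to 5 bits (wraps every ~34 minutes)."""
    return (now // 64) & 0x1F


def _hash24(src, dst, sport, dport, client_isn, slot):
    msg = f"{src}|{dst}|{sport}|{dport}|{client_isn}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, dst, sport, dport, client_isn, mss, now):
    """ISN to put in the SYN-ACK. Nothing is stored per connection."""
    slot = _slot(now)
    # largest table entry not exceeding the MSS the client offered
    idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (slot << 27) | (idx << 24) | _hash24(src, dst, sport, dport, client_isn, slot)


def check_cookie(src, dst, sport, dport, client_isn, ack, now, max_age_slots=1):
    """Validate the final ACK of the handshake.

    Returns the MSS to use when rebuilding the connection, or None if the
    ACK does not carry a cookie we issued recently for this 4-tuple.
    """
    cookie = (ack - 1) & 0xFFFFFFFF              # client acknowledges our ISN + 1
    slot = cookie >> 27
    idx = (cookie >> 24) & 0x7
    age = (_slot(now) - slot) & 0x1F             # modular distance in slots
    if age > max_age_slots:
        return None                              # stale or replayed cookie
    if idx >= len(MSS_TABLE):
        return None                              # index we never issue
    if (cookie & 0xFFFFFF) != _hash24(src, dst, sport, dport, client_isn, slot):
        return None                              # forged, or wrong 4-tuple / client ISN
    return MSS_TABLE[idx]


def handshake_demo():
    """One legitimate handshake and three attacker cases; returns the outcomes."""
    src, dst, sport, dport, client_isn = "203.0.113.10", "198.51.100.1", 40000, 443, 12345
    now = 1_700_000_000
    isn = make_cookie(src, dst, sport, dport, client_isn, 1460, now)
    ack = (isn + 1) & 0xFFFFFFFF
    return {
        "legit": check_cookie(src, dst, sport, dport, client_isn, ack, now + 10),
        "forged_ack": check_cookie(src, dst, sport, dport, client_isn, ack ^ 0x55, now + 10),
        "stale": check_cookie(src, dst, sport, dport, client_isn, ack, now + 300),
        "other_port": check_cookie(src, dst, sport + 1, dport, client_isn, ack, now + 10),
    }


if __name__ == "__main__":
    print(handshake_demo())
```

Because the only per-connection information is recomputed from the ACK, a flood of SYNs from spoofed sources costs one HMAC per SYN-ACK and no memory; the price is that TCP options not encoded in the cookie (window scale, SACK) are lost unless carried in the timestamp option, which is why stacks enable cookies only once the backlog fills.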

E IPS Feature Requirements

E 1 The intrusion detection and prevention system (IDPS) should monitor network and/or system activities for malicious activity, identify it, log information about it, attempt to block/stop it, and report it

E 2 It should be possible to deploy the product as an Intrusion Detection System (which logs and alerts on suspected attacks) and/or as an inline Intrusion Prevention System which drops suspicious packets.

E 3 It should perform deep packet inspection up to layer-7 and take desired action based on findings

E 4 Advanced detection techniques with stateful application & Protocol intelligence

E 5 IPS should capture (but not limited to) the following important parameter about attack:


E 5.1 Identifying network characteristics (source and destination IP address, source and destination port, protocol, etc.)

E 5.2 The raw packet data, exported in a format compatible with popular packet analysers such as Wireshark, for forensics.
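What E 5.2 asks for in practice is export in the libpcap format, which Wireshark opens directly: a 24-byte global header, then one 16-byte record header (timestamp seconds, microseconds, captured length, original length) in front of each packet's bytes. The following is an added example written for this page, not the RFP's text and not any vendor's code: it writes captured packets to a pcap file and reads them back. The sample frame (Ethernet, IPv4, TCP SYN, with addresses from the RFC 5737 documentation ranges) is constructed inline; its TCP checksum is left at zero, which Wireshark flags but still dissects.

```python
"""Write IPS-captured raw packets to a Wireshark-readable pcap file.

Added example, not the RFP's or any vendor's code. The sample frame is
constructed here; only the IPv4 header checksum is computed.
"""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap
LINKTYPE_ETHERNET = 1


def ip_checksum(hdr):
    """RFC 1071 one's-complement checksum over the IPv4 header bytes."""
    if len(hdr) % 2:
        hdr += b'\0'
    total = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_syn_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame used as sample capture data."""
    # TCP: ports, seq, ack, data offset 5 words, flags SYN, window, checksum 0, urgent 0
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0x1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    # IPv4: ver/ihl, tos, total length, id, DF flag, ttl, proto 6, checksum placeholder
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack('!H', ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + b'\x08\x00'
    return eth + ip + tcp


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    return struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts, packet, snaplen=65535):
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    captured = packet[:snaplen]            # truncate to snaplen, keep original length
    return struct.pack('<IIII', sec, usec, len(captured), len(packet)) + captured


def write_pcap(path, packets, linktype=LINKTYPE_ETHERNET):
    """packets: iterable of (timestamp, raw_bytes)."""
    with open(path, 'wb') as fh:
        fh.write(pcap_global_header(linktype))
        for ts, pkt in packets:
            fh.write(pcap_record(ts, pkt))


def read_pcap(path):
    """Minimal reader: returns (linktype, [(timestamp, bytes), ...])."""
    with open(path, 'rb') as fh:
        data = fh.read()
    order = '<' if struct.unpack_from('<I', data, 0)[0] == PCAP_MAGIC else '>'
    if struct.unpack_from(order + 'I', data, 0)[0] != PCAP_MAGIC:
        raise ValueError('not a pcap file')
    _, _, _, _, _, linktype = struct.unpack_from(order + 'HHiIII', data, 4)
    packets, pos = [], 24
    while pos < len(data):
        sec, usec, caplen, _ = struct.unpack_from(order + 'IIII', data, pos)
        packets.append((sec + usec / 1_000_000, data[pos + 16:pos + 16 + caplen]))
        pos += 16 + caplen
    return linktype, packets


def export_demo():
    """Write two sample frames to a temporary file and read them back."""
    frames = [(1700000000.25, build_tcp_syn_frame('203.0.113.7', '198.51.100.10', 40000, 80)),
              (1700000000.50, build_tcp_syn_frame('203.0.113.7', '198.51.100.10', 40001, 443))]
    fd, path = tempfile.mkstemp(suffix='.pcap')
    os.close(fd)
    try:
        write_pcap(path, frames)
        return frames, read_pcap(path)
    finally:
        os.unlink(path)
```

The magic number is written in the host's byte order, which is how a reader detects endianness; the writer here always emits little-endian. A device that captures only the IP layer would use link type 101 (raw IP) instead of 1 (Ethernet), and the header must say so or Wireshark will dissect the first 14 bytes of the IP header as an Ethernet frame.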

E 6 A wide range of response options from logging and raising alarms to blocking traffic should be supported.

E 7 The system should allow the IPS function to be turned on or off as and when required.

E 8 The IPS should be constantly updated with new defences against emerging threats.

E 9 IPS updates should support automatic download and scheduled installation, so that updates can be scheduled for specific days and times

E 10 Should allow the administrator to define whether newly downloaded protections are placed in Detect or Prevent mode

E 11 Solution should show, for each signature, its performance impact and the severity of the vulnerability it covers, and should allow new signatures to be tuned to avoid false positives

E 12 The product should have signature based as well as anomaly based analysis and prevention facility

E 13 The IPS should provide easy updating of signatures so that protection remains current against the latest attacks

E 14 The IPS engine should support vulnerability and exploit signatures, protocol validation, anomaly detection, behaviour-based detection, multi-element correlation, etc.

E 15 IPS processes should be hardened so as to be resistant to attacks, including DoS/DDoS and the advanced attacks that emerge from time to time. The product should offer features that make it resistant to failure under advanced attacks and emerging threats.

E 16 The IPS should be resistant to evasion and protected against anti-NIPS techniques

E 17 IPS profiles should allow specific signatures to be deactivated and later re-enabled

E 18 Intrusion Prevention should have an option to add exceptions for networks and services

E 19 The IPS should provide Geo Protection to block traffic by country and by direction (inbound/outbound)

E 20 It should be possible to create exclusion rules directly from IPS events/protections, to view raw packet data directly from log entries and, if required, to send the packets to Wireshark for analysis

E 21 Application Intelligence should provide controls for instant messengers, peer-to-peer applications, malware traffic, etc.

E 22 The NIPS should be able to block file transfer, audio and video over instant messengers, and also features such as application sharing and remote assistance

E 23 The IPS should allow the creation of custom signatures using an open signature language

E 24 Detailed IPS logs should be provided after an attack is detected. The logs should include the attack name, severity, industry reference, confidence level, etc.

E 25 Advanced capabilities that detect and prevent attacks launched against the Web infrastructure

E 26 Malicious-code protection against buffer overflow, heap overflow and other malicious executable-code attacks that target web servers and other applications, without requiring a signature

E 27 Monitor all communication for potential executable code, confirm the presence of executable code and identify whether it is malicious

E 28 Application-layer protection against cross-site scripting, LDAP injection, SQL injection, command injection, directory traversal and the other attack classes catalogued by OWASP (Open Web Application Security Project)

E 29 Protection against spoofing attacks and directory listing, and concealment of server error messages, should be provided

E 30 The NIPS should support HTTP protocol inspection, including HTTP format size enforcement, ASCII-only request enforcement, ASCII-only response-header enforcement, header rejection definitions, HTTP method definitions, etc.

E 31 Solution should provide the infrastructure and a procedure to test new signatures, version updates and OS updates in the SBI environment before deploying them in prevention mode

E 32 Enforcement options: Active, Monitor-only, Disabled, etc.

E 33 The IPS should be able to monitor all of the major TCP/IP protocols, including IP, Internet Control Message Protocol (ICMP), TCP and User Datagram Protocol (UDP), and detect the latest attacks, including (but not limited to) port scanning, unusual packet fragmentation, SYN
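Port scanning (E 33) and SYN floods with half-open connections (D 22.4) are both detected from the same flow-level data: how many distinct targets one source touches inside a time window, and how many connections to one destination never get past the SYN. The following is an added example written for this page, not the RFP's text and not any vendor's detection engine. Each record is one constructed flow (timestamp, source, destination, destination port, flags), where flags 'S' means only a SYN was seen (the handshake never completed, i.e. a half-open connection) and 'SA' means the handshake completed; the thresholds are illustrative.

```python
"""Port-scan and SYN-flood detection over flow records.

Added example, not the RFP's or any vendor's code. Sliding-window counters
per source (distinct dst:port targets) and per destination (half-open
connections). Records and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque


def detect(records, window=10.0, scan_threshold=20, halfopen_threshold=100):
    """Returns a list of (alert_type, address, count), one alert per offender."""
    scan_hist = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
    syn_hist = defaultdict(deque)    # dst -> deque of ts for half-open flows
    alerts, fired = [], set()
    for r in sorted(records, key=lambda r: r['ts']):
        ts = r['ts']
        q = scan_hist[r['src']]
        q.append((ts, (r['dst'], r['dport'])))
        while ts - q[0][0] > window:       # expire entries that left the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= scan_threshold and ('scan', r['src']) not in fired:
            fired.add(('scan', r['src']))
            alerts.append(('portscan', r['src'], len(targets)))
        if r['flags'] == 'S':              # half-open: SYN seen, handshake never completed
            h = syn_hist[r['dst']]
            h.append(ts)
            while ts - h[0] > window:
                h.popleft()
            if len(h) >= halfopen_threshold and ('syn', r['dst']) not in fired:
                fired.add(('syn', r['dst']))
                alerts.append(('synflood', r['dst'], len(h)))
    return alerts


def sample_records():
    """Constructed traffic: normal clients, one SYN scanner, one SYN flood."""
    recs = []
    for i in range(5):                      # normal completed connections
        recs.append(dict(ts=5.0 + i, src='192.0.2.%d' % (10 + i),
                         dst='10.0.0.5', dport=443, flags='SA'))
    for port in range(1, 26):               # SYN scan of 25 ports on one host
        recs.append(dict(ts=0.1 * port, src='203.0.113.7',
                         dst='10.0.0.5', dport=port, flags='S'))
    for i in range(120):                    # SYN flood from rotating spoofed sources
        recs.append(dict(ts=50.0 + 0.01 * i, src='198.51.100.%d' % (i % 50),
                         dst='10.0.0.5', dport=443, flags='S'))
    return recs
```

The scanner trips the port-scan rule when its twentieth distinct port falls inside the window, while its 25 half-open connections stay well under the flood threshold; the flood is attributed to the destination rather than to any one of the spoofed sources, which is why SYN-flood handling on a firewall is a per-destination control (SYN cookies or a half-open limit) and not a per-source block.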

E 34 The IPS should be able to inspect SSL, HTTPS, SFTP, SSH, etc. traffic

E 35 Should support the commonly analysed network-layer protocols such as IPv4, IPv6 and ICMP (Internet Control Message Protocol)

E 36 Solution should send notifications in real time in the form of a session packet log, session summary, e-mail, SNMP trap, or any other configurable mode

E 37 The IPS should be capable of detecting reconnaissance activity before the target is victimised

F Administration, Management and Logging Functionality Feature Requirements

F 1 The bidder must propose two management devices for real-time monitoring, management and log collection for these firewalls. All logs should be retained on both management devices, so that if the primary management device fails, the complete logs are available on the secondary management device.

F 2 A centralized monitoring and management system supporting multiple administrators with role-based administrative rights, providing an audit trail of changes

F 5 Solution should support large-scale WAN deployment with the following criteria for real-time monitoring, management and log collection:

F 5.2 To ensure business continuity, all proposed solutions/hardware should be deployed in high availability (HA)

F 6 Any changes or commands issued by an authenticated user should be logged to a database of the management system

F 7 The firewall management system should also show on its dashboard the real-time health of all firewall modules: CPU and memory utilisation, state table size, total number of concurrent connections, connections-per-second counter, etc.

F 8 It should support SNMP (Simple Network Management Protocol) v2 and v3 and NTPv4, including all new versions in present and future releases

F 9 The firewall must send e-mail or SNMP traps to the Network Management Server (NMS) in response to system failures or threshold violations of the health attributes.

F 10 The firewall should support user-based logging. Log levels must be configurable by severity

F 11 Not applicable

F 12 The firewall must provide simplified provisioning for the addition of new firewalls, whereby a standard firewall policy can be pushed to the new firewall

F 13 The firewall administration station must provide a means of exporting the firewall rule set and configuration

F 14 Support for role based administration of firewall

F 15 The firewall administration software must provide a means of viewing, filtering and managing the log data

F 16 The firewall logs must identify the firewall policy rule that triggered each log entry

F 17 Centralized security management should include, for all the proposed security controls, at least:

F 17.1 Real Time Security Monitoring

F 17.2 Logging

F 17.3 Reporting functions

F 18 The solution must provide at least basic statistics about the health of the firewall and the amount of traffic traversing it

F 19 Solution should support configuration rollback

F 20 Solution should support real-time traffic statistics and historical reports, including:

F 20.1 Attacks and threat reports, etc.

F 20.2 Customised reports in HTML and CSV format, etc.

F 21 The solution's audit trail should contain at a minimum:

F 21.1 The name of the administrator making the change

F 21.2 The change that was made

F 21.3 The time the change was made

F 22 The management system should provide detailed event analysis for the firewall and IPS, and should provide syslog output for integration with other major SIEM tools; specifically, it should support the RSA SIEM tool, current and future versions

F 23 Solution should support real-time analysis of all traffic the firewall may encounter (all possible source, destination and service values, including groups)

F 24 Provide geographically distributed data collection from devices, with data processed locally, compressed and then transferred to the central manager

G Licensing Requirements

G 1 Solution should have an enterprise licence without any restrictions. If, during the contract, the solution does not perform as per the specifications in this RFP, the bidder has to upgrade/enhance the devices or add devices and reconfigure the system at no cost to the bank

G 2 The solution and its components (Firewall, IPS, VPN, etc.) should have no licensing restriction on the number of users, concurrent connections, total connections, new connections, VLANs, zones, policies, appliances, other network parameters, equipment/servers, etc.

G 3 The offered product part codes must be General Availability part codes, not part codes custom-built for SBI, and must be cross-referenced to the OEM's public website

G 4 Any third-party product required to achieve the functionality should be provided with the necessary enterprise-version software/appliance licence, and the necessary hardware, database and other relevant software or hardware should be provided with the s

URL FILTERING

H 1 The proposed system should have an integrated web content filtering system, without any external solution, device or hardware module.

H 2 The proposed solution should be able to enable or disable web filtering per policy, or per firewall-authenticated user or group, for both HTTP and HTTPS traffic

H 3 The proposed system shall provide the following web content filtering features:

H 3.1 Blocking of web plug-ins such as ActiveX, Java applets and cookies

H 3.2 Web URL blocking

H 3.3 Score-based web keyword blocking

H 3.4 A web exempt list

H 4 The proposed system shall be able to query a real-time database of over 110 million rated websites categorised into 70+ distinct content categories.

Advanced Malware Protection

I 1 Solution should be capable of blocking callbacks to command-and-control (C&C) servers

I 2 Solution should be capable of blocking threats based on both signatures and behaviour

I 3 Detection rules should be based on an extensible, open language that enables users to create their own rules, as well as to customize any vendor-provided rules.

I 4 The solution should be capable of analysing and blocking TCP and UDP traffic to identify attacks and malware communications. At a minimum, the following protocols must be supported for real-time inspection, blocking and control of downloaded files: HTTP, SMTP, POP3, IMAP, NetBIOS-SSN and FTP.

I 5 The solution should be capable of executing Microsoft Office documents, PDF documents, archive files, multimedia files and executable binaries in a virtual sandbox environment

I 6 The solution should be capable of gathering Active Directory user identity information, mapping IP addresses to usernames, and passively gathering information about network devices, including but not limited to:
● Operating system vendor
● Operating system version
● Network protocols used, e.g. IPv6, IPv4
● Network services provided, e.g. HTTPS, SSH
● Open ports, e.g. TCP:80
● Client applications installed and their type, e.g. Chrome (web browser)
● Web applications accessed, e.g. Facebook, Gmail
● Risk and relevance ratings, which should be available for all applications
● Potential vulnerabilities
● Current user
● Device type, e.g. bridge, mobile device
● Files transferred by this device/user

I 7 The solution should be capable of whitelisting individual trusted applications from inspection, rather than an entire network segment, so that business applications and productivity are not affected

I 8 The solution should be capable of blocking traffic by geographic location, to reduce the attack surface and to prevent communication with unwanted destinations by geography

I 9 The solution shall be able to detect attacks on 64-bit operating systems

I 10 The proposed solution must detect, control access to and inspect for malware at least the following file types: Microsoft Office files, executables, multimedia, compressed documents, Windows dump files, PDF, JAR packs and InstallShield packages.

I 11 The solution should allow real-time detection and prevention of attacks against the following applications: Microsoft Internet Explorer, Mozilla Firefox, Chrome, Adobe Acrobat Reader, Adobe Acrobat, Microsoft Silverlight, Sun Java, RealPlayer, Microsoft Office and Apple QuickTime.

I 12 Malware analysis must be performed in real time using hybrid analysis capabilities, combining multiple analysis and control strategies (including simultaneously), with local, remote or hybrid execution technology used to determine advanced malware.

I 13 The Advanced Malware Protection should support retrospective alerting: if a file that was previously allowed is later determined to be malicious, the solution should raise an alert and immediately block further transfers of that file across the network
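I 13 implies a specific design: the enforcement point must keep an index of every file it has forwarded (content hash, time, endpoints), so that when a later verdict arrives, from the sandbox of I 5 or from updated intelligence, it can name every host that already received the file and block any further transfer of the same hash. The following is an added example written for this page, not the RFP's text and not any vendor's implementation, with constructed file contents and transfer events.

```python
"""Retrospective alerting for files already allowed through.

Added example, not the RFP's or any vendor's code. Keeps a hash-indexed
record of every transfer; a later 'malicious' verdict yields alerts for the
hosts that already received the file and turns future transfers into blocks.
File contents and events are constructed.
"""
import hashlib
from collections import defaultdict


class RetrospectiveIndex:
    def __init__(self):
        self._seen = defaultdict(list)   # sha256 -> list of transfer events
        self._verdict = {}               # sha256 -> 'clean' | 'malicious'

    @staticmethod
    def fingerprint(content):
        return hashlib.sha256(content).hexdigest()

    def observe_transfer(self, content, ts, src, dst):
        """Called inline for each file crossing the firewall; returns (hash, action)."""
        digest = self.fingerprint(content)
        action = 'block' if self._verdict.get(digest) == 'malicious' else 'allow'
        self._seen[digest].append(dict(ts=ts, src=src, dst=dst, action=action))
        return digest, action

    def update_verdict(self, digest, verdict, verdict_ts):
        """Record a verdict; returns retrospective alerts for hosts that already got the file."""
        previous = self._verdict.get(digest)
        self._verdict[digest] = verdict
        if verdict != 'malicious' or previous == 'malicious':
            return []                    # nothing new to alert on
        return [dict(event, sha256=digest, verdict_ts=verdict_ts, retrospective=True)
                for event in self._seen.get(digest, [])
                if event['action'] == 'allow']

    def exposed_hosts(self, digest):
        """Hosts that received the file while it was still allowed."""
        return sorted({e['dst'] for e in self._seen.get(digest, []) if e['action'] == 'allow'})


def demo():
    idx = RetrospectiveIndex()
    invoice = b'%PDF-1.7 constructed sample, treated as a file body'
    report = b'PK constructed sample archive body'
    h1, a1 = idx.observe_transfer(invoice, 100, '203.0.113.9', '10.1.1.21')
    _, a2 = idx.observe_transfer(invoice, 160, '203.0.113.9', '10.1.1.34')
    h3, a3 = idx.observe_transfer(report, 170, '198.51.100.4', '10.1.1.21')
    retro = idx.update_verdict(h1, 'malicious', 900)     # sandbox verdict arrives later
    _, a4 = idx.observe_transfer(invoice, 950, '203.0.113.9', '10.1.1.50')  # now blocked inline
    again = idx.update_verdict(h1, 'malicious', 1000)    # repeated verdict: no duplicate alerts
    return dict(first_actions=(a1, a2, a3), retro=retro, later_action=a4, again=again,
                exposed=idx.exposed_hosts(h1), other_clean=idx.update_verdict(h3, 'clean', 1001))
```

Two points a bidder's design should be checked against: the index must be keyed on a cryptographic hash of the file content, not on the URL or filename, or the same payload served from a second location escapes the retrospective match; and the alert must distinguish transfers that were allowed from ones that were already blocked, otherwise every later block generates a spurious "exposed host" incident.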

Distribution switches:

The switch must have 12 nos. of 1/10 GE SFP+ interfaces and 4 nos. of dedicated 10 GE SFP+ uplink ports, populated with 12 nos. of long-range optics and 4 nos. of long-range 10G optics respectively.

The switch should support a switching capacity of 320 Gbps

Access (edge) switches:

The switch must have at least 24 nos. of multispeed 10/100/1000 Ethernet copper interfaces and 2 nos. of dedicated 10 GE SFP+ uplink ports. Each switch must be populated with 2 nos. of long-range 10G optics