
PART 5: TECHNICAL & FUNCTIONAL SPECIFICATIONS (TFS)

1. Technical Specs:

Interested bidders who deal in ADC and Load Balancer solutions and meet the following technical specifications may respond to this RFP. These features will be part of the scope of work. For each technical specification, the necessary evidence must be submitted.

Sr. Criteria Remarks

Hardware Features

1 The proposed solution should be in the form of hardware box.

This is to ensure that the bidder does not offer a solution in software form only.

2 The solution should have minimum 8 Ports and 2 Fiber ports to cover multiple Network Segments.

The solution should have minimum 8 ports to cover multiple segments and free ports for backup and additional two (2) 1G Fiber Slots for Future scalability.

3 Appliance should have minimum 8 GB memory with dual Power support

Dual power is a standard for banking datacenters, to have dual power backup for the same appliance. Memory should be good enough to ensure high performance and compatible for all OEMs.

4 Appliance should have LCD screen/LED on the front

Appliance should support a LCD panel/LED to display alerts and fault information for an administrator to monitor the system

5 Appliance should support minimum 4 Gbps layer 7 throughput

A single DMZ would need Gigabit port switching performance, and with the addition of multiple networks each network would need a minimum of Gigabit switching, which can be added as needed. The actual throughput for an application may be much less than a Gigabit, but the packet processing speed should match a Gigabit port to be compatible with other Gigabit ports, minimizing packet drops and retransmission. So Gigabit throughput per port will ensure network switching performance.

6 The proposed solution should Support minimum 2 Million TCP connections and minimum 100k TCP L4 CPS

The expected load is a maximum of 10000 Internet users for the site, while the users open multiple sessions and explorer windows, which are new connections to the load balancer. The reason to have a minimum of 2 Million is to ensure there is ample connection table space available for new requests during peak time, and to have the option to scale the appliance higher with new applications and services for more users at a later time.

7 Minimum 15000 SSL handshakes per second/CPS @1024 key size and 3000 SSL handshakes per second/CPS @2048 key size without any SSL session reuse, with bulk throughput of 2 Gbps

SSL handshakes per second is a measure of new SSL connections per second, i.e. new public-private key exchanges in one second. After establishment of the SSL handshake, the number of transactions made by the customer will be treated as only one

8 The proposed solution should support at least 500k concurrent SSL users connected at 2048 key size

This feature ensures 500k concurrent SSL connections at 2048 key size or higher

9 For the Internet segment all the features mentioned are a must and all the modules should be from the same OEM; however, for the Intranet segment Web Application Firewall features can be excluded

This ensures that the mentioned modules are from the same OEM

10 Bidder may quote different OEM solution for Internet and Intranet segment

A combination of one bid for Internet and one bid for intranet will be accepted

11 The Proposed Solution should support High Availability

The proposed solution should support HA Cluster, which helps move services from a failed appliance to the active appliance seamlessly without disconnecting any user sessions. Failover should happen within 3 sec

Load Balancer Features

Deployment Modes Supported

12 The appliance should have various Topology Deployment like

i. Single Arm Mode

Single arm or one leg mode is quite easy and used for most sites, as this installation does not change any current IP schema or break application flow

ii. Two Arm mode

This is inline or two arm mode, generally used for layer 2 load balancing

13 Appliance should have capability to perform load balancing in

i. Proxy mode (reverse proxy mode)

This is equivalent to star token system, which does proxy connection from user to internal applications for hiding internal resources

ii. Transparent mode (client transparency mode)

In case the server needs client details, transparency mode helps track end user IPs

14 The appliance should support X-forwarder option

The appliance should have an option to enable the x-forwarder option per service, to log the actual client IP in the webserver log

General Features

15 The proposed solution should have capability to handle and Configure multiple load balancing ( Layer 7) protocols on same appliance

The proposed solution should support multiple protocols like http, https, ftp, TCP, TCPS, Radius applications which can be configured with its own profile per service and be able to route the applications independently of server location or network schema, hence more applications will benefit from load balancer services

16 The proposed solution should have capability of Rate Limiting and TCP Surge Protection

Appliance should support rate limiting of connections from client to backend servers and at the same time support TCP Surge protection. In the event of a connection surge from end clients, the appliance should be able to queue the connections without dropping them.

17 The proposed solution should have the capability to configure multiple services on same Virtual IP with different ports and services options.

In case the applications have same ip schema and need port based server selection, the load balancer should be able to ensure port based server selection for minimizing ip overuse and have support for same Virtual IP for port based grouping

18 The proposed solution should have the capability of Rate shaping & Qos Support

Solution should have Rate Shaping capabilities so all applications work optimally without impacting user experience. Rate shaping helps connection control and requests per source to prevent DoS attacks and ensure minimum resources are available for all users, e.g. 10 connections per second per source IP, to ensure no one IP overloads the server TCP stack and server process

19 The proposed solution should support unlimited context or partition without any additional license

Segmentation controls application flow to respective gateway per server and helps multiple segment control for various applications

20 The proposed solution Should have Application Visibility

Appliance should support customized reports, for example location of the user, IP address, hostname, resolved server IP address, number of clients rejected etc.

21 The appliance should have the feature of cluster failover; failover over industry standard is preferred, with failover within 3 seconds

Cluster helps move services from a failed server to a cluster server and hence helps continuity of application access

Multiplexing Server Side Connection

22 i. Support Server Multiplexing

Multiplexing helps to reduce server side connections and needs to be reported per service on which it has been enabled

ii. Customized Multiplexing setting per Virtual IP Address

Depending on the application, a server may not support multiplexing, hence it should be controlled per server

Load Balancing Algorithm

23 Load balancing should support, at minimum, IP based persistency, session based cookie persistency and headers inspection, URL redirection, hash IP, round robin, shortest response time and least connections; these various algorithms give maximum options and help granular control per service and application

The solution should have various options to control and redirect user requests to ensure proper load distribution and ensure incoming traffic is properly load balanced and distributed for best performance

SSL offloading

24 The appliance should have feature of SSL Offloading which should have

i. Dedicated SSL Chipset for SSL Offloading

SSL offloading should be done by dedicated hardware instead of sharing the CPU used for load balancing

ii. Minimum 2 Gbps SSL Throughput

Max. SSL Bulk Crypto should be minimum 1 Gbps for ensuring SSL connections are used with good performance

iii. SSL be card based for 1024 and 2048 bit certificates and support 4096 bit

All server certificates that are 1024 or 2048 bit need to be supported; appliance should also support 4096 bit for future requirement.

iv SSL Renegotiate DoS protections from Various SSL Attacks

---NIL---

HTTP and TCP Layer Acceleration

25 The appliance should have feature of Compression with

i) Appliance should support minimum 2 Gbps Hardware or Software Compression

Compression helps speed up the application access for end users and enables faster transactions and speed

ii) Per browser and service control for MIME (Multipurpose Internet Mail Extensions) type reporting

MIME is an identifier of browser version and helps control compression per browser. For example, PDF compression in IE6 has issues as reported by Microsoft, so MIME selection can prevent the PDF compression issue by disabling PDF compression for IE6 while keeping it enabled for other versions, hence controlling compression support per service

iii) Support TCP Optimization

Should support granular control on TCP stack to optimize the TCP layer, for example RFC 2018, RFC 3168, RFC 3042, RFC 2582, RFC 2581, RFC 3390, RFC 1323 etc.

Caching

26 The appliance should have feature of Caching with

i) Per file type/content type TTL control

This feature ensures the load balancer performs compression for valid file types and avoids private data caching

ii) Per service application cache details and responses

The cache report per service helps identify cache performance and optimization capability

iii) Dynamic content caching

Should have intelligence for caching of dynamic content, so that the correct content is always delivered to the end user

iv) Push static content to local client machine

Appliance should be able to push static contents to the client browser to reduce WAN bandwidth cost.

v) Change expiry timers

Should support changing lifetimes of content passed by the backend servers to the client. These lifetimes can be made specific to any parameter that the user may want to identify. Should support OBEY OR DISOBEY lifetimes set by the backend server.

vi) Customize Cache Timers

Cache period configurable, e.g. can NS set the MAX-AGE value in the Cache Control

vii) Per service caching filter support

Per service filter helps granular control and optimizing cache performance per site

viii) Appliance support asymmetric acceleration.

Appliance should support asymmetric deployment without any need to deploy any WAN optimization device. The user can log into the application from any location and get a similar experience from any appliance

ix) Support content and white space stripping

Reduce Web page load time by stripping unwanted data on WAN

x) Support Content Reordering

This feature will help to reorder the Web page content to improve user experience and reduce the page loading time

IPv6 Support

27 The product should support IPv6 ALG and NAT64

As per Govt. of India Bank/Telco and PSU need to be IPv6 shortly due to shortage of ipv4 ip addresses

28 WAF as well as ADC and Load Balancer should comply with and support both IPv4 and IPv6

This feature helps Dual Stack support for old as well as new schema

29 Should support rewrite of Legacy Web Server

Support for Rewrite Legacy/ Hard coded IP address on Web Server with IPv6 Addresses.

Web Application Firewall

31 The proposed solution should have Web Application Firewall with minimum throughput of 1 Gbps for Internet segment.

The proposed solution should provide minimum 1 Gbps throughput with all features enabled ( load balancing, SSL offloading, Compression, Cluster, Caching, Web application firewall- advanced and logging) to ensure the solution is scalable and more applications can be added later

32 The proposed Solution should have Inbuilt Web Application Firewall in the same appliance

The appliance should be able to handle OWASP Top 10 attacks as well as Zero Day attacks; should have a Vulnerability Scanner or support integration with 3rd party Vulnerability Scanners, for example Cenzic, Whitehat, Qualys etc.; should support application compliance reporting; should support HTTP, XML, JSON & AJAX protocols; should support positive and negative signature modules; should support inbuilt reporting.

33 Solution should support Layer 3 to Layer 7 with advanced protection for HTTP requests and responses

Application firewall should be able to prevent any attack from Layer 3 to Layer 7

34 The solution should have reporting feature on same appliance

Should be able to generate WAF report on same appliance

Reporting & Management

35 The solution should Support High Speed Logging

Solution should Support integration with RSA Envision and 3rd Party Logging Engine.

36 The solution should support Customize Logging

Customize Logging Attributes to reduce Logging size

37 The proposed solution should give real Time Reporting and Monitoring

This feature will help to get real time report and fault identification etc. e.g. real server response and outstanding requests, real server/virtual server status and system statistics etc. Reporting is important and required for ensuring real time and historical trending and base lining for trending usage, Should support reporting of all modules on same platform/appliance

38 The appliance should have feature of SSH , HTTPs and Console access

The appliance should have multiple management options which are secure and easy to use for configuration

39 The appliance should Support for segmentation and routing per service

Segmentation controls application flow to respective gateway per server and helps multiple segment control for various applications

40 Http logs can be configured in the appliance with options like url, header, referrer, source and destination servers

Client logs need to be captured for http request with various details which are useful for developers for making user specific access and reporting

41 The proposed solution should provide DNS reporting per user request with statistics last second, minute, hour usage and peak usage per application host name

DNS trending report can help application request and DNS planning and also help prevent DNS dos attacks

42 The appliance should have feature of Inbuilt Packet logging and capture on demand

Inbuilt packet captures can help check packet flow and analyse any issue which needs packet level log checking

43 The appliance should have feature of Syslog server with regex option available with external log collection

Syslog is important for sending all system and access logs to a SIEM or report manager, where a regex or particular keyword based option may help get only the needed logs, e.g. send only "down" logs to syslog and not all info level requests, as that would be too large to analyze later

44 OEM should have Support Centers / Service Center in India

Support center and service center in India are important for quick support, replacement and help

45 Appliance should have next business day turn around for hardware replacement and 24*7 support center availability

This is an important SLA for ensuring support and replacement for any faulty issue

46 The proposed solution should have ability to divide a single setup in to multiple policies operating independently without compromising on network security

This is important to ensure independent working with segmentation support
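
The per-source rate shaping in item 18 (10 connections per second per source IP) combined with the surge queueing in item 16, as an added illustration that is not part of the RFP or of any vendor's implementation. The class name, queue size and sample addresses are assumptions.

```python
from collections import defaultdict, deque


class SourceRateShaper:
    """Per-source-IP connection shaping with a bounded surge queue (hypothetical helper)."""

    def __init__(self, limit_per_sec=10, queue_size=100):
        self.limit = limit_per_sec
        self.queue_size = queue_size
        self.admitted = defaultdict(deque)  # ip -> admit times within the last second
        self.surge = deque()                # (ip, conn_id) held back, in arrival order

    def _has_budget(self, ip, now):
        window = self.admitted[ip]
        while window and now - window[0] >= 1.0:  # expire entries older than 1 s
            window.popleft()
        return len(window) < self.limit

    def offer(self, ip, conn_id, now):
        """Classify a new connection as 'forward', 'queued' or 'rejected'."""
        if self._has_budget(ip, now):
            self.admitted[ip].append(now)
            return "forward"
        if len(self.surge) < self.queue_size:     # surge protection: hold, do not drop
            self.surge.append((ip, conn_id))
            return "queued"
        return "rejected"                         # only when the surge queue is full

    def drain(self, now):
        """Release queued connections whose source is back under its limit."""
        released, waiting = [], deque()
        while self.surge:
            ip, conn_id = self.surge.popleft()
            if self._has_budget(ip, now):
                self.admitted[ip].append(now)
                released.append(conn_id)
            else:
                waiting.append((ip, conn_id))
        self.surge = waiting
        return released


def simulate():
    """Constructed traffic: 18 connections from one source, 3 from another, all at t=0."""
    shaper = SourceRateShaper(limit_per_sec=10, queue_size=5)
    results = [shaper.offer("203.0.113.7", f"a{i}", 0.0) for i in range(18)]
    results += [shaper.offer("198.51.100.20", f"b{i}", 0.0) for i in range(3)]
    return results, shaper.drain(1.0)
```

A single queue shared by all sources can be filled by one noisy client, so per-source queue limits are worth asking about when evaluating this requirement.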
