REQUEST FOR PROPOSAL FOR SUPPLY & INSTALLATION OF FIREWALL
General Scope of Work:
Supply & installation of Firewall in the following location.
Locations of Installation:
ISI Kolkata,
203 B.T. Road,
Kolkata – 700108,
West Bengal, INDIA
Bill of Material
Sl. No.  Item                                          Qty
1.       Firewall                                      1
2.       Support pack for the firewall (for 3 years)   1
Firewall Specification
Sr No Feature Description
1 The FW should integrate with multiple full-featured, high-performance security services, including application-aware firewall, SSL and IPsec VPN, IPS with Global Correlation.
2 The FW should support a comprehensive command line interface (CLI), verbose syslog, and Simple Network Management Protocol (SNMP).
3 The FW should be a 1 RU, 19-in. rack-mountable form factor.
4 Should have a maximum stateful firewall inspection throughput of 4 Gbps, an IPS throughput of 1.2 Gbps and a multiprotocol throughput of 1.4 Gbps.
5 Maximum 3DES/AES throughput of 700 Mbps.
6 Maximum firewall connections: 1,000,000.
7 Maximum firewall connections/second: 50,000.
8 The firewall should have a redundant power supply.
9 Should have 8 integrated 10/100/1000 Base-T ports, expandable by another 6 Gigabit Ethernet copper/SFP ports.
10 Maximum Virtual Interfaces (VLANs) 500
11 Should support up to 100 Virtual Firewalls
12 The software on the firewall should support online software reconfiguration to ensure that changes made to a firewall configuration take place with immediate effect.
13 Should support Active/Active and Active/Standby Failover
14 Should support integrated IPsec VPN and client and clientless SSL VPN.
15 Should support up to 5000 VPN peers.
16 Should support EtherChannel, with each channel group supporting up to eight active interfaces.
17 The security appliance should support a Botnet Traffic Filter database that accurately and reliably identifies command-and-control traffic, as well as the domains or hosts receiving the information.
18 Should support checking of incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and log any suspicious activity.
19 The FW should deliver per-flow, policy-based QoS services, with support for LLQ and traffic policing, for prioritizing latency-sensitive network traffic and limiting the bandwidth usage of administrator-specified applications.
20 Performance should not be significantly affected by enabling the firewall features; SSL and IPsec encryption should be performed by dedicated hardware processors.
21 Should have the ability to integrate with either on-premises or cloud-based web security services.
22 The solution should support all popular authentication mechanisms, including but not limited to: local user database, RADIUS, Windows NT LAN Manager (NTLM), Active Directory Kerberos, native RSA SecurID, RADIUS with expiry, one-time password (OTP) via RADIUS (State/Reply message attributes), Lightweight Directory Access Protocol (LDAP) with password expiry capabilities (including pre-expiry warning), digital certificates (including X.509), smartcards, SSO and SPNEGO. Should support CRL and OCSP for certificate revocation checks. Should support AAA and certificate authentication simultaneously.
23 The device should be able to act as a CA by itself
24 Should be able to bind granular policies to specific users or groups across multiple identity management systems via Dynamic Access Policies (DAP). DAPs should be created by setting a collection of access control attributes associated with a specific user tunnel or session
25 It should support a feature that enables termination of SRTP/TLS-encrypted endpoints for secure remote access, and should support large-scale deployments of secure phones without a large-scale VPN remote-access hardware deployment. End-user infrastructure is limited to just the IP endpoint, without VPN tunnels or hardware.
26 The FW should be able to intercept and decrypt encrypted signaling from encrypted endpoints to the Unified Communications Manager, and apply the required threat protection and access control. It should also ensure confidentiality by re-encrypting the traffic onto the UCM servers.
27 Should have features to identify system issues and report them back to the vendor or through other user-defined channels, often before the issues become apparent.
28 The FW should support Identity Firewall, which provides more granular access control based on users' identities. Access rules and security policies can then be configured based on user names and user group names rather than on source IP addresses.
29 Should support dynamic downloading and enforcement of ACLs on a per-user basis once the user is authenticated with the appliance
30 Should support inspection of IPv6 traffic based on the extension header
31 Should provide IPv6-enabled inspection services for applications based on HTTP, FTP, SMTP, ICMP, TCP and UDP, and should support SSHv2, Telnet, HTTP/HTTPS and ICMP-based management over IPv6.
32 The firewall must have support for virtual firewalls and include at least 2 virtual firewalls without any additional license costs
33 There must be support for bi-directional NAT
34 The firewall should have support for cut-through proxy and user authentication
VPN Features
1 The device should support IPsec/IKEv2 for remote VPN access.
2 The security appliance should support the following encryption standards for ESP: DES, 3DES, AES-128, AES-192, AES-256.
3 The security appliance should support the following hashing algorithms: MD5, SHA.
4 Supports the use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512
5 The device should preserve the TOS bits as per RFC 2401: TOS bits in the original IP header should be copied to the IP header of the encrypted packet so that QoS policies can be enforced after encryption.
6 Should be able to act as an L2TP/IPsec VPN headend, terminating VPN connections from the native VPN clients included with Microsoft Windows 2000, Windows XP, Windows 2003 and Windows Pocket PC, and should support a variety of authentication methods including user ID/password, pre-shared keys, certificates and two-factor authentication.
7 Should support VPN connections between Android mobile devices and the appliance, when using the L2TP/IPsec protocol and the native Android VPN client.
8 Should have capability to automatically identify operating systems and service packs on any remote device establishing a client or clientless SSL VPN
9 Should support VPN from a variety of endpoints such as desktops, tablets and smartphones on the same appliance.
10 Should support the Start Before Login (SBL) feature, which allows a VPN connection to be established prior to machine login. This allows native Windows functionality such as AD group policies, drive mapping and login scripts to be provided for VPN users.
11 The VPN client should support EAP-TLS (Transport Layer Security), LEAP (Lightweight EAP) and MD5 (Message Digest 5).
12 The VPN client should support mobile devices such as Apple and Android.
13 Internal websites (both HTTP and HTTPS).
IPS Features
1 Inspect normal traffic as well as encapsulated traffic, including the following:
• GRE
• MPLS
• 802.1Q
• IPv4 in IPv4
• IPv4 in IPv6
• Q-in-Q double VLAN
2 Concurrent threat mitigation throughput (firewall + IPS services) should be 1.2 Gbps.
3 Should support custom signatures
4 It should have the capability of defining virtualized IPS sensors
5 Supports central management of policy configuration and one-touch global policy roll-out for policy changes and application
6 Should support creation of a baseline of normal network traffic and use that baseline to detect worm-infected hosts.
7 Should be able to determine host operating system by inspecting characteristics of the packets exchanged in the network
8 Should be able to correctly track TCP sessions in complex network configurations
9 Support inspection and mitigation of threats in Multiprotocol Label Switching (MPLS) environments
10 IPS should be capable of being installed in asymmetric network environments
11 The operator should be able to change from active (inline) mode to passive mode remotely.
12 The IPS device should have features to prioritize alerts after an alert action has taken place, e.g. if a high-priority attack is dropped, the alert should be logged, whereas if a high-priority attack is allowed, the alert should be sent by email.
13 The ability to define a default operating system that will be used in the attack relevance calculation, e.g. if a Linux-based attack is targeted towards a Windows server, the alert severity of the attack should be lowered.
14 All traffic should be scrubbed/normalized/reordered as it passes through the sensor.
15 The IPS should have the ability to dynamically understand the risk posed by an attack to the network so as to best adjust the rating of the alert. This risk should be assessed via various parameters such as the relevance of an attack (Linux vs. Windows) and the value of the target (printer vs. server).
16 Ability to identify attacks in IPv6 environments through the inspection of IPv4 traffic being tunnelled in IPv6.
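As an added illustration (not part of the RFP and not any vendor's formula), the following shows one way IPS items 12, 13 and 15 above fit together: an alert rating adjusted for the attack's relevance to the target's operating system (falling back to a default OS) and for the value of the target, followed by the log-or-email decision that depends on whether the attack was actually dropped. The host inventory, weights, thresholds and 0-100 scale are constructed for the example.

```python
"""Added example: relevance- and target-aware IPS alert rating (assumed model)."""
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: OS and asset value known to the sensor per host.
# Hosts not listed fall back to the default OS (item 13) and default value.
DEFAULT_OS = "windows"
HOST_OS = {"10.0.0.5": "linux", "10.0.0.9": "windows"}
TARGET_VALUE = {"10.0.0.5": 100, "10.0.0.9": 40}  # e.g. server vs. printer
DEFAULT_TARGET_VALUE = 75


@dataclass
class Alert:
    signature: str
    base_severity: int         # 0-100, taken from the signature definition
    target_ip: str
    attack_os: Optional[str]   # OS the attack is relevant to; None = any OS
    dropped: bool              # True if the inline sensor blocked the traffic


def relevance(alert: Alert) -> float:
    """Item 13: halve the weight when the attack targets a different OS."""
    if alert.attack_os is None:
        return 1.0
    target_os = HOST_OS.get(alert.target_ip, DEFAULT_OS)
    return 1.0 if target_os == alert.attack_os else 0.5


def risk_rating(alert: Alert) -> int:
    """Item 15: combine severity, relevance and target value into 0-100.

    Weights are an assumption for this example, not a vendor algorithm.
    """
    value = TARGET_VALUE.get(alert.target_ip, DEFAULT_TARGET_VALUE)
    score = alert.base_severity * relevance(alert) * (value / 100)
    return max(0, min(100, round(score)))


def alert_action(alert: Alert, high_threshold: int = 70) -> str:
    """Item 12: a high-rated attack that was blocked is only logged;
    one that was allowed through is escalated by email."""
    if risk_rating(alert) < high_threshold:
        return "log"
    return "log" if alert.dropped else "email"


if __name__ == "__main__":
    a = Alert("linux-exploit", 90, "10.0.0.9", "linux", dropped=False)
    print(a.signature, risk_rating(a), alert_action(a))  # 18 log
```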