
PROCUREMENT, INSTALLATION, COMMISSIONING AND TESTING OF WI-FI SYSTEM OFC BACKBONE UPTO SWITCH AT SBIM, RAJARHAT

REF: SBI/ITS/KOL/2017-18/03 DATED 30.06.2017, CORRIGENDUM-I DATED 07.07.2017 AND CORRIGENDUM-II DATED 10.07.2017

CORRIGENDUM-III DATED 11.07.2017

Sr No: 1
Clause No: RFP-3.1.1
Existing Clause: Supply, installation, testing and commissioning Structured Wireless LAN with OFC back bone connection for Wi-Fi connectivity will be used at SBIM, Rajarhat, Kolkata.
Revised Clause: Supply, installation, testing and commissioning and maintenance (including FMS and Internet link) of Structured Wireless LAN with OFC back bone connection for Wi-Fi connectivity will be used at SBIM, Rajarhat, Kolkata for a period of 5 years.

Sr No: 2
Clause No: RFP – Ann-5.3
Existing Clause: SLA Terms & Conditions
Revised Clause: The Annexure Number should be treated as 3.2 (Eligibility Criteria)

Sr No: 3
Clause No: RFP - Scope of Work
Existing Clause: The bidder should provide and maintain high speed uninterrupted wireless Internet across the SBIM campus, except few areas/rooms, for a period of 5 years. The areas/rooms where access to Internet is not required is marked at the building plans (Annexure – ABC). All other areas, including the open spaces, should be covered with high speed wireless Internet.
Revised Clause: The bidder should provide and maintain high speed uninterrupted wireless Internet services, as mentioned in the RFP, across the SBIM campus, including the open spaces, for a period of 5 years.

Sr No: 4
Clause No: RFP - Scope of Work
Existing Clause: The bidder should conduct Site Survey to finalize the Network Diagram and the Bill of Materials (BoM), subject to approval of the Bank. The bidder will prepare the drawings, cable route plans and laying of cables, rack, node and AP locations/placement, etc. in consultation with Bank. The bidder will try & reuse the items already available at the location to the extent possible subject to its functionality & feasibility without any adverse effect to the existing utility. The bidder should submit simulation report / Wi-Fi survey report including heat maps as per the survey conducted at site, at least 7 days before bid submission. Required changes/modification in architecture/quantity should be made to meet Bank’s requirement.
Revised Clause: The bidder should conduct Site Survey to understand the exact requirement. To maintain the uniformity among the bidders, Bank has finalized the BOM/BOQ as mentioned at the bottom. The bidder will prepare the drawings, cable route plans and laying of cables, rack, node and AP locations/placement, etc. The bidder will try & reuse the items already available at the location to the extent possible subject to its functionality & feasibility without any adverse effect to the existing utility. The bidder should submit simulation report / Wi-Fi survey report including heat maps as per the survey conducted at site along with the bid. The bidder will remain responsible for any changes/modification required in architecture/quantity to meet Bank’s requirement.

Sr No: 5
Clause No: RFP - Scope of Work
Existing Clause: Onsite engineer should be available for 24 * 7 * 365 days per year.
Revised Clause: Onsite engineer should be available for 24 * 7 * 365/366 days per year.

Sr No: 6
Clause No: RFP - Uptime and Penalty
Existing Clause:

Faulty Hardware / Appliances replacement: The bidder should provide replacement of the faulty hardware/appliances within 24 hours from time of detection/identification by the onsite support team. In case of delay beyond 24 hours, penalty will be charged as under.

Sr No | Equipment | Penalty per day
1 | Access Points | Rs.1000/-
2 | For Other Equipment | Rs.10000/-

This amount of penalty so calculated shall be deducted at the time of making payments to the bidder.

Onsite Helpdesk for the day-to-day operation / Management and Technical Support Teams: Due to some reason on the day, if any onsite support personnel is/are not available, the service integrator shall arrange for the backup onsite support persons accordingly. If on the day number of onsite support persons available is less than 07 then SBI shall be entitled to reduce amount(s) @ Rs.2500/- per day per support person.

Revised Clause:

Faulty Hardware / Appliances replacement: The bidder should provide replacement of the faulty hardware/appliances within 24 hours from time of detection/identification by the onsite support team. In case of delay beyond 24 hours, penalty will be charged as under.

Sr No | Equipment | Penalty per day
1 | Access Points | Rs.1000/-
2 | For Other Equipment | Rs.10000/-

This amount of penalty so calculated shall be deducted at the time of making payments to the bidder.

Onsite Helpdesk for the day-to-day operation / Management and Technical Support Teams: Due to some reason on the day, if any onsite support personnel is/are not available, the service integrator shall arrange for the backup onsite support persons accordingly. If on the day number of onsite support persons available is less than 07 then SBI shall be entitled to reduce amount(s) @ Rs.2500/- per day per support person.

UPTIME AND PENALTIES FOR DOWNTIME: Levy of penalties is without prejudice to other rights and remedies available under this agreement:

Level of Network uptime per month | Downtime Penalty
Committed SLA >=99.99% | -NIL-
>=99.95% but <99.99% | 10% of Monthly Bandwidth + FMS Charges
>=99.50% but <99.95% | 20% of Monthly Bandwidth Charges
>=99.00% but <99.50% | 30% of Monthly Bandwidth + FMS Charges
>=98.50% but <99.00% | 40% of Monthly Bandwidth + FMS Charges
<98.50 | 50% of Monthly Bandwidth + FMS charges and the Bank also reserves the right to terminate the contract. Further if the number of link down instances during a month exceeds 3, Bank reserves the right to terminate the contract.

PENALTIES FOR DELAY IN UPGRADES:

The vendor should also undertake to upgrade the link within 4 days from the date of Purchase Order for up-gradation. The Bank shall be entitled to charge penalty 2% of the additional up-gradation cost per day of delay with a maximum of 20% of the additional up-gradation cost beyond the scheduled up-gradation date.

If the successful bidder fails to commission/upgrade the link as mentioned above, the Bank has rights to cancel the business offered to the bidder and will recommend to IBA to blacklist the bidder from participating in any IBA member bank’s business offer.

Sr No: 7
Clause No: Corrigendum Uptime and Penalty
Existing Clause:

Uptime Penalty will be as under.

Event | Time period | Penalty
Failure of Wireless equipment | 5 Mnts-25 Mnts>upto 1 hours | Rs.50,000/- or Rs.1 Lakh
Failure of Hardware equipment | 25 Mnts-60 Mnts>upto 2 hours | Rs.50,000/- or Rs.1 Lakh
Failure of system | 60 Mnts-2 Hours >upto 12 hours | Rs.2 Lakh or Rs.4 Lakh
Failure of system | 12 hours to 24 hours>upto 48 hours | Rs. 5 Lakh or Rs.6 Lakh

Revised Clause: Please treat the Clause as CANCELLED.

Sr No: 8
Clause No: RFP
Existing Clause: *** Uptime and other Penalty clauses should be incorporated in the RFP *** Complete site plans and building plans with marking of exempted areas/rooms should be included in the RFP. All AC Rooms/Electrical rooms etc should be excluded from Wi-Fi internet network.
Revised Clause: Typo mistake. The clause should be treated as DELETED.

Sr No: 9
Clause No: Corrigendum – 4.11.3
Existing Clause:

Payment clause as against the following heads,

Software: 50 % payment will be released immediately after installation, testing and commissioning and another 50 % will be paid after 3 months on satisfactory performance.

Hardware: 70% payment will be released immediate after installation, testing and commissioning and remaining 30% will be paid in next five years warranty period on equal instalment.

Installation – Normally will be paid 100% after successful commission and testing.

Warranty Charge – Annually in arrears.

FMS – Quarterly in arrears.

Revised Clause:

Payment clause as against the following heads,

Software: 50 % payment will be released immediately after installation, testing and commissioning and another 50 % will be paid after 3 months on satisfactory performance.

Hardware: 70% payment will be released immediate after installation, testing and commissioning and remaining 30% will be paid in next five years warranty period on equal installment.

Installation – Will be paid 100% after successful commission and testing.

Warranty Charge – Annually in arrears.

FMS – Quarterly in arrears.

Link Charges – Quarterly in arrears.

Sr No: 10
Clause No: Corrigendum
Existing Clause: Bidders will arrange for Internet connection from two different ISP vendors and Bank will pay to ISP vendor directly (if required) as per the agreement (payment will be made quarterly basis) and PO to be issued to ISPs by Bank only at the Banks approved rate (already shared in RFP)
Revised Clause: The successful bidder has to arrange for the links as mentioned in the RFP. Bank will not pay directly to any ISP. Bank will pay to the bidder only as per the rates mentioned in the RFP.

Sr No: 11
Clause No: Corrigendum
Existing Clause: **As discussed in pre-bid meeting, Non-telco companies will not be able to procure link on our behalf. In that case Bank have to procure the links separately and the RFP will be for Hardware (with AMC), Commissioning, Maintenance, FMS etc. The solution should be capable to handle 100 Mbps to 10 Gbps Internet bandwidth.
Revised Clause: Please treat the clause as DELETED.

Sr No: 12
Clause No: RFP & Corrigendum
Existing Clause: Redundancy in hardware level as well as in link level will be implemented. To ensure the availability of Internet link, the bidder should provide two Internet links with dual last mile from different ISPs in ring architecture. Switching over from one link to other (in case of active link is down) should be seamless without any downtime.
Revised Clause: Redundancy in hardware level as well as in link level will be implemented. To ensure the availability of Internet link, the bidder should provide the Internet link with dual last mile. The second last mile should be from different ISPs in ring architecture. Switching over from one link to other (in case of active link is down) should be seamless without any downtime. Bank may procure second link in future, if required. The system should be capable to configure both the links.

Total Wi-Fi BOQ

Sl No. | Item Description | UOM | Qty
1 | L3 Switch 24 port 10G IP Base with 24 Nos SFP 10G populated | No | 2
2 | 12 Port Switch L3 with 4Nos 10G SFP and 1G populated | Nos | 12
3 | L2 Managed 24 Port with 4 SFP with 4 Nos 10 G populated | Nos | 35
4 | Router | No | 2
5 | Network Access Control | No | 2
6 | Link Load Balancer with Five years support | No | 2
7 | UTM Firewall with three years subscription 24X7 support. With five Years | No | 2
8 | Redundant WLAN Controller with 4 GigE ports and 530 AP management license from day one. | Nos | 2
9 | Omni, outdoor access point, 802.11ac 2x2:2, dual band concurrent, one Ethernet port, PoE input, includes mounting bracket. | Nos | 40
10 | Dual-band 802.11abgn/ac (802.11ac Wave 2), Wireless Access Point, 2x2:2 streams, MU-MIMO, dual ports, 802.3af PoE support. | Nos | 460
11 | Cat 6 UTP Cable (305 Mtrs / Box) | Box | 60
12 | Outdoor Cat 6 Cable | Box | 5
13 | Information Outlet, CAT6 RJ45, Unshielded | Nos | 500
14 | 24 Port CAT6 UnShielded Jack Panel Loaded | Nos | 28
15 | Workstation/ Equipment end CAT 6 Patch Cords 1Mtrs | Nos | 500
16 | Workstation/ Equipment end CAT 6 Patch Cords 2Mtrs | Nos | 500
17 | Face Plate Single port | Nos | 500
18 | 12 core Central loose tube 50 micron MM OM4 cable | Mtrs | 6000
19 | 12/24 Port LIU | Nos | 50
20 | Pigtail LC PC, beige, 50 micron, grade OM4, 1.5 m | Nos | 600
21 | LC-LC Duplex Multimode 50 micron patch cord | Nos | 50
22 | Adapter LC-Duplex PC, beige, OM4 | Nos | 50
23 | Fiber splice Shelf (LIU) -12 LC Duplex | Nos | 50
24 | OFC Multi Mode 10G | Nos | 50
25 | 12 U Wall Mount Rack with all accessories | Nos | 24
26 | 6 U Wall Mount Rack with all accessories | Nos | 13
27 | 42 U Floor Mount Rack with all accessories | Nos | 1
28 | HDPE Pipe 1" | Mtrs | 6000

Service

1 | L3 Switch 24 Port Installation & Commissioning Charge | Nos | 2
2 | 12 Port Switch Installation & Commissioning Charge | Nos | 13
3 | 12 Port Switch Installation & Commissioning Charge | Nos | 35
4 | Router Installation & Commissioning Charge | Nos | 2
5 | Link Load Balancer Installation Charge | Nos | 2
6 | Wireless Controller Installation & Commissioning Charge | Nos | 2
7 | Wireless AP Installation & Commissioning Charge | Nos | 530
8 | Cat 6 UTP Cable laying charge through conduit. | Nos | 19200
9 | I/O Installation and commissioning charge | Nos | 500
10 | Fluke Test Report for Cat 6 UTP Cable | Nos | 500
11 | Jack panel Installation and Punching charge | Nos | 28
12 | Laying of OFC through HDPE Pipe including Digging, refilling of hard/soft soil and Road crossing. | Mtrs | 6000
13 | Pigtail splicing Charge | Nos | 600
14 | LIU Installation Charges | Nos | 50
15 | OTDR Testing Report for OFC | Nos | 600
16 | L2 Engineers yearly charges (For Five Years) | Nos | 2
17 | L1 Engineers yearly charges (For Five Years) | Nos | 5
18 | 25 Years site certification | Lot | 1
19 | Project Management Charge | Lot | 1
20 | UTM Firewall Installation & Commissioning Charge | Nos | 2

Sr. No. | Feature Set | Complied

A Solution Requirement

A1 The router should support a throughput of 10 Gbps

A2 The router architecture should be based on hardware based forwarding and switching. System should be multi processor based architecture for enhanced performance

A3 The router should have data plane and control plane hardware level of redundancy for providing self redundancy and should not disrupt the system functionality at the time of any data plane or control plane hardware failure

A4 The router should support granular traffic detection and management using QoS features and should allocate network resources on application priority and requirement

A7 Router should support RFC 4012 for future implementation and Multicast Support. (Desirable)

A8 Router should support the complete STACK of IP V4 and IP V6 services

A9 The router should support Operating System (OS) redundancy in 1:1 mode to ensure high-availability of the system. In the event of running OS failure router should switchover to the redundant OS without disturbing the traffic flow. There should not be any impact on the performance in the event of active processing engine failure

A10 The router should support online hot insertion and removal of power supply and connected modules. Insertion of any line card/power supply should neither require rebooting the router nor disrupt the functionality of the system

B Hardware and Interface Requirement

B1 Router should have the following interfaces:


B2 Router should have 4 x 10 G ports & 4 X 1 G Ports or higher.

B3 Router should have console port

B4 Router should have management interface for Out of Band Management

B5 Router should be rack mountable and support side rails if required

B6 Router should have redundant power supplies (at least dual)

B7 Router should have hardware health monitoring capabilities and should provide different parameters through SNMP

B8 Router should support VLAN tagging (IEEE 802.1q)

B9 Router should support IEEE Link Aggregation and Ethernet Bonding functionality to group multiple ports for redundancy

B10 Router should have the capability of holding multiple OS images to support resilience & easy rollbacks during version upgrades etc. and should support in-service software upgrade including:

B11 a. Multiple System image

B12 b. Multiple system configuration

B13 c. Option of Configuration roll-back

B14 Router should support for different logical interface types like loopback, GRE and IPIP tunnel, VLAN etc

C Performance Requirement

C2 The router should support minimum 3,000,000 IPv4 and IPv6 routes entries including multicast routes

C5 Router should support Graceful Restart for OSPF, BGP, MP-BGP etc.

C6 Router should support the required throughput, as mentioned, of crypto IMIX WAN traffic including the services:

C6.1 a. Hardware based encryption acceleration (IPSec VPN)

C6.2 b. IPSec Encryption (ESP-AES 256 ESP-SHA-HMAC)

C6.3 c. IP Routing (Static/Dynamic)

C6.4 d. IP Forwarding

C6.6 f. NAT

C6.7 g. QoS

C6.8 h. ACL and Other IP Services

C6.9 i. MPLS with VRF Edge Routing

C6.10 j. IP V.6 host and IP V.6 routing

C7 The router should support secured connectivity using point to point and any to any dynamic IPSec VPN for secured data transfer:

C7.1 a. Hardware based IPSec Encryption

C7.3 c. Any to Any Dynamic IPSec VPN using the GDOI Protocol should be supported

C7.4 d. IPSec Idle Timeout and Dead Peer detection

C7.5 e. Support Multicast traffic over any to any dynamic VPN

C8 The router should support uninterrupted forwarding operation for OSPF, BGP etc. routing protocol to ensure high-availability during primary controller failure

D Layer2 Features

D1 Spanning Tree Protocol (IEEE 802.1D, 802.1S)

D2 VLAN Trunking (802.1q)

D3 System should provide basic Layer 2 WAN protocols as:

D3.2 b. GRE

D3.3 c. Ethernet

E Layer3 Features

E1 The router should support IPSec Framework for Secured Data transfer

E1.1 a. IPSec Data Encapsulation AH and ESP

E1.2 b. Key Exchange: Internet Key Exchange (IKE), IKEv2, Pre-Shared Keys (PSK), Public Key Infrastructure PKI (X.509), RSA encrypted nonces etc

E1.3 c. Encryption Algorithm: DES, 3DES, AES-128/192/256

E1.4 d. Authentication Algorithm: SHA1 and SHA2

E1.5 e. Group: Diffie-Hellman (DH) Group 1, 2, 5

E1.7 g. Different mode of communication: Tunnel mode and Transport mode

E1.8 h. IPSec NAT Traversal

E2 The router should support IPSec framework standard RFC:

E2.1 a. IPSec (RFCs 2401 to 2410)

E2.2 b. IPSec ESP using DES and 3DES (RFC 2406)

E2.3 c. IPSec authentication header using MD5 or SHA (RFCs 2403 to 2404)

E2.4 d. IKE (RFCs 2407 to 2409) and 7296

E2.5 e. GDOI Group Domain of Interpretation

E3 Router should provide basic routing feature i.e. IP Classless and default routing

E4 Router should provide static and dynamic routing using:

E4.1 a. Static routing

E4.2 b. RIP V.2 with MD5 Authentication

E4.3 d. OSPF V.2 using MD5 Authentication

E4.4 e. ISIS using MD5 Authentication

E4.5 f. BGP V.4 using MD5 Authentication

E4.6 g. Should support route redistribution between these protocols

E4.7 h. Should be compliant to RFC 4760 Multiprotocol Extensions for BGP-4 (Desirable)

E5 Router should support for policy based routing for providing different path selection for different applications and also should support best path selection using realtime parameters like:

E5.1 a. Jitter

E5.2 b. Minimum cost

E5.3 c. Network path availability

E5.4 d. Network Response Time

E5.5 e. Packet loss

E6 The router should re converge all dynamic routing protocol at the time of routing update changes i.e. Non-Stop forwarding for fast re-convergence of routing protocols

E7 Router should support connecting multiple MPLS service providers using multi instance routing using VRF and do VRF Edge routing

E8 Router should be capable to work as DHCP server and relay

E9 Router should provide multicast traffic reachable using:

E9.1 PIM-SM

E9.2 PIM-SSM

E9.3 Bi-Directional PIM

E9.4 MBGP, DVMRP or equivalent

E9.5 Support RFC 3618 Multicast Source Discovery Protocol (MSDP)

E9.6 Support Any cast Rendezvous Point (RP) mechanism using PIM and Multicast Source Discovery Protocol (MSDP) as defined in RFC 3446

E9.7 IGMP V.1, V.2 and V.3

F Availability

F1 Router should have provisioning for connecting to dual power system

F2 Router should support to dynamically discover and cope with differences in the maximum transmission unit (MTU) size allowed on the various links along the path, using multiple interconnected for end to end network connectivity and usability

F3 Router should automatically fail over to the secondary link connectivity on primary interface status change or when the remote network is not reachable, using the following realtime parameters (IP SLA):

F3.1 Jitter

F3.2 Network path availability

F3.3 Network Response Time

F3.4 Packet loss

F4 Router should provide gateway level of redundancy in IP V.4 and IP V.6 using HSRP/VRRP & NHRP/equivalent for Dynamic VPN

G Quality of Service

G1 Router system should support 802.1P classification and marking of packet using:

G1.1 a. CoS (Class of Service)

G1.2 b. DSCP (Differentiated Services Code Point)

G1.3 c. Source physical interfaces

G1.4 d. Source/destination IP subnet

G1.5 e. Protocol types (IP/TCP/UDP)

G1.6 f. Source/destination TCP/UDP ports

G2 Router should support methods for identifying different types of traffic for better management and resilience under network attacks

G3 Router should support different types of QoS features for differential treatment of real time traffic using

G3.1 Weighted Fair Queuing

G3.2 Weighted Random Early Detection

G3.3 Priority queuing

G4 Router should support controlling incoming and outgoing traffic using

G4.1 a. Traffic Shaping

G4.2 b. Traffic Policing

G5 Router should support for managing congested network connectivity using:

G5.1 a. TCP congestion control

G5.2 b. IP Precedence

G5.3 c. Ingress and Egress Rate Limiting

G6 Router should support for packet classification and fragmentation before applying IPSec security encryption for providing end to end QoS treatment

G7 Router should support hierarchical QoS for providing granular policy per application basis for providing bandwidth provisioning and management

H Security

H2 Router should support for deploying different security for each logical and physical interface using Port Based access control lists of Layer-2 to Layer-4 in IP V.4 and IP V.6

H3 Router processor and memory Protection from unnecessary or DoS traffic by control plane protection policy

H4 Router should support stringent security policies based on time of day of Layer-2 to Layer-4

H5 Router should support for external database for AAA using:

H5.1 a. TACACS+

H5.2 b. RADIUS


H6 Router should support dynamic inspection of ARP for the locally connected network system

H7 Router should support for multiple service provider using edge VRF and IPSec traffic encryption

H8 Router should support GRE and IPSec WAN traffic encapsulation and encryption

H9 The router shall support unicast RPF (uRPF) feature to block any communications and attacks that are being sourced from Randomly generated IP addresses.

I Manageability

I1 Router should support for embedded RMON for central NMS management and monitoring

I2 Router should support for sending logs to multiple centralised syslog server for monitoring and audit trail

I3 Router should provide remote logging for administration using:

I3.1 a. Telnet

I3.2 b. SSH V.2

I4 Router should support for capturing packets for identifying application performance using remote port mirroring for packet captures

I5 Router should support for management and monitoring status using different type of Industry standard NMS using:

I5.1 a. SNMP V1 and V.2

I5.2 b. SNMP V.3

I5.3 c. Filtration of SNMP using Access list

I5.4 d. SNMP MIB support for QoS

I6 Router should support for basic administrative tools like:

I6.1 a. Ping

I6.2 b. Traceroute

I7 Router should support central time server synchronisation using Network Time Protocol NTP V.4

I8 Router should support for collecting real-time traffic statistics for analysis and troubleshooting using Netflow or Ipfix or equivalent

I9 Router should support for providing granular MIB support for different statistics of the LAN and WAN interface

I10 Router should support predefined and customised execution of scripts for device management, for automatic and scheduled system status updates for monitoring and management

I11 Router should provide different privilege levels for login to the system for monitoring and management

I12 Router should support dynamic changes in configuration or operating system using different local and central tools and scripts

J IPv6 features

J1 Router should support IP V.6

J2 Router should support for IP V.6 connectivity and routing required for network reachability using different routing protocols such as:

J2.1 a. RIP NG

J2.2 b. OSPF V.3

J2.3 c. BGP with IP V.6

J2.4 d. IP V.6 Policy based routing

J2.5 e. IP V.6 Dual Stack etc

J2.6 f. IP V.6 Static Route

J2.7 g. IP V.6 Default route

J2.8 h. Should support route redistribution between these protocols


J3 Router should support different types of IP V6 tunnelling mechanism, such as:

J3.1 a. Automatic IPV 6 to IPV4 tunnels/IPv4 to IPv6 IP Tunnels

J3.2 b. Automatic IP v4 compatible tunnels/IPv4 to IPv6 IP Tunnels

J3.3 c. IPv6 over IPv4 tunnelling

J4 Router should support different types of multicast routing in IP V.6 network using:

J4.1 a. PIMv2 Sparse Mode

J4.2 b. PIMv2 Source-Specific Multicast

J5 Router should support for QoS in IP V.6 network connectivity

J6 Router should support for monitoring and management using different versions of SNMP in IP V.6 environment such as:

J6.1 a. SNMPv1, SNMPv2c, SNMPv3

J6.2 b. SNMP over IP V.6

J6.3 c. RFC4292/RFC4293 MIBs for IPv6 traffic

J7 Router should support syslog for sending system log messages to centralised log server in IP V.6 environment

J8 Router should support NTP to provide an accurate and consistent timestamp over IPv6 to synchronized log collection and events

J9 Router should support for IP V.6 different type of application usage like:

J9.1 a. HTTP

J9.2 b. HTTPS

J9.3 c. ICMP

J9.4 d. TCP/UDP

J9.5 e. DNS lookup

J9.6 f. DHCP

J10 Router should support for IP V.6 different types of tools for administration and management such as:

J10.1 a. Ping

J10.2 b. Traceroute

J10.3 c. VTY

J10.4 d. SSH

J10.5 e. TFTP

Firewall

Sr. No. | Features | Compliance (Yes/No)

A Solution Requirement

A 1 Make and Model (Palo Alto/Checkpoint/Fortinet and Cisco Only)

A 2 Details of the proposed solution: name, version, date of release, date of release of next version, application/product development path, etc.

A 3 Proposed solution framework should be scalable to support large scale deployment and reduce the time and effort to deploy the entire set up. Bidder should clearly illustrate various tools and methodologies used to achieve the same

A 4 Please submit a list of all features provided by proposed solution in addition to the specifications mentioned in this document, that will be available to the bank without any additional charges and will be under support. These features will be treated at par with other features mentioned in the RFP.

A 5 Solution should support Firewall, Intrusion Prevention System, Application Visibility, SSL Inspection (in & out) functions etc.

A 6 Solution should support "Stateful" policy inspection technology. It should also have application intelligence for commonly used TCP/IP protocols, not limited to telnet, ftp, http, https etc

A 7 Not applicable

A 8 Firewall & IPS should have Recommended rating in 2015/last released respective Group tests of NSS

A 9 The communication between all the components of solution (firewall module, logging & policy and Web GUI Console) should be encrypted with SSL or PKI

A 10 Management of the entire solution including real-time monitoring, event logs collection, policy enforcement etc should be from a single device only (mgt server/appliance), however solution should have management devices at both locations

A 11 Firewall should be supplied with the support for static routing and dynamic routing with protocols, like RIP v2, OSPF, & BGP etc.

A 12 Firewall should support the multicast protocols like IGMP and PIM-DM / PIM-SM etc

A 13 Solution should support Identity Access for Granular User/ Group, location and machine based visibility

A 14 Solution should provide stateful failover among devices for all components and should be completely automatic without any sort of manual intervention

A 15 Solution should have hardened OS for both appliance and management platform

A 16 Solution should provide protection against various types of cyber attacks, evasive attacks, scripting attacks etc

A 17 Solution should have capability to store Logs and configuration of all devices, centrally in the solution and should also have capability to send logs of all devices to the generic central log collection servers

A 18 Solution should be IPV6 ready. It should have IPV6 ready logo or similar certification from any other reputed third party. No extra cost will be borne by bank for IPV6 implementation

A 19 Solution must support the complete STACK of IP V4 and IP V6 services

A 20 Solution should have capability to analyse the impact of any new policy prior to making it live.

A 21 Solution should support for multiple security levels/zones like internal, DMZ and external etc.

A 22 Independent administrative controls for all the major functions like Firewall, IPS, SSL offloading etc should be in place. Compromise with any component either by connecting with it physically or remotely should not impact other components of the solution

A 23 Not applicable

A24 Patches & updates being received from OEM should be from trusted sites

B Hardware and Interface Requirements

B 1 Each appliance of solution requires at least 6 x 10G & 2 x 1G interfaces including ports for sync, HA and other functionalities. System should support 4x40G for future requirement

B 2

B 3 Each appliance should have management interface for Out of Band Management

B 4 Each appliance should be rack mountable and support side rails if required

B 5 Each appliance should have redundant power supplies (at least dual) and management system should have HDD/SSD with RAID enabled.

B 6 Each appliance should have hardware health monitoring capabilities and should provide different parameters through SNMP

B 7 Solution should support VLAN tagging (IEEE 802.1q)

B8 Solution should support IEEE Link Aggregation and Ethernet Bonding functionality to group multiple ports for redundancy

B 9 Solution should Support DHCP Relay

B 10 Solution should support and not limited to:

B.10.1 Active-Active & Active-Failover Load Balancing: The firewall must support stateful Active-Active & Active-Failover architecture for Firewall, VPN & IPS functions and high availability for redundancy. Appliance failover should be completely stateful.

B.10.2 Solution should provide stateful failover for Firewall and VPN functionalities

B.10.3 Solution should not require any downtime/reboot for failover

B 11 Solution should have the capability of holding multiple OS images to support resilience & easy rollbacks during the version upgrades etc

B 12 Centralized Management Solution should provide high availability at site level for enabling DR deployment

B 13 It should be possible to manage the entire solution from Primary & Secondary management server/appliance placed at DC and DR. Management solution should have the capability to be deployed in geographically different location enabling DR deployment

B 14 The firewall system should have adequate local storage in order to keep the various logs in the event of management server connection failure etc

C Performance Requirements

C 1 Each of Appliance of Solution should be properly sized for following given parameters, with all features enabled at the same time:

C1.1 Handling minimum 10 Gbps of user traffic (Incoming 10 Gbps and Outgoing 10 Gbps traffic simultaneously) and other application Zones.

C1.2 Please change this to "Should support at least 10 Gbps of real world performance throughput (includes Firewall, Application Visibility & IPS)"

C1.3 Running all internet protocols etc, traffic flowing through different zones in the solution with all the features enabled and running

C 2 Request you to change this to 20 million concurrent session with AVC considering NGFW firewall and 10 Gbps real world throughput

C 3 Request you to change this to more than 1,60,000 new sessions per second

C 4 Solution should not impact the application response by adding latency. Maximum permissible latency of firewall is 50 milliseconds and for the complete solution at each site is 100 milliseconds with all the services enabled together as asked in this RFP at any point of time

C 5 The Firewall must provide filtering capability using FQDN and URL

D Network Standards/Protocols and Firewall System Requirements

D 1 Solution should support at least 250+ protocols

D 2 Solution should have a capability to support for more than 500 VLAN

D 3 Solution should support the filtering of TCP/IP based applications with standard TCP/UDP ports or deployed with custom ports etc

D 4 Firewall Modules should support the deployment in Routed as well as Transparent Mode & should also support following:

D 4.1 Solution should mask the internal network from the external world.

D 4.2 Multi-layer, stateful, application-inspection-based filtering should be done

D 4.3 It should provide network segmentation features with powerful capabilities that facilitate deploying security for various internal, external and DMZ (Demilitarized Zone) sub-groups on the network, to prevent unauthorized access

D 4.4 Ingress/egress filtering capability should be provided for internal, external and DMZ (Demilitarized Zone) zones

D 4.5 Solution should support detection of reconnaissance attempts such as IP address sweep, port scanning etc

D 5 Solution should provide NAT functionality, including dynamic and static NAT translation etc

D 6 IPSec should have the functionality of PFS (perfect forward secrecy) and NAT-T and should support:

D 6.1 Network Address Translation (NAT) should be configurable as 1:1, 1: many, many: 1, many:many, flexible NAT (overlapping IP addresses). Reverse NAT or equivalent should be supported

D 6.2 Port address translation/Masquerading should be supported for all internet based applications, including but not limited to filtering of Telnet, FTP, SMTP, http, DNS, ICMP, DHCP, ARP, RPC, SNMP, Lotus Notes, MS-Exchange etc

D 7 Solution should support integration with following standards :

D 7.1 X.509 Digital certificates

D 7.2 RSA SecurID Certified

D 7.3 Two Factor Authentication

D 7.4 Radius/Tacacs+

D 8 Solution should support RADIUS/TACACS+ authentication protocol for Local access to devices

D 9 Solution should support PKI with:

D 9.1 PKCS 7/PKCS 10/ PKCS 12 and PEM

D 9.2 Self-signed Certificates

D 9.3 External CA support

D 9.4 Certificate Revocation List Import

D 9.5 Embedded Certificate Authority

D 10 IPSec ISAKMP methods should support Diffie-Hellman Group 1 & 2, MD5 & SHA, SHA2, RSA & Manual Key Exchange Authentication, 3DES/AES-256 Encryption of the Key Exchange Material and algorithms like RSA-1024 / 1536

D 11 Not applicable

D 12 Firewall system should support virtual tunnel interfaces to provision Route-Based IPSec VPN

D 13 Dynamic Host Configuration Protocol (DHCP) over Virtual Private Network (VPN) should be supported for dynamic allocation of IP addresses

D 14 Solution should support the following features, not limited to:

D 14.1 The firewall should support Internet Protocol Security (IPSec)

D 14.2 Key exchange with latest Internet Key Exchange (IKE), IKEv2, Public Key Infrastructure PKI (X.509)

D 14.3 Site-to-site VPN tunnels: full-mesh / star topology should be supported

D 14.4 Support Latest Encryption algorithms including AES 128/192/256 (Advanced Encryption Standard), 3DES (Data Encryption Standard) etc

D 14.5 Support Latest Authentication algorithms including SHA-1 (Secure Hash Algorithm-1), SHA-2 (Secure Hash Algorithm-2) etc

D 14.6 IPSec NAT traversal should be supported

D 14.7 Not applicable

D 14.8 It must include the ability to establish VPNs with gateways with dynamic public IPs

D 14.9 Not applicable

D 15 The Firewall must provide filtering capability that includes parameters like source addresses, destination addresses, source and destination port numbers, protocol type with other parameters to configure rules based on following parameters:

D 15.1 Source/Destination IP/Port

D 15.2 Not applicable

D 15.3 User/group role (Integration with AD)

D 15.4 Customizable services

D 15.5 Not applicable

D 15.6 Combination of one or multiple of above mentioned parameter

D 16 The Firewall should be able to filter traffic even if the packets are fragmented

D 17 It should be able to block Instant Messaging like Yahoo, MSN, ICQ, Skype (SSL and HTTP tunnelled) etc

D 18 It should enable blocking of Peer-Peer applications, like Kazaa, Gnutella, Bit Torrent, IRC (over HTTP) /HTTPS etc

D 19 The Firewall should support database related filtering and have support for Oracle, MS-SQL, and SQL-Net etc

D 20 Should support CLI & GUI based access to the firewall modules

D 21 Solution should support Access for Granular user, group & machine based visibility and policy enforcement etc

D 22 Should support basic attack protection features listed below but not limited to :

D 22.1 Maximum no of protections against attacks that exploit weaknesses in the TCP/IP protocol suite

D 22.2 It should enable rapid detection of network attacks

D 22.3 TCP reassembly for fragmented packet protection

D 22.4 SYN cookie protection, SYN Flood, Half Open Connections and NUL Packets etc

D 22.5 Protection against IP spoofing

D 22.6 Malformed packet protection

E IPS Feature Requirements

E 1 Intrusion detection and prevention systems (IDPS), should monitor network and/or system activities for malicious activities and identify them, log information about the activities, attempt to block/stop it, and report it

E 2 It should be possible to deploy the product as an Intrusion Detection System (which logs and alerts on suspected attacks) and/or as an Intrusion Prevention System located in line, which drops packets that are suspicious.

E 3 It should perform deep packet inspection up to layer-7 and take desired action based on findings

E 4 Advanced detection techniques with stateful application & Protocol intelligence

E 5 IPS should capture (but not limited to) the following important parameter about attack:

E 5.1 Identifying Network Characteristics (IP Address Src&Dst, Port Address Src&Dst and protocols etc)

E 5.2 Raw data packet, and Raw data information should be converted into the format that is compatible with the most popular sniffers, like Wireshark, etc. for the forensics.

E 6 A wide range of response options from logging and raising alarms to blocking traffic should be supported.

E 7 System should have capability to turn on or off the as and when required.

E 8 The IPS should be constantly updated with new defences against emerging threats.

E 9 IPS updates should have an option of Automatic downloads and scheduled updates so that it can be scheduled for specific days and time

E 10 Should have flexibility to define newly downloaded protections will be set in Detect or Prevent mode

E 11 Solution should provide details of Performance Impact on Signatures along with the Vulnerability severity and should have options for new signatures for avoiding false positives

E 12 The product should have signature based as well as anomaly based analysis and prevention facility

E 13 The IPS should provide easy updating of signatures to remain current with latest attacks prevention

E 14 IPS Engine should support Vulnerability and Exploit signatures, Protocol validation, Anomaly detection, Behaviour-based detection, Multi-element correlation etc

E 15 IPS processes should be hardened so as to be resistant to attacks including DoS/DDoS attacks and advance attacks from time to time. Product should offer features that make them resistant to failure due to advance attacks & emerging threats modes

E 16 IPS should have Resistance to Evasion and protection from anti-NIPS techniques

E 17 IPS Profile should have an option to select or re-select specific signatures that can be deactivated

E 18 Intrusion Prevention should have an option to add exceptions for network and services

E 19 IPS should have the functionality of Geo Protection to Block the traffic country wise and direction

E 20 It should be possible to create IPS events/protection exclusion rules and to view packet data directly from log entries with RAW packets, which if required can be sent to Wireshark for analysis

E 21 Application Intelligence should have controls for Instant Messenger, Peer-to-Peer, Malware Traffic etc

E 22 NIPS should have the facility to block File Transfer, Audio and Video using Instant Messenger and other facilities like Application Sharing and Remote Assistance etc

E 23 IPS should have an option to create your own signatures with an open signature language

E 24 Detailed IPS Logs to be provided post detection of attacks. The logs should have the attack Name, the Severity, Industry Reference, Confidence Level etc

E 25 Advanced capabilities that detect and prevent attacks launched against the Web infrastructure

E 26 Malicious code protector for Buffer Overflow, Heap overflow and other malicious executable code attacks that target Web servers and other applications without the need of signature

E 27 Monitor all communication for potential executable code, confirms the presence of executable code and identifies whether the executable code is malicious

E 28 Application layer protections for Cross-site scripting, LDAP injection, SQL Injection, Command Injection, Directory traversal, OWASP (Open Web Application Security Project) etc

E 29 Spoofing attacks, Directory listing options and error concealment etc attacks should be prevented

E 30 NIPS should support HTTP Protocol Inspections for HTTP format size enforcement, ASCII-only request enforcement, ASCII-only response header enforcement, header rejection definitions, HTTP method definitions etc

E 31 Solution Should provide infrastructure and ways to test new signatures/version update/OS update in SBI environment before deploying the same in to prevention mode etc

E 32 Enforcements options with Active, Monitor-only, Disabled etc

E 33 The IPS should be able to monitor all of the major TCP/IP protocols, including IP, Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP). And detect latest attacks (not limited to) port scanning, unusual packet fragmentation, SYN

E 34 The IPS should be able to inspect SSL, HTTPS, SFTP, SSH etc traffic

E 35 Should have support for frequently analyzed network layer protocols such as IPv4, IPv6, ICMP (Internet Control Message Protocol) etc

E 36 Solution Should send notifications on a real time basis in the form of Session Packet Log, Session Summary, E-mail, SNMP, and any other configurable mode etc

E 37 IPS system should be capable to reconnaissance to get victimized

F Administration, Management and Logging Functionality Feature Requirements

F 1 The bidder must propose two management devices for real time monitoring, management and log collection to manage these Firewalls. All the logs should be retained in these 2 management devices. In case the primary management device fails, complete logs should be available at the secondary management device

F 2 A centralized monitoring and management system with multiple administrators who have administrative rights based on their roles, should provide Audit Trail of the Changes etc

F 5 Solution should be able to support large scale WAN deployment with following important Criteria for Real-Time Monitoring, Management & Log Collection etc

F 5.2 To ensure business continuity all the solutions/hardware proposed should be in HA

F 6 Any changes or commands issued by an authenticated user should be logged to a database of the management system

F 7 Firewall Management system should also provide the real time health status of all the firewall modules on the dashboard for CPU & memory utilization, state table, total number of concurrent connections and the connections/second counter etc

F 8 It should support SNMP (Simple Network Management Protocol) v 2.0 and v 3.0 and NTP V.4 with all new versions of present and future release

F 9 Firewall must send mail or SNMP traps to Network Management Servers (NMS) in response to system failures or threshold violations of the health attributes.

F 10 Firewall should support the user based logging. Log levels must be configurable based on severity

F 11 Not applicable

F 12 The Firewall must provide simplified provisioning for addition of new firewalls where by a standard firewall policy could be pushed into the new firewall

F 13 The Firewall administration station must provide a means for exporting the firewall rules set and configuration

F 14 Support for role based administration of firewall

F 15 The Firewall administration software must provide a means of viewing, filtering and managing the log data

F 16 The Firewall logs must contain information about the firewall policy rule that triggered the log

F 17 Centralized Security Management should include for all the proposed security controls but not limited to:

F 17.1 Real Time Security Monitoring

F 17.2 Logging

F 17.3 Reporting functions

F 18 The solution must provide a minimum basic statistics about the health of the firewall and the amount of traffic traversing the firewall

F 19 Solution should support for configuration rollback

F 20 Solution should support Real time traffic statistics & Historical report with

F 20.1 Attacks and threat reports, etc.

F 20.2 Customized reports on HTML and CSV format etc

F 21 Solution Audit Trail should contain at a minimum:

F 21.1 The name of the administrator making the change

F 21.2 The change made

F 21.3 Time of change made

F 22 Management system should provide detailed Event analysis for Firewall and IPS and also should provide Syslog output to integrate with other major SIEM tools and specifically should support RSA SIEM tool current and future versions

F 23 Solution should support for real time analysis of all traffic the firewall may encounter (all possible SOURCE, DEST, SERVICE, including groups) etc

F 24 Provide geographic distribution of data collection from devices, processed locally, compressed and then transferred to the central manager

G Licensing Requirements

G 1 Solution should have enterprise license without any restrictions. If during the contract, solution is not performing as per specifications in this RFP, bidder has to upgrade/enhance the devices or place additional devices and reconfigure the system without any cost to bank

G 2 Solution and its various components like Firewall, IPS, VPN etc should not have any licensing restriction on number of users, concurrent connections, total connections, new connections, number of vlan, zones, number of policies, number of appliances, other network parameters, number of equipments / servers etc

G 3 The offered product part codes have to be General Availability Part codes and not custom built Part Code for SBI. There should be cross reference to the public website of the OEM

G 4 Any third party product required to achieve the functionality should be provided with the necessary enterprise version license of software/appliance and necessary hardware, database and other relevant software or hardware etc should be provided with the s

URL FILTERING

H 1 The Proposed System Should have integrated Web Content Filtering System without external solution, devices or hardware module.

H 2 The proposed solution should be able to enable or disable Web Filtering per policy or based on firewall authenticated user, groups for both HTTP & Https traffic

H 3 The proposed system shall provide web content filtering features:

H 3.1 1. Which block web plug-ins such as Active X, java applet and cookies

H 3.2 2. Shall include Web URL block

H 3.3 3. Shall Include score based web keyword block

H 3.4 4. Shall include Web exempt List

H 4 The proposed system shall be able to query a real time database of over 110 million+ rated websites categorised into 70+ unique content categories.

Advance Malware Protection

I 1 Solution should be capable of blocking callbacks to CnC Servers

I 2 Solution should be capable of blocking threats based on both signatures and behaviour

I 3 Detection rules should be based on an extensible, open language that enables users to create their own rules, as well as to customize any vendor-provided rules.

I 4 The solution should be capable of analysing & blocking TCP and UDP protocols to identify attacks and malware communications. At a minimum, the following protocols are supported for real-time inspection, blocking and control of downloaded files: HTTP, SMTP, POP3, IMAP, Netbios-ssn and FTP.

I 5 The solution should be capable of executing MS Office Documents, Portable Documents, Archive Files, Multimedia Files and executable binaries in a virtual sandbox environment

I 6 The solution should be capable of gathering Active Directory user identity information, mapping IP addresses to username and passively gathering information about network devices including but not limited to:
● Operating system vendor
● Operating system version
● Network protocols used, e.g. IPv6, IPv4
● Network services provided, e.g. HTTPS, SSH
● Open ports, e.g. TCP:80
● Client applications installed and type, e.g. Chrome - web browser
● Web applications access, e.g. Facebook, Gmail
● Risk and relevance ratings should be available for all applications
● Potential vulnerabilities
● Current User
● Device type, e.g. Bridge, Mobile device
● Files transferred by this device / user

I 7 The solution should be capable of white listing trusted applications from being inspected and not an entire segment to avoid business applications from being affected & in turn productivity

I 8 The solution should be capable of blocking traffic based on geo locations to reduce the attack landscape and to protect communication to unwanted destinations based on geography

I 9 The solution shall be able to detect attacks on 64-bit operating systems

I 10 The proposed solution must detect, control access to and inspect for malware at least the following file types: Microsoft Office files, executables, multimedia, compressed documents, Windows dump files, pdf, jarpack, install shield.

I 11 The solution should allow real-time detection and prevention of attacks in the following applications: Microsoft Internet Explorer, Mozilla Firefox, Chrome, Adobe Acrobat Reader, Adobe Acrobat, Microsoft Silverlight, Java SUN, Real Player, Microsoft Office and Apple QuickTime.

I 12 The proposed solution must be capable of analysing malware in real time using hybrid analysis capabilities, using various analysis and control strategies, including simultaneously, whether by local, remote or hybrid execution technology, for the determination of advanced malware.

I 13 The Advance Malware Protection should support retrospective alerts so that if a file turns out to be malicious later on, it should raise an alert and immediately block the file from traversing the network

Distribution switches :

Switch must have 12 nos. of 1/10 GE SFP+ based interfaces and 4 nos. of 10 GE SFP+ based uplink dedicated ports populated with 12 nos. of long range optics and 4 nos. of long range 10G optics respectively.

Switch should support switching capacity of 320 Gbps

Access (edge) switches:-

Switch must have at least 24 nos. of multispeed 10/100/1000 Ethernet Copper interfaces and 2 nos. of 10 GE SFP+ based uplink dedicated ports. Each of the switch must be populated with 2 nos. of long range 10G optics.

Date of submission of Technical Bid: By 12.00 Noon on 17.07.2017 and Opening of Technical Bid 1500 hrs on 17.07.2017

Date of Reverse auction : Starts at 11.30 am on 20.07.2017

---------------------------------------------XXXXX---------------------------------------------------------------