supply & installation of checkpoint firewall solution
Information Management Unit
ENQUIRY 1i-17297 Request for Proposal for:
Supply & Installation of a Firewall Solution with Licencing
1. Information Page
2. Conditions of Tender
3. General Conditions of Contract
4. Technical Specification
5. Tender Documents - (to be completed and returned by Tenderer)
Official Tender Form
Checklist Tender Returnable’s
Annexure 1 – Contractor Acknowledgement of Responsibility in Terms of Occupational Health and Safety Act
Annexure 2 – MBD4 Declaration of Interest
Annexure 3 – Declaration of Municipal Fees
Annexure 4 – MBD 9 Certificate of Independent Bid Determination
Annexure 5 – Banking Rating Questionnaire
Annexure 6 – MBD 6.1 Preference Points Claim Form
Annexure 7 – MBD 8 Declaration of Bidders Past Supply Chain Practices
Annexure 9 – MBD 2 Tax Clearance Certificate
All of which form part of the Tender Documents and should not be detached.
All annexures are not included in this pack and must be downloaded from: ftp.durban.gov.za/munidocs. These need to be printed, completed and submitted with tender response.
NOTE
SEALED TENDERS ADDRESSED TO THE TENDERS SECTION AND MARKED “Enquiry 1I-17297 SUPPLY & INSTALLATION OF A FIREWALL SOLUTION WITH LICENSING” MUST BE PLACED IN THE TENDER BOX LOCATED IN THE FOYER, GROUND FLOOR, MUNICIPAL BUILDING, 166 KE MASINGA ROAD (FORMERLY OLD FORT ROAD), DURBAN (AND NOT ANY OTHER MUNICIPAL DEPARTMENT) NOT LATER THAN 11:00 ON FRIDAY, DATE 4 October 2015.
Enquiries in regard to this contract should be made to [email protected]
Supply & Installation of a Firewall Solution #1I-17297 2
1. INFORMATION PAGE
In terms of eThekwini Municipality’s Procurement Policy a NON-REFUNDABLE TENDER CHARGE for tender documents collected in hard copy has been implemented. The following forms of payment will be acceptable:-
• Cash
• Bank Guaranteed Cheques addressed to eThekwini Municipality
• Bank Deposits (information/account details reflected below)
Should a bank deposit be made, a copy of the deposit slip as proof of payment must be faxed to (031) 311 7718 for the urgent attention of the Senior Contracts Officer. Once proof of payment has been received the tender document will be released. Alternatively the deposit slip could be sent with the Courier who is collecting the tender document on behalf of the company.
Note: - Any company requiring a courier service will bear the cost for the service as well as have deposited the relevant tender charge into the Municipality’s account prior to the Courier collecting a document.
BANKING DETAILS
Name of Account Holder : eThekwini City Engineer’s Deposit Account
Name of Banking Institution : Standard Bank
Branch : Kingsmead
Branch Code : 04 0026
Account Number : 05 0134264
Type of Account : Business Current
Targeted Procurement Registration Documents available on:- Website Address: - http://www.durban.gov.za/Resource_Centre/Tenders/Pages/default.aspx
2. CONDITIONS OF TENDER (GOODS/SERVICES)
1. BID INFORMATION
1.1 Each bidder shall complete fully and accurately all required
documents stipulated in the checklist Tender Returnable’s and submit them with its bid. Remaining
bid documents issued with this enquiry, such as Conditions of Tender (Goods and
Services) and Government Procurement General Conditions of Contract shall be
detached and retained by the bidder.
1.2 The specification will be governed by the Conditions of Tender (Goods and
Services) and Government Procurement General Conditions of Contract, attached
hereto, and to the Occupational Health and Safety Act, Act No. 85 of 1993.
1.3 The adjudication will be based upon 90/10 procurement point system in
accordance with eThekwini Municipality’s Targeted Procurement Policy. Should
any compliant bid be received at a value below R 1 000 000 (all applicable taxes
included) eThekwini Municipality will however evaluate using the 80/20 point
system.
1.4 All bidder prices quoted by the contractor must be in South African currency
(Rand).
1.5 eThekwini Municipality reserves the right to accept more than one technically and
contractually compliant bid for part or the whole of the contract and to place orders
on the price and availability.
1.6 Bidders may submit alternative solutions that in the Bidder’s opinion are to
eThekwini Municipality’s advantage economically and technically. Full technical
details of these alternative offer(s) shall be submitted with Bid documents.
Alternative Bid(s) shall be submitted separately.
2. TAX CLEARANCE CERTIFICATE
Bidders are to include with their bid submission a valid tax clearance certificate, or obtain
one prior to the evaluation of submissions, which has sufficient validity to ensure that the
tender process is adequately covered.
3. DECLARATION OF MUNICIPAL FEES
Only those bidders whose municipal fees are fully paid or arrangements have been
concluded with the Municipality to pay the said fees are eligible to bid.
4. DECLARATION OF INTEREST
All bidders are to sign the declaration of interest wherein they declare any relationship
that may exist with an official of the Municipality involved in the evaluation process.
6. SPECIAL CONDITIONS OF TENDER / CONTRACT
Any special conditions relative to the contract will form part of this contract.
7. PURCHASE OF GOODS FROM OTHER SOURCES
Nothing contained in this contract shall be held to restrain the Municipality from
purchasing from persons other than the contractor, any of the goods described or
referred to in this contract, if it shall in its discretion think fit to do so.
8. DELIVERY, RISK, PACKAGES, ETC
1. Unless otherwise provided, all goods are to be supplied only against the official
form of order issued by the Municipality.
2. The risk in all goods purchased by the Municipality under the contract shall remain
with the contractor until such goods shall have been duly delivered.
3. Bidders shall quote a unit price which shall include delivery to specified delivery
point within the eThekwini Municipal area.
4. Bidders shall clearly state the period within which delivery will be made after
receipt of the official order, as this may be material in the adjudication of the Bid.
9. PAYMENT
Where no conditions of payment are prescribed, payment for goods received and
accepted by the Municipality shall be made no later than 30 days after submission of
invoice or claim, provided however that all the terms of the contract are duly observed.
10. RATES OF EXCHANGE
(1) Where the goods are imported the contractor shall within seven days of date of
Official Purchase Order, arrange through his bankers for the foreign commitment
to be covered forward down to the Rand in order to fix the rate of exchange. The
contractor shall notify the Municipality as soon as possible thereafter regarding the
rate which has been fixed on such forward exchange.
Any increase or decrease between the basic rate of exchange as at a date seven
days prior to the date of closing of Bids and that existing at the date of
establishment of the forward exchange cover within the period stipulated above
shall be paid or deducted by the Municipality. Upon the failure of the contractor to
arrange forward exchange cover, the contractor shall be liable should there be any
increase in the basic rate of exchange occurring after the last mentioned date.
The bank charges incurred in obtaining the forward exchange cover shall be for
the Municipality’s account.
(2) The contractor shall on request:-
(i) submit documentary proof of the rate of exchange;
(ii) When an adjustment is claimed in terms of this sub-clause, whether by the
contractor or the Municipality, submit documentary proof to the satisfaction of
the Deputy City Manager: Treasury in respect of such claim.
11. VALUE ADDED TAX (V.A.T)
The Bidder shall state the amount of value added tax (V.A.T) separately on the Official
Tender Form.
12. FORM OF TENDER AND CLOSING DATE
Sealed bids made out on the enclosed Official Tender Form which shall be signed by or
on behalf of the Bidder and addressed to the Head : Supply Chain Management Unit and
marked with the appropriate enquiry number must be placed in the Tender box provided
which is located in the Foyer, Ground Floor, City Engineer’s Unit, Municipal Centre, 166
K.E. Masinga Road (Formerly Old Fort Road), Durban, not later than 11:00 on the date
stated in the public advertisement inviting bids, where they will be opened publicly.
All couriered documents must be placed directly into the tender box and should not be
delivered to any other Municipal Department. Bidders are advised that bids submitted by
fax or email will not be considered.
Any bid received after the closing date and time advertised for the receipt thereof shall
not be accepted for consideration by the Head: Supply Chain Management Unit and shall
be returned to the Bidder.
13. BIDS WILL BE LIABLE TO REJECTION UNLESS MADE OUT AND SIGNED ON THE
OFFICIAL TENDER FORM ANNEXED HERETO
Failure of a tenderer to complete and sign the tender form in its entirety will invalidate the
tender.
14. ACCEPTANCE OF BID
The Municipality does not bind itself to accept the lowest or any Bid and reserves the
right to accept the whole or any part of a Bid.
15. PRICING
(1) Nett Prices
All prices shall be quoted in South African currency after deduction of any
brokerage or discount allowed to the Municipality.
(2) Firm Bids
Bidders may submit firm prices, which prices shall be free from all fluctuations,
including any statutory increases.
(3) Unit Prices
Bidders shall quote only one price in respect of each item, such price to hold good
for the full duration of the contract period, being subject to variation only in
accordance with specified criteria.
16. WITHDRAWAL OF BIDS
Bids must hold good until 16h00 on the Friday of the twelfth week (85 calendar days)
following the Friday on which Bids are opened or during such other period as may be
specified. The Municipality may, during the period for which Bids are to remain open for
acceptance, authorize a Bidder to withdraw his/her Bid in whole or in part on condition
that the Bidder pays to the Municipality on demand, a sum of R1 000. The Municipality
may, if it thinks fit, waive payment of such sum in whole or in part.
17. DIFFERENCES OR DISCREPANCIES
(1) Prices
Should there be any difference or discrepancy between the prices or price
contained in the Official Tender Form and those contained in any covering letter
from the Bidder, the prices or price contained in the Official Tender Form shall
prevail.
(2) Complete Acceptance of Conditions
Unless otherwise expressly stipulated in the letter covering the Bid every Bidder
shall be deemed to have waived, renounced, and abandoned any conditions
printed or written upon any stationery used by him for the purpose of or in
connection with the submission of his Bid, which are in conflict with the General
Conditions of Contract or Conditions of Tender (Goods/Services). Bidders are
advised that any material divergences from the official Conditions or Specification
will render their Bids liable to disqualification.
18. BRIBERY AND COMMUNICATION WITH COUNCILLORS / OFFICIALS
(1) Bribery
No Bidder shall offer, promise or give to any person or persons connected with a
bid or the awarding of a contract, any gratuity, bonus or discount etc, in connection
with the obtaining of a contract.
(2) Communication, Councillors and Officials
(1) A Bidder shall not in any way communicate with a member of the Municipality
or with any official of the Municipality on a question affecting any contract for
the supply of goods or for any work, undertaking or services which is the
subject of a bid during the period between the closing date for receipt of Bids
and the dispatch of the written notification of the Municipality’s decision on
the award of the contract; provided that a Bidder shall not hereby be
precluded:
- at the request of the Head : Supply Chain Management Unit or his
authorized representative, from furnishing him with additional information
or with a sample or specimen for testing purposes or otherwise or from
giving a demonstration so as to enable the recommendation to the Bid
Committee on the award of the contract to be formulated;
- from obtaining from the Head : Supply Chain Management Unit or his
authorised representative information as to the date upon which the
award of the contract is likely to be made or, after the decision upon the
award has been made by the Municipality or any Committee to which the
Municipality has delegated its powers, information as to the nature of the
decision or such information as was publicly disclosed at the opening of
bids or from submitting to the Accounting Officer in writing any
communication relating to his/her Bid or the award of the contract or a
request for leave to withdraw his/her bid;
- and provided further that nothing contained herein shall be construed so
as to prevent information being sought and obtained from an Official in
regard to any decision taken at an open Municipal meeting, or any
Committee to which the Municipality has delegated its powers.
A contravention of subsection (1) and / or (2) or an attempt to contravene such
subsection shall be reported to the Accounting Officer, who may on receipt of such
report disqualify the bid of the Bidder concerned.
19. IMPORT PERMITS
(1) In order to minimize special importation, Bidders should, where possible, have
recourse to local suppliers and/or manufacturers.
(2) Bidders must state whether their bid is dependent upon the issue of a special
import permit or whether they are able to supply the goods by making use of the
import facilities available to them.
(3) In the event of a Bid being dependent upon the issue of a special import permit,
application for such special import permit shall be made by the Bidder, unless
otherwise provided in the Special Conditions of Tender (Goods and Services).
20. LEGAL STATUS OF BIDDER
It is essential for the purpose of entering into a legal contract that Bidders state on the
Official Tender Form their full legal status, for example the full registered name of the
company Bidding; or if the Bidder is a person conducting business under a recognised
trading name then state the name of the person/s - Trading as ____________ (state
recognised trading name) and state whether owner, co-owner, proprietor, etc.
21. AUTHORITY OF SIGNATORY
Bidders should submit with their bids a certified copy of the Resolution of the Company
authorising the signatory to sign Bid documents on behalf of the Company. If the Bidder
is not a registered company, the signatory shall indicate in what capacity and under what
authority the bid documents were signed by him/her.
22. ALTERATIONS TO BID DOCUMENTS
Any alterations effected upon any of the bid documents must be clearly shown by means
of a hand written/typed entry and must be signed in full by the Bidder.
23. MANUFACTURERS
The names of the manufacturers and brands of the Goods or Equipment offered must be
stated in the bid.
24. FACTORING
Payment will be made only to the contractor(s). Factoring arrangements will not be
accepted.
25. PREFERENTIAL PROCUREMENT
25.1 Applicable Documentation
These conditions of tender are to be read together with the following
documents:-
- eThekwini Municipality Targeted procurement Policy document.
It is a requirement of this Tender that all the Contractors, Joint Ventures and
Targeted Enterprises, must be registered, or be eligible for registration, on the
eThekwini Municipal Procurement Database such that their classification, as
described above, has been or can be determined and verified prior to Tender
adjudication and award.
26. TENDERS WILL ONLY BE ACCEPTED ON CONDITION THAT:
(a) The tender is signed by a person authorised to sign on behalf of the Tenderer;
(b) A valid original Tax Clearance Certificate is received prior to the evaluation of
tenders which has sufficient validity to ensure the process is adequately covered;
(c) A Tenderer who submitted his/her tender as a Joint Venture has included an
acceptable Joint Venture Agreement with his/her tender.
27. PERFORMANCE SECURITY (SURETY BOND)
The attention of Tenderers is drawn to Clause 7 of the General Conditions of Contract
relative to “Performance Security”. No Performance Security (Surety Bond) is required
with this tender.
28. MUNICIPAL FEES
All tenderers are to sign a declaration wherein they declare that their municipal fees are
in order, or proper arrangements have been made with the Municipality, and include the
relevant account numbers in the declaration. Failure to include account numbers or sign
will invalidate the tender. The completion of the declaration is also applicable to
tenderers outside of the eThekwini Municipal Area.
29. NON REFUNDABLE TENDER CHARGE
The non-refundable tender fee paid for this document, is relevant only for this tender.
The tenderer who purchases this document, is the only tenderer who will be allowed to
submit a price for this contract i.e. No other tenderer will be allowed to use this document
to submit a tender, be it the original or a photocopied specimen. Should this occur, all
who are party to this will not be considered in the adjudication process.
30. APPEAL PROCESS
In terms of Regulation 49 of the Municipal Supply Chain Management Regulations
persons aggrieved by decisions or actions taken by the Municipality, may lodge an
appeal within 14 days of the decision or action, in writing to the Municipality.
Tenderers are advised that the following is the appeal process and in dealing with these
appeals the Municipal Manager shall follow the following procedure:-
1. The appeal (clearly setting out the reasons for the appeal) and queries with regard
to decision of award are to be directed to the office of the City Manager, Attention :
Mr T Siemela, P O Box 1014, Durban, 4000; Facsimile : (031) 311-3261
2. A copy of the appeal will be forwarded to the Chairperson of the Bid Adjudication
Committee, who must provide a response in writing within seven days.
3. In the event that there are allegations made against third parties, they will also be
given an opportunity to respond to the allegations within seven days.
4. These responses will then be sent to the appellant for a reply within five days.
5. The appeal will be considered on these written submissions, unless the appeal
authority is of the view that there is a need for oral submissions, in which case, the
appellant will be notified of the date, place and time of such hearing.
6. The Appeal Authority will consider the appeal and may confirm, vary or revoke the
decision of the Committee, but no such variation or revocation of a decision may
detract from any rights that may have accrued as a result of the decision.
7. The Appeal Authority must commence with the appeal within six weeks and decide
the appeal within a reasonable period.
31. PROHIBITION ON AWARDS TO PERSONS IN THE SERVICE OF THE STATE
Regulation 44 of the Supply Chain Management Regulations states that the Municipality
or Municipal Entity may not make any award to a person:-
(a) Who is in the service of the state
(b) If that person is not a natural person, of which any Director, Manager, Principal,
Shareholder or Stakeholder is a person in the service of the state; or
(c) Who is an advisor or consultant contracted with the municipality or municipal
entity.
Should a contract be awarded, and it is subsequently established that clause 44 has
been breached, the employer shall have the right to terminate the contract with
immediate effect.
32. AGREEMENTS
All tenderers that are not manufacturers, accredited agents or distributors must provide
agreements which cover the contract period. The aforementioned must also agree with
all of the conditions of the contract.
33. NEGOTIATIONS WITH PREFERRED BIDDERS
The municipality reserves the right to invoke Section 24 of the Municipal Finance
Management Act if so desired.
(1) The Accounting Officer may negotiate the final terms of a contract with bidders
identified through a competitive bidding process as preferred bidders, provided
that such negotiation:-
(a) Does not allow any preferred bidder a second or unfair opportunity;
(b) Is not to the detriment of any other bidder; and
(c) Does not lead to a higher price than the bid as submitted.
(2) Minutes of such negotiations must be kept for record purposes.
(3) Such negotiation may be delegated to the designated Senior Manager by the
Accounting Officer.
3. GENERAL CONDITIONS OF CONTRACT
Government Procurement; General Conditions of Contract must be downloaded and read prior to submission of tender response. Documents can be downloaded from: ftp.durban.gov.za/munidocs. The Document in question is: “General Conditions of Contract.pdf”.
Technical Specification
Information Management Unit
ENQUIRY 1I-17297
Supply and Installation of a Firewall Solution
July 2015
Contents
I. Definitions
II. Background
III. Current technical environment
IV. Scope of requirements
General requirements
2. Requirements for Next Generation Firewall
2.1 Firewall
2.2 Intrusion Prevention System
2.3 User Identity Acquisition
2.4 Application Control and URL Filtering
2.5 Anti-Bot and Anti-Virus
2.6 Threat Emulation
2.7 Anti-Spam & Email Security
2.8 IPsec VPN
2.9 Security Management
2.10 Threat Prevention Updates
2.11 Logging & Monitoring
2.12 Event Correlation and Reporting
2.13 Management Portal
2.14 Data Loss Prevention (DLP)
2.15 Mobility
2.16 Security Gateway Sizing and Recommendations
3. Solution Evaluation
Appliance: Firewall
Appliance: Management Server
4. Response requirements
a. General Requirements
b. Post Project Support Requirements
c. Previous Implementation History
i. Number and size of Client Base
ii. Provide reference sites, in South Africa, with contact details
d. Technical Support
i. Technical competencies within your organization.
ii. Number of Network support resources. Specify how many are locally based in Durban.
iii. Provide Certificates of the Network support resources.
e. Professional Services
i. Specify what technical documentation and training material will be provided.
ii. Specify the project controls that will be in place
iii. Specify how change management will be delivered.
5. Pricing structure
6. Evaluation of Responses
6.1 Technical Evaluation
6.1.1 Critical/ Mandatory Requirements (Please Fill In)
6.1.2 Non Mandatory Evaluation
6.1.3 Product & Company Details
6.1.4 Schedule of Experience
6.1.5 Schedule of Compliance with specification
7. RATE OF EXCHANGE QUESTIONNAIRE
8. Costs
8.1 Year One
8.2 Year Two
9. Required Documentation and Tender Returnable’s
9.1 Tender Returnable’s Checklist
10. Form of Offer
I. Definitions
Term Definition
Vendor Refers to the equipment manufacturer
Reseller/service provider/supplier Refers to the company supplying, installing and/or providing service with a Vendor's equipment
FWSM Firewall Services Module
DMZ Demilitarized Zone
DLP Data Loss Prevention
IPS Intrusion Prevention System
SR Short Range
LR Long Range
Gb Gigabyte
Mb Megabyte
FMB Florence Mkhize Building
OFP Old Fort Place
NGFW Next Generation Firewall
HSRP Hot Standby Router Protocol
VLAN Virtual local area network
Gbps Gigabits per second
Mbps Megabits per second
OSI Open standards Interconnect
RFC Request for comments
GHz Gigahertz
II. Background
eThekwini Municipality is looking for a company to supply and install a firewall solution with licensing. eThekwini Municipality's current firewall solution sits on the Cisco Catalyst 6500 switches. The solution controls traffic to the Server Farm from the Internal Network and provides up to OSI Layer 4 protection to protect the datacentre from various internal attacks and to provide relevant access to authorized users or systems. The solution has reached its end of life and is no longer supported.
III. Current technical environment
eThekwini Municipality has two FWSMs, one installed on the Cisco Catalyst 6509 at FMB and
the other on the Cisco Catalyst 6509 at OFP. These FWSMs are set up in an Active/Standby
mode. Should the active Cisco 6509 chassis go down, the other will become the active firewall.
The FWSM controls traffic to the Server Farm from the Internal Network. The FWSM provides up
to OSI Layer 4 protection to all servers in the datacentre. The FWSM is also connected to the
Checkpoint 12600 firewalls which control access to the DMZ and Internet access via a 1 Gb
Ethernet interface.
The following is the current setup on the existing system:
The FWSM is set up in routed mode
Hardware specifications
• CPU: Pentium III @ 1Ghz
• Ram: 1024mb
• Flash: 40mb
The software version is
• FWSM Firewall Version 4.0(5)
• Device Manager Version 6.1(3)F
Its maximum number of concurrent connections handled is 1000 000 (1 million)
Its maximum number of new connections handled per second is 100000 (1 hundred thousand)
The FWSM directly controls access to 34 VLANs
The 6509 directly controls access to 31 VLANs
The FWSM utilises the existing HSRP for high availability
The FWSM also controls access to the following:
• MTN and Vodacom APN
• Lawyers Access Web
• SMME companies based at SmartXchange
• Standard Bank via our InfoConnect Link
• Access to Library catalogue services
How the End User Is Affected By the FWSM
The end user is affected when accessing resources located in the server farm (mail, database etc.) from the Internal Network. Access to the internal resources for APN and VPN users is also controlled via the FWSM, as is access to the Standard Bank Info-Connect Service and SMME access to the Server Farm.
The diagram below provides an overview of the current network architecture Installed with the Cisco Catalyst 6500 Series:
IV. Scope of requirements
Below is a diagram of a proposed architecture
Installation, migration & configuration of the firewall solution would be performed by the
nominated service provider of the proposed vendor solution.
This would include, but is not limited to:
• Active/Active clustering of solution.
• Migration of existing rules and rule sets from the current system into new solution.
• Implementation of routing (Dynamic, Static, Policy based or combination of the mentioned).
• Ensure critical systems as defined by eThekwini to be fully operational within the given time frame.
• Migration of existing VLANs present on both the Cisco Catalyst 6509 and FWSM into the solution.
• Implementation of the new features as required.
The nominated service provider would plan for, implement and design a solution that
incorporates the above as well as any other recommendations deemed necessary from
the service provider in order to achieve full effectiveness of the solution. Due to the
nature of this project the implementation must be handled by staff that are certified in
both Cisco firewall technologies, to handle the FWSM migration, and the proposed
vendor’s product. The proposed solution must also minimize impact on eThekwini
Municipality’s user base and deliver a “best practice” environment. The service provider
is also required to ensure the transfer of skills to eThekwini staff to understand & maintain
the solution. A quote for the official vendor's respective training must be included in their submission.
Planning and deployment will be for two sites, FMB (251 Anton Lembede Street), and
the Data Centre based at the OFP (31 Old Fort Complex). Note that partnerships
between the service provider and 3rd parties are allowed for goods or services, provided
the proof of agreement between the various parties is submitted in their response. On
award of this tender, a service level agreement will be entered into with the service
provider.
General requirements
1.1. The Vendor of the gateway software must have at least 15 years of experience in the
security market
1.2. The vendor must exclusively provide Internet security solutions.
1.3. The vendor must be capable of serving the entire scope of security gateway
requirements, including throughput, connection rate and next generation security
application enablement for all network deployments, from small office to data center in a
single hardware appliance.
1.4. The vendor must have a virtualized security gateway solution that can support the
enablement of all next generation firewall security applications, including intrusion
protection, application control, Threat Emulation, URL filtering, Anti-Bot, Anti-Virus, all
managed from a central platform.
1.5. The next generation gateway must be capable of supporting these next generation
security applications on a unified platform.
1.5.1. Stateful Inspection Firewall
1.5.2. Intrusion Prevention System
1.5.3. User Identity Acquisition
1.5.4. Application Control and URL filtering
1.5.5. Anti-Bot and Anti-Virus
1.5.6. Anti-Spam and Email Security
1.5.7. IPSec VPN
1.5.8. Data Loss Prevention- Capable
1.5.9. Mobile Access
1.5.10. Security Policy Management
1.5.11. Logging and Status
1.5.12. Event Correlation and Reporting
1.6. These applications must be exclusively supplied by and managed by the vendor.
1.7. The vendor solution must provide a mechanism to constantly educate end users of the
security policy in real time.
1.8. The vendor must supply all industry certifications of the solution.
1.9. Vendor must have the capability to provide a solution to mitigate Distributed Denial of
Service attacks.
2. Requirements for Next Generation Firewall
2.1 Firewall
2.1.1 The security gateway must use Stateful Inspection based on granular analysis of
communication and application state to track and control the network flow.
2.1.2 The security gateway must be capable of supporting throughput, connection rate,
concurrent connections requirements of eThekwini municipality.
2.1.3 Solution must support access control for at least 150 predefined services/protocols
2.1.4 Must provide security rule hit count statistics to the management application.
2.1.5 Must allow security rules to be enforced within time intervals to be configured with an
expiry date/time.
2.1.6 The communication between the management servers and the security gateways
must be encrypted and authenticated with PKI Certificates.
2.1.7 The firewall must support user, client and session authentication methods.
2.1.8 The following user authentication schemes must be supported by the security
gateway and VPN module: tokens (i.e. SecurID), TACACS, RADIUS and digital
certificates.
2.1.9 Solution must include a local user database to allow user authentication and
authorization without the need for an external device
2.1.10 Solution must support DHCP, server and relay
2.1.11 Solution must support HTTP & HTTPS proxy
2.1.12 Solution must include the ability to work in Transparent/Bridge mode
2.1.13 Solution must support gateway high availability and load sharing with state
synchronization
2.2 Intrusion Prevention System
2.2.1 Vendor must provide evidence of year over year leadership position of Gartner
Magic Quadrant for Intrusion Prevention solutions and/or Enterprise Network
Firewall Gartner Magic Quadrant.
2.2.2 IPS must be based on the following detection mechanisms: exploit signatures,
protocol anomalies, application controls and behavior-based detection.
2.2.3 IPS and firewall module must be integrated on one platform.
2.2.4 The administrator must be able to configure the inspection to protect internal hosts
only.
2.2.5 IPS must have options to create profiles for either client or server based
protections, or a combination of both.
2.2.6 IPS must provide at least two pre-defined profiles/policies that can be used
immediately.
2.2.7 IPS must have a software based fail-open mechanism, configurable based on
thresholds of security gateways CPU and memory usage.
2.2.8 IPS must provide an automated mechanism to activate or manage new signatures
from updates.
2.2.9 IPS must support network exceptions based on source, destination, service or a
combination of the three.
2.2.10 IPS must include a troubleshooting mode which sets the in use profile to detect
only, with one click without modifying individual protections.
2.2.11 IPS application must have a centralized event correlation and reporting
mechanism.
2.2.12 The administrator must be able to automatically activate new protections, based on
configurable parameters (performance impact, threat severity, confidence level,
client protections, server protections)
2.2.13 IPS must be able to detect and prevent the following threats: Protocol misuse,
malware communications, tunneling attempts and generic attack types without
predefined signatures.
2.2.14 For each protection the solution must include protection type (server-related or
client related), threat severity, performance impact, confidence level and industry
reference.
2.2.15 IPS must be able to collect packet capture for specific protections.
2.2.16 IPS must be able to detect and block network and application layer attacks,
protecting at least the following services: email services, DNS, FTP, Windows
services (Microsoft Networking), SNMP
2.2.17 Vendor must supply evidence of leadership in protecting Microsoft vulnerabilities.
2.2.18 IPS and/or Application Control must include the ability to detect and block peer to
peer traffic using evasion techniques.
2.2.19 The administrator must be able to define network and host exclusions from IPS
inspection.
2.2.20 Solution must protect from DNS Cache Poisoning, and prevent users from
accessing blocked domain addresses.
2.2.21 Solution must provide VOIP protocols protections.
2.2.22 IPS and/or Application Control must detect and block remote control applications,
including those that are capable of tunneling over HTTP traffic.
2.2.23 IPS must have SCADA protections.
2.2.24 IPS must have a mechanism to convert SNORT signatures.
2.2.25 Solution must allow the administrator to easily block inbound and/or outbound
traffic based on countries, without the need to manually manage the IP ranges
corresponding to the country.
2.3 User Identity Acquisition
2.3.1 Must be able to acquire user identity by querying Microsoft Active Directory based
on security events.
2.3.2 Must have a browser based User Identity authentication method for non-domain
users or assets.
2.3.3 Must support a dedicated client agent that can be installed by policy on users'
computers that can acquire and report identities to the Security Gateway.
2.3.4 Must support terminal server environments
2.3.5 Impact on the domain controllers must be less than 3%.
2.3.6 Must be able to acquire user identity from Microsoft Active Directory without any
type of agent installed on the domain controllers.
2.3.7 Must support Kerberos transparent authentication for single sign on.
2.3.8 Must support the use of LDAP nested groups.
2.3.9 Must be able to share or propagate user identities between multiple security
gateways.
2.3.10 Must be able to create identity roles to be used across all security applications.
2.4 Application Control and URL Filtering
2.4.1 Solution must not have any known published vulnerabilities in the last year to the
existing architecture which can be exploited.
2.4.2 Solution must be able to create a filtering rule with multiple categories.
2.4.3 Solution must be able to create filtering for a single site supported by multiple
categories.
2.4.4 Solution must have users and groups granularity with security rules.
2.4.5 The solution must have an easy to use, searchable interface for applications and
URLs
2.4.6 The solution must categorize applications and URLs by Risk
Factor.
2.4.7 The application control and URL Filter security policy must be able to be defined by
user identities.
2.4.8 The application control and URL Filter database must be updated by a cloud based
service
2.4.9 The solution must have unified application control and URL Filter security rules.
2.4.10 The solution must provide a mechanism to inform or ask users in real time to
educate them or confirm actions based on the security policy.
2.4.11 The solution must provide a mechanism to limit application usage based on
bandwidth consumption.
2.4.12 The solution must allow network exceptions based on defined network objects
2.4.13 The solution must provide the option to modify the Blocking Notification and to
redirect the user to a remediation page.
2.4.14 Solution must include a Black and White lists mechanism to allow the administrator
to deny or permit specific URLs regardless of the category
2.4.15 Solution must have a configurable bypass mechanism
2.4.16 Solution must provide an override mechanism on the categorization for the URL
database.
2.4.17 The application control and URL Filter security policy must report on the rule hit
count.
2.5 Anti-Bot and Anti-Virus
2.5.1 Vendor must have an integrated Anti-Bot and Anti-Virus application on the next
generation firewall.
2.5.2 Anti-bot application must be able to detect and stop suspicious abnormal network
behaviour.
2.5.3 Anti-Bot application must use a multi-tiered detection engine, which includes the
reputation of IPs, URLs and DNS addresses and detect patterns of bot
communications.
2.5.4 Anti-Bot applications must be able to scan for bot actions.
2.5.5 Anti-Bot and Anti-Virus policy must be administered from a central console.
2.5.6 Anti-Bot and Anti-Virus application must have a centralized event correlation and
reporting mechanism.
2.5.7 Anti-virus application must be able to prevent access to malicious websites
2.5.8 Anti-virus application must be able to inspect SSL encrypted traffic.
2.5.9 Anti-Bot and Anti-Virus must have real-time updates from a cloud based service
2.5.10 Anti-Virus must be able to stop incoming malicious files.
2.5.11 Anti-Virus and Anti-Bot policies must be centrally managed with granular policy
configuration and enforcement.
2.6 Threat Emulation
2.6.1 The solution must provide the ability to protect against zero-day attacks before
static signature protections have been created
2.6.2 The solution must provide the ability for analyzing and detecting malware in
business documents such as Adobe PDFs and MS Office files as well as EXE and
Zip files
2.6.3 The solution must provide the ability for flexible deployment using local appliances
or the cloud.
2.6.4 The solution must provide the ability for Zero false-positives
2.6.5 The solution must provide the ability to emulate attacks targeting multiple Windows
OS environments, at least: Windows XP, Windows 7, Windows 8
2.6.6 The solution must provide the ability to be centrally managed
2.6.7 The solution must provide the ability to increase security with automatic sharing of
new attack information with other gateways by means of signature updates etc.
2.7 Anti-Spam & Email Security
2.7.1 Anti-Spam and Email security application must be content and language agnostic.
2.7.2 Anti-Spam and Email security application must have real-time classification and
protections based on detected spam outbreaks which are based on patterns and
not content.
2.7.3 The Anti-Spam and Email security application must include IP reputation blocking
based on an online service to avoid false positives
2.7.4 Solution must include a Zero-hour protection mechanism for new viruses spread
through email and spam without relying solely on heuristic or content inspection
2.8 IPsec VPN
2.8.1 Internal CA and External third party CA must be supported.
2.8.2 Solution must support 3DES and AES-256 cryptographic for IKE Phase I and II
IKEv2 plus "Suite-B-GCM-128" and "Suite-B-GCM-256" for phase II.
2.8.3 Solution must support at least the following Diffie-Hellman Groups: Group 1 (768
bit), Group 2 (1024 bit), Group 5 (1536 bit), Group 14 (2048 bit), Group 19 and
Group 20
2.8.4 Solution must support data integrity with MD5, SHA-1, SHA-256, SHA-384 and
AES-XCBC
2.8.5 Solution must include support for site-to-site VPN
2.8.6 Solution must support clientless SSL VPNs for remote access.
2.8.7 Solution must support L2TP VPNs, including support for iPhone L2TP client
2.8.8 Solution must allow the administrator to apply security rules to control the traffic
inside the VPN.
2.8.9 Solution must support domain based VPNs and route based VPNs using VTIs and
dynamic routing protocols.
2.8.10 Solution must include the ability to establish VPNs with gateways with dynamic
public IPs
2.8.11 Solution must include IP compression for client-to-site and site-to-site VPNs
2.9 Security Management
2.9.1 Security management application must be able to co-exist on the security gateway
as an option.
2.9.2 Security management application must support role based administrator accounts.
For instance roles for firewall policy management only or role for log viewing only.
2.9.3 Solution must include a Certificate-based encrypted secure communications
channel among all vendor distributed components belonging to a single
management domain
2.9.4 Solution must include an internal X.509 CA (Certificate Authority) that can generate
certificates to gateways and users to allow easy authentication on VPNs
2.9.5 Solution must include the ability to use external CAs that support PKCS#12,
CAPI or Entrust standards.
2.9.6 All security applications must be managed from the central console.
2.9.7 The management must provide a security rule hit counter in the security policy.
2.9.8 Solution must include a search option to be able to easily query which network
objects contain a specific IP or part of it.
2.9.9 Solution must include the option to segment the rule base using labels or section
titles to better organize the policy
2.9.10 Solution must provide the option to save the entire policy or specific part of the
policy.
2.9.11 Solution must have a security policy verification mechanism prior to policy
installation.
2.9.12 Solution must have a security policy revision control mechanism.
2.9.13 Solution must provide the option to add management high availability, using a
standby management server that is automatically synchronized with the active one,
without the need for an external storage device
2.9.14 Solution must include a comprehensive map with all network objects and their
connections that can be exported to Microsoft Visio or to an image file
2.9.15 Solution must include the ability to centrally distribute and apply new gateway
software versions
2.9.16 Solution must include a tool to centrally manage licenses of all gateways controlled
by the management station
2.9.17 Solution must have the capabilities for multi-domain management and support the
concept of global security policy across domains.
2.9.18 The management GUI should have the ability to easily exclude an IP address from the
IPS signature definition
2.9.19 The Log Viewer should have the ability to easily exclude an IP address from the IPS
logs when detected as a false positive
2.9.20 The management GUI should have the ability to easily get to the IPS signature
definition from the IPS logs
2.9.21 The Log Viewer should have the ability to view all of the security logs (fw, IPS, urlf...)
in one view pane (helpful when troubleshooting a connectivity problem for one IP
address)
2.9.22 The Log Viewer should have the ability to create filters using the
predefined objects (hosts, network, groups, users...)
2.9.23 The Log Viewer should have the ability to create multiple custom
"saved filters" for use at a later time
2.10 Threat Prevention Updates
2.10.1 Vendor must provide the details of its threat prevention update mechanism and its
ability to handle zero day attacks across all next generation threat prevention
applications including IPS, Application Control, URL filtering, Anti-Bot and Anti-
Virus.
2.10.2 Vendor must provide details on the re-categorization of URLs, under the
circumstances that a website has been compromised and is possibly distributing
malware.
2.10.3 Vendor should have the capability to provide incident handling
2.11 Logging & Monitoring
2.11.1 The central logging must be part of the management system. Alternatively
administrators can install dedicated Log Servers.
2.11.2 Solution must provide the option to run on the management server or on a
dedicated server
2.11.3 Solution must be able to run on x86-based open servers listed on a hardware
compatibility list.
2.11.4 Solution must have the ability to log all rules (+30k logs/sec)
2.11.5 Log viewer must have an indexed search capability
2.11.6 Solution must have the ability to log all integrated security applications on the
gateway, including IPS, Application Control, URL Filtering, Anti-Virus, Anti-Bot,
Anti-Spam, User Identity, Data Loss Prevention, Mobile Access.
2.11.7 Solution must include an automatic packet capture mechanism for IPS events to
provide better forensic analysis
2.11.8 Solution must provide different logs for regular user activity and management
related logs
2.11.9 Solution must be able to move from security log record to the policy rule with one
mouse click.
2.11.10 For each match rule or type of event Solution must provide at least the following
event options: Log, alert, SNMP trap, email and execute a user defined script
2.11.11 The logs must have a secure channel to transfer logging to prevent eavesdropping.
Solution must be authenticated and encrypted
2.11.12 The logs must be securely transferred between the gateway and the management
or the dedicated log server and the log viewer console in the administrator’s PC
2.11.13 Solution must include the option to dynamically block an active connection from the
log graphical interface without the need to modify the rule base
2.11.14 Solution must support exporting logs in database format
2.11.15 Solution must support automatic switch of the log file, based on a scheduled time
or file size
2.11.16 Solution must support adding exceptions to IPS enforcement from the log record
2.11.17 Solution must be able to associate a username and machine name to each log
record.
2.11.18 Solution must include a graphical monitoring interface that provides an easy way to
monitor gateways status
2.11.19 Solution must provide the following system information for each gateway: OS, CPU
usage, memory usage, all disk partitions and % of free hard disk space.
2.11.20 Solution must provide the status of each gateway component (i.e. firewall, vpn,
cluster, antivirus, etc)
2.11.21 Solution must include the status of all VPN tunnels, site-to-site and client-to-site
2.11.22 Solution must include customizable threshold setting to take actions when a certain
threshold is reached on a gateway. Actions must include: Log, alert, send an
SNMP trap, send an email and execute a user defined alert.
2.11.23 Solution must include preconfigured graphs to monitor the evolution in time of
traffic and system counters: top security rules, top P2P users, vpn tunnels,
network traffic and other useful information. Solution must provide the option to
generate new customized graphs with different chart types
2.11.24 Solution must include the option to record traffic and system views to a file for later
viewing at any time.
2.11.25 Solution must be able to recognize malfunctions and connectivity problems,
between two points connected through a VPN, and log and alert when the VPN
tunnel is down.
2.12 Event Correlation and Reporting
2.12.1 Solution must be fully integrated in the management application.
2.12.2 Solution must include a tool to correlate events from all the gateway features and
third party devices
2.12.3 Solution must allow the creation of filters based on any characteristic of the event
such as security application, source and destination IP, service, event type, event
severity, attack name, country of origin and destination, etc.
2.12.4 The application must have a mechanism to assign these filters to different graph
lines that are updated at regular intervals, showing all events that match that
filter, allowing the operator to focus on the most important events.
2.12.5 The event correlation application must supply a graphical view of events based on
time.
2.12.6 Solution must show the distribution of events per country on a map.
2.12.7 Solution must allow the administrator to group events based on any of their
characteristics, including many nesting levels and export to PDF.
2.12.8 Solution must include the option to search inside the list of events, drill down into
details for research and forensics.
2.12.9 In the event list view, Solution must include the option to automatically generate
small graphs or tables with the event, source and destination distribution.
2.12.10 Solution must detect Denial of Service attacks correlating events from all sources.
2.12.11 Solution must detect an administrator login at an irregular hour
2.12.12 Solution must detect credential guessing attacks
2.12.13 Solution must report on all security policy installations.
2.12.14 Solution must include predefined hourly, daily, weekly and monthly reports.
Including at least Top events, Top sources, Top destinations, Top services, Top
sources and their top events, Top destinations and their top events and Top
services and their top events.
2.12.15 The reporting tool must support filters that allow a predefined report to be
customized to be closest to the administrator’s needs
2.12.16 Solution must support automatic report scheduling for information that needs to
be extracted on a regular basis (daily, weekly, and monthly). Solution must also allow the
administrator to define the date and time that the reporting system begins to generate
the scheduled report.
2.12.17 Solution must support at least two of the following report formats: HTML, CSV,
PDF and MHT
2.12.18 Solution must support automatic report distribution by email, upload to FTP/Web
server and an external custom report distribution script
2.12.19 The reporting system must provide consolidated information about:
2.12.20 The volume of connections that were blocked by security rule.
2.12.21 Top sources of blocked connections, their destinations and services
2.12.22 Top Rules used by the security policy
2.12.23 Top security attacks detected by enforcement point (perimeter) determining their
top sources and destinations
2.12.24 Number of installed and uninstalled policies in the enforcement point
2.12.25 Top networking services
2.12.26 Web activity by user detailing the top visited sites and top web users
2.12.27 Top services that created most load for encrypted traffic
2.12.28 Top VPN users performing the longest duration connections
2.13 Management Portal
2.13.1 Solution must include a browser based access to view in read-only the security
policies, manage firewall logs and users providing access to managers and
auditors without the need to use the management application
2.13.2 Solution must include SSL support and configurable port
2.14 Data Loss Prevention (DLP)
2.14.1 Vendor must have an option to add a fully integrated Data Loss Prevention
application
2.14.2 DLP policy must be centrally managed with all other security applications
2.14.3 DLP application must have a mechanism for end user self-incident handling
2.14.4 DLP application must have over 500 pre-defined data types.
2.14.5 DLP must have an open scripting language to create custom data types relevant to
eThekwini municipality
2.14.6 DLP must alert the data type owner when an incident occurs.
2.14.7 DLP application must cover transport types SMTP, HTTP/HTTPS, and FTP TCP
protocols
2.15 Mobility
2.15.1 The vendor should have an option to provide a fully integrated secure mobility
solution on the next generation firewall.
2.15.2 The solution must support both managed and unmanaged access devices, such as
BYOD
2.16 Security Gateway Sizing and Recommendations
2.16.1 Vendor must have a dedicated hardware solution to meet all next generation
requirements of eThekwini Municipality
2.16.2 Vendor must be able to supply a recommended hardware configuration based on
the criteria of real world traffic and next generation security applications provided
by eThekwini municipality. Vendor must be able to supply the recommended
platform for any combination of these next generation firewall applications, with
supporting evidence that the appliance will perform as expected.
2.16.3 Internet Bandwidth requirements
2.16.4 Total Throughput requirements
2.16.5 Network Address Translation enabled
2.16.6 Logging Enabled
2.16.7 Maximum Users
2.16.8 IMIX traffic blend of HTTP, SMTP, DNS
2.16.9 Enablement of next generation firewall applications
2.16.10 Firewall
2.16.11 Intrusion Prevention
2.16.12 Application Control and URL filtering
2.16.13 Anti-Bot
2.16.14 Anti-Virus
2.16.15 IPsec VPN
2.16.16 Data Loss Prevention
2.16.17 Anti-Spam
2.16.18 Threat Emulation (Sandboxing)
2.16.19 Local or remote management
2.16.20 Clustering or high availability
2.16.21 Network Interface requirements
2.16.22 Virtual Contexts or Domains
3. Solution Evaluation
Below are minimum specifications of the solution required by the eThekwini
municipality:
Hardware Minimum requirements
2 x Next Generation Firewall Appliances.
Appliance must be equipped with a 10Gig SFP+ interface card with 4
available ports.
Appliance must be equipped with a 1Gig RJ45 Ethernet interface card with 8
available ports.
Appliance must support additional expansion slots for future use.
Appliance should allow for hardware components to be
upgradeable/replaceable.
Appliance must support load balancing (Active/Passive, Active/Active &
Clustering).
Appliance must support Lights Out Management.
Firewall must make use of stateful packet inspection technology.
Firewall production throughput no less than 20 Gbps per appliance.
IPS production throughput no less than 5.5 Gbps per appliance.
The minimum firewall concurrent connections required is 4 000 000 (four million).
The minimum firewall connections per second required is 190 000 (one hundred ninety thousand).
The maximum latency should be 10 μs (10 microseconds) or less.
The Platform must be able to work with both IPv4 and IPv6.
Appliance must be configured (hardware & software) optimally to perform as required.
Appliance must be equipped with:
4 x Long Range 10Gig SFP+ transceivers (2 per appliance).
4 x Short Range 10Gig SFP+ transceivers (2 per appliance).
In addition supplier must provide:
2 x Short Range 10Gig SFP+ transceivers for Checkpoint 12600 Appliances. (1 per appliance).
Other
Standard enterprise swap out or equivalent support for 1 year for all supplied hardware.
SLA hardware for swap out support.
Cisco Firewall experience (for migrating existing FWSM to new solution).
Vendor Partner status.
Project Plan.
Network Documentation including network datacentre design.
The service provider must, on completion of this project, provide knowledge and skills
transfer and onsite training for technical and support staff. The service provider will
plan and deliver a business change delivery process that will minimize the business
change impact. Technical support would be provided by the service provider.
Appliance: Firewall
Appliance: Management Server
Vendor Appliance Model Network interfaces Operating System Quantity Documentation:
Annexure/Document _____
MAX SFP+: MAX Gigabit Ethernet: Slots:
Page No:
Firewall/IPS Components | Response | Documentation: Annexure/Document _____
Firewall Engine Type | | Page No:
IPS Engine Type (Signature, Anomaly etc) | | Page No:
LAB testing using the following RFCs (1242, 2544, 2588, 2647, 3511, 4487) | | Page No:
Raw Firewall throughput (Gbps) | | Page No:
Production Firewall throughput (Gbps) | | Page No:
Raw IPS throughput (Gbps) | | Page No:
Production IPS throughput | | Page No:
Connections per second | | Page No:
Concurrent connections | | Page No:
Latency | | Page No:
Maximum NAT translations | | Page No:
Data Threat Management | Supported (Yes/No) | # Signatures | Real-time updates (Yes/No) | % Catch rate | Documentation: Annexure/Document _____
Anti-Virus | | | | | Page No:
Malware | | | | | Page No:
Anti-bot/Botnets | | | | | Page No:
Vendor Appliance Network Interfaces Operating System Quantity Documentation:
Annexure/Document _____
MAX SFP+: MAX Gigabit Ethernet : Slots:
Page No:
Zero-day Page No:
Internet Management | Supported (Yes/No) | WEB 2.0 compliant (Yes/No) | HTTPS inspection (Yes/No) | # Categories | Real-time updates (Yes/No) | Documentation: Annexure/Document __________
Application Control | | | | | | Page No:
URL Filtering | | | | | | Page No:
Future proof features | Supported (Yes/No) | Licences required (Yes/No) | Documentation: Annexure/Document _____
Firewall Contexts (virtual domains) | | |
Additional Expansion slots | | | Page No:
Upgradable hardware components | | | Page No:
Data loss prevention | | | Page No:
Sandboxing/Threat emulation | | | Page No:
Reports Logs Supported Licenses(Yes/No) Documentation: Annexure/Document _____
Real time Page No:
Event correlation Page No:
Usage Reports Page No:
Analytics(Trend statistics) Page No:
Industry Standard Report as at Q1 2015 | Overall Recommendation level | Overall Quadrant position | Documentation: Annexure/Document _____
Gartner | | | Page No:
NSS Labs | | | Page No:
4. Response requirements
a. General Requirements
Please provide the following together with your response:
Service Level Agreement to be provided to eThekwini Municipality
Call Logging facility and procedure.
Please supply a risk mitigation strategy of how the proposed solution will be implemented whilst minimizing the business change impact
Please provide us with your pricing review policy
Please include an implementation project plan and timelines as part of your response.
b. Post Project Support Requirements
In order to ensure the solution is stable and adequately supported after project
completion, a support contract should be included.
The support must include:
Swap-out of faulty equipment in the event of failure
Support must be available locally in Durban
c. Previous Implementation History
Indicate the number of customers where you have deployed this type of solution.
Please indicate services that are procured by the customers.
i. Number and size of Client Base
ii. Provide reference sites, in South Africa, with contact details
d. Technical Support
Demonstrate how you would support this implementation and migration to give the
municipality peace of mind, and your ability to deliver on your proposed solution.
i. Technical competencies within your organization.
ii. Number of Network support resources. Specify how many
are locally based in Durban.
iii. Provide Certificates of the Network support resources.
e. Professional Services
Indicate your professional service capacity to design, configure and install the
solution to industry best practice. Demonstrate your ability to deliver a breadth of
professional services, including implementation and design, maintenance, security,
managed services and consultation. Demonstrate a proven methodology and ability
of adherence to relevant standards.
i. Specify what technical documentation and training material will be
provided.
ii. Specify the project controls that will be in place.
iii. Specify how change management will be delivered.
5. Pricing structure
The cost structure must be reflected as found on tables, page 25. The price
proposal must contain all of the following:
Year 1 (2015)
Once off cost for supply and delivery of hardware, modules and hardware
items.
Once off cost for licensing and software features, if any, for 1 year
Once off cost for Standard Enterprise Swap out support or equivalent on all
supplied items for 1 year.
Once off cost for planning, designing and implementing the solution
Once off cost for training
Cost of any additional supplied hardware if any
All pricing to be given in South African Rands. Indicate if your prices are
linked to the Rand/Dollar or Rand/Euro exchange rate (7. Exchange rate
questionnaire page 43).
Year 2 (2016)
Once off cost for renewal of software features and/or licenses for supplied
items for a further 2 years
Once off cost for Standard Enterprise Swap out support or equivalent for a
further 2 years on supplied items
6. Evaluation of Responses
Evaluation will be done on a points system in three phases
Technical Evaluation – to ensure the responses meet the critical/mandatory
requirements (100%) and achieve a satisfactory (70 % or above) score on the
non-mandatory criteria.
Price evaluation – to establish the lowest cost technically compliant option over
the full period of the contract.
Preference points will be added as per Annexure 6 MBD 6.1 Preference Points
Claim form.
6.1 Technical Evaluation
The technical evaluation will be on the following basis:
6.1.1 Critical/ Mandatory Requirements (Please Fill In)
NO. Requirement YES NO Supplier Response
1. Vendor Partner Status
Please provide Proof Annex/Doc: _____ Page #:______
2
Hardware minimum requirements
Distributed Architecture: Management and Gateway
separate
4 x SFP+ 10gig interface slot
8 x RJ45 1 Gig Ethernet interface slot
2 x SFP+ 10 Gig Short Range modules
2 x SFP+ 10 Gig Long Range modules
2 x SFP+ 10 Gig Short Range Checkpoint modules
Please provide Proof Annex/Doc: _____ Page #:______
3
Firewall:
Engine: Stateful packet inspection
Minimum Production Throughput(IMIX traffic blend) :
20 Gbps per appliance
Minimum Concurrent Connections : 4 Million connections
Minimum Connection rate: 190 000 connections per
second
Must support Virtual Firewall Contexts
Load balancing support: Active/Passive, Active/Active &
Clustering
Please provide Proof Annex/Doc: _____ Page #:______
4
IPS:
Integrated IPS
Engine: Signature based
Minimum Production throughput(IMIX traffic blend): 5.5
Gbps per appliance
Policy based rule inspection
Fail-open threshold
Please provide Proof Annex/Doc: _____ Page #:______
5
User Identity:
Active directory integration
LDAP integration
Radius and TACACS support
Please provide Proof Annex/Doc: _____ Page #:______
6
Application Control with URL filtering:
Supports HTTPS inspection
Real time updates
Support Rule flexibility with users and group objects
WEB 2.0 Compliant
Please provide Proof Annex/Doc: _____ Page #:______
7
Data Threat Management:
Anti-Virus
Anti-bot
Malware
Anti-spam
Real time updates
Please provide Proof Page #:______
8
Reporting and Logging:
Central Logging to management for all features
Graphical reports
Granular reporting for all features based on
o Usage
o Attacks
o Audit tracking
Real time event correlation
Please provide Proof Page #:______
9
Future proof features:
DLP
Threat emulation/Sandboxing
Hot-swappable hardware components
Additional Slots for expansion
Please provide Proof Page #:______
6.1.2 Non Mandatory Evaluation
The supplier will need to score an average of at least 70% to be considered
QUALITY CRITERIA | SUB CRITERIA | Table 1 - INDICATORS: Poor (Score 40%) | Satisfactory (Score 70%) | Good (Score 80%) | Very Good (Score 100%) | Ref Page #
RESPONSE TO BRIEF
Level of understanding (weighting=15). Ref Page #: 18-34 & 37
Poor (Score 40%): The proposal shows limited understanding of the business and has not adequately dealt with the key challenges.
Satisfactory (Score 70%): The opportunity is well understood, clearly articulated and key business sectors are adequately addressed. The proposal reflects necessary concepts but has insufficient detail for it to be distinctive.
Good (Score 80%): The proposal clearly demonstrates an understanding of the programme’s vision. All key business criteria are identified and adequately addressed.
Very Good (Score 100%): A unique proposal that is strongly aligned to and identifiable with the programme. It identifies and deals well with all the business plan criteria.
Proposed methodology (weighting=15). Ref Page #: 35
Poor (Score 40%): The proposal does not address many of the criteria identified in the brief. The methodology is weak in important areas and is unlikely to meet the programme requirements.
Satisfactory (Score 70%): The proposal meets most of the criteria listed in the brief. The proposed methodology is in line with standard practice, covers the key aspects and should meet the programme requirements.
Good (Score 80%): The proposal meets all the criteria listed in the brief. The proposed methodology is detailed and well-conceived, has made allowance for key aspects and risk areas. It meets programme requirements.
Very Good (Score 100%): Besides the good rating, the methodology is innovative and poses no risk to the Municipality in terms of Connectivity Downtime. A temporary solution would be in place and the cutover to the permanent solution would be seamless.
EXPERTISE & EXPERIENCE
Tenderer’s experience with similar projects (weighting=15). Ref Page #: 34 & 41
Poor (Score 40%): The tenderer has limited experience in projects of a similar nature and has not undertaken a project of this magnitude
Satisfactory (Score 70%): The tenderer has relevant experience in projects of a similar nature but has not directly undertaken a project of this magnitude
Good (Score 80%): The tenderer has extensive experience in projects of a similar nature, and has directly undertaken similar projects
Very Good (Score 100%): The tenderer has outstanding experience in projects of a similar nature and has undertaken many such projects
Experience of key staff (weighting=15). Ref Page #: 41
Poor (Score 40%): Key personnel allocated to the project have limited relevant experience
Satisfactory (Score 70%): Key personnel allocated to the project have reasonable relevant experience. Have 1 certified personnel in their field of work that pertains to this project
Good (Score 80%): Key personnel allocated to the project have extensive relevant experience. Have 2 certified personnel in their field of work that pertains to this project and have at least one staff based locally in Durban
Very Good (Score 100%): Key personnel allocated to the project have outstanding relevant experience. Have 3 or more certified personnel in their field of work that pertains to this project and have at least two staff based locally in Durban
FINANCIAL
Cost Effectiveness (weighting=20). Ref Page #: 36
Poor (Score 40%): The financial proposal is excessive and did not substantiate costs.
Satisfactory (Score 70%): The financial proposal is acceptable
Good (Score 80%): The financial proposal is exceptionally competitive and has favourable pricing incentives for future demands.
Very Good (Score 100%): The tenderer provided proof of financial resources which are well in excess of what is required for the contract
CAPACITY & CAPABILITY
Operational plan and resources (weighting=20)
Poor (Score 40%): Operational plan is sketchy, there is no clarity in terms of rates and/or resources.
Satisfactory (Score 70%): Operational plan is complete & reasonably detailed. Rates and resources appear adequate.
Good (Score 80%): Besides meeting “satisfactory”, rates and resources have been clearly defined and make provision for key risk areas
Very Good (Score 100%): Besides meeting the “good” rating, the plan makes provision for every eventuality
6.1.3 Product & Company Details
1. What is your company name:-
(a) Is this a cc, (Pty) Ltd, Partnership, Sole Trader, Joint Venture - (tick):-
(i) Cc
(ii) (Pty) Ltd
(iii) Partnership
(iv) Sole Trader
(v) Joint Venture
(b) If (iii), (iv) or (v) name of partners or owner must be stated below.
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
_________________________________
__
2. Are you a registered VAT Vendor (YES / NO)?
Please state VAT Number
3. (a) Are you the Manufacturer - (YES / NO)?
(b) If not, who is the manufacturer of the equipment?
6.1.4 Schedule of Experience
Please indicate sales of similar nature recently successfully executed by your company.
References need to be given of Corporate Customers that have more than 6000 employees and
purchase more than one type of internet service.
Name and Address of Company | Contact Person and Telephone Number | Nature of Sale | Value of Work (incl. of VAT) | Date Completed or Expected to be Completed
Please state the number and certification level of maintenance and support staff.
Name Certification Years of Experience
6.1.5 Schedule of Compliance with specification
Please indicate below your compliance with the tender requirement.
I/We hereby agree that this tender will hold good and remain open for acceptance until 16:00
on the Friday of the twelfth week (85 calendar days) following the Friday on which
tenders are opened or during such other period as may be specified in the Special Conditions
of Tender.
Delivery time (must be stated in days or weeks from date of receipt of order). I/We
hereby undertake to deliver the above goods or to carry out the services within the
following period/s:-
.......................................................................................................................................................
.......................................................................................................................................................
I/We hereby agree that this tender, together with the Council's letter of Acceptance
thereof, will constitute a binding contract which will take effect from the business day
following the date of despatch of the letter of acceptance. A separate Service Level
agreement (SLA) will however be entered into to govern the contractual relationship
between the parties.
Any alterations effected upon any part of the tender documents must be clearly shown by
means of a handwritten entry and signed by the tenderer.
Please state your Procurement Reference Number: - PR (refer Clause 20 -
Special Conditions of Tender (Goods/Services)).
7. RATE OF EXCHANGE QUESTIONNAIRE
This page is to be completed by Bidders offering goods ex import. Rate Of Exchange (i.e. ROE) will only be applicable if the Rate of Exchange changes by 5%, either way, from the tendered ROE.
a) Country of origin and/or manufacture:
b) Price each f.o.b country of origin.
Item 1:
Item 2:
c) Delivery charges each from f.o.b country of origin to c.i.f Durban (Prices and delivery charges must be shown in South African currency)
*Item 1:
Item 2:
d) Ocean freight rate:
per 1000 kg/m³ or 2 240 lbs/40 cu.ft.
e) Marine insurance rate:
% of value of goods.
Please indicate basis of valuation:
f) Marine war risk insurance rate:
% value of goods.
g) Wharfage rate:
per R 100 value.
h) Landing charges rate:
per 1 000 kg or m³. **
per 100 kg or m³. **
i) Delivery charges rate:
j) Customs tariff heading and description (Brussels Nomenclature):
k) Customs duty
% of value of goods for duty purposes, or
rated duty per kg/m³ article.**
l) Import surcharge:
% of value of goods.
m) Railage rate:
per 100 kg.
n) Basic rate of exchange (ie. seven days prior to the date of closing of tenders):
See Clause 5 of the Special Conditions of Contract (Goods/Services).
o) Will the Tenderer comply in all respects with Clause 5 of the Special Conditions of Contract (Goods/Services)?
(State ‘Yes’ or ‘No’)
* Additional items should be scheduled on a separate page which should be signed and dated by the Tenderer.
** Delete whichever is not applicable.
8. Costs
8.1 Year One All Costs Must Be Reflected As Once-Off Cost for Year 1 (2015/2016)
Item No | Description/Part No | Quantity | Price (Excl. VAT) | VAT | Total (Incl. VAT)
1 | Appliance Gateway Vendor: Model: | 2
2 | Appliance Management Vendor: Model: ___
3 | Installed 8 x 1Gig Ethernet module | 1
4 | Installed 10G SFP+ Compliant Module cards | 2
5 | 10G SFP+ Long range Transceiver for fibre ports | 4
6 | 10G SFP+ Short range Transceiver for fibre ports | 4
7 | 10G SFP+ Short range Transceiver for Checkpoint 12600 appliance | 2
8 | Standard Enterprise Support swap out or equivalent for supplied hardware items |
9 | Official Vendor Training for Administrator level of the solution | 2
10 | Official Vendor Training for Professional level of the solution | 2
11 | Project Cost for Implementation |
* Other (please define)
12 |
13 |
14 |
Total
8.2 Year Two All Costs Must Be Reflected As Once-Off Cost for Year 2 (2016/2017)
Item No | Description/Part No | Quantity | Price (Excl. VAT) | VAT | Total (Incl. VAT)
1 | Renewal of licenses and/or any software features on all supplied appliances for 2 years | 1
2 | Renewal Enterprise swap out support or equivalent for supplied appliances for 2 years | 1
Total
9. Required Documentation and Tender Returnables
9.1 Tender Returnables Checklist
In addition to the tender document, the following must be submitted/attached thereto. The standard
forms are attached to this tender document.
Description Yes No
Official Tender Form
Banking Rating Questionnaire
Critical/ Mandatory Checklist
Checklist Tender Returnables
Contractor Acknowledgement of Responsibility in Terms of Occupational Health and Safety Act
Declaration of Interest
Declaration of Municipal Fees
Original Valid Tax Clearance Certificate
Valid Agreement with Manufacturer Or Accredited Distributor/agent
Schedule of Experience
Rate of Exchange Questionnaire
Proof of Resolution As A Close Corporation Or Company
Original Signed Company Letterhead Reflecting Banking Details and Cancelled Cheque
Procurement Reference (PR) Number or Supplier Registration Form
MBD 9 Certificate of Independent Bid Determination
MBD 6.1 Preference Points Claim Form
BBB-EE Certificate
MBD 8 Declaration of Bidders Past Supply Chain Practices
SIGNATURE
DATE
CAPACITY
NAME OF SIGNATORY
(In Block Letters)
10. Form of Offer
In response to your Enquiry 1I-17297 Supply & Installation of Firewall Solution
Dated.............................. I/we hereby offer to supply the products and services detailed
hereunder in accordance with the Technical Specification, and subject to the Conditions of
Tender (Goods/Services) and Government Procurement; General Conditions of Contract
which accompanied your Enquiry (with which I/we acknowledge myself/ourselves to be fully
acquainted) at the price/s stated in the appropriate column below :-
Item Description | Total Price (Excluding VAT) | VAT | Total Price (Including VAT)
1. Total Price (Year 1)
2. Total Price (Year 2)
3. Grand Total brought forward for year 1 and 2
Tenderer's Value Added Tax Registration number
NAME AND ADDRESS OF TENDERER:-
_______________________
_______________________
SIGNATURE
TELEPHONE NO :
NAME OF SIGNATORY IN BLOCK LETTERS
FAX NUMBER :
DATE :
CAPACITY OF SIGNATORY
NB: - This Official Tender Form must be completed in its entirety and signed; non-compliance
will render this tender invalid.