SUPPLY & INSTALLATION OF NEXT GENERATION ...


Upload: vuongkien

Post on 02-Feb-2018


Appendix 1

Vendors are required to completely fill in and submit this page onwards.

Select the products bid for:

☐ Firewall with UTM ☐ Firewall without UTM ☐ Separate Web Security ☐ Web Application Firewall

PART A [I] – MANDATORY FEATURES – Firewall and Web Security

Specifications | Compliance (YES / NO)

CORE FUNCTIONAL REQUIREMENTS

1. Identify applications within the HTTP/HTTPS protocol (browser-based applications): The solution must provide an application control feature that must be able to identify the application in use within the HTTP/HTTPS protocol, as well as Mobile Applications, for any TCP port used. Once identified, applications can be allowed, blocked or limited in available bandwidth.
☐ YES ☐ NO

2. Identify applications outside of HTTP/HTTPS traffic (desktop applications): The solution must provide an application control feature that must be able to identify the application in use when the traffic is not sent via HTTP or HTTP Secure (HTTPS). Once identified, applications can be allowed, blocked or limited in available bandwidth.
☐ YES ☐ NO

3. Windows Active Directory Integration: The solution must provide an interface to Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) to pull user IDs and groups that can then be used in firewall rules. Must support multiple independent AD/LDAP domains.
☐ YES ☐ NO

4. Integrated Windows Authentication: For all domain-based devices, the solution must be able to seamlessly authenticate using Integrated Windows Authentication.
☐ YES ☐ NO

5. Enforce policy on individual users and user groups: The solution must provide a policy to allow, deny and limit available bandwidth. Traffic must be enforceable on individual users or user groups.
☐ YES ☐ NO

6. Support for application information feed: The solution must provide an application control function and must allow for the importation and use of information about applications. The feed should include information about how applications are used and provide recommendations to the University regarding actions to take if the application is discovered in use.
☐ YES ☐ NO

7. User-developed application signatures: The solution must provide the necessary interface for the University to create, edit and deploy custom application signatures.
☐ YES ☐ NO

8. Application whitelist/blacklist: The solution must provide an application control function, must allow the University to create or import whitelists and blacklists for applications, and must have the lists used to enforce policy on network traffic.
☐ YES ☐ NO

Fiji National University


University Information Management System 2016


9. Categorize and Filter URLs: The solution must be able to block, allow and limit available bandwidth for specific URL categories and/or based on the reputation of the URL.
☐ YES ☐ NO

10. Identify applications within SSL protocol: The application control feature should be able to identify the application in use within SSL traffic. Once identified, applications can be allowed, blocked or limited in available bandwidth. The solution must participate in the initial SSL key exchange and then decrypt session traffic to examine the contents for attacks, including both inbound and outbound inspection based on policy, without availing of off-load to an alternate system.
☐ YES ☐ NO

11. Block specific browsers: The application control function must be able to block the use of specific browsers and applications (i.e. Java version).
☐ YES ☐ NO

12. Block upload of data even when allowing access to the site: The application function must be able to block the upload of data to a site even if access to the site is allowed by policy. This includes input into forms as well as the upload of files.
☐ YES ☐ NO

13. Block unauthorized browser plugins: The application control function must be able to block the use of specific browser plugins that are visible in network traffic.
☐ YES ☐ NO

14. The solution should provide Advanced Persistent Threat (APT) protection functionality: The solution must provide Advanced Persistent Threat (APT) protection functionality. This will include features such as network traffic and user behavioral analysis and anomaly detection.
☐ YES ☐ NO

15. Redundancy in physical appliances: The solution must support redundant hot-swappable power supplies and disk drives.
☐ YES ☐ NO

16. Out-of-band management: The solution must support out-of-band management interfaces (either Ethernet or serial).
☐ YES ☐ NO

17. System availability (active/standby): The solution must provide two Firewalls and allow failover to support 99.999% availability in active/passive or active/standby mode.
☐ YES ☐ NO

18. Site-to-site IPsec VPN: The solution must act as a VPN gateway for site-to-site VPNs and must support remote site recognition that is based on certificates or pre-shared key.
☐ YES ☐ NO

19. SSLVPN: The solution must act as a VPN gateway for SSLVPN. VPNs must support 2 factor authentication and certificates.
☐ YES ☐ NO

20. Signature-based IPS: The solution must have a signature-based IPS function where the signatures are created by the manufacturer and automatically applied once they are published.
- Detection and prevention of vulnerabilities.
- Detection and prevention of protocol misuse.
- Detection and prevention of malware communications.
- Detection and prevention of tunneling attempts.
- Detection and prevention of covert channel communications.
☐ YES ☐ NO


21. DoS protection: The solution must include the mechanism to protect itself from basic Denial of Service (DoS) attacks, such as flooding and resource consumption attacks, and application layer DoS for Web applications.
☐ YES ☐ NO

22. User developed signatures for IPS: The solution must provide the necessary interface for the customer to create, edit and deploy custom IPS signatures.
☐ YES ☐ NO

23. Integrated content filtering functionality: The solution must include integrated content filtering functionality for:
- Threat Emulation
- Threat Extraction
- Antivirus
- Anti-bot
- Application Control
- URL Filtering
☐ YES ☐ NO

24. Integrated malware protection: The solution must provide integrated malware protection.
☐ YES ☐ NO

25. Administrator audit: The solution must ensure that all administrative actions are logged, including the action taken, a time stamp, the source IP address of the endpoint used to make the change, and the administrator user ID.
☐ YES ☐ NO

26. Centralized advanced Reporting console: The solution must provide a reporting engine that allows the customer to create custom reports and reports linked to specific queries. Reports must include and correlate logs from all functions (firewall, IPS, application control, etc.) without requiring customization or scripting.
☐ YES ☐ NO

27. Email Alerts, based on policy or thresholds for: Hardware High Availability Networking Resources Log Server Connectivity Firewall rule triggered User defined
☐ YES ☐ NO

28. SIEM integration: The solution must be capable of sending logs to a SIEM system via syslog.
☐ YES ☐ NO

29. Export of log information: The solution must be capable of exporting log information in multiple formats (minimum comma-separated values (CSV) and text formats).
☐ YES ☐ NO

30. Role-based administration: The solution must provide Role-based administration (RBA).
☐ YES ☐ NO


31. Centralized Management: The solution must be manageable via a ‘single pane of glass’ management console for all features included in the solution. Management system must be provisioned as a virtual system compatible with VMware 5.x/6.x.
☐ YES ☐ NO

32. Change then commit: The solution must allow for a rule base to be changed and then saved before being committed to the firewalls.
☐ YES ☐ NO

33. Version Control and Compare: The solution must provide version control (backup) for all modifications made to the system to facilitate comparison and rollback.
☐ YES ☐ NO

34. Rule verification mechanism: The solution must provide a notification to the administrator when a new rule masks, duplicates, overlaps or interferes with an existing rule.
☐ YES ☐ NO

35. Reason/tracking of rule changes: The solution must provide a mechanism to record the reason for a rule change.
☐ YES ☐ NO

36. Rule usage statistics: The solution must provide the administrator with statistics on rule usage.
☐ YES ☐ NO

37. Threat intelligence feeds: The solution must provide a threat intelligence feed that automatically updates the firewall based on the most current threat intelligence.
☐ YES ☐ NO

38. Traffic profile verification: The solution must provide a search/filter mechanism to list rules matching specified criteria.
☐ YES ☐ NO

39. Geolocation: The solution must provide traffic control based on country or location.
☐ YES ☐ NO

40. Dynamic Host Configuration Protocol (DHCP) relay: The solution must provide a DHCP relay function.
☐ YES ☐ NO

41. Routing protocols: The solution must provide, at a minimum, the following routing protocols: static, OSPF and BGP.
☐ YES ☐ NO

42. IPv6 Support: The solution must be IPv6 ready.
☐ YES ☐ NO

43. Time & Data Based Quota: The web security solution must allow creating time and bandwidth based quotas on a daily, weekly or monthly basis.
☐ YES ☐ NO

44. WIFI Controller based Authentication: The bidders must provide a list of all wireless controllers supported to pass authentication information transparently.
☐ YES ☐ NO

45. Quality of Service: The solution must shape and prioritize traffic based on rules defined for Quality of Service.
☐ YES ☐ NO

SUPPORT & MAINTENANCE

46. Manufacturer must include 3 years of 7x24 hardware & software support, threat intelligence subscription and any other annual fee required as part of the bidder’s solution.
☐ YES ☐ NO


INSTALLATION & KNOWLEDGE TRANSFER

47. Manufacturer will provide approximately 2-3 days onsite information gathering and scoping engagement to be used to create an implementation plan. Engagement will cover the relationship and configuration of existing hardware to be replaced by the bidder’s solution.
☐ YES ☐ NO

48. Manufacturer will provide up to 4 days onsite implementation and knowledge transfer based on the implementation plan generated in the information gathering engagement.
☐ YES ☐ NO

49. Manufacturer, or authorized partner, will provide 3-5 day formal, certified, onsite training for the bidder’s solution, including instructor, courseware and travel related expenses for up to ten staff.
☐ YES ☐ NO

50. Manufacturer will execute four post implementation Health Checks on a quarterly basis to ensure that the solution is configured and performing optimally.
☐ YES ☐ NO

COMPATIBILITY & SIZING

51. The solution must include, at a minimum, two (2) 10 Gbps fibre (SFP) links and four (4) 1 Gbps Copper interfaces plus any additional interface requirements for the HA cluster.
☐ YES ☐ NO

52. Combined inspection throughput must be capable of maintaining a minimum of 1Gbps with all specified features configured, enabled and tuned based on the manufacturer's best practice and recommendations:
- malware protection
- antivirus
- IPS
- application visibility
- URL filtering
- IPSec / SSL VPNs
- data filtering
- Full SSL decrypt and inspect at 1Gbps
☐ YES ☐ NO

53. Minimum 1Gbps Stateful Inspection Throughput (IMIX)
☐ YES ☐ NO

PART A [II] – MANDATORY FEATURES – Web Application Firewall

Specifications | Compliance (YES / NO)

1. The solution must address and mitigate the OWASP Top Ten web application security vulnerabilities
☐ YES ☐ NO

2. Must Support Reverse Proxy Deployment Method
☐ YES ☐ NO

3. Protection against common attacks (Not limited to)
- SQL injection
- Cross-site scripting
- Cookie or forms tampering
☐ YES ☐ NO


4. Protection through Adaptive security
☐ YES ☐ NO

7. JSON payload inspection
☐ YES ☐ NO

8. Outbound data theft protection
- Credit card numbers
- Custom pattern matching (regex)
☐ YES ☐ NO

9. Granular policies to HTML elements
☐ YES ☐ NO

10. Protocol limit checks
☐ YES ☐ NO

11. File upload control – Scanning of all files being uploaded to the publishing servers
☐ YES ☐ NO

14. High availability
☐ YES ☐ NO

15. SSL offloading as well as full SSL of both Internal and External Traffic
☐ YES ☐ NO

16. Load balancing
☐ YES ☐ NO

17. Content routing
☐ YES ☐ NO

18. XML Firewall
- XML DoS Protection
- Schema/WSDL enforcement
- WS-I conformance checks
☐ YES ☐ NO

19. DDoS Protection
☐ YES ☐ NO

20. Role Based Administration
☐ YES ☐ NO

21. IP Reputation
☐ YES ☐ NO

22. Protocol Validation
☐ YES ☐ NO

23. Attack Signatures
☐ YES ☐ NO

24. Antivirus / Data Loss Protection
☐ YES ☐ NO

25. Advanced Persistent Threat
☐ YES ☐ NO

26. Advanced Protection
☐ YES ☐ NO

28. Session Hijacking
☐ YES ☐ NO

29. Brute Force Protection
☐ YES ☐ NO


PART B – REPORTS

Specifications | Compliance (YES / NO)

REPORTS

1. The solution should be able to provide summary reports based on application and URL category usage
☐ YES ☐ NO

2. The solution should be able to provide summary reports based on top policies by bandwidth
☐ YES ☐ NO

3. The solution should be able to provide summary reports based on top users by browse time by social media
☐ YES ☐ NO

4. The solution should be able to provide summary reports based on top sites visited
☐ YES ☐ NO

5. The solution should be able to provide summary reports based on top blocked sites by request
☐ YES ☐ NO

6. The solution should be able to provide summary reports based on top sites by browse time
☐ YES ☐ NO

7. The solution should be able to provide summary reports based on top users by bandwidth
☐ YES ☐ NO

8. The solution should be able to provide summary reports based on top sites by bandwidth
☐ YES ☐ NO

9. The solution should be able to provide summary reports based on top users by browse time
☐ YES ☐ NO

10. The solution should be able to provide summary reports based on Blocked Files by Security Threat
☐ YES ☐ NO

11. The solution must allow investigative reporting for a minimum of three months of usage
☐ YES ☐ NO

12. The solution must allow scheduling reports on groups of users and automatically sending them via email to the specified email addresses
☐ YES ☐ NO

13. The solution must allow scheduling reports on overall user activity, performance, and security threats
☐ YES ☐ NO

14. The solution must allow alerts on custom defined user activities.
☐ YES ☐ NO

15. The samples of reports are provided with the bid
☐ YES ☐ NO

PART C – TECHNICAL SPECIFICATIONS & SYSTEM PERFORMANCE

TECHNICAL SPECIFICATIONS

Line | Component Description | Specify Answers Here

1. Number of 10-GbE SFP+ Interfaces
2. Number of 10/100/1000 Interfaces (RJ-45)
3. Number of GbE SFP or 10/100/1000 Interfaces
4. Number of Management Interfaces
5. Size of Internal Storage (GB)


6. Size of Built-in cache (GB)
7. Number of USB Ports

SYSTEM PERFORMANCE

8. Maximum Firewall Throughput (Gbps)
9. Maximum Firewall Latency (µs)
10. Firewall Throughput (Packets Per Second)
12. Concurrent TCP Sessions
13. New TCP Sessions Per Second
14. Maximum Number of Firewall Policies
15. Maximum IPS Throughput (Gbps)
16. Number of Virtual Firewalls
17. Number of User License (Limited to or Unlimited)
18. Number of Power Supply (1 or 1+1)

PART D – PRICE & TIMELINE

Price must include all related costs associated with this solution. Price must have separate components for VEP Price, Withholding Tax (if applicable), GST (if applicable), VAT, etc.

PRICING TABLE

Attach detailed Part/Component descriptions for the proposed solution including quantity, unit cost and extended cost to the Bid. List the total VIP Price below for each section.

Line | Component Description | Total Cost

1. Proposed solution including three years of support, applicable fees and subscriptions
2. Cost of Implementation
3. Certified, onsite training.
4. Post implementation Health Checks.

TOTAL COST
Specify the Currency Used

Timeline

The bidder must provide a timeline for delivery and installation from the date of award of contract.

Approximate Delivery Timeline

Scope | Time (working days)

Delivery of Hardware
Installation
Training
Complete Commissioning Report including user manuals


PART E – REFERENCE CUSTOMERS

Each bidder must provide a list of five customers similar to FNU’s context (preferably other Universities) who are using their products similar to the proposed version.

Product 1: (Select 1 that is applicable from the following)

☐ Firewall with UTM ☐ Firewall without UTM ☐ Separate Web Security ☐ Web Application Firewall

Product 1 Name:

Customer 1 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 2 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 3 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:


Customer 4 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 5 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Product 2: (Select 1 that is applicable from the following) [Continue only if applicable]

☐ Firewall with UTM ☐ Firewall without UTM ☐ Separate Web Security ☐ Web Application Firewall

Product 2 Name:

Customer 1 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 2 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:


Customer 3 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 4 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 5 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Product 3: (Select 1 that is applicable from the following) [Continue only if applicable]

☐ Firewall with UTM ☐ Firewall without UTM ☐ Separate Web Security ☐ Web Application Firewall

Product 3 Name:

Customer 1 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:


Customer 2 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 3 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 4 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 5 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:


Product 4: (Select 1 that is applicable from the following) [Continue only if applicable]

☐ Firewall with UTM ☐ Firewall without UTM ☐ Separate Web Security ☐ Web Application Firewall

Product 4 Name:

Customer 1 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 2 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 3 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

Customer 4 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:


Customer 5 | Company Name: | Application of Product: | Hardware Specifications: | Software Versions: | Contact Name: | Phone: | Email:

The End
