
PROCUREMENT, INSTALLATION, COMMISSIONING AND TESTING OF WI-FI SYSTEM
OFC BACKBONE UPTO SWITCH AT SBIM, RAJARHAT
REF: SBI/ITS/KOL/2017-18/03 DATED 30.06.2017, CORRIGENDUM-I DATED 07.07.2017
AND CORRIGENDUM-II DATED 10.07.2017
CORRIGENDUM-III DATED 11.07.2017
Sr No | Clause No | Existing Clause | Revised Clause

Sr No 1 | Clause No: RFP-3.1.1
Existing Clause: Supply, installation, testing and commissioning Structured Wireless LAN with OFC back bone connection for Wi-Fi connectivity will be used at SBIM, Rajarhat, Kolkata.
Revised Clause: Supply, installation, testing and commissioning and maintenance (including FMS and Internet link) of Structured Wireless LAN with OFC back bone connection for Wi-Fi connectivity will be used at SBIM, Rajarhat, Kolkata for a period of 5 years.

Sr No 2 | Clause No: RFP – Ann5.3
Existing Clause: SLA Terms & Conditions
Revised Clause: The Annexure Number should be treated as 3.2 (Eligibility Criteria).

Sr No 3 | Clause No: RFP - Scope of Work
Existing Clause: The bidder should provide and maintain high speed uninterrupted wireless Internet across the SBIM campus, except few areas/rooms, for a period of 5 years. The areas/rooms where access to Internet is not required is marked at the building plans (Annexure – ABC). All other areas, including the open spaces, should be covered with high speed wireless Internet.
Revised Clause: The bidder should provide and maintain high speed uninterrupted wireless Internet services, as mentioned in the RFP, across the SBIM campus, including the open spaces, for a period of 5 years.

Sr No 4 | Clause No: RFP - Scope of Work
Existing Clause: The bidder should conduct Site Survey to finalize the Network Diagram and the Bill of Materials (BoM), subject to approval of the Bank. The bidder will prepare the drawings, cable route plans and laying of cables, rack, node and AP locations/placement, etc. in consultation with Bank. The bidder will try & reuse the items already available at the location to the extent possible subject to its functionality & feasibility without any adverse effect to the existing utility. The bidder should submit simulation report / Wi-Fi survey report including heat maps as per the survey conducted at site, at least 7 days before bid submission. Required changes/modification in architecture/quantity should be made to meet Bank’s requirement.
Revised Clause: The bidder should conduct Site Survey to understand the exact requirement. To maintain the uniformity among the bidders, Bank has finalized the BOM/BOQ as mentioned at the bottom. The bidder will prepare the drawings, cable route plans and laying of cables, rack, node and AP locations/placement, etc. The bidder will try & reuse the items already available at the location to the extent possible subject to its functionality & feasibility without any adverse effect to the existing utility. The bidder should submit simulation report / WiFi survey report including heat maps as per the survey conducted at site along with the bid. The bidder will remain responsible for any changes/modification required in architecture/quantity to meet Bank’s requirement.

Sr No 5 | Clause No: RFP - Scope of Work
Existing Clause: Onsite engineer should be available for 24 * 7 * 365 days per year.
Revised Clause: Onsite engineer should be available for 24 * 7 * 365/366 days per year.

Sr No 6 | Clause No: RFP - Uptime and Penalty
Existing Clause: Faulty Hardware / Appliances replacement: The bidder should provide replacement of the faulty hardware/appliances within 24 hours from time of detection/identification by the onsite support team. In case of delay beyond 24 hours, penalty will be charged as under.
Sr No | Equipment | Penalty per day
1 | Access Points | Rs.1000/-
2 | For Other Equipment | Rs.10000/-
This amount of penalty so calculated shall be deducted at the time of making payments to the bidder.
Onsite Helpdesk for the day-to-day operation / Management and Technical Support Teams: Due to some reason on the day, if any onsite support personnel is/are not available, the service integrator shall arrange for the backup onsite support persons accordingly. If on the day number of onsite support persons available is less than 07 then SBI shall be entitled to reduce amount(s) @ Rs.2500/- per day per support person.
Revised Clause: Faulty Hardware / Appliances replacement: The bidder should provide replacement of the faulty hardware/appliances within 24 hours from time of detection/identification by the onsite support team. In case of delay beyond 24 hours, penalty will be charged as under.
Sr No | Equipment | Penalty per day
1 | Access Points | Rs.1000/-
2 | For Other Equipment | Rs.10000/-
This amount of penalty so calculated shall be deducted at the time of making payments to the bidder.
Onsite Helpdesk for the day-to-day operation / Management and Technical Support Teams: Due to some reason on the day, if any onsite support personnel is/are not available, the service integrator shall arrange for the backup onsite support persons accordingly. If on the day number of onsite support persons available is less than 07 then SBI shall be entitled to reduce amount(s) @ Rs.2500/- per day per support person.
UPTIME AND PENALTIES FOR DOWNTIME:
Levy of penalties is without prejudice to other rights and remedies available under this agreement:
Level of Network uptime per month | Downtime Penalty
Committed SLA >=99.99% | NIL
>=99.95% but <99.99% | 10% of Monthly Bandwidth + FMS Charges
>=99.50% but <99.95% | 20% of Monthly Bandwidth Charges
>=99.00% but <99.50% | 30% of Monthly Bandwidth + FMS Charges
>=98.50% but <99.00% | 40% of Monthly Bandwidth + FMS Charges
<98.50% | 50% of Monthly Bandwidth + FMS charges and the Bank also reserves the right to terminate the contract. Further if the number of link down instances during a month exceeds 3, Bank reserves the right to terminate the contract.
PENALTIES FOR DELAY IN UPGRADES:
The vendor should also undertake to upgrade the link within 4 days from the date of Purchase Order for up-gradation. The Bank shall be entitled to charge penalty 2% of the additional upgradation cost per day of delay with a maximum of 20% of the additional upgradation cost beyond the scheduled upgradation date. If the successful bidder fails to commission/upgrade the link as mentioned above, the Bank has rights to cancel the business offered to the bidder and will recommend to IBA to blacklist the bidder from participating in any IBA member bank’s business offer.

Sr No 7 | Clause No: Corrigendum Uptime and Penalty
Existing Clause: Uptime Penalty will be as under.
Event | Time period | Penalty
Failure of Wireless equipment | 5 Mnts-25 Mnts > upto 1 hours | Rs.50,000/- or Rs.1 Lakh
Failure of Hardware equipment | 25 Mnts-60 Mnts > upto 2 hours | Rs.50,000/- or Rs.1 Lakh
Failure of system | 60 Mnts-2 Hours > upto 12 hours | Rs.2 Lakh or Rs.4 Lakh
Failure of system | 12 hours to 24 hours > upto 48 hours | Rs. 5 Lakh or Rs.6 Lakh
Revised Clause: Please treat the Clause as CANCELLED.

Sr No 8 | Clause No: RFP
Existing Clause: *** Uptime and other Penalty clauses should be incorporated in the RFP. *** Complete site plans and building plans with marking of exempted areas/rooms should be included in the RFP. All AC Rooms/Electrical rooms etc should be excluded from WiFi internet network.
Revised Clause: Typo mistake. The clause should be treated as DELETED.

Sr No 9 | Clause No: Corrigendum – 4.11.3
Existing Clause: Payment clause as against the following heads,
Software: 50 % payment will be released immediately after installation, testing and commissioning and another 50 % will be paid after 3 months on satisfactory performance.
Hardware: 70% payment will be released immediate after installation, testing and commissioning and remaining 30% will be paid in next five years warranty period on equal instalment.
Installation – Normally will be paid 100% after successful commission and testing.
Warranty Charge – Annually in arrears.
FMS – Quarterly in arrears.
Revised Clause: Payment clause as against the following heads,
Software: 50 % payment will be released immediately after installation, testing and commissioning and another 50 % will be paid after 3 months on satisfactory performance.
Hardware: 70% payment will be released immediate after installation, testing and commissioning and remaining 30% will be paid in next five years warranty period on equal installment.
Installation – Will be paid 100% after successful commission and testing.
Warranty Charge – Annually in arrears.
FMS – Quarterly in arrears.
Link Charges – Quarterly in arrears.

Sr No 10 | Clause No: Corrigendum
Existing Clause: Bidders will arrange for Internet connection from two different ISP vendors and Bank will pay to ISP vendor directly (if required) as per the agreement (payment will be made quarterly basis) and PO to be issued to ISPs by Bank only at the Banks approved rate (already shared in RFP).
Revised Clause: The successful bidder has to arrange for the links as mentioned in the RFP. Bank will not pay directly to any ISP. Bank will pay to the bidder only as per the rates mentioned in the RFP.

Sr No 11 | Clause No: Corrigendum
Existing Clause: **As discussed in pre-bid meeting, Non-telco companies will not be able to procure link on our behalf. In that case Bank have to procure the links separately and the RFP will be for Hardware (with AMC), Commissioning, Maintenance, FMS etc. The solution should be capable to handle 100 Mbps to 10 Gbps Internet bandwidth.
Revised Clause: Please treat the clause as DELETED.

Sr No 12 | Clause No: RFP & Corrigendum
Existing Clause: Redundancy in hardware level as well as in link level will be implemented. To ensure the availability of Internet link, the bidder should provide two Internet links with dual last mile from different ISPs in ring architecture. Switching over from one link to other (in case of active link is down) should be seamless without any downtime.
Revised Clause: Redundancy in hardware level as well as in link level will be implemented. To ensure the availability of Internet link, the bidder should provide the Internet link with dual last mile. The second last mile should be from different ISPs in ring architecture. Switching over from one link to other (in case of active link is down) should be seamless without any downtime. Bank may procure second link in future, if required. The system should be capable to configure both the links.
Total Wi-Fi BOQ

Sl No. | Item Description | UOM | Qty
1 | L3 Switch 24 port 10G IP Base with 24 Nos SFP 10G populated | No | 2
2 | 12 Port Switch L3 with 4 Nos 10G SFP and 1G populated | Nos | 12
3 | L2 Managed 24 Port with 4 SFP with 4 Nos 10 G populated | Nos | 35
4 | Router | No | 2
5 | Network Access Control | No | 2
6 | Link Load Balancer with Five years support | No | 2
7 | UTM Firewall with three years subscription 24X7 support. With five Years | No | 2
8 | Redundant WLAN Controller with 4 GigE ports and 530 AP management license from day one. | Nos | 2
9 | Omni, outdoor access point, 802.11ac 2x2:2, dual band concurrent, one Ethernet port, PoE input, includes mounting bracket. | Nos | 40
10 | Dual-band 802.11abgn/ac (802.11ac Wave 2), Wireless Access Point, 2x2:2 streams, MU-MIMO, dual ports, 802.3af PoE support. | Nos | 460
11 | Cat 6 UTP Cable (305 Mtrs / Box) | Box | 60
12 | Outdoor Cat 6 Cable | Box | 5
13 | Information Outlet, CAT6 RJ45, Unshielded | Nos | 500
14 | 24 Port CAT6 Unshielded Jack Panel Loaded | Nos | 28
15 | Workstation/Equipment end CAT 6 Patch Cords 1 Mtrs | Nos | 500
16 | Workstation/Equipment end CAT 6 Patch Cords 2 Mtrs | Nos | 500
17 | Face Plate Single port | Nos | 500
18 | 12 core Central loose tube 50 micron MM OM4 cable | Mtrs | 6000
19 | 12/24 Port LIU | Nos | 50
20 | Pigtail LC PC, beige, 50 micron, grade OM4, 1.5 m | Nos | 600
21 | LC-LC Duplex Multimode 50 micron patch cord | Nos | 50
22 | Adapter LC-Duplex PC, beige, OM4 | Nos | 50
23 | Fiber splice Shelf (LIU) - 12 LC Duplex | Nos | 50
24 | OFC Multi Mode 10G | Nos | 24
25 | 12 U Wall Mount Rack with all accessories | Nos | 13
26 | 6 U Wall Mount Rack with all accessories | Nos | 1
27 | 42 U Floor Mount Rack with all accessories | Nos | 6000
28 | HDPE Pipe 1" | Mtrs | 6000
Sr. No. | Service | UOM | Qty
1 | L3 Switch 24 Port Installation & Commissioning Charge | Nos | 2
2 | 12 Port Switch Installation & Commissioning Charge | Nos | 13
3 | 12 Port Switch Installation & Commissioning Charge | Nos | 35
4 | Router Installation & Commissioning Charge | Nos | 2
5 | Link Load Balancer Installation Charge | Nos | 2
6 | Wireless Controller Installation & Commissioning Charge | Nos | 2
7 | Wireless AP Installation & Commissioning Charge | Nos | 530
8 | Cat 6 UTP Cable laying charge through conduit | Nos | 19200
9 | I/O Installation and commissioning charge | Nos | 500
10 | Fluke Test Report for Cat 6 UTP Cable | Nos | 500
11 | Jack panel Installation and Punching charge | Nos | 28
12 | Laying of OFC through HDPE Pipe including Digging, refilling of hard/soft soil and Road crossing | Mtrs | 6000
13 | Pigtail splicing Charge | Nos | 600
14 | LIU Installation Charges | Nos | 50
15 | OTDR Testing Report for OFC | Nos | 600
16 | L2 Engineers yearly charges (For Five Years) | Nos | 2
17 | L1 Engineers yearly charges (For Five Years) | Nos | 5
18 | 25 Years site certification | Lot | 1
19 | Project Management Charge | Lot | 1
20 | UTM Firewall Installation & Commissioning Charge | Nos | 2
Router Specification
Sr. No. | Feature Set | Solution Requirement | Complied

A. Solution Requirement
A1. The router should support a throughput of 10 Gbps
A2. The router architecture should be based on hardware based forwarding and switching. System should be multi processor based architecture for enhanced performance
A3. The router should have data plane and control plane hardware level of redundancy for providing self redundancy and should not disrupt the system functionality at the time of any data plane or control plane hardware failure
A4. The router should support granular traffic detection and management using QoS features and should allocate network resources on application priority and requirement
A7. Router should support RFC 4012 for future implementation and Multicast Support. (Desirable)
A8. Router should support the complete STACK of IP V4 and IP V6 services
A9. The router should support Operating System (OS) redundancy in 1:1 mode to ensure high-availability of the system. In the event of running OS failure router should switchover to the redundant OS without disturbing the traffic flow. There should not be any impact on the performance in the event of active processing engine failure
A10. The router should support on line hot insertion and removal of power supply and connected modules. Any insertion of line card/power supply should not require router rebooting nor should disrupt the functionality of the system

B. Hardware and Interface Requirement
B1. Router should have the following interfaces:
B2. Router should have 4 x 10 G ports & 4 X 1 G Ports or higher.
B3. Router should have console port
B4. Router should have management interface for Out of Band Management
B5. Router should be rack mountable and support side rails if required
B6. Router should have redundant power supplies (at least dual)
B7. Router should have hardware health monitoring capabilities and should provide different parameters through SNMP
B8. Router should support VLAN tagging (IEEE 802.1q)
B9. Router should support IEEE Link Aggregation and Ethernet Bonding functionality to group multiple ports for redundancy
B10. Router should have the capability of holding multiple OS images to support resilience & easy rollbacks during the version upgrades etc and should support in-service software upgrade including:
B11. a. Multiple System image
B12. b. Multiple system configuration
B13. c. Option of Configuration roll-back
B14. Router should support for different logical interface types like loopback, GRE and IPIP tunnel, VLAN etc

C. Performance Requirement
C2. The router should support minimum 3,000,000 IPv4 and IPv6 routes entries including multicast routes
C5. Router should support Graceful Restart for OSPF, BGP, MP-BGP etc.
C6. Router should support the required throughput, as mentioned, of crypto IMIX WAN traffic including the services:
C6.1 a. Hardware based encryption acceleration (IPSec VPN)
C6.2 b. IPSec Encryption (ESP-AES 256 ESP-SHA-HMAC)
C6.3 c. IP Routing (Static/Dynamic)
C6.4 d. IP Forwarding
C6.6 f. NAT
C6.7 g. QoS
C6.8 h. ACL and Other IP Services
C6.9 i. MPLS with VRF Edge Routing
C6.10 j. IP V.6 host and IP V.6 routing
C7. The router should support secured connectivity using point to point and any to any dynamic IPSec VPN for secured data transfer:
C7.1 a. Hardware based IPSec Encryption
C7.3 c. Any to Any Dynamic IPSec VPN using the GDOI Protocol should be supported
C7.4 d. IPSec Idle Timeout and Dead Peer detection
C7.5 e. Support Multicast traffic over any to any dynamic VPN
C8. The router should support uninterrupted forwarding operation for OSPF, BGP etc. routing protocol to ensure high-availability during primary controller failure

D. Layer2 Features
D1. Spanning Tree Protocol (IEEE 802.1D, 802.1S)
D2. VLAN Trunking (802.1q)
D3. System should provide basic Layer 2 WAN protocols as:
D3.2 b. GRE
D3.3 c. Ethernet

E. Layer3 Features
E1. The router should support IPSec Framework for Secured Data transfer
E1.1 a. IPSec Data Encapsulation AH and ESP
E1.2 b. Key Exchange: Internet Key Exchange (IKE), IKEv2, Pre-Shared Keys (PSK), Public Key Infrastructure PKI (X.509), RSA encrypted nonces etc
E1.3 c. Encryption Algorithm: DES, 3DES, AES-128/192/256
E1.4 d. Authentication Algorithm: SHA1 and SHA2
E1.5 e. Group: Diffie-Hellman (DH) Group 1, 2, 5
E1.7 g. Different mode of communication: Tunnel mode and Transport mode
E1.8 h. IPSec NAT Traversal
E2. The router should support IPSec framework standard RFC:
E2.1 a. IPSec (RFCs 2401 to 2410)
E2.2 b. IPSec ESP using DES and 3DES (RFC 2406)
E2.3 c. IPSec authentication header using MD5 or SHA (RFCs 2403 to 2404)
E2.4 d. IKE (RFCs 2407 to 2409) and 7296
E2.5 e. GDOI Group Domain of Interpretation
E3. Router should provide basic routing feature i.e. IP Classless and default routing
E4. Router should provide static and dynamic routing using:
E4.1 a. Static routing
E4.2 b. RIP V.2 with MD5 Authentication
E4.3 d. OSPF V.2 using MD5 Authentication
E4.4 e. ISIS using MD5 Authentication
E4.5 f. BGP V.4 using MD5 Authentication
E4.6 g. Should support route redistribution between these protocols
E4.7 h. Should be compliant to RFC 4760 Multiprotocol Extensions for BGP-4 (Desirable)
E5. Router should support for policy based routing for providing different path selection for different applications and also should support best path selection using realtime parameters like:
E5.1 a. Jitter
E5.2 b. Minimum cost
E5.3 c. Network path availability
E5.4 d. Network Response Time
E5.5 e. Packet loss
E6. The router should re-converge all dynamic routing protocols at the time of routing update changes, i.e. Non-Stop forwarding for fast re-convergence of routing protocols
E7. Router should connect to multiple MPLS service providers using multi instance routing using VRF and do VRF Edge routing
E8. Router should be capable to work as DHCP server and relay
E9. Router should provide multicast traffic reachable using:
E9.1 PIM-SM
E9.2 PIM-SSM
E9.3 Bi-Directional PIM
E9.4 MBGP, DVMRP or equivalent
E9.5 Support RFC 3618 Multicast Source Discovery Protocol (MSDP)
E9.6 Support Anycast Rendezvous Point (RP) mechanism using PIM and Multicast Source Discovery Protocol (MSDP) as defined in RFC 3446
E9.7 IGMP V.1, V.2 and V.3

F. Availability
F1. Router should have provisioning for connecting to dual power system
F2. Router should support to dynamically discover and cope with differences in the maximum allowable maximum transmission unit (MTU) size of the various links along the path, using multiple interconnected for end to end network connectivity and usability
F3. Router should automatically fail over to the secondary link connectivity on primary interface status change or remote network not reachable, using following realtime parameters (IP SLA):
F3.1 Jitter
F3.2 Network path availability
F3.3 Network Response Time
F3.4 Packet loss
F4. Router should provide gateway level of redundancy in IP V.4 and IP V.6 using HSRP/VRRP & NHRP/equivalent for Dynamic VPN

G. Quality of Service
G1. Router system should support 802.1P classification and marking of packet using:
G1.1 a. CoS (Class of Service)
G1.2 b. DSCP (Differentiated Services Code Point)
G1.3 c. Source physical interfaces
G1.4 d. Source/destination IP subnet
G1.5 e. Protocol types (IP/TCP/UDP)
G1.6 f. Source/destination TCP/UDP ports
G2. Router should support methods for identifying different types of traffic for better management and resilience under network attacks
G3. Router should support for different type of QoS features for real time traffic differential treatment using
G3.1 Weighted Fair Queuing
G3.2 Weighted Random Early Detection
G3.3 Priority queuing
G4. Router should support controlling incoming and outgoing traffic using
G4.1 a. Traffic Shaping
G4.2 b. Traffic Policing
G5. Router should support for managing congested network connectivity using:
G5.1 a. TCP congestion control
G5.2 b. IP Precedence
G5.3 c. Ingress and Egress Rate Limiting
G6. Router should support for packet classification and fragmentation before applying IPSec security encryption for providing end to end QoS treatment
G7. Router should support hierarchical QoS for providing granular policy per application basis for providing bandwidth provisioning and management

H. Security
H2. Router should support for deploying different security for each logical and physical interface using Port Based access control lists of Layer-2 to Layer-4 in IP V.4 and IP V.6
H3. Router processor and memory Protection from unnecessary or DoS traffic by control plane protection policy
H4. Router should support for stringent security policies based on time of day of Layer-2 to Layer-4
H5. Router should support for external database for AAA using:
H5.1 a. TACACS+
H5.2 b. RADIUS
H6. Router should support dynamic inspection of ARP for the locally connected network system
H7. Router should support for multiple service provider using edge VRF and IPSec traffic encryption
H8. Router should support GRE and IPSec WAN traffic encapsulation and encryption
H9. The router shall support unicast RPF (uRPF) feature to block any communications and attacks that are being sourced from randomly generated IP addresses.

I. Manageability
I1. Router should support for embedded RMON for central NMS management and monitoring
I2. Router should support for sending logs to multiple centralised syslog server for monitoring and audit trail
I3. Router should provide remote logging for administration using:
I3.1 a. Telnet
I3.2 b. SSH V.2
I4. Router should support for capturing packets for identifying application performance using remote port mirroring for packet captures
I5. Router should support for management and monitoring status using different type of Industry standard NMS using:
I5.1 a. SNMP V1 and V.2
I5.2 b. SNMP V.3
I5.3 c. Filtration of SNMP using Access list
I5.4 d. SNMP MIB support for QoS
I6. Router should support for basic administrative tools like:
I6.1 a. Ping
I6.2 b. Traceroute
I7. Router should support central time server synchronisation using Network Time Protocol NTP V.4
I8. Router should support for collecting real-time traffic statistics for analysis and troubleshooting using Netflow or IPFIX or equivalent
I9. Router should support for providing granular MIB support for different statistics of the LAN and WAN interface
I10. Router should support for predefined and customised execution of script for device management for automatic and scheduled system status update for monitoring and management
I11. Router should provide different privilege levels for login in to the system for monitoring and management
I12. Router should support to dynamically change in configuration or operating system by using different local and central tools and scripts

J. IPv6 features
J1. Router should support IP V.6
J2. Router should support for IP V.6 connectivity and routing required for network reachability using different routing protocols such as:
J2.1 a. RIP NG
J2.2 b. OSPF V.3
J2.3 c. BGP with IP V.6
J2.4 d. IP V.6 Policy based routing
J2.5 e. IP V.6 Dual Stack etc
J2.6 f. IP V.6 Static Route
J2.7 g. IP V.6 Default route
J2.8 h. Should support route redistribution between these protocols
J3. Router should support different types of IP V6 tunnelling mechanism, such as:
J3.1 a. Automatic IPv6 to IPv4 tunnels/IPv4 to IPv6 IP Tunnels
J3.2 b. Automatic IPv4 compatible tunnels/IPv4 to IPv6 IP Tunnels
J3.3 c. IPv6 over IPv4 tunnelling
J4. Router should support different types of multicast routing in IP V.6 network using:
J4.1 a. PIMv2 Sparse Mode
J4.2 b. PIMv2 Source-Specific Multicast
J5. Router should support for QoS in IP V.6 network connectivity
J6. Router should support for monitoring and management using different versions of SNMP in IP V.6 environment such as:
J6.1 a. SNMPv1, SNMPv2c, SNMPv3
J6.2 b. SNMP over IP V.6
J6.3 c. RFC4292/RFC4293 MIBs for IPv6 traffic
J7. Router should support syslog for sending system log messages to centralised log server in IP V.6 environment
J8. Router should support NTP to provide an accurate and consistent timestamp over IPv6 to synchronize log collection and events
J9. Router should support for IP V.6 different type of application usage like:
J9.1 a. HTTP
J9.2 b. HTTPS
J9.3 c. ICMP
J9.4 d. TCP/UDP
J9.5 e. DNS lookup
J9.6 f. DHCP
J10. Router should support for IP V.6 different types of tools for administration and management such as:
J10.1 a. Ping
J10.2 b. Traceroute
J10.3 c. VTY
J10.4 d. SSH
J10.5 e. TFTP
Firewall
Sr.
No.
A
A1
A2
A3
A4
Features
Solution Requirement
Make and Model (Palo Alto/Checkpoint/Fortinet and Cisco Only)
Details of the proposed solution: name, version, date of release, date of
release of next version, application/product development path, etc.
Proposed solution framework should be scalable to support large scale
deployment and reduce the time and effort to deploy the entire set up.
Bidder should clearly illustrate various tools and methodologies used to
achieve the same
Please submit a list of all features provided by proposed solution in
addition to the specifications mentioned in this document, that will be
available to the bank without any additional charges and will be under
support. These features will be treated at par with other features
mentioned in the RFP.
Compliance
(Yes/No)
A5
A6
A7
A8
A9
A 10
A 11
A 12
A 13
A 14
A 15
A 16
A 17
A 18
A 19
A 20
A 21
A 22
A 23
A24
B
B1
Solution should support Firewall, Intrusion Prevention System,
Application Visibility, SSL Inspection (in & out) functions etc.
Solution should support "Stateful” policy inspection technology. It should
also have application intelligence for commonly used TCP/IP protocols,
not limited to telnet, ftp, http, https etc
Not applicable
Firewall & IPS should have Recommended rating in 2015/last released
respective Group tests of NSS
The communication between all the components of solution (firewall
module, logging & policy and Web GUI Console) should be encrypted
with SSL or PKI
Management of the entire solution including real-time monitoring, event
logs collection, policy enforcement etc should be from a single device
only (mgt server/appliance), however solution should have
management devices at both locations
Firewall should be supplied with the support for static routing and
dynamic routing with protocols, like RIP v2, OSPF, & BGP etc.
Firewall should support the multicast protocols like IGMP and PIM-DM /
PIM-SM etc
Solution should support Identity Access for Granular User/ Group,
location and machine based visibility
Solution should provide stateful failover among devices for all
components and should be completely automatic without any sort of
manual intervention
Solution should have hardened OS for both appliance and management
platform
Solution Should provide protection against various types of cyber
attacks evasive attacks, scripting attacks etc
Solution should have capability to store Logs and configuration of all
devices, centrally in the solution and should also have capability to send
logs of all devices to the generic central log collection servers
Solution should be IPV6 ready. It should have IPV6 ready logo or similar
certification from any other reputed third party. No extra cost will be
borne by bank for IPV6 implementation
Solution must support the complete STACK of IP V4 and IP V6 services
Solution should have capability to analyse the impact of any new policy
prior to making it live.
Solution should support for multiple security levels/zones like internal,
DMZ and external etc.
Independent administrative controls for all the major functions like
Firewall, IPS, SSL offloading etc should be in place. Compromise with
any component either by connecting with it physically or remotely should
not impact other components of the solution
Not applicable
Patches & updates being received from OEM should be from trusted
sites
Hardware and Interface Requirements
Each appliance of solution requires at least 6 x 10G & 2 x 1G interfaces
including ports for sync, HA and other functionalities. System should
support 4x40G for future requirement
B2
B3
Each appliance should have management interface for Out of Band
Management
B4
B5
B6
B7
B8
B9
B 10
B.10.1
B.10.2
B.10.3
B 11
B 12
B 13
B 14
C
C1
C1.1
C1.2
C1.3
C2
C3
C4
C5
D
D1
D2
D3
Each appliance should be rack mountable and support side rails if
required
Each appliance should have redundant power supplies (atleast dual)
and management system should have HDD/SSD with RAID enabled.
Each appliance should have hardware health monitoring capabilities
and should provide different parameters through SNMP
Solution should support VLAN tagging (IEEE 802.1q)
Solution should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
Solution should Support DHCP Relay
Solution should support and not limited to:
Active-Active & Active- Failover Load Balancing: The firewall must
support Stateful active-active & Active-Failover architecture for Firewall,
VPN & IPS functions and high availability for redundancy. Appliance
failover should be complete Stateful.
Solution should provide stateful failover for Firewall and VPN
functionalities
Solution should not require any downtime/reboot for failover
Solution should have the capability of holding multiple OS images to
support resilience & easy rollbacks during the version upgrades etc
Centralized Management Solution should provide high availability at site
level for enabling DR deployment
It should be possible to manage the entire solution from Primary &
Secondary management server/appliance placed at DC and DR.
Management solution should have the capability to be deployed in
geographically different location enabling DR deployment
The firewall system should have adequate local storage in order to keep
the various logs in the event of management server connection failure
etc
Performance Requirements
Each of Appliance of Solution should be properly sized for following
given parameters, with all features enabled at the same time:
Handling minimum 10 Gbps of user traffic (Incoming 10 Gbps and
Outgoing 10 Gbps traffic simultaneously) and other application Zones.
Please change this to "Should support at least10 Gbps of real world
performance throughput (includes Firewall, Application Visibility &
IPS)"
Running all internet protocols etc, traffic flowing through different zones
in the solution with all the features enabled and running
Request you to change this to 20 million concurrent session with
AVC considering NGFW firewall and 10 Gbps real world throughput
Request you to change this to more than 1,60,000 new sessions per
second
Solution should not impact the application response by adding latency.
Maximum permissible latency of firewall is 50 mili second and for the
complete solution at each site is 100 millisecond with all the services
enabled together as asked in this RFP at any point of time
The Firewall must provide filtering capability using FQDN and URL
Network Standards/Protocols and Firewall System Requirements
Solution should support at least 250+ protocols
Solution should have a capability to support for more than 500 VLAN
Solution should support the filtering of TCP/IP based applications with
standard TCP/UDP ports or deployed with customs ports etc
D4
D 4.1
D 4.2
D 4.3
D 4.4
D 4.5
D5
D6
D 6.1
D 6.2
D7
D 7.1
D 7.2
D 7.3
D 7.4
D8
D9
D 9.1
D 9.2
D 9.3
D 9.4
D 9.5
D 10
D 11
D 12
D 13
D 14
D 14.1
D 14.2
D 14.3
Firewall Modules should support the deployment in Routed as well as
Transparent Mode & should also support following:
Solution should mask the internal network from the external world.
Multi-layer, stateful, application-inspection-based filtering should be
done
It should provide network segmentation features with powerful
capabilities that facilitate deploying security for various internal, external
and DMZ (Demilitarized Zone) sub-groups on the network, to prevent
unauthorized access
Ingress/egress filtering capability should be provided for internal,
external and DMZ (Demilitarized Zone) zones
Solution should support detection of reconnaissance attempts such as
IP address sweep, port scanning etc
Solution should provide NAT functionality, including dynamic and static
NAT translation etc
IPSec should have the functionality of PFS (perfect forward secrecy)
and NAT-T and should support:
Network Address Translation (NAT) should be configurable as 1:1, 1:
many, many: 1, many:many, flexible NAT (overlapping IP addresses).
Reverse NAT or equivalent should be supported
Port address translation/masquerading should be provided for all internet-based applications, and filtering should be supported for (but not limited to) Telnet, FTP, SMTP, HTTP, DNS, ICMP, DHCP, ARP, RPC, SNMP, Lotus Notes, MS-Exchange etc
Solution should support integration with the following standards:
X.509 digital certificates
RSA SecurID certified
Two-factor authentication
RADIUS/TACACS+
Solution should support RADIUS/TACACS+ authentication protocol for
Local access to devices
Solution should support PKI with:
PKCS 7/PKCS 10/ PKCS 12 and PEM
Self-signed Certificates
External CA support
Certificate Revocation List Import
Embedded Certificate Authority
IPSec ISAKMP methods should support Diffie-Hellman Group 1 & 2,
MD5 & SHA, SHA2 , RSA & Manual Key Exchange Authentication,
3DES/AES-256 Encryption of the Key Exchange Material and
algorithms like RSA-1024 / 1536
Not applicable
Firewall system should support virtual tunnel interfaces to provision
Route-Based IPSec VPN
Dynamic Host Configuration Protocol (DHCP) over Virtual Private
Network (VPN) should be supported for dynamic allocation of IP
addresses
Solution should support the following features (not limited to):
The firewall should support Internet Protocol Security (IPSec)
Key exchange with latest Internet Key Exchange (IKE), IKEv2, Public
Key Infrastructure PKI (X.509)
Site-to-site VPN tunnels: full-mesh / star topology should be supported
Clause nos. D14.4 to D14.9, D15, D15.1 to D15.6, D16 to D22, D22.1 to D22.6, E, E1 to E3 (clause-number column of the table; the corresponding requirement text follows)
Support latest encryption algorithms including AES 128/192/256 (Advanced Encryption Standard), 3DES (Triple Data Encryption Standard) etc
Support latest authentication algorithms including SHA-1 (Secure Hash Algorithm 1), SHA-2 (Secure Hash Algorithm 2) etc
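The ISAKMP clause above (Diffie-Hellman groups 1 and 2, MD5, 3DES, RSA-1024) and the algorithm clauses just listed name several parameters that sit below current baselines (768/1024-bit MODP groups, MD5, SHA-1, 3DES and 1024-bit RSA are all deprecated in NIST SP 800-131A). The following is an added example, not part of the RFP or of any bidder's product, of the kind of check an evaluator can run over a vendor's proposed IKE/IPsec proposals. The Proposal fields, the baseline constants and the two sample proposals are assumptions made for the example.

```python
# Added example (not from the RFP or any vendor): audit IKE/IPsec
# proposals against a minimum cryptographic baseline. The baseline values,
# field names and sample proposals below are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed baseline (NIST SP 800-131A and current IKEv2 practice); adjust
# to the bank's own crypto standard if it is stricter.
MIN_DH_GROUP = 14                  # group 14 = 2048-bit MODP
MIN_RSA_BITS = 2048
WEAK_ENCRYPTION = {"des", "3des", "rc4", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}   # MODP group sizes


@dataclass
class Proposal:
    name: str
    ike_version: int               # 1 or 2
    encryption: str                # e.g. "3des", "aes-256-cbc", "aes-256-gcm"
    integrity: str                 # integrity/PRF, e.g. "md5", "sha256"
    dh_group: int                  # Diffie-Hellman group for the IKE SA
    pfs_group: Optional[int]       # DH group for child-SA rekey; None = PFS off
    auth: str                      # "psk" or "rsa-<bits>"


def audit(p: Proposal) -> List[str]:
    """Return the findings for one proposal; an empty list means it passes."""
    findings: List[str] = []
    if p.ike_version < 2:
        findings.append("IKEv1 in use; IKEv2 should be preferred")
    if p.encryption.lower() in WEAK_ENCRYPTION:
        findings.append(f"weak encryption {p.encryption}; use AES-128/256 (GCM preferred)")
    if p.integrity.lower() in WEAK_INTEGRITY:
        findings.append(f"weak integrity {p.integrity}; use SHA-2")
    if p.dh_group < MIN_DH_GROUP:
        bits = MODP_BITS.get(p.dh_group, "?")
        findings.append(f"DH group {p.dh_group} ({bits}-bit MODP) below group {MIN_DH_GROUP}")
    if p.pfs_group is None:
        findings.append("PFS disabled on child SA; a long-term key compromise exposes past traffic")
    elif p.pfs_group < MIN_DH_GROUP:
        findings.append(f"PFS group {p.pfs_group} below group {MIN_DH_GROUP}")
    if p.auth.lower().startswith("rsa-"):
        bits = int(p.auth.split("-", 1)[1])
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA-{bits} authentication key below {MIN_RSA_BITS} bits")
    return findings


# Constructed samples: the first mirrors the clause as worded, the second
# is a proposal that would pass the assumed baseline.
LEGACY = Proposal("legacy-as-worded", 1, "3des", "md5", 2, None, "rsa-1024")
HARDENED = Proposal("hardened", 2, "aes-256-gcm", "sha256", 14, 14, "rsa-2048")


def run_demo() -> Dict[str, List[str]]:
    return {p.name: audit(p) for p in (LEGACY, HARDENED)}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "OK")
```

Run against a real device, the proposal list would come from the exported configuration (clause F on exporting the rule set and configuration); the check is useful at technical evaluation, before the weak parameters are baked into the site-to-site tunnels.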
IPSec NAT traversal should be supported
Not applicable
It must include the ability to establish VPNs with gateways that have dynamic public IPs
Not applicable
The firewall must provide filtering capability on parameters such as source address, destination address, source and destination port numbers and protocol type, together with other parameters, so that rules can be configured on the following:
Source/Destination IP/Port
Not applicable
User/group role (Integration with AD)
Customizable services
Not applicable
Combination of one or multiple of above mentioned parameter
The Firewall should be able to filter traffic even if the packets are
fragmented
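The filtering parameters listed above (source/destination IP and port, user or group, customisable services, any combination of these), the zone-based ingress/egress filtering of the firewall clauses, and the requirement to filter fragmented packets all come together in a rule evaluator. The block below is an added example written for this page, not the RFP's or any vendor's code; it shows a first-match, zone-aware policy and how non-initial fragments (which carry no transport header) are handled by tying them to the verdict of the first fragment. All rule names, zones, addresses, groups and packets are constructed for the example.

```python
# Added example (not from the RFP or any product): a minimal first-match,
# zone-aware packet filter with fragment handling. Rules, zones,
# addresses and packets are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None       # None on non-initial fragments (no L4 header)
    user_group: Optional[str] = None  # from the AD/identity integration, if known
    frag_id: Optional[int] = None     # IP Identification field when fragmented
    frag_offset: int = 0              # 0 for the first (or only) fragment


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: Tuple[int, ...] = ()      # empty = any port
    user_groups: Tuple[str, ...] = ()  # empty = any user

    def matches(self, p: Packet) -> bool:
        """All fields must match; 'any' or an empty tuple is a wildcard."""
        if self.src_zone != "any" and self.src_zone != p.src_zone:
            return False
        if self.dst_zone != "any" and self.dst_zone != p.dst_zone:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.user_groups and p.user_group not in self.user_groups:
            return False
        return True


class Firewall:
    def __init__(self, rules, default_action: str = "deny") -> None:
        self.rules = list(rules)
        self.default_action = default_action
        # (src, dst, ip_id) -> verdict of the first fragment
        self._frag_verdicts: Dict[tuple, Tuple[str, str]] = {}

    def decide(self, p: Packet) -> Tuple[str, str]:
        frag_key = (p.src, p.dst, p.frag_id)
        if p.frag_id is not None and p.frag_offset > 0:
            # Non-initial fragments carry no ports, so they cannot be matched
            # on their own: inherit the first fragment's verdict, or drop the
            # fragment if its head was never seen (the classic evasion case).
            return self._frag_verdicts.get(frag_key, ("deny", "orphan-fragment"))
        for rule in self.rules:          # first match wins
            if rule.matches(p):
                verdict = (rule.action, rule.name)
                break
        else:
            verdict = (self.default_action, "default-policy")
        if p.frag_id is not None:
            self._frag_verdicts[frag_key] = verdict
        return verdict


def build_demo_firewall() -> Firewall:
    """Constructed policy: anti-spoofing first, then two narrow allows."""
    return Firewall([
        Rule("deny-spoofed-rfc1918", "deny", src_zone="internet", src="10.0.0.0/8"),
        Rule("allow-staff-web", "allow", src_zone="internal", dst_zone="internet",
             proto="tcp", dports=(80, 443), user_groups=("staff",)),
        Rule("allow-public-https", "allow", src_zone="internet", dst_zone="dmz",
             dst="192.0.2.10/32", proto="tcp", dports=(443,)),
    ])


def run_demo() -> Dict[str, Tuple[str, str]]:
    fw = build_demo_firewall()
    return {
        "staff_https": fw.decide(Packet("internal", "internet", "10.1.1.20", "198.51.100.7", "tcp", 443, user_group="staff")),
        "guest_https": fw.decide(Packet("internal", "internet", "10.1.1.21", "198.51.100.7", "tcp", 443, user_group="guest")),
        "spoofed": fw.decide(Packet("internet", "dmz", "10.9.9.9", "192.0.2.10", "tcp", 443)),
        "public_https": fw.decide(Packet("internet", "dmz", "203.0.113.5", "192.0.2.10", "tcp", 443)),
        "frag_first": fw.decide(Packet("internet", "dmz", "203.0.113.5", "192.0.2.10", "tcp", 443, frag_id=7, frag_offset=0)),
        "frag_rest": fw.decide(Packet("internet", "dmz", "203.0.113.5", "192.0.2.10", "tcp", None, frag_id=7, frag_offset=1480)),
        "frag_orphan": fw.decide(Packet("internet", "dmz", "203.0.113.5", "192.0.2.10", "tcp", None, frag_id=99, frag_offset=1480)),
    }
```

The orphan-fragment case is the one to test during acceptance: a device that forwards trailing fragments whose first fragment it never saw can be made to pass traffic that the port-based rules would have dropped.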
It should be able to block instant messaging such as Yahoo, MSN, ICQ, Skype (SSL and HTTP tunnelled) etc
It should enable blocking of peer-to-peer applications such as Kazaa, Gnutella, BitTorrent, IRC (over HTTP/HTTPS) etc
The Firewall should support database related filtering and have support
for Oracle, MS-SQL, and SQL-Net etc
Should support CLI & GUI based access to the firewall modules
Solution should support granular user-, group- and machine-based visibility and policy enforcement etc
Should support basic attack protection features as listed below, but not limited to:
Maximum number of protections against attacks that exploit weaknesses in the TCP/IP protocol suite
It should enable rapid detection of network attacks
TCP reassembly for fragmented packet protection
SYN cookie protection, SYN flood, half-open connections and NULL packets etc
Protection against IP spoofing
Malformed packet protection
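The reconnaissance clause (IP address sweep, port scanning) and the SYN flood / half-open connection protections above are both conditions that can be checked against a stream of connection records. The block below is an added example written for this page, not from the RFP or any vendor: a sliding-window detector for vertical port scans, horizontal sweeps and half-open SYN floods, run over constructed flow records. Thresholds, the record format and all addresses are assumptions.

```python
# Added example (not from the RFP or any product): detect port scans,
# IP sweeps and SYN floods over connection records. The Flow format,
# thresholds and sample traffic are constructed for illustration.
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    t: float          # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "S" = client SYN seen, "A" = client's handshake ACK seen


class ReconDetector:
    def __init__(self, window: float = 10.0, scan_ports: int = 10,
                 sweep_hosts: int = 10, half_open: int = 50) -> None:
        self.window, self.scan_ports = window, scan_ports
        self.sweep_hosts, self.half_open = sweep_hosts, half_open
        self.syns: Dict[str, Deque[Tuple[float, str, int]]] = defaultdict(deque)
        self.pending: Dict[Tuple[str, int, str, int], float] = {}  # half-open handshakes
        self.alerts: List[Tuple[str, str, str]] = []               # (kind, target, detail)
        self._seen: Set[Tuple[str, str]] = set()

    def _alert(self, kind: str, target: str, detail: str) -> None:
        if (kind, target) not in self._seen:        # report each condition once
            self._seen.add((kind, target))
            self.alerts.append((kind, target, detail))

    def observe(self, f: Flow) -> None:
        key = (f.src, f.sport, f.dst, f.dport)
        if f.flags == "S":
            self.pending[key] = f.t
            q = self.syns[f.src]
            q.append((f.t, f.dst, f.dport))
            while q and q[0][0] < f.t - self.window:   # slide the window
                q.popleft()
            ports = {p for _, d, p in q if d == f.dst}       # vertical scan
            hosts = {d for _, d, p in q if p == f.dport}     # horizontal sweep
            if len(ports) >= self.scan_ports:
                self._alert("port-scan", f.src, f"{f.src} probed {len(ports)} ports on {f.dst}")
            if len(hosts) >= self.sweep_hosts:
                self._alert("ip-sweep", f.src, f"{f.src} probed port {f.dport} on {len(hosts)} hosts")
        elif f.flags == "A":
            self.pending.pop(key, None)                     # handshake completed
        # Half-open accounting: expire stale entries, then count per destination
        for k, t0 in list(self.pending.items()):
            if t0 < f.t - self.window:
                del self.pending[k]
        per_dst = Counter(k[2] for k in self.pending)
        if per_dst[f.dst] >= self.half_open:
            self._alert("syn-flood", f.dst, f"{per_dst[f.dst]} half-open connections to {f.dst}")


def run_demo() -> Dict[str, object]:
    """Constructed traffic: a scan, a sweep and a flood, then a clean client."""
    det = ReconDetector()
    flows: List[Flow] = []
    # one source probing 12 ports on one host
    flows += [Flow(1.0 + i * 0.1, "203.0.113.9", 40000 + i, "192.0.2.10", 20 + i, "S") for i in range(12)]
    # the same source probing port 22 across 12 hosts
    flows += [Flow(3.0 + i * 0.1, "203.0.113.9", 41000 + i, f"192.0.2.{i + 1}", 22, "S") for i in range(12)]
    # many sources sending SYNs to 192.0.2.10:80 that never complete
    flows += [Flow(5.0 + i * 0.01, f"198.51.100.{i % 20}", 50000 + i, "192.0.2.10", 80, "S") for i in range(60)]
    for f in flows:
        det.observe(f)
    attack_kinds = sorted({kind for kind, _, _ in det.alerts})
    # a normal client on a fresh detector: SYN, then the handshake ACK
    clean = ReconDetector()
    clean.observe(Flow(20.0, "10.1.1.5", 5000, "192.0.2.10", 443, "S"))
    clean.observe(Flow(20.01, "10.1.1.5", 5000, "192.0.2.10", 443, "A"))
    return {"attack_kinds": attack_kinds, "legit_alerts": clean.alerts,
            "half_open": len(clean.pending)}


if __name__ == "__main__":
    print(run_demo())
```

On a real appliance the same counters come from the session table; the test case worth scripting at acceptance is the flood, because a device that counts sessions only after the handshake completes will never see the half-open backlog.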
IPS Feature Requirements
Intrusion detection and prevention systems (IDPS) should monitor network and/or system activities for malicious activity, identify it, log information about it, attempt to block/stop it, and report it
It should be possible to deploy the product as an Intrusion Detection System (which logs and alerts on suspected attacks) and/or as an Intrusion Prevention System located in-line, which drops suspicious packets.
It should perform deep packet inspection up to layer-7 and take desired
action based on findings
Clause nos. E4, E5, E5.1, E5.2, E6 to E24 (clause-number column of the table; the corresponding requirement text follows)
Advanced detection techniques with stateful application & Protocol
intelligence
IPS should capture (but not limited to) the following important parameters about an attack:
Identifying network characteristics (source and destination IP addresses, source and destination ports, protocols etc)
Raw data packets; the raw packet data should be convertible into a format compatible with the most popular sniffers, such as Wireshark, for forensics.
A wide range of response options, from logging and raising alarms to blocking traffic, should be supported.
System should have the capability to turn protections on or off as and when required.
The IPS should be constantly updated with new defences against
emerging threats.
IPS updates should have an option of Automatic downloads and
scheduled updates so that it can be scheduled for specific days and time
Should have the flexibility to define whether newly downloaded protections are set in Detect or Prevent mode
Solution should provide details of the performance impact of signatures along with the vulnerability severity, and should have options on new signatures for avoiding false positives
The product should have signature based as well as anomaly based
analysis and prevention facility
The IPS should provide easy updating of signatures to remain current
with latest attacks prevention
IPS engine should support vulnerability and exploit signatures, protocol validation, anomaly detection, behaviour-based detection, multi-element correlation etc
IPS processes should be hardened so as to be resistant to attacks, including DoS/DDoS attacks and advanced attacks that emerge from time to time.
Product should offer features that make it resistant to failure due to advanced attacks and emerging threat modes
IPS should have resistance to evasion and protection from anti-NIPS techniques
IPS Profile should have an option to select or re-select specific
signatures that can be deactivated
Intrusion Prevention should have an option to add exceptions for networks and services
IPS should have geo-protection functionality to block traffic by country and by direction
IPS event/protection exclusion rules can be created, and packet data can be viewed directly from log entries as raw packets and, if required, sent to Wireshark for analysis
Application intelligence should have controls for instant messengers, peer-to-peer, malware traffic etc
NIPS should provide options to block file transfer, audio and video over instant messengers, as well as facilities like application sharing and remote assistance etc
IPS should have an option to create your own signatures with an open
signature language
Detailed IPS Logs to be provided post detection of attacks. The logs
should have the attack Name, the Severity, Industry Reference,
Confidence Level etc
Clause nos. E25 to E37, F, F1, F2, F5, F5.2, F6, F7 (clause-number column of the table; the corresponding requirement text follows)
Advanced capabilities that detect and prevent attacks launched against
the Web infrastructure
Malicious code protector for buffer overflow, heap overflow and other malicious executable code attacks that target web servers and other applications, without the need for signatures
Monitor all communication for potential executable code, confirm the presence of executable code and identify whether the executable code is malicious
Application-layer protections for cross-site scripting, LDAP injection, SQL injection, command injection, directory traversal, OWASP (Open Web Application Security Project) listed attacks etc
Spoofing attacks and directory listing should be prevented, and error concealment (hiding server error details from clients) should be supported etc
NIPS should support HTTP Protocol Inspections for HTTP format size
enforcement, ASCII-only request enforcement, ASCII-only response
header enforcement, header rejection definitions, HTTP method
definitions etc
Solution Should provide infrastructure and ways to test new
signatures/version update/OS update in SBI environment before
deploying the same in to prevention mode etc
Enforcements options with Active, Monitor-only, Disabled etc
The IPS should be able to monitor all of the major TCP/IP protocols, including IP, Internet Control Message Protocol (ICMP), TCP and User Datagram Protocol (UDP), and detect the latest attacks, including (not limited to) port scanning, unusual packet fragmentation, SYN
The IPS should be able to inspect SSL, HTTPS, SFTP, SSH etc traffic
Should have support for frequently analysed network-layer protocols such as IPv4, IPv6, ICMP (Internet Control Message Protocol) etc
Solution should send notifications on a real-time basis in the form of session packet log, session summary, e-mail, SNMP and any other configurable mode etc
IPS should be capable of detecting reconnaissance attempts before the target is victimised
Administration, Management and Logging Functionality Feature
Requirements
The bidder must propose two management devices for real-time monitoring, management and log collection to manage these firewalls. All the logs should be retained on both management devices; if the primary management device fails, the complete logs should be available on the secondary management device
A centralized monitoring and management system with multiple
administrators who have administrative rights based on their roles,
should provide Audit Trail of the Changes etc
Solution should be able to support large scale WAN deployment with
following important Criteria for Real-Time Monitoring, Management &
Log Collection etc
To ensure business continuity all the solutions/hardware proposed
should be in HA
Any changes or commands issued by an authenticated user should be
logged to a database of the management system
Firewall Management system should also provide the real time health
status of all the firewall modules on the dashboard for CPU & memory
utilization, state table, total number of concurrent connections and the
connections/second counter etc
Clause nos. F8 to F16, F17, F17.1 to F17.3, F18, F19, F20, F20.1, F20.2, F21, F21.1 to F21.3, F22 to F24, G, G1, G2 (clause-number column of the table; the corresponding requirement text follows)
It should support SNMP (Simple Network Management Protocol) v2c and v3 and NTP v4, with all new versions of present and future releases
Firewall must send mail or SNMP traps to Network Management
Servers (NMS) in response to system failures or threshold violations of
the health attributes.
Firewall should support the user based logging. Log levels must be
configurable based on severity
Not applicable
The firewall must provide simplified provisioning for the addition of new firewalls, whereby a standard firewall policy can be pushed to the new firewall
The Firewall administration station must provide a means for exporting
the firewall rules set and configuration
Support for role based administration of firewall
The Firewall administration software must provide a means of viewing,
filtering and managing the log data
The Firewall logs must contain information about the firewall policy rule
that triggered the log
Centralized Security Management should include for all the proposed
security controls but not limited to:
Real Time Security Monitoring
Logging
Reporting functions
The solution must provide a minimum basic statistics about the health
of the firewall and the amount of traffic traversing the firewall
Solution should support for configuration rollback
Solution should support Real time traffic statistics & Historical report with
Attacks and threat reports, etc.
Customized reports in HTML and CSV format etc
Solution audit trail should contain at a minimum:
The name of the administrator making the change
The change made
Time of the change
Management system should provide detailed Event analysis for Firewall
and IPS and also should provide Syslog output to integrate with other
major SIEM tools and specifically should support RSA SIEM tool current
and future versions
Solution should support for real time analysis of all traffic the firewall
may encounter (all possible SOURCE, DEST, SERVICE, including
groups) etc
Provide geographic distribution of data collection from devices,
processed locally, compressed and then transferred to the central
manager
Licensing Requirements
Solution should have enterprise license without any restrictions. If
during the contract, solution is not performing as per specifications in
this RFP, bidder has to upgrade/enhance the devices or place additional
devices and reconfigure the system without any cost to bank
Solution and its various components like Firewall, IPS, VPN etc should
not have any licensing restriction on number of users, concurrent
connections, total connections, new connections, number of vlan,
zones, number of policies, number of appliances, other network
parameters, number of equipments / servers etc
Clause nos. G3, G4, H1, H2, H3, H3.1 to H3.4, H4, I1 to I5 (clause-number column of the table; the G3 and G4 text follows, and the H and I clauses are those under URL FILTERING and Advanced Malware Protection below)
G3. The offered product part codes have to be General Availability part codes and not custom-built part codes for SBI. There should be a cross-reference to the public website of the OEM
G4. Any third-party product required to achieve the functionality should be provided with the necessary enterprise version license of the software/appliance, and the necessary hardware, database and other relevant software or hardware etc should be provided with the s
URL FILTERING
H1. The proposed system should have an integrated web content filtering system without any external solution, device or hardware module.
H2. The proposed solution should be able to enable or disable web filtering per policy or based on firewall-authenticated users or groups, for both HTTP and HTTPS traffic
H3. The proposed system shall provide the following web content filtering features:
H3.1 Blocking of web plug-ins such as ActiveX, Java applets and cookies
H3.2 Web URL block
H3.3 Score-based web keyword block
H3.4 Web exempt list
H4. The proposed system shall be able to query a real-time database of over 110 million rated websites categorised into 70+ unique content categories.
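The four filtering features above, the per-user/group enable/disable and the category database are all decisions that have to be made in a fixed order for the same request, and the order matters (an exempt list that is consulted after the block list does not exempt anything). The following is an added example for this page, not the bidder's, any vendor's or SBI's code: a small web filter that applies the exempt list, the URL block list, the category lookup and the keyword score in that order, with filtering switched off for a named group. The hostnames, lists, scores, threshold and page text are all constructed.

```python
# Added example (not from the RFP or any product): decision order for the
# web-filtering features listed above. Hosts, lists, categories, keyword
# scores, the threshold and the sample pages are constructed.
import re
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit


class WebFilter:
    def __init__(self, exempt_hosts: Iterable[str], blocked_urls: Iterable[str],
                 categories: Dict[str, str], blocked_categories: Iterable[str],
                 keyword_scores: Dict[str, int], score_threshold: int,
                 unfiltered_groups: Iterable[str] = ()) -> None:
        self.exempt_hosts = tuple(h.lower() for h in exempt_hosts)
        self.blocked_urls = tuple(u.lower() for u in blocked_urls)
        self.categories = {h.lower(): c for h, c in categories.items()}
        self.blocked_categories = set(blocked_categories)
        self.keyword_scores = {k.lower(): v for k, v in keyword_scores.items()}
        self.score_threshold = score_threshold
        self.unfiltered_groups = set(unfiltered_groups)

    @staticmethod
    def _host_matches(host: str, pattern: str) -> bool:
        return host == pattern or host.endswith("." + pattern)

    def _category(self, host: str) -> str:
        """Walk up the domain so www.casino.example inherits casino.example."""
        parts = host.split(".")
        for i in range(len(parts)):
            cat = self.categories.get(".".join(parts[i:]))
            if cat:
                return cat
        return "uncategorised"

    def keyword_score(self, page_text: str) -> int:
        tokens = re.findall(r"[a-z0-9]+", page_text.lower())
        return sum(self.keyword_scores.get(t, 0) for t in tokens)

    def classify(self, url: str, page_text: str = "", user_group: str = "") -> Tuple[str, str]:
        # 0. per-group enable/disable (H2)
        if user_group in self.unfiltered_groups:
            return "allow", "filtering-disabled-for-group"
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # 1. exempt list first (H3.4), so it overrides every block below
        if any(self._host_matches(host, e) for e in self.exempt_hosts):
            return "allow", "exempt-list"
        # 2. explicit URL block list (H3.2), prefix match on host + path
        target = host + (parts.path or "/")
        if any(target.startswith(b) for b in self.blocked_urls):
            return "block", "url-block-list"
        # 3. category database (H4)
        cat = self._category(host)
        if cat in self.blocked_categories:
            return "block", f"category:{cat}"
        # 4. score-based keyword block on the page body (H3.3)
        score = self.keyword_score(page_text)
        if score >= self.score_threshold:
            return "block", f"keyword-score:{score}"
        return "allow", f"category:{cat}"


def build_demo_filter() -> WebFilter:
    return WebFilter(
        exempt_hosts=["intranet.bank.example"],
        blocked_urls=["badsite.example/downloads/"],
        categories={"casino.example": "gambling", "news.example": "news"},
        blocked_categories={"gambling", "malware"},
        keyword_scores={"poker": 3, "bet": 2, "casino": 3, "jackpot": 3},
        score_threshold=6,
        unfiltered_groups={"security-team"},
    )


def run_demo() -> Dict[str, Tuple[str, str]]:
    f = build_demo_filter()
    promo = "Free poker chips, bet now and win big at our casino"   # constructed page
    return {
        "intranet": f.classify("https://reports.intranet.bank.example/q1"),
        "blocked_url": f.classify("http://badsite.example/downloads/tool.exe"),
        "category": f.classify("https://www.casino.example/"),
        "keywords": f.classify("http://blog.example/post", promo),
        "clean": f.classify("https://news.example/markets", "Quarterly results and branch opening hours"),
        "analyst": f.classify("http://badsite.example/downloads/tool.exe", user_group="security-team"),
    }
```

For HTTPS traffic only the hostname (from the TLS SNI or the server certificate) is visible without TLS interception, so steps 1 to 3 work on encrypted sessions but the path match in step 2 and the keyword score in step 4 need the decryption that the H2 "HTTP & HTTPS" wording implies.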
Advanced Malware Protection
I1. Solution should be capable of blocking callbacks to CnC servers
I2. Solution should be capable of blocking threats based on both signatures and behaviour
I3. Detection rules should be based on an extensible, open language that enables users to create their own rules, as well as to customise any vendor-provided rules.
I4. The solution should be capable of analysing and blocking TCP and UDP protocols to identify attacks and malware communications. At a minimum, the following protocols should be supported for real-time inspection, blocking and control of downloaded files: HTTP, SMTP, POP3, IMAP, NetBIOS-SSN and FTP.
I5. The solution should be capable of executing MS Office documents, portable documents, archive files, multimedia files and executable binaries in a virtual sandbox environment
I6. The solution should be capable of gathering Active Directory user identity information, mapping IP addresses to usernames and passively gathering information about network devices, including but not limited to:
● Operating system vendor
● Operating system version
● Network protocols used, e.g. IPv6, IPv4
● Network services provided, e.g. HTTPS, SSH
● Open ports, e.g. TCP:80
● Client applications installed and type, e.g. Chrome - web browser
● Web applications accessed, e.g. Facebook, Gmail
● Risk and relevance ratings should be available for all applications
● Potential vulnerabilities
● Current user
● Device type, e.g. bridge, mobile device
● Files transferred by this device / user
I7. The solution should be capable of whitelisting trusted applications from inspection (rather than an entire segment), so that business applications and, in turn, productivity are not affected
I8. The solution should be capable of blocking traffic based on geo-location, to reduce the attack surface and to prevent communication with unwanted destinations based on geography
I9. The solution shall be able to detect attacks on 64-bit operating systems
I10. The proposed solution must detect, control access to and inspect for malware at least the following file types: Microsoft Office files, executables, multimedia, compressed documents, Windows dump files, PDF, jarpack, InstallShield.
I11. The solution should allow real-time detection and prevention of attacks in the following applications: Microsoft Internet Explorer, Mozilla Firefox, Chrome, Adobe Acrobat Reader, Adobe Acrobat, Microsoft Silverlight, Sun Java, RealPlayer, Microsoft Office and Apple QuickTime.
I12. The proposed solution must be able to analyse malware in real time using hybrid analysis capabilities, applying various analysis and control strategies, including simultaneously local, remote or hybrid execution technology, for the determination of advanced malware.
I13. The Advanced Malware Protection should support retrospective alerts, so that if a file later turns out to be malicious, it raises an alert and immediately blocks it from traversing the network
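The retrospective requirement in I13 only works if the device keeps a record of every file it let through while a sandbox verdict (I5, I12) was still pending, keyed by file hash, and replays that record when the verdict changes. The block below is an added example written for this page, not from the RFP or any vendor's product, showing that bookkeeping: in-line decisions at transfer time, a verdict that arrives later, one alert per earlier delivery, and blocking of the next transfer of the same file. The hash, hosts, timestamps and filenames are constructed.

```python
# Added example (not from the RFP or any product): retrospective alerting
# on a file that is classified malicious after it was already delivered.
# Hashes, hosts, timestamps and filenames are constructed.
import hashlib
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Transfer(NamedTuple):
    t: float
    sha256: str
    src: str
    dst: str
    proto: str       # e.g. "http", "smtp"
    filename: str


class FileReputation:
    def __init__(self) -> None:
        self.verdicts: Dict[str, str] = {}                        # sha256 -> "clean" | "malicious"
        self.deliveries: Dict[str, List[Transfer]] = defaultdict(list)
        self.quarantined: Set[str] = set()                        # hosts that received malware

    def observe(self, tr: Transfer) -> str:
        """In-line decision: block known-bad; otherwise allow and keep the record."""
        self.deliveries[tr.sha256].append(tr)
        if self.verdicts.get(tr.sha256) == "malicious":
            return "block"
        return "allow"        # unknown files pass while sandbox analysis runs

    def update_verdict(self, sha256: str, verdict: str) -> List[Tuple[str, str, str, float]]:
        """A sandbox/cloud verdict arrives later: alert once per earlier delivery."""
        previous = self.verdicts.get(sha256)
        self.verdicts[sha256] = verdict
        alerts: List[Tuple[str, str, str, float]] = []
        if verdict == "malicious" and previous != "malicious":
            for tr in self.deliveries[sha256]:
                alerts.append(("retrospective", tr.dst, tr.filename, tr.t))
                self.quarantined.add(tr.dst)      # candidate for host isolation
        return alerts


def run_demo() -> Dict[str, object]:
    rep = FileReputation()
    h = hashlib.sha256(b"constructed sample payload").hexdigest()   # constructed hash
    first = rep.observe(Transfer(100.0, h, "203.0.113.7", "10.1.1.20", "http", "invoice.pdf"))
    second = rep.observe(Transfer(130.0, h, "mail.example", "10.1.1.31", "smtp", "invoice.pdf"))
    alerts = rep.update_verdict(h, "malicious")     # sandbox finishes a few minutes later
    third = rep.observe(Transfer(400.0, h, "203.0.113.7", "10.1.1.42", "http", "invoice.pdf"))
    return {"initial": (first, second), "alerts": alerts, "after_verdict": third,
            "quarantined": sorted(rep.quarantined)}


if __name__ == "__main__":
    print(run_demo())
```

The acceptance test that follows from I13 is the same sequence: deliver a benign-looking sample to two hosts, let the sandbox verdict flip, and confirm that both earlier deliveries are reported and that the third copy is stopped in-line.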
Distribution switches :
Switch must have 12 nos. of 1/10 GE SFP+ based interfaces and 4 nos. of 10 GE
SFP+ based uplink dedicated ports populated with 12 nos. of long range optics and 4
nos. of long range 10G optics respectively .
Switch should support switching capacity of 320 Gbps
Access (edge) switches:
Switch must have at least 24 nos. of multispeed 10/100/1000 Ethernet Copper
interfaces and 2 nos. of 10 GE SFP+ based uplink dedicated ports. Each of the switch
must be populated with 2 nos. of long range 10G optics.
Date of submission of Technical Bid: By 12.00 Noon on 17.07.2017, and opening of Technical Bid: 1500 hrs on 17.07.2017
Date of Reverse Auction: Starts at 11.30 am on 20.07.2017
---------------------------------------------XXXXX---------------------------------------------------------------