Modernizing IT Infrastructure - Phase 1: ITSD


MODERNIZING IT INFRASTRUCTURE – PHASE 1

Hyperconverged Infrastructure (HCI) is a software-defined, unified system that combines all the elements of a traditional data center using commodity hardware. It includes a hypervisor for virtualized computing, software-defined storage, virtualized networking, and management. Eight nodes will be clustered together to create pools of shared compute and storage resources, serving as the platform of the COMPANY private cloud.

Next Generation Firewall (NGFW) protects the COMPANY private cloud from remote attacks by cybercriminals by actively seeking out and blocking external threats in real time, covering both known and unknown vulnerabilities. It has SD-WAN functionality to ensure that COMPANY's geographically dispersed users have fast, secure access to applications running in the cloud and in the COMPANY data center using redundant, cheaper Internet-based connectivity.

Cloud-Based Security includes Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions. It augments the NGFW to provide the entire security stack that securely connects COMPANY users to the public internet and to COMPANY corporate applications, regardless of device, location, or network. This will help enable COMPANY to embrace Cloud Computing in compliance with the Cloud First Policy and the Data Privacy Act.

Advanced Web Application Firewall (WAF) provides advanced security to detect and block sophisticated web-based attacks by enforcing security policies at the application level. This is needed to protect COMPANY web-based services such as the COMPANY Corporate Website, MAP, HRS, and CAS.

IT Equipment such as Ethernet Switches and Access Points (AP) will be deployed to upgrade our Local Area Network (LAN) in the Head Office, Satellite Office, and a selected branch. Wi-Fi 6 APs are chosen for their capability to serve multiple clients at the same time.
HYPERCONVERGED INFRASTRUCTURE (HCI)

1.0 HCI Nodes

1.1 Quantity
• Supply, delivery, and installation of eight (8) nodes of a pre-configured, pre-tested, and pre-validated hyperconverged infrastructure system at the COMPANY co-location site.

1.2 Minimum Hardware Requirements
• Form factor shall not exceed 2RU per node.
• Shall come with two (2) Intel® Xeon Gold 6246R 3.4GHz 16C/32T Processors or the latest transition model.
• Shall come with two (2) M.2 240G SSDs.
• Shall come with four (4) 2.5" SAS 12Gbps 1.6TB Write-Intensive SSDs and twenty (20) 2.5" SAS 12Gbps 2.4TB 10K-RPM HDDs.
• Shall come with twenty-four (24) 32GB 2666MT/s DDR4 RDIMMs.
• Shall come with two (2) dual-port 25GbE Network Interface Cards.

1.3 General Requirement
• The proposed HCI solution shall be a converged compute and storage, scale-out architecture.
• Shall support automated non-disruptive upgrades, patches, node additions or retirement to ensure the integrated infrastructure is in a continuously validated state. It must have full-stack lifecycle management, ensuring administrators can seamlessly upgrade and update their infrastructure without workload disruption.

ITSD | Page 1 of 38

• Shall support different models of nodes when expanding the cluster.
• Shall enable customers to mix node configurations in a single cluster.
• Shall support cluster auto-remediation.
• Shall support storage thin provisioning.
• Shall support per-VM snapshots and replication.
• Shall support synchronous and asynchronous replication with as low as ZERO second Recovery Point Objective (RPO).
• Shall support a continuous data protection solution to recover data from logical errors and data corruption.
• Shall have the capability to orchestrate disaster recovery workflows for failover and failback.
• Shall support native Block Services via iSCSI.
• Shall support moving data from the hyperconverged cluster to public clouds such as Amazon Web Services (AWS) and Azure.
• Shall come with management software providing a single pane of glass regardless of solution size.
• Shall have health checks, resource utilization, and consumption forecasting. It shall include cloud-based multi-cluster centralized data collection and analytics management using machine learning and AI, providing actionable insights to optimize infrastructure performance and improve serviceability.
• Shall support MS Hyper-V (2012 R2 and 2019) or VMware vSphere.
• Shall have an integrated or native hypervisor.
• Shall support data-at-rest and data-in-transit encryption.
• Shall support file services supporting SMB and NFS protocols.
• Shall have a single point of global contact available 24x7 for both hardware and software support.
• Shall support call-home remote support.
• Shall have a license valid for at least Five (5) Years.
• The proposed HCI system must be in the Leader category of the Forrester Wave: Hyperconverged Infrastructure evaluation, Q3 2020 or later.
• The Bidder must be a Certified Partner for both the HCI Software and Hardware components of the proposed solution.

1.4 Warranty and Support
• The Bidder and the Manufacturer shall include and provide Five (5) Years Warranty and 24x7 Professional Support with 4 Hours Onsite Service including hardware (repair, replacement, and/or upgrade), software support updates, firmware updates, configuration, reconfiguration, troubleshooting, and other advanced services for the proposed HCI system.
2.0 HCI Ethernet Switch

2.1 Quantity
• Supply, delivery and installation of Two (2) units of 24-port Ethernet switches at the COMPANY co-location site.

2.2 Form Factor
• 1RU form factor.
• Each switch shall come with:
  o One (1) QSFP28 to QSFP28 100GbE One (1) Meter Direct Attach Copper Cable.
  o Two (2) QSFP28 SR 100GbE fiber transceiver modules.
  o Two (2) SFP 1GbE-T copper RJ45 transceiver modules.
  o Six (6) SFP28 SR 25GbE fiber transceiver modules.
  o Sixteen (16) SFP28 to SFP28 25GbE Three (3) Meter Direct Attach Copper Cables.
  o Two (2) SFP 1GbE-T copper RJ45 transceiver modules.

2.3 Minimum Capacity & Performance
• Shall support at least four (4) 100GbE ports.
• Shall support at least twenty-four (24) 25GbE ports.
• Minimum Switching Fabric Capacity of 2Tbps full duplex.
• Minimum Throughput Capacity of 950Mpps.
• Shall have advanced features: SSHv2, TACACS, SNMP v1/v2c, OSPFv2 and OSPFv3.
• Shall support sFlow.
• Switch must support line-rate throughput for each port.
• Not more than 900 nanoseconds switching latency.
• Packet buffer memory shall be at least 32MB.

2.4 Layer 2 Switching
• Support port-based (IEEE 802.1Q) and frame extension for VLAN tagging (IEEE 802.3ac).
• Support IEEE 802.1X.
• Support IEEE 802.3ad Link Aggregation, with support for aggregation groups across switches in a stack.
• Support auto-negotiation of port speed and duplex.
• Support IEEE 802.3x full-duplex flow control.
• Support IEEE 802.1D Spanning Tree Protocol (STP).
• Support IEEE 802.1w Rapid Spanning Tree.
• Support IEEE 802.1t RPVST+.
• Support IEEE 802.1s Multiple Spanning Tree Protocol instances (MSTP).
• Support LLDP and LLDP-MED.

2.5 Layer 3 Switching
• Support Layer-2 and Layer-3 switching and routing protocols.
• Support OSPF (Open Shortest Path First), v2 and v3.
• Support DHCP Relay (Dynamic Host Configuration Protocol Server/Relay).
• Support TCP/IP protocol stack ARP with a minimum of 30,000 ARP entries.
• Support VRRP (Virtual Router Redundancy Protocol) v3.
• Support IPv4 and IPv6 routing.
• Support IGMP v1/v2/v3 and MLD v1/v2 snooping.

2.6 Quality of Service (QoS)
• Support ingress and egress queues.
• Support queuing algorithms.
• Support port-based QoS such as IEEE 802.1p, rate policing and rate shaping.
• Support policy-based QoS configuration such as DSCP and strict priority queue.

2.7 Switch Security
• Support network login with IEEE 802.1X user authentication.
• Support local authentication and RADIUS authentication.
• Support TACACS (Terminal Access Controller Access Control System) authentication.
• Support encrypted management traffic using SSH.

2.8 Management
• Support CLI (Command Line Interface) configuration mode.
• Support configuration via the console (control console) port.
• Support port mirroring.
• Support Syslog.
• Support Ping and Traceroute.
• Support Network Time Protocol (NTP) v4.

2.9 Power Supply
• Shall come with redundant hot-swappable AC power supplies.
• Input voltage: 100-240 VAC auto-ranging.
• Operating frequency: 50/60 Hz.

2.10 Warranty and Support
• The Bidder and the Manufacturer shall include and provide Five (5) Years Warranty and 24x7 Professional Support with 4 Hours Onsite Service including hardware (repair and replacement), firmware updates, configuration, reconfiguration, troubleshooting, and other advanced services for the proposed HCI Ethernet switches.
3.0 Management Switch

3.1 Quantity
• Supply, delivery and installation of One (1) unit Ethernet Switch.

3.2 Switch Features
• Shall come with Twenty-Four (24) 1GbE RJ45 ports and Two (2) 10GbE fiber ports with SFP+ transceivers.
• Line-rate performance capability using a non-blocking switching and routing architecture.
• Able to operate in an environment with up to 45°C temperature.
• Support Static, RIP, and OSPF Layer 3 routing protocols.
• Minimum Switching Capacity of 200 Gbps.
• Minimum Forwarding Capacity of 150 Mpps.
• Packet buffer memory of 4MB.
• Support RSTP and MSTP.
• Support SNMP v1/2/3 for monitoring.
• Power consumption shall not exceed 200 watts.

3.3 Management
• CLI, Telnet, and SSHv2.

3.4 Warranty and Support
• The Bidder and the Manufacturer shall include and provide Five (5) Years Warranty and 24x7 Professional Support with 4 Hours Onsite Service including hardware (repair and replacement), firmware updates, configuration, reconfiguration, troubleshooting, and other advanced services for the proposed Management Ethernet switch.

4.0 HCI Full Height Rack

4.1 Quantity
• Supply, delivery and installation of One (1) unit Full Height Server Rack, 600mm x 1070mm, at the COMPANY Primary Site.

4.2 Form Factor
• 42U Rack Height with 230V Fan Kit.
• Shall be EIA-310-D and RoHS compliant.
• Shall come with two (2) Metered Vertical Power Distribution Units, 230V 32A, with attached cords.
• Shall come with sixteen (16) sets of C13 to C14 power cords.

4.3 KVM
• Minimum of 16-port Digital KVM Switch.
• Able to accommodate at least 1 local and 1 remote user.
• Mounting kits and sixteen (16) server cable sets.
• Minimum of 19" wide monitor.
• English keyboard with touchpad.

4.4 Warranty and Support
• The Bidder shall include and provide Five (5) Years Warranty and Professional Support with 4 Hours Onsite Service including hardware replacement and other services for the proposed Rack and its components.
IT SECURITY

1.0 Cloud-Based Secure Web Gateway (SWG)

1.1 Subscription Period and Support
• Shall come with licenses capable of supporting a minimum of 1800 users.
• Shall come with at least One (1) Year subscription period subject to renewal upon satisfactory service delivery of the provider.
• The bidder shall provide One (1) Year Professional Support with 4 Hours Onsite Service including configuration, reconfiguration, troubleshooting, and other services for the proposed Cloud-Based SWG.

1.2 Security
• The solution shall have multiple Anti-Malware and Anti-Spyware engines to protect users against websites containing malicious code or malware.
  o Shall be able to scan and block malware in rar, zip and 7zip archives.
  o Shall support scanning files that have been archived by more than 3 layers to detect and block malware.
• The solution must be capable of inspecting both inbound and outbound traffic through the solution (for SSL as well as non-SSL traffic) without noticeable performance degradation with full content inspection enabled.
• The solution shall perform sandbox analysis (execution) of binaries to detect true Zero Day attacks. Please describe the capabilities of your solution in defending against APTs (for SSL as well as non-SSL traffic). How does the proposed solution protect, detect, and contain attacks?
• The sandbox solution shall have the ability to hold file delivery until the analysis of the file is completed.
• The sandbox solution shall be able to provide a detailed post-analysis report.
• The supported file types for the sandbox functionality shall include:
  o Archive
    - 7-Zip
    - Bzip2
    - Tar
    - RAR
    - ZIP
    - ZIP with Suspicious Script File
  o Executable
    - Windows Executables
    - Windows Library
  o Microsoft Office
    - Microsoft Word
    - Microsoft Excel
    - Microsoft PowerPoint
    - Microsoft RTF
  o Mobile
    - Android Application Package
  o Web Content
    - Adobe Flash
    - Java Applet
  o Other
    - Adobe PDF
• The solution shall be capable of detecting Cross Site Scripting (XSS) attacks, a common attack class.
  o Explain how, and what measures minimize false positives.
  o Describe how malicious scripts (i.e. malicious JavaScript) are blocked.
  o The solution must detect and block outbound Botnet and Trojan malware communications from infected systems. The system must log and provide detailed information on the originating system sufficient to enable identification of infected units for mitigation, based on known IP addresses, known domains, and known data patterns from unknown IP addresses and domains. This feature must be available to both web and non-web traffic.
• The solution must detect and block known and unknown fraudulent/phishing applications.
• The solution must be capable of providing DNS security.
  o The solution shall be able to create granular rules to detect and control DNS tunnel traffic.
  o The solution shall provide DNS logs including details of user, client IP, server IP, domain category, resolved IP, request type and error code.
  o The solution shall support creation of policy based on DNS category for access control. DNS categories shall include but not be limited to adult, pornography, webmail, online file sharing, instant messaging, malicious content, DNS over HTTPS, phishing, and botnet.
• Through additional subscription, the solution shall have browser isolation capability to isolate users from downloading and uploading data to and from the internet by loading the accessed web page on an isolated remote browser.
  o The browser isolation feature shall be managed from the management portal, to reduce maintenance overhead.
  o The browser isolation feature shall be developed and maintained by the same manufacturer, to maximize compatibility with other security features.
• The solution shall have integrated cloud-based next-generation firewall capabilities that allow granular control over outbound TCP, UDP, and ICMP traffic. The cloud-based next-generation firewall capabilities shall be managed from the same management portal to reduce management overhead.
  o The functionalities of the firewall capabilities shall be managed within a single integrated portal. This includes policy creation and the analytics view.
  o The capabilities of the cloud-based firewall shall allow secure SaaS and internet access with a full outbound layer 7 cloud firewall and IPS.
• The solution shall support the customer blocking local area network (LAN) traffic when client devices are used outside the office, to avoid potential data leakage or security threats from other devices on the same wireless or wired LAN (e.g. file uploading or downloading from local network-attached storage).
• The solution shall have an integration with Microsoft with regard to Office 365, resulting in seamless service adoption.
  o The solution shall provide an automated way to allow Office 365 traffic.
  o The solution shall provide the capability to only allow employees to access corporate Office 365 tenants.
  o Through additional subscription, the solution shall also support scanning data at rest in Office 365 based on customizable DLP dictionaries, to deny resharing of sensitive data to third parties from the cloud.
  o Through additional subscription, the solution shall also support malware scanning for data at rest in Office 365, to quarantine or remove malware and archived malware (including but not limited to rar, zip and 7zip file types) there.
• Through additional subscription, the solution shall also support API-based out-of-band data scanning for popular SaaS applications, including but not limited to Salesforce.com, ServiceNow, and GitHub.
• Through additional subscription, the solution shall support granular network DLP features.
  o The solution shall support predefined dictionaries, including but not limited to source code, credit card, and financial statement data.
  o The solution shall support structured data fingerprinting, so that the customer shall be able to create data hashes locally and upload them to the cloud for content scanning and blocking.
  o The DLP scanning and blocking mentioned above shall be available for all FTP, HTTP and HTTPS traffic between client devices and the Internet.
• The cloud solution must support full SSL Man-in-the-middle (MITM) inspection.
• The solution must allow SSL MITM inspection to be turned on or off only for specific URL lists or categories. The configuration must work for on-premise and mobile users.
• The cloud solution must support using our own organization's root certificate to sign MITM certificates.
• The solution must provide policies for controlling the types of files downloaded or uploaded, and the file type detection must be based on the true file type rather than the file extension.
• The cloud solution shall support granular Web 2.0 filtering features and shadow IT application control. For example, allow Gmail as read-only access for some contractors; for others, allow Gmail to send email but no PDF attachments.
• The solution must allow the organization to change the categorization of any URL into any pre-existing OR custom category. The change must take effect almost instantaneously.
• The cloud solution shall have more than 90 URL categories with grouping by business requirements.
• The cloud solution shall support customizable block pages with the ability to modify them.
• The cloud solution shall have the flexibility to define policy based on:
  o User
  o Group
  o Browser
  o File type
  o Time schedule
• The cloud solution shall have at least the following types of actions for a policy rule:
  o Allow
  o Block
  o Caution (Warn)
  o Redirect
  o Block with password override
• The cloud solution shall allow for a role-based administrative model based on different user groups, including but not limited to the following:
  o Full Administrative Access
  o Read-only Access
  o Report user Access
  o Obfuscated Usernames
• The cloud solution shall provide an audit trail to keep track of the authorized changes made by users and Administrators.
• The solution must provide a mechanism for prioritizing bandwidth for business-critical web/cloud applications such as M365/Salesforce over non-critical apps such as Facebook/YouTube.
• The cloud solution shall support endpoint agents fully compatible with:
  o Windows
  o Mac
  o iOS
  o Android
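Two of the requirements in section 1.2 describe inspection mechanics that a bidder would have to implement rather than merely assert: scanning files that are archived more than three layers deep, and classifying a file by its true content rather than its extension. The following is an added example, not code from this document or from any vendor, showing how a gateway-side scanner can do both for zip archives using only the Python standard library. The magic-number table, the `MAX_LAYERS` and `MAX_MEMBER_BYTES` thresholds, the `scan`/`true_type` function names and the constructed sample archive are all assumptions for illustration.

```python
"""Nested-archive scanner with true-file-type detection (added example).

Stand-alone, stdlib only. Descends into zip members up to MAX_LAYERS deep,
classifies every member by magic bytes, and fails closed (blocks) when an
archive is nested deeper than it is willing to unpack or a member exceeds a
size cap (a guard against decompression bombs). The sample archive at the
bottom is constructed inline; its "executable" is only an MZ header.
"""
from __future__ import annotations
import io
import zipfile
from dataclasses import dataclass

# Minimal magic-number table (leading bytes -> type label). Assumption: a
# production gateway carries a far larger signature set than this.
MAGIC = [
    (b"MZ", "windows-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"\x1f\x8b", "gzip"),
    (b"Rar!\x1a\x07", "rar"),
]
# Type implied by a file's extension (what the sender *claims* it is).
EXT_TYPE = {"exe": "windows-executable", "dll": "windows-executable",
            "zip": "zip", "pdf": "pdf", "gz": "gzip", "rar": "rar"}

MAX_LAYERS = 4                  # archive layers we unpack (requirement: > 3)
MAX_MEMBER_BYTES = 10_000_000   # per-member uncompressed size cap


def true_type(data: bytes) -> str:
    """Classify content by magic bytes; 'unknown' when nothing matches."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


@dataclass
class Finding:
    path: str      # member path through the nested archives
    depth: int     # number of archive layers above this member
    declared: str  # type implied by the extension
    actual: str    # type determined from content
    verdict: str   # "allow" or "block"
    reason: str


def scan(name: str, data: bytes, depth: int = 0) -> list[Finding]:
    """Recursively inspect `data`, descending into zip members up to MAX_LAYERS."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    declared = EXT_TYPE.get(ext, "unknown")
    actual = true_type(data)

    # Rule 1: executable content hiding behind a non-executable extension.
    if actual == "windows-executable" and declared != actual:
        return [Finding(name, depth, declared, actual, "block",
                        "executable content disguised by extension")]
    if actual != "zip":
        return [Finding(name, depth, declared, actual, "allow", "inspected")]

    # Rule 2: an archive nested deeper than MAX_LAYERS cannot be fully
    # inspected, so it is blocked rather than passed through unscanned.
    if depth >= MAX_LAYERS:
        return [Finding(name, depth, declared, actual, "block",
                        f"nesting exceeds {MAX_LAYERS} layers")]

    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member_path = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:   # declared uncompressed size
                findings.append(Finding(member_path, depth + 1, "unknown",
                                        "unknown", "block", "member exceeds size cap"))
                continue
            findings.extend(scan(member_path, zf.read(info.filename), depth + 1))
    return findings


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Construct a single-member zip in memory (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def sample_archive(layers: int) -> bytes:
    """Constructed sample: an MZ header named 'invoice.pdf' wrapped in `layers`
    zip archives. Inert bytes; only the magic prefix matters to the scanner."""
    blob = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"   # constructed, not a real binary
    name = "invoice.pdf"
    for i in range(layers):
        blob = build_zip(name, blob)
        name = f"layer{i + 1}.zip"
    return blob


if __name__ == "__main__":
    for layers in (4, 5):   # 4 layers is fully inspected; 5 trips the depth guard
        for f in scan("upload.zip", sample_archive(layers)):
            print(f"{f.verdict:5} depth={f.depth} {f.path}: "
                  f"{f.declared} vs {f.actual} ({f.reason})")
```

Run as a script, the four-layer sample is unpacked to the bottom and blocked because the member named `invoice.pdf` carries an executable header, while the five-layer sample is blocked at the fourth layer without ever being unpacked further. Treating "too deep to inspect" and "too large to inflate" as block decisions is the design choice worth copying: an inspection limit that silently allows what it cannot examine is a bypass, not a control.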
1.3 Architecture
• The solution must be capable of dynamically scaling to demand without advance notification to the vendor.
  o Must be capable of bringing a new location online of at least 50 Mbps without any special notification.
  o Please specify when the customer shall contact the vendor regarding new sites.
• The cloud-based service must have at least 99.999% service availability.
• The cloud solution shall provide per-transaction latency statistics from the log available in the management portal. Please describe the specific latency-related statistics provided by the service.
• The cloud solution shall provide latency-specific SLAs. Please describe the SLAs in place.
• The time to implement a policy change regardless of location shall be less than 1 minute.
• The solution must provide real-time updates of the status of all your cloud nodes:
  o This information shall be publicly available.
  o Any planned changes must be published.
  o There must be real-time alerts.
• The cloud solution shall support the latest versions of Internet browsers, including but not limited to the following:
  o Internet Explorer
  o Mozilla Firefox
  o Google Chrome
  o Safari
• The cloud solution shall have failover ability. In the event of a Data Centre failure, the cloud solution shall have the intelligence to divert users to the next nearest Data Centre.
• The cloud solution shall be scalable to accommodate more users. Describe how sudden capacity needs are accommodated by your solution.
• The cloud solution shall support multiple traffic-forwarding/ingestion options, including but not limited to:
  o Explicit proxy
  o GRE Tunnel
  o VPN
  o Software Agent
  o On-premise proxy chaining
  o Port Forwarding
  o MDM configuration push

1.4 Reporting & Logging
• The cloud solution shall have transaction log retention for all HTTP & HTTPS transactions. The minimum retention window shall be 6 months, with options to expand.
• The solution shall consolidate logs from different locations around the world and make them available for analysis in as close to real time as possible.
  o Real-time reporting data shall be available after not more than a 5-minute interval.
  o The interval starts counting from the point in time the user's web traffic is scanned through the Data Centre until the reporting data is available on the portal.
• The solution must be able to integrate with an enterprise SIEM in real time. Describe how logs from anywhere in the world would be sent to the SIEM.
• The solution must have protections in place to prevent a security agency from illegally tapping logs being sent on your backhaul network. Logs and reporting data must always be encrypted during transmission.
• The vendor must have precautions in place that ensure that log data is not available to any third party, including the vendor. Please describe the technologies and processes in place to ensure data privacy.
• The real-time and scheduled report types shall include but not be limited to the following:
  o Top 100 URL Category
  o Top 100 Users
  o Top Departments by Bandwidth
  o Top Locations by Bandwidth
  o Top URL Categories, Malware Types and Web Applications for any user.
• The real-time and scheduled reports shall include but not be limited to the following graphical presentations:
  o Pie chart
  o Bar chart
  o Table of detailed reports
  o Trend graphs
• The solution must have the ability to obfuscate usernames to protect individual identity. The names shall be decrypted only in the presence of an auditor who provides the authorization password (4-Eye Principle).

1.5 Authentication
• The cloud solution shall support, but not be limited to:
  o Active Directory (AD)
  o SAML 2.0
  o Secure LDAP
  o Cloud Database
  o Novell E-Directory
• The cloud solution shall support real-time directory queries.
• The solution must support direct AD/LDAP directory synchronization. Synchronizing AD/LDAP credentials to the cloud directly must be done securely.
• The solution must support authentication methods that are fully transparent to the user and integrate with ID Federation systems.
• The solution must cache credentials for a user to minimize the number of times a user has to go to the ID Provider. The frequency of the ID provider check must be configurable by the administrator as: Per Session, or Every X hours, or Every Y days.

1.7 Management and Maintenance
• From the management portal, each log line must contain information about all engines that were engaged, including but not limited to: Antivirus, Advanced Malware, Botnet detection, Browser/Plugin detection, User, Group, Department, Location, Web Application classification, and DLP classification.
• User identification and directory synchronization must be done only once and applied to all engines, including Malware detection for both inbound and outbound traffic, as well as Data Loss Prevention.
• It shall be possible to turn on any products offered by simply adding a subscription. No new hardware/agents shall be required. There must be no noticeable performance impact from additional features. Explain how this is achieved.

1.8 Compatibility and Membership
• The proposed SWG shall be compatible with the proposed Next Generation Firewall. A deployment guide shall be readily available and downloadable from the website of the proposed Cloud-based SWG solution.
• The proposed SWG shall be in the list of validated partner solutions for the Microsoft 365 Networking Partner Program.
• The solution supplier shall be a member of the Microsoft Active Protection Program (MAPP), so that they receive security vulnerability information from the Microsoft Security Response Center in advance of Microsoft's monthly security update, to provide zero-day protection for Microsoft Patch Tuesday vulnerabilities relating to Web & Internet traffic.
2 Cloud-Based Zero Trust Network Access (ZTNA)

2.1 Subscription Period and Support
• Shall come with licenses capable of supporting up to 500 users.
• Shall come with at least One (1) Year subscription period subject to renewal upon satisfactory service delivery of the provider.
• The bidder shall provide One (1) Year Professional Support with 4 Hours Onsite Service including configuration, reconfiguration, troubleshooting, and other services for the proposed ZTNA solution.

2.2 Architecture
• The solution shall be a cloud-based service, so that authenticated clients get access to private applications through cloud brokers provided by the solution provider.
• The solution must enable secure access to enterprise applications hosted in a private datacenter or hosted in a cloud, providing the same level of security in both cases.
• The solution shall be newly designed based on the Zero-Trust Architecture.
• The solution shall not require additional site-to-site VPN connections for connectivity across multiple private networks.
• The architecture needs to be highly available and provide at minimum 99.999% availability per year, backed by relevant SLA contracts.
• The solution shall require no administration of IP addresses, due to the assurance of zero IP address conflicts/problems, and shall not utilize client-issued IP addresses for routing within the established network.
• The cloud solution's architecture must be able to support global locations around the world.
• The solution shall provide granular application-level access, removing the network-level connectivity, which permits users to access approved applications on defined TCP/UDP ports, minimizing the attack surface.
• The solution shall use a proxy architecture. A Layer 4 reverse proxy shall be installed in customer data centers, so that clients request TCP- and UDP-based application access only through the reverse proxy, without landing on or connecting to private networks.
• The solution requires no inbound connectivity; therefore, firewalling is not necessary. In addition, the cloud solution provides application-level control, which is analogous to firewall processing.
• The solution shall not be a remote access virtual private network (VPN) or SSL VPN feature of a firewall appliance or firewall service, to follow the segregation of duties best practice.
• When there is more than one path available to connect to a specific private application, the solution shall automatically decide the best available path to maximize the user experience, and also provide automatic failover from the best path to the next best path.
• The solution shall allow the deployment of an on-premise virtualized instance of the cloud broker. The virtualized broker shall be managed and patched as part of the managed solution.

2.3 Application and Analytics Support
• The solution must support TCP- and UDP-based applications and not be limited only to web-based (http/https) applications.
• The solution shall provide application discovery across multiple DNS domains. Passive discovery without infrastructure probing is preferred. Please explain how applications are discovered.
• The solution must provide visibility via dashboards in a real-time per-user transaction view, and the ability to monitor the availability of the various components within the infrastructure service.
• The solution shall support log streaming to a private SIEM.

2.4 Authentication and Authorization
• The solution must support single sign-on features with, at minimum, a SAML 2.0-based IdP.
• The solution must support multiple identity providers simultaneously.
• The solution shall support integrating with third-party SAML solutions, including but not limited to Azure Active Directory, Okta and ADFS, for multi-factor authentication.
• The solution shall support user-to-group mapping updates through System for Cross-domain Identity Management (SCIM).

2.5 Data Privacy and Security
• The solution must prohibit MITM (man-in-the-middle) attacks. Please explain how your solution defends users from MITM (certificate pinning or other methods).
• The solution shall provide the possibility to secure end-to-end communication in case the connection is brokered by a transition point. Please explain how end-to-end security is achieved.
• The solution shall allow data encryption with customer-signed certificates from an enterprise PKI. Please explain how your solution increases the security of private applications.

Traffic Forwarding
• The solution shall support agent-based access and browser-based (agentless) access for web applications.
• When an agent is utilized, Windows, MacOS, iOS and Android platforms must be supported as a minimum, and a device posture check must be ensured before service can be enabled.
• The same endpoint agent shall also support sending traffic to the internet access security service (the proposed cloud-based SWG solution) to control all TCP & UDP traffic.

Policy Management
• The solution must provide identity-based policy access to applications.
• The solution shall provide role-based administration.
• The solution shall allow administrators to define different timeouts per private application or private application group, so that more sensitive applications or application groups are authenticated more frequently before access is granted.
• The solution must be able to implement and propagate policy changes across the whole Cloud infrastructure in under 1 minute.
3 Next Generation Firewall (NGFW)
3.1 Quantity  Supply, delivery, installation, and
configuration ofFour(4) units
NGFWphysical appliances and Two (2)
units NGFW virtual appliances.
 Two (2) units shall be deployed at the
Head Office
 Two (2) units shall be deployed at
COMPANY Co-located site.
 Two (2) units shall be deployed at Azure

ITSD | Page 17 of 38
Cloud.
3.2 General  The proposed solution shall come with
Requirements three (3) years security subscription
services.
 Shall support unlimited IP
addresses/Users license.
 Shall come with proprietary Operating
System.
 Shall attain Phase-2 IPv6 Ready Logo
Certification and successfully fulfilled all
requirements for IPv6 Phase-2 Core
Support as a router product.
 Shall be from a family of products that
are Azure Virtual WAN connectivity
partners.
 Shall be able to operate on either
Transparent (bridge) mode to minimize
interruption to existing network
infrastructure or NAT/Route mode. Both
modes can also be available
concurrently using Virtual firewalls.
 When running the unit in transparent
mode, the system shall be capable of
configuring firewall policies to translate
source or destinations addresses of
packets as they pass through the unit.
 Shall be able to support routing
protocols including RIP, OSPF and BGP
 Shall be able to operate as a Protocol
Independent Multicast (PIM) version 2
router.
 Shall support PIM sparse mode (RFC
4601) and PIM dense mode (RFC3973)
and can service multicast servers or
receivers on the network segment to
which an interface is connected.
3.3 Operating System and Management Requirements
 The proposed solution OS shall have the following specifications:
o Be proprietary to prevent inheriting common OS vulnerabilities
o Reside on flash disk for reliability over hard disk
o Upgradeable via Web UI or TFTP
 The configurations on the device shall:
o Be easily backed-up or restored
via GUI and CLI to/from local PC,
remote centralized management
or USB disk
o Provide CLI command
configuration file that is readable
by Windows Notepad
o Have option for encrypted
backup file
 Shall minimally provide management access through:
o GUI over HTTP or HTTPS, with a configurable administration service port (for example TCP port 8080)
o CLI console via the console port, SSHv2, Telnet or the GUI's dashboard
 The administrator authentication shall
be facilitated by local database, PKI
& remote services such as Radius,
LDAP and TACACS+
 Shall support profile-based login account administration, offering granular access control such as access only to Policy Configuration or Log Data.
 Shall be able to limit remote
management access from certain
trusted network or host with
corresponding administrator account
 Shall be able to facilitate administration
audits by logging detailed activities to
event log - management access and
configuration changes.
3.4 Head Office & Co-located Site Hardware Requirements
 The proposed appliances form factor shall not exceed Two (2) RU.
 Shall come with Active-Active HA licenses.
 Each appliance shall come with at least:
o Eight (8) 1GbE-T ports.
o Two (2) 100GbE fiber ports with QSFP28 transceivers.
 Shall be based on a dedicated ASIC-
based standalone appliance which
should include:
o Content Processor that
accelerates content scanning
activities such as flow-based
inspection for IPS and
Application Control, high
performance VPN bulk
processing, and key exchange
processing
o Network Processor that is used for acceleration of many key security functions including stateful packet header inspection, VPN encryption/decryption, protocol anomaly offloading, and quality of service enforcement. It should also provide acceleration for processing all packet sizes, which includes time-sensitive applications such as VoIP, real-time protocols, and multimedia applications.
 Shall come with hardware accelerated VXLAN technologies to enable scalable segmentation.
 Shall come with hardware accelerated
DDoS protection.
 Shall at least provide the following
system performance:
o IPS throughput of 20 Gbps.
o SSL Inspection of 20 Gbps
o SSL VPN throughput of at least
16 Gbps.
o Threat Protection/Prevention
(Firewall, IPS, App Control, and
Malware Protection enabled)
throughput of at least 16 Gbps.
o Concurrent TCP sessions of 24 Million.
o New TCP sessions per second of 1 Million.
o The device shall come with 10 virtual firewalls.
 Shall be able to provide the following
feature components:
o Firewall
o IPSEC & SSLVPN
o IPS
o Antivirus
o Application Control
o URL Filtering
o Antispam
o User Group settings
o Routing
o Logging & reporting
o Cloud-based central
management
o Cloud-based analytics and
reporting
o Cloud-based SD-WAN
Orchestrator
o Cloud-based SD-WAN
Monitoring
 Shall be able to operate under the
following conditions:
o Temperature from 0 to 40 degrees C
o Humidity from 10% to 90% non-
condensing
 Shall come with redundant AC power
supply unit.
3.5 Cloud Firewall Virtual Appliance Capacity Requirements
 Each of the proposed virtual firewall appliances shall have the following capacity specifications:
o Support up to Eight (8) virtual CPU.
o Support up to Twenty-Four (24)
virtual NIC.
o Support up to Two (2) TB
storage.
o Support unlimited RAM.
o Support high availability.
 Shall be able to provide the following
feature components:
o Firewall
o IPSEC & SSLVPN
o IPS
o Antivirus
o Application Control
o User Group settings
o Routing
o Logging & reporting
o Cloud-based central
management
o Cloud-based analytics and
reporting
o Cloud-based SD-WAN
Orchestrator
o Cloud-based SD-WAN
Monitoring
3.8 Firewall Requirements
 The next-generation firewall capability shall minimally attain Internet Computer Security Association (ICSA) AV Certification.
 The firewall policy table shall support
both IPv4 and IPv6 GUI configurations.
 The firewall policy table shall also allow display of filtered firewall policies based on selected objects.
 The firewall shall be able to handle VoIP
traffic securely.
 Shall be able to block, allow, or monitor only, using IPS, Application Control, or AV scanning, on a per-firewall-policy basis or based on firewall-authenticated user groups, with configurable selection of the following services:
o HTTP
o SMTP
o POP3
o IMAP
o NNTP
 Shall provide ability to allow, block and
intercept (allow but quarantine)
attachments or downloads according to
file extensions and/or file types,
including:
o Executables (.com, .exe, .elf)
o HTTP (.html, .hta)
o Java (.jad, .class, .cod, javascript)
o Microsoft Office
o Packer (.fsg, upx, petite, aspack)
o Windows Help file (.hlp)
o Activemime
o Batch File (.bat)
o Archive (.arj, .cab, .lzh, .rar, .tar, .zip, .bzip, .gzip, .bzip2)
o Common Console Document (msc)
o Encoded Data (.uue, mime, Base64, binhex)
 Shall provide the ability to allow or block specific grayware groups such as adware, BHOs and keyloggers.
 Shall provide the ability to
enable/disable heuristics engine and
block suspected file attachments.
 Shall be able to block or allow oversized files based on configurable thresholds for each protocol type and per firewall policy.
 The proposed system's antivirus protection shall include the following advanced malware protection:
o Virus Outbreak Protection
o Content Disarm and
Reconstruction (CDR)
 Shall provide Real Time Visibility of the
following:
o Sources (Top sources)
o Destination (Top Destinations)
o Policies (Top usage Policies)
o Countries
o All Sessions
o Application (Top Application
Usage)
o Web Sites (Top Web sites)
o Threats (Top Threats detected)
o Threats Map
o VPN
o System Events
o Endpoint Vulnerability
o Interfaces
3.9 Application Control Requirements
 The proposed system shall have the ability to detect, log and act against network traffic based on over 1,000 application signatures.
 The application signatures shall be manually or automatically updated.
 The administrator shall be able to define application control list based on selectable application group and/or list and its corresponding actions.
 The administrator shall be able to set
the Session TTL of the selected
application/group.
 The proposed system shall have the
ability to identify, block or rate limit the
following common P2P applications:
o Gnutella (Napshare, iMesh,
Mldonkey, morph, Xolox,
BearShare, FOXY)
o BitTorrent
o Torrentz
o BitTorrent_HTTP.Track
3.10 SSL Content Scanning and Inspection Requirements
 The proposed system shall have the ability to intercept and inspect content of SSL encrypted traffic of the following protocols:
o HTTPS
o IMAPS
o POP3S
o SMTPS
 Shall be able to perform AV Scanning
tasks over SSL encrypted traffic.
3.11 Warranty and Support
 The Bidder and the Manufacturer shall include and provide Three (3) Years Warranty and 24x7 Professional Support with 4 Hours Onsite Service (NBD for Branch Firewall) including hardware (repair, replacement, and/or upgrade), firmware updates, configuration, reconfiguration, troubleshooting, and other advanced services for the proposed NGFW.
4 Advanced Web Application Firewall (WAF)
4.1 Quantity and Subscription Period
 Supply, delivery and installation of Two (2) units advanced Web Application Firewall (WAF) virtual appliances at COMPANY Primary site, and supply and installation of Two (2) units advanced Web Application Firewall (WAF) virtual appliances at Azure Cloud Platform.
 The proposed solution shall come with three (3) years security subscription services.
4.2 General Requirements
 The proposed solution shall support four different deployment modes: Inline Transparent, True Transparent Proxy, Reverse Proxy and Non-Inline Sniffing.
 Shall support VMware, Hyper-V, Citrix
Xen Server, and Open Source Xen.
4.3 Availability
 Support for Active/Passive and Active/Active clustering high-availability options.
 Shall support Active/Passive failover with sub-second failover.
 Both units in a high availability solution
shall use the same MAC address and
only the primary unit shall respond.
 Shall be able to synchronize the
following objects: ruleset, configured
policies, and objects.
4.4 WAF Virtual Appliance Capacity Requirements
 Each of the proposed units shall have the following minimum capacity specifications:
o 2 Gbps of HTTP traffic throughput.
o Support unlimited number of
applications
o Support up to Eight (8) virtual
CPU.
o Support up to Ten (10) virtual
NIC.
o Support up to Two (2) TB
storage.
o Support unlimited memory.
o Support high availability.

4.5 Security Features
 The proposed solution shall provide the following positive security model:
o Shall not automatically move the
learned details into detection or
prevention as it would violate
change control policies in most
enterprises. Instead, an
administrator should have easy
deployment controls.
o Positive security rule deployment
and learning shall be possible
while still aggressively enforcing
appropriate negative policies.
During learning of this positive
security model, the security level
shall not be lowered.
o The solution administrator should
not be forced to choose between
“learning on/off” and “protection
on/off”. These should co-exist.
 Shall provide the following negative
security model:
o Per-signature configuration of
exceptions
o Exceptions can be created from
the log file
o Default policies shall be available in various classifications: Alert Only, Medium Security, and High Security.
o Signatures shall be grouped in logical, searchable dictionaries. The list shall contain at least:
 Cross Site Scripting
 SQL Injection
 Generic Attacks
 Known Exploits
 Trojans
 Information Disclosure
 Bad Robot
 Credit Card Detection
 Shall provide the following Anti-DoS
capabilities:
o Shall offer Layer 7 DDoS.
o The application layer detection
shall support:
 HTTP Request limit per
source
 TCP Connections using
same cookie
 HTTP requests using the
same cookie
 A challenge response
mechanism which will be
fully transparent for the
end-user
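The three application-layer signals listed above (requests per source, connections and requests sharing one cookie) are easy to misread as a single rate limit. The following is an added example, not part of the tender document or of any vendor product, that implements them as sliding-window counters over constructed access-log lines; the log format, the session-cookie field and the thresholds are assumptions made for the illustration, and the challenge-response step is out of scope.

```python
"""Layer-7 flood detector over constructed web-access log lines.
Added example (not part of the tender or any vendor product) showing the
per-source request limit and the shared-cookie checks listed above.
Thresholds and the log format are assumptions for the illustration."""
import re
from collections import defaultdict, deque

# Constructed log format: <src-ip> <unix-ts> "<request>" sid=<session-cookie>
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<req>[^"]+)" sid=(?P<sid>\S+)$')


class L7FloodDetector:
    def __init__(self, window=10, max_per_source=50,
                 max_per_cookie=30, max_sources_per_cookie=10):
        self.window = window                            # seconds
        self.max_per_source = max_per_source            # requests per source IP
        self.max_per_cookie = max_per_cookie            # requests per session cookie
        self.max_sources_per_cookie = max_sources_per_cookie  # distinct IPs per cookie
        self.by_source = defaultdict(deque)   # ip  -> deque of timestamps
        self.by_cookie = defaultdict(deque)   # sid -> deque of (timestamp, ip)
        self.alerts = set()                   # (kind, key) pairs raised so far

    def _expire(self, dq, now, key=lambda e: e):
        """Drop entries older than the window from the left of the deque."""
        while dq and key(dq[0]) <= now - self.window:
            dq.popleft()

    def observe(self, ts, ip, sid):
        src = self.by_source[ip]
        self._expire(src, ts)
        src.append(ts)
        if len(src) > self.max_per_source:
            self.alerts.add(("source-flood", ip))
        ck = self.by_cookie[sid]
        self._expire(ck, ts, key=lambda e: e[0])
        ck.append((ts, ip))
        if len(ck) > self.max_per_cookie:
            self.alerts.add(("cookie-flood", sid))
        # One session cookie replayed from many sources: distributed bot reuse
        if len({e[1] for e in ck}) > self.max_sources_per_cookie:
            self.alerts.add(("shared-cookie", sid))


def scan(lines, **kw):
    """Parse log lines, replay them in time order, return the alert set."""
    det = L7FloodDetector(**kw)
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not match the expected format are skipped
            events.append((int(m["ts"]), m["ip"], m["sid"]))
    for ts, ip, sid in sorted(events):  # the sliding window needs time order
        det.observe(ts, ip, sid)
    return det.alerts


def build_sample_log():
    """Constructed traffic: one normal user, one single-source flood and one
    cookie shared by twenty sources (addresses are documentation ranges)."""
    lines = [f'10.1.1.20 {100 + i * 2} "GET /app/home" sid=user-legit' for i in range(5)]
    lines += [f'198.51.100.7 {100 + i // 20} "GET /app/search" sid=bot-{i % 3}'
              for i in range(80)]
    lines += [f'203.0.113.{i % 20} {100 + i // 15} "POST /app/login" sid=shared-session'
              for i in range(60)]
    return lines


if __name__ == "__main__":
    for kind, key in sorted(scan(build_sample_log())):
        print(f"{kind}: {key}")
```

The two cookie checks fire independently of the per-source check, which is the point of the requirement: a flood spread over many addresses that all replay one session cookie stays under any per-IP limit but is still visible at the application layer.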
 Shall provide the following Anti-Virus
(AV) capabilities:
o AV database shall be
automatically updated.
o AV database must come from a
3rd party tested vendor with high
rankings for effectiveness and
false-positive avoidance.
o File uploads need to be restricted
on file type and file size.
o AV solution shall NOT introduce
additional software or hardware
deployments nor 3rd-party
integration requirements.
 Shall provide the following Bot detection
and protection capabilities:
o Shall be capable of detecting and
distinguishing two sets of Bots
from the Internet:
 Known search engines
 Bad robots (scanners,
crawlers, spiders)
o Shall have a dashboard to show event statistics from the robot-based and normal clients.
 Shall provide the following file transfer
protection:
o Shall inspect for malware during
file transfer.
 Shall provide the following data leak
prevention capabilities:
o Shall support data leak
prevention for the following
types:
 PHP information leakages
 IIS default location
 Application Availability /
Errors
 File or Directory Names
Leakage
 ASP/JSP Source Code
Leakage
 SQL Errors Leakage
 IIS Errors Leakage
 Directory Listing
 HTTP Header Leakage
 Shall provide the following anti web
defacement capabilities:
o Shall have the ability to prevent,
detect and restore web
defacement.
o Shall copy the content of the
webserver to its own hard drive
and compare on a definable time
schedule if files have been
changed on the webserver
o Shall be able to restore the
changed files
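The anti-defacement requirement above describes a baseline copy, a scheduled comparison and a restore. As an added example that is not the tender's or any vendor's code, the following implements that cycle with SHA-256 digests over a constructed web root in a temporary directory; the directory layout, file names and the simulated defacement are all constructed for the demonstration.

```python
"""File-integrity monitor with restore, in the spirit of the anti-defacement
requirement: baseline the web root, compare on a schedule, restore changes.
Added example, not vendor code; the web root is constructed in a temp dir."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(webroot: Path, store: Path) -> dict:
    """Copy every file under webroot into store; return {relpath: sha256}."""
    baseline = {}
    for p in webroot.rglob("*"):
        if p.is_file():
            rel = p.relative_to(webroot).as_posix()
            dst = store / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dst)
            baseline[rel] = _digest(p)
    return baseline


def compare(webroot: Path, baseline: dict) -> dict:
    """Scheduled check: which files changed, appeared, or disappeared."""
    current = {p.relative_to(webroot).as_posix(): _digest(p)
               for p in webroot.rglob("*") if p.is_file()}
    return {
        "modified": sorted(r for r in baseline if r in current and current[r] != baseline[r]),
        "added": sorted(r for r in current if r not in baseline),
        "deleted": sorted(r for r in baseline if r not in current),
    }


def restore(webroot: Path, store: Path, report: dict) -> list:
    """Put back modified/deleted files from the baseline copy; remove added ones."""
    restored = []
    for rel in report["modified"] + report["deleted"]:
        (webroot / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(store / rel, webroot / rel)
        restored.append(rel)
    for rel in report["added"]:
        (webroot / rel).unlink()
        restored.append(rel)
    return restored


def demo() -> dict:
    """Run one baseline/deface/detect/restore cycle on constructed content."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot, store = Path(tmp, "htdocs"), Path(tmp, "baseline")
        (webroot / "img").mkdir(parents=True)
        (webroot / "index.html").write_text("<h1>COMPANY portal</h1>")
        (webroot / "img" / "logo.svg").write_text("<svg/>")
        baseline = take_baseline(webroot, store)
        # Simulated defacement: page overwritten, a file dropped, a file removed
        (webroot / "index.html").write_text("<h1>defaced</h1>")
        (webroot / "unexpected.php").write_text("<?php /* not ours */ ?>")
        (webroot / "img" / "logo.svg").unlink()
        report = compare(webroot, baseline)
        restore(webroot, store, report)
        after = compare(webroot, baseline)
        return {
            "report": report,
            "clean_after_restore": after == {"modified": [], "added": [], "deleted": []},
            "index_content": (webroot / "index.html").read_text(),
        }


if __name__ == "__main__":
    print(demo())
```

In production the baseline store must live where the web server's own account cannot write, otherwise the same compromise that defaces the site can also rewrite the copy the restore is taken from; the requirement's "own hard drive" wording is the appliance-side version of that separation.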
 Shall provide the following HTTP RFC
Compliance validation capabilities:
o Shall have the option to verify the
HTTP RFC standards
o The following objects need to be
checked and enforced:
 Illegal Host Name
 Illegal HTTP Version
 Illegal HTTP Request
Method
 Content Length
 Body Length
 Header Length
 Header Line Length
 Number of Header Lines
in Request
 Total URL and Body Parameters Length
 Number of URL
Parameters
 Number of Cookies in
Request
 Number of ranges in
Range Header
 Malformed Request
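The RFC compliance list above names the objects a WAF checks but not what a check looks like. The following is an added example, not part of the tender document or of any vendor product, that validates a raw HTTP/1.x request against each of those limits and reports every violation rather than stopping at the first; the limit values, the host-name rule and the two sample requests are constructed for the illustration.

```python
"""Request-limit validator of the kind a WAF's HTTP RFC compliance module
enforces.  Added example, not part of the tender document or any vendor
product; the limit values and the two sample requests are constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Constructed policy: a real WAF exposes these as tunable limits.
LIMITS = {
    "methods": {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"},
    "versions": {"HTTP/1.0", "HTTP/1.1"},
    "header_line_len": 4096,    # bytes in a single header line
    "header_total_len": 8192,   # bytes in the whole header block
    "header_count": 64,
    "url_params": 32,
    "params_total_len": 8192,   # URL + body parameter bytes combined
    "cookies": 32,
    "ranges": 5,
    "body_len": 1_000_000,
}
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")          # host[:port]
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")       # RFC 7230 token


@dataclass
class Verdict:
    violations: list = field(default_factory=list)

    def ok(self) -> bool:
        return not self.violations


def validate_request(raw: bytes, limits: dict = LIMITS) -> Verdict:
    """Check one raw HTTP/1.x request against the limits; never raises."""
    v = Verdict()
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        v.violations.append("malformed-request: no end of headers")
        return v
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        v.violations.append("malformed-request: bad request line")
        return v
    method, target, version = (p.decode("latin-1") for p in parts)
    if method not in limits["methods"] or not TOKEN_RE.match(method):
        v.violations.append(f"illegal-method: {method}")
    if version not in limits["versions"]:
        v.violations.append(f"illegal-version: {version}")
    if len(head) > limits["header_total_len"]:
        v.violations.append("header-length")
    headers = []
    for line in lines[1:]:
        if len(line) > limits["header_line_len"]:
            v.violations.append("header-line-length")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN_RE.match(name.decode("latin-1")):
            v.violations.append("malformed-request: bad header line")
            continue
        headers.append((name.decode("latin-1").lower(), value.strip().decode("latin-1")))
    if len(headers) > limits["header_count"]:
        v.violations.append("header-count")
    hdr = dict(headers)
    host = hdr.get("host", "")
    if not HOST_RE.match(host):
        v.violations.append(f"illegal-host: {host!r}")
    # Declared Content-Length must be numeric and equal the body received
    cl = hdr.get("content-length")
    if cl is not None and (not cl.isdigit() or int(cl) != len(body)):
        v.violations.append("content-length-mismatch")
    if len(body) > limits["body_len"]:
        v.violations.append("body-length")
    url_params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if len(url_params) > limits["url_params"]:
        v.violations.append("url-parameter-count")
    body_params = []
    if hdr.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body_params = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    if sum(len(k) + len(val) for k, val in url_params + body_params) > limits["params_total_len"]:
        v.violations.append("parameters-total-length")
    cookies = [c for n, val in headers if n == "cookie" for c in val.split(";") if c.strip()]
    if len(cookies) > limits["cookies"]:
        v.violations.append("cookie-count")
    ranges = hdr.get("range", "").partition("=")[2]
    if len([r for r in ranges.split(",") if r.strip()]) > limits["ranges"]:
        v.violations.append("range-count")
    return v


# Constructed sample requests: one well-formed, one breaking several limits
GOOD = (b"GET /search?q=waf&page=2 HTTP/1.1\r\n"
        b"Host: intranet.example.test\r\n"
        b"Cookie: sid=abc; theme=dark\r\n\r\n")
BAD = (b"BREW /coffee?" + b"&".join(b"p%d=1" % i for i in range(40)) + b" HTTP/9.9\r\n"
       b"Host: bad host\r\n"
       b"Content-Length: 99\r\n"
       b"Range: bytes=" + b",".join(b"%d-%d" % (i, i) for i in range(12)) + b"\r\n\r\n"
       b"short")

if __name__ == "__main__":
    print("GOOD:", validate_request(GOOD).violations)
    print("BAD: ", validate_request(BAD).violations)
```

The Content-Length check is the one worth noting for a reverse-proxy deployment: the appliance compares the declared length with the body it actually received, so a request whose framing the backend and the proxy would read differently is rejected before either sees it.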
 Shall provide the following application
business logic enforcement capabilities:
o Shall be capable of enforcing
start pages
o Shall be capable of enforcing
application logic by defining a set
of page access rules
o Appropriate page access
methods shall be learned and
enforceable by the solution
o Required parameters on a given
URL page shall be learned and
enforceable by the solution
o Shall be able to track the use of
cookies on a URL page-by-page
granularity
 Shall provide the following machine
learning enforcement capabilities:
o Shall support machine-learning
function that enables it to
automatically detect malicious
web traffic and bots. In addition
to detecting known attacks, the
feature can detect potential
unknown zero-day attacks to
provide real-time protection for
web servers.
o Shall support anomaly detection
model which observes the URLs,
parameters, and HTTP Method
of HTTP and/or HTTPS sessions
passing to the web servers. It
shall build mathematical models
to detect abnormal traffic.
o Shall perform the following tasks
to learn about whether a request
is legitimate or a potential
malicious attack attempt:
 Captures and collects
inputs, such as URL
parameters, to build a
mathematical model of
allowed access
 Observes the HTTP method of the traffic
 Matches anomalies
against pre-trained threat
models
 Detects attacks
o Shall employ two layers of
machine learning to detect
malicious attacks.
 First layer uses the
Hidden Markov Model
(HMM) and monitors
access to the application
and collects data to build a
mathematical model
behind every parameter
and HTTP method. Once
completed, it will verify
every request against the
model to determine
whether it's an anomaly or
not.
 Second layer verifies
whether it's a real attack
or just a benign anomaly
that should be ignored.
Second layer includes pre-
built trained threat models.
Each represents a certain
attack category, such as
SQL Injection, Cross-site
Scripting, and so on. Each
threat model is already
trained based on analysis
of thousands of attack
samples.
4.6 Application Delivery Features
 Shall be capable of load balancing the protected traffic to multiple servers.
 The following algorithms shall be supported:
o Round Robin
o Weighted Round Robin
o Least Connection
 Shall have configurable persistency
features to maintain sessions to the
load balanced backend servers.
 Shall be capable of supporting the
following persistency features:
o Persistent IP
o Persistent Cookie
o Insert Cookie
o ASP Session ID
o PHP Session ID

o JSP Session ID
 Shall support a connection draining
mode in order to allow maintenance of a
protected server without disrupting the
client experience with the application.
 Shall be capable of implementing health checks for the protected servers for the purpose of load-balancing pool removal and administrator notification. This feature should work on both load-balanced and non-load-balanced servers if desired.
4.7 Compliance
 The proposed solution shall provide protection against common threats such as those identified in the OWASP Top 10 Security Risks or application vulnerabilities.
 Shall be ICSA Certified.
4.8 Monitoring and Reporting
 Shall be able to locally store event (audit) information.
 Shall be able to locally store alert
information.
 Shall be able to locally store traffic
information.
 Shall be able to send all 3 log types
above to a centralized logging system
supplied by the vendor (optional)
 Shall be able to send all log types
above to an external syslog server.
 The alert information shall contain at
least the following information:
o Source to Destination connection
information
o Extensive packet header
information
o Full Parameter view
o Highlighting the attack in the
attack log
o With cookie alerts, to show the
alerted cookie and changed
values
o The solution should aggregate
logging per day and per attack
type
o The log should show both
original encoding and decoded
values for analysis
 The solution should have a dashboard
for data analytics in which you can see:
o Attacks per Country
o Hits per Country
o Data per Country
o Exportable to PDF
o Clickable view of the various
attacks per website

o World map with color coding of
attacks
 Shall have a view of all blocked IP
addresses and the blocked time period.
4.9 Sandbox Integration
 The proposed solution shall include a virtual sandbox solution (two at Azure and two at COMPANY co-located site) which could be deployed in either a private virtual environment or public cloud environment such as:
o VMWare
o Hyper-V
o KVM
o AWS
o Azure
 The sandbox solution shall support
high-availability deployment
 The sandbox solution shall support the
following integration features:
o File submissions
o File feedback and report
o Dynamic Threat Database
updates
 The sandbox solution shall support the
following advanced threat protection
features:
o AI-based behavior analysis
o Anti-evasion techniques
o Pattern-based analysis
o Heuristic-based analysis
o Reputation-based analysis
o Callback detection
 The sandbox solution shall support the
following file types:
o .7z
o . bat
o . cmd
o .dll
o .docx
o .eml
o .exe
o .gz
o .html
o .jar
o .js
o .pdf
o .ppt
o .pptx
o .rar
o .rtf
o .swf
o .tar
o .tgz
o .vbs

o .xls
o .xlsx
o .zip
 The sandbox solution shall support the
following protocols and applications:
o HTTP
o SMTP
o POP3
o IMAP
o FTP
 The sandbox solution shall support the following:
o Unlimited vCPU
o Unlimited RAM
o 16TB virtual storage
o 6 virtual network interfaces
5.0 Warranty and Support
 The Bidder and the Manufacturer shall include and provide Three (3) Years Warranty and 24x7 Professional Support with 4 Hours Onsite Service including hardware (repair, replacement, and/or upgrade), firmware updates, configuration, reconfiguration, troubleshooting, and other advanced services for the proposed WAF.

IT EQUIPMENT
1 Head Office Core Switch
1.1 Quantity
 Supply, delivery and installation of Two (2) units 24-port Ethernet switches.
1.2 Form Factor
 1RU form factor.
 Each switch shall come with:
o Two (2) SFP 1GbE-T copper RJ45
transceiver modules.
o Ten (10) SFP28 25GbE fiber
transceiver modules
o Two (2) QSFP28 100GbE fiber
transceiver modules.
o One (1) QSFP28 to QSFP28
100GbE One (1) Meter Direct Attach
Copper Cable.
1.3 Minimum Capacity & Performance
 Shall support the following 10/25/40/100GbE ports:
 Shall support at least twenty-four (24) 10/25GbE ports.
 Shall support at least four (4) 40/100GbE ports.
 Minimum Switching Fabric Capacity of 2Tbps full duplex.
 Minimum Switching Throughput Capacity of 950Mpps.
 Shall have advanced features: SSHv2, TACACS, SNMP-V1/V2c, OSPFv2, OSPFv3, and BGP.

 Shall support sFlow
 Switch shall support line-rate throughput
for each port.
 Less than 900 nanoseconds switching
latency.
 Packet buffer memory minimum 32MB
 Shall be able to operate in an
environment with temperature reaching
up to 45°C.
1.4 Layer 2 Switching
 Support Port-based (IEEE 802.1Q) and Frame extension for VLAN tagging (IEEE 802.3ac)
 Support IEEE802.1X
 Support IEEE 802.3ad Link
Aggregation, with support for
aggregation groups across switches in
stack.
 Support Auto-negotiation of port speed
and duplex
 Support IEEE 802.3x full-duplex flow
control
 Support IEEE 802.1D Spanning Tree
Protocol (STP)
 Support IEEE 802.1w RSTP
 Support IEEE 802.1t RPVST+
 Support IEEE 802.1s Multiple Spanning
Tree Protocol instances (MSTP)
 Support LLDP and LLDP-MED
1.5 Layer 3 Switching
 Support Layer-2 and Layer-3 switching and routing protocols.
 Support OSPF (Open Shortest Path
First), v2 and v3
 Support DHCP Relay (Dynamic Host
Configuration Protocol Server/Relay)
 Support TCP/IP protocol stack ARP with
minimum of 128,000 ARP entries
 Support VRRP (Virtual Router
Redundancy Protocol) v3
 Support IPv4 and IPv6 Routing
1.6 Quality of Service (QoS)
 Support minimum 4 hardware queues per port
 Support Ingress and egress queue
 Support Queuing algorithms
 Support Port based QoS such as
IEEE802.1p, rate policing and rate
shaping.
 Support Policy based QoS configuration
such as DSCP and strict priority queue
1.7 Switch Security
 Support Network login with IEEE 802.1x user authentication
 Support Local authentication and
RADIUS authentication
 Support TACACS (Terminal Access
Controller Access Control System)
authentication.

 Support encrypted management traffic
using SSH
1.8 Management
 Support CLI (Command Line Interface) configuration mode
 Support Configuration via the console
(control console) port
 Support Port mirroring
 Support Syslog
 Support Ping and Traceroute
 Support Network Time Protocol (NTP)
v4
1.9 Power Supply
 Shall come with redundant hot-swappable AC power supplies.
 Input voltage: 100-240 VAC auto-ranging.
 Operating frequency: 50/60 Hz.
2 Power over Ethernet (PoE) Switch
2.1 Quantity
 Supply, delivery and installation of Seven (7) units 24 Ports PoE Multigigabit Ethernet Switches.
2.2 Switch Features
 Shall come with the following ports:
o At least Four (4) 25GbE fiber ports
with Two (2) SFP28 transceivers.
o Twelve (12) 1G/2.5G auto-sensing
802.3at ports
o Twelve (12) 1G/2.5G auto-sensing
802.3bt ports
 Line-rate performance capability using
non-blocking switching and routing
architecture.
 Able to operate in an environment with
up to 45°C temperature.
 Support Static, RIP, and OSPF Layer 3
routing protocol.
 Minimum Switching Capacity of
480Gbps.
 Minimum Forwarding Capacity of
660Mpps.
 Packet buffer memory of 4MB.
 Support RSTP, RSTP-Per-VLAN, and
MSTP.
 Support SNMP V1/2/3 for monitoring.
 Power consumption shall not exceed
1500 watts.
2.3 Management
 GUI access via HTTP/HTTPS.
 CLI via console, Telnet, and SSHv2.
3 Wireless Access Point
3.1 Quantity
 Supply, delivery and installation (including redundant structured cabling) of Forty-Six (46) units Dual Radio 4x4 802.11ax (Wi-Fi 6) Access Points.
3.2 General Requirement
 The proposed solution shall not be a rebranded OEM product.
 Shall come with all the licenses needed to securely deploy and manage the proposed Access Points for at least Three (3) years.
3.3 Network Management
 All wireless access points shall be managed through a Public Cloud hosted management platform.
 Solution must provide seamless
scalability, mix-and-match, pay-as-you-
grow option
 Failure of the entire control plane must
not impact the WLANs ability to forward
traffic, either active sessions or new
users attempting to establish sessions.
 Easy firmware upgrades or
configuration updates to an individual
access point or to a group of access
points
 Ability to group access points in a
hierarchy, by location for example, to
allow an organized management and
deployment, local or remote, from the
central location.
 Provide an easy to use, integrated
graphical tool to display the location of
the access points, clients and rogue
devices.
 Ability to create, modify and apply
configuration, firewall policies and traffic
shaping (QoS) policies based on
application, user, device type, device
OS, SSID or any combination thereof.
 Integrated client health monitoring and
help-desk optimized troubleshooting
tool.
 Supports the network administrator to
choose the timeline for visibility into the
network policy, device, application,
client and user events and trends.
 Single Interface, no vendor add-ons or
third-party applications to achieve
functionalities listed above
3.4 Hardware Functionality
 Dual Radio 4x4 5GHz and 2.4GHz 802.11ax integrated omni-directional MIMO antenna.
 Support dual band 5GHz operation.
 One (1) autosensing 10/100/1000
Ethernet port
 One (1) 2.5GbE port.
 PoE+ capability.
 Supports Orthogonal Frequency-
Division Multiple Access (OFDMA) 1024
Quadrature Amplitude Modulation
(QAM).
 Ceiling, Desktop and Wall mountable
 Plenum Rated
 Kensington Lock Point or equivalent

 Reset Pinhole Button
3.5 Software Functionality
 TPM hardware-based encryption
 Self-healing mesh failover, best path forwarding and dynamic mesh routing
 Multiple VLAN tagging on a specific SSID
 Distributed intelligence protocols for
communication between access points
for session state forwarding to support
stateful firewall on the access layer and
fast roaming
 Automatic Configuration Roll-back upon
detection of misconfiguration to prevent
remote site visits
 Ability to auto-provision devices without
any prestaging and/or post-deployment
location specific changes
 Supports the functionality to provide
different user experiences (firewall
settings, QoS, rate limits, SLA, dynamic
airtime scheduling etc.) on a single
SSID based upon user identification
during authentication.
3.6 Security Requirements
 Support for Active Directory or equivalent user database (LDAP) integration
 Integrated RADIUS server and RADIUS
Proxy
 Support for multiple pre-shared keys for
unique identification and classification
on a single SSID.
 Rogue access point and rogue client
detection. Support for WIPS dedicated,
full spectrum sensor configuration.
 Deep Packet Inspection (DPI) based
application visibility and control. Control
shall include firewall, prioritization and
rate limiting and marking for upstream
traffic, based on available user context.
 Support separate inbound and
outbound firewall policies that perform
stateful packet inspection that keeps
track of the state of network
connections, like TCP streams and UDP
communications.
 Support the functionality to provide
different user experiences (firewall
settings, QoS, rate limits, SLA, dynamic
airtime scheduling etc.) on a single
SSID based upon user identification
during authentication.
3.7 Guest Access / BYOD
 Secure guest access shall allow each guest to receive a unique pre-shared key without the use of certificates.
 Support for different types of Captive Web Portals (CWP). CWPs must be customizable and must support major world languages.
 Guest access solution shall support
guest self-registration from a browser
 BYOD solution shall support an easy
and secure self-service onboarding
solution for employees’ personal
devices with unique keys without the
complexity of certificates.
 Solution shall support different guest
types on the same SSID with the option
to revoke the key and force the change
of the key.
 Solution shall support detailed
scheduling rules for a
daily/weekly/monthly recurring
schedule, providing the capability to
schedule availability by SSID, user type
and device type.
4 Uninterruptible Power Supply (UPS)
4.1 Quantity
 Supply, delivery and installation of Six (6) units Rack-mountable UPS.
4.2 Features
 Shall support input frequency of 60Hz +/- 3Hz
 Shall support input voltage range from
180 to 280 Volts
 Output voltage distortion shall not
exceed 5%.
 Output frequency (sync to mains) shall
be 57-63Hz
 Shall be capable of providing at least
2000 Watts of power output.
 Expected battery life shall be 3 years
 Battery type shall be leak-proof
maintenance-free sealed Lead-Acid with
suspended electrolyte.
OTHER REQUIREMENTS
1 Patch Cords, DAC, and Transceivers
 Supply and delivery of Sixteen (16) OM4 Multi-Mode LC-LC Fiber 3 Meter Cable
 Supply and delivery of Sixteen (16)
OM4 Multi-Mode LC-LC Fiber 3 Meters
Cable.
 Supply and delivery of Eight (8) SFP+ to
SFP+ 10GbE Passive Copper Direct
Attach 3Meters Cable.
 Supply and delivery of Four (4) SFP28
to SFP28 25GbE Passive Copper Direct
Attach 3 Meters Cable.
 Supply and delivery of Four (4) QSFP+ SR 40GbE fiber transceiver modules for the Head Office NGFWs.
 Supply and delivery of Four (4) QSFP+ SR 40GbE fiber transceiver modules for COMPANY existing Top-Of-Rack switches.
2 Display Monitor
 Supply, delivery, and installation of One (1) widescreen monitor with the following specs:
o Shall be at least 54.5 inches
diagonal OLED or Full Array with
Local Dimming VA LCD/QLED.
o Shall be 4K High Dynamic Range
with at least 3840x2160 panel
resolution.
o Shall support HDR10+ or Dolby
Vision HDR format.
o Shall come with HDMI 2.1 ports capable of supporting up to 48Gbps bandwidth.
o Shall support Analog and Digital TV
System
o Shall have at least Wi-Fi Certified
802.11ac and Ethernet port.
o Shall be 2020 or later model.
o Shall come with slim wall-mount
bracket.
o Shall support web browser to display
dashboard and visualization
indicating security events, alerts,
threats, etc.
o Shall come with Two (2) Years
Warranty.
3 Warranty and Support
 All equipment under warranty contract found to be defective shall be replaced by the vendor or supplier on the next business day without additional cost to COMPANY.
 All equipment shall come with Three (3) Years Warranty (unless otherwise specified) and 24x7 Professional Support with NBD On-site Services (unless otherwise specified) including hardware support (repair or replacement), firmware updates, configuration, reconfiguration, troubleshooting, and other advanced services for the proposed equipment.
4 Responsibility of the Supplier
 The Supplier shall deliver, install, and configure the proposed equipment including all components, software if required, structured cabling (fiber optics and transceivers if warranted) and power outlets within one hundred eighty (180) calendar days upon receipt of Notice to Proceed (NTP).
 The Supplier shall migrate all the IT services hosted on our existing servers and storage to the proposed HCI System.
 The Supplier shall re-provision and
update the firmware of the existing
servers, storage, and network
appliances.
 The Supplier shall provide
documentation of all the configuration
made to the proposed equipment within
180 days upon receipt of NTP.
 The Supplier shall provide a knowledge
transfer training for twelve (12) ITSD
personnel.
5 Market Presence
 The supplier must be existing continuously for at least Ten (10) Years in the Philippine market reckoned from the date of publication of the ITB.
6 Budget
 ABC shall not exceed () inclusive of all taxes and charges.
