Specifications For Internal / Core

APPENDIX-25
SPECIFICATIONS FOR INTERNAL / CORE FIREWALL
Functional Requirements: Next Generation Security Platform

Table columns: S.No | Specifications for Internal / Core Firewall | Complied (Yes / No) | Remarks

1.1 General Requirements:

1. The Firewall must be appliance based.
2. The Firewall should have purpose-built ASIC architecture or CPU based architecture for packet processing and content scanning function.
3. Licensing: should have per device license. There should not be any user/IP/host based licenses. Please specify if the product does not follow the required licensing policy.
4. Support for firewall virtualization.
5. The platform should be based on a real-time, secure embedded operating system.
6. Should support multi ISP with automatic ISP failover as well as ISP load sharing for outbound traffic.
7. Should support USB interfaces for config backup/restore & upgrading images.

1.2 Interface and Connectivity Requirements:

1. The platform must be capable of supporting 4 x 10 Gig SFP+ and 6 x 1 Gig SFP and 12 x GE RJ-45 ports.
2. The platform should support the standards based Link aggregation technology (IEEE 802.3ad) to achieve higher bandwidth.
3. The Firewall should support IEEE 802.1q VLAN Tagging with about 4096 VLANs supported (in NAT/Route mode).
4. Should support a minimum of 1 USB port.
5. Should support 240GB of local storage either on the box or on a central device to store logs.

1.3 Performance Requirements:

1. The Firewall must support at least 10 Million concurrent connections.
2. The Firewall must support at least 250,000 new sessions per second processing.
3. The Firewall should support throughput of minimum 30Gbps of production performance. No performance degradation based on packet sizes & protocol mixes.
4. The firewall should support a minimum of 15 Gbps of IPSec VPN throughput and should be hardware accelerated.
5. Should support 10000 gateway to gateway VPN tunnels for branch connectivity.
6. Should support at least 5000 client to gateway VPN tunnels.
7. Should have an option to configure up to 10000 Firewall policies.
8. Should support firewall virtualization and minimum 5 Virtual Firewall licenses should be included.
9. Firewall should support low latency of less than 25 microseconds.
10. The firewall should support a minimum of 10 Gbps of IPS throughput.
11. Firewall should support Anti Virus throughput of 3 Gbps.
12. Firewall should support up to 5000 concurrent SSL VPN connectivity. Licenses should be provided from day one.
13. Firewall should comply with all safety standards & should have CE marking with necessary EMC standards & be RoHS2 compliant. Details to be provided.
14. The firewall unit should be rack mountable.
15. The firewall should have a redundant power supply.

1.4 Network/Routing Requirements:

1. Static routing must be supported.
2. Policy based Routing must be supported.
3. Dynamic Routing: RIPv1 and v2, OSPF v2 and v3, ISIS, BGP4.
4. Multicast Routing must be supported.

1.5 Firewall Features Requirement:

1. The Firewall technology should be ICSA Labs and EAL 4 certified.
2. Firewall should be able to operate in "transparent mode" apart from the standard NAT mode.
3. The Firewall must provide NAT functionality: NAT64, NAT46, static NAT, dynamic NAT, PAT.
4. Should support "Policy-based NAT" and "central NAT" Table.
5. The Firewall should provide advanced NAT capabilities, supporting NAT Traversal for services like SIP/H.323/SCCP.
6. Firewall should support voice based protocols like H.323, SIP, SCCP, MGCP etc.
7. The Firewall should support Address objects: subnet, IP, IP range, GeoIP (Geography), FQDN.
8. The Firewall should support User-Group based Authentication (Identity based Firewalling) & Scheduling.
9. The Firewall should support device based security policy and device identification.
10. Should support integrated Traffic shaping and QoS: shared policy shaping, per-IP shaping, maximum & guaranteed bandwidth, maximum concurrent connections per IP, traffic prioritization, Type of Service (TOS) and Differentiated Services (DiffServ).
11. IPv6 Support: Management over IPv6, IPv6 routing protocols, IPv6 tunneling, firewall and UTM for IPv6 traffic, NAT46, NAT64, IPv6 IPSec VPN.
12. Should support built-in DHCP, NTP, DNS Server.

1.6 Authentication Requirements:

1. Support for authentication for Users and Firewall Administrators (Local and Remote: RADIUS, LDAP & TACACS+).
2. Should support single sign on for Windows AD, Novell eDirectory, Citrix and Terminal Server Agent.
3. Support for RSA SecurID or other 3rd party Token.
4. Should support PKI / Digital Certificate based two-factor Authentication for both Users and Firewall Administrators.
5. Should support captive portal authentication.
6. Device should support separate guest group profile and it should have expiry time for all the guests.
7. Device should support local user password expiration feature.
8. Firewall should support device identification, OS, User, destination hostname & geographic visibility.
9. Firewall should also support real-time client reputation monitoring.

1.7 High Availability Requirements:

1. The device must support Active-Active as well as Active-Passive redundancy.
2. Should support redundant heartbeat interfaces.
3. Should have HA reserved management interface.
4. The Firewall must support stateful failover for both Firewall and VPN sessions.
5. Should support Port, local & remote link monitoring.
6. Should support failure detection notification.

1.8 IPSec / SSL VPN Requirements

1. The VPN should be integrated with firewall and should be ICSA Labs certified for both IPSec and SSL-TLS.
   Should support the following protocols:
   a. DES & 3DES
   b. MD5, SHA-1 & the more secure SHA-256 authentication
   c. Diffie-Hellman Group 1, Group 2, Group 5 & the more secure Group 14.
   d. Internet Key Exchange (IKE) v1 as well as IKE v2 algorithm
   e. The new encryption standard AES 128, 192 & 256 (Advanced Encryption Standard)
2. IPSec VPN should support XAuth over RADIUS and RSA SecurID or similar product.
3. Should have integrated SSL VPN with no user license restriction. Please specify if the product does not follow the required licensing policy.
4. Should support SSL portal concurrent users limiting.
5. Should support one time login per user options: prevents concurrent logins using same username.
6. Should support SSL-VPN Two-factor Authentication.
7. Should support single sign-on for FTP and SMB.
8. Should support Windows and Mac OS for SSL-VPN (should have always-on clients for these OS apart from browser based access).
9. Should support Host integrity checking and OS check (for Windows terminals only) prior to SSL tunnel mode connections.
10. Should support MAC host check per portal.
11. Should have cache cleaning option just before the SSL VPN session ends.
12. Should also support Virtual desktop option to isolate the SSL VPN session from the client computer's desktop environment.
13. Should be able to view and manage current IPSec and SSL VPN connections in detail.
14. Device should support client for both IPSec and SSL-VPN.
15. Should support NAT within IPSec/SSL VPN tunnels.
16. Should also support PPTP and L2TP over IPSec VPN protocols.

1.9 IPS, AV and Web Filtering:

1. Should have integrated Network Intrusion Prevention System (NIPS) and should be ICSA and NSS Labs certified.
2. Should have a built-in Signature and Anomaly based IPS engine on the same unit.
3. Should support SSL inspection for IPS and Application Control.
4. Should support minimum 5000+ IPS signatures.
5. Should support automatic pull or push signature update.
6. Should have IPS Actions: default, monitor, block, reset, or quarantine (attacker's IP, attacker's IP and victim IP, incoming interface) with expiry time.
7. Should have Packet logging option.
8. Should have Filter Based Selection: severity, target, OS, application and/or protocol.
9. Should support IPv4 and IPv6 rate based DoS protection.
10. Supports user-defined signatures (i.e. Custom Signatures) with Regular Expressions.
11. Should support Application based control feature for over 3000 applications and in 18 Categories.
12. Should have Filter based selection: by category, popularity, technology, risk, vendor and/or protocol.
13. Should have Actions: block, reset session, monitor only, application control traffic shaping.
14. Custom application signature support.
15. Should support SSH inspection.
16. Should support Deep inspection for cloud based applications.
17. Should support replacement message for blocked Applications.
18. Should be able to protect from Botnet and Phishing.
19. Should perform Traffic Shaping of popular P2P applications like KaZaa, Gnutella, BitTorrent, WinNY, eDonkey etc.
20. Should control popular IM/P2P applications regardless of port/protocol like Yahoo, MSN, Skype, AOL, ICQ etc.
21. The appliance should facilitate embedded antivirus support which is ICSA Labs certified.
22. Gateway AV should be supported for real-time detection of viruses and malicious code for HTTP, HTTPS, FTP, SMTP, SMTPS, POP3 and IMAP, NNTP and IM.
23. Should have configurable policy options to select which traffic to scan for viruses.
24. Device should be able to support cloud based sandboxing feature to prevent advanced threats/attacks.
25. Should have options to prevent user downloads based on file extension as well as file type.
26. Should support Botnet C&C blocking with IP reputation DB.
27. Should support both proxy based and flow based AV scanning.
28. Should support endpoint client management feature to control user machines centrally.
29. Administrator shall be able to configure DoS policies that are used to associate DoS settings with traffic that reaches an interface based on defined services, source and destination IP/Range.
30. Supports attack recognition inside IPv6 encapsulated packets.
31. Should have the ability to perform Antivirus scanning for IPv6 traffic.
32. The appliance should facilitate embedded Web Content Filtering feature.
33. Should support DNS based web filtering, and the solution shall allow administrators to override Online URL Database ratings with local settings.
34. Should support Filter Java Applet, ActiveX and/or cookie.
35. Block HTTP Post, Rate images by URL.
36. Should support Web Browsing quota by categories.
37. Should have Web filtering profile override feature: allows administrator to temporarily assign different profiles to user/user group/IP.
38. Should support safe search for Google and Yahoo.
39. Should support content type scanning.
40. Should be able to block different categories/sites based on User Authentication.
41. URL database should have more than 2 billion URLs under 78+ categories.

2 Other Requirements:

1. Provision to create secure zones / DMZ (i.e. Multi-Zone support).
2. Should support Gateway Data Loss Prevention (DLP) feature for popular protocols like HTTP, HTTPS, FTP, POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS.
3. The DLP feature should support popular file types like MS Word, PDF etc. Should also support DLP fingerprinting.
4. Should support DLP watermarking: allows filtering files that pass through the unit and contain a corporate identifier (a text string) and a sensitivity level (Critical, Private, and Warning) hidden in a watermark.
5. Should support Packet Capture/sniffer to capture and examine the contents of individual data packets that traverse the firewall appliance for troubleshooting, diagnostics and general network activity.
6. The device should belong to a family of products that attains NSS Approved Certification, IPv6 Ready Phase 2 and USGv6 IPv6 Certified.
7. Should be able to support Geo-IP block and be able to block country wise traffic.
8. ICSA Labs certification for Firewall, SSL, IPSec VPN, AV, IPS.