INDIAN OVERSEAS BANK
Information Technology Department
Central Office, 763, Anna Salai, CHENNAI – 600 002

RFP Ref No. RFP/ITD/005/18-19 dated 05.10.2018
FOR SUPPLY, INSTALLATION AND MAINTENANCE OF NETWORK ACCESS CONTROL (NAC) SOLUTION

AMENDMENT NO. 6
13.12.2018

All other terms and conditions given in various clauses / sub-clauses / Annexures in the above referred RFP, to the extent not modified below, shall remain unchanged and continue to be applicable.

Page 1 of 27

Sl. No | RFP Clause | Existing RFP Terms | Amended RFP Terms

1 | 1.3.a.2 | The proposed NAC solution of the OEM must be in Gartner's Leaders Magic Quadrant for NAC Solution in 2 out of the last 3 years. Documentary proof to be submitted. | The proposed NAC solution of the OEM must be in Gartner's Leaders Magic Quadrant for NAC Solution in 2 out of the last 5 published reports (from 2010 to 2014) for Network Access Control. Documentary proof to be submitted.

2 | 1.3.a.3 | The proposed NAC solution from the OEM should be functional in any two organizations (Bank / Insurance / Government) with a minimum of 10000 endpoints each, in India, on the date of the RFP. (Documentary proof to be submitted.) | The proposed NAC solution from the OEM should be functional in at least one organization (Bank / Insurance / Government) with a minimum of 10000 endpoints, in India, on the date of the RFP. (Documentary proof to be submitted.)

3 | 1.3.a.4 | Proposed Managed Switches & NAC Solution should be from the same OEM. The proposed solution (NAC & Managed Switches) should be of the latest model and should not be declared End of Service Life for the duration of the contract period (7 years for NAC & 7 years for Managed Switches). The proposed solution should not have been declared EOL as on the date of submission of bids. Documentary proof (Annexure IV) to be attached. | The proposed solution (NAC & Managed Switches) should be of the latest model and should not be declared End of Service Life for the duration of the contract period (7 years for NAC & 7 years for Managed Switches). The proposed solution should not have been declared EOL as on the date of submission of bids. Documentary proof (Annexure IV) to be attached.
protocols, profiling identity, or other external attribute sources. Attributes can also be created dynamically and saved for later use.

45. It should allow Administrators to create their own device templates. These templates can be used to automatically detect, classify, and associate administrator-defined identities when endpoints connect to the network. Administrators can also associate endpoint-specific authorization policies based on device type.
Amendment no. 6 for RFP Ref: RFP/ITD/005/18-19 dated 05.10.2018
Page 16 of 27
46. Verifies endpoint posture assessment for PCs connecting to the network. Works via either a persistent client-based agent or a temporal web agent to validate that an endpoint conforms to the company's posture policies. Provides the ability to create powerful policies that include, but are not limited to, checks for the latest OS patches, antivirus and antispyware software packages with current definition file variables (version, date, etc.), registry entries (key, value, etc.) and applications. The solution should support auto-remediation of PC clients as well as periodic reassessment to make sure the endpoint is not in violation of company policies.

47. Solution should classify a client machine, and should support client provisioning resource policies to ensure that the client machine is set up with an appropriate agent version, up-to-date compliance modules for antivirus and antispyware vendor support, and correct agent customization packages and profiles, if necessary.

48. Solution should have automatic switch port provisioning for end devices based on pre-defined rules.

49. Solution should support a security compliance policy: the security validations the solution is capable of, such as antivirus, patch update, OS, etc.

50. Solution should support automated remediation and integration with all major OEM antivirus, patch update, OS, AD systems, etc.

51. Solution should support URL redirection for remediation or other purposes.

52. Solution should have the ability to meet each of the following features:
a. Baselining for endpoints determines the status of a large variety of endpoint devices, including differing device types, operating systems, etc.
b. Profiling for endpoints identifies all connected devices, including advanced mobile identification.
c. Guest management is performed from a central, "single pane" viewpoint allowing full visibility into current guest provisioning.

53. Solution should support integration with leading helpdesk ticketing systems. It should support self-remediation through end-user self-support and automatic remediation including guided remediation, quarantine, manual remediation, etc.

54. Solution should be capable of integration with firewall, IPS, router, switch, wireless access points, Active Directory, LDAP, MDM solutions, etc. of major OEMs. The Bank may go for bidirectional integration as per future requirements.
55. Solution should support granular-level policy enforcement and provide information about users beyond that obtained in a login system.

56. Solution should detect network threats by itself or by integrating with other security defences; detected threats should be prevented from spreading, and notifications are to be sent to the end user and administrator concerning the network threat activity via e-mail and HTTP notification.

57. NAC solution should take feedback from external systems like Syslog servers, IDS/IPS, firewalls, etc. and block a user if compromised on the network.

58. Solution should deliver customizable self-service portals and web pages for device onboarding, registration, etc. for standard PC and mobile computing platforms.

59. Should support full guest lifecycle management, whereby guest users can access the network for a limited time, either through administrator sponsorship or by self-signing via a guest portal. Allows administrators to customize portals and policies based on the specific needs of the enterprise.

60. Solution should have profiling capabilities integrated into the solution in order to detect headless hosts. The profiling features leverage the existing infrastructure for device discovery. Should support the use of attributes from the following sources or sensors: profiling using MAC OUIs, profiling using DHCP information, profiling using RADIUS information, profiling using HTTP information, profiling using DNS information, profiling using NetFlow/JFlow etc., profiling using SPAN, profiling using SNMP, etc.

61. Solution should support threat monitoring, containment, and remediation, extending beyond rogue detection and authentication.

62. Support for importing endpoints from an LDAP/AD server. Should allow importing MAC addresses and the associated profiles of endpoints securely from an LDAP/AD server.

63. Must incorporate a complete set of tools for reporting (audit trailing, customizable reporting and data export capabilities), analysis, and troubleshooting. Data from access transactions can be organized by customizable data elements and used to generate graphs, tables, and reports. Must correlate and organize user, authentication, and device information together.

64. Monitor an endpoint after it has gained access to the network.

65. Endpoint audit via NESSUS or NMAP scanning.

66. The system should provide standards-based external-facing APIs to extend support and integration with external applications like SIEM, firewall, IDS/IPS solutions, etc.
67. Solution should support troubleshooting authentication issues by triggering session re-authentication, i.e. forcing the endpoint to attempt to authenticate again.

68. Must support complex PKI deployments where TLS authentication requires validating client certificates from multiple CA trust chains. Must also support the AAA server certificate being signed by an external CA whilst validating internal PKI-signed client certificates.

69. Must be able to issue certificates using an inbuilt Certificate Authority as well as external certificates, as per the bank's need.

70. Encryption of traffic to the wireless and wired network using protocols for 802.1X such as EAP-TLS, EAP-PEAP or EAP-MSCHAP.

71. Quarantine (a quarantine network is a restricted IP network that provides users with routed access only to certain hosts and applications). Non-compliant devices/endpoints should be quarantined by moving the switch port to a different VLAN or by pushing a dynamic/static ACL to the switch port to restrict access to limited resources.

72. Captive portals (a captive portal intercepts HTTP access to web pages, redirecting users to a web application that provides instructions and tools for updating their computer. Until their computer passes automated inspection, no network usage besides the captive portal is allowed).

73. Solution should enforce security policies by blocking, isolating, and repairing noncompliant machines in a quarantine area without requiring administrator attention. Allow administrators to quickly take corrective action (Quarantine, Un-Quarantine, or Shutdown) on risk-compromised endpoints within the network.

74. Solution should support an automated remediation system including starting processes, killing processes, setting registry keys, starting antivirus, updating antivirus, starting Windows updates and running custom scripts. The same should also be user-customisable.

75. When endpoints are discovered on the network, they can be profiled dynamically based on the configured endpoint profiling policies, and assigned to the matching endpoint identity groups depending on their profiles.

76. Provides a wide range of access control mechanisms, including downloadable access control lists (dACLs), VLAN assignments, URL redirect, and Security Group Access (SGA) tagging.
77. The Solution should have the capability to see endpoint attribute data via passive network telemetry or, alternatively, from the infrastructure via device sensors on switches at the Core, Distribution and Access Layers.

78. Solution should have a capability which allows users / administrators to add a device on a portal, where the device goes through a registration process for network access. Should allow users / administrators to mark as lost any device that has been registered in the network, and blacklist the device on the network, which prevents others from unauthorized network access when using the blacklisted device. Should have the capability to reinstate a blacklisted device to its previous status in the Device Portal, and regain network access without having to register the device again in the Devices Portal. Should also support removing any device from the enterprise network temporarily, then registering the device for network access again later. Solution should be able to provide a seamless user experience.

79. Site Specification Requirements: The bidders should submit, as a part of the Technical bid, the dimensions and weight of each piece of equipment with the necessary power and wiring requirements. The rack space required at DC and DRS is to be stated while providing the requirements.

80. The solution should not add another point of failure, and should provide by-pass for business continuity.

81. The Solution should have an enterprise license without any restriction on use of the features mentioned in the RFP from day one. If during the contract the solution is not performing as per the specifications in this RFP, the bidder has to upgrade / enhance the devices or place additional devices and reconfigure the system without any cost to the Bank till the required performance is achieved.

82. The solution should detect all applications / software / services installed or running on the endpoint and allow administrators to implement policies governing those applications / software / services.

83. For non-802.1X devices, network access is to be provided with MAC Authentication Bypass (MAB) with device profiling. If the MAC does not match the device's profiled record, it has to be immediately blocked (to prevent MAC spoofing).

84. Solution should have the capability to detect and alert, via the underlying device profiling, if any switch port is detected to be connected with more than 2 MAC IDs. It should have the capability to automatically shift the switch port to a quarantine VLAN or implement a dynamic ACL on the port to restrict access.
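Items 83 and 84 describe the two checks a NAC applies to a MAB port. The following is an added illustration of that logic, not code from the RFP or from any vendor's product; the profiled records, OUI table, DHCP vendor classes, MAC addresses, port names and quarantine VLAN number are all constructed sample data.

```python
"""Added illustration of the MAB port checks in items 83 and 84.

A non-802.1X endpoint is admitted by MAC Authentication Bypass only while its
live fingerprint (OUI vendor plus DHCP vendor class, as a profiler would
collect per item 60) still matches the record stored when it was profiled;
a mismatch is treated as suspected MAC spoofing and the endpoint is blocked.
Independently, a port carrying more than two MAC addresses is moved to the
quarantine VLAN. Every MAC, vendor, DHCP class and VLAN below is constructed.
"""
from dataclasses import dataclass

QUARANTINE_VLAN = 999          # constructed VLAN id, not from the RFP
MAX_MACS_PER_PORT = 2          # item 84: more than 2 MAC IDs triggers action

# Constructed OUI -> vendor table (profiling by MAC OUI, item 60).
OUI_VENDORS = {"02:00:11": "PrinterCo", "02:00:22": "PhoneCo"}

# Constructed profiled records: the attributes learned when each MAB
# endpoint was first classified.  Keys are upper-case MAC addresses.
PROFILED = {
    "02:00:11:00:00:01": {"vendor": "PrinterCo", "dhcp_class": "PrinterCo-Printer"},
    "02:00:22:00:00:02": {"vendor": "PhoneCo", "dhcp_class": "PhoneCo-IPPhone"},
}


@dataclass(frozen=True)
class Observation:
    """What the switch/profiler sees for one endpoint on a port right now."""
    mac: str
    dhcp_class: str   # DHCP option 60 vendor-class string, "" if none seen


def fingerprint(obs: Observation) -> dict:
    """Derive the comparable attributes from a live observation."""
    oui = obs.mac.upper()[:8]
    return {"vendor": OUI_VENDORS.get(oui, "unknown"), "dhcp_class": obs.dhcp_class}


def mab_decision(obs: Observation, profiled: dict = PROFILED) -> str:
    """'permit', 'deny' (no profiled record) or 'block' (record mismatch)."""
    record = profiled.get(obs.mac.upper())
    if record is None:
        return "deny"
    if fingerprint(obs) != record:
        return "block"          # item 83: MAC does not match its profiled record
    return "permit"


def port_decision(port: str, observations, profiled: dict = PROFILED,
                  max_macs: int = MAX_MACS_PER_PORT) -> dict:
    """Evaluate every endpoint on a port and decide the port-level action."""
    endpoints = {o.mac.upper(): mab_decision(o, profiled) for o in observations}
    result = {"port": port, "endpoints": endpoints, "port_action": None, "alerts": []}
    if len(endpoints) > max_macs:        # item 84: too many MACs on one port
        result["port_action"] = {"vlan": QUARANTINE_VLAN}
        result["alerts"].append(f"{port}: {len(endpoints)} MACs seen, limit {max_macs}")
    for mac, decision in endpoints.items():
        if decision == "block":
            result["alerts"].append(f"{port}: {mac} fingerprint differs from profiled record")
    return result


if __name__ == "__main__":
    # Constructed sample: the printer's MAC reappears with a Windows DHCP class.
    spoofed = Observation("02:00:11:00:00:01", "MSFT 5.0")
    print(port_decision("Gi1/0/7", [spoofed]))
    # Constructed sample: a hub behind the port exposes three MACs at once.
    crowd = [Observation("02:00:22:00:00:02", "PhoneCo-IPPhone"),
             Observation("02:00:11:00:00:01", "PrinterCo-Printer"),
             Observation("02:00:33:00:00:03", "")]
    print(port_decision("Gi1/0/8", crowd))
```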
85. The Solution should be capable of working with various operating systems like Windows and Linux. For Linux, the solution should at least support 802.1X authentication.

86. The bank has a static IP address schema of /24 and /27 IP address segments at its locations. The solution proposed by the bidder should not involve any change in the IP address schema at the locations.

87. Bidder shall submit a Bill of Materials for the Solution (with make & model) along with the technical bid.

88. Solution should integrate with enterprise-level SIEM solutions and Syslog servers. The Solution should be able to share information with leading SIEM vendors using standard protocols (Syslog, CEF).
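Item 88 names CEF as the SIEM exchange format. The following is an added example, not code from the RFP or any vendor, of encoding a NAC access decision as a CEF record and parsing it back, which is the round-trip check an operator runs when onboarding a new log source into a SIEM; the vendor/product names, severity map, port name and MAC address are constructed.

```python
"""Added example for item 88: encoding NAC decisions as CEF for a SIEM.

CEF (Common Event Format) records look like
    CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value
Header fields must escape '|' and '\\'; extension values must escape '=' and
'\\' and write newlines as '\\n'.  to_cef() builds such a record and
from_cef() parses one back.  Vendor/product names, the severity map, port
names and MAC addresses are constructed, not taken from any real product.
"""
import re

# Constructed severity map: CEF severity is an integer 0-10.
ACTION_SEVERITY = {"permit": 1, "deny": 5, "quarantine": 7, "block": 8}


def _esc_header(value: str) -> str:
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(signature_id: str, name: str, severity: int, extension: dict,
           vendor: str = "ExampleNAC", product: str = "PolicyServer",
           version: str = "1.0") -> str:
    """Serialise one event; raises on an out-of-range severity."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = [vendor, product, version, signature_id, name, str(severity)]
    ext = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in extension.items())
    return "CEF:0|" + "|".join(_esc_header(h) for h in header) + "|" + ext


def nac_event(port: str, mac: str, action: str, reason: str, host: str) -> str:
    """Map a NAC decision to CEF using standard extension keys."""
    return to_cef("nac-" + action, "NAC access decision", ACTION_SEVERITY[action],
                  {"dvchost": host, "smac": mac, "act": action,
                   "cs1Label": "switchPort", "cs1": port, "msg": reason})


def from_cef(line: str) -> dict:
    """Parse a CEF record into its header fields and extension dict."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped char in header
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    keys = ["cef", "vendor", "product", "version", "signature_id", "name", "severity"]
    out = dict(zip(keys, fields))
    out["severity"] = int(out["severity"])
    out["extension"] = {}
    # A value runs until the next " key=" that is not escaped, or end of line.
    for m in re.finditer(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)", line[i:]):
        out["extension"][m.group(1)] = re.sub(
            r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)),
            m.group(2))
    return out


if __name__ == "__main__":
    # Constructed sample decision from a MAB profile mismatch.
    record = nac_event("Gi1/0/7", "02:00:11:00:00:01", "block",
                       "fingerprint mismatch: vendor=PrinterCo", "nac01")
    print(record)
    print(from_cef(record))
```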
89. Vendor shall provide documented security use cases for the proposed solution.

90. Solution should have the technical specifications defined and documented with security baselines for implementation.

Authorized Signatory
Name and Designation
Office Seal
Place:
Annexure I (C) Technical Specifications: 24 & 48 Port Managed Switch

Sr. No | Product Specifications (Managed Switches) | Bidders Compliance (Yes / No) | Bidders Remarks, if any

Type II & III Managed Switch (24 Port & 48 Port respectively)

1. Minimum of 24 10/100/1000Mbps Gigabit Ethernet auto-sensing ports for Type II Switches and minimum of 48 10/100/1000Mbps Gigabit Ethernet auto-sensing ports for Type III Switches.

2. Should have at least 2 Gigabit Ethernet (1000Mbps) SFP interfaces for uplink connectivity.

3. Switch should be supplied with console cable, power cable (suitable for a 5 Amp socket) and rack mounting kits.

4. Full-duplex operation on Fast Ethernet & Gigabit Ethernet.

5. Multiple load-sharing trunks.

6. Minimum of 512MB DRAM and 256MB Flash memory.

7. Support for a minimum of 16000 MAC addresses.

8. IEEE 802.1Q VLAN support – port-based VLANs.

9. RADIUS support.

10. High MTBF support.

11. The Switch must be able to generate Syslog messages with timestamp and severity codes, which can be exported to a syslog server.

12. HTTP/HTTPS access to the Switch to monitor and configure most of the functionalities, in addition to the command line interface.

13. Support for Address Resolution Protocol (ARP) to work in conjunction with Private VLAN Edge to minimize broadcasts and maximize available bandwidth.

14. The proposed Switch should be IPv6 compliant. The device should be an IPv6-tested device and IPv6 should be supported from day one.

15. Support for 100Base-TX and L2 switching.

16. Multi-Link Trunking.

17. Support for Spanning Tree Protocol (IEEE 802.1D).

18. STP fast-calculation features such as RSTP for faster convergence.

19. Per-port broadcast, multicast and storm control to prevent faulty end stations from degrading overall system performance.

20. Support for classification and scheduling based on 802.1P/Q.
21. Support for 802.1P class-of-service (CoS); ability to mark/override 802.1P CoS per port.

22. Configurable tail drop should be supported for congestion avoidance.

23. Multicast must be supported in hardware so that performance is not affected by multiple multicast instances.

24. L2 multicast support – IGMP snooping.

25. Should support both IPv4 and IPv6 addresses in a multicast group.

26. Support for external RADIUS for console access restriction and authentication.

27. Multi-level access security on the switch console to prevent unauthorized users.

28. Support for 802.1X port-based authentication, RADIUS Change of Authorization (CoA) for Network Access Control, URL redirection for posture, and VLAN and ACL assignment.

29. The proposed Switch must support the below IEEE 802.1X based security requirements, available from day one:
• IEEE 802.1X
• 802.1X with VLAN assignment
• 802.1X with Guest VLAN
• 802.1X with Guest VLAN enhancements
• 802.1X with Auth Fail VLAN
• 802.1X with Auth Fail Open
• 802.1X with MAC Auth Bypass
• 802.1X with MAC Auth Bypass for Voice VLAN
• 802.1X with ACLs
• 802.1X with port security
• 802.1X with accounting
• NAC-L2 IEEE 802.1X
• NAC-L2 IP
• NAC-L2 IP Auth Fail Open
• Web authentication for non-802.1X clients
• Multi-Domain Authentication (802.1X for IP Phone + 1 host behind the phone)
• Switch should support concurrent deployment of 802.1X and MAB authentication.

30. Port-based Access Control List (ACL) for Layer 2 interfaces to allow security policies to be applied on individual switch ports using Layer 2, Layer 3 and Layer 4 parameters.

31. Configuration change tracking.

32. System event logging.

33. Network Time Protocol (NTP) / Simple Network Time Protocol (SNTP) with authentication.
34. Switch should support SNMP version 3.

35. Support for DHCP is desirable: support DHCP to manage IP networks, and support DHCP client and server.

36. Support for secured ports which restrict a port to a user-defined group of authorized stations when secure addresses are assigned to a secure port. The switch should not forward any packets with source addresses outside the defined group of addresses.

37. Switch should prevent DHCP Snooping.

38. IP Root Guard.

39. Broadcast and multicast storm control to avoid degradation in overall system performance.

40. Downloadable ACL (dACL) assigned dynamically per port & port security:
1. Switches should support dACLs per port.
2. Should support downloading of dACLs created on a central NAC server.
3. Each dACL rule should support specification of multiple ports/IP addresses.
4. Switch should support display of the number of times dACL rules get matched.

41. Should be able to integrate with a SIEM solution.

42. The Switch should seamlessly integrate with existing network equipment.

43. Support for per-port broadcast, multicast and unicast storm control.

44. Should support DNS.

45. Should support BPDU guard to avoid topology loops.

46. Unicast MAC filtering, unknown unicast and multicast port blocking.

47. Support for MAC address notification, allowing administrators to be notified of users added to or removed from the network.

48. Support for bidirectional data on the SPAN port, allowing an Intrusion Prevention System (IPS) to take action when an intruder is detected.

49. Provision for dynamic policies at Layer 2-4 for QoS and security.

50. Embedded support for web-based management using a standard secured web browser.

51. Support for SNMP v3 with encryption.

52. Support for TFTP-based software download.

53. Support for port mirroring measurement using a network analyzer or RMON probe.
54. Switch must be remotely manageable via one telnet session for all module configuration.

55. Should have functionality to add new features like OS/firmware upgrades from a central location.

56. Support for dynamic VLAN assignment through IEEE 802.1X for implementation of VLAN membership policy server client functions, to provide flexibility in assigning ports to VLANs. Dynamic VLAN helps enable fast assignment of IP addresses.

57. Real-time multi-port statistics.

58. Device and port groupings for navigation and policy management.

59. TACACS+ server support.

60. Enterprise MIB.

61. Admin access rights.

62. Traffic volume / error / congestion monitoring.

63. The Switch should support IEEE 802.1Q VLANs, 802.1P, 802.1D, 802.3u, 802.1X, 802.3ab, 802.3ad, 802.1s.

64. Should support RFC 768, 783, 791, 792, 826, 854 and RFC 951.

65. The quoted model should be EAL3/NDPP compliant from day one.
ANNEXURE – III
FORMAT FOR INDICATIVE COMMERCIAL BID

1. Name of Bidder :
2. Address of Corporate Office :

TABLE I – COST OF NETWORK ACCESS CONTROL SOLUTION:

Sl.No | Description | Qty (a) | Unit Price (Rs.) (b) | Total price (Rs.) (a*b)
1.a | Network Access Control Appliance* with 3 year comprehensive onsite warranty for DC & DR as per Annexure – I (A). | | |
1.b | Licenses for endpoints / devices as per Annexure – I (A) endpoints / devices with 3 year warranty | 60000 | |
1.c | 24 Port Managed Switch with 3-year comprehensive onsite warranty. | 4590 | |
1.d | 48 Port Managed Switch with 3-year comprehensive onsite warranty. | 197 | |
2. | Total (1.a to 1.d) | | |

*Quantity to be quoted by bidder as per Bill of Materials.

TABLE II – COST OF IMPLEMENTATION:

Sl.No | Description | Total Cost (Rs.)
1 | Total Cost of Installation and Implementation of Network Access Control Solution at Bank's DC, DR, Branches, ATMs & Other locations. |
2 | Total Implementation Cost |

TABLE III – AMC FOR NAC APPLIANCE (4th to 7th Year):

Sl.No | Description | Qty | Unit Price (Rs.) | Total price (Rs.)
1.a | AMC for Network Access Control Appliance for 4th year | | |
1.b | AMC for Network Access Control Appliance for 5th year | | |
1.c | AMC for Network Access Control Appliance for 6th year | | |
1.d | AMC for Network Access Control Appliance for 7th year | | |
2. | Total cost of AMC (1.a to 1.d) | | |
TABLE IV – AMC FOR MANAGED SWITCHES (4th to 7th Year):

Sl.No | Description | Qty | Unit Price (Rs.) | Total price (Rs.)
1.a | AMC for 24 Port Managed Switch for 4th year | 4590 | |
1.b | AMC for 24 Port Managed Switch for 5th year | 4590 | |
1.c | AMC for 24 Port Managed Switch for 6th year | 4590 | |
1.d | AMC for 24 Port Managed Switch for 7th year | 4590 | |
1.e | AMC for 48 Port Managed Switch for 4th year | 197 | |
1.f | AMC for 48 Port Managed Switch for 5th year | 197 | |
1.g | AMC for 48 Port Managed Switch for 6th year | 197 | |
1.h | AMC for 48 Port Managed Switch for 7th year | 197 | |
2 | Total cost of AMC (1.a to 1.i) | | |

TABLE V – COST OF ONSITE SUPPORT (1st year to 7th year):

Sl.No | Description | Qty | Unit Cost (Rs.) | Cost of Support (Rs.)
1.a | Cost of Onsite Support for 1st year | 2 | |
1.b | Cost of Onsite Support for 2nd year | 2 | |
1.c | Cost of Onsite Support for 3rd year | 2 | |
1.d | Cost of Onsite Support for 4th year | 2 | |
1.e | Cost of Onsite Support for 5th year | 2 | |
1.f | Cost of Onsite Support for 6th year | 2 | |
1.g | Cost of Onsite Support for 7th year | 2 | |
2. | Total Cost of Onsite Support | | |

TABLE VI – ATS FOR END POINT LICENSES (4th to 7th Year):

Sl.No | Description | Qty | Unit Price (Rs.) | Total price (Rs.)
1.a | ATS for End Point Licenses for 4th year | 60000 | |
1.b | ATS for End Point Licenses for 5th year | 60000 | |
1.c | ATS for End Point Licenses for 6th year | 60000 | |
1.d | ATS for End Point Licenses for 7th year | 60000 | |
2. | Total cost of ATS (1.a to 1.d) | | |
TABLE VII – SITE VISIT CHARGES FOR ADDITIONAL PROCUREMENT ONLY:

Sl.No | Description | Qty | Unit Price (Rs.) | Total price (Rs.)
1 | Cost of Engineer Visit for implementation of NAC and installation of Managed Switch for additional procurement as per clause 1.13 | 100 | |
2. | Total cost of Visit | | |

TABLE VIII – TOTAL COST OF OWNERSHIP (TCO):

Sl.No | Description | TABLE | Total Price (Rs.)
A | Total amount under Serial No. 2 | TABLE I |
B | Total amount under Serial No. 2 | TABLE II |
C | Total amount under Serial No. 2 | TABLE III |
D | Total amount under Serial No. 2 | TABLE IV |
E | Total amount under Serial No. 2 | TABLE V |
F | Total amount under Serial No. 2 | TABLE VI |
G | Total amount under Serial No. 2 | TABLE VII |
H | GRAND TOTAL | |

Note:
1. L1 will be determined based on the total cost of ownership (TCO) quoted by any of the technically short-listed bidders, whose commercial bid is opened, under Table VIII Serial No. H (Grand Total).
2. Quantities mentioned for Managed Switches, End Point Licenses and Site Visits for Additional Procurement are indicative in nature and should not be construed as a commitment from the Bank. Actual count may differ as per the discretion of the Bank.

We certify that the items quoted above meet all the Technical specifications as per Annexure I of the RFP Ref No. RFP/ITD/005/18-19 dated 05.10.2018 and prices quoted are all in compliance with the terms indicated in clause 1.10 of the RFP Ref No. RFP/ITD/005/18-19 dated 05.10.2018. We also confirm that we agree to all the terms and conditions mentioned in this