# Item and its description Qty

Technical Specification

A. Supply, delivery, installation and configuration of the following brand new and branded server hardware components with the following minimum specifications:

1. Branded and brand new Converged Infrastructure for DepED Central Office and DepED R7 Cebu City with the following minimum specification:

Qty: 2 units

- 1 TB total RAM capacity using DDR4
- 192 virtual CPUs using Intel Xeon E5 series version 3. One (1) virtual CPU is measured as 1 hyper-thread in multi-core processor.
- 20TB raw storage w/ the following minimum specification:
  - hybrid configuration of HD 10K rpm and SSD
  - 80/85-20/15 HD - SSD ratio capacity
  - RAID 0, 1, 10, 5 and 50 option
  - 8 Gbps FC adapter
  - IOPS minimum requirement w/ 50-50 Read-Write ratio:
    - for 80% HD is 2.2K for RAID 5 and 1.35 for RAID 10 at 50/50 RW.
    - for 20% SSD is 2.2K for RAID 5 and 1.35 for RAID 10 at 50/50 RW.
- 42U standard Rack w/ cable management
- w/ console and Software management and monitoring of the converged infrastructure including OS license
- VMWare vCloud Suite 6 Enterprise license for each socket processor w/ 5 year maintenance upgrade and basic technical support 12x5
- RHEL Virtual Datacenter (2 sockets, no physical, unlimited virtual) subscription for each socket processor w/ unlimited guest and 5 year 8x5 NBD subscription and technical support
- 5 years warranty on all equipment w/ 8x5 technical support to include regular onsite update of firmware

2. Branded and brand new network switch for 1 unit of converged infrastructure w/ 5 years warranty on all equipment w/ 8x5 technical support to include regular onsite update of firmware to be part of the server unit in DepED R7 Cebu City

Qty: 2 switches

- 10Gbps port w/ transceivers w/ 24 100/1000Base-T, auto-MDIX
- Modular Operating System
  - Supports individual upgrade of software modules
  - Supports scripting capability
- Supports Data Center Bridging Exchange
- Hot swappable redundant power supply and fan tray
- VoIP-Ready
- POE-Ready
- IPv6 – ready. Should provide the following IPv6 features:
  - IPv4 and IPv6 dual stacking and DNS client
  - Ping, Traceroute, Telnet and SSH-2
  - ICMPv6 and Neighbor discovery
  - Stateless Address Auto Configuration
  - DHCPv6 Relay
  - IPv6 Access Control List
  - RA (router advertisement) filtering
  - 6to4 and 6in4 tunneling
- Layer 2/3
- Manageability: RMON, Flexible Netflow, CLI, SSHv2, SSL, SNMPv1/v2/v3
- High Availability: Cross-Stack EtherChannel; Rapid Spanning-Tree Protocol (RSTP), IEEE802.1w; Multiple Spanning-Tree Protocol (MSTP), IEEE802.1s; Per-VLAN Rapid Spanning-Tree (PVRST+); Switch-port Autorecovery (Err-disable)
- Quality of Service: Traffic prioritization, Class of Service (CoS), Rate limiting
- Layer 2 Switching: VLAN support and tagging, VLAN stacking (IEEE802.1ad and Q-in-Q), IGMP and MLD snooping
- Layer 3 Routing:
  - IPv4 routing: Static IP, RIPv1/v2, OSPF, ISIS, EIGRP stub, 24K routes capacity
  - IPv6 routing: RIPng, OSPFv3, EIGRPv6, Policy-Based Routing (IPv4 & IPv6)
  - IPv6 tunneling
  - IGMPv1/v2/v3
  - Protocol Independent Multicast (PIM): PIM-SM / PIM-SSM / PIM-DM, Static multicast, MBGP, SDP, PIMv6
- Connectivity: MSTP (IEEE802.1s), RSTP (IEEE802.1w), STP (IEEE802.1d), Link Aggregation (IEEE802.1ad)
- Security: ACL, Kerberos Snooping, RADIUS/TACACS+, SSH, HTTPS and SSL, Port Security and MAC Address Filtering, DHCP snooping
- Certification: ISO 9001:2008 Certified, ISO 14001:2004 Certified, FCC Compliant, CE Compliant, ROHS Compliant
- Warranty: 3 years warranty before End of Life plus Limited Lifetime Warranty (Limited Lifetime Warranty refers to the guarantee issued by the manufacturer on a particular device and will last until five (5) years after that device was discontinued/End-of-Life.)
- 8x5 onsite Technical Support: response time: 1-2 hours, Next business day hardware replacement, 24x7 Remote Assistance
- 1RU Fiber Optic Patch Panel, Fiber Optic Patch Cords and appropriate connectors, Rack mounting kits

3. Branded and brand new 8 port KVM Analog Console Switch w/:

Qty: 1

- Rack-mounting hardware kit, Power Cord, power jumper cable, documentation kit, DB9-RJ45 (VGA+USB)
- 3 years warranty

For installation and delivery in Manila

B. Supply and delivery of the following software licenses/subscriptions and brand new and branded mobile device with the following minimum specifications:

Columns: #, Item and its description, Qty

1. VMWare vSphere 6 Operations Management Enterprise Plus license for each socket processor w/ 5 year maintenance upgrade and basic technical support 12x5

12 sockets

2. RHEL Virtual Datacenter (2 sockets, no physical, unlimited virtual) w/ 5 year subscription and Standard business hours technical support

6

3. Windows Server 2012R2 Standard w/ 5 CALS each

4

4. NGINX Plus Standard 

5 year support for production instances



14

5 year upgrade maintenance for development/testing/QA instances

5. Branded and brand new 1 TB USB 3.0 Portable SSD

6

6. SSL Digital Certificate for one (1) main domain and sub-domain for 5 years w/ the following specification:

1

          

- Extended Validation, displays the green bar and organization name
- Full organization authentication
- Vulnerability assessment
- Daily scan of public web pages under DepED’s hostname
- 256 bit and 128 bit encryption
- RSA, ECC, DSA algorithm support w/ the same SSL certificate
- SSL v3/TLS compatible
- Support for SAN (UC) - secure up to 25 fully-qualified domains with a single certificate.
- Support for IDN
- Licensing for multiple servers hosting a single main domain, support for load balancing, redundant, backup servers and SSL accelerators
- Free 24x7 technical support thru toll free numbers, chat, email and online support thru knowledge base

8

C. Supply, delivery, installation and configuration of brand new Next Generation Firewall (NGFW) with the following minimum specifications:

Supply, delivery, installation and configuration of branded and brand new Next Generation Firewall (NGFW) in Manila and Cebu w/ the following technical specification

Qty: 4

1. Network/Content Security

- Firewall
- Intrusion Prevention System (IPS)
- Web Application Firewall (WAF)
- Web Content/Application Filtering
- Gateway Anti-virus/Anti-Spyware/Anti-Spam (in-bound/outbound)
- HTTPS/SSL content security
- Content filtering

2. System Performance

- Firewall Throughput (UDP): 20gbps
- Firewall Throughput (TCP): 15gbps
- New sessions/second: 150K
- Concurrent sessions: 4M
- IPSec VPN Throughput: 2gbps
- No. of IPSec Tunnels: 5k
- SSL (3DES/AES) VPN Throughput: 500mbps
- WAF Protected Throughput: 1gbps
- Gateway Anti-Virus Throughput: 4gbps
- IPS Throughput: 5gbps
- NGFW Throughput: 3gbps
- Fully Protected Throughput: 2gbps

3. Interfaces

- Maximum number of Available Ports: 8
- Fixed Copper GbE Ports: 8
- Supports expandable/scalable I/O port for Copper/Fiber 1G/10G
- Console Ports (RJ45): 1
- With configurable Internal/DMZ/WAN Ports
- USB Ports: 2
- Hardware Bypass Segment: 2

4. Stateful Inspection Firewall

- Multiple Security Zones
- Location-aware and Device-aware Identity-based Access Control Policy
- Access Control Criteria (ACC): User-Identity, Source and Destination Zone, MAC and IP address, Service
- Security policies: IPS, Web Filtering, Application Filtering, Anti-virus, Anti-spam and QoS
- Country-based Traffic Control
- Access Scheduling
- Policy based Source and Destination NAT, Gateway Specific NAT Policy
- H.323, SIP NAT Traversal
- DoS and DDoS attack prevention
- MAC and IP-MAC filtering
- Spoof Prevention

5. Intrusion Prevention System

- 4.5k Signatures - allow custom signature and w/ Pre-configured Zone-based multiple filter based on different category, severity, platform and client/server
- w/ IPS actions configuration for recommended, allowed/drop/disable and reset/bypass packet/session
- User-based policy creation
- Automatic/manual signature updates
- Protocol Anomaly Detection
- SCADA-aware IPS with pre-defined category for ICS and SCADA signatures

6. Application Filtering

- Layer 7 (Applications) control and visibility
- Inbuilt Application Category Database
- Control over 2,000+ Applications w/ classified categories
- Filter based by category, risk level, characteristics, technology, etc.
- Schedule-based access control
- Visibility and controls for HTTPS based Micro-Apps like Facebook chat/apps/games, Youtube video upload
- Securing SCADA Networks
- SCADA/ICS Signature-based Filtering for Protocols, Modbus, DNP3, IEC, Bacnet, FINS, Secure DNP3
- Control various Commands and Functions

7. Web Application firewall

- Positive Protection model
- Protection against SQL Injections, Cross-site Scripting (XSS), Session Hijacking, URL Tampering, Cookie Poisoning etc.
- Support for HTTP 0.9/1.0/1.1

8. Web Filtering

- On-Cloud Web Categorization
- Schedule based access control
- Controls based on URL Keyword and File type, w/ customizable and default web categories and external URL
- Supports HTTP and HTTPS
- Blocks the following: Malware, Phishing, Pharming URLs, Java Applets, Cookies, Google Cache pages
- CIPA compliant
- Data leakage control
- Block HTTP/HTTPS upload
- Safe search enforcement

9. Gateway Anti-virus/Anti-Spyware

- Virus, Worm, Trojan Detection and Removal
- Spyware, Malware, Phishing protection
- Automatic virus signature database update
- Scans HTTP/S, FTP, SMTP, POP3, IMAP, VPN Tunnels
- Customize individual user scanning
- Self Service Quarantine area
- Scan and deliver by file size
- Block by file types

10. Gateway Anti-spam

- Inbound and Outbound Scanning
- Real-time Blacklist (RBL), MIME header check
- Filter based on message header, size, sender, recipient
- Language and Content-agnostic spam protection using RPD Technology
- Zero Hour Virus Outbreak Protection
- Self Service Quarantine area
- IP address Black list/White list
- Spam Notification through Digest
- IP Reputation based Spam filtering

11. VPN

- IPSec, L2TP, PPTP
- Encryption/Hash Algorithms - 3DES, DES, AES, Twofish, Blowfish, Serpent, MD5, SHA-1
- Authentication: Preshared key, Digital certificates
- IPSec NAT Traversal
- Dead peer detection and PFS support
- Diffie Hellman Groups - 1, 2, 5, 14, 15, 16
- External Certificate Authority support
- Export Road Warrior connection configuration
- Domain name support for tunnel end points
- VPN connection redundancy
- Overlapping Network support
- Hub & Spoke VPN support
- IPSec VPN client should be compatible w/ major IPSec VPN gateway
- VPN (SSL/IPSec) Client support both Linux and Windows

12. SSL VPN

- TCP & UDP Tunneling
- Authentication - AD, LDAP, RADIUS
- Multi-layered Client Authentication - Certificate, Username/Password
- User & Group policy enforcement
- Network access - Split and Full tunneling
- Browser-based (Portal) Access - Clientless access
- Lightweight SSL VPN Tunneling Client
- Granular access control to all the enterprise network resources
- Administrative controls - Session timeout, Dead Peer Detection, Portal customization
- TCP based Application Access - HTTP, HTTPS, RDP, TELNET, SSH

13. Networking

- w/ multi-link load balancing for ISP providers, multiple gateway
- Automated Failover/Failback
- Interface types: Alias, Multiport Bridge, LAG (port trunking), VLAN, WWAN, TAP
- DNS-based inbound load balancing
- IP Address Assignment - Static, PPPoE (with Schedule Management), L2TP, PPTP & DDNS, Client, Proxy ARP, Multiple DHCP Servers support, DHCP relay
- Supports HTTP Proxy, Parent Proxy with FQDN
- Dynamic Routing: RIP v1 & v2, OSPF, BGP, PIM-SIM, Multicast Forwarding
- Support 16 and 32 bit Autonomous Service Number (ASN)
- Support of ICAP to integrate third-party DLP, Web Filtering and AV applications
- Discover mode for PoC Deployments
- IPv6 ready and support, IPv6 Route – static and source, IPv6 tunneling (6in4, 6to4, 6rd, 4in6), management over IPv6
- Dual Stack Architecture: Support for IPv4 and IPv6 Protocols
- Alias and VLAN
- DNSv6 and DHCPv6 Services
- Firewall security over IPv6 traffic
- High Availability for IPv6 networks

14. Bandwidth Management

- IP, group, policy, Application, Web Category and Identity based Bandwidth Management for inbound and outbound
- w/ Bandwidth prioritization, dedicated or shared bandwidth and scheduling
- Guaranteed & Burstable bandwidth policy
- Application & User Identity based Traffic Discovery
- Data Transfer Report for multiple Gateways

15. Administration and System Management

- Centralize Web-based configuration wizard
- Role-based Access control
- Support of API
- Firmware Upgrades via Web UI or manually via file upload
- Web 2.0 compliant UI (HTTPS)
- Command Line Interface (Serial, SSH, Telnet)
- SNMP (v1, v2, v3), English

16. Logging/monitoring

- Real-time and historical Monitoring, w/ log Viewer on IPS, Web filter, WAF, Anti-Virus, Anti Spam, Authentication, System and Admin Events by IP, mac address, time/date, ports, application, inbound/outbound, gateway
- Forensic Analysis with quick identification of network, attacks and other traffic anomalies
- Syslog support, 4-eye Authentication, packet monitoring/viewing

17. Dashboard/Reporting

- w/ default and customizable dashboards on all monitoring aspects including network traffic and utilization
- Integrated Web-based Reporting tool, w/ drilldown reports
- Compliance reports - HIPAA, GLBA, SOX, PCI, FISMA
- Zone based application reports, by username, Host, Email ID specific Monitoring Dashboard
- Reports on Application, Internet & Web Usage, Mail Usage, Attacks, Spam, Virus, Search Engine, Client Types Report including BYOD Client Types
- Export reports in - PDF, Excel, HTML
- Email notification of reports
- Report customization - (Custom view and custom logo)

18. High Availability

- Active-Active
- Active-Passive with state synchronization
- Stateful Failover with LAG Support

19. Compliance

- CE, FCC

20. Site Delivery

- 2 Firewall in DepED Manila
- 2 Firewall in DepED Region 7, Lahug, Cebu City

21. Subscription/Warranty/Maintenance and Support

- 5 years subscription for Firewall, IPS/IDS, WAF, Web Content/Application filtering, Gateway Anti-virus/Anti-Spyware/Anti-Spam
- 5 years Warranty w/ parts and labor, onsite replacement
- 5 years 8x5 support and maintenance w/ local (Manila) technical support via email, web, chat and telephone, onsite support in configuration when needed
- Unlimited incident report

D. Training

Columns: #, Item and its description, Qty

1. Orientation and training on converged infrastructure for at least 8 to 12 pax based on DepED needs to include the following:

8 - 12 pax/2 batches



- Hardware components, parts and configuration to include switch, network connectivity, storage and server
- Administration, monitoring and troubleshooting

2. Training (Knowledge Transfer) on VMWare vCloud and VSphere OM for at least 8 to 12 pax based on DepED needs to include the following:

8 - 12 pax/2 batches

 

- VMWare portfolio
- Installation, configuration, administration and customization to include cloud, data center virtualization and network virtualization

3. Training (Knowledge Transfer) on RHEL installation, administration and maintenance for at least 8 pax

8 - 12 pax/2 batches

4. Training (Knowledge Transfer) on Firewall administration and maintenance for at least 6 pax

6 - 8 pax/2 batches

5. All training should be delivered within 12 months of acceptance of the equipment into 2 batches.