ANNEX A. Server Infrastructure Requirements. Scope of Services

Author: Diane Underwood
Scope of Services

1. Supply, delivery, installation and configuration of server infrastructure including its hypervisor and operating system
2. Supply and delivery of software licenses/subscriptions and mobile device
3. Supply, delivery, installation and configuration of Next Generation Firewall (NGFW)
4. Training

Technical Specification

A. Supply, delivery, installation and configuration of the following brand new and branded server hardware components with the following minimum specifications:

1. Branded and brand new Converged Infrastructure for DepED Central Office and DepED R7 Cebu City with the following minimum specification (Qty: 2 units):
• 1 TB total RAM capacity using DDR4
• 192 virtual CPUs using Intel Xeon E5 series version 3. One (1) virtual CPU is measured as 1 hyper-thread in multi-core processor.
• 20TB raw storage w/ the following minimum specification:
  o hybrid configuration of HD 10K rpm and SSD
  o 80/85-20/15 HD - SSD ratio
  o RAID 0, 1, 10, 5 and 50 option
  o 8 Gbps FC adapter
• 42U standard Rack w/ cable management
• w/ console and Software management and monitoring of the converged infrastructure including OS license
• VMWare vCloud Suite 6 Enterprise license for each socket processor w/ 5 year maintenance upgrade and basic technical support 12x5
• RHEL Virtual Datacenter (2 sockets, no physical, unlimited virtual) subscription for each socket processor w/ unlimited guest and 5 year 8x5 NBD subscription and technical support
• 5 years warranty on all equipment w/ 8x5 technical support to include regular onsite update of firmware

2. Branded and brand new network switch for 1 unit of converged infrastructure w/ 5 years warranty on all equipment w/ 8x5 technical support to include regular onsite update of firmware to be part of the server unit in DepED R7 Cebu City (Qty: 2 switches)

3. Branded and brand new 8 port KVM Analog Console Switch (Qty: 1) w/:
• Rack-mounting hardware kit, Power Cord, power jumper cable, documentation kit, DB9-RJ45 (VGA+USB)
• 3 years warranty
For installation and delivery in Manila

B. Supply and delivery of the following software licenses/subscriptions and brand new and branded mobile device with the following minimum specifications:

1. VMWare vSphere 6 Operations Management Enterprise Plus license for each socket processor w/ 5 year maintenance upgrade and basic technical support 12x5
2. RHEL Virtual Datacenter (2 sockets, no physical, unlimited virtual) w/ 5 year subscription and Standard business hours technical support
3. Windows Server 2012R2 Standard w/ 5 CALS each
4. NGINX Plus Standard
• 5 year support for production instances
• 5 year upgrade maintenance for development/testing/QA instances
5. Branded and brand new 1 TB USB 3.0 Portable SSD
6. SSL Digital Certificate for one (1) main domain and sub-domain for 5 years w/ the following specification:
• Extended Validation, displays the green bar and organization name
• Full organization authentication
• Vulnerability assessment
• Daily scan of public web pages under DepED’s hostname
• 256 bit and 128 bit encryption
• RSA, ECC, DSA algorithm support w/ the same SSL certificate
• SSL v3/TLS compatible
• Support for SAN (UC) - secure up to 25 fully-qualified domains with a single certificate.
• Support for IDN
• Licensing for multiple servers hosting a single main domain, support for load balancing, redundant, backup servers and SSL accelerators
• Free 24x7 technical support thru toll free numbers, chat, email and online support thru knowledge base

Qty 12 sockets 6 4 14 6 8 1

C. Supply, delivery, installation and configuration of brand new Next Generation Firewall (NGFW) with the following minimum specifications:

Supply, delivery, installation and configuration of branded and brand new Next Generation Firewall (NGFW) in Manila and Cebu w/ the following technical specification (Qty: 4):

1. Network/Content Security
• Firewall
• Intrusion Prevention System (IPS)
• Web Application Firewall (WAF)
• Web Content/Application Filtering
• Gateway Anti-virus/Anti-Spyware/Anti-Spam (in-bound/out-bound),
• HTTPS/SSL content security
• Content filtering

2. System Performance
• Firewall Throughput (UDP): 20gbps
• Firewall Throughput (TCP): 15gbps
• New sessions/second: 150K
• Concurrent sessions: 4M
• IPSec VPN Throughput: 2gbps
• No. of IPSec Tunnels: 5k
• SSL (3DES/AES) VPN Throughput: 500mbps
• WAF Protected Throughput: 1gbps
• Gateway Anti-Virus Throughput: 4gbps
• IPS Throughput: 5gbps
• NGFW Throughput: 3gbps
• Fully Protected Throughput: 2gbps

3. Interfaces
• Maximum number of Available Ports: 8
• Fixed Copper GbE Ports: 8
• Supports expandable/scalable I/O port for Copper/Fiber 1G/10G
• Console Ports (RJ45): 1
• With configurable Internal/DMZ/WAN Ports
• USB Ports: 2
• Hardware Bypass Segment: 2

4. Stateful Inspection Firewall
• Multiple Security Zones
• Location-aware and Device-aware Identity-based Access Control Policy
• Access Control Criteria (ACC) User-Identity
• Source and Destination Zone
• MAC and IP address
• Service Security policies IPS
• Web Filtering
• Application Filtering, Anti-virus
• Anti-spam and QoS
• Country-based Traffic Control
• Access Scheduling Policy based Source and Destination NAT
• Gateway
• Specific NAT Policy
• H.323
• SIP NAT Traversal
• DoS and DDoS attack prevention
• MAC and IP-MAC filtering
• Spoof Prevention

5. Intrusion Prevention System
• 4.5k Signatures - allow custom signature and w/ Pre-configured Zone-based multiple
• filter based on different category, severity, platform and client/server,
• w/ IPS actions configuration for recommended, allowed/drop/disable and reset/bypass packet/session,
• User-based policy creation, Automatic/manual signature updates,
• Protocol Anomaly Detection,
• SCADA-aware IPS with pre-defined category for ICS and SCADA signatures

6. Application Filtering
• Layer 7 (Applications) control and visibility,
• Inbuilt Application Category Database,
• Control over 2,000+ Applications w/ classified categories,
• Filter based by category, risk level, characteristics, technology, etc,
• Schedule-based access control,
• visibility and controls for HTTPS based Micro-Apps like Facebook chat/apps/games, Youtube video upload,
• Securing SCADA Networks, SCADA/ICS Signature-based Filtering for Protocols, Modbus, DNP3, IEC, Bacnet, FINS, Secure DNP3
• Control various Commands and Functions

7. Web Application firewall
• Positive Protection model
• Protection against SQL Injections, Cross-site Scripting (XSS), Session Hijacking, URL Tampering, Cookie Poisoning etc.
• Support for HTTP 0.9/1.0/1.1

8. Web Filtering
• On-Cloud Web Categorization
• schedule based access control
• controls based on URL
• Keyword and File type, w/ customizable and default web categories and external URL,
• supports HTTP and HTTPS, blocks the ff: Malware, Phishing, Pharming URLs, Java Applets, Cookies, Google Cache pages
• CIPA compliant
• data leakage control
• block HTTP/HTTPS upload
• safe search enforcement

9. Gateway Anti-virus/Anti-Spyware
• Virus, Worm, Trojan Detection and Removal
• Spyware, Malware, Phishing protection
• Automatic virus signature database update
• Scans HTTP/S, FTP, SMTP, POP3, IMAP, VPN Tunnels
• Customize individual user scanning
• Self Service Quarantine area
• Scan and deliver by file size
• Block by file types

10. Gateway Anti-spam
• Inbound and Outbound Scanning
• Real-time Blacklist (RBL), MIME header check
• Filter based on message header, size, sender, recipient
• Language and Content-agnostic spam protection using RPD Technology
• Zero Hour Virus Outbreak Protection
• Self Service Quarantine area
• IP address Black list/White list
• Spam Notification through Digest
• IP Reputation based Spam filtering

11. VPN
• IPSec, L2TP, PPTP
• Encryption/Hash Algorithms - 3DES, DES, AES, Twofish, Blowfish, Serpent, MD5, SHA-1
• Authentication: Preshared key, Digital certificates
• IPSec NAT Traversal
• Dead peer detection and PFS support
• Diffie Hellman Groups - 1, 2, 5, 14, 15, 16
• External Certificate Authority support
• Export Road Warrior connection configuration
• Domain name support for tunnel end points
• VPN connection redundancy
• Overlapping Network support
• Hub & Spoke VPN support
• IPSec VPN client should be compatible w/ major IPSec VPN gateway
• VPN (SSL/IPSec) Client support both linux and windows

12. SSL VPN

• TCP & UDP Tunneling
• Authentication - AD, LDAP, RADIUS
• Multi-layered Client Authentication - Certificate, Username/Password
• User & Group policy enforcement
• Network access - Split and Full tunneling
• Browser-based (Portal) Access - Clientless access
• Lightweight SSL VPN Tunneling Client
• Granular access control to all the enterprise network resources
• Administrative controls - Session timeout, Dead Peer Detection, Portal customization
• TCP based Application Access - HTTP, HTTPS, RDP, TELNET, SSH

13. Networking
• w/ multi-link load balancing for ISP providers, multiple gateway
• Automated Failover/Failback
• Interface types: Alias, Multiport Bridge, LAG (port trunking), VLAN, WWAN, TAP
• DNS-based inbound load balancing
• IP Address Assignment - Static, PPPoE (with Schedule Management), L2TP, PPTP & DDNS, Client, Proxy ARP, Multiple DHCP Servers support, DHCP relay
• Supports HTTP Proxy, Parent Proxy with FQDN
• Dynamic Routing: RIP v1 & v2, OSPF, BGP, PIM-SIM, Multicast Forwarding
• Support 16 and 32 bit Autonomous Service Number (ASN)
• Support of ICAP to integrate third-party DLP, Web Filtering and AV applications
• Discover mode for PoC Deployments
• IPv6 ready and support, IPv6 Route – static and source, IPv6 tunneling (6in4, 6to4, 6rd, 4in6), management over IPv6

• Dual Stack Architecture: Support for IPv4 and IPv6 Protocols
• Alias and VLAN
• DNSv6 and DHCPv6 Services
• Firewall security over IPv6 traffic
• High Availability for IPv6 networks

14. Bandwidth Management
• IP, group, policy, Application, Web Category and Identity based Bandwidth Management for inbound and outbound
• w/ Bandwidth prioritization, dedicated or shared bandwidth and scheduling
• Guaranteed & Burstable bandwidth policy
• Application & User Identity based Traffic Discovery
• Data Transfer Report for multiple Gateways

15. Administration and System Management
• Centralize Web-based configuration wizard
• role-based Access control
• support of API
• Firmware Upgrades via Web UI or manually via file upload
• Web 2.0 compliant UI (HTTPS)
• Command Line Interface (Serial, SSH, Telnet) SNMP (v1, v2, v3), English

16. Logging/monitoring
• Real-time and historical Monitoring, w/ log Viewer on IPS, Web filter, WAF, Anti-Virus, Anti Spam, Authentication, System and Admin Events by IP, mac address, time/date, ports, application, inbound/outbound, gateway
• Forensic Analysis with quick identification of network, attacks and other traffic anomalies,
• Syslog support, 4-eye Authentication, packet monitoring/viewing

17. Dashboard/Reporting
• w/ default and customizable dashboards on all monitoring aspects including network traffic and utilization, Integrated Web-based Reporting tool, w/ drilldown reports, compliance reports - HIPAA, GLBA, SOX, PCI, FISMA, zone based application reports, by username, Host, Email ID specific Monitoring Dashboard, Reports on Application, Internet & Web Usage, Mail Usage, Attacks, Spam, Virus, Search Engine, Client Types Report including BYOD Client Types,
• Export reports in - PDF, Excel, HTML
• Email notification of reports
• Report customization - (Custom view and custom logo)

18. High Availability
• Active-Active
• Active-Passive with state synchronization
• Stateful Failover with LAG Support

19. Compliance
• CE, FCC

20. Site Delivery
• 2 Firewall in DepED Manila
• 2 Firewall in DepED Region 7, Lahug, Cebu City

21. Subscription/Warranty/Maintenance and Support
• 5 years subscription for Firewall, IPS/IDS, WAF, Web Content/Application filtering, Gateway Anti-virus/Anti-Spyware/Anti-Spam
• 5 years Warranty w/ parts and labor, onsite replacement
• 5 years 8x5 support and maintenance w/ local (Manila) technical support via email, web, chat and telephone, onsite support in configuration when needed
• Unlimited incident report

D. Training

1. Orientation and training on converged infrastructure for at least 8 to 12 pax based on DepED needs (Qty: 8 - 12 pax/2 batches) to include the following:
• Hardware components, parts and configuration to include switch, network connectivity, storage and server
• Administration, monitoring and troubleshooting
2. Training on VMWare vCloud and vSphere OM for at least 8 to 12 pax based on DepED needs (Qty: 8 - 12 pax/2 batches) to include the following:
• VMWare portfolio
• Installation, configuration, administration and customization to include cloud, data center virtualization and network virtualization
3. Training on RHEL installation, administration and maintenance for at least 8 pax (Qty: 8 - 12 pax/2 batches)
4. Training on Firewall administration and maintenance for at least 6 pax (Qty: 6 - 8 pax/2 batches)
5. All training should be delivered within 12 months of acceptance of the equipment into 2 batches.
