REQUEST FOR PROPOSAL

UNIFIED THREAT MANAGEMENT SOLUTION AND NETWORK SEGMENTATION

CBKL/ICT/UTMS/15 - 1

TABLE OF CONTENTS

SECTION 1 – INTRODUCTION

1.1 - Instruction to Bidders

SECTION 2 - TERMS OF REFERENCE

SECTION 3 - TECHNICAL AND ARCHITECTURE REQUIREMENTS

SECTION 4 - QUANTITIES

SECTION 5 - EVALUATION CRITERIA

SECTION 6 - GENERAL CONDITIONS OF CONTRACT

SECTION 7 - ANNEXURES

SECTION 1 – INTRODUCTION

This document constitutes the formal Request for Proposals (RFP) for a Unified Threat Management Solution and Network Segmentation for the Bank.

1.1 Instruction to Bidders

1.1.1 Purpose / Objectives of the proposal are listed in section 2. The bidder shall include in their offer any additional services considered necessary for the successful achievement of the objectives.
1.1.2 Proposals / Proposals from bidders should be submitted in two distinct parts, namely technical proposal and financial proposal, and these should be in two separate sealed envelopes, both of which should then be placed in a common sealed envelope marked “CBKL/ICT/UTMS/15-1”
DO NOT OPEN BEFORE 10th September 2015 at 12.00 Noon.
The two separate inner envelopes should be clearly marked “Technical Proposal” and “Financial Proposal” respectively and should bear the name of the Bidder.
  1. The Bidder shall prepare original and 1 (one) hard copy of the bid, clearly marking each “ORIGINAL BID” and “COPY OF BID,” as appropriate. In the event of any discrepancy between original and the copy, the original hard copy shall govern.
  2. Valid only if initialed by the people signing the bid.

1.1.3 Technical Proposal / The Proposal should contain the following:
  1. Executive Summary
  2. Profile of the firm.
  3. Vendor Information
  4. General Product Requirements
  5. Understanding of Bank Requirements
  6. Proposed Solution
  7. Functional Requirements
  8. Technical Requirements
  9. Technical Architecture
  10. Hardware & Software Requirements
  11. Implementation & Support
  12. Project Plan & Schedule
  13. Project Implementation Methodology
  14. Help Desk & Support
  15. Additional Requirements
  16. Eligibility Documentation
  17. Proof of Bidder engaged in implementing at least 3 projects globally
  18. Proof of Bidder having director support offices in Kenya
  19. Client References

1.1.4 Evaluation of bids / A two-stage procedure will be adopted by the Bank for evaluating the proposals, with the technical proposals being evaluated prior to the financial proposals. Technical proposals will be evaluated based on the following general areas:
STAGE I: Functional & Technical Evaluation
In this stage, the evaluation would be made separately for each of the four sections described hereunder:-
- Functional features
- Technical features
- Vendor and Product Details
- Product Implementation & Support
STAGE II – Product Demo / Site Visits
The vendors qualifying in stage I as per the procedure prescribed hereinabove shall become eligible for evaluation in stage II.
1.1.5 Bid Validity Period / Bidders are requested to hold their proposals valid for one hundred and twenty (120) days from the closing date for the submission.
1.1.6 Documents Comprising the Bid / The bid submitted by a Bidder shall comprise the proposal to the requirements. Each bid shall include only one technical and one price/financial solution.
1.1.7 Cancellation of the bidding process / The Bank reserves the right to accept or to reject any bid, and to annul the bidding process and reject all bids at any time prior to the award of the contract, without thereby incurring any liability to any Bidder or any obligation to inform the Bidder of the grounds for its action.
1.1.8 Cost of bidding / The Bidder shall bear all costs associated with the preparation and submission of its bid, and the Bank will in no case be responsible or liable for those costs, regardless of the conduct or outcome of the bidding process.
1.1.9 Clarification of Bidding Document / All correspondence related to the contract shall be made in English. Any clarification sought by the bidder in respect of the project shall be addressed at least three (3) days before the deadline for submission of bids, in writing to the Tender Committee.
The queries and replies thereto shall then be circulated to all other prospective bidders (without divulging the name of the bidder raising the queries) in the form of an addendum, which shall be acknowledged in writing by the prospective bidders.
Enquiries or clarifications should be sent by e-mail to:
1.1.10 Amendment of Bidding Document / At any time prior to the deadline for submission of bids, the Bank, for any reason, whether at its own initiative or in response to a clarification requested by a prospective Bidder, may modify the bidding documents by amendment.
All prospective Bidders that have received the bidding documents will be notified of the amendment in writing, and it will be binding on them. It is therefore important that bidders give correct contact details at the time of collecting/receiving the bid document.
To allow prospective Bidders reasonable time to take any amendments into account in preparing their bids, the Bank may at its sole discretion extend the deadline for the submission of bids based on the nature of the amendments.
1.1.11 Deadline for Submission of Bids / Bids must be delivered on or before 10th September 2015, 12.00 noon to:
The Chairman,
Tender Committee,
Consolidated Bank of Kenya Limited,
6th Floor, Consolidated Bank Building,
P.O. Box 51133 - 00200
Nairobi, Kenya
Bids sent by mail should reach by the same deadline. Bids received after the above-specified date and time shall not be considered.
Bids will be opened in the presence of a maximum of one representative from each bidder who chooses to attend at 12.00 noon on the same day on 6th Floor, Consolidated Bank Building.
1.1.12 Bid Price / The Bidder shall, in their offer (Financial Proposal), detail the proposed fee structure for the contract with the Bank.
The fee should be a Fixed Lump Sum Fee but with sufficient elemental breakdown. The summary of the bid price will be recorded in the Bid Price schedules as included in annexes 4.2.
No price escalation under this contract shall be allowed.
1.1.13 Taxes and Incidental Costs / The prices and rates in the financial offer will be deemed to be inclusive of all taxes and any other incidental costs and overheads but exclusive only of Value Added Tax (VAT), which shall be computed and indicated in the price schedule.
1.1.14 Responsiveness of Proposals / The responsiveness of the proposals to the requirements of this RFP will be determined. A responsive proposal is deemed to contain all documents or information specifically called for in this RFP document. A bid determined not responsive will be rejected by the Bank and may not subsequently be made responsive by the Bidder by correction of the non-conforming item(s).
1.1.15 Currency for Pricing of Tender / All bids in response to this RFP should be expressed in USD (US Dollars). Expressions in other currencies shall not be permitted.
1.1.16 Correction of Errors / Bids determined to be substantially responsive will be checked by the Bank for any arithmetical errors. Errors will be corrected by the Bank as below:
  1. where there is a discrepancy between the amounts in figures and in words, the amount in words will govern, and
  2. where there is a discrepancy between the unit rate and the line total resulting from multiplying the unit rate by the quantity, the unit rate as quoted will govern.
The price amount stated in the Bid will be adjusted by the Bank in accordance with the above procedure for the correction of errors.
1.1.17 Evaluation and Comparison of Bids / Technical proposals will be evaluated prior to the evaluation of the financial bids. Financial bids of firms whose technical proposals are found to be non-qualifying in whatever respect may be returned unopened.

SECTION 2 - TERMS OF REFERENCE

2.1 Information to candidates

2.1.1 Consolidated Bank will select a firm among those who submit their bids in accordance with the method of selection detailed under this section and consistent with the regulations. Firms are invited to submit a technical proposal and a financial proposal for a unified security management appliance required for the assignment stated in the letter of invitation.

2.1.2 Firms invited must familiarize themselves with local conditions as regards the assignment and take them into account in preparing their proposals. To obtain adequate information on the assignment and on the local conditions, candidates are encouraged to liaise with the procuring entity regarding any information that they may require before submitting a quotation.

2.1.3 The cost of preparing the proposal and negotiating the contract including any visit to the procuring entity are not reimbursable as a direct cost of the assignment. The procuring entity is not bound to accept any of the quotations submitted.

2.1.4 Consolidated Bank’s employees, committee members, board members and their relatives (spouse and children) are not eligible to participate in the tender.

2.2 Clarification and amendment to the RFP documents

2.2.1 Project Objective

The key objective is to ensure attainment of the best security practices within Consolidated Bank’s internal network, in line with today’s level of technology.

2.2.2 Specific Objectives

  • Protect the bank’s infrastructure
  • Threat detection and prevention
  • Protect the bank’s image
  • Segment the bank’s network.
  • Network monitoring.

2.3 Scope of work

The exercise is expected to address all relevant areas critical for the successful implementation of infrastructural security. To demonstrate their understanding of the work involved, the vendor is required to submit a clear concept based on their understanding and experience of implementing infrastructure security.

The following are key areas to be well addressed in the proposal, with a clear model to be used in implementation of:

  • Unified Threat management
  • Routing, Network, Traffic Management & monitoring
  • Firewall
  • Web Content Filtering
  • Anti-Spam Features
  • User/Group Based Authentication
  • Logging & Alerting
  • IDS/IPS Features

2.4 Deliverables

During this project, the vendor is expected to understand the existing infrastructure and advise/suggest appropriate security and network design taking a holistic view of the bank’s current and future requirements.

The vendor’s work will result in the following deliverables:

  • Proposed Model and technology for Consolidated Bank infrastructural security.
  • Justification of the choice of model and design.
  • Implementation Plan including clear milestones, which include but are not limited to: inception report, implementation, work plan, monitoring and knowledge share.
  • Make a cost-benefit analysis of the option proposed and advise accordingly.
  • Assess and analyze the networking requirements for the security solution and suggest suitable option for a cost-effective networking architecture for the bank.
  • Devise a clear and workable strategy for pilot implementation and roll out.
  • Include disaster recovery procedures and Business Continuity Plan for the IT components/solutions.

2.5 Vendor Qualifications

To be eligible for this assignment, the following are mandatory requirements:-

a) Detailed organization profile including evidence of a legal business entity (mandatory)

b) The vendor should have sound financial standing, necessary for undertaking the assignment.

c) Should have sufficient knowledge in implementation of Unified Threat Management (UTM) or Unified Security Management (USM).

d) Should have hands-on experience in rolling out (or just about) such solutions elsewhere. Documentary proof is to be enclosed (at least three pieces of evidence: LPOs, contracts, AMCs).

e) Should have a talent pool with experience in all related security aspects, with permanent staff currently working with the vendor.

f) Should have established Project Management methods for implementing network security projects or network management.

g) Should provide the team leader who has personally been involved in at least one similar implementation of network management in Kenya or abroad and proof of successful implementation testified by the user should be enclosed.

h) The outer envelope and the technical proposals shall remain sealed and in the custody of a procurement officer of Consolidated Bank up to the time set for opening it.

SECTION 3 – TECHNICAL & ARCHITECTURE REQUIREMENTS

3.1 General requirements

S/No. / General requirements / FC, PC, NC / Comments
1. / Firewall
a. / Does the proposal cater for provision of a high availability setup at the head office
b. / Does the proposal allow for multiple ISPs at the head office
c. / Does the proposal allow for multiple ISPs at the branch office
2. / Training
a. / Does the proposal cover OEM certification training
b. / How many staff are training to certification level
3. / Support and Maintenance
a. / Have you indicated the 3 year maintenance cost for the proposed solution
4. / Installation
a. / The proposal includes the installation accessories, i.e. cabling, SFPs etc.
b. / The proposal covers on-site installation at all our sites; HQ, & Branch branches

3.2 UTM

3.2.1 PR Firewall

S/No. / Primary Firewall / FC, PC, NC / Comments
1. / Interface
a. / Hardware Accelerated 10 GE SFP+ Slots 2
b. / Hardware Accelerated GE SFP Slots 16
c. / Hardware Accelerated GE RJ45 Ports 16
d. / GE RJ45 Management / HA Ports 2
e. / USB Ports (Client / Server) 1 / 2
f. / Onboard Storage 120 GB
2 / Performance
a. / IPv4 Firewall Throughput (1518 / 512 / 64 byte, UDP) 52 / 52 / 33 Gbps
b. / Firewall Latency (64 byte, UDP) 3 μs
c. / Firewall Throughput (Packet per Second) 49.5 Mpps
d. / Concurrent Sessions (TCP) 11 Mil
e. / New Sessions/Second (TCP) 240,000
f. / Firewall Policies 100,000
g. / IPsec VPN Throughput (512 byte) 30 Gbps
h. / Gateway-to-Gateway IPsec VPN Tunnels 20,000
i. / Client-to-Gateway IPsec VPN Tunnels 50,000
j. / SSL-VPN Throughput 3.6 Gbps
k. / Concurrent SSL-VPN Users (Recommended Maximum) 10,000
l. / IPS Throughput 8 Gbps
m. / Antivirus Throughput (Proxy Based / Flow Based) 3.5 / 5.5 Gbps
n. / CAPWAP Clear-text Throughput (HTTP) 10.5 Gbps
o. / Virtual Domains (Default / Maximum) 10 / 250
p. / Maximum Number of APs (Total / Tunnel) 4,096 / 1,024
q. / Maximum Number of Registered Endpoints 8,000
r. / High Availability Configurations Active-Active, Active-Passive, Clustering
3. / Firewall Features
a. / Should allow for NAT, PAT, Transparent Mode (Layer 2)
b. / Allow Routing Mode (RIP v1 & v2, OSPF, BGP, & Multicast)
c. / Policy-Based NAT
d. / Policy-Based Routing
e. / Virtual IP support
f. / Virtual Contexts (NAT/Transparent Mode)
g. / VLAN Tagging (802.1Q) & Port Aggregation
h. / User Group-Based Authentication
i. / SIP / H.323 NAT Traversal
j. / Multiple WAN Link Support
k. / PPPoE
l. / DHCP Client/Server
m. / Multi-Zone Support
n. / Route Between Zones / Virtual LANs
o. / ISP Link Load balancing
p. / Link Health Check
q. / SSL offloading
r. / Intrusion Prevention
s. / Multiple IPS policies
t. / Per traffic type IPS policy
u. / Multiple DoS policies
v. / Antivirus/Worm Detection & Removal
w. / Encrypted VPN Tunnels
x. / Automatic “Push” Virus Database Update
y. / Quarantine Infected Messages
z. / Block by File Size / Type
a. / VPN Encryption
b. / PPTP, IPSec, and SSL
c. / Dedicated Tunnels
d. / Encryptions (DES, 3DES, AES)
e. / SHA-1 / MD5 Authentication
f. / PPTP, L2TP, VPN Client Pass-Through
g. / Hub and Spoke VPN Support
h. / IKE Certificate Authentication
i. / IPSec NAT Traversal
j. / Dead Peer Detection
k. / High Availability
l. / HA available
m. / Active-Passive
n. / Active-Active
o. / HA clustering with more than 2 appliances
p. / Stateful Failover (FW and VPN)
q. / Device Failure Detection and Notification
r. / Port Redundancy
s. / Link Status Monitor
t. / Link Failover
u. / Traffic Shaping
v. / Policy-Based Traffic Shaping
w. / Differentiated Services (DiffServ) configuration
x. / Guarantee/Maximum/Priority Bandwidth
y. / User Authentication
z. / Internal Database
a. / Windows Active Directory Database
b. / External RADIUS/LDAP Database
c. / IP/MAC Address Binding
d. / PKI Support
4. / System Management
a. / Command Line Interface Via Console:-
b. / Console
c. / Telnet
d. / Secure Shell
e. / Graphical User Interface:-
f. / HTTP
g. / HTTPS
h. / Centralized Management Software
i. / Role-Based Administration
j. / Multiple Administrators and User Levels
5. / Logging/Monitoring
a. / Internal Logging
b. / Log to Remote Server
c. / Graphical Real-Time and Historical Monitoring
d. / SNMP Support
e. / Email Notification of Viruses and Attacks
f. / VPN Tunnel Monitor
6. / Certification
a. / List ICSA Certified features
b. / List NSS Labs Recommended features

3.2.2 DR Firewall

S/No. / DR Firewall / FC, PC, NC / Comments
1. / Interface and Modules
a. / GE RJ45 Interfaces 10
b. / GE SFP Slots 8
c. / USB (Client / Server) 1 / 2
d. / RJ45 Console Port 1
e. / Local Storage 120 GB SSD
f. / Included Transceivers 2x SFP (SX 1 GE)
2. / System Performance and Capacity
a. / IPv4 Firewall Throughput (1518 / 512 / 64 byte, UDP) 16 / 16 / 16 Gbps
b. / Firewall Latency (64 byte, UDP) 3 μs
c. / Firewall Throughput (Packet per Second) 12 Mpps
d. / Concurrent Sessions (TCP) 6 Mil
e. / New Sessions/Sec (TCP) 280,000
f. / Firewall Policies 10,000
g. / IPsec VPN Throughput (512 byte) 14 Gbps
h. / Gateway-to-Gateway IPsec VPN Tunnels 2,000
i. / Client-to-Gateway IPsec VPN Tunnels 10,000
j. / SSL-VPN Throughput 400 Mbps
k. / Concurrent SSL-VPN Users (Recommended Maximum) 500
l. / IPS Throughput 4.7 Gbps
m. / Antivirus Throughput (Proxy Based / Flow Based) 1.7 / 3.4 Gbps
n. / CAPWAP Clear-text Throughput (HTTP) 4.85 Gbps
o. / Virtual Domains (Default / Maximum) 10 / 10
p. / Maximum Number of APs (Total / Tunnel) 512 / 256
q. / Maximum Number of Tokens 1,000
r. / Maximum Number of Registered Endpoints 2,000
s. / High Availability Configurations Active-Active, Active-Passive, Clustering

3.2.3 Mail

S/No. / Branch Access Switch / FC, PC, NC / Comments
1. / Hardware Specifications
a. / Total Network Interfaces 6 x 10/100/1000 Interfaces (Copper, RJ-45)
b. / SFP Gigabit Ethernet Interface x 2
c. / USB Interfaces 2
d. / Storage 2x 2 TB (2x 2 TB Optional)
e. / RAID Storage Management Hardware: 1, 5, 10, 50, Hot Spare (Based on Drive Count)
f. / Form Factor Rack Mount Appliance
g. / Redundant Hot Swappable Power Supplies
2. / System Performance
a. / Configured Domains ** 800
b. / Recipient-Based Policies (per Domain / per System) — Incoming or Outgoing 1,500 / 7,500
c. / Server Mode Mailboxes 1500
d. / Antispam, Antivirus, Authentication, and Content Profiles (per Domain / per System) 50 / 600
e. / Network Latency < 2µs
3. / Performance (Messages/Hour without queuing based on 100KB message size)
a. / Email Routing 680 K
b. / Antispam 620 K
c. / Antispam + Antivirus 500 K
4. / Certification and Compliance
a. / FCC Part 15 Class A, C-Tick, VCCI, CE, UL/cUL, CB

3.2.4 Web application

S/No. / Web Application / FC, PC, NC / Comments
1. / Hardware Specifications
a. / Total Network Interfaces 10/100/1000 Interfaces (RJ-45 ports) 6 (4 bypass), 2x SFP GbE (non-bypass)
b. / USB Interfaces 2
c. / Storage 2x 2 TB
d. / Form Factor 2U
e. / Power Supply 2U Hot Swap Redundant
2. / System Performance
a. / Throughput 750 Mbps
b. / Latency Sub-ms
c. / High Availability Active/Passive
d. / Application Licenses Unlimited
e. / Network Latency < 2µs
3. / Certification and Compliance
a. / FCC, Class A Part 15, UL/CB/cUL, C-Tick, VCCI, CE
4. / Protection
a. / Cross Site Scripting;
• SQL Injection
• Session Hijacking
• Cookie Tampering /Poisoning
• Cross Site Request Forgery
• Command injection
• Remote File Inclusion
• Forms Tampering
• Hidden Field Manipulation
• Outbound Data Leakage
• HTTP Request Smuggling
• Remote File Inclusion
• Encoding Attacks
• Broken Access Control
• Forceful Browsing
• Directory Traversal
• Site Reconnaissance
• Search Engine Hacking
• Brute Force Login
• Access Rate Control
• Schema Poisoning
• XML Intrusion Prevention
• Recursive Payload
• External Entity Attack
• Buffer Overflows
• Denial of Service
• Zero Day Attacks
5. / Support Features
a. / Auto-Learn Security Profiling, Application Layer Vulnerability Protection, DoS Protection, Data Leak Prevention, Site Publishing and SSO, Web Defacement Vulnerability Assessments, HTTP RFC Compliance Validation, Antivirus, Multiple deployment options, Geo IP and Bot Analysis, IPv6 Ready, Authentication Offload, Pre-defined Policies, High Availability, Centralized Logging and Reporting, Administrative Domains, Centralized Management, Application Aware Load Balancing, Data Compression, SSL Offload, PCI DSS compliance, Protects against OWASP top 10

3.2.5 Management