WAF Spec

4.5 Designing and Implementing of WAF & Load Balancer

Columns: Features | Specification Required | Bidder's Offer | Comply? (Y/N)

Brand Name
  Reputed brand that is a Leader or Challenger in the Gartner and Forrester Quadrant reports for Web Application Firewall as per the latest report.

Model
  Must be mentioned by bidders.

Country of Origin
  USA or EU.

Item Two

Solution Architecture Requirement
  The proposed solution is a dedicated appliance-based Web Application Firewall (WAF) and L7 DDoS protection solution and should run on a single OS and hardware platform.

  It should have the option to add Mobile Bot Protection, Customizable Authentication Feature, Data Safe, DNS and Global Server Load Balancing features on the same single OS and hardware platform, based on future requirements.

Proxy support
  The solution must support both Forward Proxy and Reverse Proxy mode as a full-proxy architecture, controlling separate user sessions and separate application sessions at the ingress and egress points for more control and complete visibility of security from Layer 3 to Layer 7.

  It must support IPv6 for Reverse Proxy deployments, and also IPv4-to-IPv6 and IPv6-to-IPv4 dual-stack communication to reduce IPv6 deployment complexity.

Traffic Segmentation
  The proposed device should be a multi-tenanted appliance with VRF instances or partitions for complete isolation of network partitions.

  The solution should support VXLAN functionality for Data Center SDN integration with IPv6 VXLAN multipoint tunnels.

Appliance Resource
  The appliance should have a minimum of one quad (four) core Intel Xeon CPU with 1 (physical) : 2 (logical) hyper-threaded logical CPU cores.

  The appliance should have a minimum of 30 GB DDR4 memory or higher.

  The appliance should have a minimum of one 480 GB SSD drive.

Network Ports
  The proposed solution should have a minimum of 8 x 1G ports (SFP fiber) and 4 x 10GE ports (SFP+ fiber) from day 1. The bidder must provide 2 x 1GBASE-SR transceivers, 2 x 1000BASE-T transceivers and 2 x 10GE SFP SR transceivers for each appliance.

Throughput
  The proposed appliance should provide a minimum L7 throughput of 20 Gbps and a Layer 4 throughput of 20 Gbps.

  The proposed appliance should support a minimum of 27 million L4 concurrent connections from day 1.

  The proposed appliance should support a minimum of 1 million L4 HTTP requests per second from day 1, scalable to 2 million L4 HTTP requests per second in future if required, without any hardware change.

  The proposed appliance should support a minimum of 10 Gbps of hardware-offloaded SSL throughput from day 1, scalable to 15 Gbps in future if required without any hardware change. The SSL encryption and decryption process must be accelerated by a hardware-based processor.

  The proposed appliance must support a minimum SSL TPS of 10,000 (10K) with RSA 2048-bit keys and an SSL TPS of 6,500 (6.5K) with ECDSA P-256 keys from day 1, scalable to an SSL TPS of 20,000 (20K) with RSA 2048-bit keys and 10,000 (10K) with ECDSA P-256 keys in future if required without any hardware change.

  The proposed appliance must have a minimum of 6 Gbps compression throughput for HTTP traffic from day 1, and the performance data should be stated in the public datasheet. It should be scalable to 10 Gbps hardware-based compression throughput for HTTP traffic in future if required without any hardware change.

Load Balancing
  The solution must have application-level load balancing, including the ability to act as an HTTP/2 proxy.

  The solution must support TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 on both the client and server side.

  The solution must have server load balancing algorithms including (but not limited to) Round Robin, Least Connections, Weighted Least Connections and Ratio Least Connections.

Flexibility during installation & removal
  There must be minimal impact on the existing web applications and the network architecture when deploying or removing the solution from the network.

Ethernet Management Port
  The solution should have a dedicated out-of-band Ethernet management port.

HTTPS interface Management
  The solution should provide an HTTPS management interface for administering the device.

SSH interface Management
  The solution should provide an SSH management interface for administering the device.

Troubleshooting
  The solution should provide an online troubleshooting and traffic analysis tool where the customer can take a snapshot of the appliance configuration and upload it to the OEM's web-based diagnostic tool to check the health and vulnerability of the appliance, with recommended solutions provided via knowledge base links.

Modify Signature
  The solution must allow administrators to add and modify signatures.

Role based access
  The solution must support role-based admin access with roles like No Access, Guest, Operator, Application Editor, Resource Administrator and Administrator.

Management System
  The entire solution must have a dedicated central management system to centrally manage the WAF security policy, access management policy, load balancing policy and L7 DDoS policy for day-to-day operations from a single console.

  Reporting, policy creation, alert management, troubleshooting, log collection, backup/restore policy, web application protection configuration, access policy management etc. must be managed from the management server.

  The management server must centrally manage all the different solutions/appliances.

  The solution must allow the user to use a standard browser to access the management UI. The management system can be a physical or virtual appliance.

Application Support
  The solution must be able to protect both HTTP web applications and SSL (HTTPS) web applications. It should support ECC keys along with RSA keys.

  The solution should support Reverse Proxy and Forward Proxy mode.

Application Layer Encryption
  The WAF must have the capability to protect against credential attacks: it protects against attacks that can steal credentials from the user's browser through browser-based malware, from data in transit and/or from the server, without installing any agent on the client machine.

Cipher Support
  The WAF solution must support all major cipher suites, like Camellia cipher suites, SSLv3 and TLSv1.3 implementations, for strong encryption.

  The WAF solution must support elliptic curve cryptography (ECC) acceleration in hardware.

Application security vulnerabilities
  The solution must address and mitigate the OWASP Top Ten web application security vulnerabilities, but not be limited to these.

Customizable Authentication Feature
  The solution should support functioning as portal access, app tunnel and network access with AAA server authentication and high availability, and step-up authentication including multi-factor authentication (MFA), in future if required without any additional hardware change.

  The solution should be able to support SSO with support for Kerberos, header-based authentication, credential caching and SAML 2.0, as well as SSL VPN remote access and L7 access control lists (ACL), in future if required without any additional hardware change.

  The solution should support inspection of the user's endpoint device, covering OS type, antivirus software, firewall, file, process, Windows OS registry value validation and comparison, device MAC address, CPU ID, HDD ID, mobile device UDID and jailbroken or rooted status, through a web browser and through a client, to examine the security posture and determine if the device is part of the customer domain. Based on the results, it can assign dynamic Access Control Lists to deploy user identity, data/application context and application-aware security. The solution must be able to support SSL VPN remote access and L7 access control lists (ACL) in future if required without any additional hardware change.

Security model approach
  The solution must support both the positive and negative security model approaches.

Protection from vulnerable attacks
  The solution should support application layer DoS and DDoS attack protection, including NXDOMAIN, stress-based DoS and heavy URL attacks.

Custom security Rules
  The solution must support custom security rules. Administrators should be able to define rules for the positive and negative security model and to create correlation rules with multiple criteria, or the solution should provide a violation correlation engine. This should be possible without the need to write any script/code.

Protection from web-based attacks
  The solution should support protection against common attacks such as SQL Injection, Cross-site Scripting, Cookie or Form Tampering etc.

Virtual patching
  The solution must support integration with industry-leading Dynamic Analysis Security Testing (DAST) tools from IBM, HP, Rapid7 etc. to perform virtual patching for its protected web applications.

Webshell Attack Detection
  The solution should have the capability of webshell/backdoor detection.

WebSocket and Secure WebSocket Protection
  The solution should have the capability to inspect and protect WebSocket and Secure WebSocket traffic.

Malware/BOT Attack Detection
  The WAF should have a proactive bot defense (both detection and protection) mechanism beyond signatures and reputation, to accurately distinguish malicious and benign bots using client behavioral analysis, server performance monitoring, and escalating JavaScript and CAPTCHA challenges. The bot defense feature should have a predefined bot defense profile to enable quicker and easier bot defense configuration.

Brute Force Attack Detection
  The WAF should have the capability of brute force attack detection using CAPTCHA challenges to clients, and should be capable of redirecting brute force attack traffic to a honeypot page/system.

CAPTCHA Farming Detection
  The WAF should have the capability to detect attacks that try to get around CAPTCHAs by farming out the CAPTCHA images to pools of users that respond.

Security Threat Protection from organized crime and nation states
  The WAF should have security signatures to protect applications from pervasive attacks that are often coordinated by organized crime and nation states, by providing threat intelligence information to fingerprint and mitigate sophisticated attacks with near real-time metadata updates.

Security Engine
  The solution must have an in-built security engine that addresses complex attacks that are ambiguous in nature. It must also examine multiple pieces of information at the network, protocol and application levels over time and correlate them to distinguish between attacks and valid user traffic.

Malware protection from Man-in-The-Browser
  The WAF solution must provide capabilities to obfuscate sensitive field names to defeat Man-in-the-Browser attacks.

L7 DDoS Attack Prevention Feature (Operational from Day 1)
  The solution must have protection against Layer 7 application DDoS attacks, including stress-based DoS and heavy URL attacks, in full-proxy mode (Forward Proxy and Reverse Proxy) using a machine learning mechanism from day 1.

  The solution should provide geolocation IP detection of clients and blocking based on the geographical region of the clients.

  The solution should protect against heavy URL L7 DDoS attacks, which consume considerable server resources for each request.

  The solution should protect against single page attacks, which load a single HTML page and dynamically update it as the user interacts with the application, in order to overload the page loading time and server response time.

  The solution must detect DDoS attacks based on the volume (transactions per second) of incoming application traffic and protect against the DDoS attack automatically by application thresholds.

  The WAF should have a proactive bot defense (both detection and protection) mechanism beyond signatures and reputation, to accurately distinguish malicious and benign bots using client behavioral analysis and server performance monitoring of the application response time. The bot defense feature should have a predefined bot defense profile to enable quicker and easier bot defense configuration.

Behavioral DoS mitigation Technology
  The solution must have behavioral DoS mitigation technology to detect DDoS attacks without human intervention.

Upload protection
  The solution should have protection against viral/infected file uploads through ICAP integration with a 3rd-party antivirus solution.

Pre-configured list of signatures
  The solution must include a pre-configured list of comprehensive and accurate web attack signatures.

Staging for New Signature Update
  The solution must have a signature staging feature for new signature updates, which applies the new signatures to the web application traffic but does not block the application when those new attack signatures trigger. This feature is required to reduce the number of violations triggered by false-positive matches after a new signature update.
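
The staging behaviour required above, shown as an added illustration that is not part of the tender and not any vendor's implementation: a small regex-based negative-security rule engine in which a newly downloaded signature runs in staging (match is logged but does not block) while established signatures are enforced, plus a report of how many allowed requests a staged signature would have blocked. The signature ids, patterns and sample request lines are constructed for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    sig_id: str
    pattern: str      # regular expression, as the spec requires for signature definition
    staged: bool      # True: newly updated, log only; False: enforced, blocks on match
    regex: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        self.regex = re.compile(self.pattern, re.IGNORECASE)


@dataclass
class Decision:
    action: str                                         # "allow" or "block"
    enforced_hits: list = field(default_factory=list)   # hits that caused a block
    staged_hits: list = field(default_factory=list)     # would-have-blocked hits, for review


def inspect(request: str, signatures) -> Decision:
    """Match every signature against the request; only enforced hits change the verdict."""
    decision = Decision(action="allow")
    for sig in signatures:
        if sig.regex.search(request):
            bucket = decision.staged_hits if sig.staged else decision.enforced_hits
            bucket.append(sig.sig_id)
    if decision.enforced_hits:
        decision.action = "block"
    return decision


def staging_report(requests, signatures) -> dict:
    """Per staged signature, count requests whose verdict would flip from allow to
    block if it were enforced now. A high count on known-good traffic means the
    signature is producing false positives and needs tuning before promotion."""
    report = {sig.sig_id: 0 for sig in signatures if sig.staged}
    for req in requests:
        decision = inspect(req, signatures)
        if decision.action == "allow":
            for sig_id in set(decision.staged_hits):
                report[sig_id] += 1
    return report


def promote(signatures, sig_id: str) -> None:
    """Move a reviewed signature from staging into enforcement."""
    for sig in signatures:
        if sig.sig_id == sig_id:
            sig.staged = False


# Constructed signature set: two enforced rules and one freshly updated rule in staging.
# The staged rule is deliberately broad and also fires on benign search terms.
SIGNATURES = [
    Signature("SQLI-001", r"union\s+select", staged=False),
    Signature("XSS-001", r"<script\b", staged=False),
    Signature("SQLI-NEW-042", r"\bselect\b", staged=True),
]

# Constructed sample request lines (method and path only).
SAMPLE_REQUESTS = {
    "attack": "GET /items?id=1 UNION SELECT password FROM users",
    "benign_search": "GET /search?q=select+committee+report",
    "clean": "GET /index.html",
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(label, inspect(req, SIGNATURES))
    print("would-have-blocked:", staging_report(SAMPLE_REQUESTS.values(), SIGNATURES))
```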

Worm protection
  The solution must have web worm protection.

CSRF checkbox attack protection
  The solution must have CSRF checkbox attack protection.

Protection against Cross-site Request Forgery
  The solution should have protection against Cross-site Request Forgery.

Protection against web site cloaking
  The solution should have protection against web site cloaking.

Policy Management for different web applications
  The solution should support different policies for different web applications. The solution must have pre-configured policies for known applications like Microsoft SharePoint, OWA, ActiveSync, SAP, Oracle Applications/Portal, PeopleSoft and Lotus Domino for quick deployment.

Outbound data security
  The solution should have protection against outbound data theft.

Anonymous request blocking
  The solution should be able to detect and block requests coming from anonymous proxies.

Signature protection
  The solution should, at a minimum, query the signature service on a daily basis and automatically download and apply the new signatures.

Traffic control
  The solution should be able to allow or deny traffic based on IP address. It should also be able to protect FTP and SMTP traffic by allowing only legitimate commands and performing protocol sanitization checks.

Dynamic protection
  The solution should be able to encrypt the user credentials in real time, i.e. while the user is typing the credentials for the web application in the browser, for any web application that is behind the WAF. This feature should be agentless and should not require installation of any kind of software on either the client end or the application end.

Geolocation threat protection
  The solution should provide geolocation IP detection of clients and blocking based on the geographical region of the clients.

URL access control
  The solution should allow the administrator to restrict access to various HTTP and WebDAV methods, including HEAD, CONNECT, TRACE, etc., on a per-URL basis.

  The solution must be capable of blocking access to a specific URL path based on client source IP.

  The solution must be capable of restricting specific user (administrators / web admin / SQL admin) logins from outside the network.

Cloaking error situations
  The solution should be able to "cloak" error responses to hide sensitive server-related information in the response body and response headers.

Validate web environment actions
  The solution should be able to perform validation on all types of input, including URLs, forms, cookies, query strings, hidden fields and parameters, HTTP methods, XML elements and SOAP actions.

Detection and protection technology against threats
  The solution's profiling technology should be able to detect and protect against threats that are specific to the custom code of the web application. After the learning phase, the solution must understand the structure of each protected URL and must be able to detect deviations and various anomalies (or violations) and block attacks on the custom code of the application.

Browser based keyloggers Protection
  The solution must be able to defend against browser-based keyloggers that attempt to capture the user's keystrokes and steal user credentials, using a password field encryption mechanism.

Mobile Application Protection
  The proposed solution should support protection from mobile app-based attacks, if required in future, without any change in hardware. The solution should support the capability to protect against mobile-application-based attacks through a bot protection SDK for mobile platforms, which establishes trust (whitelisting) based on an embedded software package within the application code and corresponding cookie verification, to protect the application against attacks generated from mobile.

Web Scraping
  The solution should defend against web scraping.

Adaptability with change of approved change of web application
  The solution should allow the re-learning of an application profile on a per-URL or per-page basis. The administrator should not be required to relearn the entire application when only a few pages have changed.

High Availability
  The solution must have high availability for both TCP session mirroring and SSL session mirroring in full-proxy (Forward Proxy and Reverse Proxy) mode in an Active-Standby HA architecture.

  The solution should have active-active and active-backup high availability with TCP/IP connection mirroring as well as SSL connection mirroring for SSL connections that are terminated/offloaded on the WAF. Hence existing connections should not fail or be forced into SSL renegotiation, especially for applications for which the WAF is doing SSL offloading in full-proxy (Forward Proxy and Reverse Proxy) mode.

Validation of different web services and ensure security
  The solution should be able to perform profiling of JSON. HTTP requests in JSON format must be learnt by the WAF with their parameters and values.

  The solution should be able to protect web applications that include web services (XML) content.

  The solution must have the ability to automatically update certificate bundles from the appropriate CAs without any user intervention.

  The solution must be able to encrypt the user credentials of the protected applications in real time by encrypting the password without any agent on either the client side or the server side. This feature could be activated at any time with an additional license on the WAF when required.

  The solution should provide a mode whereby it can rewrite HTTP applications to HTTPS on the fly, e.g. by modifying all outbound content, and redirect incoming HTTP requests to HTTPS.

  The solution should protect session tokens, i.e. cookies:

  a. Sign cookies, to prevent clients from changing them
  b. Encrypt cookies, to hide contents
  c. Prevent cookie replay attacks
  d. Allow for exempting certain cookies from security checks

  The solution should support protection of XML web services against common web application attacks as well as XML-specific attacks.

  It should be possible to force conformance with the full WS-I Basic specification.

  The solution should provide for validating XML documents and protecting against XML, DoS and injection attacks (SQL, OS, XSS injection, etc.).
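
The session-token protection listed above (items a, c and d: sign cookies, prevent replay, exempt certain cookies), shown as an added illustration that is not part of the tender and not any vendor's implementation. It assumes a reverse-proxy WAF that rewrites outbound Set-Cookie values to value.expiry.tag and verifies them on the way back in; the key, cookie names, client addresses and timestamps are constructed. Item b, encryption, needs an AEAD such as AES-GCM from a third-party library and is left out so the block runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import time


class CookieGuard:
    """Reverse-proxy side cookie protection (constructed example)."""

    def __init__(self, key: bytes, exempt=(), ttl: int = 900):
        self.key = key                 # secret held by the WAF only, never sent to clients
        self.exempt = set(exempt)      # item d: cookies passed through unchanged
        self.ttl = ttl                 # seconds a protected cookie stays valid

    @staticmethod
    def _binding(client_ip: str, user_agent: str) -> str:
        # Item c: bind the token to the presenting client, so a cookie copied from
        # one browser and replayed from another address/agent does not verify.
        raw = f"{client_ip}|{user_agent}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]

    def _tag(self, name: str, value: str, expiry: int, binding: str) -> str:
        # Item a: HMAC-SHA256 over name, value, expiry and client binding.
        msg = f"{name}|{value}|{expiry}|{binding}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def protect(self, name, value, client_ip, user_agent, now=None) -> str:
        """Outbound Set-Cookie: wrap the application's value as value.expiry.tag."""
        if name in self.exempt:
            return value
        now = int(time.time() if now is None else now)
        expiry = now + self.ttl
        tag = self._tag(name, value, expiry, self._binding(client_ip, user_agent))
        return f"{value}.{expiry}.{tag}"

    def verify(self, name, wrapped, client_ip, user_agent, now=None):
        """Inbound Cookie header: return the original value, or None to reject."""
        if name in self.exempt:
            return wrapped
        try:
            # rsplit keeps dots inside the application's own value intact
            value, expiry_str, tag = wrapped.rsplit(".", 2)
            expiry = int(expiry_str)
        except ValueError:
            return None                # malformed: not something this WAF issued
        now = int(time.time() if now is None else now)
        if now >= expiry:
            return None                # expired: replay of an old token
        expected = self._tag(name, value, expiry, self._binding(client_ip, user_agent))
        if not hmac.compare_digest(expected, tag):
            return None                # tampered value, or replayed from another client
        return value


if __name__ == "__main__":
    guard = CookieGuard(key=b"\x01" * 32, exempt=["lang"])     # constructed key
    token = guard.protect("JSESSIONID", "abc.123", "10.0.0.5", "UA1")
    print("issued:", token)
    print("same client:", guard.verify("JSESSIONID", token, "10.0.0.5", "UA1"))
    print("other client:", guard.verify("JSESSIONID", token, "10.0.0.9", "UA1"))
```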

Supporting regular expressions
  The solution must support regular expressions for the following purposes:

  - Signature definition
  - Sensitive data definition
  - Parameter type definition
  - Host names and URL prefixes definition
  - Fine tuning of parameters that are dynamically learnt from the web application profile

Vulnerability Assessment scanner support
  The solution must support all the common web application vulnerability assessment tools (web application scanners), including Qualys, Rapid7, IBM AppScan etc., to virtually patch web application vulnerabilities.

Anti-automation
  The solution must provide "anti-automation" protection, which can block automated attacks using hacking tools, scripts, frameworks etc.

IPv4 & IPv6 Security
  Support IPv6 for Reverse Proxy deployments, and also support IPv4-to-IPv6 and IPv6-to-IPv4 communication. The management plane should also support IPv6.

User tracking mechanism
  The solution must be able to track and monitor web application users. This tracking mechanism must be automated, with no changes to the existing application or authentication scheme.

Two Factor Authentication
  The solution should support two-factor authentication through an additional license. The bidder should mention the compatible two-factor authentication solution provider name for future integration.

Action against attack
  The solution must be able to execute the following actions upon detecting an attack or any other unauthorized activity:

  - Ability to drop requests and responses
  - Block the TCP session, user, IP

Differentiate good & bad traffic
  The solution must be able to perform profiling of web applications in an environment where there is a mixture of good and bad traffic. The solution must be able to automatically differentiate good and bad traffic when learning the profile. Bad traffic shouldn't be learnt.

API Protection
  The solution must have API inspection, rate limiting, behavioral analysis and anti-automation, detect application programming interface (API) threats, and perform API protocol security checks to secure REST API, JSON, XML/SOAP and gateway APIs.

Dashboard
  The solution must have an integrated dashboard containing various alert and report generation features, including:

  a. CPU Usage
  b. Memory Usage
  c. Connections Statistics
  d. Throughput Statistics
  e. Virtual Server Status
  f. Pool Status
  g. Node Status

  The solution should provide application and network visibility and reporting with the below metrics and entities for each application:

  a. Client IP addresses / subnets as well as geographical regions
  b. Total transactions as well as average and max transactions/sec
  c. Most commonly requested URLs
  d. Server latency and page load times
  e. Virtual server and pool server performance
  f. Page load time
  g. Response code
  h. OS and browser
  i. URL details

Alert
  The solution must provide an automated, real-time event alert mechanism.

Sensitive data masking
  The solution must support masking of sensitive data in alerts.

Integration with security devices
  The solution should integrate with syslog to work with any solution, and support known log formats.

Report generation
  The solution must provide pre-packaged reporting capabilities out of the box, without user intervention/further configuration.

Flexible custom report generation
  The solution must have functionality within the UI, out of the box, that enables the administrator to create customized reports on demand.

Integration with SIEM tools
  The solution should support integration with SIEM tools like ArcSight, Splunk or any other SIEM tool.

Report views & analysis tools
  The solution must support generation of reports with data analysis graphical views. Also, the reports should be formatted depending on various requirements, like executive summary, detailed analysis report etc.

Schedule report generation
  The solution must support automatic report generation based on a defined schedule.

Report Delivery
  The reports must be distributed via email on demand and automatically (on schedule), in PDF or CSV format.

PCI DSS Compliance
  The proposed WAF should provide PCI DSS compliance reporting.

FIPS Compliance
  The proposed solution should support FIPS 140 Level 2.

Gartner & Forrester Report for WAF
  The OEM should be a Leader or Challenger in the Gartner or Forrester Quadrant report for Web Application Firewall as per the latest report.

Customer Reference
  The OEM should have at least 4 customer references in Bangladesh in the recent 3 years, and the references should be publicly available.

ICSA Certification
  The WAF should be ICSA certified. The bidder must submit the OEM's certificate.

ISO 9001, ISO 14001 and ISO 27001 Certification
  The OEM/manufacturer should have ISO 9001, ISO 14001 and ISO 27001 certification. The bidder must submit the OEM's ISO certificates.

Design & Deployment Requirement
  The respective bidder also needs to ensure that the final deployment of the data center solution is done based on the standard design guidelines and best practices, keeping in mind the data center compliance requirements and operational requirements.

  The respective bidder must also ensure that the final deployment is done on the basis of the OEM-specified and validated design standards and best practices.

  The bidder must ensure that the final deployment is done by OEM-certified resources to validate design standards and best practices. The cost of the implementation should be quoted as a separate implementation cost.

  The validated design should take into consideration the scalability, modularity and resiliency aspects of the data center, as well as optimization from a space, power and cooling perspective.

Manufacturer's part number
  The bidder should submit a BOQ of the proposed device, including the detailed part numbers.

  The bidder must submit the required performance document and compliance reference document for the proposed solution.

Compliance & Reference
  The bidder must provide a detailed compliance report with references. The reference URL / information for RFP technical specification compliance should be a publicly available, referenceable and accessible document.

Warranty
  The manufacturer's warranty part number should be mentioned. A minimum 3 (three) year warranty for technical solution support with patch and new software upgrades, and next-business-day RMA replacement, should be provided for the proposed solution from the date of commissioning.

Local Depot
  The OEM should have a local RMA depot in Bangladesh for fast delivery on faulty hardware / parts replacement issues.

Installation & Commissioning
  The bidder must carry out on-site installation, testing and commissioning. In consultation with the IT Department, the bidder must configure appropriate security and administration related policies, must integrate with other related hardware/software required to make the network functional, and shall provide respective documentation to the IT Division. Bidders holding the highest certification of the relevant OEM will be preferred.
