Firewalls

Shared by: vivi07
Posted: 11/4/2009
Centralised Banking Project RFP - Security Technical RFP - Firewalls
Annexure I (Strictly Confidential)

Each requirement table in the original has three columns, Sr. No., Technical Requirements and Vendor Comments; the Vendor Comments column is blank throughout, so only the first two are reproduced here.

1 General
1.1 The firewall should be hardware based and have at least 4 slots for housing interface cards.
1.2 Must provide protection to internal IP addresses through a Network Address Translation (NAT) facility. Must provide inbound and outbound NAT, and should allow pooled IP, pooled port, static and dynamic NAT.
1.3 Must secure servers behind the firewall.
1.4 Should provide complete protection against attacks such as the various Denial of Service (DoS) attacks, and prevent unauthorized access.
1.4.1 Should support the following DoS checks:
1.4.1.1 Illegal addresses
1.4.1.2 Checksum control
1.4.1.3 TTL control
1.4.1.4 Layer size consistency
1.4.1.5 IP option sizes
1.4.1.6 IP source route
1.4.1.7 IP time stamp
1.4.1.8 IP bad options
1.4.1.9 IP reserved flag
1.4.1.10 TCP header size options
1.4.1.11 TCP blind spoofing protection
1.4.1.12 TCP window scale
1.4.1.13 TCP time stamp
1.4.1.14 TCP alternate checksum
1.4.1.15 TCP connection count
1.4.1.16 TCP reserved field
1.4.1.17 TCP null packets
1.4.1.18 ICMP response control
1.4.1.19 ARP spoofing protection
1.4.1.20 Connection timeout control
1.4.1.21 Payload size control
1.4.1.22 Reassembly timing control
1.4.1.23 Illegal fragments
1.4.1.24 Fragmented ICMP
1.4.1.25 Support for various application proxies
1.5 Must provide for centralized management of all firewalls as given below:
1.5.1 Must provide remote administration to allow management of multiple firewalls from a single point.
1.5.2 Must allow deployment of the same baseline policy to all firewalls, while allowing enhancements to be made to specific firewall engines as required.
1.6 Communication between the firewall management system and the firewall must be encrypted and take place in a secured environment (Secure Shell).
1.7 The firewall should support a broad range of authentication methods.
1.8 The firewall management system should integrate with other management systems such as IDS, Enterprise Management System and anti-virus management system.
1.9 Must support intrusion response using dynamic rules, and integration with any intrusion detection system.
1.10 In the event of an attack the following activities should be possible:
1.10.1 Prevent the IP address of the attacker from entering the said firewalls.
1.10.2 Beep or set off an alarm.
1.10.3 Send an SNMP trap to a management console.
1.10.4 Send an event to the Windows NT event log (in the case of an NT system).
1.10.5 Send an event to the UNIX syslog event system (in the case of a UNIX system).
1.10.6 Send e-mail and SMS to an administrator to notify them of the attack.
1.10.7 Page (using normal pagers) the system administrator.
1.10.8 Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).
1.10.9 Save a trace file of the raw packets for later analysis.
1.11 Must support capabilities such as authentication, extensive auditing and reporting.
1.12 Must be extremely easy to deploy and manage.
1.13 The configuration tool should be GUI based.
1.14 Must provide intuitive and useful report generation.
1.15 Must provide real-time monitoring of active connections and rule validation.
1.16 Must support IPSEC, L2TP, PPTP and similar technologies.
1.17 Must support creation of custom rules.
1.18 Product should support all protocols.
1.19 Product should be OPSEC compliant.
1.20 Facility should be available for load balancing.
1.21 Product should have a redundancy facility.
1.22 The firewall management should be able to seamlessly talk to different products (such as Checkpoint, PIX etc.).
1.23 Product should have the capability to add two or more different networks (please specify the number of networks supported).
1.24 Support for third-party authentication devices (e.g. two-factor authentication devices).
1.25 Support for LDAP.
1.26 Capability for content-based filtering (e.g. URL, ActiveX, etc.).
1.27 Support for a minimum of 32000+ concurrent connections.
1.28 The firewall should support 900,000 connections per second or above and a throughput of 1500 Mbps.
1.29 MTBF should be a minimum of 40,000 hours.
1.30 3DES performance should be a minimum of 50 Mbps.
1.31 Port Address Translation (PAT) capability.
1.32 Support for advanced voice technology.
1.33 Support for advanced video technology and protocols.
1.34 The firewall should be ICSA certified for firewall and VPN capabilities.
1.35 Support for 1500 simultaneous VPN tunnels.
1.36 Embedded web-based management software and command line interface support.
1.37 IKE keepalive should be supported, allowing the devices to detect a dead remote peer for IPSEC redundancy.
1.38 Support for flexible rack mounting configurations.
1.39 A fully loaded chassis should have less than 70% CPU utilisation at all times.
1.40 Support for RIP version 2 passive mode.
1.41 Enhanced support for blocking TCP SYN attacks.
1.42 Support for protection against IP spoofing using network ingress and egress filtering, as per RFC 2267.
1.43 Support for RADIUS and TACACS+ for authenticating users.
1.44 Support for Session Initiation Protocol (SIP) and Session Description Protocol as per RFC 2543 and RFC 2327 respectively.
1.45 Support for the H.323 protocol as defined by ITU.
1.46 Support for multimedia, e.g. Microsoft NetShow, RealNetworks RealAudio and RealVideo, Xing StreamWorks, VDOnet VDO Live, Vxtreme WebTheater, VocalTec Internet Phone, Microsoft NetMeeting, Intel Internet Video Phone, etc.
1.47 Support a minimum bandwidth of 300 Mbps.
1.48 Support at least 6 Ethernet interfaces.
1.49 Support a minimum of 10 VLANs (IEEE 802.1Q).
1.50 Support interface grouping and VLAN access and bandwidth control.
1.51 Counters for CPU load, forwarded bps, forwarded pps, buffer usage, connections, rule usage, pps in/out/total per interface/VLAN/VPN tunnel, ICMP received, user number.
1.52 Match form: best fit or rule order.
1.53 Highest layer scan: application (L7) / session (L5).
1.54 Capability to protect against application level attacks.
1.55 Monitor for embedded attacks.
1.56 Fail-safe architecture.
1.57 Safe default configuration capability.
1.58 Should have third-party CVP integration support.
1.59 The firewall should be the latest in the series.
1.60 High speed interface support of multiple 1 Gbps and 100 Mbps interfaces.
1.61 The firewall should be based on a real-time, secure, embedded operating system.
1.62 Inbuilt support for IPSEC VPNs with optional 168-bit encryption and VPN accelerator card.
1.63 Support for configurable basic intrusion detection signatures.
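Several of the checks listed under 1.4.1 (checksum control, TTL control, layer size consistency, IP option sizes, IP source route, IP time stamp, IP reserved flag, illegal fragments, illegal addresses) and the RFC 2267 ingress/egress filtering asked for in 1.42 can be stated precisely as per-packet field checks. The following Python script is an added illustration for this page, not code from the RFP or from any vendor; the inside prefixes, the sample packets and the topology it assumes are constructed for the example, and it handles IPv4 headers only.

```python
"""IPv4 header sanity checks of the kind listed under 1.4.1 and RFC 2267
style ingress/egress source filtering (1.42).  Added illustration; not the
RFP's or any vendor's code.  Prefixes and packets below are constructed."""
import ipaddress
import struct

# Constructed topology: prefixes that legitimately originate traffic on the
# inside interface.  An inbound packet claiming one of these sources, or an
# outbound packet not using one of them, is treated as spoofed (RFC 2267).
INSIDE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]

LSRR, SSRR, TIMESTAMP = 131, 137, 68   # IP option type codes from RFC 791


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; yields 0 when a valid checksum is included."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def option_checks(options: bytes) -> list:
    """Walk the option list; flag bad lengths and the option types a
    perimeter firewall is usually asked to reject (source routing, timestamps)."""
    problems, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No Operation, a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            problems.append("malformed IP option length")
            break
        if kind in (LSRR, SSRR):
            problems.append("IP source route option present")
        elif kind == TIMESTAMP:
            problems.append("IP timestamp option present")
        i += options[i + 1]
    return problems


def header_checks(packet: bytes, min_ttl: int = 1) -> list:
    """Return the sanity checks a packet fails; an empty list means it passes."""
    if len(packet) < 20:
        return ["truncated: shorter than minimum IPv4 header"]
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, _proto, _csum, src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    problems = []
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        problems.append("version field is not 4")
    if ihl < 20 or ihl > len(packet):
        problems.append("header length inconsistent with packet size")
        return problems                      # nothing below can be trusted
    if total_len != len(packet):
        problems.append("total length does not match bytes received")
    if ipv4_checksum(packet[:ihl]) != 0:
        problems.append("header checksum invalid")
    if ttl < min_ttl:
        problems.append("TTL below minimum")
    flags, frag_off = flags_frag >> 13, flags_frag & 0x1FFF
    if flags & 0b100:
        problems.append("reserved flag set")
    more_fragments = bool(flags & 0b001)
    if (frag_off or more_fragments) and frag_off * 8 + (total_len - ihl) > 65535:
        problems.append("fragment overruns maximum datagram size")
    src_addr = ipaddress.ip_address(src)
    if (src_addr.is_loopback or src_addr.is_multicast or src_addr.is_unspecified
            or src_addr == ipaddress.ip_address("255.255.255.255")):
        problems.append("illegal source address")
    problems.extend(option_checks(packet[20:ihl]))
    return problems


def spoof_check(src: str, direction: str):
    """RFC 2267 ingress/egress decision for a source address; None when plausible."""
    addr = ipaddress.ip_address(src)
    inside = any(addr in net for net in INSIDE_PREFIXES)
    if direction == "inbound" and inside:
        return "ingress filter: packet from outside claims an inside source"
    if direction == "outbound" and not inside:
        return "egress filter: inside host sending with a foreign source"
    return None


def build_ipv4(src, dst, ttl=64, payload=b"", flags=0, frag_off=0, options=b""):
    """Construct a header with a correct checksum (sample input for the demo)."""
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                      (flags << 13) | frag_off, ttl, 6, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed) + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


if __name__ == "__main__":
    clean = build_ipv4("10.1.2.3", "203.0.113.9")
    print("clean header:", header_checks(clean))
    print("inbound with inside source:", spoof_check("10.1.2.3", "inbound"))
    routed = build_ipv4("198.51.100.7", "10.1.2.3", options=bytes([LSRR, 3, 4, 0]))
    print("source-routed header:", header_checks(routed))
```

A firewall applies checks of this kind to every packet before any rule lookup. The point of the example is that each line item in 1.4.1 maps to a concrete, testable field check, which is also how a bidder's claim under Vendor Comments can be verified in a lab with crafted packets rather than taken on trust.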
1.64 On power-up the firewall should run built-in system monitoring and diagnostics before going online, to detect hardware failure.
1.65 The firewall should support AC or DC hot-swappable power supplies.
1.66 The firewall should support stateful failover so that session losses are minimal.
1.67 The firewall should support in-rack serviceability with easy access to the main board.
1.68 High mean time between failure values should be supported to ensure long life of the firewall hardware.
1.69 The device should support a minimum of 4 Gigabit Ethernet ports.
1.70 The firewall should support a minimum DRAM of at least 512 MB and should be upgradeable to higher memory as needed.
1.71 A minimum of 16 MB flash memory is required for storing the operating system and the configuration file.
1.72 Flexible rack mounting configurations.
1.73 100BaseTX and 1000BaseTX interfaces as per IEEE 802.3u and 802.3z specifications. The 100BaseTX interface should support full duplex operation.
1.74 The firewall should support packet-forwarding rates in excess of 200,000 64-byte packets per second.
1.75 Split tunneling VPN support.
1.76 Filtering by user name and group.
1.77 The firewall should support the TCP Intercept feature.

Network Management (numbered 1.8 again in the original)
1.8 Network Management
1.8.1 The NMS application for the firewall should be Windows or Solaris based and provide management for a minimum of 3 firewall devices. Additionally, Telnet client and server functionality support is a must.
1.8.2 The firewall must support FTP or TFTP for easy software upgrades over the network.
1.8.3 Network management services should be provided using standards-based protocols like SNMP and SNMP v2.
1.8.4 The following MIBs should be supported:
1.8.4.1 SNMP get, SNMP trap, MIB II, Firewall MIB, Syslog MIB
1.8.4.2 Real-time alerting and notification features and syslog support.
1.9 The firewall chassis compliant to the specification should support the following minimum port requirement.
1.9.1 Base unit, main power supply, redundant power supply, rack mounting kit, cable management kit, operating system.
1.9.1.1 Fast Ethernet
1.9.1.2 Gigabit Ethernet

2 Reporting
2.1 Provision for a comprehensive system for capturing information and making it available for analysis.
2.2 Ability to filter, sort and view the archived information, and to create detailed reports.
2.3 Ability to view alerts and generate reports based on the consolidated information.
2.4 Detailed statistical reports on numbers of policy violations and where they came from, web usage, protocol distribution etc.
2.5 Comprehensive "drill-down" querying and reporting facility for the intrusion events held in the database.
2.6 Real-time statistics of the intrusion events detected, which could be represented in graphical form.
2.7 Web-based support for remote management with data encryption.
2.8 Support for various versions of Simple Network Management Protocol (SNMP) and system logging for remote management.
2.9 The software on the firewall should support online software reconfiguration to ensure that changes made to a firewall configuration take effect immediately.
2.10 Support for extensive debugging capabilities.
2.11 The firewall should support configuration through a command line interface as well as a GUI.
     Detection of teardrop attacks (no Sr. No. in the original).
2.12 The firewall should provide the following logs and related features:
2.12.1 Connection logs
2.12.2 Local log storage
2.12.3 Network logging
2.12.4 Real-time log viewer
2.12.5 Per-rule logging
2.12.6 Automatic log file compression
2.12.7 Log file wrapping

3 Features specific to proxy type
3.1 Application-based rules can be incorporated.
3.2 Facility to switch to stateful inspection mode if required.
3.3 URL filtering
3.4 Content inspection

Security Technical RFP - IDS

1 General
1.1 The types of IDS should be as follows:
1.1.1 Network based (NIDS)
1.1.2 Host based (HIDS)
1.2 NIDS and HIDS should be from the same product suite. If the two products are not from the same product suite, they should have the capability of integrating with each other and function under one IDS management system.
1.3 Must be able to analyse encrypted packets.
1.4 Supports zero-bandwidth configuration.
1.5 Product is capable of using out-of-band communications for either or both of its communications channels.
1.6 Performance of up to 150 Mbps.
1.7 The IDS should work in a non-intrusive mode and be able to monitor all of the major TCP/IP protocols, including IP, Internet Control Message Protocol (ICMP), TCP and User Datagram Protocol (UDP).
1.8 The IDS should statefully decode application-layer protocols such as FTP, Simple Mail Transfer Protocol (SMTP), HTTP, Domain Name System (DNS), remote procedure call (RPC), NetBIOS, NNTP and Telnet. RIP version 2 passive mode support.
1.9 IDS allows users to modify the engine filtering logic such that it detects incidents related to a subset of the network traffic (specific IP addresses, for example).
1.10 The platforms on which the IDS tools run should be appliance sensors (hardware/software devices) and should be the latest in the series.
1.11 The IDS product should detect incidents that originate from inside the network perimeter as well as from outside it.
1.12 IDS should monitor the network traffic on the local LAN segment for signs of attack such as Denial of Service attacks, pre-attack probes, suspicious activity, malicious intent (pattern-based signatures), unauthorized access attempts, and misuse as uniquely defined.
1.13 The IDS system itself is protected against attacks and uses no services on the host that might make it vulnerable to attack.
1.14 User-specified signatures can be created based upon content, i.e. string matching.
1.15 On power-up the IDS should run built-in system monitoring and diagnostics before going online, to detect hardware failure.
1.16 Extensive debugging capabilities to assist in hardware problem resolution.
1.17 Product can process host traffic at an acceptable rate with all of the attack signatures active.

2 IDS Management System
2.1 Communication between the IDS management system and the IDS sensor should be encrypted.
2.2 Must have an updateable pattern file for up-to-date protection from the newest threats and methods of attack.
2.3 Vendor must provide signature updates and must have a facility for automatically distributing these updates to all intrusion detection servers in the organization.
2.4 Must be able to define a rule base of which users can access specific resources on the network, ensuring only authorized access to network resources like web and FTP servers.
2.5 In the event of an attack the following activities should be possible:
2.5.1 Reconfigure firewalls on the fly when an attack is detected, thus preventing the IP address of the attacker from entering the said firewalls (for NIDS).
2.5.2 Disable the user account automatically (for HIDS).
2.5.3 Beep or set off an alarm.
2.5.4 Send an SNMP trap to a management console.
2.5.5 Send an event to the Windows NT event log (in the case of an NT system).
2.5.6 Send an event to the UNIX syslog event system (in the case of a UNIX system).
2.5.7 Send e-mail to an administrator to notify them of the intrusion.
2.5.8 Page (using normal pagers) the system administrator.
2.5.9 Save the attack information (timestamp, intruder IP address, victim IP address/port, and protocol information).
2.5.10 Save a trace file of the raw packets for later analysis.
2.5.11 Forge a TCP FIN packet to force a connection to terminate (for NIDS).
2.5.12 Automatically terminate the user login session (for HIDS).
2.6 Should allow creation of custom attack signatures.
2.7 Should allow the management of one or more intrusion detection sensors (host or network based) locally or remotely.
2.8 Administrators should be able to remotely access a management server running intrusion detection software to view and monitor intrusion detection data, change rules and create reports.
2.9 The system should integrate with other management systems such as firewall, enterprise management system and anti-virus management system.
2.10 Should be easy to update monitoring, blocking and alerting rules.
2.11 Should have an easy-to-use graphical user interface.
2.12 Product should have the capability of backing up the configuration details using a backup server, and the transmission should be encrypted.
2.13 The management system should be able to automatically download the latest signature files from the vendor's web/FTP site.
2.14 The vendor should provide updated signature files for any attacks carried out in any part of the world once a remedy is found, by automatically updating its web/FTP site and generating an e-mail with the respective signature files to the administrator.
2.15 Vendor should provide updated signature files on a weekly basis by making them available on its web/FTP site.
2.16 Product should have the capability of scheduling the auto-backup facility and auto-updating of signature files.
2.17 The product's sensor and the management console should seamlessly talk to each other on a TCP/IP network.
2.18 The product should have the facility of having multiple management stations.
2.19 The product should have a centralized management system.
2.20 Automated attempts to re-establish communication between the console and the IDS device after failure.
2.21 The appliance should be able to carry out its monitoring by connecting to standards-based Layer 2 or Layer 3 switches using the 100 Mbps SPAN/monitor ports.
2.22 The IDS should use separate communications channels for control data and for event data.
2.23 Web-based management software and command line interface support.
2.24 Management software should run on standard, commercial off-the-shelf hardware platforms and operating systems.
2.25 Product engines can monitor network traffic and take action autonomously, without a console running.
2.26 Network management services should be provided using standards-based protocols like SNMP and SNMP v2.

3 Reporting
3.1 Should provide a comprehensive system for capturing information and making it available for analysis.
3.2 Should provide the ability to filter, sort and view the archived information, and to create detailed reports.
3.3 Administrators should be able to view alerts and generate reports based on the consolidated information.
3.4 Must give detailed statistical reports on numbers of policy violations and where they came from, web usage, protocol distribution etc.
3.5 Product should have a comprehensive "drill-down" querying and reporting facility for the intrusion events held in the database.
3.6 Product should provide real-time statistics of the intrusion events detected, which could be represented in graphical form.
3.7 Report on resource usage technique.
3.8 The software on the IDS should support online software reconfiguration to ensure that changes made to an IDS configuration take effect immediately.
3.9 Ability to handle 200-400 alarms per second.
     Ability to "kill" a session by resetting TCP connections (no Sr. No. in the original).

4 Features specific to NIDS
4.1 Must provide surveillance, intrusion and attack detection, inappropriate URL detection and blocking, alerting, logging and real-time response.
4.2 Must protect the network from threats such as low-level protocol attacks and server and desktop intrusions.
4.3 Should automatically detect attack patterns in network traffic that indicate potential intrusions, attacks and abuses, and take appropriate action based upon predefined policies, even while such attacks are in progress.
4.4 Should support detection running in promiscuous mode without even binding to an IP address, to make the IDS machine practically invisible.
4.5 Should work in sniffer mode, to ensure that it does not induce any network delays while carrying out the required functionality.
4.6 Must detect and block access to inappropriate web sites, thus preventing use of the organization's resources for unproductive communication and network utilization.
4.7 Should be able to monitor all the ports in the switch of the network.
4.8 Should be able to work on servers of different OS platforms (please specify the list of OS).
4.9 Support for packet reassembly.
4.10 Detection of attacks due to misuse of protocols.
4.11 Support for honey pot technique.
4.12 Detection of application and operating system detection or fingerprinting attacks.
4.13 Anomaly-based intrusion detection.
4.14 Check for security attacks at layer 3 and below.
4.15 Monitoring the logs of different network systems for policy violations.
4.16 Should have the ability to monitor the network traffic on the local LAN segment for signs of attack such as Denial of Service attacks, pre-attack probes, suspicious activity, malicious intent (pattern-based signatures), unauthorized access attempts, and misuse as uniquely defined.
4.17 IDS should work in non-intrusive monitoring mode and have the ability to configure data transmission time on a per-agent basis.
4.18 Support at least 300 signatures, with online download support for newer signatures.
4.19 The IDS should be open standard in accordance with the ICSA IDSC program.
4.20 Product detects incidents based on patterns in network traffic that indicate malicious intent (pattern-based signatures).
4.21 Product's pattern-based signatures have a strong sense of context, so that false positives are minimized.
4.22 Flexible rack mounting configurations.
4.23 Vendor updates its attack signature database at least quarterly, and vendor provides major new product releases at least two times per year.
4.24 Vendor notifies automatically through e-mail about the availability of new signatures and new product releases.

5 Features specific to HIDS
5.1 The system agent should record important system file attributes, including hashes of the files on the host server.
5.2 The system should periodically scan log files for anomalous activity and notify the system administrator if a suspicious pattern is detected on the hosts.
5.3 The system should monitor all packets as they enter and exit the host, just like a personal firewall.
5.4 System should detect changes in system files and should know if someone tried to install potentially malicious software such as back doors.
5.5 Should be able to work on servers of different OS platforms (please specify the list of OS).
5.6 Detection of attacks due to misuse of protocols.
5.7 Support for honey pot technique.
5.8 Detection of application and operating system detection or fingerprinting attacks.
5.9 Anomaly-based intrusion detection.

6 Software requirements
6.1 The IDS should work in a non-intrusive mode and be able to monitor all of the major TCP/IP protocols, including IP, Internet Control Message Protocol (ICMP), TCP and User Datagram Protocol (UDP).
6.2 The IDS should statefully decode application-layer protocols such as FTP, Simple Mail Transfer Protocol (SMTP), HTTP, Domain Name System (DNS), remote procedure call (RPC), NetBIOS, NNTP and Telnet. RIP version 2 passive mode support.
6.3 Support for Network Address Translation (NAT) and fixed destination ports.
6.4 Product's help system describes the incidents in adequate detail, providing sufficient information about: 1) the incident, 2) the potential damage, 3) possible false positives, 4) the systems affected, 5) how to respond immediately upon detection of the incident, and 6) how to remove the vulnerability associated with the incident.
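HIDS requirements 5.1 and 5.4 describe file-integrity monitoring: the agent records attributes and hashes of important files and later detects that they changed or that software was added. The script below is an added example for this page, not the RFP's or any vendor's code; it builds a small constructed directory tree in a temporary location, baselines it, alters it and reports the differences, so it runs offline on any host with Python.

```python
"""File-integrity monitoring as described for the HIDS in 5.1 and 5.4:
record attributes and SHA-256 hashes of important files, then compare a
later snapshot against that baseline and report what was added, removed or
modified.  Added illustration, not the RFP's or any vendor's code; the
directory tree it scans is constructed in a temporary directory."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of the file contents, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record hash, size, permission bits and owner for every regular file under root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                        # symlinks and specials are skipped here
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            records[rel] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
            }
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; 'modified' lists which attributes changed per file."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": {},
    }
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            report["modified"][rel] = changed
    return report


def save_baseline(records: dict, path: str) -> None:
    """Persist the baseline as JSON (kept outside the monitored tree)."""
    with open(path, "w") as f:
        json.dump(records, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def _write(path: str, data: bytes, mode: int = 0o644) -> None:
    """Helper for the constructed scenario: create a file with given content and mode."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, change it, re-scan, report."""
    root = tempfile.mkdtemp(prefix="hids-demo-")
    store = tempfile.mkdtemp(prefix="hids-store-")
    try:
        _write(os.path.join(root, "etc", "passwd"), b"root:x:0:0::/root:/bin/sh\n")
        _write(os.path.join(root, "etc", "hosts"), b"127.0.0.1 localhost\n")
        _write(os.path.join(root, "bin", "login"), b"binary-placeholder", 0o755)
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)
        baseline = load_baseline(baseline_path)
        # Changes an administrator would want flagged: an edited account file,
        # a new executable, a removed file and a permission change.
        _write(os.path.join(root, "etc", "passwd"),
               b"root:x:0:0::/root:/bin/sh\nnewacct:x:0:0::/:/bin/sh\n")
        _write(os.path.join(root, "bin", "newtool"), b"another-placeholder", 0o755)
        os.remove(os.path.join(root, "etc", "hosts"))
        os.chmod(os.path.join(root, "bin", "login"), 0o700)
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(store)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline is only as trustworthy as its storage: an intruder who can rewrite `baseline.json` can hide any change, so a deployment keeps it off-host or on read-only media and checks against a signed copy, and the agent runs with just enough privilege to read the monitored files. Comparing attribute by attribute, as `compare` does, also lets a permission change or ownership change be reported even when the content hash is unchanged.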
6.5 Product allows users to modify the engine filtering logic such that it detects incidents related to a subset of the network traffic (specific IP addresses, for example).

7 Minimum IDS signature support for the following signature titles:
7.1 IP options - Bad Option List
7.2 IP options - Record Packet Route
7.3 IP options - Timestamp
7.4 IP options - Provide s,c,h,tcc
7.5 IP options - Loose Source Route
7.6 IP options - SATNET ID
7.7 IP options - Strict Source Route
7.8 IP Fragment Attack
7.9 Unknown IP Protocol
7.10 Impossible IP Packet
7.11 IP Fragments Overlap
7.12 IP Localhost Source Spoof
7.13 IP Fragmentation Buffer Full
7.14 IP Fragment Overlap
7.15 IP Fragment Overrun - Dgram Too Long
7.16 IP Fragment Overwrite - Data is overwritten
7.17 IP Fragment Missing Initial Fragment
7.18 IP Fragment Too Many Datagrams
7.19 IP Fragment Too Small
7.20 IP Fragment Too Many Frags
7.21 IP Fragment Incomplete Dgram
7.22 ICMP Echo Reply
7.23 ICMP Host Unreachable
7.24 ICMP Source Quench
7.25 ICMP Redirect
7.26 ICMP Echo Request
7.27 ICMP Time Exceeded for a Datagram
7.28 ICMP Parameter Problem on Datagram
7.29 ICMP Timestamp Request
7.30 ICMP Timestamp Reply
7.31 ICMP Information Request
7.32 ICMP Information Reply
7.33 ICMP Address Mask Request
7.34 ICMP Address Mask Reply
7.35 ICMP Network Sweep w/Echo
7.36 ICMP Network Sweep w/Timestamp
7.37 ICMP Network Sweep w/Address Mask
7.38 Fragmented ICMP Traffic
7.39 Large ICMP Traffic
7.40 ICMP Flood
7.41 Smurf
7.42 Ping of Death Attack
7.43 TCP Ports
7.44 TCP Port Sweep
7.45 TCP SYN Port Sweep
7.46 TCP Frag SYN Port Sweep
7.47 TCP FIN Port Sweep
7.48 TCP Frag FIN Port Sweep
7.49 TCP High Port Sweep
7.50 TCP FIN High Port Sweep
7.51 TCP Frag FIN High Port Sweep
7.52 TCP Null Port Sweep
7.53 TCP Frag Null Port Sweep
7.54 TCP SYN FIN Port Sweep
7.55 TCP Frag SYN FIN Port Sweep
7.56 TCP SYN Host Sweep
7.57 TCP Frag SYN Host Sweep
7.58 TCP FIN Host Sweep
7.59 TCP Frag FIN Host Sweep
7.60 TCP Null Host Sweep
7.61 TCP Frag Null Host Sweep
7.62 TCP SYN FIN Host Sweep
7.63 TCP Frag SYN FIN Host Sweep
7.64 Fragmented Null TCP Packet
7.65 Fragmented Orphaned FIN Packet
7.66 Null TCP Packet
7.67 SYN/FIN Packet
7.68 Orphaned FIN Packet
7.69 Fragmented SYN/FIN Packet
7.70 Queso Sweep
7.71 Half-open SYN Attack
7.72 Smail Attack
7.73 Sendmail Invalid Recipient
7.74 Sendmail Invalid Sender
7.75 Sendmail Reconnaissance
7.76 Archaic Sendmail Attacks
7.77 Sendmail Decode Alias
7.78 Mail Spam
7.79 Majordomo Execute Attack
7.80 MIME Overflow Bug
7.81 Q-Mail Length Crash
7.82 Suspicious Mail Attachment
7.83 FTP Remote Command Execution
7.84 FTP SYST Command Attempt
7.85 FTP CWD ~root
7.86 FTP Improper Address Specified
7.87 FTP Improper Port Specified
7.88 FTP RETR Pipe Filename Command Execution
7.89 FTP STOR Pipe Filename Command Execution
7.90 FTP PASV Port Spoof
7.91 WWW Phf Attack
7.92 WWW General cgi-bin Attack
7.93 WWW .url File Requested
7.94 WWW .lnk File Requested
7.95 WWW .bat File Requested
7.96 HTML File Has .url Link
7.97 HTML File Has .lnk Link
7.98 HTML File Has .bat Link
7.99 WWW campas Attack
7.100 WWW Glimpse Server Attack
7.101 WWW IIS View Source Attack
7.102 WWW IIS Hex View Source Attack
7.103 WWW NPH-TEST-CGI Attack
7.104 WWW TEST-CGI Attack
7.105 IIS DOT DOT VIEW Attack
7.106 IIS DOT DOT EXECUTE Attack
7.107 IIS Dot Dot Crash Attack
7.108 WWW php View File Attack
7.109 WWW SGI Wrap Attack
7.110 WWW PHP Buffer Overflow
7.111 IIS Long URL Crash Bug
7.112 WWW cgi-viewsource Attack
7.113 WWW PHP Log Scripts Read Attack
7.114 WWW IRIX cgi-handler Attack
7.115 HTTP WebGais
7.116 HTTP Gais Websendmail
7.117 WWW Webdist Bug
7.118 WWW Htmlscript Bug
7.119 WWW Performer Bug
7.120 Website Win-C-Sample Buffer Overflow
7.121 Website Uploader
7.122 Novell convert
7.123 WWW finger attempt
7.124 WWW count-cgi Overflow
7.125 TCP Hijack
7.126 TCP Hijacking Simplex Mode
7.127 NetBIOS OOB Data
7.128 NetBIOS Stat
7.129 NetBIOS Session Setup Failure
7.130 Windows Guest Login
7.131 Windows Null Account Name
7.132 Windows Password File Access
7.133 Windows Registry Access
7.134 Windows Redbutton Attack
7.135 Windows LSARPC Access
7.136 Windows SRVSVC Access
7.137 Sunkill
7.138 Telnet-IFS Match
7.139 Finger Bomb
7.140 Rlogin -froot Attack
7.141 IMAP Authenticate Buffer Overflow
7.142 IMAP Login Buffer Overflow
7.143 POP Buffer Overflow
7.144 INN Buffer Overflow
7.145 INN Control Message Exploit
7.146 IOS Telnet Buffer Overflow
7.147 IOS Command History Exploit
7.148 Cisco IOS Identity
7.149 IOS Enable Bypass
7.150 SSH RSAREF2 Buffer Overflow
7.151 BackOrifice BO2K TCP Non Stealth
7.152 BackOrifice BO2K TCP Stealth 1
7.153 BackOrifice BO2K TCP Stealth 2
7.154 UDP Packet
7.155 UDP Port Sweep
7.156 UDP Flood
7.157 UDP Bomb
7.158 Snork
7.159 Chargen DoS
7.160 Back Orifice
7.161 RIP Trace
7.162 BackOrifice BO2K UDP
7.163 Tftp Passwd File
7.164 Ascend Denial of Service
7.165 IOS UDP Bomb
7.166 WWW IIS newdsn attack
7.167 HTTP cgi HylaFAX Faxsurvey
7.168 WWW Windows Password File Access Attempt
7.169 WWW SGI MachineInfo Attack
7.170 WWW wwwsql file read Bug
7.171 WWW finger attempt
7.172 WWW Perl Interpreter Attack
7.173 WWW anyform attack
7.174 WWW CGI Valid Shell Access
7.175 WWW Cold Fusion Attack
7.176 WWW Webcom.se Guestbook attack
7.177 WWW xterm display attack
7.178 WWW dumpenv.pl recon
7.179 WWW Server Side Include POST attack
7.180 WWW IIS BAT EXE attack
7.181 WWW IIS showcode.asp access
7.182 WWW IIS .htr Overflow Attack
7.183 IIS Double Byte Code Page
7.184 FrontPage Extensions PWD Open Attempt
7.185 FrontPage _vti_bin Directory List Attempt
7.186 WWWBoard Password
7.187 HTTP Basic Authentication Overflow
7.188 WWW Cisco IOS %% DoS
7.189 WWW Sambar Samples
7.190 WWW info2www Attack
7.191 WWW Alibaba Attack
7.192 WWW Excite AT-generate.cgi Access
7.193 WWW catalog_type.asp Access
7.194 WWW classifieds.cgi Attack
7.195 WWW dmblparser.exe Access
7.196 WWW imagemap.cgi Attack
7.197 WWW IRIX infosrch.cgi Attack
7.198 WWW man.sh Access
7.199 WWW plusmail Attack
7.200 WWW formmail.pl Access
7.201 WWW whois_raw.cgi Attack
7.202 WWW msadcs.dll Access
7.203 WWW msadcs.dll Attack
7.204 WWW bizdb1-search.cgi Attack
7.205 WWW EZshopper loadpage.cgi Attack
7.206 WWW EZshopper search.cgi Attack
7.207 WWW IIS Virtualized UNC Bug
7.208 WWW webplus bug
7.209 WWW Excite AT-admin.cgi Access
7.210 WWW Piranha passwd attack
7.211 Normal SATAN Probe
7.212 Heavy SATAN Probe
7.213 DNS HINFO Request
7.214 DNS Zone Transfer
7.215 DNS Zone Transfer from High Port
7.216 DNS Request for All Records
7.217 DNS Inverse Query Buffer Overflow
7.218 BIND NXT Buffer Overflow
7.219 BIND SIG Buffer Overflow
7.220 RPC Port Registration
7.221 RPC Port Unregistration
7.222 RPC Dump
7.223 Proxied RPC Request
7.224 RPC Set Spoof
7.225 RPC Unset Spoof
7.226 RPC RSTATD Sweep
7.227 RPC RUSERSD Sweep
7.228 RPC NFS Sweep
7.229 RPC MOUNTD Sweep
7.230 RPC YPPASSWDD Sweep
7.231 RPC SELECTION_SVC Sweep
7.232 RPC REXD Sweep
7.233 RPC STATUS Sweep
7.234 RPC ttdb Sweep
7.235 ypserv Portmap Request
7.236 ypbind Portmap Request
7.237 yppasswdd Portmap Request
7.238 ypupdated Portmap Request
7.239 ypxfrd Portmap Request
7.240 mountd Portmap Request
7.241 rexd Portmap Request
7.242 rexd Attempt
7.243 statd Buffer Overflow
7.244 RPC.tooltalk Buffer Overflow
7.245 RPC mountd Buffer Overflow
7.246 RPC CMSD Buffer Overflow
7.247 sadmind RPC Buffer Overflow
7.248 RPC amd Buffer Overflow
7.249 Ident Buffer Overflow
7.250 Ident Newline
7.251 Ident Improper Request
7.252 FTP Authorization Failure
7.253 Telnet Authorization Failure
7.254 Rlogin Authorization Failure
7.255 POP3 Authorization Failure
7.256 SMB Authorization Failure
7.257 Loki ICMP Tunnelling General
7.258 Loki ICMP Tunneling
7.259 RingZero Trojan
7.260 TFN Client Request
7.261 TFN Server Reply
7.262 Stacheldraht Client Request
7.263 Stacheldraht Server Reply
7.264 Trinoo Client Request
7.265 Trinoo Server Reply
7.266 7.267 7.268 7.269 7.270 7.271 7.272 7.273 7.274 7.275 Technical Requirements Vendor Comments TFN2K Control Traffic Mstream Control Traffic FTP Retrieve Password File Telnet-/etc/shadow Match Telnet-+ + Rlogin-IFS Match Rlogin-/etc/shadow Match Rlogin-+ + IP-Spoof Interface 1 IP-Spoof Interface 2 Strictly Confidential Annexure I Page 24 Centralised Banking Project RFP Security Technical RFP - RAS Sr. No. 1 1.1 1.2 1.3 1.4 Technical Requirements AUTHENTICATION SOFTWARE ON RAS Facility should be available for limiting connections to a specific TCP/IP address range Facility to embed a security code into the host and remote objects. This code should be present on both ends for a connection to be made. Facility should be available to authenticate the remote users identity with a password Facility should be available for the remote users to specify a dial back number. This facility should then drop the connection and the host should dial back that remote number for authentication purposes Facility to let host users limit the number of times a remote user can attempt to login during a single session to protect against hacker attacks. Facility to let host users limit the amount of time that a remote user has to complete a login to protect against hacker and denial of service attacks. Facility to let host users prevent remote users from reconnecting to the host if the session is stopped due to an abnormal end of session. Facility to let host users limit the amount of time that a remote caller can stay connected to the host to protect against denial of service attacks and improper use. 
Data transmitted on remote session to be encrypted Facility to check the host and the remote for any set up changes such as DLL files, registry changes etc to ensure hackers/employees have not changed settings which could be a security risk Ability to reject multiple concurrent sessions for the same login credentials Facility to limit the connection to a specific customer number through the CLI features REMOTE ACCESS SERVER (RAS) Should be able to support Digital and Analog lines The server should be able to accommodate multiple communication lines with the facility of expanding the number of ports for future expansion Vendor Comments 1.5 1.6 1.7 1.8 1.9 1.10 1.11 2 2.1 2.2 Strictly Confidential Annexure I Page 25 Centralised Banking Project RFP Security Technical RFP - RAS Sr. No. 2.3 Technical Requirements The server should be able to handle the techniques of RADIUS (Remote Access Dial-In User Service) as well as TACAS (Terminal Access Concentrator Access control Server). Please specify the compatibility with other authentication mechanisms. RAS should be able to communicate with central database for Authentication, Authorisation and Accounting (AAA) RAS should be able to generate records in the audit logs that indicate a number of activities, including normal connections, successful disconnection, successful call-backs, disconnects due to idle lines, timed-out authentication, and line errors. Excessive failed connections may indicate that someone is trying to break into an account. Administrators should make use of the logging and auditing facilities available Vendor Comments 2.4 2.5 Strictly Confidential Annexure I Page 26 Centralised Banking Project RFP Security Technical RFP - Encryption Sr. No. 1 1.1 1.2 1.3 1.4 1.5 1.6 2 2.1 2.2 2.3 Technical Requirements ACCELERATOR CARD FOR ROUTER (TO ACCELERATE ENCRYPTION ON THE ROUTER) The product should be compliant to IPSEC, VPN technologies Should support various encryption types such as DES, Triple DES 168 Bit. 
(Specify the types supported) The product should support encryption of both data and voice The product should be able to create a private tunnel between the 2 points of communication (ie the head office and the respective branch) Vendor should specify the number of tunnels the device could support Should support Digital Certificates, Digital Signature & PKI ENCRYPTION SOFTWARE FOR WEBSERVER Software should support TCP/IP protocol, Digital certificates, PKI Encryption should be at a minimum 128 Bit based Software should allow the server and client to authenticate each other and to negotiate an encryption algorithm before the application protocol transmits or receives its first byte of data The software should be application independent Server authentication process should allow users to confirm a Web server's identity Encryption software enabled on client software, such as a Web browser, should be able to automatically check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) All data sent over an encrypted software connection should be protected with a mechanism for detecting tampering Should support both symmetric and asymmetric encryption Encryption software should support securing of multi server and multi domains Redundant server backups that allow Web sites and extranets to maximize site performance by balancing traffic loads among multiple servers Organizations running multiple servers to support multiple site names Vendor Comments 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 Strictly Confidential Annexure I Page 27 Centralised Banking Project RFP Security Technical RFP - Encryption Sr. No. 2.12 Technical Requirements Organizations running multiple servers to support a single site name Vendor Comments Strictly Confidential Annexure I Page 28
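Requirement 2.5 of the RAS section asks for audit records of connections, call-backs, idle disconnects, timed-out authentications and line errors, and notes that excessive failed connections may indicate a break-in attempt on an account. The following Python is an illustration added here, not part of the RFP or of any vendor's product: it parses constructed sample records in a hypothetical line format and flags accounts whose failed or timed-out logins cluster inside a sliding time window, which is the review an administrator would run over such logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample audit records in a hypothetical line format (not taken from
# any real RAS product): "<ISO timestamp> <EVENT> user=<id> caller=<CLI number>".
SAMPLE_LOG = """\
2009-11-04T09:00:01 CONNECT user=branch07 caller=02212345601
2009-11-04T09:00:09 CALLBACK_OK user=branch07 caller=02212345601
2009-11-04T09:31:10 IDLE_DISCONNECT user=branch07 caller=02212345601
2009-11-04T10:02:03 AUTH_FAIL user=branch12 caller=09998877661
2009-11-04T10:02:41 AUTH_FAIL user=branch12 caller=09998877661
2009-11-04T10:04:22 AUTH_TIMEOUT user=branch12 caller=09998877661
2009-11-04T11:15:00 AUTH_FAIL user=branch03 caller=02212345603
2009-11-04T11:15:30 CONNECT user=branch03 caller=02212345603
2009-11-04T11:50:12 DISCONNECT user=branch03 caller=02212345603
2009-11-04T12:00:00 LINE_ERROR user=- caller=-
"""

def parse_ras_log(text):
    """Return (timestamp, event, user, caller) tuples sorted oldest first."""
    records = []
    for line in text.splitlines():
        if line.strip():
            stamp, event, user_kv, caller_kv = line.split()
            records.append((datetime.fromisoformat(stamp), event,
                            user_kv.split("=", 1)[1], caller_kv.split("=", 1)[1]))
    return sorted(records)

def count_events(records):
    """Per-event-type activity summary for the administrator's daily review."""
    counts = defaultdict(int)
    for _, event, _, _ in records:
        counts[event] += 1
    return dict(counts)

def excessive_failures(records, threshold=3, window=timedelta(minutes=10)):
    """Map user -> peak count of failed or timed-out logins inside any sliding
    `window`; users below `threshold` (branch03's single slip) are not reported."""
    recent = defaultdict(deque)  # user -> failure timestamps still inside window
    flagged = {}
    for stamp, event, user, _ in records:
        if event not in ("AUTH_FAIL", "AUTH_TIMEOUT"):
            continue
        q = recent[user]
        q.append(stamp)
        while stamp - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged
```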
