Technical Specifications
1. Introduction
It’s all about operations! The value of a cyber range can be found in its
ability to support operations and the multiple roles that operations
personnel perform at security centers, network centers, and data centers.
The best cyber ranges are designed and developed by engineering teams
with operations experience in theater operations, security operations, and
network operations.
The similarities between a football game and a cyber range exercise are many.
Both require good defense and offense strategies. Government and military often
use the terms red team and blue team to reference offensive and defensive
operations. Red teams play the role of attack teams and blue teams play the role of
network defenders. A cyber range that does not provide realism in its simulations
does not prepare cyber warriors to succeed in the cyber space domain.
Multiple teams are responsible for NOSC operations. The teams often reside in the
same facility and under the same management but they can also be geographically
dispersed. Successful operations require that all teams understand the roles and
responsibilities of their teammates. An Operational Nodes Connectivity Diagram is
used to facilitate understanding of the different roles and responsibilities that the
teams play. An operational node represents a team. It could be the management
team, network team, security team or IRT team. The diagram connects the nodes
that communicate with each other using what is commonly referred to as “need-
lines.” The need-lines are assigned identification numbers and have labels for the
type of information that they represent.
Operational activity models are used to capture all the activities performed at the
NOSC. A typical activity model will include over a hundred activities and will be
captured using Integration Definition for Function Modeling (IDEF) charts with flow
arrows.
Offensive operations require a cyber range with the ability to generate security
attacks using broadband networks, wireless networks and satellite networks. A
cyber range should be able to generate security attacks that target Common
Vulnerabilities and Exposures (CVE) for application layer protocols, security layer
protocols, transport layer protocols, network layer protocols, data layer protocols,
and the physical layer spectrum. The cyber range should also be able to launch or
simulate Denial of Service (DoS), Distributed DoS (DDoS) and Botnet attacks.
Botnet attacks are the most difficult to simulate and detect since they require master
to slave transactions at different time intervals.
User interfaces that group countries by the seven continents should display a
user selectable map of the same. Government or military personnel prefer to
group countries by military commands or geographical regions. The Figure
above illustrates a typical world map that could be used to select background
Internet traffic for countries or regions.
Cyber ranges need traffic generators for multiple functions. They are needed to
emulate realistic IP addresses for all the countries in the world using the
predefined IP blocks managed by the Internet Assigned Numbers Authority (IANA).
A traffic generator needs to be able to generate traffic for hundreds of IANA
country codes. Traffic generators also need to simulate thousands of server
and client computers with their respective application, security, transport and
network protocols. The ability to generate security attacks is essential to any
cyber range environment and has to be supported by the traffic generator.
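One way a range could draw geographically plausible source addresses from per-country allocations, as an added example that is not part of the original specification or any vendor's product: the country-to-CIDR table below is constructed from RFC 5737/RFC 3849 documentation ranges (the real thing would be loaded from the RIRs' published delegation files), and `country_of` is the reverse lookup a range operator can use to confirm that generated background traffic really does classify back to the intended country.

```python
import ipaddress
import random
from collections import Counter

# Constructed allocation table: country code -> CIDR blocks. These are
# RFC 5737 / RFC 3849 documentation ranges standing in for the real
# IANA/RIR delegations a range would load from the RIRs' delegated-* files.
COUNTRY_BLOCKS = {
    "AA": [ipaddress.ip_network("192.0.2.0/24")],
    "BB": [ipaddress.ip_network("198.51.100.0/25"),
           ipaddress.ip_network("198.51.100.128/25")],
    "CC": [ipaddress.ip_network("203.0.113.0/24")],
    "DD": [ipaddress.ip_network("2001:db8::/32")],
}


def build_index(table):
    """Flatten the table into (network, country) pairs sorted longest prefix
    first, so lookups return the most specific allocation."""
    pairs = [(net, cc) for cc, nets in table.items() for net in nets]
    return sorted(pairs, key=lambda p: p[0].prefixlen, reverse=True)


INDEX = build_index(COUNTRY_BLOCKS)


def country_of(address, index=INDEX):
    """Map an address back to the country whose block contains it, or None."""
    ip = ipaddress.ip_address(address)
    for net, cc in index:
        if ip.version == net.version and ip in net:
            return cc
    return None


def sample_address(country, rng, table=COUNTRY_BLOCKS):
    """Draw a random host address from the country's blocks, weighting each
    block by its size so larger allocations are proportionally more likely."""
    nets = table[country]
    net = rng.choices(nets, weights=[n.num_addresses for n in nets], k=1)[0]
    if net.version == 4 and net.num_addresses > 2:
        # Skip the network and broadcast addresses so every sample is a host.
        offset = rng.randint(1, net.num_addresses - 2)
    else:
        offset = rng.randint(0, net.num_addresses - 1)
    return str(net.network_address + offset)


def generate_sources(mix, count, seed=0):
    """Produce `count` (source_ip, country) pairs following `mix`, a mapping of
    country -> relative share of background traffic. Deterministic per seed."""
    rng = random.Random(seed)
    countries = list(mix)
    shares = [mix[c] for c in countries]
    out = []
    for _ in range(count):
        cc = rng.choices(countries, weights=shares, k=1)[0]
        out.append((sample_address(cc, rng), cc))
    return out


def verify_sources(pairs):
    """Range-side sanity check: every generated source must resolve back to
    the country it was meant to represent. Returns (all_ok, per-country counts)."""
    ok = all(country_of(ip) == cc for ip, cc in pairs)
    return ok, Counter(cc for _, cc in pairs)


if __name__ == "__main__":
    pairs = generate_sources({"AA": 5, "BB": 3, "CC": 1, "DD": 1}, 20, seed=7)
    for ip, cc in pairs[:5]:
        print(cc, ip)
    print(verify_sources(pairs))
```

The seed makes a traffic mix reproducible between exercise runs, and the longest-prefix index matters once real delegation data is loaded, because RIR files contain nested and re-allocated blocks.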
The cyber range traffic generator should be able to generate traffic simulating
the most popular Internet social Apps. Web site traffic rankings for any country
show that social Apps like Twitter and Facebook are always ranked in the top
five. A cyber range traffic generator should also simulate search engine traffic
for Google, Yahoo, and Bing in addition to web mail and chat services like
Gmail, Yahoo Mail, Hotmail and Yahoo Messenger. The traffic generator
should also simulate entertainment Apps and games.
Mobile Apps continue to grow, accounting for a big chunk of the Internet
traffic. A cyber range traffic generator should be able to simulate hundreds
of mobile Apps for the most popular mobile devices. The traffic generator
should generate Android and iOS client to server transactions for multiple
user agents and App IDs. The engine should also simulate VoIP and
OTP app communication traffic.
4.1.2.3. BOTNETS
In order to avoid a single point of failure, Next Generation (NG) Firewalls used
in a cyber range environment should not be configured to perform all security
functions in one appliance. Multiple layers of protection or defense-in-depth is
still the best risk mitigation architecture to protect enclaves and enterprises. A
cyber range needs to be able to detect BOTNET security attacks. BOTNETS
are programs or malware that exploit servers and other network devices.
A cyber range requires network devices to route Internet traffic from client
computers to server computers. Network devices are also needed in order for
trainees to be able to switch and route network traffic, isolate network links
and block devices using Access Control Lists (ACLs). Ideally a cyber range
should include Layer-2 & Layer-3 switches and routers. Network devices
should support both IPv4 and IPv6 network protocols in addition to the most
popular routing protocols. OSPF, BGP, IGMP and multicast protocols should
be supported.
Learning Management Systems (LMS) are often bundled with cyber ranges to
help deliver training lectures and operational exercises.
4.7 Automation/Orchestration
Automation is required to stitch together all the cyber range components mentioned above
according to their respective use cases. This makes it easier for the range operator or user to
run the use cases automatically, with results populated accordingly.
Orchestration supports stitching together the services and topology of the
components. It gives a single view from which to test the use cases and generate their results.
NGFW
o Provides control and monitoring of incoming and outgoing network traffic based on a defined set of rules (e.g. access control, advanced threat and breach detection etc.) for both virtual and physical infrastructure.
Physical L3 switch
o 10G Ethernet switch for connecting to the physical firewall and server and for management.
Physical Servers
Workstations
o For controlling and managing infrastructure for Red team and Blue team.
LEDs
The solution should preferably be a proven and validated solution by OEM. The System
Integrator (SI) will be responsible for implementing the simulation environment and then
engaged for up to 3 years with effect from the date of issuance of Final Acceptance Certificate
(FAC) by MIST for updating installed equipment with appropriate threat intelligence updates.
The SI is responsible for providing latest attack and threat scenarios at least once every year.
The SI will also ensure a handover workshop and training detailing the installed simulation
environment and attack defense scenarios, which can be simulated in the environment.
e) Assess Skills and Knowledge; to be used for assessing a team's skills and knowledge in defending against cyber attacks.
f) Cyber War Games; to be used as a platform for red, blue and white teams to test their offensive and defensive skills and strategies.
g) The objective design should fulfill both the requirements of attack-based simulation of various situations for students/financial sector professionals and war game training for the military.
h) SOC and SIEM Operations: First-hand working experience of incident response using SIEM and SOC.
a) Standardize – A comprehensive test solution and test plan with appropriate test cases, which test and verify key aspects of a Cyber Range
b) Efficiency and Repeatability – A solution which provides timely testing with minimal engineering time on a per incident basis
c) Valuable Reporting and Analysis – A solution which enables a customer to quickly gauge performance, quantify results, and obtain actionable information
10. Training:
11. Teams (The Cyber Range must cater to the following team composition)
Task - 10: Warranty for Three Years from the date of completion of Cyber Range Integration
Full device installation and configuration inside the Cyber Range environment, including:
a. Next Generation Firewall
Provides control and monitoring of incoming and outgoing network traffic based on a defined set of rules (e.g. access control, advanced threat and breach detection etc.) for both virtual and physical infrastructure.
b. IPS (Intrusion Prevention System)
Provides application visibility and control, threat protection, real-time contextual awareness, and intelligent security automation, with optional subscription licenses for Advanced Malware Protection (AMP), for both virtual and physical infrastructure.
c. Network NetFlow and Behaviour Security
Detects anomalous traffic and behaviours, including zero-day malware, distributed denial-of-service (DDoS) attacks, insider threats, and advanced persistent threats (APTs) on both virtual and physical infrastructure.
d. Web Security
Provides a proxy service that combines traditional URL filtering with dynamic content analysis in real time to mitigate compliance, liability, and productivity risk for corporate users and applications.
e. Email Security
Provides preventive and reactive measures against viruses, spam, ransomware, phishing (fraud), spoofing, data leakage and advanced malware attacks to strengthen email security.
f. Network Access Control and Policy
Allows operators to see and control users and devices connecting to the corporate network, all from a central location.
g. Threat Generator
Simulates real-world legitimate traffic, distributed denial of service (DDoS), exploits, malware, and intrusions.
h. SIEM and Data Analytics System
Provides a single pane of glass interface into correlated security data.
i. SOC (Security Operations Centre)
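Two of the behaviours this list and the earlier botnet paragraph ask a range to detect from flow data are fixed-interval master-to-bot check-ins and volumetric DDoS floods. The following is an added example, not code from the specification or from any vendor's NetFlow product: the flow records are constructed (documentation and benchmark address ranges, NetFlow-like fields), and the two detectors show the kind of logic a blue team's analytics would run over exported flows, one looking for near-constant inter-flow timing per source/destination pair, the other for a spike in distinct sources per destination inside a sliding window.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow records shaped like exported NetFlow fields:
# (start time in seconds, source IP, destination IP, destination port, bytes).
# No real capture is involved; addresses are documentation/benchmark ranges.
FLOWS = [
    # Ordinary browsing from 10.0.0.5: irregular timing, varied destinations.
    (0, "10.0.0.5", "203.0.113.10", 443, 5200),
    (37, "10.0.0.5", "203.0.113.10", 443, 8100),
    (131, "10.0.0.5", "203.0.113.11", 443, 2400),
    (290, "10.0.0.5", "203.0.113.12", 80, 900),
    # 10.0.0.9 contacts the same host every 60 s with a tiny payload: the
    # fixed-interval master-to-bot check-in pattern the text describes.
    *[(60 * i, "10.0.0.9", "198.51.100.7", 443, 310) for i in range(1, 11)],
    # 150 distinct sources hit 192.0.2.20 within 20 s: a volumetric flood.
    *[(200 + i % 20, f"198.18.{i // 256}.{i % 256}", "192.0.2.20", 80, 60)
      for i in range(150)],
]


def detect_beacons(flows, min_flows=6, max_cv=0.1):
    """Flag (src, dst, port) triples whose inter-flow gaps are nearly constant:
    at least min_flows flows and a coefficient of variation of the gaps
    (standard deviation / mean) no greater than max_cv."""
    times = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        times[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((key, avg))
    return hits


def detect_floods(flows, window=30, min_sources=100):
    """Flag destinations reached by at least min_sources distinct sources
    within some window-second sliding interval; reports the peak count."""
    events = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        events[dst].append((ts, src))
    hits = []
    for dst, evs in events.items():
        evs.sort()
        in_window = Counter()
        lo, peak = 0, 0
        for ts, src in evs:
            in_window[src] += 1
            # Evict events that fell out of the window before counting.
            while ts - evs[lo][0] > window:
                old_src = evs[lo][1]
                in_window[old_src] -= 1
                if in_window[old_src] == 0:
                    del in_window[old_src]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_sources:
            hits.append((dst, peak))
    return hits


if __name__ == "__main__":
    for key, period in detect_beacons(FLOWS):
        print(f"beacon: {key[0]} -> {key[1]}:{key[2]} every {period:.0f}s")
    for dst, n in detect_floods(FLOWS):
        print(f"flood: {dst} from {n} sources within 30s")
```

The thresholds (`min_flows`, `max_cv`, `window`, `min_sources`) are the tuning knobs a range exercise would vary; real bot check-ins usually add jitter, so in practice `max_cv` has to be loosened and the payload-size regularity (the constant 310 bytes above) used as a second signal.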
Once the Cyber Range is established, it should be capable enough to train personnel from
private and public organizations like:
• Financial Sectors
• Enterprises
With the increase of internet-facing corporate networks, risk exposure to state-sponsored and other threat actors is often inevitable.
- Forensic
Type 12–Spams
In a Hybrid Cyber Range, Cyber Test Systems should be able to generate advanced types of cyber attack scenarios. A Multi-Vector Attack is a combination of multiple Single-Vector attack types.
Reproduce the behaviour of a cyber attack campaign such as an APT (Advanced Persistent Threat), including Malicious Domains, Malicious Websites, Botnet Communications and Web Exploit Kits, and identify who introduced malware into the system. The aim is to place teams into the exact environment that existed during the original campaign.
The implementation part of the assignment mentioned in this invitation for bids must be completed within 6 calendar months from the date of signing the contract; the implementation timeline is 180 calendar days from the date of signing of the contract. (Implementation time should preferably be reduced to six months.)
Detailed technical designs and relevant documentation must be provided, including physical, logical and service-oriented layout designs, test case designs, etc.
Roles and responsibilities of all stakeholders regarding the activities and services must be provided in detail with clear separation of duties.
16.1. Implementation Schedule
Note: Specify, if applicable, whether any/each of the following software or tools is open source or proprietary.
Specify the quantity, or for which team a specific tool will be provided (Bidder must provide BOQ for each material).
Item No. 1: L4-L7 Traffic and attack generator (Application and Security Testing Appliances) (Qty – 1 Set)
5 Replay Capability :-
6 Replay Method:-
7 DDoS Testing:-
10 General Features:-
13 Type of simulation:-
14 IP Version:-
TCP
UDP
SSLv2
SSLv3
TLSv1
TLSv1.2
TLS 1.3
QUIC
16 Data Protocol :-
HTTPS
17 Traffic Generation
18 Graphic Display
19 Report Generation :-
22 Malware Category:-
23 Fuzzing:
Ports
2 Interface
a. 1 G Interface
a. 1nS or better
4 Storage Size
a. Greater than 8 TB
1 Interface:
1G
2 Ports
1G Ethernet
3 OpenFlow/SDN enabled
10 1k filters
Description / Required Technical Specification / Bidder's Response
Quality Certification: ISO, FCC, UL, CE or
Bidder's Response: To be mentioned by the bidder
Country of Assembly / Manufacture:
Bidder's Response: To be mentioned by the bidder
Router Processor Type: High-performance multi-core processors
Redundant power supply: Should have redundant power supply from day one.
3 Interface: The device should have at least 8 x 1GbE built-in Copper, 2 x 1G SFP and 4 x 10GbE SFP+ interfaces from day 1 and should be freely configurable as LAN, WAN & DMZ ports. 4 x Dual Rate 10GBase-SR 10GbE Fiber Transceivers (GBIC) should be from the same vendor.
4 Power Supply: AC
1 GUI
6 Secure Spaces
7 Encrypted communications
10 Security realms
12 Security APIs
14 Logs dashboards
15 Logs app
17 Uptime dashboards
18 Uptime app
21 Alerting on anomalies
22 Population/entity analysis
25 Data Visualizer
26 Data frames
Item No. 10: Application Server (Should be of 1U Rack Size) (Qty – 1)
Item No. 11: Hypervisor Server (Server should support Hyper-V, VMware and Xen) (Qty – 3 nos.)
5 Hard Drives:
15 Server Management:
11 I/O slots:
16 Availability:
Redundant Fans
17 Quality Certifications:
18 Form Factor:
19 Warranty & support:
Quantity 3 (Three)
Switch should support both front and back beacon LEDs for easy identification of the switch being accessed.
Component/Item / Required Technical Specification / Bidder's Response
Country of Manufacturer: To be mentioned by bidder
The Switch Stack Architecture should allow the end user to stack a 24 Port Switch with a 48 Port switch of the same model.
Shall have RJ-45 & Mini USB Console Ports for Management.
The switch should be rack mountable and should not take more space than 1 Rack Unit.
Support RSPAN.
Quality of Service: The switch should support Auto QoS for certain device types and enable egress queue configurations.
1 42" or higher
2 Display port x 01
1 Output
Crest Factor 3 : 1
2 Input
RBC Quantity 2
4 Backup
E. Exhaust fan
Item No. 19: Virtual Network Devices (Open Source/Proprietary) (Qty – 1 each)
1 Analysis
2 Firewall
Geo IP blocking
Anti-Spoofing
Connection limits
Dynamic DNS
Reverse proxy
DHCP server
DNS forwarding
Wake-on-LAN
PPPoE Server
3 Packet capturing
Packet capturing and storage with smart capturing and analysis.
4 Load balancer
High Availability
High Throughput.
Low Latency
Static IP support
Elastic IP support
TLS Offloading
Preconfigured infrastructure should be backed up by using the Platform infrastructure and management module.
Configurable scenario items have to be stored and unlocked for modification in the Exercise repository module.
Stage 1 - attacking websites.
Vulnerability exploitation, SQL injections, DDoS.
It should be possible to run advanced attacks manually in addition to the automated attacking baseline if blue teams are performing well.
WikiDocs capability or similar from the Exercise repository module should be used to document a manual.

Preconfigured infrastructure should be backed up by using the Platform infrastructure and management module.
Configurable scenario items have to be stored and unlocked for modification in the Exercise repository module.
Anonymous access to an FTP.
Vulnerability exploitation, SQL injections, DDoS.
It should be possible to run advanced attacks manually in addition to the automated attacking baseline if the blue team is performing well.
WikiDocs capability or similar from the Exercise repository module should be used to document a manual.

Preconfigured infrastructure should be backed up by using the Platform infrastructure and management module.
Configurable scenario items have to be stored and unlocked for modification in the Exercise repository module.
Stage 1 - attacking websites.
Stage 3 - attacking applications and private network zones.
WikiDocs capability or similar from the Exercise repository module should be used to document a manual.

Preconfigured infrastructure should be backed up by using the Platform infrastructure and management module.
Configurable scenario items have to be stored and unlocked for modification in the Exercise repository module.
WikiDocs capability or similar from the Exercise repository module should be used to document a manual.
Item No. 22: Center Operations Manual and Self-Organising Capabilities Module (Qty – 1)
Warranty Service: Three (3) years OEM branded support and parts replacement warranty to be provided for all equipment, systems and software items.
Technical Assistance: Supplier should provide technical assistance on an on-call basis during the warranty period.
Support for hardware: faulty part replacement; for software: new software releases, provision of fixes and support for bugs.
The Supplier shall not use as replacements any parts/components which are not original, or parts/components which have not been approved by the Manufacturers of the server/equipment, unless he has the prior consent of the purchaser.
In the case where the substitute equipment or components require interfacing software drivers, the Supplier shall immediately provide the purchaser, at his own expense, with such software, subject to the purchaser’s satisfaction, for the period during which the substitute equipment or part remains in operation at the premises. The substitute equipment or part thereof must be of equivalent or higher performance to the original equipment or part.
The Supplier shall not remove/replace any server or part(s) thereof without the consent of the purchaser or its appointed representative.
Any defective part that is removed from the equipment is the property of the purchaser. It must be returned to the purchaser or its appointed representative.
There must be a Non-Disclosure Agreement (NDA) between the selected bidder and the purchaser.
System Integration: All equipment, including software, must be installed in the designated location by BCC. The Vendor must install, implement, and integrate all the systems supplied and required for the functioning of the Training Center. The following requirements must be performed by the supplier:
The Supplier shall conduct the tests on the System in the testing and production environments to ensure that the equipment and systems have been installed and set up properly.
The supplier must verify and ensure that all related systems maintain data integrity and can operate in coordination with other systems in the same environment. The supplier must ensure that all components are integrated successfully to provide the expected results.
The Vendor should provide the necessary subscription services to update the simulation environment with threat intelligence once every year for a minimum of 3 years. After the warranty period, the approximate yearly licensing fee must be clearly stated in the BOQ for each service. If MIST does not renew the yearly subscription, the existing system will continue without the updates, as MIST is an educational institute. A special discount on the yearly renewal fee may be considered and proposed after the expiry of the warranty period.