Job Title: Network Security Engineer (Hybrid)
Location: US-MD-Pikesville
Duration: 12 Months
Overview
The client is a leading global provider of digital services working at the intersection of the public and private sectors. With broad capabilities across IT managed services, cybersecurity, cloud migration and application development, the client provides on-site and remote support to customers in government, healthcare, financial services, transportation, manufacturing, and other critical infrastructure sectors. The client has grown to over 2,100 employees globally and has been continually recognized as a Top Workplace in both regional and national categories.
Responsibilities
The client is seeking a Network Security Engineer to complete the migration of two (2) high-availability pairs of Cisco ASA firewalls to the Cisco Firepower Threat Defense (FTD) image, which combines Cisco ASA and Firepower features into a single hardware and software system. In addition, the candidate will perform an assessment of an existing Cisco Identity Services Engine (ISE) deployment.
Duties And Responsibilities
Task 1: Collaborate with the Project Manager and Senior Network Security Engineer to migrate the Cisco ASA firewalls to Cisco Firepower Threat Defense images:
During configuration planning, firewall rules, security zones, interface groups, NAT policies, VPNs, ACLs, objects, filters and policy-based routing (PBR) will be examined and discussed for architectural decision making. Knowledge transfer on the differences between ASA and FTD, and on file transfer and management, will be provided, including the Firewall Migration Tool (FMT), which assists with pre-migration reporting and migration workflows. The candidate will perform the following tasks:
- Client Kick-off call for introductions and set timelines, deliverables, and project expectations.
- Off-site documentation review of existing network documentation and firewall rules for migration.
- Main location (on-site) project planning and assessment, to include:
  - Engineering review of physical cabling, cross-connects and peer connections.
  - Verify Layer 3 and Layer 2 ports, SVIs and routed ports, and IGP and EGP routing protocols.
  - Verify security zones and policies for enforcement.
  - Verify VPN access and remote connectivity.
  - Verify and discuss HA failover and the migration path.
  - Verify the internal L2 and L3 switching design, spanning-tree and VLAN architecture as they relate to firewall VRF handling and the routing architecture.
  - Verify IP address management, schema and address allocations for DNS, DHCP and gateways.
  - Verify firewall software licensing, security certificates and encryption.
- On-site migration plus next day on-site support.
- Configuration Design, Testing Plan and Migration Plan development and documentation will occur after all business requirements and the current state of the security architecture have been discovered. The Vendor will document the findings and prepare the target design and system design for analysis. The following activities will occur during the planning process:
  - Off-site engineering analysis of the on-site findings, and documentation of the existing topology detailing the protocol stack for HA routing and switching.
  - Documentation and policy review of existing firewall and security services (threat prevention, URL filtering, VPN, etc.).
  - Documentation and policy review of existing sub-interfaces (networks) used for internal route filtering, using any existing VRF mapping and access control lists.
  - Documentation and export of existing certificates used for software and client access.
  - Documentation of the existing firewall access control lists, denoting each security zone mapping and the privileges granted for access.
  - Documentation of the new Cisco Firepower firewall software upgrade, using the latest General Deployment software release.
  - Document the Method of Procedure (MoP) for client change control and migration.
  - Document disaster recovery failover testing between sites and measure recovery time objectives (RTOs).
- Provide project execution using the Method of Procedure created in the planning process. During the execution phase, the candidate will coordinate non-business hours for the firewall migration, since the cutover will impact business operations. To minimize downtime and after-hours support, the candidate will stage the new equipment (rack, stack, power and ping) in parallel with the existing firewalls and begin testing before making any intrusive changes.
- Conduct a project close-out meeting with the client. Deliver all final as-built documentation with any planning documents to client for final review and comments. Technical working session will be provided to include training and knowledge transfer.
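Policy parity between the old ASA configuration and the migrated policy is one of the checks a cutover MoP like the one above should include, and it is easy to automate. The following Python script is an added example, not part of this job description or of any Cisco tool: it parses a subset of Cisco ASA extended access-list syntax (any/host/subnet/object endpoints, eq/range ports) into normalized rule tuples and diffs two snapshots, so that a rule dropped or altered during migration is visible before the change window rather than after. Both configurations in the script are constructed samples; rule logging is deliberately ignored because it does not change enforcement, and object/object-group references are compared by name only since their definitions are not parsed here.

```python
"""Pre/post-migration ACL parity check (added example, not from the job posting).

Parses a subset of Cisco ASA extended access-list syntax into normalized
rule tuples and reports rules that exist in one snapshot but not the other.
Assumptions: endpoints are any/any4, host A.B.C.D, NET MASK, or
object/object-group NAME; ports are eq PORT or range LO HI; a trailing
"log ..." is ignored because it does not affect enforcement.
"""
import ipaddress
import re

# access-list NAME extended permit|deny PROTO SRC [SPORT] DST [DPORT] [log ...]
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+?)(?:\s+log(?:\s+.*)?)?$"
)


def _take_endpoint(tokens):
    """Consume one source/destination spec; return (normalized, remaining tokens)."""
    head = tokens[0]
    if head in ("any", "any4"):
        return "0.0.0.0/0", tokens[1:]
    if head == "host":
        return str(ipaddress.ip_network(tokens[1])), tokens[2:]
    if head in ("object", "object-group"):
        # Objects are compared by name; resolving them would need the object definitions.
        return f"{head}:{tokens[1]}", tokens[2:]
    # Dotted-netmask form, e.g. 10.10.0.0 255.255.0.0 -> 10.10.0.0/16
    net = ipaddress.ip_network(f"{head}/{tokens[1]}", strict=False)
    return str(net), tokens[2:]


def _take_port(tokens):
    """Consume an optional port operator; 'any' when none is present."""
    if tokens and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    if tokens and tokens[0] == "range":
        return f"{tokens[1]}-{tokens[2]}", tokens[3:]
    return "any", tokens


def parse_acl(config_text):
    """Return the set of normalized rules (name, action, proto, src, sport, dst, dport)."""
    rules = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:  # remarks, standard ACLs and unrelated config lines are skipped
            continue
        tokens = m.group("rest").split()
        src, tokens = _take_endpoint(tokens)
        sport, tokens = _take_port(tokens)  # ASA allows a source port operator here
        dst, tokens = _take_endpoint(tokens)
        dport, tokens = _take_port(tokens)
        rules.add((m.group("name"), m.group("action"), m.group("proto"),
                   src, sport, dst, dport))
    return rules


def policy_diff(before_text, after_text):
    """Rules lost in migration ('missing') and rules that appeared ('unexpected')."""
    before, after = parse_acl(before_text), parse_acl(after_text)
    return {"missing": sorted(before - after), "unexpected": sorted(after - before)}


# Constructed sample snapshots: the pre-migration ASA running-config ACLs and a
# post-migration export with one rule dropped (tcp/80) and one added (tcp/8443).
BEFORE = """\
access-list OUTSIDE_IN remark web tier
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80 log
access-list INSIDE_OUT extended permit ip 10.10.0.0 255.255.0.0 any
access-list INSIDE_OUT extended deny ip any any log
"""

AFTER = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 8443
access-list INSIDE_OUT extended permit ip 10.10.0.0 255.255.0.0 any
access-list INSIDE_OUT extended deny ip any any
"""

if __name__ == "__main__":
    for kind, rules in policy_diff(BEFORE, AFTER).items():
        for rule in rules:
            print(kind, *rule)
```

Run against the two snapshots, the script reports the tcp/80 rule as missing and the tcp/8443 rule as unexpected, while the deny rule whose only change is the dropped `log` keyword is correctly treated as unchanged. In a real migration the "after" input would be the rule export from the migrated platform rather than ASA syntax, so a translation step for that format is needed before the comparison; the normalization approach stays the same.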
Task 2
- Provide an assessment of the existing Cisco Identity Services Engine (ISE) deployment. Cisco ISE is currently deployed; during this assessment the candidate will review:
  - Deployment topology of ISE servers
  - Deployment mode
  - Best practices
  - Network architecture
  - High availability
  - GA recommended code levels
  - Current configuration
  - Logs
  - Integration of infrastructure devices
  - Golden configs
  - Enhanced authentication
In Addition
- Enable TACACS+ for three (3) admin use cases and create up to three (3) AAA device templates.
- Provide remediation from the information collected during the Assessment Phase of this project.
- Knowledge Transfer Sessions.
Wireless Health Check (Primary WLC/Dashboard): Provide an assessment of the production Wireless LAN (WLAN) environment, including optimization and remediation recommendations as necessary. The assessment will be based on manufacturer-recommended best practices for WLAN design and deployment. A closure meeting with the client will be scheduled to review the assessment findings.
Qualifications
Education and Years of Experience:
This position requires a Bachelor's degree from an accredited college or university with a major in computer science, information systems, engineering, business, or a related scientific or technical discipline. A Master's degree in one of the above disciplines is equivalent to one (1) year of specialized and two (2) years of general experience. An additional year of specialized experience may be substituted for the required education.
General Experience
- The proposed candidate must have at least twelve (12) years of computer related experience.
Specialized Experience
- The proposed candidate must have at least ten (10) years of specialized experience in defining computer security requirements for high-level applications, evaluation of approved security product capabilities, and security management.
Required And Desired Skills/Certifications
- Cisco Identity Services Engine (ISE) expertise.
- Experience migrating Cisco ASA firewalls to Cisco Firepower Threat Defense (FTD).