Andrei Firsov

Providing day-to-day L2 and L3 network support for all the network security related aspects (Cisco ASA, Checkpoint, Palo Alto firewalls, Email and Web security appliances, F5LTM&WAF, IPS solutions, IPSec tunnels).
Datacenter technology refresh (move from Catalyst-based three-tier architecture to Cisco ACI) - technical design & implementation.
Participated in migration of DCI (L2/L3) between main DC and DR site. From Cisco 7604 (QnQ/EoMPLS/GRE/IPSec) to ASR9K+ASR1K (EVPN/MPLSoIPSec). Developed configuration, plan of actions.
Working on optimization of WAN network performance, redundancy and cost (new QoS policies, additional cheaper backup links, etc.)
Deploying web-applications on BIG-IP solutions (LTM, WAF) - initial setup, support, troubleshooting.
Working on network automation of operations routine tasks, mostly with python scripts. Example: applying blacklist (IP/URL/emails) on different multivendor netowrk-security equippment (IPS, proxy, ESA) from text documents in Sharepoint with all required checks and reporting.
Review and adjustment of procedures for switching of all the network services from primary to backup datacenter in controlled environment, relying on various implemented HA solutions (HSRP for L2, ASA clusters and A/S pairs, Checkpoint ClusterXL, F5 Big-IP LTM&WAF in A/A failover with several traffic groups, PaloAlto firewalls A/P HA, etc.).
Created descriptive visual network diagrams (HLD/LLDs) and other network documentation for DC, corporate LAN and WAN.

Designed new IP addressing scheme for the company, having a lot of subnets/teams in a different branches with summarization and scalability in mind, partially implemented it.
Implemented wired 802.1x authentication and authorization on access-layer switches company-wide (mostly for dynamic VLAN assignment based on AD group membership, auth-fail VLAN, etc.).
Migrated several Juniper SRX devices on the Internet edge and DC to Cisco ASA.
Designed in details and implemented redundant connectivity scheme between company offices in different countries (several IPSec and IPSec over GRE tunnels via Internet and ISP VPLS with OSPF).
Deployed from scratch new proxy solution based on Cisco WSA (direct/transparent modes, sophisticated access policies for different teams, SSL decryption, different schemes of authentication, etc) as a replacement for squid.
Planned and implemented easily manageable and user-friendly architecture for remote-access VPN via Anyconnect (AD-auth/authz, flexible access policies with inheritance on Internal firewalls, 2factor auth with DUO, etc).
Significantly improved wireless network architecture (Cisco WLC and LAPs, several SSIDs with different access and QoS, AAA through AD (NPS), guest network with WebAuth and simple Internet access, etc).
Configured and managed all L2L tunnels to contractors and between company offices (IPSec IKEv1, v2).
Created applied naming conventions for firewall objects, groups, policies, ACLs, etc, restructured filtering policies on ASA and linux firewalls - all this added a lot to readability and simplicity of network policies and significantly reduced number of rules/lines.
Wrote comprehensive network documentation for company LAN&WAN (HLD, LLD of key network elements), a lot of procedures and instructions for IT and HelpDesk teams.
Was responsible and did all the network-related written and verbal communications with number of contractors in different countries regarding set-up and support of new and existing projects environments from network standpoint.
Provided L3/2 support on all network-related operations. Did some most critical routine tasks, like adding/replacing switches in stacks (2960x, 3859), updating software on ASAs, Catalyst Switches, WLC, WSA, etc.

Designed, developed configs and run implementation of the solution for company WAN between CO and 80+ remote - several DMVPN clouds with IPSec protection via different medias (MPLS VPN, Internet, 4G) for redundancy. Here’s the detailed old description on my blog in russian (http://kickself.com/dmvpn-nme-rvpn).
Implemented Cisco ISE 1.2 with AD integration from scratch as main corporate access-policy enforcement AAA solution for Wireless, Anyconnect, management access to servers and network devices.
Deployed Wi-Fi network for the Central office (Cisco WLC 5508 and 16 Aironet 2600 LAPs across 4 floors) with 802.1x auth against ISE/AD and guest access.
Deployed external firewall (a/s pair of ASAs) and IPS (Stonesoft) solutions on the Internet edge, which replaced outdated iptables based linux firewall.
Implemented BGP on the internet edge for redundancy instead of VRRP and SLA/RTR after getting PI address block.
Installed SolarWinds NPM solution and moved monitoring function for all the network devices to it from Nagios.
Provided day-to-day support of all the network-related activities in the company with main focus on security.