Security Consulting

We took on the planning and implementation of a migration of the Check Point infrastructure, consisting of a multi-domain server and a VSX cluster (VSLS), for a city administration in a large city in Hesse. The goal was to carry out the migration while maintaining maximum availability and minimizing downtime.

Work Performed

• Analysis of the existing operating network
• Virtualization of the multi-domain server on a VMware ESXi server
• Presentation of the migration strategy
• Execution of the migration
• Validation of the function and security of the new Check Point R81.10 infrastructure

Result
As with all other security products, it was sensible and necessary to keep the infrastructure up to date. This ensured significantly increased security in an extremely sensitive environment.

A state authority approached us because the existing Cisco Identity Services Engine was no longer supported and needed to be replaced with a current version. The ISE was operated as a virtual machine with two nodes. The rule set needed to be cleared of legacy issues. The update had to be carried out without interrupting ongoing operations.

Since the update could not be carried out in a single step, the decision was made to set up new VMs, transfer the rule set manually, and then put them into operation.

Work Performed

• Analysis of the rule set
• Reinstallation of two ISE nodes on ESXi servers
• Transfer of the rule set
• Conversion of the Radius server to an NAD, functional test
• Gradual conversion of the Radius server to additional NADs, functional tests

Result
The current ISE VMs were successfully put into operation. There were no interruptions.

A state authority operates four ASA 5516-X devices, which are configured as two high-availability firewall pairs. Since Cisco no longer supports the ASA 5516-X, a timely replacement is required. The Secure Firewall 1150 from Cisco was chosen, as it fully meets all of the customer's requirements.

One firewall pair works with security contexts, so migration to FTD is not possible here and the ASA image must continue to be used. Due to specific requirements, it was also decided to use the ASA image for the second firewall pair.

Etherchannel was configured on the previous firewalls. The new firewalls have 10-gigabit interfaces, so the Etherchannel had to be reconfigured to a 10 G interface. During migration, the rules (access control and NAT) had to be checked.

The switch to the new devices must be carried out during operation.

Work Performed

• Updating the new firewalls with the currently recommended ASA version
• Backing up the rulesets of the existing ASAs
• Checking the rulesets
• Correcting the interface configuration/interface names
• Migrating the Etherchannel configuration to 10 G interfaces
• Transfer the configuration files to the new devices, functional test
• Install the new devices and commission them
• Test the failover configuration

Result
The new devices were successfully put into operation. A minimal interruption in service was unavoidable and was accepted. The failover works reliably.