Solution / Security Architect
Ref No.: 17-05310
Location: New York City, New York
Start Date: 10/10/2017
Solution architect will analyze the prerequisite End User information provided by the Customer in order to create the
high-level design (HLD). The HLD will contain the Customer's security requirements and information on how the
Client will be implemented to address the requirements at the Customer's network based on Cisco Client leading
Work with Customer to understand End User's environment and underlying network infrastructure to achieve a
common understanding of Customer's requirements.
  Provide the High-Level Design Pre-Requisite Document, requiring the Customer to gather the End
User's business, operational, logistical and technical requirements.
  Provide up to three remote review sessions to review HLD with Customer. The review sessions shall
commence within two weeks following receipt of the Customer's Pre-requisite documentation.
  Review the HLD document, including:
o Objectives.
o Client design description.
o Business, operational, logistical and technical requirements.
o Design recommendations and proposed network changes to meet design goals.
o Traffic flows in the proposed network design.
o Redundancy requirements of Client components.
 Determining any risks of the design and providing design recommendations and any proposed changes to help
mitigate risks.
Customer Responsibilities.
Provide to Partner all requested information, including all Customer network information pertaining to End User's
network which may include:
  Design objectives (for example, details concerning security policy requirements, scalability, resilience
and number of users/endpoints).
  Business, operational, logistical and technical requirements.
  Current physical network and WAN topology.
  Bandwidth attributes of LAN and WAN infrastructure.
  Future growth requirements and network build out time frames.
  Site-specific information.
  Bill of materials.
  Provide the HLD including physical and logical network schematics for Customer's existing network.
  Participate in remote session(s) in order to review with xxx the recommended changes to the HLD.
Network Implementation Plan Review.
Review the network implementation plan ("NIP") that documents the processes necessary to implement and operate
Cisco Client.
  Provide the "Network Implementation Plan Pre-Requisite Document" which specifies the required
business, operational, logistical and technical requirements.
  Review the NIP. The NIP document provides information necessary for xxx or Customer to carry out
the implementation of the equipment at the Customer location and to verify basic operation and
ready-for-service configuration.
  Ready-for-service means that the Cisco Client, or a sub-set of it, is functioning as per the specifications
documented in the NIP.
  Provide up to five remote or onsite (as deemed necessary) review sessions to review the NIP with
Customer Responsibilities.
  Provide to xxx all requested information including End User network information documented by
Customer in the Network Implementation Plan Pre-requisite.
  Provide and verify IP address requirements.
  Provide to xxx the required documentation which may include:
o  Site specific implementation requirements.
o  Site contacts, location and considerations.
o  Site specific installation requirements.
o  Site specific information from bill of materials.

  Participate in remote or onsite session(s) to review any recommended changes to the Network
Implementation Plan.
Low Level Design.
1. Responsibilities.
o  Create a low-level design document which includes the following:
o  Recommendations on how Cisco Client will be implemented to meet requirements.
o  Recommendations on user and device policies to meet requirements.
o  Recommendations and guidelines for device configuration.
o  Document the low-level design in the Low-Level Design Document, and provide it to
o  Review with Customer the Low-Level Design Document.
Customer Responsibilities.
 Review with the Low-Level Design Document.
Implementation Deliverables.
Cisco Client Configuration.
o  Deploy Cisco Client 2.1 HA solution.
o  Configure Client management access.
o  Configuring Client Provisioning using native supplicant.
o Test and validate against Windows 7/10 clients.
 Certificates and Certificate Authorities.
o Will use existing internal CA for internal users.
o  Active Directory Integration.
o  Add Network Devices.
o Partner will configure existing Cisco switches for Client configuration and integration.
o Configure Authorization Policies based on LLD.
o Configure access ports with base radius settings
 Configure existing WLC to use Cisco Client as Radius Server.
o Create wACL for Posture Assessment for Corporate End User.
o Configure Cisco Client to accept Wireless Authentication requests.
 Enable Device Profiling Probes.
o Work with customer to identify and resolve any unknown profiled devices.
 Authentication Policies.
o Wired 802.1X.
o Wireless Web Authentication.
o MAC Address Bypass.
  Create Authentication Policy for non-supplicant enabled devices.
  Implement Base-Identity Use Cases.
o Monitor Mode.
o Authenticated Mode.
o Enforced Mode.
 Configure Identity Stores.
o Active Directory.
o Internal Users.
 Posture Assessment.
o Configure posture services.
  Agent Profiles
  Agent Compliance Modules
  Create corporate fingerprint and antivirus compliance policies based on HLD
  Create policy to check for specific settings pushed by AD GPO
  Validate posture assessment on Windows OS
 Guest/Sponsor
o Configure Guest services.
  Create a custom Guest and Sponsorship portal
  Define guest approval permissions with AD
  Define custom guest roles and approval process
  Configure SMS and SMTP functions to support self-registration
  Validate guest wireless process on Windows, Mac, iOS and Android OS
  Validate guest wired process on Windows and Mac OS
o Configure Guest services.
  Create a custom BYOD portal
  Digital certificates issued to BYOD devices will be provided by existing Windows CA
  Configure Client Provisioning elements required to support BYOD
  Validate BYOD wireless process on Windows, Mac, iOS and Android OS
  Validate BYOD wired process on Windows and Mac OS
 FirePower Integration
o Configure FirePower (FP) Client integration and remediation based on LLD
  Configure native supported integration between Client 2.1 and FS 6.1
  Configure necessary FP policies to auto quarantine attackers via Client
  Configure necessary Client policies to auto quarantine attackers detected via FP
  Validate auto quarantine process
o Configure Device Administration to support AAA functions for Cisco devices
  Migrate AAA devices from existing Cisco Client to Client
  Configure Client to support AAA integration with Cisco Prime
 Location Based Authorization
o Integrate Mobility Service Engine (MSE) with Client
  Add MSE to Client Location Services
  Configure necessary location authorization policies
  Validate that Client is able to change authorization based upon location and or movement
1. Customer is responsible for any System or Data backups required.
2. Partner will not be held responsible for any Data loss during this engagement except due to the willful misconduct or gross negligence of Partner.
3. Customer is responsible for any and all password and/or user account administration during this engagement.
4. Customer MUST change all passwords and delete any user accounts utilized by Partner during this engagement.
5. Customer will provide adequate on-site workspace for assigned resources.
6. Partner is not responsible for delays caused by Customer's systems, personnel, or environment, or incorrect or insufficient data provided by Customer.
7. Customer will provide remote access to all components related to the Statement of Work.
8. Customer is responsible for any IOS remediation based on Client best practices.
9. Partner is not responsible for any installation of physical equipment.
10. Partner is not responsible for any cable management or patch management.
11. Customer is responsible for providing certificates necessary to support Client deployment.
12. Partner is not responsible for any feature limitations between ISE and third party devices.
13. Customer is responsible for providing all required devices for endpoint testing.
14. Services performed under this SoW will be provided by non-union labor.
15. All Services are performed at the discretion and direction of the customer.
16. All resources assigned to this SOW will be considered "Not for Hire".
a. If Customer hires a resource assigned to this SOW, then Client agrees to pay a hiring fee equal to 30%
of the hired resource's annual base salary.
Timeframes / Working Hours
1. Unless otherwise defined or stated within this SoW all Hours / Days / Timeframes outlined are
Changes in Scope / Additional Time
1. Should the scope of work change or if additional time is required:
17. Partner will notify the Customer in writing through email or an addendum SoW.
18. Any changes in the SoW will be mutually agreed upon by Partner and the Customer.
19. All changes will be documented in writing.
Acceptance / Completion Criteria
1. Partner will have fulfilled its obligations when one of the following first occurs:
20. Completion of Services as defined within this SoW; or,
21. Customer or Partner terminates the project in accordance with the provisions of this SoW or governing
i. Customer will be responsible for all fees up to the point of termination.
Information Security
22. Partner does not anticipate or require any access to any Personally Identifiable Information (PII) during this engagement.
23. If it is determined that access to PII Data is required at any point during this engagement, the Customer must notify Partner to discuss changing the scope via a Change Request.
24. It will be the responsibility of the Customer to protect this information since access is not
Customer Policies
25. Customer must provide and present any applicable customer policies to the assigned resources under this SoW prior to the commencement of any services under this SoW.
26. Partner will not be held responsible for non-compliance with any customer policy not provided to each assigned resource regardless of any other stipulation agreed to verbally or in writing by agreement or