
Network security · architecture · Bremen

Highly secure firewall architectures for mid-sized companies. Professional migration & Zero Trust.

Vendor-neutral. No hardware margins. Migrated without downtime. I translate strategic business risks like operational downtime and ransomware into resilient network architectures – through clean segmentation, identity-based rules, and complete visibility into encrypted traffic.

Vendor-neutral · No hardware margins · Zero-downtime migration
Have your infrastructure reviewed

Free initial consultation (30 minutes)

Practical Check

Do you know what is really happening in your network?

Four business-critical questions about your IT security. If you hesitate here, your infrastructure lacks fundamental resilience against current threats.


Are sensitive areas like production or accounting strictly isolated?

Ransomware spreads at lightning speed. If a single click on a phishing e-mail in sales can take down the machines in production unhindered, you lack elementary network segmentation.


Does your IT also detect malware in encrypted connections?

Over 90% of today's traffic is encrypted. If your security stack cannot inspect these connections securely, it is flying blind, and modern attacks carried inside TLS remain completely invisible to it.


Is your remote access (VPN) tied to more than just a password?

A stolen password must never be sufficient to access your corporate network. If mandatory multi-factor authentication (MFA) is not enforced alongside a background check on whether the endpoint is secure – meaning: current patch status, active antivirus scanner, domain membership, and a valid client certificate – the door is wide open for attackers.


Do you still receive prompt security updates for your critical firewalls?

It is not enough for the hardware to formally still be under a maintenance contract. What matters is whether OS security patches are applied regularly to close critical vulnerabilities in the system itself. Postponed updates leave known entry points wide open – and when a system reaches end-of-life (EoL), that is the latest moment to put the entire architecture to the test.

The business risk

IT security is a business issue, not an IT issue

As digital connectivity advances, the attack surface for mid-sized companies is growing rapidly. Whether automated mass attacks, data theft, or ransomware: a future-proof security architecture is not an optional IT project – it is the foundation of your business continuity.

Business downtime & costs

When IT stops, the business stops. Days without production or paralysed departments cost mid-sized companies far more than any well-planned security project. A properly segmented next-generation firewall architecture contains an incident within the affected zone before it can spread across your systems.

Reputational damage & loss of trust

A cyber attack rarely goes unnoticed. When customer data leaks or your business is unreachable for days, the hard-won trust of your partners and clients suffers massively. In the worst case, customers permanently switch to competitors. A modern security architecture protects not only your servers, but the most valuable asset of your business: your reputation in the market.

Loss of cyber insurance

The days of straightforward policies are over. Cyber insurers increasingly require proof of strict network segmentation, multi-factor authentication (MFA), and full network transparency before they sign a contract. Without these measures, you risk losing your coverage in the event of a claim – or you may not be insured at all.

The architecture

How I eliminate risks technically

No simple hardware swap. I design a firewall architecture that addresses your specific business risks through clean, maintainable controls – step by step, without business disruption.

Application-aware filtering

App-ID · Vulnerability Protection · Threat Prevention

I replace outdated port filters with a rule set that precisely identifies applications, content, and users. Malicious communications and unwanted applications are reliably blocked – not because a port number appears on a list, but because the firewall understands what traffic is actually being transmitted.

Visibility into encrypted traffic

SSL Forward Proxy · SSL Inbound Inspection · Antivirus · IPS

Over 90% of modern traffic is encrypted – and therefore invisible to traditional security solutions. With SSL Forward Proxy, the firewall terminates outbound TLS sessions in a controlled manner (your clients trust a CA certificate issued by the firewall), re-encrypts them towards the destination, and scans the content live for malware and policy violations; for services you publish yourself, SSL Inbound Inspection does the same using the server's private key. Privacy-compliant exceptions (e.g. banking, HR, health) ensure that sensitive categories remain completely untouched, and applications that pin their certificates are excluded rather than broken.

Hardened remote access

GlobalProtect · HIP profiles · MFA

GlobalProtect is far more than a conventional VPN tunnel. I configure your gateway so that users must authenticate with MFA and the endpoint is checked for compliance fully automatically: patch status, active antivirus scanner, domain membership (Entra ID / Active Directory), and a valid client certificate. Access is only granted once all checks have passed.

Identity-based access rules

User-ID · AD groups

Static IP-based access permissions belong in the past. Via User-ID, I bind access rights directly to your Active Directory or Entra ID groups. An employee gains access to an application because they hold the relevant permission – completely independent of which IP address they are logged in with. This keeps your rule set transparent and audit-ready.
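The three mechanisms above (App-ID rules, HIP-gated GlobalProtect access, and User-ID group bindings) compose into one rule base that the firewall evaluates top-down, first match wins. The following Python model is an added example, not PAN-OS code and not the author's configuration: it evaluates constructed flows against a legacy Any/Any rule base and against a zone-based rule set, applies the PAN-OS built-in defaults (same-zone traffic allowed, cross-zone traffic denied), and flags rules that are shadowed by an earlier, broader rule. Zone, group, rule and flow names are placeholders; the application names (sap, ms-ds-smb, ms-rdp, modbus) are assumed App-ID names.

```python
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One security policy rule; the rule base is evaluated top-down, first match wins."""
    name: str
    from_zone: str
    to_zone: str
    apps: frozenset = frozenset({ANY})    # App-ID names, or {"any"} (port-style rule)
    users: frozenset = frozenset({ANY})   # directory groups resolved via User-ID, or {"any"}
    require_hip: bool = False             # match only endpoints that passed the HIP check
    action: str = "deny"


@dataclass(frozen=True)
class Flow:
    """A session as the firewall sees it after identification."""
    from_zone: str
    to_zone: str
    app: str                              # what App-ID identified, not the port number
    user_groups: frozenset = frozenset()  # groups User-ID mapped to the source
    hip_ok: bool = False                  # GlobalProtect HIP report met the profile


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.from_zone not in (ANY, flow.from_zone):
        return False
    if rule.to_zone not in (ANY, flow.to_zone):
        return False
    if ANY not in rule.apps and flow.app not in rule.apps:
        return False
    if ANY not in rule.users and not (rule.users & flow.user_groups):
        return False
    if rule.require_hip and not flow.hip_ok:
        return False
    return True


def evaluate(rules, flow):
    """Return (rule name, action) of the first matching rule, otherwise the PAN-OS
    built-in defaults: same-zone traffic is allowed, cross-zone traffic is denied."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    if flow.from_zone == flow.to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def _covers(earlier_field, later_field):
    return ANY in earlier_field or later_field <= earlier_field


def shadowed(rules):
    """(rule, shadowing rule) pairs: the rule can never match because an earlier rule
    already matches every flow it would match. Classic symptom of an Any/Any rule base."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.from_zone in (ANY, later.from_zone)
                    and earlier.to_zone in (ANY, later.to_zone)
                    and _covers(earlier.apps, later.apps)
                    and _covers(earlier.users, later.users)
                    and (not earlier.require_hip or later.require_hip)):
                found.append((later.name, earlier.name))
                break
    return found


# "Before": a legacy rule base with an Any/Any rule on top (constructed sample).
LEGACY = [
    Rule("allow-any-any", ANY, ANY, action="allow"),
    Rule("finance-to-erp", "users", "servers", apps=frozenset({"sap"}),
         users=frozenset({"Finance"}), action="allow"),   # unreachable
]

# "After": zone-based rules bound to App-ID and directory groups, VPN access gated on HIP,
# everything else falls through to the interzone default deny.
ZERO_TRUST = [
    Rule("finance-to-erp", "users", "servers", apps=frozenset({"sap"}),
         users=frozenset({"Finance"}), action="allow"),
    Rule("vpn-finance-to-erp", "vpn", "servers", apps=frozenset({"sap"}),
         users=frozenset({"Finance"}), require_hip=True, action="allow"),
    Rule("ot-engineering", "users", "production", apps=frozenset({"modbus"}),
         users=frozenset({"OT-Engineers"}), action="allow"),
]

# Constructed flows: a phished sales PC probing production over SMB, and a finance
# user reaching the ERP system from the office and via VPN with and without a HIP pass.
PHISHED_SALES_TO_OT = Flow("users", "production", "ms-ds-smb", frozenset({"Sales"}))
FINANCE_SAP = Flow("users", "servers", "sap", frozenset({"Finance"}))
VPN_FINANCE_NO_HIP = Flow("vpn", "servers", "sap", frozenset({"Finance"}), hip_ok=False)
VPN_FINANCE_HIP = Flow("vpn", "servers", "sap", frozenset({"Finance"}), hip_ok=True)

if __name__ == "__main__":
    for label, rules in (("legacy", LEGACY), ("zero-trust", ZERO_TRUST)):
        print(label, "phished sales -> production:", evaluate(rules, PHISHED_SALES_TO_OT))
        print(label, "VPN finance, no HIP pass  :", evaluate(rules, VPN_FINANCE_NO_HIP))
        print(label, "shadowed rules            :", shadowed(rules))
```

Two things the model makes visible that a rule listing does not: the legacy base allows the phished sales host straight into production and silently shadows the one precise rule it contains, while the zone-based rule set denies that flow without any explicit deny rule, because the interzone default does it. The HIP gate on the VPN rule denies the same user with the same group membership as soon as the endpoint fails its posture check. Note the intrazone default: traffic that stays inside one zone is allowed unless you add a rule, which is one reason to keep production and office clients in different zones rather than one large one.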

Robust site connectivity

Route-Based IPSec · SD-WAN

Secure and highly available connectivity between your locations. For standard setups, I rely on redundant, Route-Based IPSec tunnels with dynamic routing. For complex or growing multi-site networks, I migrate your infrastructure to Prisma SD-WAN for intelligent, application-based path routing and maximum failover resilience.

Central policy management

Panorama · Strata Cloud Manager

A consistent rule set across all firewalls. Via Panorama or the Strata Cloud Manager, we standardise device groups, templates, and security policies. All system and threat logs flow compliantly into central storage, giving you full transparency at all times.

Architecture & Technology

My tool for your network security: Palo Alto Networks

For the implementation of your security infrastructure, I consistently rely on the platform that industry analysts have ranked as the undisputed leader for years. Palo Alto Networks offers technology that performs just as well in the rough reality of IT operations as it does on the data sheet.

Technologies I work with

PAN-OS · Panorama · GlobalProtect · App-ID · User-ID · Content-ID · SSL Decryption

Certified Palo Alto Networks Expert

Palo Alto Networks Certified Next-Generation Firewall Engineer · Palo Alto Networks Certified SD-WAN Engineer

Independent expertise, no sales pressure

I bring deep Palo Alto Networks know-how to your project – entirely free from reseller sales pressure. You purchase hardware and subscriptions directly from the distributor or your existing supplier. We work out the precise sizing together at eye level. Once the systems are ready, I handle the turnkey implementation.

The Single-Pass Architecture

The decisive advantage of PAN-OS: App-ID, User-ID, and Content-ID process each packet together in a single pass, rather than handing traffic sequentially from one engine to the next. Full application and content analysis – without the latency penalties of chained proxy systems.

Cloud-delivered threat prevention

Palo Alto Networks operates one of the globally leading threat intelligence platforms. Cloud services like Advanced WildFire (zero-day sandbox), Advanced Threat Prevention, and DNS Security are updated by the minute – your firewall benefits from global threat data fully automatically, without any manual configuration effort.

Enterprise security for mid-sized companies

Palo Alto Networks is the technically leading platform when IT security is non-negotiable. What used to be reserved for large corporations has long become affordable for the mid-market through current hardware generations – without compromise on throughput, scalability, or functionality.

Palo Alto Networks is my considered technical recommendation – not because I earn hardware margins, but because the platform delivers precisely what it promises in productive operation.

The approach

From invisible traffic to secure infrastructure

Migrations often fail due to poor preparation. My process guarantees predictability, minimal downtime, and a clean transition from legacy rules to App-ID.

1

BPA Audit & Analysis

Every project starts with a Best Practice Assessment (BPA) of your current environment. We analyse existing port rules, open ports, and unused policies based on their hit counts to create a reliable baseline for the migration.

2

Zero Trust Concept

Design of the new zone model and communication matrix. We define which user groups may access which resources, plan the threat prevention setup, and define a privacy-compliant SSL decryption strategy including all necessary exceptions.

3

Staging & Flexible Cut-over

Concept design and staging of the new firewall take place entirely in the background – either in parallel operation for a phased migration, or prepared for a direct hardware swap. The final cut-over is scheduled specifically during off-peak hours or at weekends.

4

As-Built Documentation & Handover

You receive full admin authority and complete documentation of the new security architecture. No vendor lock-in: your team can take over the logically structured environment immediately in Day-2 operations. On request, I can also support you with ongoing operations long-term.

Why me

Corporate architectures without overhead

I bring enterprise-grade solutions to mid-sized companies – affordable, specialised, and without the inertia of an anonymous IT system house.

Experience from the enterprise

In my main job, I manage complex firewall and infrastructure environments in the European aerospace sector under the highest availability and stability requirements.

Independent, no margins

I earn exclusively from consulting, architecture design, and the build. You purchase hardware and subscriptions without any mark-up directly from the distributor or your existing supplier.

Certified knowledge

I only recommend what I have found to be technically superior in practice – backed by current vendor certifications. What has proven itself in enterprise deployments flows directly into your SME architecture.

Transparent handover

After project completion, the entire zone and security architecture is cleanly documented. I leave behind no tangled silos or proprietary know-how – just a self-explanatory, logically structured rule set.

The direct line

Short lines, no ticket backlog: you speak directly with the certified security engineer who designs your network infrastructure and personally implements it. No miscommunication via first-level support – just competence at eye level.

Bremen & Remote

In person on-site in Bremen and the surrounding area for strategic alignment, remote nationwide for configuration and staging. I schedule critical migration windows flexibly outside your working hours.

The result

The before-and-after comparison

The transformation from a mere packet filter to an intelligent, auditable control point in your network.

Before: Hundreds of undocumented L4 rules (Any/Any) that no one can see through anymore.
After: A lean, App-ID-based rule set – transparent, auditable, and secure.

Before: A flat network where malware can spread laterally and reach every system.
After: Clean zone-based segmentation – a security incident is forced to remain isolated within the affected network zone.

Before: A legacy VPN that grants uncontrolled access to the entire network after a password is entered.
After: Secure remote access via GlobalProtect – mandatory MFA at the gateway and an automatic endpoint compliance check (HIP).

Before: Encrypted HTTPS traffic as a complete blind spot for your security components.
After: Controlled L7 visibility through SSL decryption – malware in the TLS tunnel is detected and blocked in real time.

Before: Uncertainty about whether you actually meet the tightened technical requirements of your cyber insurer.
After: Fully auditable – the required "state of the art" is technically enforced within the infrastructure.

Before: The constant uncertainty of whether an unexpected hardware failure will bring the entire business to a standstill.
After: Highly available Active/Passive cluster – automatic, uninterrupted failover when it matters.

What you are probably wondering

Clear answers to the most important questions about firewall projects and my role.

Will I become dependent on you?

My goal is not to make myself irreplaceable. I build standardised PAN-OS architectures strictly in line with vendor best practices. After project completion, you receive complete documentation. Any qualified network administrator or official Palo Alto Networks partner can take over day-to-day management immediately. For ongoing Day-2 operations, I offer flexible support on request.

Do you sell the hardware?

No. I am a certified expert and consultant, not a classic hardware reseller. I calculate the exact sizing and provide a full bill of materials (BoM) for your needs. You order the systems transparently from an IT distributor of your choice or your existing supplier. No hidden hardware margins.

Do you replace my existing IT service provider?

No. I am not a classic IT service provider for first-level support. While established system houses have their strengths in client management, end-user support, and standard office infrastructure, I act purely as a specialised third-level expert for complex network and security architectures. Exactly this coexistence brings mid-sized companies maximum efficiency.

Is the migration possible without downtime?

Yes. We agree on the exact plan individually based on your operational processes. We use two proven approaches: either we build the new infrastructure in parallel and migrate your networks step by step during live operation, or we prepare everything in the background and swap the systems in a planned maintenance window at night or on weekends. The goal is to keep operational disruption to an absolute minimum.

Isn't Palo Alto Networks too expensive for a mid-sized company?

That used to be the case. With the latest hardware generations, this enterprise technology has become economically very attractive for the upper mid-market. If the automated, cloud-powered threat prevention stops even a single serious security incident, the investment pays for itself immediately.

What happens to my existing rule set?

Historically grown legacy firewalls are the absolute norm. We initially adopt the existing rule set on a port-by-port basis to ensure everything stays stable at cut-over. In live operation, we then use the Palo Alto Networks Policy Optimizer to identify unused rules and safely migrate traffic step by step to precise App-ID policies.
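The hit-count analysis from step 1 of the approach and the port-by-port migration to App-ID described in this answer rest on the same data: the traffic log tells you which rule each session hit and which application App-ID identified behind the port. The following Python script is an added example, not Policy Optimizer or any Palo Alto Networks code. It reads constructed rows in the column layout of a PAN-OS traffic-log CSV export (trimmed to the columns it needs), counts hits per legacy rule, lists the applications observed behind each port rule as the candidate App-ID list for its replacement, separates unidentified traffic (incomplete, unknown-tcp and similar) that must not be converted into an allow rule, and reports rules with zero hits. Rule names, addresses and timestamps are placeholders.

```python
import csv
import io
from collections import Counter

# App-ID values that mean "could not be identified"; never convert these into allow rules.
UNIDENTIFIED = {"incomplete", "insufficient-data", "unknown-tcp", "unknown-udp", "not-applicable"}

# Constructed sample rows in the column layout of a PAN-OS traffic-log CSV export,
# trimmed to the columns this script uses. Addresses, times and rule names are placeholders.
SAMPLE_LOG = """\
Receive Time,Source address,Destination address,Destination Port,Rule,Application,Action
2026/01/12 08:01:03,10.10.20.15,142.250.74.36,443,allow-web-out,ssl,allow
2026/01/12 08:01:09,10.10.20.15,52.97.201.18,443,allow-web-out,ms-office365,allow
2026/01/12 08:01:30,10.10.20.17,93.184.216.34,80,allow-web-out,web-browsing,allow
2026/01/12 08:02:11,10.10.20.22,10.10.50.5,445,allow-any-any-srv,ms-ds-smb,allow
2026/01/12 08:02:40,10.10.20.22,10.10.50.5,3389,allow-any-any-srv,ms-rdp,allow
2026/01/12 08:03:02,10.10.20.31,10.10.50.8,8080,allow-any-any-srv,incomplete,allow
2026/01/12 08:03:55,10.10.20.31,10.10.50.8,1521,allow-any-any-srv,unknown-tcp,allow
2026/01/12 08:04:10,10.10.20.40,10.10.50.5,445,allow-any-any-srv,ms-ds-smb,allow
"""

# The legacy L4 rule base being migrated (constructed names).
LEGACY_RULES = ["allow-web-out", "allow-any-any-srv", "old-ftp-to-partner"]


def parse_traffic_log(text):
    """Rows of the CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rules, records):
    """Per legacy rule: hit count plus which applications and ports App-ID saw behind it."""
    summary = {name: {"hits": 0, "apps": Counter(), "ports": Counter()} for name in rules}
    for rec in records:
        entry = summary.get(rec["Rule"])
        if entry is None:          # hit on a rule outside the migration scope; ignore
            continue
        entry["hits"] += 1
        entry["apps"][rec["Application"]] += 1
        entry["ports"][rec["Destination Port"]] += 1
    return summary


def unused_rules(summary):
    """Rules without a single hit in the observed window: removal candidates, to be
    confirmed against a window long enough to cover periodic jobs."""
    return [name for name, entry in summary.items() if entry["hits"] == 0]


def propose_app_rules(summary):
    """For every rule with traffic, the App-ID names to put into its replacement rule,
    and the unidentified traffic that needs investigation instead of an allow rule."""
    proposals = {}
    for name, entry in summary.items():
        if entry["hits"] == 0:
            continue
        proposals[name] = {
            "apps": sorted(app for app in entry["apps"] if app not in UNIDENTIFIED),
            "unidentified": {a: c for a, c in entry["apps"].items() if a in UNIDENTIFIED},
        }
    return proposals


if __name__ == "__main__":
    summary = summarize(LEGACY_RULES, parse_traffic_log(SAMPLE_LOG))
    print("unused:", unused_rules(summary))
    for rule, proposal in propose_app_rules(summary).items():
        print(rule, "->", proposal)
```

Two caveats the output makes concrete. The ssl entry behind allow-web-out is all App-ID can report for an encrypted session it does not decrypt, so the decryption policy from step 2 is what turns that single generic entry into the real application names you want in the new rule. And a zero hit count for old-ftp-to-partner only justifies removal if the observation window covered month-end runs, backups and other periodic jobs; the unidentified entries behind allow-any-any-srv (a half-open connection and an unknown TCP service on port 1521) are exactly the traffic to investigate rather than carry over.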

How long does a project take, and will it disrupt my operations?

The project duration depends on the scope of your rule set. Since concept design and staging take place entirely in the background and critical adjustments are scheduled specifically during off-peak hours, your day-to-day operations remain unaffected. A standard single-site project can be completed within a few weeks. I will give you a reliable timeframe directly after the initial assessment.


Let's talk.

No sales pitch, no standard proposal. If you think a conversation makes sense – tell me about your situation. I'll get back to you.

On-site in Bremen and the surrounding region · Remote throughout Germany


All product and company names mentioned are the property of their respective owners and are used solely to describe qualifications and professional experience. No commercial or contractual relationship exists between me and any of the companies or brands referenced.

© 2026 Max Hünecke. All rights reserved.