text document word document pdf document


CheckPoint FW-1/Nokia Firewall

Engineer/Architect

Astoria, Queens NY 11102


(718)  607-2138





Job Experience



IT Security Consultant
New York, New York
Feb 2008 to Present
IT security Consultant
Performed perimeter network security audits on production network infrastructure and made recommendations based on the results, including router, switch, and firewall hardening documents and network diagrams. Beyond the perimeter, I also conducted enterprise wide router and switch security baseline audits.


Provided clients with on-site and remote CheckPoint FW-1 Nokia appliance administration and support including; firewall rule creation, OS Admin., log review, ect. Proven experience in installing, maintain, configuring, and troubleshooting CheckPoint FW-1 running on Nokia IPSO.


In addition, I consulted performing, day to day, network and security admin. services. Including, setting up user ports on Cisco 4500 IDF switches and enabling data center ports on the 6509 (dual core) and maintaining several local and remote Cisco ASA pairs.






Ipreo (formally i-Deal LLC)
1359 Broadway, 2nd Floor
New York, NY 10018
www.ipreo.com
May 2006 to Feb 2008
Network Security Engineer
Ipreo (formally i-Deal LLC) makes trading, work flow and analytical software used by the largest banks in the world. Most of the bond market trades on i-Deal's MuniLink solution (formally Thompson Dalcomp). i-Deal was founded by Thompson, Citibank, Merrill Lynch and Microsoft. I worked with developers and traders to roll-out new applications and kept current applications running. Customers accessed Ipreo's applications across many types of networks: Internet, Radianz, TNS, Bloomberg and Leased Lines.


'Day to Day': Implemented firewall change requests while managing multiple firewall environments including: 20+ Nokia appliances running CheckPoint FW-1 NGX, Microsoft ISA 2004/06 firewalls, BlueCoat Proxies and Cisco PIX firewalls. Managed Cisco VPN account creation process: Cisco ACS, eToken and Microsoft Certificate Server. Administered Cisco VPN 3000 Series Concentrators in a HA pair. Solved complex network issues using Wireshark (Ethereal) and 'tcpdump'. Additional responsibilities, included maintaining and troubleshooting, InfoExpress CyberGateKepper NAC (Network Access Control / 802.1x) used to enforce internal LAN users and remote VPN users. Using the concept of endpoint posture assessment, which ensures that hosts on the LAN and VPN have the latest: A/V DAT files, security patches and updated application versions. Used Citrix/NetScaller load balancers (GSLB) to establish DNS fail over between data centers, in order to maintain application availability.


Supported the corporate web access infrastructure, which included a dual ISP architecture on the WAN side and a mix of HSRP, NLB and CARP, on the LAN side. As far as equipment, in this design, BlueCoat Proxy Servers (HA Pair), Sendmail OpenBSD (CARP) bastion SMTP servers and HA Microsoft ISA servers (NLB). Provided 3rd level support and engineering for complex Nokia IPSO and FW-1 NG related issues, for the i-Deal/Ipreo Nokia firewall infrastructure. Had access to corporate, and client, Cisco routers and core switches (6509), and worked maintaining and monitoring this infrastructure: 24x7.





IT Security Consultant
New York Metro area / New Jersey
July 2005 to May 2006
IT security Consultant
Performed half a dozenCheckPoint FW-1 on Nokia HA Pair (VRRP) installs. Helped clients plan CheckPoint and Nokia upgrades, in large production DataCenter environments.


Also, designed a secure method for a client to share and publish documents with a 3rd party. Internal, network access to the document pulblishing staging area needed to be secured so that 3rd parties could not tamper with the original documents. But the resulting Final documents would need to get published on a Public Internet site accessable from all points across the internal WAN backbone and the Public Internet (in a secure manner).






Bank of America
65 State Street
Albany NY 10027
www.bankofamerica.com
Jan 2003 to July 2005
CheckPoint FW-1/Nokia Firewall Engineer
Bank of America is the fourth largest, and fifth most profitable, company in the world. I worked as a member of Information Security - Perimeter Security Firewall Engineering Team. This team secured the external network infrastructure for an organization that services 33 million consumer relationships with more than 5,800 retail banking offices, more than 16,700 ATMs and award-winning online banking with more than 13 million active users.


As part of the Bank of America Firewall Engineering team, I worked with CheckPoint FW-1 running on three diffrent hardware platforms: Nokia, Sun and Nortel/Alteon. My specific focus is CheckPoint FW-1 on Nokia, but I am very familiar with the Sun and Nortel firewalls also. This includes Nokia models: IP330, IP440, IP530, IP650 and IP740. Running Nokia IPSO 3.7 and CheckPoint FW-1 NG FP3 and NG AI (R55). The team was also responsible for administrating the banks Cisco TACACS+ authentication infrastructure, by maintaining Cisco the ACS servers. In addition the team managed Nortel Contivity VPN servers: Nortel Contivity Extranet Switches (CES): 1600, 2600, 4600 and FTP/Telnet proxy server.





Independent IT Security Consultant
Dublin, Ireland
July 1999 to Dec 2002
IT security Consultant
During my three and a half years of IT Security consulting in Dublin, Ireland I worked for the following clients: Cognotec, Irish Aviation Authority, The Irish Times (Ireland.com), Digifone Ltd. (now O2) and Allianz Ireland. Generally the security projects were network perimeter design focused. Usually, this included the evaluation and re-design of different firewall architectures (B2B, Internet facing and 3rd party): including external and internal choke routers and firewalls, proxy servers, IDS and VPN. I created network designs that included a resilient HA firewall architectures that used two different firewall technologies (FW-1 and Cisco Pix), in a "defense in depth" approach. I also had responsibility for day to day firewall administration (Gauntlet, SunScreen, and multiple CheckPoint FW-1 boxes), on Solaris and Nokia IPSO.


While at Digifone (now O2), a very innovative GSM provider located in Ireland. I designed the network infrastructure and advised on the creation of a hybrid WAP/Wireless ISP (DigiPhone On-Line DOL) that ran on top of the GSM network (an early WISP). Digifone was "the world's first GSM operator to offer on-line shopping to customers using their dot digifone on-line (WAP) service." Hence I got to work on cutting edge WAP and Wireless ISP security issues.


While at Cognotec I worked with the IT Security groups at the following banks and assisted with integrating Cognotec's AutoDeal Lite product with the banks networks: Credit Suisse First Boston, First Union, Wells Fargo, Bank One, Swedbank, Soc Gen, West LB, Sanwa (Japan), Royal Bank of Canada. Also in this capacity I designed the model of how Cognotec should connect to banks and worked with UUNet system engineers to create standard Cisco router configurations to ease rollout to banks. Also, at Cognotec I was responsible for designing and implementing full BGP peering with three ISPs: Digital Isle, UUNet and BT.






PSINet
Performance Systems International
165 Jordan Road
Troy, NY 12180
www.psinet.com
Jan 1997 to April 1999
multiple positions (see below)

Security Planning and Response Team (SPART) (7/98 to 4/99)
Configured and administrated TIS Gauntlet firewalls for PSINet's Secure Enterprise customers (Gauntlet ver. 3.2 to 4.2 on BSDI ver 3.0 to 3.1). Also responsible for setting up and maintaining Intranets and dynamic packet filters for PSINetís Managed Service customers. Additional services provided to Managed Service customers included router and CSU/DSU configuration via remote administration and consulting on the creation of an overall Internet security policy.


NetWatch Strategic Support Group (4/97 to 7/98)
NetWatch was created to provide PSINet's top 50 strategic customers with a focused level of technical assistance of the type enumerated under "Corporate Installations" below, yet targeted towards high profile customers such as: The White House, TWA, Merrill Lynch & Co., Inc. Goldman Sachs, The Department of Defense, WebTV, Earthlink, PBS, United Airlines and the Council on Foreign Relations.


Corporate Installations (1/97 to 4/97)
Responsible for the integration of customer LANs with the Internet. Assisted corporate ISDN and leased line (128K-T1,T3,SMDS) customers both through e-mail and over the phone. Specific tasks included; troubleshooting SMTP servers, routers and CSU/DSU configurations, LAN/WAN security, connectivity issues, subnetting internal networks and maintaining/troubleshooting DNS zone records. The role required knowledge of TCP/IP, familiarity with multiple software and hardware platforms, and solid network troubleshooting skills. I created LAN and Leased Line "troubleshooting flowcharts" that where shipped to every new PSINet customer as part of the "getting started" pack.






Education

University at Albany, State University of NY (SUNY)
1400 Washington Ave, Albany, NY 12222
Graduated May 1992
Bachelor of Arts (B.A)
Political Science (Departmental Honors Program) GPA: 3.92 summa cum laude



Technical Highlights



Firewalls: Cisco Pix Firewalls (525, 520, 515, 506), FWSM and Cisco ASA 5520/5525 Firewalls, Checkpoint FW-1 4.1 to NGX65 (running on Nokia IPSO 3.1 to 4.2, Checkpoint SPLAT & Provider-1) and Juniper (Netscreen/SSG/ISG) firewalls


Load Balancers: Citrix Netscaler, Alteon (Nortel), F5 BigIP/3DNS and Cisco CSS (ArrowPoint)


VPNs: Cisco VPN Concentrator 3000 series, Juniper SA-series SSL VPN appliances, CheckPoint FW-1/NGX (client and site-to-site), Cisco Router and ASA/PIX (client and site-to-site), Nortel Contivity Extranet Switch (CES) 1600, 2600, 4600 ; Microsoft IPSec and PPTP, Linux FreeS/WAN


Cisco Routers & Switchs: Cisco 1600, 2800, 3600 and 7200 Routers ▪ Cisco 6500, 4500, 3650 Catalyst switches


Network Routing: BGP4, EIGRP, IGRP, OSPF, RIP, IP Static Routes, GRE, IPX, ATM, SNA, DLSw+


Proxy Servers: Proxy Blue Coat SG Appliance, Microsoft ISA 2004/2006, NetCache, Squid, FWTK 'plug-gw' proxy'


IDS: Snort, NFR, Shadow, Enterasys Dragon, Cisco NIDS (Cisco ASA 5520 IPS with AIP-SSM-20 module installed), ISS - RealSecure


Network Access: MPLS and MPLS VPN's, DS1/T1, DS3/T3, ATM, DSL, Frame Relay, SMDS, PPP, HDLC, ISDN BRI/PRI, digital-trunks, clear-channel T1, wireless T1, Wireless 802.11 a/b/g/n/i, Fast Ethernet "hand-off" (Straight, Trunked 802.1q or EtherChannel). Gigabit EtherChannel technology and IEEE 802.3ad (Link Aggregation Control)


Remote Access: Cisco VPN Client, RSA Ace Server/SecurID, RADIUS, CheckPoint FW-1 SecureClient/SecureRemote, CyptoCard, Cisco Secure Access Control Server (ACS) [TACACS+], Aladdin USB eToken, Integrity CheckPoint (formerly Zone Alarm) Endpoint Security server


Packet Filters: Linux Netfilter (ipchains or ipfwadm), PF on OpenBSD, Cisco IOS Firewall Feature Set, Cisco IOS Access Control Lists (ACLs) standard and CBAC


High Availability: HSRP, Nokia/Alteon VRRP, Juniper NSRP cluster, Netscaler GLSB, StoneBeat, SMTP using DNS MX, OpenBSD CARP, Microsoft NLB, Citrix Pres Server along with BGP4 and plain old DNS 'round robin'


Wireless: Ciscoís 350, 1200, 1300, and 1400 series access points, Cisco WiSM WLC's (4402 and 5508), Lightweight Access Points, LWAPP, WCS, Cisco WLSE 1030 server and Air Magnet IDS hardware sensors and wireless IDS management products


Encryption: SSL, IPSec, SSH, PKI (x509), PGP, STFP, Secure FTP, NDM Secure+, S/MIME, RSA, ISAKMP, EFS, FWZ, DES, MD5, SHA1


Protocol Analyzers: Network General Sniffer, NetScout Sniffer, WireShark/Tshark (Ethereal), Wild Packets, TCPdump, Snoop, Cisco SPAN, RSPAN, or port mirroring, 'fw monitor' (CheckPoint FW-1), Cisco ASA packet 'capture' and Juniper FW 'Snoop'


Nokia IPSO: Proxy ARP, 'fw monitor', Upgrade and Install, Migrate from Hard-Drive to Flash-Based, CLISH, iclid, TcpDump, VRRP, Lynx, Voyager, backup and restore, IP Routing (Static, RIP, OSPF and BGP)