Provided clients with on-site and remote CheckPoint FW-1 Nokia appliance administration and support, including firewall rule creation, OS administration, log review, etc. Proven experience in installing, maintaining, configuring and troubleshooting CheckPoint FW-1 running on Nokia IPSO.
In addition, I consulted, performing day-to-day network and security administration services, including setting up user ports on Cisco 4500 IDF switches, enabling data center ports on the 6509 (dual core) and maintaining several local and remote Cisco ASA pairs.
'Day to Day': Implemented firewall change requests while managing multiple firewall environments, including 20+ Nokia appliances running CheckPoint FW-1 NGX, Microsoft ISA 2004/06 firewalls, BlueCoat proxies and Cisco PIX firewalls. Managed the Cisco VPN account creation process: Cisco ACS, eToken and Microsoft Certificate Server. Administered Cisco VPN 3000 Series Concentrators in an HA pair. Solved complex network issues using Wireshark (Ethereal) and 'tcpdump'. Additional responsibilities included maintaining and troubleshooting InfoExpress CyberGateKeeper NAC (Network Access Control / 802.1x), used to enforce policy on internal LAN users and remote VPN users. This uses endpoint posture assessment, which ensures that hosts on the LAN and VPN have the latest A/V DAT files, security patches and updated application versions. Used Citrix NetScaler load balancers (GSLB) to establish DNS failover between data centers in order to maintain application availability.
Supported the corporate web access infrastructure, which included a dual-ISP architecture on the WAN side and a mix of HSRP, NLB and CARP on the LAN side. The equipment in this design included BlueCoat proxy servers (HA pair), Sendmail OpenBSD (CARP) bastion SMTP servers and HA Microsoft ISA servers (NLB). Provided 3rd-level support and engineering for complex Nokia IPSO and FW-1 NG related issues for the i-Deal/Ipreo Nokia firewall infrastructure. Had access to corporate and client Cisco routers and core switches (6509), and maintained and monitored this infrastructure 24x7.
Also designed a secure method for a client to share and publish documents with a 3rd party. Internal network access to the document publishing staging area needed to be secured so that 3rd parties could not tamper with the original documents. The resulting final documents then needed to be published on a public Internet site accessible from all points across the internal WAN backbone and the public Internet (in a secure manner).
As part of the Bank of America Firewall Engineering team, I worked with CheckPoint FW-1 running on three different hardware platforms: Nokia, Sun and Nortel/Alteon. My specific focus is CheckPoint FW-1 on Nokia, but I am very familiar with the Sun and Nortel firewalls also. This includes Nokia models IP330, IP440, IP530, IP650 and IP740, running Nokia IPSO 3.7 and CheckPoint FW-1 NG FP3 and NG AI (R55). The team was also responsible for administering the bank's Cisco TACACS+ authentication infrastructure by maintaining the Cisco ACS servers. In addition, the team managed Nortel Contivity VPN servers (Nortel Contivity Extranet Switches (CES) 1600, 2600 and 4600) and an FTP/Telnet proxy server.
While at Digifone (now O2), a very innovative GSM provider located in Ireland, I designed the network infrastructure and advised on the creation of a hybrid WAP/Wireless ISP (Digifone On-Line, DOL) that ran on top of the GSM network (an early WISP). Digifone was "the world's first GSM operator to offer on-line shopping to customers using their dot digifone on-line (WAP) service." Hence I got to work on cutting-edge WAP and Wireless ISP security issues.
While at Cognotec I worked with the IT Security groups at the following banks and assisted with integrating Cognotec's AutoDeal Lite product with the banks' networks: Credit Suisse First Boston, First Union, Wells Fargo, Bank One, Swedbank, Soc Gen, West LB, Sanwa (Japan) and Royal Bank of Canada. Also in this capacity I designed the model of how Cognotec should connect to banks and worked with UUNet system engineers to create standard Cisco router configurations to ease rollout to banks. Also, at Cognotec I was responsible for designing and implementing full BGP peering with three ISPs: Digital Isle, UUNet and BT.
NetWatch Strategic Support Group (4/97 to 7/98)
NetWatch was created to provide PSINet's top 50 strategic customers with a focused level of technical assistance of the type enumerated under "Corporate Installations" below, yet targeted towards high-profile customers such as The White House, TWA, Merrill Lynch & Co., Inc., Goldman Sachs, The Department of Defense, WebTV, Earthlink, PBS, United Airlines and the Council on Foreign Relations.
Corporate Installations (1/97 to 4/97)
Responsible for the integration of customer LANs with the Internet. Assisted corporate ISDN and leased line (128K-T1, T3, SMDS) customers both through e-mail and over the phone. Specific tasks included troubleshooting SMTP servers, routers and CSU/DSU configurations, LAN/WAN security, connectivity issues, subnetting internal networks and maintaining/troubleshooting DNS zone records. The role required knowledge of TCP/IP, familiarity with multiple software and hardware platforms, and solid network troubleshooting skills. I created LAN and Leased Line "troubleshooting flowcharts" that were shipped to every new PSINet customer as part of the "getting started" pack.
Firewalls: Cisco Pix Firewalls (525, 520, 515, 506), FWSM and Cisco ASA 5520/5525 Firewalls, Checkpoint FW-1 4.1 to NGX65 (running on Nokia IPSO 3.1 to 4.2, Checkpoint SPLAT & Provider-1) and Juniper (Netscreen/SSG/ISG) firewalls
Load Balancers: Citrix Netscaler, Alteon (Nortel), F5 BigIP/3DNS and Cisco CSS (ArrowPoint)
VPNs: Cisco VPN Concentrator 3000 series, Juniper SA-series SSL VPN appliances, CheckPoint FW-1/NGX (client and site-to-site), Cisco Router and ASA/PIX (client and site-to-site), Nortel Contivity Extranet Switch (CES) 1600, 2600, 4600; Microsoft IPSec and PPTP, Linux FreeS/WAN
Cisco Routers & Switches: Cisco 1600, 2800, 3600 and 7200 Routers ▪ Cisco 6500, 4500, 3650 Catalyst switches
Network Routing: BGP4, EIGRP, IGRP, OSPF, RIP, IP Static Routes, GRE, IPX, ATM, SNA, DLSw+
Proxy Servers: Blue Coat ProxySG appliance, Microsoft ISA 2004/2006, NetCache, Squid, FWTK 'plug-gw' proxy
IDS: Snort, NFR, Shadow, Enterasys Dragon, Cisco NIDS (Cisco ASA 5520 IPS with AIP-SSM-20 module installed), ISS RealSecure
Network Access: MPLS and MPLS VPNs, DS1/T1, DS3/T3, ATM, DSL, Frame Relay, SMDS, PPP, HDLC, ISDN BRI/PRI, digital trunks, clear-channel T1, wireless T1, Wireless 802.11 a/b/g/n/i, Fast Ethernet "hand-off" (straight, trunked 802.1q or EtherChannel), Gigabit EtherChannel technology and IEEE 802.3ad (Link Aggregation Control)
Remote Access: Cisco VPN Client, RSA ACE/Server and SecurID, RADIUS, CheckPoint FW-1 SecureClient/SecureRemote, CryptoCard, Cisco Secure Access Control Server (ACS) [TACACS+], Aladdin USB eToken, CheckPoint Integrity (formerly ZoneAlarm) Endpoint Security server
Packet Filters: Linux Netfilter (ipchains or ipfwadm), PF on OpenBSD, Cisco IOS Firewall Feature Set, Cisco IOS Access Control Lists (ACLs) standard and CBAC
High Availability: HSRP, Nokia/Alteon VRRP, Juniper NSRP cluster, NetScaler GSLB, StoneBeat, SMTP using DNS MX, OpenBSD CARP, Microsoft NLB, Citrix Presentation Server, along with BGP4 and plain old DNS 'round robin'
Wireless: Cisco's 350, 1200, 1300 and 1400 series access points, Cisco WiSM WLCs (4402 and 5508), Lightweight Access Points, LWAPP, WCS, Cisco WLSE 1030 server and AirMagnet IDS hardware sensors and wireless IDS management products
Encryption: SSL, IPSec, SSH, PKI (X.509), PGP, SFTP, Secure FTP, NDM Secure+, S/MIME, RSA, ISAKMP, EFS, FWZ, DES, MD5, SHA1
Protocol Analyzers: Network General Sniffer, NetScout Sniffer, Wireshark/tshark (Ethereal), WildPackets, tcpdump, Snoop, Cisco SPAN, RSPAN or port mirroring, 'fw monitor' (CheckPoint FW-1), Cisco ASA packet 'capture' and Juniper FW 'snoop'
Nokia IPSO: Proxy ARP, 'fw monitor', upgrade and install, migrate from hard-drive to flash-based, CLISH, iclid, tcpdump, VRRP, Lynx, Voyager, backup and restore, IP routing (static, RIP, OSPF and BGP)