If you are interested in seeing detailed information regarding security assessments or penetration testing, please feel free to contact me and I will provide you with the appropriate documentation. This includes, but is not limited to, the state and local government, healthcare, banking, and technology industries.
Project
Wide Area Network / Public Network Access / ASP model redesign
Customer Description
National Litigation Service Provider
Role
Information Technology Consultant, Technology Advisor, Security Analyst
Responsibilities
Document the existing network architecture, design a new solution for existing and future needs, and increase the level of information security.
Technology
The client had in place a legacy WAN infrastructure consisting primarily of point-to-point T(x) and Frame Relay circuits. Although the number of remote offices had increased, as had the demand for network access, the technology was aged. As a result, the client was experiencing many problems related to network congestion, along with outages. Several of the client's service offerings relied on public network access, as the client was an ASP. The existing architecture included a single point of failure: public network access was centralized and protected by one Check Point firewall.
Given the need for high availability, performance, and security, a new WAN architecture was designed that decreased the client's monthly costs and fulfilled the above needs. The new design consisted of a pure IP-based Private Routable Network (PRN). Remote sites no longer relied on a single circuit for public network access, as this was achieved at each location. Private IP addressing was implemented and made routable based on source and destination translation policies within the PRN policy. Data and communications security was achieved using 3DES encryption and perimeter defense systems at each location. In the event that any one location went down, all remaining locations could continue to communicate. This also provided the means to implement a highly available ASP model. The primary ASP systems were replicated using a Veritas solution and the appropriate shared storage was implemented. In the event the primary ASP farm went offline, the secondary (located at a remote location) was automatically enabled. Another benefit of having multiple network access points and the ability to perform static NAT at each NAP was the implementation of a secondary weighted mail server (Exchange).
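The single-point-of-failure argument above can be checked mechanically. The following is an added example and is not part of the original page or of the client's design documents: it models the legacy WAN (every office reaching the public network through the one centralized firewall, here assumed to sit at a site called "hq") and the PRN design (each site with its own public network access) as small undirected graphs and reports which sites lose public-network reachability when a given site fails. The site names, link lists and failure scenarios are constructed for illustration; "inet" stands for the public network. The same check applies to the redundant router, redirector and firewall pairs described in the later projects.

```python
"""Failure-domain check for a centralized WAN versus a meshed PRN design.

Added example, not taken from the original page.  Site names ("hq",
"office1", ...) and link lists are constructed for illustration; "inet"
stands for the public network.
"""
from collections import deque


def reachable_sites(links, failed=frozenset()):
    """Sites that can still reach the public network ("inet") once the
    sites in `failed` are down, found by breadth-first search over the
    undirected link list.  "inet" itself is never part of the result."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    if "inet" in failed:
        return set()
    seen, queue = {"inet"}, deque(["inet"])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in failed:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard("inet")
    return seen


def isolated_sites(links, failed):
    """Surviving sites cut off from the public network by the failure."""
    sites = {n for link in links for n in link} - {"inet"}
    return sites - set(failed) - reachable_sites(links, failed)


def single_points_of_failure(links):
    """Sites whose loss isolates at least one other surviving site."""
    sites = {n for link in links for n in link} - {"inet"}
    return {s for s in sites if isolated_sites(links, {s})}


# Legacy design (constructed): public network access centralized behind the
# single firewall at hq; every remote office reaches "inet" only via hq.
LEGACY = [("inet", "hq"), ("hq", "office1"), ("hq", "office2"), ("hq", "office3")]

# PRN design (constructed): each location has its own public network access,
# so inter-site traffic no longer has to transit hq.
PRN = [("inet", "hq"), ("inet", "office1"), ("inet", "office2"), ("inet", "office3")]


if __name__ == "__main__":
    for name, links in (("legacy", LEGACY), ("prn", PRN)):
        print(name, "SPOFs:", sorted(single_points_of_failure(links)),
              "| hq down isolates:", sorted(isolated_sites(links, {"hq"})))
```

Running the script lists "hq" as the only single point of failure in the legacy topology (its loss isolates all three offices) and none in the PRN topology, where the loss of any one site leaves every other site with its own path to the public network.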
In addition, given the increased network communications bandwidth, a VoIP solution was implemented. The client had recently installed new NEC phone switches that had VoIP capability. At the time of this solution design the client had no idea that their new phone system had this option. Given that many long-distance intra-office calls were made on a daily basis, this solution decreased their traditional telecom costs by nearly 40%. They are also able to make local calls to what would normally be long-distance numbers using call origination / forwarding. This system has performed well above initial expectations.
Project
Perimeter Defense, Intrusion Detection, Internal Security
Customer Description
A global life science & medical research center
Role
Information Technology Consultant, Technology Advisor, Security Analyst
Responsibilities
Maintain and support the existing perimeter defense system. Act as technology advisor regarding network security policies, measures and procedures. Attend meetings with the customer's IS department and third-party technology providers. Design the next-generation perimeter defense system. Design and recommend appropriate products for intrusion detection, content filtering and vectoring services. Assist in developing enterprise security policies and technology solutions. Implement security and infrastructure solutions.
Technology
The existing perimeter defense system was a single Check Point Firewall and Websense UFP server running on a Sun Microsystems platform with three active interfaces. Egress and ingress traffic was steadily increasing due to new marketing campaigns and other factors, and was consuming large portions of the firewall's available resources. This resulted in dropped packets and network outages. After thirty days of system resource analysis it was determined that the existing system was not properly resourced, which is why the performance problems surfaced.
After making changes to the Solaris kernel and network properties, along with Check Point performance tuning, I was able to stabilize the firewall. Availability and performance concerns dictated that the perimeter defense system be redesigned. Performance, scalability and availability were of great importance. The solution was to design a load-balanced, highly available firewall cluster that was scalable and able to meet existing and future performance needs.
Two Cisco routers attached to separate NAPs, running IBGP and HSRP, provided public network access. Two Sun Microsystems enterprise-class, quad-processor servers with 1 GB of RAM, redundant power supplies, Znyx teaming / trunking NICs, and mirrored disk drives were selected as the firewalls. Six Alteon load-balancing switches were selected to provide redirection services. Two external Alteons between the firewalls and the Cisco routers maintain a VIP address. Two internal Alteons between the firewalls and the internal private network maintain a VIP address. Two additional Alteons were configured to service the existing DMZ. All Alteons are connected via gigabit Ethernet inter-switch connections. Four additional layer 2 switches were implemented in order to cluster the external and internal Alteons to the firewalls. Clustering the Alteons to the firewalls with the layer 2 switches allows for continued load balancing in the event that one of the external or internal redirectors goes down. Firewall state table replication services were configured manually. The Check Point reporting module and third-party intrusion detection software were specified as the intrusion detection system, along with the strategic placement of honeypot servers.
Project
VoIP, Perimeter Defense, NOS upgrades, Server Based Computing
Customer Description
Trust company managing over two billion in assets
Role
Information Technology Consultant, Security Analyst, Systems Engineer
Responsibilities
Maintain, support, and upgrade the perimeter defense system, network operating systems and data communications. Provide on-call support for all internal infrastructure.
Technology
The customer was running an unsupported version of Check Point Firewall-1 on a Sun Microsystems platform. The Check Point software was upgraded to the latest version. The existing security policy was not adequate and was redesigned. The customer wished to make additional application servers available via the public network, so additional NAT rules were created and the servers secured. Firewall properties and tunable parameters were modified to increase performance, along with additional modifications to protect against SYN attacks and spoofing.
The client's enterprise network included UNIX, Windows NT, and Novell NetWare. In an effort to consolidate the number of protocols on the network and preserve WAN bandwidth, the Novell servers were upgraded and the remote location was converted to a Citrix server-based computing solution. The NetWare upgrade would have been straightforward, but an initial review of the system revealed a problem. The client's previous IT vendor had installed three new 10K hot-swap drives in the system but did not recreate the logical device on the array to accommodate the increased drive capacity. The thought was that the array could be expanded after the re-install. Unfortunately, the array controller did not support online expansion of the logical device. In order to minimize downtime, the existing NetWare partition and volumes were moved to another logical device using a third-party utility. The primary logical device was then destroyed and recreated, maximizing disk usage. Using the third-party utility, the NetWare partition and volumes were moved back to the new logical device. The NetWare upgrade was then performed.
The customer made many calls from corporate headquarters to the remote location, and to other locations that would be considered a local call if originated from the remote location. A VoIP solution was implemented using two Cisco 3810s with VoIP modules. Each router was attached to the local telephony switch via a T1 interface, and the routers were configured to provide intra-office calls between headquarters and the remote location. Additionally, all calls originating from either location to local exchanges at the other end are now originated from the office in the local exchange in order to reduce long-distance charges.
Because the remote location did not have IT support staff, systems administration was complex. If a problem arose in the remote location, the systems administrator would have to travel to that location in order to resolve it. In most cases, the problems were minor and related to desktop issues. In order to simplify administration and support, the remote location's users were moved to a Citrix server-based computing solution. The Citrix server resides at corporate headquarters, where the systems administrator is. The result is less WAN bandwidth consumed, due to the nature of the Citrix ICA protocol, and the ability to assist users by shadowing their desktop sessions. In addition, application updates can now be done in one central location, and done only once.
Project
Sun Cluster, Third Party CAD
Customer Description
Global shipbuilding company based out of Germany with a facility in Philadelphia, PA. This location was being built from the ground up to design and build ships.
Role
Information Technology Consultant, Systems Engineer, Project Manager
Responsibilities
Design a Sun Microsystems cluster server to provide uninterrupted application services; coordinate and participate in meetings with all parties.
Technology
The design included Sun Enterprise servers clustered with Sun Cluster Server and connected via Super Scalable Interconnects. Each of the servers consisted of redundant network interface cards, multiple power/cooling modules, multiple power supplies, redundant CPU/memory and I/O boards, Dynamic Reconfiguration and Alternate Pathing (DRAP) installed to handle real-time maintenance, repair and upgrades, and individual power feeds and distribution units.
All system components were attached to power conditioning and UPS systems. Multiple StorEdge units were included as common data storage and configured with multiple FC-AL interface boards and Gigabit Interface Converters (GBICs) for performance and fault tolerance. Veritas File System was implemented for disk management. The solution also included a Solaris workstation configured as the control / management system. A separate enterprise-class server was configured as a tape backup server utilizing a tape library and Veritas NetBackup.
Two additional Sun systems engineers performed the installation under my direction. I provided high-level support during the installation, and on several occasions it was necessary for me to complete certain tasks. The installation was performed in this manner in order to familiarize multiple systems engineers with the configuration, so that future support was more readily available and easier to accomplish.
Project
Secure Perimeter, High Availability, VPN services
Customer Description
Start-up online credit card bank
Role
Information Technology Consultant, Systems Engineer, Project Manager
Responsibilities
Solution design and implementation
Technology
The customer wished to establish a broadband data connection to the public network for e-mail, web, and other e-collaboration services. In addition, the customer wanted to establish a VPN to a remote office and provide mobile employees with access to the corporate network. The customer's business was financial in nature, so security was of great importance. The design included two (2) Sun Microsystems mid-range servers with redundant power/cooling modules, power supplies, network interface cards, RSC cards for remote administration and maintenance, and multiple internal disk drives configured as mirrored sets with Veritas Volume Manager. A Check Point firewall was selected as the perimeter defense system and VPN product. StoneBeat was selected as the fail-over / cluster component. Multiple data communications providers were selected with separate NAPs in order to decrease the possibility of downtime due to network outages. Websense was selected and implemented on another workgroup-class system to provide UFP and reporting services.
Technology Experience Overview
I would like to point out that I have held several high-level positions, including that of Executive Vice President of a $90 million services company and CTO of a privately held service company. As my references can attest, I am very effective in technology management positions. A large number of technology management personnel do not have my level of current technology experience. My combination of technology business experience and current technology skills gives me, and any organization I am working with, a competitive advantage.

Having many years' experience with multiple operating systems, I developed a specialty in heterogeneous operating system integration. I was exposed to TCP/IP and various routed and routing protocols early in my career because I had access to UNIX-based systems at the University of Delaware, where an associate of mine was in the MIS department. I became interested in network security when I started working as a systems engineer for one of my previous employers some 10 years ago. In order to assist my employer in securing these types of opportunities, an associate and I developed a network security practice. Most customers, some of whom already had broadband connections to the public network, had never heard of perimeter defense systems and had little in the way of internal security policies.