CJ (Joseph) Ondeck
PROFILE
Senior Network Security Engineer/Architect with hands-on experience in network and perimeter security engineering and architecture. Proven track record in troubleshooting, diagnosing, and developing secure solutions to improve security and productivity in technically advancing environments.
• Expertise: Worked with cutting-edge technologies from Checkpoint, Cisco, Juniper, Citrix, F5, Tufin, Algosec, Firemon, Splunk, LogLogic, QRadar (IBM), Sumo Logic, and many others.
• Technical Skills: Motivated to pivot and expand technical expertise into new network and security technologies.
• Security Engineering/Architecture: Knowledgeable in “Defense in Depth”, “Defense by Diversity”, Zero Trust Network Access (ZTNA), “SANS Top 20” standards, and various regulatory practices (FFIEC, OCC, PCI-DSS, HIPAA, NIST, NSA, etc.).
• Collaboration: Experienced in working with technical and non-technical stakeholders throughout detailed design, installation, and implementation phases of network security projects.
• Security Policies: Authored corporate network security policies for international IT departments.
• Checkpoint Expertise: Subject Matter Expert in Checkpoint firewall architecture, configuration, and troubleshooting across various product lines.
• Advanced Training: Completed SANS SEC502 (Perimeter Protection In-Depth) and SEC503 (Intrusion Detection In-Depth) courses.
• Other Core Competencies: DMZ Segmentation, Perimeter Segmentation, Zero Trust, NGFW Design/Rule and Policy Analysis, IPS/IDS Design/Rule and Policy Analysis, Data Packet Analysis, Advanced Security Analysis, HTTPS Inspection, Data Loss Prevention, Behavioral NDR, Team Mentorship, Risk Management.
TECHNICAL EXPERIENCE
NGFW / Security Appliances
Checkpoint R65/R75/R77/R80/R81
Checkpoint GAIA/IPSO/SPLAT
Checkpoint Provider-1/MDSM
Checkpoint NGFW Blades:
• Firewall/NGFW
• IPS/IDS
• Anti-Bot/Anti-Virus/Anti-SPAM
• Application Control/URL Filtering
• Data Loss Prevention (DLP)
• HTTPS Inspection
• Identity Awareness (IA)
• Log Server
• SSLVPN/IPSEC VPN/Remote Access
• SmartEvent
• Threat Emulation
Cisco ASA
Juniper Netscreen
Citrix Netscaler
NitroSecurity IPS/IDS Appliances
Nokia IP Appliances
Nortel Contivity VPN
Perimeter Security
DMZ
Network Address Translation (NAT)
Network Access Control (NAC)
RSA SecurID Mgmt SW
Zero Trust Network Access (ZTNA)
VRRP
Network/Security Mgmt Tools
Tufin SecureTrack
AlgoSec AFA
Firemon
Wireshark
TCPDUMP
pcap
Fiddler
snoop
Snort
Metasploit
Nessus
Nmap
NAI Distributed Sniffer
NAI Sniffer Pro
Symantec SESA
Symantec ESM
SIEM
Splunk
SumoLogic
LogLogic
LogRhythm
QRadar Security Intelligence
Load Balancer
F5 BIG-IP Local Traffic Manager (LTM)
F5 BIG-IP Link Controllers (LC)
Cisco Content Service Switch
Routers / Switches
Cisco Routers/Switches/IOS
Dell Switches
Foundry Switches
Nortel Networks Switches
Ethernet/Gigabit Ethernet
Border Gateway Protocol (BGP)
DHCP
EIGRP/IGRP
NetFlow
OSPF
RIP v2
Switching (Layer2/3)
DSU/CSU
Taps
Network Monitoring Tools
Cisco CiscoWorks
HP OpenView
Nortel Networks Optivity
Fluke Enterprise LANMeter
Software / System OS
Microsoft Visio
Microsoft Office
Microsoft Windows
Microsoft Server
RedHat Linux
Sun Solaris
PROFESSIONAL EXPERIENCE
Hays USA @ Truist Bank – Full Remote
Sr. Network Security Engineering Consultant
Oct. 2022 – Oct. 2023
Successfully managed Checkpoint VSX Firewall migrations of secure DMZs and other protected management networks for a year-long Data Center move project.
Conducted an audit of legacy and newly requested firewall rules for each VSX FW moved, to bring the FW rulebase up to current network security “best practices” and/or correct it to current internal security standards and regulatory practices.
Provided valuable recommendations for future “best practice” firewall engineering and improved FW rule design for legacy FW rules and protocols.
In-depth troubleshooting and resolution of Level 3 and Level 4 Network and Network Security issues and design flaws during the transfer of networks from the legacy data center to the new data center.
MUFG – Jersey City, NJ / Hybrid
AVP / Sr. Network Security Engineer
Nov. 2016 – Aug. 2021
Lead Network Security Engineer responsible for coordinating with our Head Office and other locations in the Americas, EMEA, and ASPAC on multiple projects involving network segmentation and the implementation of Zero Trust communication to the US data centers.
Lead Network Security Engineer responsible for IPS/IDS engineering deployment decisions and software/signature updates using the Know Your Environment (KYE) principles.
Remediated multiple regulatory network security findings (MRAs) to a level that met or exceeded the current regulatory requirements and within the set deadlines.
Completed segmentation projects for LATAM networks across five different countries.
Recommended and implemented a complete re-engineering of FW Rules for AD Protocols using only the necessary protocols during an AD domain server upgrade deployment cycle.
Ensured corporate network security policies, “best practices”, and proper regulatory practices were followed during the design and implementation phases of all firewall changes or that risks were understood and mitigated to acceptable levels with all stakeholders.
One of the team of Lead Engineers responsible for secondary review and approval of all Network Perimeter Security changes to ensure corporate and regulatory standards were being followed.
Updated FW rule push automation scripts within the Checkpoint API to minimize the time needed to complete within Change Management windows, leading to a 50% time savings.
Mentored less experienced IT engineers/analysts on Network Security FW/IPS engineering and rule design that met “best practices” and regulatory standards.
Monitored the Change Management application for FW rule add, delete, and change requests and fulfilled those requests within the appropriate SLA timeframe. An average of 25 requests were completed per month.
In-depth troubleshooting and resolution of Level 3 and Level 4 Network and Network Security issues and design flaws during on-call rotations and escalation callouts.
Shearman & Sterling, LLP – New York, NY / Hybrid
Sr. Network Security Engineer
Nov. 2014 – Dec. 2015
Successfully led efforts to stabilize the Checkpoint Blade environment and regain IT and user community confidence in it after problems caused by R77 initial version issues (memory corruption bugs) and misconfiguration of Blade settings.
Tracked and performed upgrades of FW code as more stable versions were released and/or recommended by Checkpoint Support.
Met with lead development executives and technical staff within Checkpoint to voice concerns on their product that led to enhancements and corrections within their product.
Led firewall engineering effort to build out Lab environment to test new versions of Checkpoint software and firewall rules so that fixes were tested before deployment to production.
Provided security design and firewall engineering support for a clientless SSL VPN-accessible e-Discovery private cloud, allowing centralized legal matter access to firm attorneys and clients.
In-depth troubleshooting and resolution of Level 3 and Level 4 Checkpoint Blade technology issues, including NGFW, IPS/IDS, Identity Awareness (IA), Threat Emulation (TED), HTTPS Inspection, URL Filtering, Application Control, and Data Loss Prevention (DLP).
Ensured the firm’s network security policies, “best practices”, and proper regulatory practices were followed during the design and implementation phases of all firewall changes or that risks were understood and mitigated to acceptable levels with all stakeholders.
Monitored the Change Management application for FW rule add, delete, and change requests and fulfilled those requests within the appropriate SLA timeframe. An average of 30 requests were completed per month.
Developed a standardized format for requesting and implementing Firewall rule changes to streamline processes between IT Security and IT Operations.
Designed, configured, installed, and maintained Checkpoint FW-1, VPN-1, and other Checkpoint Blade modules on the GAIA platform in an international high availability (HA) Cisco Nexus network environment.
Consulting Assignments – Various Locations
Network Security Engineering Consultant
Mar. 2008 – Aug. 2014
TEKSystems @ IFS (International Fund Services – A State Street Company) – Provided level 2 and level 3 Network Security support to the Production and Development environment. Upgraded Checkpoint firewalls to R75. Audit and modification of firewall rules/policies aided by tools such as AlgoSec, Firemon, and QRadar to align with corporate security policy and regulatory practices. Provided new and updated documentation to policies and procedures. Provided level 2 and level 3 network engineering support for international high availability (HA) Cisco Nexus network environment.
The Judge Group @ OPTUM (Subsidiary of United HealthCare) – Provided network security guidance and support for Data Center moves. Delivered guidance on the use and operation of the Checkpoint IPS blade, including decisions on which IPS signatures were activated. Supplied level 2 and level 3 network security operational support for the Checkpoint environment and Data Center moves. Prepared documentation for Checkpoint troubleshooting tools and commands.
OpenSky @ EMC2 – Provided staff augmentation and support to the Security Operations and Security Architecture teams working on firewall rule redesign, firewall upgrade projects, and proof of concept (POC) implementations. The environment included Checkpoint Provider-1 with multiple CMAs and 250+ Checkpoint firewall locations.
SPC Pro @ Company Confidential – Provided network and network security engineering consulting and implementation services to a Fortune 25 company, which provided business continuity and resiliency services during disaster recovery exercises at their backup site for multiple significant clients.
The Goal @ Verizon Business – Professional Security Services – Major Internet/Intranet perimeter security upgrade to 4 datacenters for an International Financial Services firm. Installation and cutover support of Checkpoint R70 firewalls and Provider-1 MDS on SPLAT and Nokia IPSO platforms. Placement and configuration of IDS/IPS management servers and sensors. Rollout of Tufin SecureTrack for firewall operations and change management, auditing, and compliance. Implementation of LogLogic LX and ST appliances for log management and backup.
SARCOM @ General Electric – Danbury CT – Design, configuration, installation, & maintenance of Checkpoint NGX FW-1 and SmartCenter solutions in a large corporate environment. Configuration and maintenance of F5 BIG-IP Local Traffic Manager (LTM) load balancers and F5 BIG-IP Link Controller (LC) in a load-balanced configuration. Processing of customer requests for new firewall and F5 implementations and changes.
Softworld @ Cape Cod Hospital – Hyannis MA – Recovery, design, configuration, installation, & maintenance of Checkpoint NGX R65 FW-1 and VPN-1 solutions in a large healthcare environment. Included upgrade of Checkpoint SmartCenter server and Checkpoint FW-1/Nokia firewalls to most recent versions.
Softworld @ Staples, Inc. – Framingham MA – Design, configuration, installation, and maintenance of Checkpoint NGX FW-1 solution in a large corporate environment for a PCI-DSS project. Assisted in the specification, analysis, and final selection of Tufin SecureTrack as the firewall auditing, monitoring, and compliance solution for the entire corporate firewall environment.
EDUCATION
Training – Various Locations
SANS SEC502 – Perimeter Protection In-Depth (GCFW – Course Only)
SANS SEC503 – Intrusion Detection In-Depth (GCIA – Course Only)
Checkpoint Plus and Checkpoint NG Plus – GAIA, SPLAT, Nokia OSs.
Cisco ICRC(ICND), ACRC(BSCN), IMRC, CLSC(BCMSN), BCRAN
Southern Connecticut State University – New Haven, CT
Studies included ANSI “C”, 4GL/SAS, Pascal (Turbo), and Organization Information & Retrieval (DBMS).