Joseph G. McGean - RESUME
www.net-working.net
_________________________________________________
CheckPoint FW-1/Nokia Firewall Engineer/Architect
_________________________________________________
Looking for full-time roles in and around
Albany, NY
Phone: 518-***-****
E-mail: <nospam_mcgean@gmail.com_nopam>
Remove 'nopam_' at end and beginning of ^^^^ above address
=================================================
OBJECTIVE
_________
To provide scalable, supportable military grade TCP/IP security
solutions along with expert TCP/IP network designs that enable
business functionality. "Security for security's sake" is not my goal.
Secure business and fostering business in a secure way: that's the
challenge.
TECHNICAL HIGHLIGHTS
____________________
* Internet Security and TCP/IP network design
* Firewall install, consult, review and maintain
* VPN, policy design, IDS, & DMZ design
Firewalls: CheckPoint FW-1 4.1/NG FP3 & AI R54-56 and NGX [r60]
Running on Nokia, NT, Linux (SPLAT) & Solaris 2.6 - 2.9
Nokia IPSO version(s) 3.1 to 3.9
SecurePlatform & Provider-1
Cisco PIX, Raptor, IP chains, IP filter, Cisco IOS filters, TIS/NAI
Gauntlet, WatchGuard Firebox II, FWTK
Remote Access: RSA Ace Server/SecurID, RADIUS, CheckPoint
FW-1 SecureClient/SecureRemote, CryptoCard, Cisco Secure Access
Control Server (ACS) [TACACS+]
High Availability: CheckPoint FW-1 (StoneBeat on Solaris 2.6), Cisco
HSRP, Nokia/Alteon VRRP, Cisco CSS-11150 (AKA-ArrowPoint CS-
150), Big/IP & 3DNS along with BGP4 and plain old DNS 'round robin'
Vulnerability Scanning: SPIDynamics WebInspect, eEye, Nessus, Nmap,
Hping, ISS Security Scanner, CyberCop Scanner, etc.
IDS: ISS RealSecure, Cisco, Enterasys Dragon, Snort, NFR, Shadow
IP routing: IGRP, BGP4, OSPF, RIPv1 &v2, static
PROFESSIONAL EXPERIENCE
_______________________
January 2003 to Present
Bank of America Albany, New York
http://www.bankofamerica.com/
CheckPoint FW-1/Nokia Firewall Engineer
Member of the Firewall Engineering team at Bank of America,
which administers 260+ Nokia CheckPoint FW-1 firewall modules. This
includes Nokia models: IP330, IP440, IP530, IP630 and IP740. Running
Nokia IPSO 3.7 and CheckPoint FW-1 NG FP3 HFA323.
Team also responsible for administrating Nortel Contivity VPN servers
-- Nortel Contivity Extranet Switches (CES): 1600, 2600, 4600 -- and
FTP/Telnet proxy server.
This is one of the largest CheckPoint FW-1 deployments in the world.
We use CheckPoint Provider-1 to manage the individual modules, many
of which are HA (Nokia VRRP) pairs.
Daily Tasks Include:
o Troubleshooting complex hardware and software issues with
regards to network connectivity and access controls
o Analyse firewall performance and suggest/implement
improvements
o Scrutinize rule sets to ensure high levels of security and
functionality
o Carried a pager on a rotating basis for one week and
responsive to off-hour production firewall issues 24x7
o Responded to internal, and external, audit inquiries regarding
firewall management and configuration practices
Interacted with external, and internal 'Line of Business' customers, to
provide technical and procedural solutions to business problems
pertaining to firewall configurations and policies.
Directed network and server administrators (Unix and Windows) to take
corrective actions to address misconfigurations or implement
customized configurations of network protocols: Default route, subnet
masks, etc.
Conducted research and coordinated with Intrusion Detection analysts
performing forensic investigations in support of enterprise security
operations. Also coordinated with internal CERT teams regarding
high-risk security issues in general.
----
October 2001 to September 2002
Allianz Ireland Dublin, Ireland
www.allianz.ie
Firewall Security Analyst
Evaluation and re-design of three different firewall architectures (B2B,
Internet facing and 3rd party): including external and internal choke
routers and firewalls. Created a single firewall architecture that used
two different firewall technologies (FW-1 and Cisco Pix), in a
defence-in-depth approach.
Evaluation and response to PEN tests. Analysis of Broker B2B User
Management via LDAP; created an implementation roadmap including:
custom code, Web SSO (Securant) RSA ClearTrust and full J2EE
Application Server integration (IBM WebSphere) with IBM Host
Publisher (J2EE based AS/400 'screen scraping'). I explained to
business the costs and pros and cons of the above three user
management approaches.
Analysed AS/400 TCP/IP network security issues relating to QSECOFR
('root'), DDM, FTP, ODBC and Client Access (TN5250): rated risks of
these and created solutions to secure. Also looked at legacy SNA
APPC LU 6.2 links and their security and considered migration to IP when
possible to secure.
I also had responsibility for day to day firewall administration (Gauntlet,
SunScreen, and multiple CheckPoint FW-1 boxes), all on Solaris. I
served as the overall technical security advisor, consulting on the
security aspects of various projects: Credit Card Auth (for phone reps
and Web sites), RIM BlackBerry (GPRS wireless PDA), Experian
connections, 3rd party data transfers and B2C Web site security
(www.fisrtcalldireact.com).
Wrote the following security policies: Firewall Change Control, DMZ
Security (patching SLA), Wireless 802.11b, Firewall Password.
----
April 2001 to Oct. 2001 (contract)
www.ireland.com, The Irish Times Dublin, Ireland
Network & Security Administrator
With 27 million page impressions a month Ireland.com is the fourth
busiest Web site in the UK & Ireland. My role mostly focused on
www.ireland.com, but was functional across the entire Irish Times
Group. I drew up E-mail and Web usage policies and outlined overall
security architecture to meet BS7799 compliance. Designed resilient
network paths to business critical facilities. Created a leased line test
bed to measure typical network traffic patterns of specific applications.
Wrote an RFP for Dublin wide WAN and also an RFP for VPN (Nokia
CheckPoint FW-1 appliances). Outlined a secure process for vendor file
upload as part of a new service offering. Using Snort on Solaris 2.7 to
do IDS. Establishing a secure means to access LDAP servers. Looking
at Java code running on BEA WebLogic Application server for possible
security holes.
----
January to April 2001 (contract)
Irish Aviation Authority Dublin, Ireland
www.iaa.ie
Security Consultant
The Irish Aviation Authority is the Irish Government body which
manages Irish air space, control towers and flight management
systems. I wrote an RFP (Request for Proposal) for a dual CheckPoint
FW-1 pair connected with StoneBeat on Solaris, along with a dual ISP
connection. I was also part of the RFP response evaluation committee.
This was a good experience as I have answered RFPs in the past, but
this time I got to distil a customer's needs and requirements into an RFP
and then participate in the review of the responses. Also suggested
auditing tools (SysLog for Unix, BindView for Novell) based on
customer auditing requirements. Troubleshot DNS mail issues and
found security issues with managed Cisco's in seven locations.
----
July 2000 to December 2000 (Contract) Trinity Technology
Dublin, Ireland
Firewall (CheckPoint FW-1) Engineer / Product & Service
Integration
Six-month contract with client who required a complete overview on
setting up a firewall managed service: from a technical perspective. I
translated my experience working in a managed firewall service
environment (PSINet), and advised them, on how to create such a
managed firewall service, from a technical support perspective.
Technologies: (Cisco routers, CheckPoint FW-1 on Solaris & Nokia).
----
April to June 2000 (3 month contract)
Digifone Ltd. (now O2) Dublin, Ireland
www.digifone.com
Internetworking and Security Systems Engineer
Digifone is a very innovative GSM provider located in Ireland. Digifone
is "the world's first GSM operator to offer on-line shopping to customers
using their dot digifone on-line (WAP) service." I am looking at the
security aspects of some advanced and as yet un-offered WAP
services. Also I am designing the network infrastructure and advising on
the creation of an ISP that will run on top of the GSM network. The ISP
will be a straight dial-up 'free' ISP, as well, that will link to the WAP
portal. It is a very dynamic project with the chance to work with some of
the industry's top professionals from IBM, Netscape (I-Planet) and Sun
on some leading edge mobile E-commerce solutions. My background in
mission critical Internet solutions and Internet security is being applied
to these innovative solutions.
----
July 1999 to Feb 2000
Cognotec Ltd. Dublin, Ireland
www.cognotec.com
Security Engineer / IP Network Architect
As Security Officer I have worked with the Security groups at the
following banks to explain and integrate Cognotec's AutoDeal Lite
product with the banks' network: Credit Suisse First Boston, First Union,
Wells Fargo, Bank One, Swedbank, Soc Gen, West LB, Sanwa
(Japan), Royal Bank of Canada.
Also in this capacity I have designed the model of how Cognotec should
connect to banks and worked with UUNet system engineers to create
standard Cisco router configurations to ease rollout to banks.
Oversaw the installation, configuration and migration of four CheckPoint
firewalls from NT to Solaris 2.6 within our datacenter utilizing two
StoneBeat High Availability instances.
Oversaw overall Internet security policy, including designing slides
and high-level architecture documents that are provided to all Cognotec
customers.
Administrated CheckPoint 4.0 NT firewalls in Dublin and London.
As Global IP Network Architect I am responsible for designing and
implementing full BGP4 peering with three ISPs: DigitalIsland, UUNet
and BT. This is to provide reliable Internet uptime of our financial
transaction Web servers.
----
Jan. 1997 to April 1999
PSINet Inc. Troy, NY USA
www.psi.com
multiple positions (see below)
Security Planning and Response Team (7/98 to 4/99)
http://www.psinet.com/security/index.html
* Configured and administrated TIS Gauntlet firewalls for PSINet's Secure
Enterprise customers (Gauntlet ver. 3.2 to 4.2 on BSDI ver 3.0 to 3.1).
Also responsible for setting up and maintaining Intranets and dynamic
packet filters for PSINet's Managed Service customers. Additional
services provided to Managed Service customers included router and
CSU/DSU configuration via remote administration and consulting on the
creation of an overall Internet security policy based upon organisational
needs and resources.
NetWatch Strategic Support Group (4/97 to 7/98)
* NetWatch was created to provide PSINet's top 50 strategic customers
with a focused level of technical assistance of the type enumerated under
'Corporate Installations' below, yet targeted towards high profile
customers such as: The White House, TWA, Merrill Lynch & Co., Inc.,
Goldman Sachs, The Department of Defence, WebTV, Mindspring,
Earthlink, PBS, United Airlines, Council on Foreign Relations, RiteAid.
Corporate Installations (1/97 to 4/97)
* Supervised and orchestrated the integration of customer LANs with the
Internet. Assisted corporate ISDN and leased line (128K-T1,T3,SMDS)
customers both through e-mail and over the phone. Specific tasks
included troubleshooting mail packages, router and CSU/DSU
configurations, LAN/WAN security, connectivity issues, subnetting
internal networks and maintaining/troubleshooting DNS zone records for
PSINet customer domains. The role required knowledge of TCP/IP,
familiarity with multiple software and hardware platforms, and solid
network troubleshooting skills.
EDUCATION
_________
May 1992 University at Albany - SUNY
(State University of New York)
Albany, NY USA
B.A. Political Science
Bachelor of Arts, (honors program)
GPA 3.92 (on a 4.0 scale, A+ average)
SUMMARY OF OTHER EXPERIENCE
___________________________
6/88 to 1/91 IBM (contracted through Burns International
Security Services) Montvale, NJ USA
Security Specialist - Provided physical security functions while utilizing
PROFS mail system with a tn3270 client front end.
----
9/86 to 6/88 Rockland Community College
Suffern, NY USA
Computer Laboratory Technician - Installed software and hardware upgrades
on IBM PC's and provided general Helpdesk support to student users
TECHNICAL SKILLS
________________
* Understand all aspects of TCP/IP routing including: RIP ver. 1 and ver. 2,
OSPF, BGP4, IGRP, EIGRP and static routing
* Familiar with BS7799, ISO17799 & SAS 70 security organizational
standards: security policies, firewall log review processes, Web site
privacy policies, change control documents and processes, server &
network documentation, password change processes, education and
implementation
* Can troubleshoot all LAN/WAN issues involving: leased lines (128K - T1,
T3, SMDS), ISDN, Dial-up, SMDS, Frame Relay, Ethernet and Token
Ring
* Have dealt with issues pertaining to the following Internet protocols: FTP,
POP3, IMAP, SSH, HTTP, SNMP, DHCP, DNS and SMTP
* Total grasp of both DNS resolution and delegation
* Familiar with the following Unix tools: sh, Rsync, wget, Ntop (network
top), snoop & tcpdump
* Understand that Internet e-mail (SMTP) is the major Internet application
for most companies, as such I can troubleshoot SMTP issues very well
* Familiar with the following Unix programs: Python, Perl/CGI, Sendmail,
BIND, Apache (HTTP/WAP)
* Familiar with the following routers: Ascend, Compatible Systems,
Netopia, Xedia, Livingston, MorningStar, Rockwell, NT RAS (Steelhead
now RRAS), Proteon and Cisco
* PSINet used Cisco routers on its backbone so have much experience
with the Cisco IOS
* I am familiar with Astrocom, Kentrox, AdTran and Paradyne external
CSU/DSU's and the internal CSU/DSU's inside Cisco (2524), Ascend
P130 and Compatible Systems MicroRouter 1250I and 1270I
* Know Unix variants: Solaris 2.6/7/8, BSDI 3.x, Linux, FreeBSD 2.6
* Can configure TCP/IP on: All Unix variants, Novell 3.11 – 4.x, MS WIN
3.11, WIN95/98 and NT 3.51 – 4.0 (server and workstation)
* Understand NetBEUI and Microsoft networking very well: LMhosts,
WINS, NetBIOS name resolution, PDC/BDC, PPTP, DUN, RRAS, NT
domain issues, WIN95/98 peer-to-peer, MS Exchange, MS Proxy and IIS