Network Security Engineer Resume
Washington, NY
PROFESSIONAL EXPERIENCE:
Network Security Engineer
Confidential, Washington, NY
Responsibilities:
- Lead Engineer for hardware/software migration from legacy Checkpoint Confidential ’s to Checkpoint 4400/4800, version GAIA R77.30
- Familiar with Checkpoint Security Management Servers and Palo Alto Panorama M-100
- Two-Factor Authentication/DUO - configure/test firewall access to AD, internal DUO Auth Proxy and DUO cloud for Palo Alto GlobalProtect and Cisco AnyConnect remote access clients
- Translate connectivity requests/RFCs into security policies for internet, DMZ and internal firewalls
- Configure firewall objects, zones, actions, interfaces, service route interfaces, Policy Based Forwarding/PBR, static routes, NAT, HA/VRRP clusters, active/standby failover, URL filtering, licensing
- IDS/IPS: knowledge of signature/pattern matching, anomaly detection. Palo Alto Security Profiles/Vulnerability Protection and Checkpoint IPS Blade
- Cloud/AWS: participate in configuration of IPSec VPN connection to AWS VPC. Basic understanding of AWS networking concepts: VPC, EC2, Route53
- Perform firewall log analysis/packet captures to resolve connectivity issues via Monitor, Tracker, WebUI/CLI
- Escalate issues to vendor technical support
Confidential
Responsibilities:
- Support explicit proxy mode
- Configure Content Filtering via WebPulse
- Resolve issues using BlueCoat Policy Trace / TMG monitor; familiar with HTTP error codes
- Implement BlueCoat Director for centralized policy management
- Familiar with user authentication via IWA/BCAAA
- Install/update PAC/WPAD files
- Implement Change Controls / RFCs: white-listing / resolve proxy-related issues
- Configure VPM (Visual Policy Manager): Web Access Layer / Web Authentication Layer
- Understand proxy traffic flow from client browser through internal DMZ infrastructure to external content server
Application Delivery Controller
Confidential
Responsibilities:
- Configure Virtual Servers, Services, Monitors, GSLB
- Request/renew certs from CAs and install SSL Certificates terminated on NetScaler
- Perform packet capture via nstrace
- High Availability / Master state
- Understanding of PKI: SSL handshake, encryption
Network Engineer
Confidential
Responsibilities:
- Review application flow to identify inbound/outbound traffic patterns, src/dst hosts and TCP/UDP ports for Market Data and Client DMZ connections. Work with external network groups to establish connectivity via eBGP, EIGRP, RIPv2, static routing; filter subnet advertisements with prefix-lists/distribute-lists. Distribute external networks into core. Configure respective firewall and NAT rulesets on Checkpoint R70.30 firewalls.
- DNS: create A, alias, MX records and master domains on Bluecat Adonis-1000 appliances for external/internet domains. Deploy master-slave policies. Verify updates via server logs, dig @localhost and websites such as kloth.net. Liaise with Demys domain registrar.
- IPSEC Remote Access VPN: support mixture of Checkpoint Local Password and LDAP Authentication VPN clients worldwide using Checkpoint Secure Client. Create VPN access groups, accounts and increase/update subnet pool range.
- Load Balancing: Review Windows/Unix server team requirements to understand traffic flow and configure corresponding load balancing rules. Load balancing method is round-robin, supported by F5 BIG-IP appliances and Cisco 2600 Distributed Director feature set. Configure: Virtual Servers, VIPs, monitor statistics.
- WAN: migrate branch sites from leased-line T1 to Verizon L3 MPLS and IPC L2 MPLS. Establish eBGP peering to VZ PE. Configure L2 sub-interfaces and establish eBGP peering with TP AS for IPC. Apply AS-path prepend route map to VZ routes to achieve desired traffic flow with IPC as the preferred path. Manage branch office cut-overs/application testing with Desktop and Server groups.
- Chapdelaine merger: establish initial connectivity via multi-link T1 circuits to Cisco 2600 at remote site with NAT configs to support overlapping subnets. EIGRP advertising subset of TullettPrebon (TP) global IP routing table filtered via prefix-lists. When Hurricane Sandy forced the closure of Chapdelaine's NYC downtown office, all Chapdelaine users and servers relocated to TP offices and TP IP address space. Assigned TP IPs for Chapdelaine's internal and DMZ servers. Configured Checkpoint firewall/NAT rules to support connectivity to all intranet/internet Chapdelaine servers/applications. Configured/deployed external DNS entries for all Chapdelaine internet services re-assigned to TP IP address space.
- DMVPN: establish DMVPN connectivity to branch sites. Configure/deploy routers, manage internet circuit installation, apply Internet ACL template. Test failover between internet circuit and DMVPN backup if applicable.
Network Implementation Engineer
Confidential
Responsibilities:
- Participated in deployment of DOE’s first LWAPP (Lightweight Access Point Protocol) installation.
- Completed hardware upgrades on (42) Cisco Access Points model AP-1210.
- Assisted in configuration/testing of Wireless LAN Controller model Cisco 4400, configured Cisco Aironet Utility on school laptops, tested 802.1x and PEAP client authentication.
Network Operations Engineer - Level II
Confidential
Responsibilities:
- Verify/"scrub" router/switch configurations for Change Controls implemented by Deployment group. Complete diffs on config files. Update VISIO diagrams. Work with vendors/clients to resolve issues related to recent Change Controls.
- Identify/resolve route configuration issues. Verify route redistribution to core network and to client/vendor using standard "show" commands for RIP, OSPF, BGP. Verify distribute-list filters, prefix-lists, etc.
- Analyze MSFC/Sup logs to determine root cause of OSPF Adjacency, BGP notification and HSRP state-change alarms generated from Spectrum management system. Configure/swap faulty MSFC, Sup and Interface Boards on Cisco 6500: Sup II, III, and 720 - native and hybrid.
- Use Niksun for traffic capture. Troubleshoot application "time-out" issues by identifying RSTs, SYN timeouts, TCP retransmissions, etc. Compare these captures to PIX firewall logs provided by Security Group to determine if problem is firewall or infrastructure/routing issue.
Implementation Engineer
Confidential
Responsibilities:
- Co-ordinate all network issues to support opening of Wellington and Melbourne branch offices:
- Configured routers and switches. Tested WAN with Telstra carrier. Remotely managed installation/testing/cutover. Completed VISIO docs.
- Migrate Metro Data Center core / Scranton, PA and Tokyo call centers from Cat5000 to Cat6509 platform: Configured MSFCs/Sup IIIs using SRM (Single-Router-Mode), High-Availability, HSRP. Configured VLANs, etherchannels, removed secondary IP addressing scheme and Fast-Ethernet sub-interface configs.
- External vendor/client connections:
- Configure/test Cisco extended access-lists to support applications such as FTP, Telnet, Direct-Connect and various TCP/UDP client-server applications. Work with external network groups to determine exchange of routing protocols.
- Installation/testing/cutover of domestic and international WAN circuits:
- Leased-line, frame-relay, ATM, ISDN and managed Ethernet. Speeds: frac/full T1, E1, DS3. Configuration of external and internal CSU/DSUs. Work with carriers such as AT&T, Verizon, Equant.
- Support AS5200 remote access issues for dial-up connections:
- Familiar with PRI cards and 56K firmware upgrades.
Consultant
Confidential
Responsibilities:
- Migrate Teleport and American Standard clients from bridged-to-routed environment.
- Developed IP addressing scheme, configured Cisco routers, completed cutovers.
