Network Engineer Resume
SUMMARY:
- Build / upgrade / maintain CheckPoint Security Management Servers/SMS and gateways in a distributed deployment.
- Implement Change Controls/RFCs: install/push firewall/NAT policies; create objects/rules.
- Problem resolution using SmartDashboard Tracker / fw monitor / tcpdump
- CheckPoint 4800, 4400 Appliances, Nokia IP390’s
- GAIA 77.30, IPSO R75.47, Windows for Security Management Server
- Smart Console: SmartView Dashboard /Monitor/Tracker/Smart Update - Licensing
- Voyager /GAIA WebUI
- HA/VRRP clusters
- NAT static/hide
- Clish/CLI commands
- SIC/cpconfig/configure static routes
- Anti-spoofing topology groups
- Support forward/reverse deployment of Blue Coat SG 600-35 and Microsoft Forefront TMG
- Implement Change Controls / RFCs: white-listing
- Explicit proxy mode
- Round-Robin Load Balancing / Failover Groups
- SSL Interception/Content Filtering via URL path/BlueCoat Web Filter
- BlueCoat Policy Trace / knowledge of HTTP error codes
- User Authentication via IWA/BCAAA
- VPM: Visual Policy Manager: Web Access Layer / Web Authentication Layer
- Understand proxy traffic flow from client browser to external content server: beginning with DNS resolution of proxy VIPs on client, routing through DMZ infrastructure to proxy's WAN/LAN static routes, to firewall proxy-related policies and out to Internet
- Citrix Netscaler 8200 ADC (Application Delivery Controller): understanding of GSLB, SSL offload, SSL certificates, Virtual Servers, Services, Service Groups
- GlobalScape EFT (Enhanced File Transfer) Server: create client accounts; RSA and/or standard passwords, permission account parameters, search logs for problems, knowledge of FTP error codes
- Cisco Secure ACS v5: configure/maintain Authorizations, Permissions, Shell Profiles, etc. Use Monitoring/Report Viewer
- Cisco ASA firewalls to support IPsec VPN with Cisco AnyConnect client, VPN pools, review ASA logs
SKILLS:
Security: Checkpoint R70.30 firewalls, Cisco ACS/TACACS+, MP-BGP, MPLS, BGP, OSPF, EIGRP, RIP
Cisco hardware: 7206VXR, 6500 native/hybrid, 3845, 3600, 2900, 2800, F5 Big IP, Cisco Distributed Director
Traffic Capture/Packet Analysis: Checkpoint SmartView Tracker/Expert Monitor, Wireshark
MAC authentication: Cisco VMPS (VLAN Membership Policy Server)
Monitoring: Solarwinds, Cacti
Documentation: VISIO
PROFESSIONAL EXPERIENCE:
Confidential
Network Engineer
Responsibilities:
- Review application flow to identify inbound/outbound traffic patterns, src/dst hosts and TCP/UDP ports for Market Data and Client DMZ connections.
- Work with external network groups to establish connectivity via eBGP, EIGRP, RIPv2, static routing; filter subnet advertisements with prefix-lists/distribute lists.
- Distribute external networks into core. Configure respective firewall and NAT rulesets on Checkpoint R70.30 firewalls.
- Create A, alias, MX records and master domains on Bluecat Adonis-1000 appliances for external/internet domains.
- Deploy master-slave policies.
- Verify updates via server logs, dig @localhost and websites such as kloth.net. Liaise with Demys domain registrar.
- Support mixture of Checkpoint Local Password and LDAP Authentication VPN clients worldwide using Checkpoint Secure Client.
- Create VPN access groups, accounts and increase/update subnet pool range.
- Review Windows/Unix server team requirements to understand traffic flow and configure corresponding load balancing rules. Load balancing method is round-robin supported by F5 BIG-IP appliances and Cisco 2600 Distributed Director feature set. Configure: Virtual Servers, VIPs, monitor statistics.
- Migrate branch sites from leased-line T1 to Verizon L3 MPLS and IPC L2 MPLS. Establish eBGP peering to VZ PE. Configure L2 sub-interfaces and established eBGP peering with TP AS for IPC. Apply AS-path prepend route map to VZ routes to achieve desired traffic flow with IPC as the preferred path. Manage branch office cut-overs/application testing w/Desktop and Server groups.
- Establish initial connectivity via multi-link T1 circuits to Cisco 2600 at remote site with NAT configs to support overlapping subnets. EIGRP advertising subset of TullettPrebon (TP) global IP routing table filtered via prefix-lists.
- When Hurricane Sandy forced the closure of Confidential NYC downtown office, all Chapdelaine users and servers relocated to TP offices and TP IP address space. Assigned TP IPs for Chapdelaine's internal and DMZ servers.
- Configured Checkpoint firewall/NAT rules to support connectivity to all intranet/internet Chapdelaine servers/applications. Configured/deployed external DNS entries for all Chapdelaine internet services re-assigned to TP IP address space.
- Establish DMVPN connectivity to branch sites. Configure/deploy routers, manage internet circuit installation, apply Internet ACL template. Test failover between internet circuit and DMVPN backup if applicable.
- Establish external/internal connectivity and resolve issues among multiple sites in a multi-protocol environment such as: London server prefix suddenly not advertised in Toronto global routing table.
- Apply static route as a quick break/fix. The Toronto link rides a carrier-provided MPLS pipe that also supports other branch sites.
- Carrier states that we are exceeding their default route max limit of 500 prefixes so some networks are getting dropped. Although Toronto receives only 85 prefixes, this London route is getting dropped because it is one of approx. 525 prefixes filtered on PE ingress interface.
- Resolution: request carrier to increase route limit to 1000 prefixes.
Confidential
Network Implementation Engineer
Responsibilities:
- Participated in deployment of DOE’s first LWAPP (Lightweight Access Point Protocol) installation.
- Completed hardware upgrades on (42) Cisco Access Points model AP-1210.
- Assisted in configuration/testing of Wireless LAN Controller model Cisco 4400, configured Cisco Aironet Utility on school laptops, tested 802.1x and PEAP client authentication.
Confidential
Network Operations Engineer
Responsibilities:
- Verification/"scrub" of router/switch configurations for Change Controls implemented by Deployment group.
- Complete "diffs" on config files.
- Update VISIO diagrams.
- Work with vendors/clients to resolve issues related to recent Change Controls.
- Identify/resolve route configuration issues. Verify route re-distribution to core network and to client/vendor using standard "show" commands for RIP, OSPF, BGP.
- Verify distribute-list filters, prefix lists, etc.
- Analyze MSFC/Sup logs to determine root cause of OSPF adjacency, BGP notification and HSRP state-change alarms generated from Spectrum management system.
- Configure/swap faulty MSFC, Sup and interface boards on Cisco 6500: Sup II, III, and 720 - native and hybrid.
Confidential
Implementation Engineer
Responsibilities:
- Co-ordinate all network issues to support opening of Wellington and Melbourne branch offices:
- Configured routers and switches. Test WAN with Telstra carrier. Remotely managed installation/testing/cutover. Completed VISIO docs.
- Migrate Metro Data Center core / Scranton, PA and Tokyo call centers from Cat5000 to Cat6509 platform:
- Configured MSFCs/Sup IIIs using SRM (Single-Router-Mode), High-Availability, HSRP. Configure VLANs, etherchannels, removed secondary IP addressing scheme and Fast-Ethernet sub-interface configs.
- Configure/test Cisco extended access-lists to support applications such as FTP, Telnet, Direct-Connect and various TCP/UDP client-server applications.
- Work with external network groups to determine exchange of routing protocols.
- Installation/testing/cutover of domestic and international WAN circuits:
- Leased-line, frame-relay, ATM, ISDN and managed Ethernet. Speeds: frac/full T1, E1, DS3. Configuration of external and internal CSU/DSU’s.
- Support AS5200 remote access issues for dial-up connections:
- Familiar with PRI cards and 56K firmware upgrades.
Confidential
Network Operations/Firewall Administrator
Responsibilities:
- Resolve client connectivity issues, missing gateway addresses, incorrect subnet masks, wrapped FDDI rings. Install/configure Cisco routers/switches.
- Transferred to Security/Firewall group and updated IP Filter shareware packet filter with source/destination IP address and TCP/UDP port information.