Technical Accomplishments
Scott Russ
-
Single-handedly designed, built, and maintained the global network access control system (NAC) for over 100,000 endpoints at a time when most large organizations abandoned NAC due to its complexity.
The design incorporated several technical components that were extremely creative for their time (early 2000s).
True layer 2 authentication architecture. Systems were authenticated and placed in appropriate VLANs before they were ever allowed to obtain a layer 3 IP address.
Internal PKI infrastructure issued x.509 machine certificates with unique identifiers in uncommon fields for identification. The fields and identifiers were rotated periodically to prevent stagnation. Certificates could be issued and revoked from a central location, providing better control of authorized endpoints.
Endpoints with both embedded 802.1x supplicants and the ability to use an x.509 certificate for EAP authentication were authenticated in this manner.
Endpoints without 802.1x supplicants were authenticated via mac-auth-bypass mechanisms.
All authentication requests were forwarded from the switch to a RADIUS environment and filtered by rules.
The RADIUS infrastructure queried a back-end inventory management system for profile validation.
The back-end inventory management system (3rd party) was automated and placed endpoints into profiles based on several factors (mac-address, NetFlow data, packet captures from taps, etc.). If the system detected an endpoint acting differently than it was supposed to (e.g., a printer sending SSH requests), it would immediately re-profile the endpoint and send an SNMP command to the switch to bounce the port and force re-authentication. This prevented mac-spoofing issues.
The 3rd party back-end inventory management system was not originally designed for security purposes. In the early 2000s there was no system available on the market designed for this purpose. I identified a small company (Great Bay Software) and contacted them to inquire about a joint venture to redesign their software to accommodate the security needs of a large enterprise (adding network identification data and the ability to trigger SNMP events). They agreed, and we jointly developed the new product.
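The following is an added illustration of the behaviour-based re-profiling loop described above (RADIUS VLAN decision from EAP-TLS or MAC-auth-bypass, inventory profiles, and an SNMP port bounce when an endpoint steps outside its profile). It is not the author's code or Great Bay Software's product; the profile table, the endpoint inventory, the flow records and the switch/port mapping are all constructed here, and the SNMP set is modelled as data rather than sent to a switch.

```python
"""Behaviour-based NAC re-profiling (added illustration; all data constructed)."""
from __future__ import annotations
from dataclasses import dataclass, field

IF_ADMIN_STATUS_OID = "1.3.6.1.2.1.2.2.1.7"  # IF-MIB::ifAdminStatus (1 = up, 2 = down)
QUARANTINE = "quarantine"

# Profile -> access VLAN and the destination ports the endpoint may initiate to.
# None means unrestricted (e.g. a certificate-bearing workstation).
PROFILES = {
    "printer":     {"vlan": 40,  "allowed_dst_ports": {9100, 515, 631}},
    "ip-phone":    {"vlan": 50,  "allowed_dst_ports": {5060, 5061}},
    "workstation": {"vlan": 10,  "allowed_dst_ports": None},
    QUARANTINE:    {"vlan": 999, "allowed_dst_ports": set()},
}


@dataclass
class Endpoint:
    mac: str
    profile: str
    switch: str      # hypothetical switch name
    if_index: int    # ifIndex of the access port on that switch
    has_cert: bool = False


@dataclass
class Flow:
    """One NetFlow-like record: who initiated a connection to what."""
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class Nac:
    inventory: dict[str, Endpoint]
    actions: list[dict] = field(default_factory=list)

    def authorize(self, mac: str, cert_ok: bool = False) -> int:
        """RADIUS decision: return the VLAN the switch should place the port in.
        cert_ok is True when the EAP-TLS exchange validated the machine certificate."""
        ep = self.inventory.get(mac)
        if ep is None:
            return PROFILES[QUARANTINE]["vlan"]   # unknown MAC: never a production VLAN
        if ep.has_cert and not cert_ok:
            return PROFILES[QUARANTINE]["vlan"]   # cert expected but missing/revoked
        return PROFILES[ep.profile]["vlan"]       # EAP-TLS success, or MAB for cert-less devices

    def observe(self, flow: Flow) -> bool:
        """Return True if the flow contradicts the source endpoint's profile."""
        ep = self.inventory.get(flow.src_mac)
        if ep is None:
            return False
        if ep.profile == QUARANTINE:
            return True                           # already isolated, no second bounce
        allowed = PROFILES[ep.profile]["allowed_dst_ports"]
        if allowed is None or flow.dst_port in allowed:
            return False
        self._reprofile(ep, flow)
        return True

    def _reprofile(self, ep: Endpoint, flow: Flow) -> None:
        old = ep.profile
        ep.profile = QUARANTINE
        # Modelled SNMP set: ifAdminStatus down then up on the access port, which
        # forces the supplicant / MAB exchange to re-run against the new profile.
        oid = f"{IF_ADMIN_STATUS_OID}.{ep.if_index}"
        self.actions.append({
            "mac": ep.mac, "from": old, "to": QUARANTINE,
            "reason": f"{flow.proto}/{flow.dst_port} to {flow.dst_ip}",
            "snmp": [(ep.switch, oid, 2), (ep.switch, oid, 1)],
        })


def run_demo() -> tuple[Nac, list[bool]]:
    """Constructed inventory and flows: a printer whose MAC starts opening SSH."""
    nac = Nac({
        "00:11:22:aa:bb:01": Endpoint("00:11:22:aa:bb:01", "printer", "sw-bldg1-01", 7),
        "00:11:22:aa:bb:02": Endpoint("00:11:22:aa:bb:02", "workstation", "sw-bldg1-01", 8,
                                      has_cert=True),
    })
    flows = [
        Flow("00:11:22:aa:bb:01", "10.1.1.50", 9100, "tcp"),  # printer: raw print, normal
        Flow("00:11:22:aa:bb:02", "10.1.1.60", 22, "tcp"),    # workstation: unrestricted
        Flow("00:11:22:aa:bb:01", "10.1.1.60", 22, "tcp"),    # "printer" initiating SSH
    ]
    flagged = [nac.observe(f) for f in flows]
    return nac, flagged


if __name__ == "__main__":
    nac, flagged = run_demo()
    print(flagged, nac.actions)
```

The check is deliberately one-sided: only connections the endpoint initiates are compared against its profile, because that is the signal a spoofed MAC cannot avoid producing, and the port bounce (rather than a silent VLAN change) guarantees the device has to re-authenticate under the new profile.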
-
Designed a co-location environment to continually stream Reuters stock data from exchanges to customer-facing brokers as quickly as possible for timely trades. The design included the use of multi-cast streaming technology and QoS network prioritization rules.
-
Designed and built core data center routing systems capable of withstanding multiple failures across geographically diverse locations. Designs incorporated many different technology concepts including:
o Complex spanning-tree and VTP configurations
o Multiple routing protocols (EIGRP, BGP, OSPF) depending on location or function.
o Multiple load-balancing techniques and configurations.
Load balancer modules built into hardware:
• Weighted round-robin.
• Least connection.
• Resource based (adaptive).
DNS load balancing with sophisticated health checks:
• Flag file values.
• Specific query-return URLs.
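The load-balancing techniques listed above, as an added example that is not the author's configuration: a small pool that selects a backend by weighted round-robin, least connection, or an adaptive load score, and a health check that reads a flag-file value so that a backend in maintenance is excluded from every scheduler. Backend names, weights, connection counts, load values and flag-file contents are all constructed.

```python
"""Backend selection schedulers with a flag-file health check (added example)."""
from __future__ import annotations
from dataclasses import dataclass
import itertools


@dataclass
class Backend:
    name: str
    weight: int = 1
    active_conns: int = 0
    load: float = 0.0        # resource score reported by the host, 0.0 (idle) to 1.0 (saturated)
    healthy: bool = True


class Pool:
    def __init__(self, backends: list[Backend]):
        self.backends = list(backends)
        # Weighted round-robin: expand each backend by its weight and cycle the list.
        self._rr_cycle = itertools.cycle(
            [b for b in self.backends for _ in range(max(b.weight, 1))]
        )
        self._rr_len = sum(max(b.weight, 1) for b in self.backends)

    def _healthy(self) -> list[Backend]:
        live = [b for b in self.backends if b.healthy]
        if not live:
            raise RuntimeError("no healthy backends")
        return live

    def weighted_round_robin(self) -> Backend:
        self._healthy()
        # Skip unhealthy slots; at most one full cycle before giving up.
        for _ in range(self._rr_len):
            candidate = next(self._rr_cycle)
            if candidate.healthy:
                return candidate
        raise RuntimeError("no healthy backends")

    def least_connection(self) -> Backend:
        return min(self._healthy(), key=lambda b: b.active_conns)

    def adaptive(self) -> Backend:
        return min(self._healthy(), key=lambda b: b.load)

    def apply_health_check(self, flag_values: dict[str, str]) -> list[str]:
        """Flag-file style check: a backend is healthy only if its flag reads OK.
        A missing flag counts as unhealthy. Returns the names taken out of service."""
        removed = []
        for b in self.backends:
            b.healthy = flag_values.get(b.name, "").strip().upper() == "OK"
            if not b.healthy:
                removed.append(b.name)
        return removed


def run_demo() -> dict:
    pool = Pool([
        Backend("web1", weight=3, active_conns=5, load=0.20),
        Backend("web2", weight=1, active_conns=2, load=0.90),
    ])
    result = {
        "wrr": [pool.weighted_round_robin().name for _ in range(4)],
        "least_conn": pool.least_connection().name,
        "adaptive": pool.adaptive().name,
    }
    # Constructed flag-file contents: web2 is flagged for maintenance.
    result["removed"] = pool.apply_health_check({"web1": "OK", "web2": "MAINT"})
    result["wrr_after"] = [pool.weighted_round_robin().name for _ in range(4)]
    result["least_conn_after"] = pool.least_connection().name
    return result


if __name__ == "__main__":
    print(run_demo())
```

Treating a missing or non-OK flag as unhealthy is the safe default: a health-check failure should always fail closed so that traffic never lands on a backend whose state is unknown.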
-
Designed and built sophisticated web proxy environment for local, remote, and guest users.
o Integrated 802.1x authentication results to determine path based on VLAN placement.
o Implemented GRE tunnels for environments that needed additional internal security on web connections.
o Synchronization of corporate rules to external proxy for remote users.
o Configuration of remote user proxy determination based on geographic location.
-
Designed and built multi-tenant VPN head-end infrastructure used for B2B connections, remote employees, temporary contract workers, and remote support. Environment included:
o Support for multiple remote encryption methods.
o Support for multiple remote routing protocols.
o Isolation of traffic between environments.
-
RSA Security Analytics (Netwitness) SIEM custom configuration.
o Configuration of custom log parsers in log decoder hardware for unique customer environments.
o Complex rule creation via the Event Stream Analysis module for SIEM alerts.
o Configuration of Malware Analytics module including integration into customer sandbox environments.
-
RSA ECAT endpoint threat detection customer setup.
o Custom threat intelligence feed configuration.
o External component setup per customer requirements (SYSLOG, SMTP, SA integration, etc.).
-
• Set up forward-deployed air defense communications systems for Marine Air Support Squadrons worldwide.
• Troubleshot and repaired UHF radio communications issues in high-pressure, life-threatening situations.
• Troubleshot and repaired issues with cryptographic ciphers and frequency hopping SINCGARS (Single Channel Ground and Airborne Radio Systems) technology.