Mr. Eric Stewart
PROFILE
Mr. Stewart is a senior level Network Security Specialist and Cisco Subject Matter Expert with
25+ years in the IT industry including 13 years in IT Security. He currently is a top ranked Cisco
Certified Systems Instructor (CCSI) in Global Knowledge (Canada) and also with Fastlane
Education where he delivers advanced technical courses in the areas of IT Security analysis,
design and implementation. He holds certifications as a CCNA (Cisco Certified Network
Architect) for Security and CCSP (Cisco Certified Security Professional). His most recent
experience is heavily focused on integration of Cisco technologies within security solutions. He
has had specific experience in designing and implementing SSL VPN solutions in conjunction
with Cisco ASA 5500-X UTM firewall appliances and Next Generation Firewalls, Sourcefire and
Cisco FirePOWER services.
Mr. Stewart has appeared on national TV on several occasions in recent months, most recently
with Global National where he was asked to use his IT security expertise to comment on recent
(and successful) cyber-attacks on Canadian Federal Government departments as well as the
hijacking of a national political party’s website. He also contributed to a documentary piece on
wireless network security and the ease of eavesdropping on users of wireless hotspots. His
commentary has also appeared in print media, specifically in newspapers owned by Post Media.
In Sep of 2010, Mr. Stewart was a guest speaker at the DND ISSO Conference at the
Conference Centre in Ottawa where he shared a presentation on enterprise network security.
Relevant and noteworthy experience includes:
- Design and implementation of security architectures including IDSs, VPNs, firewalls and content filters (CheckPoint Firewall-1, Cisco PIX and ASA security appliances and 3000 series VPN Concentrators; Cisco and Sourcefire IDS/IPS servers, SSM modules and various protocol analyzers).
- Design and implementation of security architectures including hands-on installation and support of SSH client/server, HTTPS on Apache web server, Certificate Authorities and AAA servers using respectively MS CA and Cisco ACS 3.x and 4.x with RADIUS and LDAP integration.
- VPNs secured between CheckPoint and Cisco PIX and ASA security appliances using IPsec/IKE and between MS RAS servers and clients using MS PPTP (Point-to-Point Tunneling Protocol) and L2TP.
- Delivery of workshops on Cisco’s security blueprint, “SAFE”, and Self-Defending Network, and on vulnerability and Threat Risk Assessments using a variety of tools including nmap, Nessus, etc.
- Extensive hands-on experience teaching the building of multi-platform workstation and switch/router TCP/IP networks, both enterprise and backbone.
- Firm grounding in TCP/IP applications (SMTP, DNS, FTP, Telnet, etc.) as well as IP routing protocols such as RIP, OSPF, BGP, IGRP and EIGRP and WAN technologies such as MPLS.
- Taught Cisco CCNA, CCSP, CCNP and CCIE advanced curriculum as well as non-vendor Wireless Security (WPA, 802.11i, 802.1x, LEAP, PEAP, WEP and site survey tools).
- Thorough and fundamental knowledge of the cryptographic concepts and systems behind many modern implementations of encryption technology including IPsec VPNs, S-HTTP, SSH and S/MIME and their component ciphers and cryptosystems.
- Extensive hands-on and lab-based experience implementing secure architectures using intrusion detection/protection systems and firewalls in a comprehensive network design.
- Extensive experience with PKI/LDAP and X.509 integration with remote access client authentication using digital certificates and extended authentication in Active Directory with Cisco PIX and ASA firewalls as well as IOS devices including routers and switches.
- Subject matter expert and presenter on network hardening principles, not only in Cisco but in heterogeneous networks.
- Noted speaker, author and instructor on network security policies, vulnerability and threat risk assessments and attack methodologies.
- Taught and implemented labs where firewall policies, ACLs, Stateful Packet Inspection and UTM principles and operation are demonstrated.
- Authored an exam preparation guide for Cisco’s new CCNA Security certification for Cisco Press. This book is currently on store shelves and also online.
- Recent and practical knowledge of Cisco ISE (Identity Services Engine), Wireless LAN controllers and the BYOD framework.
PROJECT HISTORY
Project 1
Bell Canada
Senior IT Security Design Specialist, Networking
Jan 2012 – Present
(47 months)
Project Description:
Mr. Stewart worked as a Senior IT Security Design Specialist specializing in networking for the
Cisco IronPort component of the Email Transformation Initiative (ETI) project at Bell. When this
project is complete, all Government of Canada departments and agencies will have transitioned
to a single, converged, and modern email system. Mr. Stewart’s involvement includes regular
policy meetings and design reviews both with internal Bell Canada stakeholders (including
senior management) as well as Shared Services Canada (SSC) stakeholders. At the same time
as the network was designed, implemented and configured, Mr. Stewart has engaged in
information transfer, coaching and formalized training of Security Operations Centre personnel
at Bell. He shepherded the SOC team through detailed testing and sign-off of the production
network and his network component was the first past the post for sign-off with the Crown.
Here are some highlights of Mr. Stewart’s design: ETI is spread across two Government of
Canada data centres and two Bell Canada data centres. The Cisco IronPort virtual Email
Security Appliances (vESAs) provide the anti-spam, anti-virus, malware, URL filtering and
reputation filtering core for all inbound and outbound email and are deployed in the GoC data
centres. These email firewalls send real-time data and other telemetry for capacity, network
metric and performance analysis, reporting, tracking and quarantining. This real-time data and
telemetry is collected and correlated on tools such as Cisco IronPort Security Management
Appliances (SMAs) as well as ArcSight and SMARTS SNMP console in the Bell data centres.
The network is fully resilient against failure, providing both inter-DC HA between the two
government data centres as well as hot-standby capabilities between the primary and
secondary Bell data centres.
The network design required much integration and configuration of both Bell and GoC firewalls,
load-balancers, switches and routers. Mr. Stewart provided configuration guidance as well as
security policy input for all of these devices as well as for the team which provisioned the
hypervisors which hosted the virtualized ESAs.
Mr. Stewart was deeply involved and hands-on in this complex network’s implementation,
configuring all of the ESAs and SMAs himself as well as leading all the subsequent
troubleshooting, tuning and policy updates on the devices as well as knowledge transfer to Bell
SOC personnel.
Mr. Stewart worked closely with the reporting team to develop reporting metrics both for Key
Performance Indicators (KPIs) and Service Level Targets (SLTs) for the purpose of both
capacity planning and forecasting (KPIs) and compliance (SLTs) with the Crown.
Corporate Security and Facility Services of the Bank of Canada (w/ Juno Risk LLC)
- Mr. Stewart was part of a team which conducted a thorough review of the Bank’s virtualized data centre network infrastructure which culminated in a detailed gap analysis as well as specific recommendations as to how these security gaps may be closed.
- Utilized Cisco and other vendors’ best practices as well as ITSG-22 in order to install and configure the Cisco ASA firewalls, virtual contexts, Nexus switches, routers, VPN, and Cisco VDC (Virtual Data Center) architecture and TrustSec that are employed in Bank of Canada’s highly virtualized architecture for the Corporate Security and Facility Services project.
- Subsequently, Mr. Stewart was asked back to map out and document all network segments operated by BoC with an eye to mapping the network security policy to a zone based security architecture more closely aligned with industry best practices.
University of Ottawa and International Joint Commission (w/ Bell Canada)
- Mr. Stewart reviewed uOttawa’s network security architecture and implemented two Cisco Firewall Services Modules (FWSMs) in an Active/Standby Failover configuration at the Internet perimeter. As part of the effort he rationalized and simplified the rule set logic of a cutover from the pre-existing DrawBridge firewall to the new firewall architecture.
- At the IJC, installed, configured, and integrated VPNs, routers, switches, firewalls as well as an A/S Failover Cisco ASA pair supporting both gate-to-gate and client-to-gate VPN functionality using respectively IPsec and Cisco AnyConnect Secure Mobility Client solutions. Subsequently scaled the solution by adding remote access by Cisco VoIP phones via AnyConnect and integrating with Cisco UCS at the client headend in Ottawa, Windsor and Washington DC.
- Designed the International Joint Commission (IJC) secure network using VPNs and NIDS in order to implement a full-mesh site-to-site IPsec VPN between headquarters and satellite offices on Cisco ASA firewalls. Also designed and implemented a remote access AnyConnect VPN solution tied back to Active Directory for authentication, both for remote users and in support of the Cisco UCS VoIP solution. Worked with both circuit-switched PSTN T1 trunk backup and primary VPN transport for VoIP at all sites connecting back to the central VoIP server.
- Mr. Stewart wrote a new design which, when implemented, will modernize the IJC network to include a site-to-site Dynamic Multipoint VPN (DMVPN) using newly purchased Cisco IOS routers at the main and satellite offices of IJC as well as a migration to full application visibility and control (AVC) through managed Sourcefire IPS instances in new Cisco ASA 5525-X Security Appliances at all sites. The new solution will also allow the client to correlate intrusion events and indications of compromise (IoC) across all sites as well as to report on and protect from malware through telemetry to the Cisco AMP cloud using FireSIGHT Management Center.
Corporate Security and Facility Services of the Bank of Canada (w/ Juno Risk LLC)
- Mr. Stewart did a thorough analysis of the newly implemented virtual data centre (VDC) architecture and identified gaps in the security architecture when measured against Bank policy. He also made specific recommendations on how these gaps might be closed as well as the risk associated with the gaps.
Ottawa Hospital (w/ Bell Canada)
- Mr. Stewart re-configured and optimized the Ottawa Hospital’s NIDS implementation of Cisco IPS 4360 devices. These IPS devices monitor and collect network metrics for both the internal knowledge workers’ group and guest users’ group within the hospital. Traffic is monitored inline on both the Internet uplink as well as the link to eHealth, which is Ontario’s online electronic patient database repository. Data is correlated and reported in ArcSight at Bell’s commercial SOC and monthly metrics are reported back to the client; these metrics include network utilization by group as well as a break-down of the taxonomy of intrusion attempts and IPS actions (where applicable).
Project 2
Marine Atlantic
Senior IT Security Design Specialist, Networking
Apr 2011 – Aug 2011
(5 months)
Project Description:
Mr. Stewart provided hands-on design, configuration and implementation services in support of
a 5-phase network security architecture renewal at Marine Atlantic in Port-Aux-Basques
Newfoundland. The project started with an architecture review, followed by specific
recommendations for the acquisition of new technology to replace outdated equipment. The
technology was acquired by the customer, and subsequently was implemented by Mr. Stewart
per the five phases outlined below:
Tasks Performed:
- Phase 1: Designed and implemented a Cisco ASA 5585-X SSP-20 security appliance/firewall to replace the existing Cisco PIX 525. This phase also involved the configuration of a Cisco WebVPN thin-client SSL VPN portal for clientless SSL VPN access as well as the full-client Cisco AnyConnect Secure Mobility Client client-based SSL VPN solution (client-to-gate) to support IT staff and teleworkers. Authentication was integrated with an existing Active Directory for role-based access control (RBAC). Recommendations were made for proper zone-based network security policies per CSE ITSG-22 and ITSG-38.
- Phase 2: Designed and implemented a Cisco 4255 IDS appliance to detect and prevent network-based attacks from both outside of Marine Atlantic’s network as well as attacks originating on the inside from users (including crew and passengers) on docked ferries.
- Phase 3: Designed and implemented a Cisco IronPort C370 cluster of two IronPort Email Security Appliances (ESAs) to provide anti-spam, anti-malware, and reputation-based scanning and detailed reports of all inbound/outbound email traffic to/from Marine Atlantic’s mail servers.
- Phase 4: Designed and implemented a pair of Cisco IronPort S160 Web Security Appliances (WSAs) to provide for reputation-based scanning and content filtering as well as detailed reports of all outbound web traffic from Marine Atlantic’s fixed facilities and ferry boats.
- Phase 5: Designed, implemented and integrated Tenable Security’s Security Center 4.2 SIEM (Security Intrusion and Event Monitoring) solution to provide for real-time monitoring, analysis and reporting of security events based on correlated information from all of Marine Atlantic’s network devices (IDS/IPS, firewalls, switches, VPN endpoints, WSAs, ESAs, etc.).
Project 3
Department of National Defence (DND)
Senior IT Security Design Specialist, Networking
Sep 2010 – Present
(63 months)
Project Description:
Mr. Stewart designed and then conducted a test plan to choose between Fortinet Fortigate UTM
device and Cisco ASA 5500 series solutions in support of a SSL VPN remote access VPN
portal for the Enclave Convergence Initiative (ECI).
Subsequently he designed and implemented a Cisco SSL VPN remote access (client-to-gate)
VPN Web portal in support of the Classified Restricted Zone (CRZ). CRZ is a high profile project
whose Q1 2013 implementation resulted in the consolidation of disparate networks into a
SECRET/CANUS zone protected by two clustered Cisco ASA 5585-X UTM firewall / SSL VPN
servers and using common services such as email and file share repositories. The
design/implementation required in-depth knowledge of both CLI and ASDM. Users within the
existing DND Operations Zone (OZ) called CSNI are able to connect to the VPN cluster where
they are authenticated and their workstations’ security posture assessed for access to CRZ
services. Features (and technology used) of the solution include:
Tasks Performed:
- Integration with existing Entrust enterprise PKI solution including authentication using device X.509 identity certificates.
- Cisco Secure Desktop pre- and post-login posture assessment.
- Installed, implemented, and configured two Cisco ASA 5585-X SSP-20 UTM firewall / VPN gateways in a cluster in order to achieve load-balancing and high-availability for the Classified Restricted Zone (CRZ) part of the Classified Secret Network Infrastructure (CSNI) in DND’s WAN. This solution provides secure head-end IPsec and SSL VPN and firewall services to access SECRET/CEO data from desktops in CSNI.
- Configured remote switchport analysis (RSPAN) in the underlying layer 2 LAN infrastructure to support the NetWitness network tap which analyzes network utilization metrics and user traffic within the CRZ.
- Developed and designed secure networks such as the WebVPN (thin) and AnyConnect Secure Mobility Client (thick) SSL remote access VPN solution (client-to-gate) using technologies such as MPLS, VPNs, and NIDS.
- Designed, configured, and installed a secure network and a gate-to-gate (site-to-site) IPsec VPN between the clustered ASAs and an IEG (Internet Exchange Gateway) to support SMTP email from the RZ MS Exchange 2010 server into the DND OZ. Recently this solution has been extended to include web proxy, monitoring and network metric collection services at the IEG using a McAfee web proxy for the use of CRZ desktops. This also involved integration and optimization across TACLANEs.
- Design of a high-availability layer 3 routed switch stack solution in the CRZ which provides for intra-chassis redundancy and routing offload for all intra-CRZ traffic such as vMotion, management protocols and backup jobs. Technologies include both Cisco Nexus switches and Cisco Catalyst switches.
- Two- and one-factor authentication options leveraging SmartCard technology and integrating with Active Directory (AD) services in the CRZ.
- Installed and configured IEEE 802.1Q VLAN trunks to core switch services in the CRZ providing for logical separation of management, data and control plane traffic.
- Extensive documentation of all implemented and tested technology per DND engineering process documentation standards including: System Design Specifications; V&V Plans; System Interface Requirements; Test Plans; and Proofs of Concept.
- Documented adherence to GSP, ITSG-22, ITSG-38 and Cisco best practices as contained in Cisco’s “Self-Defending Network”.
- Designed, configured, and implemented a remote access (client-to-gate) Cisco IPsec VPN for OZ management users into the RZ, authenticating from a RADIUS server integrated with the RZ AD.
- Designed and implemented a Cisco DMVPN solution integrated with Cisco’s GETVPN technology on top of DND’s CSNI and DWAN network and supporting client connectivity on top of TACLANE Type 1 cryptographic devices.
Project 4
Office of the Information Commissioner of Canada (OIC)
Network Security Analyst / Architect
Nov 2009 – Jan 2010
(3 months)
Project Description:
Mr. Stewart conducted IT Security analysis including a Threat Risk Assessment (TRA) of OIC IT
infrastructure which included a review and gap analysis of present OIC security policy, Business
Continuity Plans and Disaster Recovery Plan.
Tasks Performed:
- The report resulted in a technical strategy for remediation to ensure that the residual risk was acceptable to responsible stakeholders.
- Gaps were measured against Government Security Policy (GSP) as well as Cisco’s Self-Defending Network (SDN) and used metrics and zoning recommendations contained in CSE’s ITSG-22 and ITSG-38.
- The technology involved in this work was: Cisco IOS routers, Fortinet Fortigate 300-A (UTM) with remote access SSL VPN client connectivity, and Zywall-70 firewall.
- OIC’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks.
- OIC used Cisco 800-series ISR routers and Catalyst 2950 and 2960 series switches.
- The OIC’s Intranet used Microsoft Active Directory for user login. AD was used to store users’ credentials and other attributes in an X.509 compliant directory.
- ZyWall and Fortinet firewall UTM appliances were used, with a signature-based intrusion detection system configured on a hardware module on the ZyWall firewall.
- Nessus, Nmap and Wireshark were used to assess the network’s vulnerability to common technical threats targeted on information assets and network integrity.
- Nmap Scripting Engine (NSE) shell scripting was used to scan for vulnerable network services, as was Tenable Nessus.
Project 5
Public Health Agency Canada (PHAC)
Senior Network Security Analyst
Apr 2009 – Oct 2009
(7 months)
Project Description:
Mr. Stewart performed security gap analysis on an as-built application hosting environment
called PHACNET. Subsequently, Mr. Stewart:
Tasks Performed:
- Developed new network architecture and installed and configured Cisco IDSM-2 IPS modules in 6 Cisco Catalyst 6509 core switches in both Winnipeg and Ottawa, configured CS-MARS SIEM solution integration with existing network devices and designed and configured the management network including integration with RSA Authentication Server central AAA solution.
- Created thorough documentation of as-built as well as reconfigured network while comparing against CSE/RCMP and vendor best practices statements as well as GSP; this was implemented in a heterogeneous network of Nortel Contivity IPsec VPN gateways (configured gate-to-gate in Secure Channel), Cisco / Check Point / RSA / Sourcefire / Symantec and Websense devices as well as other vendors.
- Implemented Cisco IDSM-2 intrusion detection modules in core switches and configured security policies and clustering on PHAC’s Checkpoint firewalls. Also implemented Sourcefire IDS appliances in several security zones.
- Implemented/integrated access to Nortel Contivity 1760 gateways (to PWGSC Secure Channel) which used FIPS-compliant IPsec encryption for a gate-to-gate VPN.
- Installed, configured and trained IT staff on Cisco Security Manager (CSM) version 4.
- PHAC’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks.
- AD was used to store users’ credentials and other attributes in an X.509 compliant directory.
- AD was used with RSA Authentication Server to authenticate administrators of network devices on an internal AAA server.
- PHAC used redundant (intra-chassis) Cisco 7200-series supervisor modules in their core 6509 switches for Intranet/Internet access.
- ISP-managed Cisco 2800-series ISR routers were used for Secure Channel access and Cisco Catalyst 3750 (discrete and stacked) and Cisco 6509 series switches were used in the access and core layers respectively.
Project 6
NAV Canada
Senior Network Security Engineer
Nov 2008 – Nov 2009
(13 months)
Tasks Performed:
- Mr. Stewart assessed the network from both an architecture and a configuration (technical) standpoint for its vulnerability against inside and outside threats.
- Evaluated software and installed upgrades to CiscoWorks LMS and the CSACS 1113 Solution Engine.
- Compiled and installed RADIUS integration from Sun Solaris OS devices to the Cisco CSACS server.
- Documented the architecture of the Perimeter Security Network (PSN) and performed a security impact analysis of network changes.
- Implemented and configured Nortel Contivity IPsec and Alteon client-to-gate SSL VPN gateways for authentication to CSACS.
- Cisco’s Security MARS, CSACS and CSM products as well as an internal syslog server were installed to report and do trend analysis of network-based attacks.
- NAVCAN’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks.
- HTTPS was also used for both thin- and thick-client SSL VPN access to the NAVCAN HQ network on Nortel Alteon switches.
- NAVCAN used a combination of Top Layer and Snort IDS. Perimeter firewall services were provided by two Checkpoint NG-X clusters: one internal and another external.
- Nortel Contivity 1760 gateways (to PWGSC Secure Channel) used FIPS-compliant IPsec encryption gate-to-gate. AD was used to store users’ credentials and other attributes in an X.509 compliant directory.
- NAVCAN used Cisco 2800-series ISR routers (for Secure Channel access) and Catalyst 2960 and 3750 (stacked) and 6513 series switches.
Project 7
Loyalist College
Senior Network Security Architect
Dec 2008 – Dec 2008
(1 month)
Project Description:
Mr. Stewart performed an IT Security analysis of the existing infrastructure, then re-engineered, evaluated, configured, integrated and implemented an overhaul of Loyalist’s entire switched campus infrastructure, completing it on time and on budget in Dec 2008. Loyalist’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks.
Tasks Performed:
- Consulted and provided advice on the specification of equipment to purchase in support of the procurement of over $250,000 of new Cisco equipment.
- Implemented a Catalyst 6509 core switch and a FWSM firewall module and new Gigabit Ethernet switches in the core and edge of the campus network.
- Configured contexts (virtual firewalls) between different VLANs. Established separate VLANs for security zone architecture to support Cisco Aironet 802.11 b/g/n autonomous AP implementation in public zones throughout Loyalist campus.
- Evaluated multiple vendor solutions for best fit.
- Loyalist College has 15,000 users, comprising both day and night division students as well as faculty.
- IPsec was used for remote access Cisco hardware client-based VPN access (client-to-gate) from several remote sites to the campus Cisco 3030 VPN Concentrator.
- Loyalist used a Cisco 7200-series supervisor module for Intranet/Internet routing and Catalyst 2950 and 2960 switches (access layer) and a 6509 series core switch.
Project 8
Bank of Canada
Senior Cisco Network Security Analyst
Jul 2008 – Sep 2008
(3 months)
Project Description:
Mr. Stewart performed an IT Security analysis (including a design and architecture review) of
the High Availability Deployment Project (HADP); the analysis involved a thorough IT security
review of the network design and implementation plan, prior to the implementation phase. The
analysis determined the network security posture as well as adherence with GC policies and
standards. HADP is a highly virtualized protected “B”-certified network accessible over the
Internet by the Bank’s partner financial institutions.
Tasks Performed:
- The IT Security review included all components of the network including: Catalyst 6509 switches, ACS 1113 solution engines, IDS 4255 appliances, VRFs, Security Contexts on FWSM, ASA 5500 series security appliances, Cisco Security Manager (CSM) and Cisco Secure Monitoring Analysis and Reporting System (MARS) and the remote-access (client-to-gate) AnyConnect SSL VPN solution. The assessment required in-depth knowledge of both CLI and ASDM.
- BoC’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks.
- PKI is used to issue identity certificates to devices and users and to perform message encryption and signing using X.509 certificates and S/MIME. Evaluated a Cisco AnyConnect ASA SSL VPN solution.
- BoC used Cisco FWSMs (firewall services modules) in core switches and configured contexts (virtual firewalls) between different VLANs. Cisco IDSM-2 modules were used and deployed as multiple virtual sensors between different VLANs.
- BoC used redundant (intra-chassis) Cisco 7200-series supervisor modules in their core 6513 switches for Intranet/Internet access. ISP-managed Cisco 2800-series ISR routers were used for Secure Channel access and Cisco Catalyst 29xx and Cisco 6513 series switches were used in the access and core layers respectively.
- Nmap Scripting Engine (NSE) shell scripting was used to scan for vulnerable network services, as was Tenable Nessus. Reports were exported into .csv format for importing into spreadsheets and other software.
- Cisco Security MARS and Cisco CSM were configured to manage devices via SNMP and NetFlow.
Project 9
Cisco Systems Inc
Press Author, CCNA Security Certification Guide
Apr 2008 – Oct 2008
(7 months)
Project Description:
Mr. Stewart authored an exam preparation guide for Cisco’s new CCNA Security certification for
Cisco Press. This book is currently on store shelves and also online. Book title is CCNA
Security Exam Cram, ISBN 0789738007.
This book provides a very comprehensive analysis and practical guidelines, and discusses the
following areas in-depth:
- SSH and IPsec operation as well as network hardening and security using S-HTTP and S/MIME signatures for non-repudiation and origin authentication for messaging security.
- ASA AnyConnect SSL VPN solutions, both thin and thick clients.
- Principles of TCP/IP operation, securing and encryption as well as zone-based security architecture are discussed in the book, including well-known protocols such as UDP, DNS, SMTP and SNMP version 3 for secure reporting.
- IDS/IPS systems in general as well as specific examples in Cisco’s product line including IOS IPS, hardware-based IDS/IPS modules for ASA security appliances, 6500-series switches and modular IOS routers.
- Insecure network protocols such as HTTP, FTP, and Telnet and their specific vulnerabilities in the context of MITM attacks. The book discusses network security principles for routers, switches, firewalls and other network devices.
- Describes and discusses the “bastion” process for network device and server hardening as well as means to secure routers using Cisco AutoSecure and one-step lockdown CLI tools.
- Presents an extensive survey of threats against the network infrastructure as well as safeguarding and classifying IT assets and information. Technical threats and network remediation are discussed in the context of best practices and over-arching security principles.
- Cisco’s System Development Life Cycle approach, Self-Defending Network (SDN) and SAFE blueprint as well as industry best practices for implementing protocol, password and hardware and software security are discussed in depth in the book.
- Firewall policies, ACLs, Stateful Packet Inspection and UTM principles and operation are explained.
Project 10
Canadian Air Transport Security Authority (CATSA)
Senior Network Security Architect
Jan 2008 – May 2008
(5 months)
Project Description:
Mr. Stewart provided IT security analysis including expert oversight and technical assistance for
the design, implementation and integration of a gate-to-gate IPsec VPN Protected B secure
architecture utilizing Cisco ASA 5520 UTM appliances on the Protected A, Canada-wide CATSA
intranet.
Tasks Performed:
- Evaluated, procured and then implemented a secure reporting and event management system (Tenable Security Center) to ensure public sector MITS and GSP compliance.
- Implemented Cisco ASA Security Appliances into the existing network. The network comprised Nortel ERS, Tipping Point IDS/IPS appliances, McAfee (ePolicy Orchestrator) servers, Secure Computing WebWasher and Cisco PIX firewalls in Class 1 and Class 2 airport facilities.
- Part of the project included the establishment of CATSA intranet OSPF areas using the PWGSC TELUS IP/MPLS core as the backbone area.
- Configured and implemented 2-factor authentication using RSA SecurID smart card token technology for the Cisco IPsec remote access (client-to-gate) VPN client solution (used CA and X.509). FIPS compliance was required for CATSA’s Cisco IPsec VPN client solution.
- IPsec VPNs were designed and implemented for Protected B “islands” to transmit classified data in gate-to-gate VPNs over CATSA’s Protected A intranet.
- SNMP reporting, syslog, and NetFlow with Tenable Network Security’s “Security Center” SIEM product were evaluated against Cisco Security MARS.
- CATSA’s Tipping Point IDS/IPS appliances were evaluated, as were Cisco PIX firewalls at the Internet perimeter in both HQ and satellite sites.
- CATSA’s network used TCP/IP for transport both in their intranet as well as for connection to the Internet. DNS name resolution was configured on an internal server to resolve both internal and external domains.
- SMTP was used for inbound and outbound email from a DMZ to and from the Internet.
- CATSA used Cisco 2800-series ISR routers (for Secure Channel access) and Catalyst 2960 and 3750 (stacked) and 6513 series switches.
Project 11
Francis Fuel and Freightliner of Ottawa
Senior Security Consultant
Nov 2007 – Dec 2007
(2 months)
Project Description:
Mr. Stewart evaluated an as-built security architecture and subsequently
implemented/integrated a secure network of Cisco ASA firewalls (UTM devices) at 3 separate
sites connected with a dedicated full-mesh T1 WAN.
Tasks Performed:
- Presented option analysis for technology integration.
- Decommissioned Cisco ASA firewalls in a full-mesh IPsec VPN solution between three sites; created network security policies and architecture to support the secure transmission of VoIP between satellite offices and headquarters.
- Integrated a secure Bell-supplied VoIP solution between the remote sites and a central office which uses a Nortel BCM 4000 solution and Nortel VoIP phones integrated into a Layer 3 Cisco Catalyst switch backbone.
- Executed a penetration test of the solution's security, including an internal AS/400 mainframe, Lotus Notes and Domino Mail Server and BlackBerry Enterprise Server (BES).
- Designed, implemented/installed and configured a Cisco ASA 5505 remote access (client-to-gate) SSL VPN solution using both the ASDM (Adaptive Security Device Manager) and the command line interface (CLI).
- Integrated a Cisco AnyConnect client-to-gate SSL VPN client solution to HQ, and a client-to-gate Cisco IPsec VPN client solution for teleworkers and sales staff.
- Basic threat detection was configured on the Cisco ASA 5505 firewalls, as well as access lists on a Cisco 3620 IOS router.
- Implemented an 802.11n wireless network in a separate VLAN at a satellite office using a Cisco Aironet captive access point on a Cisco 881W wireless router.
- IBM MVS on AS/400, Microsoft Server 2008. HTTP, FTP and Telnet were used to connect to both intranet and Internet servers.
- SIP protocols were used for VoIP traffic with the Nortel BCM solution. D-Link and Linksys LAN switches, and Cisco ASA 5505 firewalls with Security Plus licenses.
- Cisco 3620 and 881W wireless routers and a Cisco Catalyst 3560 PoE switch with full Layer 2 and Layer 3 QoS configuration.
Project 12
Loyalist College
Network Consultant, count 0.5 months
Oct 2007 – Oct 2007
(1 month)
Project Description:
This was a troubleshooting contract involving a QoS (Quality of Service) issue with a dedicated
remote access Cisco VPN solution and a proprietary central site server. Tools used included the
WireShark Protocol Analyzer and Cisco switches using SPAN and RSPAN.
Tasks Performed:
- Installed and configured a Cisco VPN 3030 Concentrator head-end device for a remote access (client-to-gate) IPsec and SSL VPN solution, authenticating with RADIUS/LDAP, and integrated the VPN solution into a DMZ to pass through a Cisco PIX 525 UTM firewall deployed at the network perimeter.
- Transport layer flows in the TCP/IP stack were analyzed carefully to determine where QoS issues were occurring in a client-server flow inside a previously implemented remote-access IPsec VPN solution.
Project 13
Cisco Systems Inc
Press Development Editor
Apr 2007 – Nov 2007
(8 months)
Tasks Performed:
- Responsible for the technical content of the 2nd edition of the official Designing for Cisco Internetwork Solutions (DESGN) book. This material is required reading for the CCDA (Cisco Certified Design Associate) curriculum.
- Required expertise in switching, wireless LAN design, routing and Cisco network security, as well as an in-depth understanding of Cisco's Lifecycle Design and Self-Defending Network. ISBN 978-1-58705-272-9.
- Edited a new title called Router Security Strategies, ISBN 978-1-58705-336-8. This book was released in Q1 2008.
Project 14
IBM Canada and CTE Solutions
Senior IT Security Design Specialist, Networking
Jun 1995 – Present
(246 months)
Project Description:
One of only a handful of CCSIs in North America, Mr. Stewart provided hands-on advanced
training and Subject Matter Expertise as a Senior IT Security Design Specialist for Global
Knowledge in the areas of Network Security analysis, design and implementation including: the
design, evaluation and implementation of security architectures including IPS/IDSs, VPNs,
firewalls and content filters.
Delivered hands-on technical design and implementation seminars for Global Knowledge. This
experience included the design, configuration, maintenance, testing (planning and execution)
and troubleshooting of lab environments; the environment included leading edge technologies
and featured more specifically a blend of Microsoft and Cisco technologies. The seminars
designed and implemented various security solutions including: IPS/IDSs, IPsec and SSL
VPNs; Cisco 3000 series concentrators (initially) and (later) CISCO ASA 5500 in conjunction
with Cisco’s WebVPN, SSL VPN Client (SVC) and AnyConnect Client SSL VPNs; as well as
firewalls and content filters.
Tasks Performed:
- Mr. Stewart has prepared and delivered hands-on, advanced-level technical seminars in the areas of network security analysis, design and implementation.
- Built and maintained several lab environments within Global Knowledge premises as part of the teaching process, as well as on his own business premises for analysis, knowledge advancement and research purposes. The labs that he has been maintaining include leading-edge technologies and feature more specifically a blend of Microsoft and Cisco technologies. Instruction was predominantly via the Cisco CLI for configuration, though Cisco has taken a more blended approach with its newer SNAF and SNAA courses, where the ASDM is used extensively in addition to the CLI for all configurations, especially tasks like SSL VPN that have multiple component steps.
- Developed, designed, configured and deployed network-layer metrics products which included metrics of network utilization attributed to user groups.
- Many of the scenarios involved integration with syslog, Cisco Prime Infrastructure and CiscoWorks configuration, as well as monitoring software such as the SolarWinds Orion suite and Tenable Security Center.
- As part of this hands-on instruction work, Mr. Stewart has been teaching the implementation of PKI for authentication of network devices and end users in the majority of the IT security courses he teaches. PKIs configured and implemented include MS CA and OpenSSL.
- Recently, he has guided groups of experienced students through the implementation of technology solutions including, most recently, a PKI to support remote access (client-to-gate) SSL and IPsec VPN solutions; the solutions included both CA and Active Directory (X.509) integration.
- Analysis, design and advanced troubleshooting of Global Knowledge's network infrastructure, including the design of this secure network using a combination of MPLS, VPNs and NIDS. For example: redesigned, implemented and documented a full-mesh, redundant remote access (client-to-gate) IPsec VPN solution between the Canadian operation's satellite offices and the HQ in Raleigh, North Carolina (2006); he solved a number of difficult-to-troubleshoot firewall and VPN configuration issues and other network issues that threatened the Canadian operation with lost productivity.
- Delivered workshops on Cisco's Self-Defending Network and on vulnerability and Threat Risk Assessments.
- Provided hands-on teaching on the building of multi-platform workstation and switch/router TCP/IP networks, both enterprise and backbone, with a firm grounding in TCP/IP applications (SMTP, DNS, FTP, Telnet, etc.) as well as IP routing protocols such as RIP, OSPF, BGP, IGRP and EIGRP.
- Taught Cisco CCNA, CCSP, CCNP and CCIE advanced curriculum as well as non-vendor Wireless Security (WPA, LEAP, PEAP, WEP and site survey tools). Cisco courses included in-depth theory and hands-on labs in traffic engineering, traffic shaping, WAN optimization, MPLS VPNs and other methods of traffic segmentation and QoS.
- Constantly learned, evaluated and certified on leading-edge technology including network hardware, end-user workstations, client-server and operating systems.
- Ongoing testing (including test planning and execution) of all security solutions being designed and deployed in the teaching labs' network.
- Products worked with include Check Point Firewall-1, Cisco ASA 5500 series, PIX and VPN Concentrators, PIX in-line IDS and various protocol analyzers. He designed and implemented security architectures including hands-on installation and support of SSH client/server, HTTPS on Apache web server, Certificate Authorities and AAA servers using respectively MS CA and Cisco ACS 4.x with LDAP integration. VPNs were secured between Check Point and Cisco PIX firewalls using IPsec/IKE, and between MS RAS servers and clients using MS PPTP (Point-to-Point Tunneling Protocol) and L2TP.
Experience gained in the following IT security areas:
- Extensive experience in designing and implementing security architectures including IDSs, VPNs, firewalls and content filters. Products where expertise was gained include Check Point Firewall-1, Cisco PIX and ASA 5500 series security appliances, 3000 series VPN Concentrators, Cisco IDS/IPS servers and SSM modules, and various protocol analyzers.
- Extensive experience in designing and implementing security architectures including hands-on installation and support of SSH client/server, HTTPS on Apache web server, Certificate Authorities and AAA servers using respectively MS CA and Cisco ACS 3.x and 4.x, with RADIUS and LDAP integration.
- VPNs secured between Check Point and Cisco PIX and ASA security appliances using IPsec/IKE, and between MS RAS servers and clients using MS PPTP (Point-to-Point Tunneling Protocol) and L2TP.
- Extensive hands-on and instructional experience with Microsoft OSs including Windows 2000 (incl. Server) and Windows XP.
- Delivered workshops on Cisco's security blueprint "SAFE" and Self-Defending Network, and on vulnerability and Threat Risk Assessments using a variety of tools including nmap, Nessus, etc.
- Extensive hands-on experience in teaching the building of multi-platform workstation and switch/router TCP/IP networks, both enterprise and backbone.
- Developed and designed TCP/IP applications (SMTP, DNS, FTP, Telnet, etc.) as well as IP routing protocols such as RIP, OSPF, BGP, IGRP and EIGRP, and WAN design with MPLS for secure network design. Taught Cisco CCNA, CCSP, CCNP and CCIE advanced curriculum as well as non-vendor Wireless Security (WPA, 802.11i, 802.1X, LEAP, PEAP, WEP and site survey tools).
- As an SME responsible for training often senior-level students, Mr. Stewart has designed, implemented and upgrades/maintains on an ongoing basis a comprehensive lab environment on his own business premises for analysis, knowledge advancement and research purposes. The network architecture design includes Cisco ASA Unified Threat Management devices using SSL VPNs. The design and implementation work involved configuring Cisco ASA 5500 series devices using ASDM and CLI.
Technical Environment: Cisco AnyConnect SSL VPN, Cisco IPsec VPN clients as well as gate-to-gate IPsec VPNs; Active Directory / LDAP (Microsoft and open source implementations); RADIUS AAA server; Squid web proxy, caching, content and URL filtering server with Cisco WCCP v2 transparent proxy; Cisco IronPort C100V Email Security Appliances (ESA) and M100V Content Security Management Appliances (SMA); Cisco 2911 ISR2 routers configured in an HSRP cluster, dual-homed to the Internet on static IP addresses; Cisco Catalyst 3524-XL-EN series IOS switches; ASA 5515-X UTM security appliance acting as IPsec VPN server, SSL VPN server and IPsec gate-to-gate VPN endpoint, with a Sourcefire NIDS module providing perimeter intrusion prevention services integrated with FireSIGHT Management Center; WPA2-Enterprise wireless access point; VMware ESXi 5.x; Ubuntu, Solaris, Fedora, CentOS and FreeBSD OSs; Microsoft Server 2012 R2 and OpenSSL CAs operating in a hierarchical PKI and issuing X.509v3 identity certificates to servers (mail, web, FTP, etc.) and users within a privately hosted domain; MS Server 2008, 2012 and Exchange 2013; McAfee VirusScan Enterprise (VSE) v1.6 Linux Server; 2 Microsoft 2012 R2 Servers (Enterprise) as domain controllers configured with Group Policy Objects (GPOs) within the test lab domain; BlackBerry Enterprise Server 12 and a mix of Android, iOS and BlackBerry handsets; AlienVault OSSIM v5.2 SIEM and Tenable Nessus server.
Project 15
Loyalist College
Cisco Architect
May 2006 – Jul 2006
(3 months)
Project Description:
Mr. Stewart conducted IT Security analysis including a Threat Risk Assessment (TRA) on existing infrastructure and subsequently designed and implemented a remote access (client-to-gate) and site-to-site (gate-to-gate) IPsec VPN between Loyalist College's central campus in Belleville and satellite campuses across the province. Loyalist College has 15,000 users.
Tasks Performed:
- Implemented a Cisco-proprietary WebVPN and SSL VPN solution.
- Implemented security zones at the central campus and controls for traffic moving between the zones, including wireless hotspots.
- Installed and configured a Cisco VPN 3020 Concentrator in the DMZ, and a PIX 525 firewall and RSM at the central office.
- Designed and implemented the campus VLAN design and inter-VLAN routing on Loyalist's RSM.
Project 16
Alcatel–Lucent Networks
Network Architect/Analyst
Aug 2005 – Sep 2006
(14 months)
Project Description:
Mr. Stewart worked as part of a team to design a new advanced network certification track for
Alcatel’s core service router offerings.
Courseware, lab fit-out and other materials delivered according to an aggressive timeline and to
the highest quality standards.
This project advanced Alcatel’s presence in the networking community with a suite of courses to
compete in this important global market space.
The work involved 80% design – 20% instruction.
Technical Environment: QoS, IP/MPLS, GRE, IPsec VPNs, dynamic routing protocols.
Project 17
Loyalist College
Cisco Architect
Jun 2005 – Aug 2005
(3 months)
Tasks Performed:
Mr. Stewart conducted IT Security analysis including a Vulnerability Assessment (VA) and
implemented a complete Local Area Network VLAN overhaul of the college’s core network. The
redesign involved a review of the current collapsed backbone and Novell client/server, followed
by a phased implementation which involved core and internal VLAN architecture with Cisco
Catalyst LAN switches, a Cisco 7206 edge BGP router and Cisco PIX 525 firewall.
Project 18
Elytra Enterprises
Senior Network Security Consultant
May 2005 – Jul 2005
(3 months)
Project Description:
Mr. Stewart wrote a research whitepaper on the security, privacy and legal implications for VoIP
as relates to the introduction of infrastructure VoIP in North America. This extensive research
was conducted for Lucent Technologies Japan.
The report was extremely well received by the customer. Research into the security and privacy implications of VoIP within the (then) current regulatory and legal frameworks was either nonexistent or poorly conceived. The report, a 500-page document, drew from a number of experts in both areas and involved extensive interviewing and research.
Project 19
JDS Uniphase
Network Consultant
May 2003 – Aug 2003
(4 months)
Tasks Performed:
- Mr. Stewart conducted IT Security analysis including a Vulnerability Assessment (VA), and designed, tested (including test planning and execution) and costed the fit-out of a remotely accessible optical fiber lab with WDM (Wave Division Multiplexing) equipment.
- He separately recommended learning objectives and provided detailed incremental costing and security risk analysis for delivering a series of JDSU-proprietary courses over the Internet on encrypted links using the eLearning instructor-led modality.
Project 20
Canadian Network Data Solutions (CANDS)
Cisco Engineer
Sep 2002 – Oct 2002
(2 months)
Tasks Performed:
- Mr. Stewart conducted IT Security analysis including a TRA and, based on its recommendations, implemented a Cisco PIX 506E firewall and site-to-site VPN installation at Francis Fuels and Freightliner Trucks Ottawa.
- Provided firewall screening of the private subnets of several interconnected enterprises, as well as secure remote access to the company network for MS PPTP and Cisco VPN clients.
- Implemented SSH (Secure Shell) and HTTPS access to the PIX firewall. Configured a remote access solution to allow secure access from the VAR through the PIX to the AS/400 server at the Freightliner Ottawa site.
Project 21
Northland Systems Inc
SME and eLearning Consultant
Jan 2001 – Aug 2001
(8 months)
Tasks Performed:
Mr. Stewart co-authored a number of proprietary online advanced TCP/IP and WAN networking
courses for Northland as a Network SME (Subject Matter Expert) and QA lead. These courses
are offered to Alcatel to their network engineers worldwide.
Project 22
Department of Foreign Affairs and International Trade (DFAIT)
LAN/WAN Network Architect, SIGNET Project
Jul 1993 – Jul 2000
(85 months)
Tasks Performed:
- On contract to SPS Engineering and Computer Consultants, Mr. Stewart was part of the original tactical team which architected and rolled out the departmental global WAN and secure intranet, the Secure Integrated Global Network (SIGNET), at the Department of Foreign Affairs and International Trade (DFAIT). This infrastructure (SIGNET C) was leveraged by DND for connectivity to embassies abroad. Technologies included Cisco routers, Frame Relay, IP/MPLS, TCP/IP, OSPF and X.400 Mail.
- Acted as Regional Support Manager in both the Europe and Southeast Asia areas of the global WAN.
- Developed a 4-week technology workshop and trained all implementation teams and WAN support teams for the global rollout.
- 7 years of solid and intimate experience with a geographically large and diverse WAN.
Project 23
Revenue Canada, Customs and Excise (RCCE, now CRA)
Project Manager and Technical Lead
May 1992 – Jan 1993
(9 months)
Project Description:
Mr. Stewart was the project leader in charge of the design and implementation of an Equipment
Services group for RCCE (CCRA) and the LAN Integration Centre. He was later responsible for
20 staff who provided all network infrastructure support for the department’s SNA mainframe
and WAN network across Canada.
Tasks Performed:
- Administered and monitored ISP Service Level Agreements (SLAs) and third-party support vendors who performed on-site hardware support and installation services outside Ottawa/Gatineau.
- Supported equipment included WANs with SDLC-attached devices, mainframe (ESCON and Bus & Tag) and Token Ring LAN-connected (LLC2) hardware and peripherals, terminals, controllers, gateways, bridges, routers, FEPs, etc.
- RCCE upgraded from 3COM 3+Open to MS LAN Manager 2.1 on WaveLAN and Token Ring topology networks.
EDUCATION
- BA, Economics Major/Computer Science Minor, Carleton University, Class of '87
Certification, Training, and Professional Development
- Computer Engineering Courses, Royal Military College, Class of '83
Certifications (current and past)
- Cisco Certified Systems Instructor (CCSI)
- Cisco Certified Network Associate (CCNA)
- Cisco Certified Network Associate Security (CCNA Security)
- Cisco Certified Security Professional (CCSP)
Professional Upgrade Courses
- BSCI – Building Scalable Cisco Internetworks
- ICND 1 and 2 – Interconnecting Cisco Network Devices Parts 1 and 2
- SNRS – Securing Networks with Routers and Switches
- IINS – Implementing IOS Network Security
- SNAF – Securing Networks with ASA Fundamentals
- SNAA – Securing Networks with ASA Advanced
- DLSW – Data Link Switching +
- CSVPN – Cisco Secure VPN
- SNAM – SNA for Multiprotocol Administrators
- BCMSN – Building Cisco Multilayer Switched Networks
- ABGP – Advanced Border Gateway Protocol
- MCAST – IP Multicast
- OSPF Design – Open Shortest Path First
- CISSP (Certified Information Systems Security Professional) Boot Camp
SECURITY CLEARANCE:
- Security Clearance: Secret (Level II), File: 95-22-7957, Expiry date: Sep 16, 2019
- Top Secret (Level III)