PROFESSIONAL PROFILE OF ERIC STEWART INTRODUCTION Mr. Stewart is a senior level Network Security Specialist and Cisco Subject Matter Expert with 23+ years in the IT industry including 11 years in IT Security. He currently is a top ranked Cisco Certified Systems Instructor (CCSI) in Global Knowledge (Canada) where he delivers advanced technical courses in the areas of IT Security analysis, design and implementation. He holds certifications as a CCNA (Cisco Certified Network Architect) for Security and CCSP (Cisco Certified Security Professional). His most recent experience is heavily focused on integration of Cisco technologies within security solutions. He has had specific experience in designing and implementing SSL VPN.solutions in conjunction with Cisco ASA 5500 UTM firewall appliances and Next Generation Firewalls. Mr. Stewart has appeared on national TV on several occasions in recent months, most recently with Global National where he was asked to use his IT security expertise to comment on recent (and successful) cyber attacks on Canadian Federal Government departments as well as the hijacking of a national political party’s website. He also contributed to a documentary piece on wireless network security and the ease of eavesdropping on users of wireless hotspots. His commentary has also appeared in print media, specifically in newspapers owned by Post Media. In September of 2010, Mr. Stewart was a guest speaker at the DND ISSO Conference at the Conference Centre in Ottawa where he shared a presentation on enterprise network security. Relevant and noteworthy experience include: Design and implementation of security architectures including IDSs, VPNs, firewalls and content filters.(CheckPoint Firewall-1, Cisco PIX and ASA security appliances and 3000 series VPN Concentrators; Cisco IDS/IPS servers, SSM modules and various protocol analyzers) Design and implementation of security architectures including hands-on installation and support of SSH Client/Server, HTTPS on Apache web server, Certificate Authorities and AAA servers using respectively MS CA and Cisco ACS 3.x and 4.x and Radius and LDAP integration. VPNs secured between CheckPoint and Cisco PIX and ASA security appliances using IPSec/IKE and between MS RAS servers and clients using MS PPTP (point-to-point tunneling protocol) and L2TP. Delivery of workshops on Cisco’s security blueprint, “SAFE” and Self Defending Network and vulnerability and Threat Risk Assessments using a variety of tools including nmap, Nessus, etc. Extensive hands-on in teaching the building of multi-platform workstation and switch/router TCP/IP networks, both enterprise and backbone. Firm grounding in TCP/IP applications (SMTP, DNS, FTP, Telnet, etc.) as well as IP routing protocols such as RIP, OSPF, BGP, IGRP and EIGRP. Taught Cisco CCNA, CCSP, CCNP and CCIE advanced curriculum as well as non-vendor Wireless Security (WPA, 802.11i, 802.1x, LEAP, PEAP, WEP and site survey tools) Thorough and fundamental knowledge of the cryptographic concepts and systems behind many modern implementations of encryption technology including IPsec VPNs, S-HTTP, SSH and S/MIME and their component ciphers and crypto systems. Extensive hands-on and lab-based experience implementing secure architectures using intrusion detection/protection systems and firewalls in a comprehensive network design. Extensive experience with PKI/LDAP and X.509 integration with remote access client authentication using digital certificates and extended authentication in Active Directory with Cisco PIX and ASA firewalls as well as IOS devices including routers and switches. Subject matter expert and presenter on network hardening principles, not only in Cisco but in heterogeneous networks. Noted speaker, author and instructor on network security policies, vulnerability and threat-risk assessments and attack methodologies. Taught and implemented labs where firewall policies, ACLs, Stateful Packet Inspection and UTM principles and operation are demonstrated. Authored an exam preparation guide for Cisco’s new CCNA Security certification for Cisco Press. This book is currently on store shelves and also online. Recent and practical knowledge with Cisco ISE (Identity Services Engine), Wireless LAN controllers and BYOD framework. Security Clearance: Secret (Level II) File: 95-22-7957, Expiry date: September 16, 2019 EMPLOYMENT HISTORY (INCL. CONCURRENT WORK) Fastlane Education July 2011 – Present Cisco Security Instructor Bell Canada (various projects) July 2008 – Present Senior Network Security Engineer Marine Atlantic Apr. 2011 – Aug. 2011 Security Consultant Department of National Defence Oct. 2010 – Present Senior Network Security Engineer Office of the Information Commissioner of Canada (OIC) Nov. 2009 – Jan. 2010 Security Consultant Public Health Agency Canada (PHAC) Apr. 2009 – Oct. 2009 Senior Network Engineer NAV Canada Nov. 2008 – Nov. 2009 Senior Network Security Engineer Loyalist College Dec. 2008 Senior Network Security Architect Bank of Canada (BoC) Jul. 2008 – Sep. 2008 Senior Cisco Network Security Analyst Cisco Systems Inc. Apr. 2008 – Oct. 2008 Cisco Press Author Canadian Air Transport Security Authority (CATSA) Jan. 2008 – May 2008 Senior Network Security Architect Francis Fuel and Freightliner of Ottawa Nov. 2007 – Dec. 2007 Senior Security Consultant Loyalist College Oct. 2007 Network Consultant Cisco Systems Inc. Apr. 2007 – Jul. 2007 and Sep. 2007 – Nov. 2007 Press Development Editor IBM Canada and CTE Solutions Jun. 1995 – Present Senior Network Architect and CCSI Loyalist College May 2006 – Jul. 2006 Cisco Architect Alcatel-Lucent Networks Aug. 2005 – Sep. 2006 Senior Course Designer and SME Loyalist College Jun. 2005 – Aug. 2005 Cisco Architect Freightliner Trucks Jul. 2005 Cisco Engineer Elytra Enterprises May 2005 – Jul. 2005 Senior Network Security Consultant JDS Uniphase May 2003 – Aug. 2003 Network Consultant Canadian Network Data Solutions (CANDS) Sep./Oct. 2002, Jun./Jul. 2003 and Apr./May 2004 Cisco Engineer Northland Systems Inc. Jan. 2001 – Aug. 2001 SME and eLearning Consultant Department of Foreign Affairs and International Trade (DFAIT) Jul. 1993 – Jul. 2000 LAN/WAN Network Architect Revenue Canada, Customs and Excise (RCCE, now CRA) May 1992 – Jan. 1993 Project Manager and Technical Lead Department of National Defence (DND) 1991 – 1992 Architect Ontario Provincial Ministry of Heath 1990 – 1991 Systems Engineer/Project Leader Revenue Canada Customs and Excise (RCCE, now CRA) 1989 Systems Anaylst Supply and Services Canada (now PWGSC) 1989 – 1991 Programmer/Analyst Micro Support Services 1987 – 1989 Programmer Analyst Department of National Defence (DND) 1979 – 1986 Commissioned Naval Officer (Lieutenant) BUSINESS EXPERIENCE (INCL. CONCURRENT PROJECTS) Project 1 (November 2012 – February 2013) Corporate Security and Facility Services of the Bank of Canada (w/ Juno Risk LLC) Network Security Architect Mr. Stewart was part of a team which conducted a thorough review of the Bank’s virtualized data centre network infrastructure which culminated in a detailed gap analysis as well as specific recommendations as to how these security gaps may be closed. Extensive use of Cisco and other vendors’ best practices as well as ITSG-22 and -38 are crucial, as is knowledge of the Cisco ASA firewalls, virtual contexts, Nexus switches and Cisco VDC (Virtual Data Center) architecture and TrustSec that are employed in BoC’s highly virtualized architecture. Project(s) 2 (July 2012 – September 2012, and January 2013 to present) University of Ottawa and International Joint Commissions (w/ Bell Canada) Network Security Architect Mr. Stewart reviewed uOttawa’s network security architecture and implemented two Cisco Firewall Services Modules (FWSMs) in an Active/Standby Failover configuration at the Internet perimeter. As part of the effort he rationalized and simplified the rule set logic of a cutover from the pre-existing DrawBridge firewall to the new firewall architecture. At the IJC, Mr. Stewart installed and integrated an A/S FO Cisco ASA pair supporting both gate-togate and client-to-gate VPN functionality using respectively IPsec and Cisco AnyConnect Secure Mobility Client solutions. Subsequently scaled the solution by adding remote access by Cisco VoIP phones via AnyConnect and integrating with Cisco UCS at the client headend in both Ottawa, Windsor and Washington DC Project 3 (January 2012 – August 2012) Corporate Security and Facility Services of the Bank of Canada (w/ Juno Risk LLC) Network Security Architect Mr. Stewart did a thorough analysis of the newly implemented virtual data centre (VDC) architecture and identified gaps in the security architecture when measured against Bank policy. He also made specific recommendations on how these gaps might be closed as well as the risk associated with the gaps. Project 4 (concurrent) (Apr. 2011 – Aug. 2011) Marine Atlantic IT Security Analyst Mr. Stewart provided hands-on design, configuration and implementation services in support of a 5phase network security architecture renewal at Marine Atlantic in Port-Aux-Basques Newfoundland. The project started with an architecture review, followed by specific recommendations for the acquisition of new technology to replace outdated equipment. The technology was acquired by the customer, and subsequently was implemented by Mr. Stewart per the five phases outlined below: Phase 1: Designed and implemented a Cisco ASA 5585-X SSP-20 security appliance/firewall to replace the existing Cisco PIX 525. This phase also involved the configuration of a Cisco WebVPN portal for clientless SSL VPN access as well the Cisco AnyConnect Secure Mobility Client clientbased SSL solution (client-to-gate) to support IT Staff and teleworkers. Recommendations were made for proper zone-based network security policies per CSE ITSG-22 and ITSG-38 Phase 2: Designed and implemented a Cisco 4255 IDS appliance to detect and prevent networkbased attacks from both outside of Marine Atlantic’s network as well as attacks originating on the inside. Phase3: Designed and implemented a Cisco Ironport C370 Cluster of two Ironport Email Security Appliances (ESAs) to provide anti-spam, anti-malware, and reputation based scanning and detailed reports of all inbound email traffic to Marine Atlantic’s mail servers. Phase 4: Designed and implemented a pair of Cisco Ironport S160 Web Security Appliances (WSAs) to provide for reputation based scanning and content filtering as well as detailed reports of all outbound web traffic from Marine Atlantic’s fixed facilities and ferry boats. Phase 5: Designed, implemented and integrated Tenable Security’s Security Center 4.2 SIEM (Security Intrusion and Event Monitoring) solution to provide for realtime monitoring, analysis and reporting of security events based on correlated information from all of Marine Atlantic’s network devices (IDS/IPS, firewalls, switches, VPN endpoings, WSAs, and ESAs, etc.) Project #5 – 34 mths (Oct. 2010 – Present) Department of National Defence (DND) Network Security Analyst / Architect Mr. Stewart designed and then conducted a test plan to choose between Fortinet Fortigate UTM device and Cisco ASA 5500 series solutions in support of a SSL VPN remote access VPN portal for the Enclave Convergence Initiative (ECI). Subsequently he designed and implemented a Cisco SSL VPN remote access (client-to-gate) VPN Web portal in support of the Enclave Convergence Initiative (ECI). ECI is a high profile project whose Q1 2013 implementation will result in the consolidation of disparate networks into a Classified Restricted Zone (RZ) protected by two clustered Cisco ASA 5585-X UTM firewall / SSL VPN servers and using common services such as email and file share repositories. The design/implementation required in-depth knowledge of both CLI and ASDM. Users within the existing DND Operations Zone (OZ) will be able to connect to the VPN cluster where they will be authenticated and their workstations’security posture assessed for access to RZ services. Features (and technology used) of the solution include: Integration with existing Entrust enterprise PKI solution including authentication using device X.509 identity certificates. Cisco Secure Desktop pre- and post-login posture assessment. Load-balancing and high-availability through the implementation of two Cisco ASA 5585-X SSP20 UTM firewall / VPN gateways in a cluster. WebVPN (thin) and AnyConnect Secure Mobility Client (thick) SSL remote access VPN solution (client-to-gate). Design of a gate-to-gate (site-to-site) IPsec VPN between the clustered ASAs and an IEG (Internet Exchange Gateway) to support SMTP email from the RZ MS Exchange 2010 server into the DND OZ. Design of a high-availability layer 3 switch stack solution in the RZ which provides for intrachassis redundancy and routing offload for all intra-RZ traffic such as vMotion, management protocols and backup jobs. Two- and one-factor authentication options leveraging on SmartCard technology and integrating with Active Directory (AD) services in the RZ.] IEEE 802.1Q VLAN trunk to core switch services in the RZ providing for logical separation of management, data and control plane traffic. Extensive documentation of all implemented and tested technology per DND engineering process documentation standards including: System Design Specifications; V&V Plans; System Interface Requirements; Test Plans; and Proofs of Concept. Documented adherence to GSP, ITSG-22, ITSG-38 and Cisco best practices as contained in Cisco’s “Self-Defending Network”. Designed and implemented a remote access (client-to-gate) Cisco IPsec VPN for OZ management users into the RZ, authenticating from a RADIUS server integrated with the RZ AD. Designed and implemented a Cisco DMVPN solution integrated with Cisco’s GETVPN technology on top of DND’s CSNI and DWAN network and supporting client connectivity on top of TACLANE. Project #6 - 4mths (Nov. 2009 – Jan. 2010) Office of the Information Commissioner of Canada (OIC) Network Security Analyst / Architect Mr. Stewart conducted IT Security analysis including a Threat Risk Assessment (TRA) of OIC IT infrastructure which included a review and gap analysis of present OIC security policy, Business Continuity Plans and Disaster Recovery Plan. Report resulted in a technical strategy for remediation to ensure that the residual risk was acceptable to responsible stakeholders. Gaps were measured against Government Security Policy (GSP) as well as Cisco’s SelfDefending Network (SDN) and uses metrics and zoning recommendations contained in CSE’s ITSG-22 and ITSG-38. The technology involved in this work was: CISCO IOS routers, Fortinet Fortigate 300-A (UTM) with remote access SSL VPN client connectivity, and Zywall-70 firewall. Technology Environment: OIC’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (manin-the-middle) attacks. OIC used Cisco 800-series ISR routers and Catalyst 2950 and 2960 series switches. The OIC’s Intranet used Microsoft Active Directory for user login. AD was used to store users’ credentials and other attributes in an X.509 compliant directory. ZyWall and Fortinet firewall UTM appliances were used, with signature-based intrusion detection system configured on a hardware module on the ZyWall firewall. Nessus, Nmap and WireShark were used to assess the network’s vulnerability to common technical threats targeted on information assets and network integrity. Nmap Scripting Engine (NSE) shell scripting was used to scan for vulnerable network services as was Tenable Nessus. Project #7 - 6mths (Apr. 2009 – Oct. 2009) Public Health Agency Canada (PHAC) Senior Network Engineer / Network Security Analyst Mr. Stewart performed security gap analysis on an as-built application hosting environment called PHACNET. Subsequently, Mr. Stewart: Developed new network architecture and installed and configured Cisco IDSM-2 IPS modules in 6 Cisco Catalyst 6509 core switches in both Winnipeg and Ottawa, configured CS-MARS SIEM solution integration with existing network devices and designed and configured management network including integration with RSA Authentication Server central AAA solution. Created thorough documentation of as-built as well as reconfigured network while comparing against CSE/RCMP and vendor best practices statements as well as GSP; this was implemented in a heterogeneous network of Nortel Contivity IPSec VPN gateways(configured gate-to-gate in Secure Channel),Cisco / Check Point / RSA / Sourcefire / Symantec and Websense devices as well as other vendors. Implemented Cisco IDSM-2 intrusion detection modules in core switches and configured security policies and clustering on PHAC’s Checkpoint firewalls. Also implemented Sourcefire IDS appliances in several security zones. Implemented/integrated access to Nortel Contivity 1760 gateways (to PWGSC Secure Channel) which used FIPs-compliant IPsec encryption for a gate-to-gate VPN. Installed, configured and trained IT staff on Cisco Security Manager (CSM) version 4. Technology Environment: PHAC’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (manin-the-middle) attacks. AD was used to store users’ credentials and other attributes in an X.509 compliant directory.AD was used with RSA Authentication Server to authenticate administrators of network devices on an internal AAA server. PHAC used redundant (intra-chassis) Cisco 7200series supervisor modules in their core 6509 switches for Intranet/Internet access. ISP-managed Cisco 2800-series ISR routers were used for Secure Channel access and Cisco Catalyst 3750 (discrete and stacked) and Cisco 6509 series switches were used in the access and core layers respectively. Project #8 – 5mths (Nov. 2008 – Nov. 2009) NAV Canada Senior Network Security Engineer Mr. Stewart assessed the network from both architecture and a configuration (technical) standpoint for its vulnerability against inside and outside threats. Evaluated software and installed upgrades to CiscoWorks LMS, and CSACS 1113 Solution Engine. Compiled and installed RADIUS integration from Sun Solaris OS devices to the Cisco CSACS server. Documented the architecture of the Perimeter Security Network (PSN) and performed a security impact analysis of network changes. Implemented and configured Nortel Contivity IPsec/ and Alteon client-to-gate SSL VPN gateways for authentication to CSACS. Cisco’s Security MARS, CSACS and CSM products as well as an internal syslog server were installed to report and do trend analysis of network-based attacks. Technology Environment: NAVCAN’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (manin-the-middle) attacks. S-HTTP was also used for both thin- and thick-client SSL VPN access to the NAVCAN HQ network on Nortel Alteon switches. NAVCAN used a combination of Top Layer and Snort IDS. Perimeter firewall services were provided by two Checkpoint NG-X clusters: one internal and another external. Nortel Contivity 1760 gateways (to PWGSC Secure Channel) which used FIPs-compliant IPsec encryption gate-to-gate. AD was used to store users’ credentials and other attributes in an X.509 compliant directory. NAVCAN used Cisco 2800series ISR routers (for Secure Channel access) and Catalyst 2960 and 3750 (stacked) and 6513 series switches Project #9 – 1 month (Dec. 2008) Loyalist College Senior Network Security Architect Mr. Stewart performed an IT Security analysis of the existing infrastructure; and re-engineered, evaluated, configured, integrated and implemented an overhaul of Loyalist’s entire switched campus infrastructure and completed on-time and on-budget in December 2008. Loyalist’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks. Consulted and provided advice on the specification of equipment to purchase in support of the procurement of over $250,000 of new Cisco equipment. Implemented Catalyst 6509 core switch and a FWSM firewall module and new GigabitEthernet switches in the core and edge of the campus network. Configured contexts (virtual firewalls) between different VLANs. Established separate VLANs for security zone architecture to support Cisco Aironet 802.11 b/g/n autonomous AP implementation in public zones throughout Loyalist campus. Evaluated multiple vendor solutions for best fit. Loyalist College has 15,000 users, comprising both day and night division students as well as faculty. IPsec was used for remote access Cisco hardware client-based VPN access (client-to-gate) from several remote sites to the campus Cisco 3030 VPN Concentrator. Technology Environment: Loyalist’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (manin-the-middle) attacks. IPsec was used for remote access Cisco hardware client-based VPN access from several remote sites to the campus Cisco 3030 VPN Concentrator. Loyalist used a Cisco 7200-series supervisor module for Intranet/Internet routing and Catalyst 2950 and 2960 switches (access layer) and a 6509 series core switch. Project #10 - 3mths (Jul. 2008 – Sep. 2008) Bank of Canada (BoC) Senior Cisco Network Security Analyst Mr. Stewart performed an IT Security analysis (including a design and architecture review) of the High Availability Deployment Project (HADP); the analysis involved a thorough IT security review of the network design and implementation plan, prior to the implementation phase. The analysis determined the network security posture as well as adherence with GC policies and standards. HADP is a highly virtualized protected “B”-certified network accessible over the Internet by the Bank’s partner financial institutions. The IT Security review included all components of the network including: Catalyst 6509 switches, ACS 1113 solution engines, IDS 4255 appliances, VRFs, Security Contexts on FWSM, ASA 5500 series security appliances, Cisco Security Manager (CSM) and Cisco Secure Monitoring Analysis and Reporting System (MARS) and remote-access (client-to-gate) AnyConnect SSL VPN solution. The assessment required in-depth knowledge of both CLI and ASDM. Technology Environment: BoC’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (manin-the-middle) attacks. PKI is used to issue identity certificates to devices and users and to perform message encryption and signing using X.509 certificates and S/MIME. Evaluated a Cisco AnyConnect ASA SSL VPN solution. BoC used Cisco FWSMs (firewall services modules) in core switchs and configured contexts (virtual firewalls) between different VLANs. Cisco IDSM-2 modules were used and deployed as multiple virtual sensors between different VLANs. BoC used redundant (intra-chassis) Cisco 7200-series supervisor modules in their core 6513 switches for Intranet/Internet access. ISP-managed Cisco 2800-series ISR routers were used for Secure Channel access and Cisco Catalyst 29xx and Cisco 6513 series switches were used in the access and core layers respectively. Nmap Scripting Engine (NSE) shell scripting was used to scan for vulnerable network services as was Tenable Nessus. Reports were exported into .csv format for importing into spreadsheets and other software. Cisco Security MARS and Cisco CSM were configured to manage devices via SNMP and Netflow. Project #11 - 4mths (Apr. 2008 – Oct. 2008) Cisco Systems Inc. Press Author, CCNA Security Certification Guide Mr. Stewart authored an exam preparation guide for Cisco’s new CCNA Security certification for Cisco Press. This book is currently on store shelves and also online. Book title is CCNA Security Exam Cram, ISBN 0789738007. Technology Environment: This book provides a very comprehensive analysis and practical guidelines, and discusses the following areas in-depth: SSH and IPsec operation as well as network hardening and security using S-HTTP and S/MIME signatures for non-repudiation and origin authentication for messaging security.ASA AnyConnect SSL VPN solutions, both thin and thick clients. Principles of TCP/IP operation, securing and encryption as well as zone-based security architecture are discussed in the book including well-known protocols such as UDP, DNS, SMTP and SNMP version 3 for secure reporting. IDS/IPS systems in general as well as specific examples in Cisco’s product line including IOS IPS, hardware-based IDS/IPS modules for ASA security appliances, 6500-series switches and modular IOS routers. Unsecure network protocols such as HTTP, FTP, and Telnet and their specific vulnerabilities in the context of MITM attacks.Book discusses network security principles for routers, switches, firewalls and other network devices. Describes and discusses the “bastion” process for network device and server hardening as well as means to secure routers using Cisco autosecure and one-step lockdown CLI tools. Presents an extensive survey to threats against the network infrastructure as well as safeguarding and classifying IT assets and information. Technical threats and network remediation are discussed in the context of best practices and over-arching security principles. Cisco’s System Development Life Cycle approach, Self Defending Network (SDN) and SAFE blueprint as well as industry best practices for implementing protocol, password and hardware and software security are discussed in depth in the book. Firewall policies, ACLs, Stateful Packet Inspection and UTM principles and operation are explained. Project #12 - 5mths (Jan. 2008 – May 2008) Canadian Air Transport Security Authority (CATSA) Senior Network Security Architect Mr. Stewart provided IT security analysis including expert oversight and technical assistance for the design, implementation and integration of a gate-to-gate IPsec VPN Protected B secure architecture utilizing Cisco ASA 5520 UTM appliances on the Protected A, Canada-wide CATSA intranet. Evaluated, procured and then implemented a secure reporting and event management system (Tenable Security Center) to ensure public sector MITS and GSP compliance. Implemented Cisco ASA Security Appliances into the existing network.Network comprised of Nortel ERS, Tipping Point IDS/IPS appliances, McAfee (ePolicy Orchestrator) Servers and Secure Computing WebWasher and Cisco PIX firewalls in Class 1 and Class 2 airport facilities. Part of the project included the establishment of CATSA intranet OSPF areas using the PWGSC TELUS IP/MPLS core as the backbone area. Configured and implemented 2-factor authentication using RSA Secure ID smart card token technology for the Cisco IPsec remote access(client-to-gate) VPN client solution (Used CA and X.509). FIPS compliance was required for CATSA’s Cisco’s IPsec VPN client solution. IPsec VPNs were designed and implemented for protected-B “islands” to transmit classified data in gate-to-gate VPNs over CATSA’s protected-A intranet. SNMP reporting, syslog, and Netflow with Tenable Network Security’s “Security Center” SIEM product was evaluated against Cisco Security MARS. CATSA’s Tipping Point IDS/IPS appliances were evaluated as were Cisco PIX firewalls at the Internet perimeter in both HQ and satellite sites. Technology Environment: CATSA’s network used TCP/IP for transport both in their intranet as well as for connection to the Internet. DNS name resolution was configured on an internal server to resolve both internal and external domains. SMTP was used for inbound and outbound email from a DMZ to and from the Internet. CATSA used Cisco 2800-series ISR routers (for Secure Channel access) and Catalyst 2960 and 3750 (stacked) and 6513 series switches Project #13 - 0.5mths (Nov. 2007 – Dec. 2007) Francis Fuel and Freightliner of Ottawa Senior Security Consultant Mr. Stewart evaluated an as-built security architecture and subsequently implemented/integrated a secure network of Cisco ASA firewalls(UTM devices) at 3 separate sites connected with a dedicated full-mesh T1 WAN. Presented option analysis for technology integration. De-commissioned Cisco ASA firewalls in a full-mesh IPsec VPN solution between three sites, created network security policies and architecture to support the secure transmission of VoIP between satellite offices and headquarters. Integrated a secure Bell-supplied VoIP solution between the remote sites and a central office which uses Nortel BCM 4000 solution and Nortel VoIP phones integrated into a Layer 3 Cisco Catalyst switch backbone. Executed a penetration test to test the solution’s security including an inside AS/400 mainframe Lotus Notes and Domino Mail Server and BlackBerry Enterprise Server (BES). Designed, implemented/installed and configured a Cisco ASA 5505 remote access (client-to-gate) SSL VPN solution using both the ASDM (Adaptive Security Device Manager) and the command line interface (CLI). Integrated Cisco AnyConnect Client-to-gate SSL VPN client solution to HQ. Client-to-gate Cisco client IPsec VPN solution for teleworkers and sales Basic threat detection was configured on Cisco ASA 5505 firewalls as well as access lists on a Cisco 3620 IOS router. Implemented 802.11n wireless network in a separate VLAN at a satellite office using a Cisco Aironet captive access point on an Cisco 881W wireless router. Technical Environment: IBM MVS on AS/400, Microsoft Server 2008. HTTP, FTP, and Telnet were used to connect to both intranet and internet servers. SIP protocols were used for VoIP traffic in the with the Nortel BCM solution. D-link and Linksys LAN switches, and Cisco ASA 5505 firewalls with Security Plus licenses. Also Cisco 3620 and 881W wireless routers and Cisco Catalyst 3560 PoE switch with full layer 2 and 3 QoS configuration. Project #14 - 0.5mths (Oct. 2007) Loyalist College Network Consultant This was a troubleshooting contract involving a QoS (Quality of Service) issue with a dedicated remote access Cisco VPN solution and a proprietary central site server. Tools used included the Wireshark Protocol Analyzer and Cisco switches using SPAN and RSPAN. Also installed and configured a Cisco VPN 3030 concentrator head end device for a remote access (client-to-gate) IPsec and SSL VPN solution, authenticating with RADIUS/LDAP and integrated the VPN solution into a DMZ to pass through a Cisco PIX 525 UTM firewall deployed at the network perimeter. Transport layer flows in the TCP/IP stack were analyzed carefully to determine where QoS issues were occurring in a client-server flow inside a previously implemented remote-access IPsec VPN solution. Project #15 - 2 months (Apr. 2007 – Jul. 2007 / Sep. 2007 – Nov. 2007) Cisco Systems Inc. Press Development Editor Mr. Stewart was responsible for the technical content of the 2nd edition of the official Designing for Cisco Internetwork Solutions (DESGN) book. This material is required reading for the CCDA (Cisco Certified Design Associate) curriculum. Required expertise in switching, wireless LAN design, routing and Cisco network security as well as in-depth understanding of Cisco’s Life Cycle Design and Self Defending Network. ISBN 9781-58705-272-9 Edited a new title called Router Security Strategies ISBN 978-1-58705-336-8. This book was released in Q1 2008. Project #16- 90 months (on average 6 months per year) (Jun. 1995 – Present) IBM Canada and CTE Solutions Senior Network Architect and CCSI, Global Knowledge Network One of only a handful of CCSIs in North America, Mr. Stewart provided hands-on advanced training and Subject Matter Expertise for Global Knowledge in the areas of Network Security analysis, design and implementation including: the design, evaluation and implementation of security architectures including IPS/IDSs, VPNs, firewalls and content filters. Delivered hands-on technical design and implementation seminars for Global Knowledge. This experience included the design, configuration, maintenance, testing (planning and execution) and troubleshooting of lab environments; the environment included leading edge technologies and featured more specifically a blend of Microsoft and Cisco technologies. The seminars designed and implemented various security solutions including: IPS/IDSs, IPsec and SSL VPNs; Cisco 3000 series concentrators (initially) and (later) CISCO ASA 5500 in conjunction with Cisco’s WebVPN, SSL VPN Client (SVC) and AnyConnect Client SSL VPNs; as well as firewalls and content filters. Over the past 6 years (since 2004), Mr. Stewart has been preparing and delivered hands-on advanced level technical seminars in the areas of network security analysis, design and implementation. As a SME responsible for training often senior level students, he has built and maintained several lab environments within Global Knowledge premises as part of the teaching process; as well as on his own business premises for analysis, knowledge advancement and research purposes. The labs that he has been maintaining include leading edge technologies and feature more specifically a blend of Microsoft and Cisco technologies. Instruction was predominantly using the Cisco CLI for configuration, though Cisco has taken a more blended approach with their new SNAF and SNAA courses where the ASDM is being used extensively in addition to the CLI for all configurations, especially tasks like SSL VPN which have multiple component steps. The labs that he has been maintaining include leading edge technologies and feature more specifically a blend of Microsoft and Cisco technologies. As part of this hands-on instruction work, Mr. Stewart has been teaching implementation of PKI for authentication of network devices and end-users in the majority of the IT security courses he teaches. PKIs configured and implemented include MS CA and OpenSSL. Recently, he has guided groups of experienced students through the implementation of technology solutions including most recently, a PKI to support remote access(client-to-gate) SSL and IPSEC VPN solutions; the solutions included both CA and active directory (X.509) His work also included analysis, design and advanced troubleshooting of Global Network infrastructure as and when required. For example: he redesigned, implemented and documented a full-mesh, redundant remote access (client-to-gate) IPSec VPN solution between the Canadian operation’s satellite offices and the HQ in Raleigh, North Carolina. (2006); he solved a number of difficult-to-troubleshoot firewall and VPN configuration issues and other network issues that threatened the Canadian operation with lost productivity. Delivered workshops on Cisco’s Self Defending Network and vulnerability and Threat Risk Assessments. Provided hands-on teaching on the building of multi-platform workstation and switch/router TCP/IP networks, both enterprise and backbone with a firm grounding in TCP/IP applications (SMTP, DNS, FTP, Telnet, etc.), as well as, IP routing protocols such as RIP, OSPF, BGP, IGRP and EIGRP. Taught Cisco CCNA, CCSP, CCNP and CCIE advanced curriculum as well as non-vendor Wireless Security (WPA, LEAP, PEAP, WEP and site survey tools) Constantly learnt, evaluated and certified on leading edge technology including network hardware, end-user workstations, client-server and operating systems. On-going testing (including test planning and execution) of all security solutions being designed and deployed in the teaching labs’ network. Products worked with include Check Point Firewall-1, Cisco ASA5500 series, PIX and VPN concentrators and PIX in-line IDS and various protocol analyzers. He designed and implemented security architectures including hands-on installation and support of SSH Client/Server, HTTPS on Apache web server, Certificate Authorities and AAA servers using respectively MS CA and Cisco ACS 4.x and LDAP integration. VPNs were secured between Check Point and Cisco PIX firewalls using IPSec/IKE and between MS RAS servers and clients using MS PPTP (point-topoint tunneling protocol) and L2TP. Experience gained in the following IT security areas: Extensive experience in designing and implementing security architectures including IDSs, VPNs, firewalls and content filters Products where expertise was gained include CheckPoint Firewall-1, Cisco PIX and ASA 5500 series security appliances and 3000 series VPN Concentrators and Cisco IDS/IPS servers and SSM modules and various protocol analyzers. Extensive experience in designing and implementing security architectures including handson installation and support of SSH Client/Server, HTTPS on Apache web server, Certificate Authorities and AAA servers using respectively MS CA and Cisco ACS 3.x and 4.x and Radius and LDAP integration. VPNs secured between CheckPoint and Cisco PIX and ASA security appliances using IPSec/IKE and between MS RAS servers and clients using MS PPTP (point-to-point tunneling protocol) and L2TP. Extensive hands-on and instructional experience with Microsoft OS’s including Windows 2000 (incl. server) and Windows XP. Deliver workshops on Cisco’s security blueprint, “SAFE” and Self Defending Network and vulnerability and Threat Risk Assessments using a variety of tools including nmap, Nessus, etc. Extensive hands-on in teaching the building of multi-platform workstation and switch/router TCP/IP networks, both enterprise and backbone. Firm grounding in TCP/IP applications (SMTP, DNS, FTP, Telnet, etc.) as well as IP routing protocols such as RIP, OSPF, BGP, IGRP and EIGRP. Teach Cisco CCNA, CCSP, CCNP and CCIE advanced curriculum as well as non-vendor Wireless Security (WPA, 802.11i, 802.1x, LEAP, PEAP, WEP and site survey tools). Pr. 16.1 – Lab design, implementation, upgrade and maintenance As a SME responsible for training often senior level students, Mr. Stewart has designed, implemented and upgrades/maintains on an on-going basis a comprehensive lab environment on his own business premises for analysis, knowledge advancement and research purposes. The network architecture design includes CISCO ASA Unified Threat Management devices using SSL VPNs. The design and implementation work involved configuring CISCO ASA 5500 series of devices using ASDM and CLI. The lab includes leading edge technologies, within an all virtualized environment, including the following: Cisco AnyConnect SSL VPN, Cisco IPsec VPN clients as well as Gate-to-gate IPsec VPNs, Active Directory / LDAP (Microsoft and Open Source implementations), RADIUS AAA server, Squid web proxy, caching, content and URL filtering server with Cisco WCCP v2 transparent proxying, Cisco Ironport C10 messaging gateway, Cisco 871 IOS routers configured in an HSRP cluster, dual-homed to the Internet on Static IP addresses, Cisco Catalyst 3524-XL-EN series IOS switches, ASA 5505 (w/ Security Plus License) UTM security appliance acting as both an IPsec VPN server and SSL VPN server and IPsec gate-to-gate VPN endpoint, and an AIP-SSC5 IPS module providing perimeter intrusion prevention services WPA2-Enterprise wireless acess point, VMware Server 2.1 and VMWare ESXi 4.2, Ubuntu, Solaris, Fedora, CentOS and FreeBSD Linux OSs, Microsoft Server 2003 and OpenSSL CAs operating in a hierarchical PKI and issuing X.509v3 identity certificates to servers (mail, web, FTP, etc.) and users within privately hosted domain; MS Server 2010 and Exchange 2010, McAfee VirusScan Enterprise (VSE) v 1.6 Linux Server 2 Microsoft 2003 Servers (Enterprise) as domain controllers and configured with Group Policy Objects (GPOs) within test lab domain. BlackBerry Enterprise Server Express (BESx) and three registered BlackBerry 9700, 9800, 9810 smartphones. Zenoss SNMP Network Management Server Tenable Security Nessus Server Project #17 – 1 month (May 2006 – Jul. 2006) Loyalist College Cisco Architect Mr. Stewart conducted IT Security analysis including a Threat Risk Assessment (TRA); on existing infrastructure and subsequently designed and implemented a remote access (client-to-gate) and siteto-site (gate-to-gate) IPSec VPN between Loyalist College’s central campus in Belleville and satellite campuses across the province. Implemented a Cisco-proprietary WebVPN and SSL VPN solution. Implemented security zones at the central campus and controls for traffic moving between the zones including wireless hotspots. Installed and configured a Cisco VPN 3020 Concentrator into the DMZ and PIX 525 firewall and RSM at the central office. Designed and implemented campus VLAN design and inter-VLAN routing on Loyalist’s RSM. Loyalist College has 15,000 users. Project #18 - 8 months (Aug. 2005 – Sep. 2006) Alcatel-Lucent Networks Network Architect/Analyst Mr. Stewart worked as part of a team to design a new advanced network certification track for Alcatel’s core service router offerings. Technologies included QoS, IP/MPLS, GRE, IPsec VPNs, dynamic routing protocols. Courseware, lab fit-out and other materials delivered according to an aggressive timeline and to the highest quality standards. This project advanced Alcatel’s presence in the networking community with a suite of courses to compete in this important global market space. The work involved 80% design – 20% instruction. Project #19 - 0.5 months (Jun. 2005 – Aug. 2005) Loyalist College Cisco Architect Mr. Stewart conducted IT Security analysis including a Vulnerability Assessment (VA) and implemented a complete Local Area Network VLAN overhaul of the college’s core network. The redesign involved a review of the current collapsed backbone and Novell client/server, followed by a phased implementation which involved core and internal VLAN architecture with Cisco Catalyst LAN switches, a Cisco 7206 edge BGP router and Cisco PIX 525 firewall. Project #20 - 0.5 months (Jul. 2005) Freightliner Trucks Cisco Engineer Mr. Stewart conducted security analysis including a threat risk assessment (TRA) and option analysis; he designed;procured equipment;and then implemented a full-mesh site-to-site (gate-to-gate) VPN solution for Freightliner Trucks with several sites using Cisco PIX firewalls and Linksys wireless VPN gateways. Solution also supported remote access for a number of teleworkers. The project involved requirements definition, a statement of work, and a phased implementation plan. Project #21 - concurrent (May 2005 – Jul. 2005) Elytra Enterprises Senior Network Security Consultant Mr. Stewart wrote a research whitepaper on the security, privacy and legal implications for VoIP as relates to the introduction of infrastructure VoIP in North America. This extensive research was conducted for Lucent Technologies Japan. The report was extremely well received by the customer. Research into the security and privacy implications of VoIP within the (then) current regulatory and legal frameworks was either nonexistent or poorly conceived. The report, a 500-page document, drew from a number of experts in both areas and involved extensive interviewing and research. Project #22 - 4 months (May 2003 – Aug. 2003) JDS Uniphase Network Consultant Mr. Stewart conducted IT Security analysis including a Vulnerability Assessment (VA), designed, and tested(including test planning and execution) the fit-out of, and costing of a remotely-accessible optical fiber lab with WDM (Wave Division Multiplexing) equipment. He separately recommended learning objectives and provided detailed incremental costing and security risk analysis for delivering a series of JDSU-proprietary courses over the Internet on encrypted links using the eLearning instructor-led modality. Project #23 - 1 month (Sep./Oct. 2002, Jun./Jul. 2003 and Apr./May 2004) Canadian Network Data Solutions (CANDS) Cisco Engineer Mr. Stewart conducted IT Security analysis including a TRA and based on its recommendations, implemented Cisco PIX 506E firewall and Site-to-Site VPN installation at Francis Fuels and Freightliner Trucks Ottawa. Provided for firewall screening private subnets of several interconnected enterprises as well as providing for secure, MS PPTP and Cisco VPN clients remote access to company network. Implemented SSH (Secure Shell) and HTTPS access to PIX firewall. Configured remote access solution to allow secure access from VAR through PIX to AS/400 server at Freightliner Ottawa site. Project #24 - 1 month (Jan. 2001 – Aug. 2001) Northland Systems Inc. SME and eLearning Consultant Mr. Stewart co-authored a number of proprietary online advanced TCP/IP and WAN networking courses for Northland as a Network SME (Subject Matter Expert) and QA lead. These courses are offered to Alcatel to their network engineers worldwide. Project #25 - 72 months (Jul. 1993 – Jul. 2000) Department of Foreign Affairs and International Trade (DFAIT) LAN/WAN Network Architect, SIGNET Project On contract to SPS Engineering and Computer Consultants, Mr. Stewart was part of the original tactical team which architected and rolled out the departmental global WAN. Secure Intranet, the Secure Integrated Global Network (SIGNET) at Department of Foreign Affairs and International Trade (DFAIT). This infrastructure (SIGNET C) was leveraged by DND for connectivity to embassies abroad. Technologies included Cisco routers, Frame Relay, TCP/IP OSPF, and X.400 Mail. Acted as Regional Support Manager in both Europe and Southeast Asia areas of the global WAN. Developed a 4-week technology workshop and trained all implementation teams and WAN support teams for the global rollout. 7 years of solid and intimate experience with a geographically large and diverse WAN. Project #26 - 9 months (May 1992 – Jan. 1993) Revenue Canada, Customs and Excise (RCCE, now CRA) Project Manager and Technical Lead On contract to Iota Consulting, Mr. Stewart was the project leader in charge of the design and implementation of an Equipment Services group for RCCE (CCRA) and the LAN Integration Centre. He was later responsible for 20 staff who provided all network infrastructure support for the department’s SNA mainframe and WAN network across Canada. Administered and monitored ISP Service Level Agreements (SLAs) and third-party support vendors who performed on-site hardware support and installation services outside Ottawa/Gatineau. Supported equipment included WANs with SDLC-attached devices mainframe (ESCON and Bus & Tag) and Token Ring LAN-connected (LLC2) hardware and peripherals, terminals, controllers, gateways, bridges, routers, FEPS etc. RCCE upgraded from 3COM 3+OPEN to MS LAN Manager 2.1 on WaveLan and token ring topology networks. Project #27 - 6 months (1991 – 1992) Department of National Defence (DND) Architect At the Flight Structures and Dynamics section of Aeronautical Engineering, Mr. Stewart performed a feasibility study and prototyped an image data capture/retrieval system called FSDDIS (Flight Structures and Dynamics Data Integration System). FSDDIS produced front-end data for a UNIXbased Flight Path Reconstruction Program. Table of discrete x, y data points from scanned-in graphs and tabular data which represented flight test data for aircraft types in the Canadian Forces inventory was fed to OCR front-end and inputted to CAD and raster-to-vector (R2V) technology which was used for the conversion of the scanned graphical data. Another module of the prototype system analyzed and graphed the data, performing simple linear regression, best-curve approximations, and basic statistics. Project #28 - 12 months (1990 – 1991) Ontario Provincial Ministry of Heath Systems Engineer/Project Leader, Emergency Health Services Mr. Stewart set up and coordinated the implementation of a general systems support contract for the LANs and WAN of the Emergency Health Services Branch of the Provincial Ministry of Health. The work involved setup, repair and troubleshooting of software and hardware as well as customer service at several LAN/WAN installations in Eastern Ontario. Application support encompassed custom packages as well as basic office automation products; answering user queries; and on-site training as well as coordination of same throughout the client's user base. Project #29 - 3 months (1989) Revenue Canada Customs and Excise (RCCE, now CRA) Systems Anaylst Mr. Stewart collaborated on the rollout of a national LAN/WAN implementation based on 3COM's 3+OPEN product and interconnecting sites in support of the GST project. The implementation required the quick, accurate and efficient integration of remote sites over an X.25 WAN and the training of several diverse groups including the technical support personnel, users, LAN administrators and Regional Support Managers as well as the trainers themselves. He collaborated in the formative planning of an overall support organization and its staffing. Project #30 - 18 months (1989 – 1991) Supply and Services Canada (now PWGSC) Programmer/Analyst The IM/IT Network Database A logical extension of the SSC Course Training Database, this project involved the enhancement of a single-user system into full network capabilities. The system required the development of a unique "paging" menu system with colour-coded navigation. A multiple-hierarchy password protection system was designed as well as other security measures such as database encryption and compilation of program source code. SSC/PDG Course Training Database Mr. Stewart developed a database application that gave managers, course instructors and other staff a method to enter applications for training, as well as retrieve current and historical information on courses offered by internal and external agencies. Reporting requirements included course critiques, information briefs and mailing lists. Project #31 - 21 months (1987 – 1989) Micro Support Services Programmer Analyst, Customer Support Mr. Stewart provided customer services in support of both software and hardware. Also, he was largely involved in troubleshooting and direct maintenance on IBM and compatible microcomputers and peripherals, as well as set-up and design of Novell and Unix/XENIX local area networks. Designed backup procedures and user log-in interfaces as well as documented network administration manuals. Provided application programming in BBx for an accounting package. Co-authored a Canadian payroll module Project #32 - 8 years (1979 – 1986) Department of National Defence (DND) Commissioned Naval Officer (Lieutenant) Mr. Stewart served in the Canadian Navy in various capacities throughout his tenure at Royal Military College of Canada where he studied Computer Engineering. Later, on the West Coast in Victoria, B.C., he served as a bridge officer, ship’s navigator, and junior staff officer. Mr. Stewart served in various ship types including destroyers and minesweepers. EDUCATION BA, Economics Major/Computer Science Minor,Carleton University Class of ‘87 CERTIFICATION, TRAINING, AND PROFESSIONAL DEVELOPMENT Computer Engineering Courses, Royal Military College Certifications Cisco Certified Systems Instructor CCSI Cisco Certified Network Associate CCNA Cisco Certified Network Associate Security CCNA Security Cisco Certified Security Professional CCSP (need to re-certify as of November ‘11) Professional Upgrade Courses BSCI – Building Scalable Cisco Internetworks ICND 1 and 2 – Interconnecting Cisco Network Devices Parts 1 and 2 SNRS – Securing Networks with Routers and Switches IINS – Implementing IOS Network Security SNAF – Securing Networks with ASA Fundamentals SNAA – Securing Networks with ASA Advanced DLSW – Data Link Switching + CSVPN – Cisco Secure VPN SNAM – SNA for Multiprotocol Administrators BCMSN – Building Cisco Multilayer Switched Networks ABGP – Advanced Border Gateway Protocol MCAST – IP Multicast OSPF Design – Open Shortest Path First CISSP (Certified Information Systems Security Professional) Boot Camp Many others... Class of ‘83