PROFESSIONAL PROFILE
OF
ERIC STEWART
INTRODUCTION
Mr. Stewart is a senior-level Network Security Specialist and Cisco Subject Matter Expert with 23+ years in the IT industry, including 11 years in IT Security. He is currently a top-ranked Cisco Certified Systems Instructor (CCSI) with Global Knowledge (Canada), where he delivers advanced technical courses in the areas of IT Security analysis, design and implementation. He holds certifications as a CCNA (Cisco Certified Network Architect) for Security and CCSP (Cisco Certified Security Professional). His most recent experience is heavily focused on the integration of Cisco technologies within security solutions. He has had specific experience in designing and implementing SSL VPN solutions in conjunction with Cisco ASA 5500 UTM firewall appliances and Next Generation Firewalls.
Mr. Stewart has appeared on national TV on several occasions in recent months, most recently with
Global National where he was asked to use his IT security expertise to comment on recent (and
successful) cyber attacks on Canadian Federal Government departments as well as the hijacking of a
national political party’s website. He also contributed to a documentary piece on wireless network
security and the ease of eavesdropping on users of wireless hotspots. His commentary has also
appeared in print media, specifically in newspapers owned by Post Media. In September of 2010, Mr.
Stewart was a guest speaker at the DND ISSO Conference at the Conference Centre in Ottawa where
he shared a presentation on enterprise network security.
Relevant and noteworthy experience includes:
 Design and implementation of security architectures including IDSs, VPNs, firewalls and content filters (CheckPoint Firewall-1, Cisco PIX and ASA security appliances and 3000 series VPN Concentrators; Cisco IDS/IPS servers, SSM modules and various protocol analyzers).
 Design and implementation of security architectures including hands-on installation and support of SSH client/server, HTTPS on Apache web server, Certificate Authorities and AAA servers using respectively MS CA and Cisco ACS 3.x and 4.x, with RADIUS and LDAP integration.
 VPNs secured between CheckPoint and Cisco PIX and ASA security appliances using IPsec/IKE, and between MS RAS servers and clients using MS PPTP (Point-to-Point Tunneling Protocol) and L2TP.
 Delivery of workshops on Cisco’s security blueprint, “SAFE”, and Self-Defending Network, and on vulnerability and Threat Risk Assessments using a variety of tools including nmap, Nessus, etc.
 Extensive hands-on experience teaching the building of multi-platform workstation and switch/router TCP/IP networks, both enterprise and backbone.
 Firm grounding in TCP/IP applications (SMTP, DNS, FTP, Telnet, etc.) as well as IP routing protocols such as RIP, OSPF, BGP, IGRP and EIGRP.
 Taught Cisco CCNA, CCSP, CCNP and CCIE advanced curriculum as well as non-vendor Wireless Security (WPA, 802.11i, 802.1X, LEAP, PEAP, WEP and site survey tools).
 Thorough and fundamental knowledge of the cryptographic concepts and systems behind many modern implementations of encryption technology, including IPsec VPNs, S-HTTP, SSH and S/MIME and their component ciphers and cryptosystems.
 Extensive hands-on and lab-based experience implementing secure architectures using intrusion detection/protection systems and firewalls in a comprehensive network design.
 Extensive experience with PKI/LDAP and X.509 integration with remote access client authentication using digital certificates and extended authentication in Active Directory with Cisco PIX and ASA firewalls as well as IOS devices including routers and switches.
 Subject matter expert and presenter on network hardening principles, not only in Cisco but in heterogeneous networks.
 Noted speaker, author and instructor on network security policies, vulnerability and threat-risk assessments and attack methodologies.
 Taught and implemented labs where firewall policies, ACLs, Stateful Packet Inspection and UTM principles and operation are demonstrated.
 Authored an exam preparation guide for Cisco’s new CCNA Security certification for Cisco Press. This book is currently on store shelves and also online.
 Recent and practical knowledge of Cisco ISE (Identity Services Engine), Wireless LAN controllers and the BYOD framework.
Security Clearance: Secret (Level II) File: 95-22-7957, Expiry date: September 16, 2019
EMPLOYMENT HISTORY (INCL. CONCURRENT WORK)
(Organization, period: role)
Fastlane Education, July 2011 – Present: Cisco Security Instructor
Bell Canada (various projects), July 2008 – Present: Senior Network Security Engineer
Marine Atlantic, Apr. 2011 – Aug. 2011: Security Consultant
Department of National Defence, Oct. 2010 – Present: Senior Network Security Engineer
Office of the Information Commissioner of Canada (OIC), Nov. 2009 – Jan. 2010: Security Consultant
Public Health Agency Canada (PHAC), Apr. 2009 – Oct. 2009: Senior Network Engineer
NAV Canada, Nov. 2008 – Nov. 2009: Senior Network Security Engineer
Loyalist College, Dec. 2008: Senior Network Security Architect
Bank of Canada (BoC), Jul. 2008 – Sep. 2008: Senior Cisco Network Security Analyst
Cisco Systems Inc., Apr. 2008 – Oct. 2008: Cisco Press Author
Canadian Air Transport Security Authority (CATSA), Jan. 2008 – May 2008: Senior Network Security Architect
Francis Fuel and Freightliner of Ottawa, Nov. 2007 – Dec. 2007: Senior Security Consultant
Loyalist College, Oct. 2007: Network Consultant
Cisco Systems Inc., Apr. 2007 – Jul. 2007 and Sep. 2007 – Nov. 2007: Press Development Editor
IBM Canada and CTE Solutions, Jun. 1995 – Present: Senior Network Architect and CCSI
Loyalist College, May 2006 – Jul. 2006: Cisco Architect
Alcatel-Lucent Networks, Aug. 2005 – Sep. 2006: Senior Course Designer and SME
Loyalist College, Jun. 2005 – Aug. 2005: Cisco Architect
Freightliner Trucks, Jul. 2005: Cisco Engineer
Elytra Enterprises, May 2005 – Jul. 2005: Senior Network Security Consultant
JDS Uniphase, May 2003 – Aug. 2003: Network Consultant
Canadian Network Data Solutions (CANDS), Sep./Oct. 2002, Jun./Jul. 2003 and Apr./May 2004: Cisco Engineer
Northland Systems Inc., Jan. 2001 – Aug. 2001: SME and eLearning Consultant
Department of Foreign Affairs and International Trade (DFAIT), Jul. 1993 – Jul. 2000: LAN/WAN Network Architect
Revenue Canada, Customs and Excise (RCCE, now CRA), May 1992 – Jan. 1993: Project Manager and Technical Lead
Department of National Defence (DND), 1991 – 1992: Architect
Ontario Provincial Ministry of Health, 1990 – 1991: Systems Engineer/Project Leader
Revenue Canada Customs and Excise (RCCE, now CRA), 1989: Systems Analyst
Supply and Services Canada (now PWGSC), 1989 – 1991: Programmer/Analyst
Micro Support Services, 1987 – 1989: Programmer Analyst
Department of National Defence (DND), 1979 – 1986: Commissioned Naval Officer (Lieutenant)
BUSINESS EXPERIENCE (INCL. CONCURRENT PROJECTS)
Project 1 (November 2012 – February 2013)
Corporate Security and Facility Services of the Bank of Canada (w/ Juno Risk LLC)
Network Security Architect
Mr. Stewart was part of a team which conducted a thorough review of the Bank’s virtualized data
centre network infrastructure which culminated in a detailed gap analysis as well as specific
recommendations as to how these security gaps could be closed. Extensive use of Cisco and other vendors’ best practices as well as ITSG-22 and ITSG-38 was crucial, as was knowledge of the Cisco ASA firewalls, virtual contexts, Nexus switches, Cisco VDC (Virtual Data Center) architecture and TrustSec employed in BoC’s highly virtualized architecture.
Project(s) 2 (July 2012 – September 2012, and January 2013 to present)
University of Ottawa and International Joint Commissions (w/ Bell Canada)
Network Security Architect
Mr. Stewart reviewed uOttawa’s network security architecture and implemented two Cisco Firewall
Services Modules (FWSMs) in an Active/Standby Failover configuration at the Internet perimeter.
As part of the effort he rationalized and simplified the rule set logic of a cutover from the pre-existing
DrawBridge firewall to the new firewall architecture.
At the IJC, Mr. Stewart installed and integrated an A/S FO Cisco ASA pair supporting both gate-to-gate and client-to-gate VPN functionality using respectively IPsec and Cisco AnyConnect Secure Mobility Client solutions. He subsequently scaled the solution by adding remote access by Cisco VoIP phones via AnyConnect and integrating with Cisco UCS at the client head-end in Ottawa, Windsor and Washington DC.
Project 3 (January 2012 – August 2012)
Corporate Security and Facility Services of the Bank of Canada (w/ Juno Risk LLC)
Network Security Architect
Mr. Stewart did a thorough analysis of the newly implemented virtual data centre (VDC) architecture
and identified gaps in the security architecture when measured against Bank policy. He also made
specific recommendations on how these gaps might be closed as well as the risk associated with the
gaps.
Project 4 (concurrent) (Apr. 2011 – Aug. 2011)
Marine Atlantic
IT Security Analyst
Mr. Stewart provided hands-on design, configuration and implementation services in support of a 5-phase network security architecture renewal at Marine Atlantic in Port-Aux-Basques, Newfoundland. The project started with an architecture review, followed by specific recommendations for the acquisition of new technology to replace outdated equipment. The technology was acquired by the customer and subsequently implemented by Mr. Stewart per the five phases outlined below:
Phase 1: Designed and implemented a Cisco ASA 5585-X SSP-20 security appliance/firewall to replace the existing Cisco PIX 525. This phase also involved the configuration of a Cisco WebVPN portal for clientless SSL VPN access as well as the Cisco AnyConnect Secure Mobility Client client-based SSL solution (client-to-gate) to support IT staff and teleworkers. Recommendations were made for proper zone-based network security policies per CSE ITSG-22 and ITSG-38.
Phase 2: Designed and implemented a Cisco 4255 IDS appliance to detect and prevent network-based attacks originating both outside and inside Marine Atlantic’s network.
Phase 3: Designed and implemented a Cisco IronPort C370 cluster of two IronPort Email Security Appliances (ESAs) to provide anti-spam, anti-malware and reputation-based scanning and detailed reports of all inbound email traffic to Marine Atlantic’s mail servers.
Phase 4: Designed and implemented a pair of Cisco IronPort S160 Web Security Appliances (WSAs) to provide reputation-based scanning and content filtering as well as detailed reports of all outbound web traffic from Marine Atlantic’s fixed facilities and ferry boats.
Phase 5: Designed, implemented and integrated Tenable Security’s Security Center 4.2 SIEM (Security Intrusion and Event Monitoring) solution to provide real-time monitoring, analysis and reporting of security events based on correlated information from all of Marine Atlantic’s network devices (IDS/IPS, firewalls, switches, VPN endpoints, WSAs, ESAs, etc.).
Project #5 – 34 mths (Oct. 2010 – Present)
Department of National Defence (DND)
Network Security Analyst / Architect
Mr. Stewart designed and then conducted a test plan to choose between Fortinet Fortigate UTM
device and Cisco ASA 5500 series solutions in support of a SSL VPN remote access VPN portal for
the Enclave Convergence Initiative (ECI).
Subsequently he designed and implemented a Cisco SSL VPN remote access (client-to-gate) VPN
Web portal in support of the Enclave Convergence Initiative (ECI). ECI is a high profile project
whose Q1 2013 implementation will result in the consolidation of disparate networks into a Classified
Restricted Zone (RZ) protected by two clustered Cisco ASA 5585-X UTM firewall / SSL VPN servers
and using common services such as email and file share repositories. The design/implementation
required in-depth knowledge of both CLI and ASDM. Users within the existing DND Operations
Zone (OZ) will be able to connect to the VPN cluster where they will be authenticated and their
workstations’ security posture assessed for access to RZ services. Features (and technology used) of the solution include:
 Integration with the existing Entrust enterprise PKI solution, including authentication using device X.509 identity certificates.
 Cisco Secure Desktop pre- and post-login posture assessment.
 Load-balancing and high availability through the implementation of two Cisco ASA 5585-X SSP-20 UTM firewall / VPN gateways in a cluster.
 WebVPN (thin) and AnyConnect Secure Mobility Client (thick) SSL remote access VPN solution (client-to-gate).
 Design of a gate-to-gate (site-to-site) IPsec VPN between the clustered ASAs and an IEG (Internet Exchange Gateway) to support SMTP email from the RZ MS Exchange 2010 server into the DND OZ.
 Design of a high-availability layer 3 switch stack solution in the RZ which provides intra-chassis redundancy and routing offload for all intra-RZ traffic such as vMotion, management protocols and backup jobs.
 Two- and one-factor authentication options leveraging SmartCard technology and integrating with Active Directory (AD) services in the RZ.
 IEEE 802.1Q VLAN trunk to core switch services in the RZ, providing logical separation of management, data and control plane traffic.
 Extensive documentation of all implemented and tested technology per DND engineering process documentation standards, including System Design Specifications, V&V Plans, System Interface Requirements, Test Plans and Proofs of Concept.
 Documented adherence to GSP, ITSG-22, ITSG-38 and Cisco best practices as contained in Cisco’s “Self-Defending Network”.
 Designed and implemented a remote access (client-to-gate) Cisco IPsec VPN for OZ management users into the RZ, authenticating from a RADIUS server integrated with the RZ AD.
 Designed and implemented a Cisco DMVPN solution integrated with Cisco’s GETVPN technology on top of DND’s CSNI and DWAN network and supporting client connectivity on top of TACLANE.
Project #6 - 4mths (Nov. 2009 – Jan. 2010)
Office of the Information Commissioner of Canada (OIC)
Network Security Analyst / Architect
Mr. Stewart conducted IT Security analysis including a Threat Risk Assessment (TRA) of OIC IT infrastructure, which included a review and gap analysis of present OIC security policy, Business Continuity Plans and Disaster Recovery Plan.
 The report resulted in a technical strategy for remediation to ensure that the residual risk was acceptable to responsible stakeholders.
 Gaps were measured against Government Security Policy (GSP) as well as Cisco’s Self-Defending Network (SDN), using the metrics and zoning recommendations contained in CSE’s ITSG-22 and ITSG-38.
 The technology involved in this work was: Cisco IOS routers, Fortinet Fortigate 300-A (UTM) with remote access SSL VPN client connectivity, and ZyWall-70 firewall.
 Technology Environment: OIC’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks. OIC used Cisco 800-series ISR routers and Catalyst 2950 and 2960 series switches. The OIC’s Intranet used Microsoft Active Directory for user login. AD was used to store users’ credentials and other attributes in an X.509 compliant directory. ZyWall and Fortinet UTM firewall appliances were used, with a signature-based intrusion detection system configured on a hardware module on the ZyWall firewall. Nessus, Nmap and Wireshark were used to assess the network’s vulnerability to common technical threats targeted at information assets and network integrity. Nmap Scripting Engine (NSE) shell scripting was used to scan for vulnerable network services, as was Tenable Nessus.
Project #7 - 6mths (Apr. 2009 – Oct. 2009)
Public Health Agency Canada (PHAC)
Senior Network Engineer / Network Security Analyst
Mr. Stewart performed a security gap analysis on an as-built application hosting environment called PHACNET. Subsequently, Mr. Stewart:
 Developed a new network architecture and installed and configured Cisco IDSM-2 IPS modules in 6 Cisco Catalyst 6509 core switches in both Winnipeg and Ottawa, configured CS-MARS SIEM solution integration with existing network devices, and designed and configured the management network including integration with the RSA Authentication Server central AAA solution.
 Created thorough documentation of the as-built as well as reconfigured network while comparing against CSE/RCMP and vendor best practice statements as well as GSP; this was implemented in a heterogeneous network of Nortel Contivity IPsec VPN gateways (configured gate-to-gate in Secure Channel), Cisco / Check Point / RSA / Sourcefire / Symantec and Websense devices as well as other vendors.
 Implemented Cisco IDSM-2 intrusion detection modules in core switches and configured security policies and clustering on PHAC’s Check Point firewalls. Also implemented Sourcefire IDS appliances in several security zones.
 Implemented/integrated access to Nortel Contivity 1760 gateways (to PWGSC Secure Channel) which used FIPS-compliant IPsec encryption for a gate-to-gate VPN.
 Installed, configured and trained IT staff on Cisco Security Manager (CSM) version 4.
 Technology Environment: PHAC’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks. AD was used to store users’ credentials and other attributes in an X.509 compliant directory. AD was used with RSA Authentication Server to authenticate administrators of network devices on an internal AAA server. PHAC used redundant (intra-chassis) Cisco 7200-series supervisor modules in their core 6509 switches for Intranet/Internet access. ISP-managed Cisco 2800-series ISR routers were used for Secure Channel access, and Cisco Catalyst 3750 (discrete and stacked) and Cisco 6509 series switches were used in the access and core layers respectively.
Project #8 – 5mths (Nov. 2008 – Nov. 2009)
NAV Canada
Senior Network Security Engineer
Mr. Stewart assessed the network from both an architecture and a configuration (technical) standpoint for its vulnerability against inside and outside threats.
 Evaluated software and installed upgrades to CiscoWorks LMS and the CSACS 1113 Solution Engine.
 Compiled and installed RADIUS integration from Sun Solaris OS devices to the Cisco CSACS server.
 Documented the architecture of the Perimeter Security Network (PSN) and performed a security impact analysis of network changes.
 Implemented and configured Nortel Contivity IPsec and Alteon client-to-gate SSL VPN gateways for authentication to CSACS.
 Cisco’s Security MARS, CSACS and CSM products as well as an internal syslog server were installed to report on and perform trend analysis of network-based attacks.
 Technology Environment: NAVCAN’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks. S-HTTP was also used for both thin- and thick-client SSL VPN access to the NAVCAN HQ network on Nortel Alteon switches. NAVCAN used a combination of Top Layer and Snort IDS. Perimeter firewall services were provided by two Check Point NG-X clusters: one internal and another external. Nortel Contivity 1760 gateways (to PWGSC Secure Channel) used FIPS-compliant IPsec encryption gate-to-gate. AD was used to store users’ credentials and other attributes in an X.509 compliant directory. NAVCAN used Cisco 2800-series ISR routers (for Secure Channel access) and Catalyst 2960 and 3750 (stacked) and 6513 series switches.
Project #9 – 1 month (Dec. 2008)
Loyalist College
Senior Network Security Architect
Mr. Stewart performed an IT Security analysis of the existing infrastructure, and re-engineered, evaluated, configured, integrated and implemented an overhaul of Loyalist’s entire switched campus infrastructure, completed on time and on budget in December 2008. Loyalist’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks.
 Consulted and provided advice on the specification of equipment to purchase in support of the procurement of over $250,000 of new Cisco equipment.
 Implemented a Catalyst 6509 core switch and an FWSM firewall module and new Gigabit Ethernet switches in the core and edge of the campus network.
 Configured contexts (virtual firewalls) between different VLANs. Established separate VLANs for a security zone architecture to support a Cisco Aironet 802.11b/g/n autonomous AP implementation in public zones throughout the Loyalist campus.
 Evaluated multiple vendor solutions for best fit.
 Loyalist College has 15,000 users, comprising both day and night division students as well as faculty.
 IPsec was used for remote access Cisco hardware client-based VPN access (client-to-gate) from several remote sites to the campus Cisco 3030 VPN Concentrator.
Technology Environment: Loyalist’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks. IPsec was used for remote access Cisco hardware client-based VPN access from several remote sites to the campus Cisco 3030 VPN Concentrator. Loyalist used a Cisco 7200-series supervisor module for Intranet/Internet routing and Catalyst 2950 and 2960 switches (access layer) and a 6509 series core switch.
Project #10 - 3mths (Jul. 2008 – Sep. 2008)
Bank of Canada (BoC)
Senior Cisco Network Security Analyst
Mr. Stewart performed an IT Security analysis (including a design and architecture review) of the
High Availability Deployment Project (HADP); the analysis involved a thorough IT security review
of the network design and implementation plan, prior to the implementation phase. The analysis
determined the network security posture as well as adherence with GC policies and standards. HADP
is a highly virtualized protected “B”-certified network accessible over the Internet by the Bank’s
partner financial institutions.
The IT Security review included all components of the network, including: Catalyst 6509 switches, ACS 1113 solution engines, IDS 4255 appliances, VRFs, Security Contexts on FWSM, ASA 5500 series security appliances, Cisco Security Manager (CSM), Cisco Secure Monitoring Analysis and Reporting System (MARS) and a remote-access (client-to-gate) AnyConnect SSL VPN solution. The assessment required in-depth knowledge of both CLI and ASDM.
 Technology Environment: BoC’s network devices are managed in-band in a separate management VLAN using SSH and S-HTTP for encryption and protection against MITM (man-in-the-middle) attacks. PKI is used to issue identity certificates to devices and users and to perform message encryption and signing using X.509 certificates and S/MIME. A Cisco AnyConnect ASA SSL VPN solution was evaluated. BoC used Cisco FWSMs (Firewall Services Modules) in core switches and configured contexts (virtual firewalls) between different VLANs. Cisco IDSM-2 modules were used and deployed as multiple virtual sensors between different VLANs. BoC used redundant (intra-chassis) Cisco 7200-series supervisor modules in their core 6513 switches for Intranet/Internet access. ISP-managed Cisco 2800-series ISR routers were used for Secure Channel access, and Cisco Catalyst 29xx and Cisco 6513 series switches were used in the access and core layers respectively. Nmap Scripting Engine (NSE) shell scripting was used to scan for vulnerable network services, as was Tenable Nessus. Reports were exported into .csv format for importing into spreadsheets and other software. Cisco Security MARS and Cisco CSM were configured to manage devices via SNMP and NetFlow.
Project #11 - 4mths (Apr. 2008 – Oct. 2008)
Cisco Systems Inc.
Press Author, CCNA Security Certification Guide
Mr. Stewart authored an exam preparation guide for Cisco’s new CCNA Security certification for
Cisco Press. This book is currently on store shelves and also online. Book title is CCNA Security
Exam Cram, ISBN 0789738007.
Technology Environment: This book provides a very comprehensive analysis and practical
guidelines, and discusses the following areas in-depth:
 SSH and IPsec operation as well as network hardening and security using S-HTTP and S/MIME signatures for non-repudiation and origin authentication for messaging security. ASA AnyConnect SSL VPN solutions, both thin and thick clients.
 Principles of TCP/IP operation, securing and encryption as well as zone-based security architecture are discussed in the book, including well-known protocols such as UDP, DNS, SMTP and SNMP version 3 for secure reporting.
 IDS/IPS systems in general as well as specific examples in Cisco’s product line, including IOS IPS and hardware-based IDS/IPS modules for ASA security appliances, 6500-series switches and modular IOS routers.
 Insecure network protocols such as HTTP, FTP and Telnet and their specific vulnerabilities in the context of MITM attacks. The book discusses network security principles for routers, switches, firewalls and other network devices.
 Describes and discusses the “bastion” process for network device and server hardening as well as means to secure routers using Cisco AutoSecure and one-step lockdown CLI tools.
 Presents an extensive survey of threats against the network infrastructure as well as safeguarding and classifying IT assets and information. Technical threats and network remediation are discussed in the context of best practices and over-arching security principles.
 Cisco’s System Development Life Cycle approach, Self-Defending Network (SDN) and SAFE blueprint as well as industry best practices for implementing protocol, password and hardware and software security are discussed in depth in the book.
 Firewall policies, ACLs, Stateful Packet Inspection and UTM principles and operation are explained.
Project #12 - 5mths (Jan. 2008 – May 2008)
Canadian Air Transport Security Authority (CATSA)
Senior Network Security Architect
Mr. Stewart provided IT security analysis including expert oversight and technical assistance for the design, implementation and integration of a gate-to-gate IPsec VPN Protected B secure architecture utilizing Cisco ASA 5520 UTM appliances on the Protected A, Canada-wide CATSA intranet.
 Evaluated, procured and then implemented a secure reporting and event management system (Tenable Security Center) to ensure public sector MITS and GSP compliance.
 Implemented Cisco ASA Security Appliances into the existing network. The network comprised Nortel ERS, Tipping Point IDS/IPS appliances, McAfee (ePolicy Orchestrator) servers, Secure Computing WebWasher and Cisco PIX firewalls in Class 1 and Class 2 airport facilities.
 Part of the project included the establishment of CATSA intranet OSPF areas using the PWGSC TELUS IP/MPLS core as the backbone area.
 Configured and implemented 2-factor authentication using RSA SecurID smart card token technology for the Cisco IPsec remote access (client-to-gate) VPN client solution (using a CA and X.509). FIPS compliance was required for CATSA’s Cisco IPsec VPN client solution.
 IPsec VPNs were designed and implemented for Protected B “islands” to transmit classified data in gate-to-gate VPNs over CATSA’s Protected A intranet.
 SNMP reporting, syslog and NetFlow with Tenable Network Security’s “Security Center” SIEM product were evaluated against Cisco Security MARS.
 CATSA’s Tipping Point IDS/IPS appliances were evaluated, as were Cisco PIX firewalls at the Internet perimeter in both HQ and satellite sites.
 Technology Environment: CATSA’s network used TCP/IP for transport both in their intranet as well as for connection to the Internet. DNS name resolution was configured on an internal server to resolve both internal and external domains. SMTP was used for inbound and outbound email from a DMZ to and from the Internet. CATSA used Cisco 2800-series ISR routers (for Secure Channel access) and Catalyst 2960 and 3750 (stacked) and 6513 series switches.
Project #13 - 0.5mths (Nov. 2007 – Dec. 2007)
Francis Fuel and Freightliner of Ottawa
Senior Security Consultant
Mr. Stewart evaluated an as-built security architecture and subsequently implemented/integrated a secure network of Cisco ASA firewalls (UTM devices) at 3 separate sites connected with a dedicated full-mesh T1 WAN.
 Presented an option analysis for technology integration.
 Decommissioned Cisco ASA firewalls in a full-mesh IPsec VPN solution between three sites, and created network security policies and architecture to support the secure transmission of VoIP between satellite offices and headquarters.
 Integrated a secure Bell-supplied VoIP solution between the remote sites and a central office which uses a Nortel BCM 4000 solution and Nortel VoIP phones integrated into a Layer 3 Cisco Catalyst switch backbone.
 Executed a penetration test to test the solution’s security, including an inside AS/400 mainframe, Lotus Notes and Domino Mail Server and BlackBerry Enterprise Server (BES).
 Designed, implemented/installed and configured a Cisco ASA 5505 remote access (client-to-gate) SSL VPN solution using both the ASDM (Adaptive Security Device Manager) and the command line interface (CLI).
 Integrated a Cisco AnyConnect client-to-gate SSL VPN client solution to HQ and a client-to-gate Cisco IPsec VPN client solution for teleworkers and sales.
 Basic threat detection was configured on Cisco ASA 5505 firewalls as well as access lists on a Cisco 3620 IOS router.
 Implemented an 802.11n wireless network in a separate VLAN at a satellite office using a Cisco Aironet captive access point on a Cisco 881W wireless router.
 Technical Environment: IBM MVS on AS/400, Microsoft Server 2008. HTTP, FTP and Telnet were used to connect to both intranet and internet servers. SIP protocols were used for VoIP traffic with the Nortel BCM solution. D-Link and Linksys LAN switches, and Cisco ASA 5505 firewalls with Security Plus licenses. Also Cisco 3620 and 881W wireless routers and a Cisco Catalyst 3560 PoE switch with full layer 2 and 3 QoS configuration.
Project #14 - 0.5mths (Oct. 2007)
Loyalist College
Network Consultant
This was a troubleshooting contract involving a QoS (Quality of Service) issue with a dedicated remote access Cisco VPN solution and a proprietary central site server. Tools used included the Wireshark protocol analyzer and Cisco switches using SPAN and RSPAN. Mr. Stewart also installed and configured a Cisco VPN 3030 Concentrator head-end device for a remote access (client-to-gate) IPsec and SSL VPN solution, authenticating with RADIUS/LDAP, and integrated the VPN solution into a DMZ to pass through a Cisco PIX 525 UTM firewall deployed at the network perimeter. Transport layer flows in the TCP/IP stack were analyzed carefully to determine where QoS issues were occurring in a client-server flow inside a previously implemented remote-access IPsec VPN solution.
Project #15 - 2 months (Apr. 2007 – Jul. 2007 / Sep. 2007 – Nov. 2007)
Cisco Systems Inc.
Press Development Editor
Mr. Stewart was responsible for the technical content of the 2nd edition of the official Designing for Cisco Internetwork Solutions (DESGN) book. This material is required reading for the CCDA (Cisco Certified Design Associate) curriculum.
 Required expertise in switching, wireless LAN design, routing and Cisco network security as well as in-depth understanding of Cisco’s Life Cycle Design and Self-Defending Network. ISBN 978-1-58705-272-9.
 Edited a new title called Router Security Strategies, ISBN 978-1-58705-336-8. This book was released in Q1 2008.
Project #16 - 90 months (on average 6 months per year) (Jun. 1995 – Present)
IBM Canada and CTE Solutions
Senior Network Architect and CCSI, Global Knowledge Network
One of only a handful of CCSIs in North America, Mr. Stewart provided hands-on advanced training
and Subject Matter Expertise for Global Knowledge in the areas of Network Security analysis, design
and implementation including: the design, evaluation and implementation of security architectures
including IPS/IDSs, VPNs, firewalls and content filters.
• Delivered hands-on technical design and implementation seminars for Global Knowledge. This
experience included the design, configuration, maintenance, testing (planning and execution) and
troubleshooting of lab environments; the environment included leading edge technologies and
featured more specifically a blend of Microsoft and Cisco technologies. The seminars designed
and implemented various security solutions including: IPS/IDSs, IPsec and SSL VPNs; Cisco
3000 series concentrators (initially) and (later) Cisco ASA 5500 in conjunction with Cisco’s
WebVPN, SSL VPN Client (SVC) and AnyConnect Client SSL VPNs; as well as firewalls
and content filters.
• Over the past 6 years (since 2004), Mr. Stewart has been preparing and delivering hands-on
advanced level technical seminars in the areas of network security analysis, design and
implementation.
• As a SME responsible for training often senior level students, he has built and maintained several
lab environments within Global Knowledge premises as part of the teaching process, as well as
on his own business premises for analysis, knowledge advancement and research purposes. The
labs that he has been maintaining include leading edge technologies and feature more specifically
a blend of Microsoft and Cisco technologies. Instruction was predominantly using the Cisco CLI
for configuration, though Cisco has taken a more blended approach with their new SNAF and
SNAA courses where the ASDM is being used extensively in addition to the CLI for all
configurations, especially tasks like SSL VPN which have multiple component steps.
• As part of this hands-on instruction work, Mr. Stewart has been teaching implementation of PKI
for authentication of network devices and end-users in the majority of the IT security courses he
teaches. PKIs configured and implemented include MS CA and OpenSSL. Recently, he has
guided groups of experienced students through the implementation of technology solutions
including, most recently, a PKI to support remote access (client-to-gate) SSL and IPsec VPN
solutions; the solutions included both CA and Active Directory (X.509).
• His work also included analysis, design and advanced troubleshooting of Global Network
infrastructure as and when required. For example: he redesigned, implemented and documented
a full-mesh, redundant remote access (client-to-gate) IPsec VPN solution between the Canadian
operation’s satellite offices and the HQ in Raleigh, North Carolina (2006); he solved a number
of difficult-to-troubleshoot firewall and VPN configuration issues and other network issues that
threatened the Canadian operation with lost productivity.
• Delivered workshops on Cisco’s Self Defending Network and vulnerability and Threat Risk
Assessments.
• Provided hands-on teaching on the building of multi-platform workstation and switch/router
TCP/IP networks, both enterprise and backbone, with a firm grounding in TCP/IP applications
(SMTP, DNS, FTP, Telnet, etc.) as well as IP routing protocols such as RIP, OSPF, BGP, IGRP
and EIGRP.
• Taught Cisco CCNA, CCSP, CCNP and CCIE advanced curriculum as well as non-vendor
Wireless Security (WPA, LEAP, PEAP, WEP and site survey tools).
• Constantly learned, evaluated and certified on leading edge technology including network
hardware, end-user workstations, client-server and operating systems.
• On-going testing (including test planning and execution) of all security solutions being designed
and deployed in the teaching labs’ network.
• Products worked with include Check Point Firewall-1, Cisco ASA 5500 series, PIX and VPN
concentrators and PIX in-line IDS and various protocol analyzers. He designed and implemented
security architectures including hands-on installation and support of SSH Client/Server, HTTPS
on Apache web server, Certificate Authorities and AAA servers using respectively MS CA and
Cisco ACS 4.x and LDAP integration. VPNs were secured between Check Point and Cisco PIX
firewalls using IPsec/IKE and between MS RAS servers and clients using MS PPTP (Point-to-Point
Tunneling Protocol) and L2TP.
Experience gained in the following IT security areas:
• Extensive experience in designing and implementing security architectures including IDSs,
VPNs, firewalls and content filters. Products where expertise was gained include Check Point
Firewall-1, Cisco PIX and ASA 5500 series security appliances and 3000 series VPN
Concentrators, Cisco IDS/IPS servers and SSM modules, and various protocol analyzers.
• Extensive experience in designing and implementing security architectures including hands-on
installation and support of SSH Client/Server, HTTPS on Apache web server, Certificate
Authorities and AAA servers using respectively MS CA and Cisco ACS 3.x and 4.x with
RADIUS and LDAP integration.
• VPNs secured between Check Point and Cisco PIX and ASA security appliances using
IPsec/IKE and between MS RAS servers and clients using MS PPTP (Point-to-Point Tunneling
Protocol) and L2TP.
• Extensive hands-on and instructional experience with Microsoft OSs including Windows
2000 (incl. Server) and Windows XP.
• Delivered workshops on Cisco’s security blueprint, “SAFE”, and Self Defending Network and
vulnerability and Threat Risk Assessments using a variety of tools including nmap, Nessus,
etc.
• Extensive hands-on experience in teaching the building of multi-platform workstation and
switch/router TCP/IP networks, both enterprise and backbone.
• Firm grounding in TCP/IP applications (SMTP, DNS, FTP, Telnet, etc.) as well as IP routing
protocols such as RIP, OSPF, BGP, IGRP and EIGRP. Taught Cisco CCNA, CCSP, CCNP
and CCIE advanced curriculum as well as non-vendor Wireless Security (WPA, 802.11i,
802.1X, LEAP, PEAP, WEP and site survey tools).
Pr. 16.1 – Lab design, implementation, upgrade and maintenance

As a SME responsible for training often senior level students, Mr. Stewart has designed,
implemented and, on an ongoing basis, upgrades and maintains a comprehensive lab environment on
his own business premises for analysis, knowledge advancement and research purposes. The
network architecture design includes Cisco ASA Unified Threat Management devices using
SSL VPNs. The design and implementation work involved configuring Cisco ASA 5500 series
devices using ASDM and CLI.

The lab includes leading edge technologies, within an all-virtualized environment, including the
following:
• Cisco AnyConnect SSL VPN,
• Cisco IPsec VPN clients as well as gate-to-gate IPsec VPNs,
• Active Directory / LDAP (Microsoft and open source implementations),
• RADIUS AAA server,
• Squid web proxy, caching, content and URL filtering server with Cisco WCCP v2 transparent
proxying,
• Cisco IronPort C10 messaging gateway,
• Cisco 871 IOS routers configured in an HSRP cluster, dual-homed to the Internet on static IP
addresses,
• Cisco Catalyst 3524-XL-EN series IOS switches,
• ASA 5505 (w/ Security Plus License) UTM security appliance acting as both an IPsec VPN
server and SSL VPN server and IPsec gate-to-gate VPN endpoint, and an AIP-SSC5 IPS
module providing perimeter intrusion prevention services,
• WPA2-Enterprise wireless access point,
• VMware Server 2.1 and VMware ESXi 4.2,
• Ubuntu, Solaris, Fedora, CentOS and FreeBSD Linux OSs,
• Microsoft Server 2003 and OpenSSL CAs operating in a hierarchical PKI and issuing X.509v3
identity certificates to servers (mail, web, FTP, etc.) and users within a privately hosted domain;
MS Server 2010 and Exchange 2010,
• McAfee VirusScan Enterprise (VSE) v1.6 Linux Server,
• 2 Microsoft 2003 Servers (Enterprise) as domain controllers and configured with Group
Policy Objects (GPOs) within the test lab domain,
• BlackBerry Enterprise Server Express (BESx) and three registered BlackBerry 9700, 9800 and
9810 smartphones,
• Zenoss SNMP Network Management Server,
• Tenable Security Nessus Server.
Project #17 – 1 month (May 2006 – Jul. 2006)
Loyalist College
Cisco Architect
Mr. Stewart conducted IT Security analysis including a Threat Risk Assessment (TRA) on existing
infrastructure and subsequently designed and implemented a remote access (client-to-gate) and
site-to-site (gate-to-gate) IPsec VPN between Loyalist College’s central campus in Belleville and satellite
campuses across the province.
• Implemented a Cisco-proprietary WebVPN and SSL VPN solution.
• Implemented security zones at the central campus and controls for traffic moving between the
zones including wireless hotspots.
• Installed and configured a Cisco VPN 3020 Concentrator into the DMZ and PIX 525 firewall and
RSM at the central office.
• Designed and implemented campus VLAN design and inter-VLAN routing on Loyalist’s RSM.
• Loyalist College has 15,000 users.
Project #18 - 8 months (Aug. 2005 – Sep. 2006)
Alcatel-Lucent Networks
Network Architect/Analyst
Mr. Stewart worked as part of a team to design a new advanced network certification track for
Alcatel’s core service router offerings.
• Technologies included QoS, IP/MPLS, GRE, IPsec VPNs and dynamic routing protocols.
• Courseware, lab fit-out and other materials were delivered according to an aggressive timeline and to
the highest quality standards.
• This project advanced Alcatel’s presence in the networking community with a suite of courses to
compete in this important global market space.
• The work involved 80% design – 20% instruction.
Project #19 - 0.5 months (Jun. 2005 – Aug. 2005)
Loyalist College
Cisco Architect
Mr. Stewart conducted IT Security analysis including a Vulnerability Assessment (VA) and
implemented a complete Local Area Network VLAN overhaul of the college’s core network. The
redesign involved a review of the current collapsed backbone and Novell client/server, followed by a
phased implementation which involved core and internal VLAN architecture with Cisco Catalyst
LAN switches, a Cisco 7206 edge BGP router and Cisco PIX 525 firewall.
Project #20 - 0.5 months (Jul. 2005)
Freightliner Trucks
Cisco Engineer
Mr. Stewart conducted security analysis including a threat risk assessment (TRA) and option analysis;
he designed, procured equipment for, and then implemented a full-mesh site-to-site (gate-to-gate) VPN
solution for Freightliner Trucks with several sites using Cisco PIX firewalls and Linksys wireless
VPN gateways. The solution also supported remote access for a number of teleworkers. The project
involved requirements definition, a statement of work, and a phased implementation plan.
Project #21 - concurrent (May 2005 – Jul. 2005)
Elytra Enterprises
Senior Network Security Consultant
Mr. Stewart wrote a research whitepaper on the security, privacy and legal implications for VoIP as
relates to the introduction of infrastructure VoIP in North America. This extensive research was
conducted for Lucent Technologies Japan.
The report was extremely well received by the customer. Research into the security and privacy
implications of VoIP within the (then) current regulatory and legal frameworks was either nonexistent or poorly conceived. The report, a 500-page document, drew from a number of experts in
both areas and involved extensive interviewing and research.
Project #22 - 4 months (May 2003 – Aug. 2003)
JDS Uniphase
Network Consultant
Mr. Stewart conducted IT Security analysis including a Vulnerability Assessment (VA), and designed,
tested (including test planning and execution) and costed the fit-out of a remotely-accessible
optical fiber lab with WDM (Wave Division Multiplexing) equipment. He separately recommended
learning objectives and provided detailed incremental costing and security risk analysis for delivering
a series of JDSU-proprietary courses over the Internet on encrypted links using the eLearning
instructor-led modality.
Project #23 - 1 month (Sep./Oct. 2002, Jun./Jul. 2003 and Apr./May 2004)
Canadian Network Data Solutions (CANDS)
Cisco Engineer
Mr. Stewart conducted IT Security analysis including a TRA and, based on its recommendations,
implemented Cisco PIX 506E firewall and site-to-site VPN installations at Francis Fuels and
Freightliner Trucks Ottawa.
• Provided firewall screening of the private subnets of several interconnected enterprises as well as
secure remote access to the company network for MS PPTP and Cisco VPN clients.
• Implemented SSH (Secure Shell) and HTTPS access to the PIX firewall. Configured a remote access
solution to allow secure access from the VAR through the PIX to the AS/400 server at the Freightliner
Ottawa site.
Project #24 - 1 month (Jan. 2001 – Aug. 2001)
Northland Systems Inc.
SME and eLearning Consultant
Mr. Stewart co-authored a number of proprietary online advanced TCP/IP and WAN networking
courses for Northland as a Network SME (Subject Matter Expert) and QA lead. These courses are
offered to Alcatel for their network engineers worldwide.
Project #25 - 72 months (Jul. 1993 – Jul. 2000)
Department of Foreign Affairs and International Trade (DFAIT)
LAN/WAN Network Architect, SIGNET Project
On contract to SPS Engineering and Computer Consultants, Mr. Stewart was part of the original
tactical team which architected and rolled out the departmental global WAN and secure intranet, the
Secure Integrated Global Network (SIGNET), at the Department of Foreign Affairs and International
Trade (DFAIT). This infrastructure (SIGNET C) was leveraged by DND for connectivity to
embassies abroad. Technologies included Cisco routers, Frame Relay, TCP/IP, OSPF, and X.400
Mail.
• Acted as Regional Support Manager in both the Europe and Southeast Asia areas of the global WAN.
• Developed a 4-week technology workshop and trained all implementation teams and WAN
support teams for the global rollout.
• 7 years of solid and intimate experience with a geographically large and diverse WAN.
Project #26 - 9 months (May 1992 – Jan. 1993)
Revenue Canada, Customs and Excise (RCCE, now CRA)
Project Manager and Technical Lead
On contract to Iota Consulting, Mr. Stewart was the project leader in charge of the design and
implementation of an Equipment Services group for RCCE (CCRA) and the LAN Integration Centre.
He was later responsible for 20 staff who provided all network infrastructure support for the
department’s SNA mainframe and WAN network across Canada.
• Administered and monitored ISP Service Level Agreements (SLAs) and third-party support
vendors who performed on-site hardware support and installation services outside
Ottawa/Gatineau.
• Supported equipment included WANs with SDLC-attached devices, mainframe (ESCON and Bus
& Tag) and Token Ring LAN-connected (LLC2) hardware and peripherals, terminals, controllers,
gateways, bridges, routers, FEPs, etc.
• RCCE upgraded from 3COM 3+OPEN to MS LAN Manager 2.1 on WaveLAN and Token Ring
topology networks.
Project #27 - 6 months (1991 – 1992)
Department of National Defence (DND)
Architect
At the Flight Structures and Dynamics section of Aeronautical Engineering, Mr. Stewart performed
a feasibility study and prototyped an image data capture/retrieval system called FSDDIS (Flight
Structures and Dynamics Data Integration System). FSDDIS produced front-end data for a UNIX-based
Flight Path Reconstruction Program. Tables of discrete x, y data points from scanned-in graphs
and tabular data, which represented flight test data for aircraft types in the Canadian Forces inventory,
were fed to an OCR front-end and input to CAD and raster-to-vector (R2V) technology which was
used for the conversion of the scanned graphical data. Another module of the prototype system
analyzed and graphed the data, performing simple linear regression, best-curve approximations, and
basic statistics.
Project #28 - 12 months (1990 – 1991)
Ontario Provincial Ministry of Health
Systems Engineer/Project Leader, Emergency Health Services
Mr. Stewart set up and coordinated the implementation of a general systems support contract for the
LANs and WAN of the Emergency Health Services Branch of the Provincial Ministry of Health.
The work involved setup, repair and troubleshooting of software and hardware as well as customer
service at several LAN/WAN installations in Eastern Ontario. Application support encompassed
custom packages as well as basic office automation products; answering user queries; and on-site
training as well as coordination of same throughout the client's user base.
Project #29 - 3 months (1989)
Revenue Canada Customs and Excise (RCCE, now CRA)
Systems Analyst
Mr. Stewart collaborated on the rollout of a national LAN/WAN implementation based on 3COM's
3+OPEN product and interconnecting sites in support of the GST project. The implementation
required the quick, accurate and efficient integration of remote sites over an X.25 WAN and the
training of several diverse groups including the technical support personnel, users, LAN
administrators and Regional Support Managers as well as the trainers themselves. He collaborated
in the formative planning of an overall support organization and its staffing.
Project #30 - 18 months (1989 – 1991)
Supply and Services Canada (now PWGSC)
Programmer/Analyst
The IM/IT Network Database
A logical extension of the SSC Course Training Database, this project involved the enhancement of
a single-user system into full network capabilities. The system required the development of a unique
"paging" menu system with colour-coded navigation. A multiple-hierarchy password protection
system was designed as well as other security measures such as database encryption and compilation
of program source code.
SSC/PDG Course Training Database
Mr. Stewart developed a database application that gave managers, course instructors and other staff
a method to enter applications for training, as well as retrieve current and historical information on
courses offered by internal and external agencies. Reporting requirements included course critiques,
information briefs and mailing lists.
Project #31 - 21 months (1987 – 1989)
Micro Support Services
Programmer Analyst, Customer Support
Mr. Stewart provided customer services in support of both software and hardware. Also, he was
largely involved in troubleshooting and direct maintenance on IBM and compatible microcomputers
and peripherals, as well as set-up and design of Novell and Unix/XENIX local area networks.
• Designed backup procedures and user log-in interfaces as well as documented network
administration manuals.
• Provided application programming in BBx for an accounting package.
• Co-authored a Canadian payroll module.
Project #32 - 8 years (1979 – 1986)
Department of National Defence (DND)
Commissioned Naval Officer (Lieutenant)
Mr. Stewart served in the Canadian Navy in various capacities throughout his tenure at Royal Military
College of Canada where he studied Computer Engineering. Later, on the West Coast in Victoria,
B.C., he served as a bridge officer, ship’s navigator, and junior staff officer.
Mr. Stewart served in various ship types including destroyers and minesweepers.
EDUCATION
• BA, Economics Major/Computer Science Minor, Carleton University, Class of ‘87
CERTIFICATION, TRAINING, AND PROFESSIONAL DEVELOPMENT
• Computer Engineering Courses, Royal Military College
Certifications
• Cisco Certified Systems Instructor CCSI
• Cisco Certified Network Associate CCNA
• Cisco Certified Network Associate Security CCNA Security
• Cisco Certified Security Professional CCSP (need to re-certify as of November ‘11)
Professional Upgrade Courses
• BSCI – Building Scalable Cisco Internetworks
• ICND 1 and 2 – Interconnecting Cisco Network Devices Parts 1 and 2
• SNRS – Securing Networks with Routers and Switches
• IINS – Implementing IOS Network Security
• SNAF – Securing Networks with ASA Fundamentals
• SNAA – Securing Networks with ASA Advanced
• DLSW – Data Link Switching +
• CSVPN – Cisco Secure VPN
• SNAM – SNA for Multiprotocol Administrators
• BCMSN – Building Cisco Multilayer Switched Networks
• ABGP – Advanced Border Gateway Protocol
• MCAST – IP Multicast
• OSPF Design – Open Shortest Path First
• CISSP (Certified Information Systems Security Professional) Boot Camp
• Many others...
Class of ‘83