140 Central Street, Acton, MA 01720

no-more-calls-please § john.manning@gmail.com

www.johnmanning.org

John Manning

Profile

IT Infrastructure Solutions Designer with experience that combines communication, leadership and out-of-the-box problem solving. Expertise includes security, firewalls, load balancers, content delivery networks, content replication, service monitoring and backups.

  • Design, engineer and implement large internet gateways, including web hosting, mail, DNS, VPN, proxy and default gateway services.
  • CISSP certified; interpret policy and business requirements to deliver solutions that manage risk. Draw on knowledge of HIPAA, GLBA, SARBOX, SB 1386, and the Visa standard.
  • Deliver major network upgrades and redesigns with zero downtime, including planning and participating in enterprise network implementation.
  • Consistently solve complex technical problems that previously defied resolution. Exceptionally strong technical skills.
  • Invited speaker at industry events, with topics that include Quarantine Networks (Network Security Forum, 10/2005), Quality Scanning (Network Security Forum, 10/2004), System Patch Lifecycle (ISSA, 7/2002), and Internet Gateway Design (ISSA, 5/2001).

Experience

HEWLETT PACKARD (previously Compaq, Digital Equipment Corporation) 1997-2005

Senior Network Engineer 2002-2005

Played a key role on a team of eight designing and implementing the next generation of HP’s web hosting infrastructure, part of HP’s Adaptive Network Architecture. (Environments: Microsoft, HP-UX, Cisco, Checkpoint, Foundry, ProCurve)

  • Defined, introduced and implemented web hosting infrastructure and port and protocol standards consistently at 11 hosting sites worldwide.
  • Consulted with business application developers to define network connectivity requirements and enforced use of standards to meet business needs. Engineered network communications for over 50 business solutions / applications.
  • Participated in SOW/SLA definition with key customers, as well as due diligence and RFP preparations for major projects.
  • Provided Level 4 support. Resolved all escalated complex problems, working closely with Microsoft, Cisco, Checkpoint and other major solution providers. Senior “go to” resource for resolving difficult tasks involving scalability, availability and performance.
  • Conducted training with management, businesses and support groups to communicate across all levels the advantages of HP’s network strategy.

Technical Lead, Internet Operations North America 1998-2002

Delivered end-to-end operations support to 1000+ systems located at three major hosting sites, including enterprise web hosting, proxy, mail, DNS and VPN. Defined standards, with an early focus on security. Key contributor during the explosive growth of the dot-com cycle.

  • Developed and implemented automated quality and risk analysis for 2000+ systems.
  • Senior Engineer for www.digital.com, www.compaq.com, www.hp.com and ftp.compaq.com.
  • Received the highest rating from an external security audit by Ernst & Young.

Skills

Technical Platforms: Windows 2003/XP/2000/NT, UNIX, Linux, Knoppix, IOS, PIX, FW1

Tools: Visio, Perl, Netmon, SQL, ASP/HTML, ISS Internet Scanner

Education / Training

BS - Computer Information Systems, Bentley College, 1997

Certified Information Systems Security Professional (CISSP: 66307), 2004

Microsoft Certified Systems Engineer, MCSE W2K (MCP ID# 2332318)

Network Security Forum, Boston, MA, 2001-2005

Other

Information Systems Security Association (ISSA), Board of Directors, New England Chapter

Project List 2003-2005

HP Shared Intrusion Detection Managed Service

  • Goal: Develop an IDS/IPS shared infrastructure solution for trade customers hosted in HP's Shared Web Hosting environment.
  • My Role: Technical Engineer responsible for product testing, configuration standards, inline network placement, documentation, training, implementation and handoff.
  • My Contribution: Evaluated TippingPoint and Cisco's IPS products. Piloted Cisco's latest appliance and blade solutions. Implementation in the Houston datacenter ongoing.

HP Single Homed E-Service Network

  • Goal: Develop requirements, engineer infrastructure, build the cost model, and promote the design. Solution must leverage the existing design of dual-homed hosting wherever possible. Minimize costs. Solution needs to consider migration of 1000's of installed servers, both dual and single homed, and find the best standard going forward.
  • My Role: Lead architect, identify stakeholders, recruit contributors, technical engineer, evangelist
  • My Contribution: Led a diverse team of engineers, application developers, and security leads worldwide to establish requirements as well as acceptable solutions and budgets. Produced a hosting environment design that supported the needs of all existing customers as well as the flexibility to adapt as needed. Pilot underway at the Boeblingen, Germany site.

New England Security Forum, Boston. User briefings:

  • Microsoft Network Access Protection (NAP). Discuss an ongoing HP pilot of NAP. Present on NAP's use of IPsec, route manipulation, 802.1X, and VLAN shunting to enforce policy network-wide.
  • Patch Management using Streaming OS. Administration of large numbers of identical systems (think call center) can be simplified using streaming OS strategies such as Ardence's product. The solution allows a single OS image to be loaded by all clients; patch the image and all clients are patched at the next boot.

Vulnerability Scanning Compartment design and implementation

  • Goal: HP's 2 class A networks (15/8 & 16/8) require enormous vulnerability scans, often impacting the network infrastructure at the source of the scan. In order to make these scans run quickly and not interrupt business, a dedicated compartment will be created. The compartment:
    • should bypass the datacenter hub routers so that forwarding databases are not filled.
    • should have unrestricted access to all other compartments (approved by Infosec and the Network Security Council).
    • 8 compartments will be built worldwide.
  • My Role: Network Engineering. Implementation Advisor.
  • My Contribution: Designed, documented and delivered the compartment as required. The compartment was approved by all governing committees and the business was satisfied with the results of the 3 sites deployed as of 10/2005. Compartment documentation and SLA recorded. Compartment owner assigned.

Corporate Outbound VPN solution (using ISA 2004 EE ~ 'The Silver Bullet')

  • Goal: Secure outbound VPN connections, required by the business but not meeting the security policy restricting simultaneous access to HP's network and any other network (split-tunnel routing, dual horizon, ...).
  • My Role: Solution Engineer
  • My Contribution: "Silver Bullet" & "Twister" projects. My 'Silver Bullet' design was successfully tested, approved and incorporated into the Tornado project (a good thing!).
    • Design leverages the standard corporate VPN client kit and ISA 2004 EE.
    • Central management through ISA's Enterprise console.
    • Server allows limited access to HP for DNS & WINS while allowing users to establish VPN sessions to the internet.
    • IPsec OK. PPTP OK. But not all VPN client vendors support a layered connection. Microsoft, Cisco & Checkpoint tested successfully.

Corporate Compartmentalization Consultant

  • Goal: Participate in consultations to HP businesses.
  • My Role: Resolve business problems related to network connectivity in the compartmentalized network space. Primarily focused on internet-facing networks and security issues.
  • My Contribution: Worked over 50 consultations since 2003.

Corporate Proxy standards and migration ISA 2004

  • Goal: Upgrade existing ISA 2000 servers to ISA 2004.
  • My Role: Product testing, load testing, defining configuration standards, implementing central management.
  • My Contribution: Tested and documented ISA 2004 Enterprise Edition standards that were deployed to 10+ servers supporting 40,000 users. Worked with Microsoft to resolve an ISA bug with passive FTP sessions; this resulted in an MS hotfix.

WAN utilization analysis and optimization of proxy traffic

  • Goal: Optimize worldwide proxy traffic. Eliminate unnecessary WAN traffic related to web proxies.
  • My Role: Lead Engineer, Solution provider
  • My Contribution: Developed a system to analyze network traffic and automatic browser configuration data to improve proxy assignments for users.
    • Worked with regional proxy administrators to optimize upstream and failover traffic to minimize WAN usage.
    • Worked with helpdesks to educate representatives on correct settings and the impact of incorrect settings.
    • Implemented ACLs, QoS and traffic optimizers where needed.
    • Worked with application owners to optimize application use of the network and proxy infrastructure.

    Resulted in a major reduction in WAN traffic (15%-25% on most transoceanic links), preventing the need for costly upgrades in some situations.


Automate routine SNMP changes on all network equipment corporate wide

  • Goal: Update SNMP community strings yearly on over 50,000 network devices.
  • My Role: Tool development.
  • My Contribution: Created a single tool which supported automated updating of 90% of devices.
    • Tool did not require pre-classification of devices; supported all Cisco, Foundry, HP and Extreme hardware.
    • Tool did not require SNMP access to make the change.
    • Reduced time to complete the work each year by ~1 FTE!
    • Tool provided detailed reporting and automated tracking.
    • Tool was adaptable to other similar repetitive tasks, thus exceeding goals, e.g. password changes, ACL changes.
    • Tool has been used since 2003 without problems.
    • This tool was written in Perl.
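The approach the bullets above describe, as an added example (Python rather than the original Perl, and not the author's tool): fingerprint the vendor from `show version` so the inventory needs no pre-classification, expand a vendor-specific CLI command set that adds the new community before removing the old one, and verify from the running configuration afterwards, all over the CLI session rather than SNMP. The real telnet/SSH transport is replaced by a constructed `FakeDevice`; the banner patterns, command templates and the `FLEET` sample are assumptions to verify against each platform's documentation, not HP data.

```python
"""Yearly SNMP community rotation over the device CLI (no SNMP access
needed for the change). Added example, not the original Perl tool.
Banner patterns and command templates are assumptions: verify them
against each platform's documentation before use."""
import re
from collections import Counter

# Vendor is inferred from 'show version' output (assumed banner strings).
VENDOR_SIGNATURES = [
    ("cisco", re.compile(r"Cisco (?:IOS|Internetwork Operating System)")),
    ("foundry", re.compile(r"Foundry Networks|IronWare")),
    ("procurve", re.compile(r"ProCurve|Hewlett-Packard")),
    ("extreme", re.compile(r"Extreme Networks|ExtremeWare|ExtremeXOS")),
]
# Add the new community before removing the old one, so a failure half-way
# never leaves a device unmanageable. Syntax is assumed per vendor.
ROTATION_TEMPLATES = {
    "cisco": ["configure terminal", "snmp-server community {new} RO",
              "no snmp-server community {old}", "end", "write memory"],
    "foundry": ["configure terminal", "snmp-server community {new} ro",
                "no snmp-server community {old}", "end", "write memory"],
    "procurve": ["configure", "snmp-server community {new} operator restricted",
                 "no snmp-server community {old}", "exit", "write memory"],
    "extreme": ["configure snmp add community readonly {new}",
                "configure snmp delete community readonly {old}",
                "save configuration"],
}
SHOW_CONFIG = {"cisco": "show running-config", "foundry": "show running-config",
               "procurve": "show running-config", "extreme": "show configuration"}

def fingerprint(show_version):
    """Return the vendor key, or None when no signature matches."""
    for vendor, pattern in VENDOR_SIGNATURES:
        if pattern.search(show_version):
            return vendor
    return None

def rotation_commands(vendor, old, new):
    """Expand the vendor template, refusing strings that could break the CLI."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{8,32}", new):
        raise ValueError("community must be 8-32 chars from [A-Za-z0-9_-]")
    return [c.format(old=old, new=new) for c in ROTATION_TEMPLATES[vendor]]

def verify_rotation(running_config, old, new):
    """Post-change check: new string present, old string gone."""
    return new in running_config and old not in running_config

def rotate_device(dev, old, new):
    """Drive one CLI session; dev.send(cmd) returns the device's output."""
    vendor = fingerprint(dev.send("show version"))
    if vendor is None:
        return "unclassified"  # left for the manual 10%
    for cmd in rotation_commands(vendor, old, new):
        dev.send(cmd)
    ok = verify_rotation(dev.send(SHOW_CONFIG[vendor]), old, new)
    return "ok" if ok else "verify-failed"

def rotate_fleet(devices, old, new):
    """Per-device status plus the summary Counter for the yearly report."""
    status = {name: rotate_device(dev, old, new) for name, dev in devices.items()}
    return status, Counter(status.values())

class FakeDevice:
    """Constructed stand-in for a telnet/SSH session: understands just
    enough of each assumed syntax to apply the rotation and show config."""
    def __init__(self, show_version, communities):
        self.show_version, self.communities = show_version, set(communities)

    def send(self, cmd):
        if cmd == "show version":
            return self.show_version
        if cmd in ("show running-config", "show configuration"):
            return "\n".join(f"snmp community {c}" for c in sorted(self.communities))
        m = re.match(r"(no )?snmp-server community (\S+)", cmd)
        if m:
            (self.communities.discard if m.group(1) else self.communities.add)(m.group(2))
        m = re.match(r"configure snmp (add|delete) community readonly (\S+)", cmd)
        if m:
            (self.communities.add if m.group(1) == "add" else self.communities.discard)(m.group(2))
        return ""

# Constructed fleet: four vendors plus one device nothing recognises.
FLEET = {
    "core-rtr-1": FakeDevice("Cisco Internetwork Operating System Software\nIOS (tm) C3550", ["public2004"]),
    "dc-lb-2": FakeDevice("Foundry Networks, Inc. ServerIron\nIronWare : Version 07.3.05", ["public2004"]),
    "edge-sw-3": FakeDevice("Image stamp: /sw/code/build\nProCurve J4900A Switch 2626", ["public2004"]),
    "dmz-sw-4": FakeDevice("ExtremeWare Version 7.3.0 (Build 3) by Release_Master", ["public2004"]),
    "mystery-5": FakeDevice("Welcome to SomeOtherOS v1.0", ["public2004"]),
}

if __name__ == "__main__":
    status, summary = rotate_fleet(FLEET, "public2004", "public2005")
    for name, result in status.items():
        print(f"{name:12} {result}")
    print(dict(summary))
```

The same structure carries the other repetitive jobs the bullets mention (local password or ACL changes): only `ROTATION_TEMPLATES` and the verification predicate change, the fingerprinting and reporting stay as they are.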

Active Directory

  • Goal: Using HP corporate standards, implement directory service for the E-Service compartment. Provide single sign-on for administrators worldwide.
  • My Role: Identify requirements, network requirements, protocol approval
  • My Contribution: Developed and worked approval of the connectivity required for an Active Directory spanning 11 gateway E-Service sites.
    • Used my Checkpoint firewall log analysis tools to determine port requirements for replication, authentication, and client connections.

Global Compartment Manager for world wide e-commerce hosting compartments

  • Goal: Single reference for all issues related to the E-commerce hosting compartment at 11 core sites worldwide.
  • My Role: GCM - Maintain standards, articulate strategy, promote compliance and participate in road map planning.
  • My Contribution: 

Oversee & assist core Internet Gateway migration from legacy site to new architecture (Boeblingen)

  • Goal: Migrate 200+ systems from legacy hosting (router ACL of 12,000+ lines) to the new corporate hosting standard PIX / FW1.
  • My Role: Assist in ACL definition, promote design advantages and assist with implementation.
  • My Contribution: HUGE router ACL was converted to stateful rules for Cisco PIX & Checkpoint FW1. Conversion was assisted by a tool I developed to be used at each legacy site to be migrated. This site will be the first deployment of the new single-homed design. Migration of existing servers will be piece by piece (sorry, no forklift upgrade on this project).

High Volume syslog solution

  • Goal: Support logging of Cisco PIX firewalls in debug mode (~5 to 15 GB daily per device).
  • My Role: Technical Engineer
  • My Contribution: Highly available syslog servers designed and deployed to 5 sites.
    • Red Hat ES 5.
    • Load-balanced syslog receiver per site.
    • Tested up to 50 GB of daily traffic.
    • Solution turned over to the standard support group for ongoing use.

Shared Backup Network

  • Goal: Develop a secure method to share backup hardware between network compartments. Compartment policy must not be violated. Solution must be approved and documented, as well as adopted by the worldwide backup teams. Avoid host routes on clients!
  • My Role: Solution Architect / Technical Engineer
  • My Contribution: Developed a network using Cisco private VLANs (or VLAN ACLs on HP ProCurves) to isolate backup connections from compartments. This is essentially a physical port ACL that prevents backup clients from talking to any other port.
    • This solution allows for cost savings and increased security (operator / installation error eliminated).
    • Solution was documented and adopted by the managed storage and backup team.

Dual Homed Server Routing Standard

  • Goal: Develop and implement a worldwide dual-homed server routing standard.
  • My Role: Technical Engineer / trainer
  • My Contribution: Defined standard routing rules.
    • Gained approval from network and security councils.
    • Developed presentations and documentation.
    • Presented on 11 occasions.
    • Routing standard was clear and complete, and simplified application development and ACL defaults.

FW log correlation and reporting

  • Goal: Use firewall logs to identify misconfigurations and usage statistics.
  • My Role: Developer
  • My Contribution: Daily analysis and reporting on 10 GB of data from NA, EMEA & AP.
    • Checkpoint and PIX firewall logs.
    • Daily reports clearly identified server configuration issues, security violations and top talkers.
    • Solution also helped identify port and protocol requirements for applications.
    • This process runs without user interaction, and has resulted in frequent actions based on the information.
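The kind of correlation the report above describes (and the port-requirement derivation mentioned under the Active Directory project), as an added example that is not the author's tool: parse PIX syslog lines into normalised records, then derive per-server accepted port/protocol sets (the input for a firewall rule set), top talkers, every ACL deny as a policy violation, and sources that hit the same blocked destination port repeatedly, which in practice is usually a misconfigured client rather than an attack. The message layouts follow Cisco PIX IDs 302013/302015 (built connection) and 106023 (deny by access-group); the `SAMPLE_LOG` lines are constructed, not HP data, and a Check Point export would need its own parser feeding the same record shape.

```python
"""Daily firewall log correlation: accepted port/protocol inventory per
server, policy violations, top talkers and repeated denies. Added example,
not the original tool. Parses Cisco PIX syslog IDs 302013/302015 (built
TCP/UDP connection) and 106023 (denied by access-group)."""
import re
from collections import Counter, defaultdict

# Built TCP/UDP connection: first address is the initiator, second the target.
BUILT = re.compile(
    r"%PIX-6-30201[35]: Built (?:inbound|outbound) (TCP|UDP) connection \d+ "
    r"for \w+:([\d.]+)/(\d+) \([\d./]+\) to \w+:([\d.]+)/(\d+)"
)
# Denied by ACL; ICMP denies carry no ports but may carry "(type N, code M)".
DENY = re.compile(
    r"%PIX-4-106023: Deny (tcp|udp|icmp) src \w+:([\d.]+)(?:/(\d+))? "
    r"dst \w+:([\d.]+)(?:/(\d+))?(?: \(type \d+, code \d+\))? "
    r'by access-group "([^"]+)"'
)

def parse_pix(line):
    """Return a normalised record, or None for message IDs we do not model."""
    m = BUILT.search(line)
    if m:
        proto, src, sport, dst, dport = m.groups()
        return {"action": "accept", "proto": proto.lower(), "src": src,
                "sport": int(sport), "dst": dst, "dport": int(dport), "acl": None}
    m = DENY.search(line)
    if m:
        proto, src, sport, dst, dport, acl = m.groups()
        return {"action": "deny", "proto": proto, "src": src,
                "sport": int(sport) if sport else None, "dst": dst,
                "dport": int(dport) if dport else None, "acl": acl}
    return None

def correlate(lines, deny_threshold=3):
    """Correlate one day of log lines into the sections of the daily report."""
    accepted_ports = defaultdict(set)   # dst server -> {(proto, dport)}
    talkers = Counter()                 # src -> accepted connections
    denies = []                         # every policy violation, in order
    deny_pairs = Counter()              # (src, dst, proto, dport) -> count
    for line in lines:
        rec = parse_pix(line)
        if rec is None:
            continue
        if rec["action"] == "accept":
            accepted_ports[rec["dst"]].add((rec["proto"], rec["dport"]))
            talkers[rec["src"]] += 1
        else:
            denies.append(rec)
            deny_pairs[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    # One source hammering one blocked destination port all day is usually a
    # misconfigured client (wrong resolver, stale NTP/SMTP server), not an attack.
    repeated = {k: n for k, n in deny_pairs.items() if n >= deny_threshold}
    return {
        "accepted_ports": {h: sorted(p) for h, p in accepted_ports.items()},
        "top_talkers": talkers.most_common(5),
        "denies": denies,
        "repeated_denies": repeated,
    }

# Constructed sample: one day from one firewall (not real HP logs).
SAMPLE_LOG = """\
Oct 12 00:01:02 fw1 %PIX-6-302013: Built inbound TCP connection 1 for outside:203.0.113.5/40001 (203.0.113.5/40001) to dmz:10.10.1.20/443 (10.10.1.20/443)
Oct 12 00:01:03 fw1 %PIX-6-302013: Built inbound TCP connection 2 for outside:203.0.113.5/40002 (203.0.113.5/40002) to dmz:10.10.1.20/443 (10.10.1.20/443)
Oct 12 00:01:04 fw1 %PIX-6-302013: Built inbound TCP connection 3 for outside:198.51.100.7/5000 (198.51.100.7/5000) to dmz:10.10.1.20/80 (10.10.1.20/80)
Oct 12 00:01:05 fw1 %PIX-6-302015: Built outbound UDP connection 4 for dmz:10.10.1.20/33000 (10.10.1.20/33000) to inside:10.0.0.53/53 (10.0.0.53/53)
Oct 12 00:02:00 fw1 %PIX-4-106023: Deny tcp src outside:192.0.2.9/4455 dst dmz:10.10.1.20/23 by access-group "outside_in"
Oct 12 00:05:00 fw1 %PIX-4-106023: Deny udp src dmz:10.10.1.21/1234 dst inside:10.0.0.99/123 by access-group "dmz_out"
Oct 12 01:05:00 fw1 %PIX-4-106023: Deny udp src dmz:10.10.1.21/1235 dst inside:10.0.0.99/123 by access-group "dmz_out"
Oct 12 02:05:00 fw1 %PIX-4-106023: Deny udp src dmz:10.10.1.21/1236 dst inside:10.0.0.99/123 by access-group "dmz_out"
Oct 12 02:06:00 fw1 %PIX-4-106023: Deny icmp src outside:192.0.2.9 dst dmz:10.10.1.20 (type 8, code 0) by access-group "outside_in"
""".splitlines()

if __name__ == "__main__":
    rep = correlate(SAMPLE_LOG)
    for host, ports in rep["accepted_ports"].items():
        print(host, "needs", ", ".join(f"{p}/{d}" for p, d in ports))
    print("top talkers:", rep["top_talkers"])
    print("policy violations:", len(rep["denies"]))
    for (src, dst, proto, dport), n in rep["repeated_denies"].items():
        print(f"likely misconfig: {src} -> {dst} {proto}/{dport} denied {n}x")
```

Against the sample the accepted set for 10.10.1.20 comes out as tcp/80 and tcp/443, which is exactly the rule set a PIX or FW1 policy for that server needs, and the NTP denies from 10.10.1.21 surface as one repeated pair rather than three unrelated alerts.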

Customer Work: Motorola, Reebok, Starwood Hotels, Applied Biosystems, P&G, Microsoft


So much more ... just ask me.