Michael B. Rash
michaelrash@gmail.com
Mount Airy, MD

Education


THE UNIVERSITY of MARYLAND 
Master of Arts in Applied Mathematics 
Thesis: "The Bastille Wrappings System: An Application of the Software Wrappings Integration Framework to Computer Security"
May, 2000

THE UNIVERSITY of MARYLAND 
Bachelor of Science in Mathematics  
December, 1996

PRINCE GEORGE'S COMMUNITY COLLEGE 
Attended full-time at the age of 14 in lieu of high school 
September 1990 - May 1992

Experience


Senior Security Architect / Technical Council Chair G2, INC. 
Annapolis Junction, MD 
September, 2009 - April, 2011  
  • Wrote custom Python sniffer code to optimize exploit delivery against passively fingerprinted Windows and Linux target systems.
  • Authored technical whitepapers and internal documents for the detection of network attack methods employed by the latest malware and associated botnets that contribute to worldwide network insecurity. This effort emphasized the detection and mitigation of attacks against Government networks.
  • Developed a command-line application "nwdump" to interface with NetWitness packet capture infrastructure so that analysts operating on Linux systems can acquire raw pcap data from NetWitness. The nwdump application was developed in C and utilized the NetWitness SDK.

Security Architect ENTERASYS NETWORKS, INC.; Dragon IDS/IPS Product Development 
Columbia, MD 
October, 2006 - August, 2009  
  • Designed and implemented code in multi-threaded C for IPv6 inspection and attack detection capabilities for an upcoming software release of the Dragon IDS/IPS. This code included IPv6 packet header inspection, updates to various Dragon decoders, and the ability to decode IP-in-IP tunnels.
  • Directed the software engineering effort for the Dragon IDS/IPS network sensor. This included setting engineering priorities with an emphasis on attack detection through enhanced signature detection capabilities, system design, and technical direction of engineers who developed Dragon network sensor code.
  • Developed a fully automated build system for the Dragon ISO appliance image. The system patched and compiled the Linux kernel, was driven by a Subversion repository, bundled all software packages from the Slackware 12.0 Linux distribution, and produced a bootable ISO image for the Dragon software.

Chief Technology Officer (CTO) SOLIRIX, INC.
Severna Park, MD 
April, 2006 - September, 2006  
  • Directed the development effort for the QuantaView network security product line. This product line consisted of components written in C, Perl, and Java and was developed by two independent teams, some members of which worked from remote locations.
  • Authored technical white papers and documentation to help make the case for why Network Behavior Anomaly Detection can provide an additional mechanism to enhance the security of networks today; especially those that only have traditional signature-based Intrusion Detection Systems deployed.


Security Research Engineer ENTERASYS NETWORKS, INC.; Dragon IDS Research Group 
Columbia, MD 
January, 2004 - April, 2006  
  • Extended the Dragon signature language to include full regular expression matching against network traffic, per-signature thresholding, various packet header tests, and communication of state information across signatures.
  • Designed and developed reaction capabilities for the Dragon Network Intrusion Prevention System (Dragon 7.1). These capabilities included the ability to generate session busting traffic and instantiate firewall blocking rules in response to an attack.
  • Wrote the paper "Developing Custom Signature Modules for the Dragon Network IDS Sensor" which details how custom code can be developed to augment the Dragon signature language. This capability can be used to detect attacks that normally challenge the detection abilities of the existing signature language.
  • Implemented IP-based thresholding in the main Dragon alerting agent called "Alarmtool". This made it possible to tie event count thresholds to individual IP addresses.
  • Developed signatures for the Dragon IDS that enabled it to detect new threats and exploits such as the SSL DoS in Microsoft libraries (Microsoft security bulletin MS04-011), SQL injection attacks against PhpNuke, and the Bagle and MyDoom worms. The signature development process involved in-depth analysis of exploit code and packet traces using Ethereal as exploits were leveraged against a target system in a controlled environment.
  • Designed and implemented an internal signature maintenance MySQL database schema and wrote web CGI scripts to facilitate updates and additions of both Dragon NIDS and HIDS signatures.

Programmer USINTERNETWORKING, INC.; GSP-OSS Dept. 
Annapolis, MD 
October, 2001 - January, 2004  
  • IDS Development: Developed a custom Host-Based Intrusion Detection System for USi network infrastructure devices and servers. The HIDS functioned across six different operating systems including Linux, Solaris, and Nokia IPSO, and was deployed on approximately 1,000 machines in the USi corporate network.
  • Wrote Perl/CGI web interfaces to view HIDS data and alerts for the Information Assurance Team so they could respond to significant security events.
  • Implemented keystroke logging in OpenSSH to provide strong audit trail for administration of particularly sensitive systems.

Senior Security Engineer USINTERNETWORKING, INC.; Security Engineering Dept. 
Annapolis, MD 
October, 2000 - October, 2001
  • Security Systems Software Development: Designed, developed, and deployed custom data collection, monitoring, and configuration validation software for critical pieces of the USi security and network infrastructure. The software (integrated into a product called "USi Oasis") was web enabled via Perl/CGI, made use of the Perl DBI to interface with a MySQL database, and used ssh pre-shared keys and the Expect.pm module as the network communication vehicles.
  • USi Oasis enabled USi to pass the SAS-70 Type I and Type II certification audits by Ernst and Young as of May, 2001.
  • Wrote both the USi Linux Security Hardening Guide (used for securing all Linux machines within the USi network infrastructure), and a Perl program (used by USi unix system administrators) to automatically implement the security practices outlined in the guide.

Senior Operations Engineer USINTERNETWORKING, INC.; Operations Dept. 
Annapolis, MD 
May, 2000 - October, 2000  
  • Responsible for system administration of over 400 Checkpoint Firewall-1 version 4.1 firewalls running on Nokia IPSO 3.2.1 for Fortune 500 companies. Firewalls were configured in separate VLANs with two firewalls per server pod in a redundant VRRP failover configuration. Connectivity to clients' remote corporate offices was accomplished through IKE/FWZ VPN encrypted tunnels and/or private backend leased lines on private IP space.
  • Acted as the Senior Technical Lead and escalation point for a team of eight junior and intermediate firewall engineers who worked in the Global Enterprise Management Center (GEMC), a 24x7x365 managed firewall operation.
  • Single-handedly developed and deployed custom Perl scripts to automate the conversion of Checkpoint firewalls from centralized management consoles to the Checkpoint Provider-1 distributed management architecture. These scripts facilitated USi's ability to convert all 400+ firewalls to Provider-1.
  • Developed a distributed Nokia IPSO syslog error message parser to generate detailed reports of the health of the OS on which the Checkpoint firewalls were deployed. The parser used ssh as the network communication vehicle driven by Perl/Expect, and analyzed many errors specific to the Nokia IPSO/Checkpoint combination such as those generated by ipsrd.

Internet Security Consultant M-CUBED INFORMATION SYSTEMS On location at the U.S. DEPARTMENT OF THE TREASURY 
Hyattsville, MD 
September, 1999 - March, 2000  
  • Advised Treasury Department senior officials and technical staff on the methodology the Treasury Department should employ to secure its large internal LAN which consists of over 2,000 desktop machines, TCP/IP enabled mainframes, and high-end servers.
  • Developed a penetration testing and vulnerability analysis plan using the latest versions of ISS SAFESuite, CyberCop, Nmap, and Nessus for the Treasury internal LAN.
  • Administered the Treasury's multiply redundant Raptor 6.0 firewalls, and several Cisco NetRanger Sensors and Directors for intrusion detection running on Solaris 2.6. Deployed multiple Linux machines at strategic network locations and installed the latest security related scanners and sniffers.
  • Gave a biweekly seminar entitled "Topics in Computer Security" to the Treasury Department security/firewall administrators and other members of the technical staff. The goal of each seminar was to summarize a specific security technology and evaluate it for possible inclusion within the Treasury security policy and ultimately for deployment within the Treasury internal LAN.

Security Engineer DIGEX, INC.; Security Management Center
Beltsville, MD 
May 1998 - July 1999  
  • Firewall administration and LAN intrusion detection for over 80 corporate firewalls and LANs, including many Fortune 100 and Fortune 500 companies
  • Firewalls consisted of Cisco PIX, Raptor Eagle, and Check Point Firewall-1, with Cisco NetRanger 2.2.1 for intrusion detection
  • Responsible for firewall/LAN integration and compatibility, ongoing administration, and system backups
  • Wrote filesystem and system load monitoring and reporting software for Raptor Eagle 5.0 and CheckPoint Firewall-1 3.064b firewalls implemented on Solaris 2.6
  • Remotely managed DSMC customer corporate firewalls through VPN encrypted tunnels

Firewall Support Technician DIGEX, INC.; Security Product Operations
Beltsville, MD 
March 1997 - May 1998  
  • Performed troubleshooting of Check Point Firewall-1 3.064b and Raptor Eagle 5.0 firewall configuration problems with DSPO firewall customers
  • Wrote CGI, password authentication, and timing Perl scripts for use in conjunction with the Digex Remedy database
  • Solved Intranet/Internet DNS and routing issues on corporate LANs for Security Services customers
  • Configured Windows NT 4.0 and Sun Solaris 2.5.1 platforms for Firewall/corporate LAN compatibility

Dialup Support Technician DIGEX, INC.; Telecommute Solutions Group
Beltsville, MD 
May 1996 - March 1997  
  • Solved Internet connectivity software configuration problems
  • Instructed junior technicians on troubleshooting end-user Internet connectivity software misconfigurations
  • Managed group account customer subscriptions

Projects/Consulting


IDS Developer BASTILLE-LINUX 
November 1999 - Present 
  • Developed a network intrusion detection engine PSAD for the Bastille-Linux Project. PSAD is written in Perl and C, and detects many Snort network signatures as well as several types of advanced port scanning techniques such as SYN, FIN, and Xmas scans which are easily mounted against a machine via Nmap.

Linux Security Consultant A.N.T. 
April 2000 
  • Installed and made extensive security modifications to a corporate Linux (Red Hat 6.2 Professional Edition) webserver for Digital Island
  • Wrote two documents describing in detail the standard methodologies for making Linux machines rock-solid secure. The first document targeted Linux machines that are not running any servers, and the second specifically targeted Linux webservers.

Applied Mathematics Programmer U.S. ARMY RESEARCH LABORATORY; Sensor Physics Branch
Adelphi, MD 
April 1997 - July 1999  
  • High Performance Computing: Designed and developed a slab-style matrix decomposition algorithm from existing LAPACK code for the more efficient solution of large, dense systems of linear equations
  • Implemented matrix decomposition algorithm on the Silicon Graphics Iris Indigo platform running IRIX 4.0.5F
  • Optimized matrix decomposition algorithm for maximum computing performance on matrices large enough to exceed available system RAM

Website Developer W.S. ATARAS ENGINEERING, INC. 
Upper Marlboro, MD 
October 1996 
  • Single-handedly designed, developed, and constructed corporate website
  • Configured CGI script for website shopping cart

Patents


"Method for Secure Single-Packet Remote Authorization"; #20070234428 (patent pending)

Publications


"Advanced SPA with fwknop"; Hakin9 September 2008

"IDS Signature Matching with iptables, psad, and fwsnort"; USENIX ;login: Magazine (Security Issue) December 2007

"Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort"; No Starch Press (ISBN: 1-59327-141-7), October 2007

"Protecting SSH Servers with Single Packet Authorization"; The Linux Journal May 2007

"Single Packet Authorization"; The Linux Journal April 2007

"Single Packet Authorization with fwknop"; USENIX ;login: Magazine, Feb 2006

"Intrusion Prevention and Active Response: Deploying Network and Host IPS"; Syngress Publishing (ISBN: 193226647X), Feb 2005

"Combining Port Knocking and Passive OS Fingerprinting with fwknop"; USENIX ;login: Magazine, Dec 2004

"Snort 2.1 Intrusion Detection"; Syngress Publishing (ISBN: 1-931836-04-3), May 2004

"Content Filtering and Inspection with fwsnort and psad"; Sys Admin Magazine, Apr 2004

"Firewalls: Doing it Yourself"; Information Security Magazine, Oct 2003

"Running Linux and Netfilter on Nokia IP Series Hardware"; The Linux Journal (website), Apr 2003

"Security Benchmark for Linux" (Contributing Editor); The Center for Internet Security, May 2002

"Verifying Filesystem Integrity with CVS"; The Linux Journal, Feb 2002

"Securing Linux Step-By-Step" (Contributing Editor); SANS, Mar 2002

"Detecting Suspect Traffic"; The Linux Journal, Nov 2001

Skills


  • Internet WAN/LAN Security:
    • Firewall Administration and Integration: CheckPoint Firewall-1 and Provider-1, Raptor Eagle, Cisco PIX, Ipfilter, iptables, Netfilter
    • Network Intrusion Detection Systems (NIDS): Dragon, Cisco NetRanger, Snort, PSAD, Fwsnort, custom software
    • Host Intrusion Detection Systems (HIDS): Tripwire, AIDE, custom software
    • Packet trace analysis: tcpdump, Ethereal, custom software with libpcap
    • Penetration Testing/Vulnerability Analysis: Nmap, Nessus, CyberCop
    • Server/Host OS Security Hardening: Bastille-Linux
    • Virtual Private Networks: SKIP, IKE, IPsec, FWZ, SSL
    • Cryptographic Software and Theory: SSL, SSH, PGP, GPG, DES, 3DES, Kerberos, MD5, AES

  • Languages:
    • Perl, Python, C/C++, UNIX Shell Scripting, Fortran, Forth

  • Internet Communications:
    • TCP/IP based communications (IPv4), Internet Routing, and DNS
    • Webserver communications, CGI development

  • Operating Systems:
    • Linux (2.0.x - 2.6.x kernels), Solaris 2.5 - 8.0, SunOS 4.1.x, Nokia IPSO 3.2.1, FreeBSD 4.1 - 5.2.1, NetBSD 1.2, IRIX 4.0 - 6.2
    • Macintosh OS 8, OS X

References


Available Upon Request