michael.rash@gmail.com
Mount Airy, MD
Education

THE UNIVERSITY of MARYLAND
Master of Arts in Applied Mathematics
Thesis: "The Bastille Wrappings System: An Application of the Software
Wrappings Integration Framework to Computer Security"
May, 2000

THE UNIVERSITY of MARYLAND
Bachelor of Science in Mathematics
December, 1996

PRINCE GEORGE'S COMMUNITY COLLEGE
Attended full-time at the age of 14 in lieu of high school
September 1990 - May 1992
Experience

Senior Security Architect / Technical Council Chair
G2, INC.
Annapolis Junction, MD
September, 2009 - April, 2011
- Wrote custom Python sniffer code to optimize exploit delivery against passively
  fingerprinted Windows and Linux target systems.
- Authored technical whitepapers and internal documents for the detection of network
  attack methods employed by the latest malware and associated botnets that contribute
  to worldwide network insecurity. This effort emphasized the detection and mitigation
  of attacks against Government networks.
- Developed a command-line application "nwdump" to interface with NetWitness packet
  capture infrastructure so that analysts operating on Linux systems can acquire raw
  pcap data from NetWitness. The nwdump application was developed in C and utilized
  the NetWitness SDK.

Security Architect
ENTERASYS NETWORKS, INC.; Dragon IDS/IPS Product Development
Columbia, MD
October, 2006 - August, 2009
- Designed and implemented code in multi-threaded C for IPv6 inspection and attack detection
  capabilities for an upcoming software release of the Dragon IDS/IPS. This code included
  IPv6 packet header inspection, updates to various Dragon decoders, and the ability to
  decode IP-in-IP tunnels.
- Directed the software engineering effort for the Dragon IDS/IPS network sensor. This
  included setting engineering priorities with an emphasis on attack detection through
  enhanced signature detection capabilities, system design, and technical direction of
  engineers who developed Dragon network sensor code.
- Developed a fully automated build system for the Dragon ISO appliance image. The
  system patched and compiled the Linux kernel, was driven by a Subversion repository,
  bundled all software packages from the Slackware 12.0 Linux distribution, and produced
  a bootable ISO image for the Dragon software.
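Decoding IP-in-IP tunnels so that inspection runs against the inner packet rather than stopping at the outer tunnel header, as an added Python example that is not Dragon decoder code: it unwraps IPv4 protocol 4 (IP-in-IP) and 41 (IPv6-in-IPv4) encapsulation, and the same next-header values in IPv6, down to a depth limit, refuses a packet whose inner version contradicts what the outer header announced, and hands back the innermost transport payload. The sample packets are constructed inline with struct (checksums left at zero); IPv6 extension headers are not walked, an assumed simplification.

```python
"""Unwrap IP-in-IP encapsulation so inspection sees the inner packet.
Added example, not Dragon decoder code: handles IPv4 protocol 4 (IP-in-IP,
RFC 2003) and 41 (IPv6-in-IPv4, RFC 4213) and the same next-header values in
IPv6. IPv6 extension headers are not walked (assumed simplification) and no
checksums are computed; sample packets are constructed inline with struct."""
import socket
import struct
from typing import List, Tuple

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_IPV6 = 4, 6, 41
MAX_TUNNEL_DEPTH = 4   # bound nesting so a crafted packet cannot spin the decoder
Layer = Tuple[str, str, str, int]   # (version, src, dst, protocol / next header)

def parse_ipv4(buf: bytes) -> Tuple[Layer, bytes]:
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(buf):
        raise ValueError("inconsistent IPv4 header fields")
    return ("IPv4", socket.inet_ntop(socket.AF_INET, src),
            socket.inet_ntop(socket.AF_INET, dst), proto), buf[ihl:total_len]

def parse_ipv6(buf: bytes) -> Tuple[Layer, bytes]:
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    vtcfl, plen, next_hdr, _, src, dst = struct.unpack("!IHBB16s16s", buf[:40])
    if vtcfl >> 28 != 6 or plen > len(buf) - 40:
        raise ValueError("inconsistent IPv6 header fields")
    return ("IPv6", socket.inet_ntop(socket.AF_INET6, src),
            socket.inet_ntop(socket.AF_INET6, dst), next_hdr), buf[40:40 + plen]

def decode_tunnels(buf: bytes) -> Tuple[List[Layer], int, bytes]:
    """Return all IP layers outside-in, the innermost protocol number and its payload."""
    layers: List[Layer] = []
    payload, promised = buf, None   # promised: protocol the enclosing header announced
    while True:
        if len(layers) >= MAX_TUNNEL_DEPTH:
            raise ValueError("tunnel nesting exceeds MAX_TUNNEL_DEPTH")
        version = payload[0] >> 4 if payload else 0
        # A header announcing one IP version but carrying another is broken or an
        # evasion attempt; refuse rather than guess which layer to inspect.
        if (promised == IPPROTO_IPIP and version != 4) or (promised == IPPROTO_IPV6 and version != 6):
            raise ValueError("encapsulated version contradicts outer protocol field")
        if version == 4:
            layer, payload = parse_ipv4(payload)
        elif version == 6:
            layer, payload = parse_ipv6(payload)
        else:
            raise ValueError("unknown IP version")
        layers.append(layer)
        promised = layer[3]
        if promised not in (IPPROTO_IPIP, IPPROTO_IPV6):
            return layers, promised, payload

def inner_tcp_dport(buf: bytes) -> int:
    """Destination port of the innermost TCP header: what a port-based signature should see."""
    _, proto, payload = decode_tunnels(buf)
    if proto != IPPROTO_TCP or len(payload) < 20:
        raise ValueError("innermost payload is not a TCP segment")
    return struct.unpack("!H", payload[2:4])[0]

def is_malformed(buf: bytes) -> bool:
    try:
        decode_tunnels(buf)
    except ValueError:
        return True
    return False

# --- constructed sample packets (checksums left at zero) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_pton(socket.AF_INET, src), socket.inet_pton(socket.AF_INET, dst)) + payload

def build_ipv6(src: str, dst: str, next_hdr: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_hdr, 64,
                       socket.inet_pton(socket.AF_INET6, src), socket.inet_pton(socket.AF_INET6, dst)) + payload

def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# IPv6 SYN to port 22 inside a 6in4 tunnel
SAMPLE_6IN4 = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPV6, build_ipv6(
    "2001:db8::1", "2001:db8::2", IPPROTO_TCP, build_tcp(40000, 22, 0x02)))
# IPv4 SYN to port 80 under two levels of IP-in-IP
SAMPLE_IPIP2 = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPIP, build_ipv4(
    "10.0.0.1", "10.0.0.2", IPPROTO_IPIP, build_ipv4(
        "172.16.0.1", "172.16.0.2", IPPROTO_TCP, build_tcp(1234, 80, 0x02))))
# Outer header announces IPv6 inside but carries IPv4: must be rejected
SAMPLE_MISMATCH = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPV6, build_ipv4(
    "10.0.0.1", "10.0.0.2", IPPROTO_TCP, build_tcp(1, 2, 0x02)))

if __name__ == "__main__":
    for pkt in (SAMPLE_6IN4, SAMPLE_IPIP2):
        print(decode_tunnels(pkt)[0], "inner TCP dport", inner_tcp_dport(pkt))
```

The version/protocol cross-check matters as much as the unwrapping itself: a sensor that trusts only the outer protocol field, or only the inner version nibble, can be steered onto a different layer than the end host will actually process.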

Chief Technology Officer (CTO)
SOLIRIX, INC.
Severna Park, MD
April, 2006 - September, 2006
- Directed the development effort for the QuantaView network security product line. This
  product line consisted of components written in C, Perl, and Java, which were developed by
  two independent teams, some members of which worked from remote locations.
- Authored technical white papers and documentation to help make the case for why Network
  Behavior Anomaly Detection can provide an additional mechanism to enhance the security
  of networks today, especially those that only have traditional signature-based Intrusion
  Detection Systems deployed.

Security Research Engineer
ENTERASYS NETWORKS, INC.; Dragon IDS Research Group
Columbia, MD
January, 2004 - April, 2006
- Extended the Dragon signature language to include full regular expression matching against
  network traffic, per-signature thresholding, various packet header tests, and communication
  of state information across signatures.
- Designed and developed reaction capabilities for the Dragon Network Intrusion Prevention
  System (Dragon 7.1). These capabilities included the ability to generate session busting
  traffic and instantiate firewall blocking rules in response to an attack.
- Wrote the paper "Developing Custom Signature Modules for the Dragon Network IDS Sensor"
  which details how custom code can be developed to augment the Dragon signature
  language. This capability can be used to detect attacks that normally challenge the
  detection abilities of the existing signature language.
- Implemented IP-based thresholding in the main Dragon alerting agent called "Alarmtool".
  This made it possible to tie event count thresholds to individual IP addresses.
- Developed signatures for the Dragon IDS that enabled it to detect new threats and exploits
  such as the SSL DoS in Microsoft libraries (Microsoft security bulletin MS04-011), SQL
  injection attacks against PhpNuke, and the Bagle and MyDoom worms. The signature development
  process involved in-depth analysis of exploit code and packet traces using Ethereal as
  exploits were leveraged against a target system in a controlled environment.
- Designed and implemented an internal signature maintenance MySQL database schema and wrote
  web CGI scripts to facilitate updates and additions of both Dragon NIDS and HIDS signatures.

Programmer
USINTERNETWORKING, INC.; GSP-OSS Dept.
Annapolis, MD
October, 2001 - January, 2004
- IDS Development; Developed a custom Host-Based Intrusion Detection System for USi
  network infrastructure devices and servers. The HIDS functioned across six different
  operating systems including Linux, Solaris, and Nokia IPSO, and was deployed on approximately
  1,000 machines in the USi corporate network.
- Wrote Perl/CGI web interfaces to view HIDS data and alerts for the Information Assurance
  Team so they could respond to significant security events.
- Implemented keystroke logging in OpenSSH to provide a strong audit trail for administration
  of particularly sensitive systems.

Senior Security Engineer
USINTERNETWORKING, INC.; Security Engineering Dept.
Annapolis, MD
October, 2000 - October, 2001
- Security Systems Software Development; Designed, developed, and deployed custom data collection,
  monitoring, and configuration validation software for critical pieces of the USi security and network
  infrastructure. The software (integrated into a product called "USi Oasis") was web enabled via Perl/CGI,
  made use of the Perl DBI to interface with a MySQL database, and used ssh pre-shared keys and the Expect.pm
  module as the network communication vehicles.
- USi Oasis enabled USi to pass the SAS-70 Type I and Type II certification audits by Ernst and Young
  as of May, 2001.
- Wrote both the USi Linux Security Hardening Guide (used for securing all Linux machines within the USi
  network infrastructure), and a Perl program (used by USi unix system administrators) to automatically
  implement the security practices outlined in the guide.

Senior Operations Engineer
USINTERNETWORKING, INC.; Operations Dept.
Annapolis, MD
May, 2000 - October, 2000
- Responsible for system administration of over 400 Checkpoint Firewall-1 version 4.1 firewalls
  running on Nokia IPSO 3.2.1 for Fortune 500 companies. Firewalls were configured in separate
  VLANs with two firewalls per server pod in a redundant VRRP failover configuration. Connectivity
  to clients' remote corporate offices was accomplished through IKE/FWZ VPN encrypted tunnels and/or
  private backend leased lines on private IP space.
- Acted as the Senior Technical Lead and escalation point for a team of eight junior and
  intermediate firewall engineers who worked in the Global Enterprise Management Center (GEMC),
  a 24x7x365 managed firewall operation.
- Single-handedly developed and deployed custom Perl scripts to automate the conversion of
  Checkpoint firewalls from centralized management consoles to the Checkpoint Provider-1 distributed
  management architecture. These scripts facilitated USi's ability to convert all 400+ firewalls
  to Provider-1.
- Developed a distributed Nokia IPSO syslog error message parser to generate detailed reports of
  the health of the OS on which the Checkpoint firewalls were deployed. The parser used ssh as the
  network communication vehicle driven by Perl/Expect, and analyzed many errors specific to the Nokia
  IPSO/Checkpoint combination such as those generated by ipsrd.

Internet Security Consultant
M-CUBED INFORMATION SYSTEMS
On location at the U.S. DEPARTMENT OF THE TREASURY
Hyattsville, MD
September, 1999 - March, 2000
- Advised Treasury Department senior officials and technical staff on the
  methodology the Treasury Department should employ to secure its large
  internal LAN which consists of over 2,000 desktop machines, TCP/IP enabled
  mainframes, and high-end servers.
- Developed a penetration testing and vulnerability analysis plan using
  the latest versions of ISS SAFESuite, CyberCop, Nmap, and Nessus for the
  Treasury internal LAN.
- Administered the Treasury's multiply redundant Raptor 6.0 firewalls,
  and several Cisco NetRanger Sensors and Directors for intrusion detection
  running on Solaris 2.6. Deployed multiple Linux machines at strategic
  network locations and installed the latest security related scanners and
  sniffers.
- Gave a biweekly seminar entitled "Topics in Computer Security" to the
  Treasury Department security/firewall administrators and other members of
  the technical staff. The goal of each seminar was to summarize a specific
  security technology and evaluate it for possible inclusion within the
  Treasury security policy and ultimately for deployment within the Treasury
  internal LAN.

Security Engineer
DIGEX, INC.; Security Management Center
Beltsville, MD
May 1998 - July 1999
- Firewall administration and LAN intrusion detection for over 80 corporate
  firewalls and LANs, including many Fortune 100 and Fortune 500 companies
- Firewalls consisted of Cisco PIX, Raptor Eagle, and Check Point
  Firewall-1, with Cisco NetRanger 2.2.1 for intrusion detection
- Responsible for firewall/LAN integration and compatibility, ongoing
  administration, and system backups
- Wrote filesystem and system load monitoring and reporting software
  for Raptor Eagle 5.0 and CheckPoint Firewall-1 3.064b firewalls implemented
  on Solaris 2.6
- Remotely managed DSMC customer corporate firewalls through
  VPN encrypted tunnels

Firewall Support Technician
DIGEX, INC.; Security Product Operations
Beltsville, MD
March 1997 - May 1998
- Performed troubleshooting of Check Point Firewall-1 3.064b and Raptor
  Eagle 5.0 firewall configuration problems with DSPO firewall customers
- Wrote CGI, password authentication, and timing Perl scripts for use in
  conjunction with the Digex Remedy database
- Solved Intranet/Internet DNS and Routing issues on corporate
  LANs for Security Services customers
- Configured Windows NT 4.0 and Sun Solaris 2.5.1 platforms
  for Firewall/corporate LAN compatibility

Dialup Support Technician
DIGEX, INC.; Telecommute Solutions Group
Beltsville, MD
May 1996 - March 1997
- Solved Internet connectivity software configuration problems
- Instructed junior technicians on troubleshooting end-user Internet
  connectivity software misconfigurations
- Managed group account customer subscriptions

Projects/Consulting

IDS Developer
BASTILLE-LINUX
November 1999 - Present
- Developed a network intrusion detection engine PSAD
  for the Bastille-Linux Project. PSAD is written in Perl and C, and
  detects many Snort network signatures as well as several types of
  advanced port scanning techniques such as SYN, FIN, and Xmas scans which
  are easily mounted against a machine via Nmap.
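The two detection ideas named in the PSAD entry above and in the Alarmtool entry under the Dragon IDS Research Group (classifying SYN, FIN and Xmas scan probes by their TCP flags, and tying an event-count threshold to an individual source IP) in one added Python example that is not psad, Dragon or Alarmtool code. It maps a flag byte to the scan type Nmap would have produced it with, counts distinct destination ports per source address and scan type, and raises a single alert once a threshold is reached. The packet tuples, addresses and threshold are constructed for the example; a sniffer built on libpcap or tcpdump output would feed the same four fields.

```python
"""Classify Nmap-style TCP probes by flag combination and alert per source IP.

Added example, not psad, Dragon or Alarmtool code. Packets are constructed
tuples (src_ip, dst_ip, dst_port, tcp_flags); a sniffer built on libpcap or
tcpdump output would supply the same four fields.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# TCP flag bits as laid out in the flags byte of the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

Packet = Tuple[str, str, int, int]  # (src_ip, dst_ip, dst_port, tcp_flags)


def classify_probe(flags: int) -> Optional[str]:
    """Return the Nmap scan type a flag combination is characteristic of.

    Anything carrying ACK is treated as session traffic and ignored (a bare-ACK
    probe cannot be told from a stray segment without connection state).
    """
    relevant = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if relevant & ACK:
        return None
    if relevant == SYN:
        return "SYN"             # nmap -sS, half-open scan
    if relevant == FIN:
        return "FIN"             # nmap -sF
    if relevant == FIN | PSH | URG:
        return "XMAS"            # nmap -sX
    if relevant == 0:
        return "NULL"            # nmap -sN
    return None                  # RST or odd combinations: not a recognised probe


class ScanDetector:
    """Track distinct destination ports per (source IP, scan type) and alert once
    the count reaches port_threshold; the threshold is tied to the individual
    source address, so one noisy host cannot push another over the line."""

    def __init__(self, port_threshold: int = 5) -> None:
        self.port_threshold = port_threshold
        self._ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
        self._alerted: Set[Tuple[str, str]] = set()

    def feed(self, pkt: Packet) -> Optional[str]:
        src, dst, dport, flags = pkt
        scan = classify_probe(flags)
        if scan is None:
            return None
        key = (src, scan)
        self._ports[key].add(dport)
        count = len(self._ports[key])
        if count >= self.port_threshold and key not in self._alerted:
            self._alerted.add(key)   # alert once per source/scan type, not per packet
            return f"{scan} scan from {src}: {count} ports probed on {dst}"
        return None


def run(packets: Iterable[Packet], port_threshold: int = 5) -> List[str]:
    """Feed a packet stream through one detector and collect the alerts it raises."""
    detector = ScanDetector(port_threshold)
    return [a for a in (detector.feed(p) for p in packets) if a is not None]


# Constructed sample traffic (addresses from the RFC 5737 documentation range)
SAMPLE_PACKETS: List[Packet] = (
    [("192.0.2.9", "192.0.2.1", p, SYN) for p in (22, 25, 80, 443, 8080, 3306)]  # SYN scan
    + [("192.0.2.1", "192.0.2.9", 40000, SYN | ACK)]                            # handshake reply
    + [("192.0.2.7", "192.0.2.1", p, FIN | PSH | URG) for p in (21, 23, 139)]  # Xmas, below threshold
    + [("192.0.2.5", "192.0.2.1", 443, SYN)]                                    # one ordinary connect
)

if __name__ == "__main__":
    for alert in run(SAMPLE_PACKETS):
        print(alert)
```

Counting distinct ports rather than raw packets is what keeps a retransmitting legitimate client from tripping the threshold, and keying the count on the source address is the per-IP thresholding the Alarmtool entry describes; with the default threshold only the six-port SYN sweep from 192.0.2.9 produces an alert, while the three-port Xmas probe stays below it until the threshold is lowered.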

Linux Security Consultant
A.N.T.
April 2000
- Installed and made extensive security modifications to a corporate
  Linux (Red Hat 6.2 Professional Edition) webserver for Digital Island
- Wrote two documents describing in detail the standard methodologies
  for making Linux machines rock-solid secure. The first document targeted
  Linux machines that are not running any servers, and the second
  specifically targeted Linux webservers.

Applied Mathematics Programmer
U.S. ARMY RESEARCH LABORATORY; Sensor Physics Branch
Adelphi, MD
April 1997 - July 1999
- High Performance Computing; Designed and developed slab-style
  matrix decomposition algorithm from existing LAPACK code for the more
  efficient solution of large, dense systems of linear equations
- Implemented matrix decomposition algorithm on the Silicon
  Graphics Iris Indigo platform running IRIX 4.0.5F
- Optimized matrix decomposition algorithm for maximum
  computing performance on matrices large enough to exceed available
  system RAM

Website Developer
W.S. ATARAS ENGINEERING, INC.
Upper Marlboro, MD
October 1996
- Single-handedly designed, developed, and constructed corporate website
- Configured CGI script for website shopping cart

Patents

- "Method for Secure Single-Packet Remote Authorization"; #8,413,248, issued April, 2013

Publications

- "Advanced SPA with fwknop"; Hakin9, September 2008
- "IDS Signature Matching with iptables, psad, and fwsnort"; USENIX ;login: Magazine (Security Issue), December 2007
- "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort"; No Starch Press (ISBN: 1-59327-141-7), October 2007
- "Protecting SSH Servers with Single Packet Authorization"; The Linux Journal, May 2007
- "Single Packet Authorization"; The Linux Journal, April 2007
- "Single Packet Authorization with fwknop"; USENIX ;login: Magazine, Feb 2006
- "Intrusion Prevention and Active Response: Deploying Network and Host IPS"; Syngress Publishing (ISBN: 193226647X), Feb 2005
- "Combining Port Knocking and Passive OS Fingerprinting with fwknop"; USENIX ;login: Magazine, Dec 2004
- "Snort 2.1 Intrusion Detection"; Syngress Publishing (ISBN: 1-931836-04-3), May 2004
- "Content Filtering and Inspection with fwsnort and psad"; Sys Admin Magazine, Apr 2004
- "Firewalls: Doing it Yourself"; Information Security Magazine, Oct 2003
- "Running Linux and Netfilter on Nokia IP Series Hardware"; The Linux Journal (website), Apr 2003
- "Security Benchmark for Linux" (Contributing Editor); The Center for Internet Security, May 2002
- "Verifying Filesystem Integrity with CVS"; The Linux Journal, Feb 2002
- "Securing Linux Step-By-Step" (Contributing Editor); SANS, Mar 2002
- "Detecting Suspect Traffic"; The Linux Journal, Nov 2001

Skills

- Internet WAN/LAN Security:
  - Firewall Administration and Integration: CheckPoint Firewall-1 and Provider-1, Raptor Eagle, Cisco PIX, Ipfilter, iptables, Netfilter
  - Network Intrusion Detection Systems (NIDS): Dragon, Cisco NetRanger, Snort, PSAD, Fwsnort, custom software
  - Host Intrusion Detection Systems (HIDS): Tripwire, AIDE, custom software
  - Packet trace analysis: tcpdump, Ethereal, custom software with libpcap
  - Penetration Testing/Vulnerability Analysis: Nmap, Nessus, CyberCop
  - Server/Host OS Security Hardening: Bastille-Linux
  - Virtual Private Networks: SKIP, IKE, IPsec, FWZ, SSL
  - Cryptographic Software and Theory: SSL, SSH, PGP, GPG, DES, 3DES, Kerberos, MD5, AES
- Languages:
  - Perl, Python, C/C++, UNIX Shell Scripting, Fortran, Forth
- Internet Communications:
  - TCP/IP based communications (IPv4), Internet Routing, and DNS
  - Webserver communications, CGI development
- Operating Systems:
  - Linux (2.0.x - 2.6.x kernels), Solaris 2.5 - 8.0, SunOS 4.1.x, Nokia IPSO 3.2.1, FreeBSD 4.1 - 5.2.1, NetBSD 1.2, IRIX 4.0 - 6.2
  - Macintosh OS 8, OS X

References

Available Upon Request