Network Security


02/06/14: Page Origin.

My NetSec History
By 1997, when I went to work for Compucom, I was into request brokers for load balancing and connecting applications to servers. Even though the company was Windows-centric, they still did all their critical work on Unix iron. After developing an infrastructure to support several of their critical apps on HP 9000s, I was asked to solve some sendmail issues. This led to helping solve some BIND issues and finally some routing issues the company was having. One day the head of network security came by and asked if I could help them with some Linux problems they were having. It turned out the former head of network security had moved on to greener pastures, leaving some interesting Linux code running which the current netsec guys couldn't quite handle. So I moved into network security and fell in love with it. It was like drinking from a firehose; there was so much to learn about protocols, firewalls, Cisco switch/router ACLs, etc., but, as I said, I loved it. A short while after I moved over, there was a major RIF and I was left the most senior person in network security; by then I was also pretty much the most senior technical person in the company. We only had 4 sensors to cover a network with thousands of desktops, hundreds of laptops, over 50 remote sites, numerous links to client companies, and hundreds of in-house servers. I wrote the network behavioral IDS on this site, then got it going on the sensors and one ancient server we had at Compucom. I had used NTSC's Shadow, so the behavioral NIDS I wrote accomplished similar goals, only in real time. NTSC's Shadow allows you to watch traffic and see exactly what folks are doing; I learned a bunch just watching traffic this way and I still watch it today. I also became familiar with versions of Dragon, a knowledge-based IDS. The company had received a problematic security review from their auditors and I was assigned to solve the network security problems arising from the audit.

The company started on a comprehensive network upgrade and as part of it we (netsec) were allowed to purchase 16 more sensors and 4 fairly powerful servers just for security. In a few months we had all these sensors and servers up and running, monitoring the network. The large servers had over a terabyte of storage to keep captured network information and had their own gigabit network between them. Having enough space to store captured packet info has been a problem for most security operations, so the terabyte was invaluable.

In 2003 I went to work for Globaldataguard, where I mostly programmed and became even more familiar with specific firewalls, router ACLs, and other security equipment. We developed a really keen and more efficient database to store captured network information, which was interrogated using an SQL-like language. I had an opportunity to work on many firewalls, router ACLs, and bridging. One interesting thing I did was to integrate Snort into a traffic logger we developed, to accomplish both behavior-based and knowledge-based packet monitoring in a single multi-threaded process.

In December of 2009 I retired, but I keep my eye on my own network (here).