Senior Security Engineer | CISSP 831782 | Security Architecture (GDSA) | CCIE #50155 | Intrusion Analyst
Saudi Telecom Company - Stc
Total years of experience: 11 years, 6 months
- Engaged in the IT projects to collect and decide on security requirements in the start phase
of new IT system development and integration.
- Ensuring IT Security Policy enforcement by enabling and selecting the security controls as part
of the design phase before system implementation.
- Establish and review the HLD and LLD of security solutions with Security vendors and security
implementation team
- Working on escalated technical issues with security operation for production issues.
- Working with implementation team for datacentre migration to plan physical and logical
security controls requirements
- Engaged in security assessment with cyber security compliance team for any policy exception
and infrastructure change to maintain compliance with regulatory and security program
requirements
- Assist in developing and enhancing the security roles, policies, and controls implemented on
the security devices and security process and procedures.
- Participate in the IT change management process by reviewing the change requests and
providing feedback when required.
- Analyse existing security systems and make changes or improvements if required to fix
vulnerabilities and emerging risks.
- Updating the risk register for IT security projects and systems.
- Continuous review of the network attack surface for deficiencies in visibility, protocols, OS vulnerability, encryption, authentication, and authorization.
- Run auditing tools for network devices (Nipper) to fix all CISecurity Level 1 benchmarks, and most Level 2.
- Harden the switches: port-security, DHCP snooping, configuring Private VLAN, disabling vulnerable services, enabling strong password hashes, enabling logging.
- Harden routers: neighbour authentication, EIGRP, BGP routing authentication, block bogus IPs, enable SNMPv3, NTP authentication, and apply ACL.
- Cisco ASA, Palo Alto, Fortinet firewall configurations and implementations. Apply the required firewall segmentation (DMZ), security rules, NAT rules, packet captures, enable logging.
- Migration of layer 3/4 ASA Firewall to Next-generation Firewall, Palo Alto or Cisco Firepower.
- Move port TCP/UDP firewall rules to rules that include (application + TCP/UDP ports), user-based rule-sets, enable intrusion prevention in firewall rules, malware sandboxing (inbound and outbound files), DLP, URL filtering, DNS filtering, and geolocation rule-sets, enable SSL decryption.
- Cisco Firepower IPS: configure and monitor Cisco IPS, as well as read, interpret, and analyze network traffic and related log events, and configure the required Snort rules.
- Configuring web proxy Cisco WSA, Bluecoat. Controlling Internet access by enabling authenticated access, banners for unknown URLs, site category filtering, URL whitelisting and blacklisting.
- Cisco IronPort: configure anti-spam, email spoofing, phishing emails. Enable sender verification and authentication, SPF DNS TXT records, DomainKeys (DKIM), DMARC, cousin domain blacklist, rate-limiting.
- Implementing and configuring Cisco SSL VPN AnyConnect for remote access users, implementing different groups based on employee user or vendor and giving them the required access, enabling RADIUS user authentication with multifactor authentication.
- Configure and establish remote network access securely by IPSEC VPN, GRE DMVPN and enabling the required authentication and encryption controls, by Cisco ASA and Cisco routers.
- Cisco ACS to manage access policies for network device administration, TACACS+, RADIUS for network devices, VPN remote users, and integrate the authentication process with AD, multifactor authentication (RSA).
- Validate, plan and carry out software version upgrades of various network and security devices in a periodic, timely manner.
Etihad Etisalat Company (Mobily), Managing and Operating Hosted Data center and Cloud Services Project.
Managing and Operating Mobily Hosted Data Center Network and Security Infrastructure (Malga Data Center), Managing and Operating Customer WAN IPVPN, DIA to get access to their network at Malga HDC through Mobily MPLS VPN, or public Internet.
Identifies, troubleshoots and resolves hardware-, software- and network-related problems
encountered by end-users of the network, the Internet, the servers or network and security infrastructures.
Configuring VLANs and switch infrastructures, VLAN trunking, port-channel, STP to extend VLANs from Cisco ASA5580, core Nexus7000 C7018, Cisco Nexus5020, Cisco Catalyst 4507, Cisco IPS Sensors, ACE load balancer to customers' production servers.
Configuring routing and implementing VRF for each customer, OSPF, BGP, to distribute routes from customer networks through Mobily MPLS, Mobily Data Centers Core to customers' server networks.
Managing and operating Cisco ASA5580, ASA5540 firewalls, software update, licensing. Hardware fail-over, Active/Active Failover.
Configuring virtual firewalls (contexts) for each customer. Applying rules (ACLs) to allow traffic from Internet and MPLS segment to customers' servers. Configuring static NAT for public servers, and global NAT.
Managing and configuring Management ASA Firewall, for out-of-band management of HDC devices and Mobily different team access to customers' servers.
Troubleshooting traffic sessions on Cisco ASA, traffic capture, and analyzing flags and logs to identify issues in connections through ASA or terminated.
Implementing and troubleshooting IPSec site-to-site VPN on edge ASR1006 Internet Router for customers' production traffic through public Internet.
Implementing and troubleshooting AnyConnect SSL VPNs on ASA 5540 Firewall, for management access to all Customers Servers. Manage SSL AnyConnect connection profiles, Group-Policy, User and Devices authentication.
Cisco ACE4710: managing the appliance, SW upgrading, licenses, implementing failover, configuring serverfarm, server load balancing policy.
Configuring and managing Cisco IPS 4270 Intrusion Prevention Sensor Appliances, image recovery, application update, signature update.
Implementing IPS in interface vlan-pair or Promiscuous mode to analyze traffic and customizing IPS operation for Network environment.
Tuning signatures to produce the required alerts and summary, monitoring events and applying actions for each signature and global actions, monitoring events and generating attack reports.
Bachelor, Computer Engineering - Average 3.4 out of 4
Saudi Council of Engineers #115856