Projects

This is a small excerpt from the projects I've realized in my career.

ISP Mailsolution I've developed a full-fledged mail solution for an ISP based only on open source products. A homebrewed web interface manages the ~4000 users and writes its data into a MySQL database, which stores the necessary information into an LDAP database that is replicated multiple times into satellite LDAP servers. The mail server uses the LDAP database as its configuration, user base, vacation information and user quota; furthermore it authenticates against LDAP for POP, IMAP and authenticated SMTP requests. The MTA checks mails for viruses on arrival and sends them to a spam-scanning engine that marks mails as good or bad, after which the MDA finally decides how to sort the mails out. The MTA is secured against relay attacks but also has a rate limit and per-IP limits implemented so it can't be easily attacked from the bad internet. It encrypts POP and IMAP sessions so the users have a secure home.
Secure ISP Webhosting Based on Apache, suexec, FastCGI and PHP I've set up a secure and automated webhosting solution for thousands of websites, where the Apache HTTP server is automatically configured and home directories are automatically provisioned according to data in an LDAP database. The user accounts and FTP users also come from an LDAP database, so no local user accounts are kept on the web server. With the use of some scripts every user also gets an automated website analysis with the use of awstats without manual intervention. With the help of suexec it is possible to put each user's PHP scripts in a secure context, so the PHP scripts can't do harm to anybody on the web server except the user that owns the PHP scripts.
Greylisting Firewall An OpenBSD approach where I've secured a really poor mail server which was DoS'ed by evil spammers. I've put a bridging firewall between the mail host and the internet (with a special redundant spanning tree setup in case of failure) that would implement greylisting, so the mail server can breathe again. It greylists 95% of all incoming mail and keeps the spammers out.
Server Virtualization In many approaches I use virtualization techniques. I mainly deal with Linux-VServer and Xen but am also able to help out with other (open source) virtualization techniques.
Enterprise Network Security I've implemented a highly redundant (with the use of VRRP and Rapid Spanning Tree) and fault-tolerant network for an IT enterprise that would secure every network port that is out there in the company. Starting with printers in a separate network, I've also highly secured the workstations in the network by enforcing 802.1X authentication on the network level. Computers that can't authenticate will be dropped into a guest VLAN with internet access but no chance of doing harm.
Firewall Redundancy I've implemented redundant firewalls that even share and synchronize their states by using the OpenBSD packet filter and pfsync, as well as CARP (something like VRRP or HSRP, you name it) to provide a redundant IP address. PF makes the configuration of a firewall really readable and easy. I've implemented routing and switching firewalls.
Monitoring Solution As an experienced Nagios administrator I can write custom checks and deal with custom SNMP scripts, for example to alert in case of a mail queue that is too full. I am able to monitor servers as well as routers. Furthermore I use Cacti and other graphing tools for statistical analysis of the behaviour or trend of a server or router. I've gained quite some experience with rrdtool during various projects.
sFlow Analysis A huge project for the Vienna Internet Exchange was to write software that interprets sFlow data to generate graphs for peer-to-peer relationships on an exchange point. This tool is also used to generate a peering matrix.
Cisco/Foundry automation I've written a collection of software that is able to periodically and automatically fetch the current config of Cisco and Foundry devices and store it on a TFTP server. Furthermore this software suite can also push config snippets to an arbitrary number of devices (or groups of devices) in a secure manner over SNMPv3.
IPv6 Being an experienced IPv6 user I've deployed an IPv6 backbone for a small ISP as well as for many services (BIND, Apache, Exim, etc.).
LDAP Authorization and Authentication Having used LDAP for more than 5 years I am quite knowledgeable on how to deploy an LDAP authorization and authentication infrastructure for arbitrary services (Apache, SMTP, POP3, IMAP, PPP, CalDAV, WebDAV, PAM, etc.).
L2TP Endpoint I've deployed a RADIUS authentication infrastructure that uses LDAP as a DB backend and connected that to a Cisco L2TP / PPP / VPDN service which sets static routes for specific users and also puts them into a VRF instance if desired.

References

For security reasons I don't provide names of my references. I can assure you though that I have worked for governmental institutions, universities and internet service providers.