SMITASIN/CV

Michael N. Smitasin

Cybersecurity Engineer, Systems Security Architect
Lawrence Berkeley National Laboratory

Research Interests

High-performance networking and security; open network monitoring and analysis; practical cryptography; network-based building occupancy detection; open-source intrusion detection; operational big data analysis.

Experience

Cybersecurity Engineer, Systems Security Architect
Lawrence Berkeley National Laboratory (May 2018 - Present)

Published Security Reference Architectures and Security Design Guide to assist system owners and implementers consider possible risks/mitigations/controls, and design their systems with security in mind.
Provided network and security architecture design review and implementation consulting internally and externally, including scientific research staff, IT division service owners, construction project management, research & education organizations and private industry.
Contributed subject matter expertise and documented LBNL implementation of NIST SP 800-53 Rev. 5 controls.
Implemented cloud-native logging solution to aggregate audit, WAF, and EDR logs from multiple cloud service providers to a cloud-hosted log management and analytics platform. Wrote tools to integrate cloud-hosted solution with existing cybersecurity workflows.
Implemented column-oriented database system for high performance network log searching and analytics and presented work to cybersecurity staff from across Department of Energy national laboratory complex.
Developed configuration standards, processes, and security validation procedures for migrating between firewall vendors and provided guidance and advice to network group on project implementation.
Evaluated and implemented service to provide web application firewall, caching/CDN, SSL/TLS termination and application logging functionality for ~1500 public facing web servers, and developed tools for API integration to cybersecurity processes.
Designed system to replace traditional RTBH with large scale border blocking capabilities up to 2^32 IPv4 addresses.
Upgraded Cybersecurity network infrastructure, including L2 switches, firewalls, and 40G/100G tap aggregation devices and defined new standards for cable management.
Built tools for identifying device owners by correlating historical MAC/IP addresses across multiple authentication sources.
Optimized configuration of tap aggregation switches for TCAM scaling limitations, allowing for dynamic traffic shunting based on 5-tuple IPv4 and IPv6 match criteria.
Investigated network intrusion incidents and built tools to detect and prevent exploitation of newly discovered vulnerabilities.
Presented on network tapping, tap aggregation and web application firewalling to conferences and working groups composed of universities and other national laboratories.
Contributed technical expertise to case study on Zero Trust and web application firewalling published by Cloudflare, Inc.

Principal Network Engineer
Lawrence Berkeley National Laboratory (July 2016 - April 2018)

Designed next generation campus aggregation routing layer and developed standards for configuring and implementing new routers with BGP, OSPF/v3, PIM, IGMP, HSRP, and Netflow v9.
Led project to upgrade satellite locations to redundant, provider-diverse circuits for the same on-going cost as previous single-provider wave service. Moved each location to CWDM over dark fiber and 802.1ad (Q-in-Q) over Metro-Ethernet, improving link capacity in 3/4 of locations by 10x, and adding bandwidth and latency monitoring to all links.
Led design of new wireless infrastructure to provide geographic redundancy for wireless core and improved link capacity.
Led design of new tap aggregation infrastructure to accommodate 40G backbone network, additional 100G external peering links and provide geographic redundancy to cybersecurity monitoring systems.
Tested, deployed, documented and trained staff on configuration of IPSec VPN tunnels to multiple Virtual Private Cloud providers.
Led network group's implementation of multi-factor authentication using FIPS 140-2 Level 4 tokens and securing of network infrastructure to comply with DOE mandates.
Led automation of network group's Linux server deployment and configuration management with Puppet.
Built R&D network environment for evaluation of new technologies, configurations, and performance testing.
Provided consulting to research staff and network engineers at research laboratories, universities and multi-national research organizations on the implementation of Science DMZ architecture to support high bandwidth, long distance data transfers.
Provided advice and assistance on work techniques, best practices and subject-matter expertise to other network engineers in building and operating the LBNL campus network.

Routing Team Co-Chair & Volunteer
ACM/IEEE Supercomputing Conference (August 2015 - November 2017)

Led 17 network engineers from universities, research laboratories and service provider networks from around the world during the year of planning, and three weeks of staging, setup, and operation of the conference network. Recruited volunteers, developed strategy, assigned and prioritized work, documented standards, and advised on technical implementation. Worked closely with Architecture, WAN Transport and Network Security teams to coordinate cross-team collaboration.
Negotiated ~$26 Million USD worth of loaned routing and switching equipment from five vendors to build a terabit-scale network providing global connectivity for exhibitors to showcase high performance computing, storage, and network applications.
Designed a six-vendor optical transport network with metro-ethernet rings and data center interconnects to provide 37x100G connectivity to booths on the show floor.
Installed, configured, and provided troubleshooting for four-vendor core and aggregation routers in terabit-scale networks for SC15 and SC16 utilizing BGP, IS-IS, and PIM. Led efforts to implement OpenFlow and Ryu controller for programming network flows in multi-vendor access layer.
Worked with exhibitors to troubleshoot data transfers at 100 Gbps, including insufficient throughput due to layer-1 issues, high latency resulting from WAN peering preferences, and misconfigured/untuned devices both at the show and at remote locations.

Network Engineer
Lawrence Berkeley National Laboratory (August 2013 - July 2016)

Presented research at national networking conferences on repeatable open-source testing methodologies for evaluating the suitability of network equipment for Science DMZ environments.
Collaborated with researchers to develop methods for gathering building occupancy data using existing network infrastructure to drive intelligent, automated building control systems.
Designed and implemented new redundant routing infrastructure in support of nearly 4000 wireless devices, including new Autonomous System (ASN 63331), multiple new peerings, Provider Independent IPv6 address space, and utilizing BGP, OSPF/v3, VRRP, uRPF, and geographically defined VLANs.
Worked with research staff to implement Science DMZ network architecture to support multiple 10 Gbps data transfer flows over long distances (>50ms RTT) while continuing to service low-latency acquisition and visualization workflows.
Contributed to implementation of redundant border routers, additional zone/aggregation routers, additional 10 Gbps external peering links and the Lab's first 100 Gbps WAN link.
Drove process for implementing collapsed access layer design using VLANs and controller-based wireless networks.
Involved in green field network deployments in newly constructed buildings, including developing requirements, proposing network designs, reviewing construction documents, and working with contractors to ensure conformity.
Defined standards for configuring performance testing and packet capture servers at core infrastructure locations.
Designed and implemented VLANs, Anycast DNS, and 10 Gbps core links in Advanced Light Source accelerator controls networks.
Improved monitoring of multi-vendor network equipment using Nagios, Cacti and Syslog/Simple Event Correlator.
Implemented new data center network infrastructure offering 10 Gbps access ports, VLANs, redundant routing/switching to HPC and enterprise data systems.
Led implementation of Juniper switches and routers, defining configuration standards and ensuring interoperability in multi-vendor network environment.
Assigned and distributed tasks and projects to other network engineers as part of Acting Work Lead duties.

Presentations & Publications

"Network Tapping for Zeek (Deep Dive)"
ESnet Cyber Infrastructure Engineering Lunch & Learn Series, March 2023
"Network Tapping for Zeek"
ZeekWeek 2022, October 2022
"Cloudflare Case Study: Lawrence Berkeley National Laboratory"
Cloudflare, Inc, September 2021
"Cloudflare Lessons Learned"
ESnet Cyber Infrastructure Engineering Lunch & Learn Series, October 2020
"Fast IOC searching with a columnar database (ClickHouse)"
Department of Energy Network Security & Monitoring Meeting, April 2019
"Accessing Wi-Fi Data for Occupancy Sensing"
Contributor, Lawrence Berkeley National Laboratory, doi: 10.7941/S97H0V, September 2017
"Evaluating Network Buffer Size Requirements for Very Large Data Transfers"
Internet2 Technology Exchange 2015, Advanced Networking Track, October 2015
"Evaluating Network Buffer Size Requirements for Very Large Data Transfers"
NANOG 64, Research & Education Track, June 2015
"Buffering for High BDP Flows"
ESnet Site Coordinators Committee, March 2015
"Switch Buffer Experiments"
Internet2 Technology Exchange 2014, Performance Working Group, October 2014

Professional Training

Cyber Fire Network Archaeology, Department of Energy (March 2020)
Cyber Fire Entry Point, Department of Energy (October 2018)
Enterprise Defender, SANS Institute (September 2015)
Advanced BIND and DNSSEC, Internet Systems Consortium (March 2014)
Introduction to BIND, Internet Systems Consortium (March 2014)

Education

University of Oregon, Bachelor of Science, June 2007
School of Architecture & Allied Arts, Digital Arts