What are the responsibilities and job description for the Network Security Engineer – Cisco ASA / Checkpoint position at Cipher7?
Job Title: Network Security Engineer – Cisco ASA / Checkpoint
Work Type: Contract – W2 only
Location: Plano, TX (Onsite, 5 days/week)
Candidate Eligibility: This position is open to local candidates only.
Work Authorization Note: At the moment, we will not be considering H-1B or 1099 candidates. If you are comfortable working on a W2 basis with your current work authorization, we would be delighted to move forward with your application.
Experience: 10 Years
Domain: Financial Services / Investment Banking
Role Overview
We are seeking a highly skilled Network Security Engineer with deep expertise in Security Service Edge (SSE) and Secure Access Service Edge (SASE) to lead the design, deployment, and lifecycle management of cloud-delivered security services. This role is pivotal in implementing Zero Trust Network Access (ZTNA), securing hybrid BFSI infrastructures, and integrating identity-aware, policy-driven controls across distributed environments.
The ideal candidate will have extensive experience in enterprise network security, multi-vendor SSE/SASE ecosystems, and a proven track record in designing, deploying, and optimizing cloud-delivered security solutions.
Primary Technical Skills
- SSE/SASE Platforms: Advanced configuration and policy orchestration on Palo Alto Prisma Access, Fortinet Universal ZTNA, Zscaler ZIA/ZPA, Broadcom, and Bluecoat.
- Cloud-Delivered Security Functions: Expertise in SWG, CASB, ZTNA, DNS security, FWaaS, SSL/TLS inspection.
- Identity-Aware Access Control: Integration with SAML/OAuth2/OpenID Connect, device posture enforcement, and risk-based access policies.
- Policy Lifecycle Management: Design, tuning, and enforcement of access control policies, URL filtering, application control, and data protection rules.
- Post-Deployment Optimization: Continuous improvement using telemetry, policy hit/miss analysis, latency metrics, and user experience feedback.
- Advanced Threat Protection: Integration with sandboxing engines, cloud threat intelligence, and real-time traffic analysis.
- High Availability & Resilience: Redundant tunnels, failover strategies, and multi-tenant segmentation in SSE environments.
- Traffic Steering & Breakout Policies: Implementation of local internet breakout (LIB), selective tunneling, and QoS-aware routing.
- Certificate Management: PKI integration, certificate pinning, and SSL decryption policies.
- User Experience Assurance: Leveraging digital experience monitoring (DEM) tools to optimize performance.
Secondary Technical Skills
- SD-WAN & VPN Integration: Overlay routing, dynamic path selection, IKEv2/IPSec/GRE tunnels, BGP/OSPF redistribution.
- Cloud Security Architecture: Hub-and-spoke, transit VPC, and cloud-native firewalling across AWS, Azure, and GCP.
- Automation & APIs: Python, Ansible, Terraform scripts for policy automation, bulk onboarding, and compliance checks.
- SIEM & SOAR Integration: Event forwarding, custom log parsing, UEBA correlation, automated response playbooks in Splunk, QRadar, or Sentinel.
- Endpoint & EDR Integration: Policy coordination with CrowdStrike, Microsoft Defender, or SentinelOne.
- DNS & DLP Integration: DNS-layer security and data exfiltration controls using inline DLP and cloud-native inspection.
- Multi-Factor & Conditional Access: Azure Conditional Access, Okta Adaptive MFA, and device compliance enforcement.
- Network Segmentation: Identity-based policies and application-aware zoning.
- Cloud Logging & Audit Trails: Centralized logging via CloudWatch, Azure Monitor, or GCP Logging.
- Security Baseline Enforcement: CIS Benchmarks, NIST 800-53, custom hardening scripts for posture validation.
Required Experience
- 8–12 years in enterprise network and security engineering, with 3 years in SSE/SASE design and operations.
- Proven experience in Zero Trust architecture, identity-aware segmentation, and cloud-delivered security enforcement.
- Exposure to regulated verticals (BFSI preferred), focusing on data protection, audit readiness, and risk mitigation.
- Hands-on experience with multi-vendor SSE ecosystems, including policy migration, interoperability testing, and performance benchmarking.
- Experience in incident response, forensics, and policy rollback in production SSE environments.
Preferred Qualifications
- Experience with hybrid cloud security models and multi-cloud segmentation strategies.
- Familiarity with EDR/XDR, sandboxing, and threat intelligence platforms (TIPs).
- Understanding of compliance frameworks: ISO 27001, NIST 800-53, RBI, GDPR, PCI-DSS.
- Exposure to DevSecOps pipelines, CI/CD security gates, and IaC security scanning.
- Knowledge of SASE convergence models, including WAN edge, cloud edge, and identity edge integration.
Nice to Have
- Zscaler Certified Cloud Professional (ZCCP-IA/ZCCP-PA)
- AWS/Azure Security Specialty
- CISSP or CCSP