Network Security - Cisco ASA Checkpoint

Job Title: Network Security – Cisco ASA / Checkpoint

Location: Plano, TX (Onsite)

Type: Contract

Role Overview

We are seeking a highly skilled Network Security Engineer with deep expertise in Security Service Edge (SSE) and Secure Access Service Edge (SASE) to lead the design, deployment, and lifecycle management of cloud-delivered security services. This role is critical in implementing Zero Trust Network Access (ZTNA), securing hybrid BFSI infrastructure, and integrating identity-aware, policy-driven controls across distributed environments.

Primary Technical Skills

• SSE/SASE Platforms: Advanced configuration and policy orchestration on Palo Alto Prisma Access, Fortinet Universal ZTNA, Zscaler ZIA/ZPA, Broadcom, and Bluecoat.
• Cloud-Delivered Security Functions: Deep understanding of SWG, CASB, ZTNA, DNS security, FWaaS, and SSL/TLS inspection.
• Identity-Aware Access Control: Integration with SAML/OAuth2/OpenID Connect, device posture enforcement, and risk-based access policies.
• Policy Lifecycle Management: Design and tuning of access control policies, URL filtering, application control, and data protection rules.
• Post-Deployment Optimization: Continuous tuning using telemetry, policy hit/miss analysis, latency metrics, and user experience feedback.
• Advanced Threat Protection: Integration with sandboxing engines, cloud-delivered threat intelligence, and real-time traffic analysis.
• High Availability & Resilience: Design of redundant tunnels, failover strategies, and multi-tenant segmentation in SSE environments.
• Traffic Steering & Breakout Policies: Implementation of local internet breakout (LIB), selective tunneling, and QoS-aware routing.
• Certificate Management: Handling PKI integration, certificate pinning, and SSL decryption policies across user and app flows.
• User Experience Assurance: Use of digital experience monitoring (DEM) tools to baseline and optimize end-user performance.
  
  

Secondary Technical Skills

• SD-WAN & VPN Integration: Deep familiarity with overlay routing, dynamic path selection, IKEv2/IPSec/GRE tunnels, and BGP/OSPF redistribution.
• Cloud Security Architecture: Design of hub-and-spoke, transit VPC, and cloud-native firewalling across AWS, Azure, and GCP.
• Automation & APIs: Development of Python/Ansible/Terraform scripts for policy automation, bulk onboarding, and compliance checks.
• SIEM & SOAR Integration: Event forwarding, custom log parsing, UEBA correlation, and automated response playbooks in Splunk, QRadar, or Sentinel.
• Endpoint & EDR Integration: Policy coordination with CrowdStrike, Microsoft Defender, or SentinelOne for device trust enforcement.
• DNS & DLP Integration: Enforcement of DNS-layer security and data exfiltration controls using inline DLP and cloud-native inspection.
• Multi-Factor & Conditional Access: Integration with Azure Conditional Access, Okta Adaptive MFA, and device compliance policies.
• Network Segmentation: Implementation of microsegmentation using identity-based policies and application-aware zoning.
• Cloud Logging & Audit Trails: Centralized logging via CloudWatch, Azure Monitor, or GCP Logging, mapped to compliance controls.
• Security Baseline Enforcement: Use of CIS Benchmarks, NIST 800-53, and custom hardening scripts for posture validation.
  
  

Required Experience

• 8–12 years in enterprise network and security engineering, with 3 years in SSE/SASE design and operations.
• Proven experience in Zero Trust architecture, identity-aware segmentation, and cloud-delivered security enforcement.
• Strong exposure to regulated verticals (preferably BFSI), with emphasis on data protection, audit readiness, and risk mitigation.
• Hands-on with multi-vendor SSE ecosystems, including policy migration, interoperability testing, and performance benchmarking.
• Experience in incident response, forensics, and policy rollback in production SSE environments.
  
  

Preferred Qualifications

• Experience with hybrid cloud security models and multi-cloud segmentation strategies.
• Familiarity with EDR/XDR, sandboxing, and threat intelligence platforms (TIPs).
• Understanding of compliance frameworks: ISO 27001, NIST 800-53, RBI, GDPR, and PCI-DSS.
• Exposure to DevSecOps pipelines, CI/CD security gates, and IaC security scanning.
• Knowledge of SASE convergence models, including WAN edge, cloud edge, and identity edge integration.
  
  

Nice to Have

• Zscaler Certified Cloud Professional (ZCCP-IA / ZCCP-PA)
• AWS/Azure Security Specialty
• CISSP or CCSP
  
  

Skills: network security,cisco,asa,checkpoint