In-person interview required at 189 Harry S. Truman Parkway, Annapolis, MD 21401.
Hybrid – 3 days onsite and 2 days remote; on-site support may be required. Resource must be able to report on-site within four (4) hours of notification.
SUMMARY
The Network Security Engineer will actively participate in planning and coordinating the design, installation, and connectivity of computer and network systems to ensure stable, scalable, redundant, and secure 24x7 network operations.
RESOURCE QUALIFICATIONS
The resource must meet the following minimum qualifications:
- Associate degree.
- Palo Alto Networks Certified Network Security Administrator (PCNSA) Certification OR Palo Alto Networks Network Security Professional Certification.
- Cisco Certified Network Associate (CCNA) Enterprise OR (CCNA) Security Certification.
The resource must have the following qualifications:
- Ten (10) years of CONUS technical experience in IT networking and network security.
- Associate’s degree in an Information Technology (IT) related field.
- Certifications that are currently active or expired within three (3) years of proposal submission as follows:
  - Palo Alto Networks Certified Network Security Engineer (PCNSE) Certification or Palo Alto Networks Next-Generation Firewall Engineer Certification OR Palo Alto Networks Network Security Analyst Certification.
  - Cisco Certified Network Professional (CCNP) Enterprise OR (CCNP) Security Certification.
Resource shall be responsible for the following:
- Proactively identifying organization requirements and helping to design and engineer implementations that best serve those needs.
- Performing project-based engineering, design, installation and troubleshooting of data security networks.
- Providing assessment, design and implementation services of data and secure networking environments.
- Developing comprehensive graphical and text-based design documentation and effectively managing the implementation process from design to acceptance.
- Assisting internal groups through capacity planning, maintaining, monitoring and review of secure data communications networks.
- Leading migrations or assisting a team of engineers who will migrate traditional/legacy network security platforms to current/next generation technologies and expose customers to the full life cycle of defense in depth solutions.
- Assisting network engineers in troubleshooting critical problems or threat remediation relating to network security products.
- Working with the engineering team to successfully implement configuration guidelines, change management, and standard operating procedures for secure network solutions.
- Leading, scheduling, providing guidance and coordinating the activities with other team members to resolve end user problems in a timely and accurate fashion.
- Generating weekly status reports including project progress, key milestones, and tasks accomplished.
- Hosting weekly status meetings/calls with the team or on an as-needed basis.
RESOURCE(S) SKILLS, EXPERIENCE, & CAPABILITIES
- Five (5) years of experience with:
  - Palo Alto Networks next generation firewall services.
  - Intrusion Detection and Prevention with Palo Alto Networks.
  - Content Filtering with Palo Alto Networks.
  - Virtual Private Networks using Palo Alto Networks systems.
  - Data Loss Prevention.
  - TLS/SSL Inspection.
- Four (4) years of experience in complex switching, routing, and wireless with Cisco Systems.
- Three (3) years of experience in reverse proxies and load balancing with A10 Networks.
- Two (2) years of experience in Network Access Control: Cisco Identity Services Engine (ISE), FreeRADIUS, and Access Control Lists (ACLs).
- General experience with the following:
  - Implementing multifactor authentication solutions with Microsoft.
  - Cloud-based virtual networking and security services.
  - Authentication standards (802.1X) in wired and wireless applications.
  - Scalable routing protocols: Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).
  - Enterprise Data Center implementing micro-segmentation.
  - Certificate Management, Public Key Infrastructure (PKI).
  - Vulnerability management using Nessus, Nmap, Windows, Unix, and Linux OS.
  - Packet/Protocol Analysis using OPNET, Riverbed, Wireshark, and taps.
  - Centralized Management using Panorama, SolarWinds.
  - Major server and desktop operating systems and utilities.
- Ability to:
  - Work independently, troubleshoot, and provide mentoring to junior associates.
  - Communicate effectively when providing presentations.
  - Produce technical documents (diagrams, design documents, project plans and schedules, and user instructions) as required.
SCHEDULE & COORDINATION
- Resource(s) shall perform during normal operating hours, Monday through Friday, 8:00 AM to 4:30 PM Eastern Standard Time (EST).
- Resource(s) shall have the flexibility to extend coverage hours or schedule to meet deadlines, project requirements, and/or on-call operational support, including evenings, nights, weekends, and holidays.
- The JIS Project Manager or Department/Senior Manager must approve work prior to or after normal operation hours, not to exceed 2,040 hours per year.
- A two (2) to four (4) week training period will be provided to acclimate the successful resource(s) in the methods, processes, equipment, and software used by the Maryland Judiciary.
RESOURCE(S) ACCESS
- Resource must use technologies approved by Judiciary to access, configure, or document work.
- All work, including notetaking, configuration files, scripting, systems backups, templates, logs and documentation, must be stored on Judiciary provided technology (e.g., ShareFile).
- Resource(s) shall not download, copy, or transfer files, logs, or configurations between the Judiciary network and any non-Judiciary device or cloud service.
- Any required file sharing must only be performed while using a Judiciary provided account, email, device or media.
- File sharing via email, removable media, personal cloud storage (e.g., Google Drive, Dropbox), or file transfer tools (e.g., SFTP, FTP, SSH to external systems) outside of the Judiciary network is prohibited.
- If alternate methods are required that conflict with these requirements, approval from both the Judiciary Contract Manager and the Information Security Officer must be obtained prior to use.