Network Security Engineer (Cisco ASA / Checkpoint)

  • Plano, TX
  • Posted 2 hours ago | Updated 2 hours ago

Overview

Hybrid
$55 - $60
Accepts corp to corp applications
Contract - W2
Contract - Independent
Contract - 12 Month(s)

Skills

SSE/SASE
Palo Alto Prisma Access
Fortinet Universal ZTNA
Zscaler ZIA
Zscaler ZPA
Broadcom
Bluecoat
SWG
CASB
ZTNA
DNS security
FWaaS
SSL/TLS inspection
SAML
OAuth2
OpenID Connect
device posture enforcement
risk-based access
access control policies
URL filtering
application control
data protection rules
telemetry analysis
policy analytics
latency metrics
sandboxing
cloud threat intelligence
real-time traffic analysis
high availability
redundant tunnels
failover strategies
multi-tenant segmentation
local internet breakout
selective tunneling
QoS routing
PKI
certificate pinning
SSL decryption
DEM tools
SD-WAN
VPN
IKEv2
IPSec
GRE
BGP
OSPF
AWS security
Azure security
GCP security
Python
Ansible
Terraform
SIEM
SOAR
Splunk
QRadar
Sentinel
CrowdStrike
Microsoft Defender
SentinelOne
DNS security enforcement
DLP
Azure Conditional Access
Okta Adaptive MFA
microsegmentation
identity-based segmentation
CloudWatch
Azure Monitor
GCP Logging
CIS Benchmarks
NIST 800-53
security hardening scripts
Zero Trust
EDR/XDR
TIPs
ISO 27001
RBI
GDPR
PCI-DSS
DevSecOps
CI/CD security
SASE convergence
ZCCP-IA
ZCCP-PA
AWS Security Specialty
Azure Security Specialty
CISSP
CCSP

Job Details

Job Title: Network Security Engineer (Cisco ASA / Checkpoint)
Location: Plano, TX (Local candidates only)
Type: Contract

Role Overview

The Network Security Engineer will lead the architecture, deployment, and ongoing optimization of advanced Security Service Edge (SSE) and Secure Access Service Edge (SASE) solutions. This role focuses on Zero Trust Network Access (ZTNA), hybrid cloud security, and identity-aware policy enforcement across distributed BFSI environments. The engineer will be responsible for designing resilient security frameworks, improving performance, and ensuring compliance within a heavily regulated environment.


Primary Responsibilities

  • Architect, implement, and manage SSE/SASE platforms including Palo Alto Prisma Access, Fortinet Universal ZTNA, Zscaler ZIA/ZPA, Broadcom, and Bluecoat.

  • Deploy and optimize cloud-delivered security services such as SWG, CASB, ZTNA, DNS security, FWaaS, and SSL/TLS inspection.

  • Integrate identity-based access frameworks using SAML, OAuth2, OpenID Connect, device posture checks, and adaptive access controls.

  • Design and maintain policy lifecycles, including URL filtering, application control, and data protection rules.

  • Continuously improve security posture using telemetry, policy analytics, latency monitoring, and user experience metrics.

  • Implement advanced threat protection via sandboxing, cloud threat intelligence, and real-time traffic analysis.

  • Develop and maintain highly available SSE architectures with redundant tunnels, multi-tenant segmentation, and failover strategies.

  • Configure traffic steering policies including local internet breakout, selective tunneling, and QoS-aware routing.

  • Oversee PKI integration, certificate pinning, and SSL decryption across user and application flows.

  • Leverage digital experience monitoring (DEM) tools to baseline and enhance end-user performance.


Secondary Responsibilities

  • Integrate SD-WAN and VPN technologies including IKEv2/IPSec/GRE tunnels and BGP/OSPF routing.

  • Contribute to cloud security architecture across AWS, Azure, and Google Cloud Platform.

  • Develop automation scripts using Python, Ansible, or Terraform for policy management and compliance.

  • Integrate with SIEM/SOAR platforms such as Splunk, QRadar, or Sentinel.

  • Coordinate with endpoint security tools (CrowdStrike, Defender, SentinelOne) for device trust enforcement.

  • Implement DNS-layer protections and inline DLP controls.

  • Support MFA and conditional access integration with Azure AD and Okta.

  • Design identity-based network segmentation and microsegmentation strategies.

  • Manage cloud logging pipelines with CloudWatch, Azure Monitor, and Google Cloud Platform Logging.

  • Enforce CIS, NIST, and custom security hardening standards.


Required Experience

  • 8-12 years of enterprise network and security engineering experience.

  • Minimum 3 years in SSE/SASE architecture and operations.

  • Strong background in Zero Trust models, identity-aware segmentation, and cloud security enforcement.

  • Experience in BFSI or other regulated industries with emphasis on audit readiness and data protection.

  • Hands-on exposure to multi-vendor SSE ecosystems, policy migrations, and performance testing.

  • Experience with incident response, forensic workflows, and policy rollback.


Preferred Qualifications

  • Background in hybrid cloud security, multi-cloud segmentation, and DevSecOps workflows.

  • Familiarity with EDR/XDR, TIPs, sandboxing, and advanced threat detection.

  • Understanding of compliance frameworks: ISO 27001, NIST 800-53, RBI, GDPR, PCI-DSS.

  • Knowledge of SASE convergence across WAN, cloud, and identity edges.


Nice to Have Certifications

  • Zscaler Certified Cloud Professional (ZCCP-IA / ZCCP-PA)

  • AWS or Azure Security Specialty

  • CISSP or CCSP


About Bright Sol