Senior Network Security Engineer
Overview
The Senior Network Security Engineer is responsible for designing, securing, operating, and troubleshooting enterprise network and security infrastructure in a compliance-driven government-contractor environment. This role owns or heavily influences boundary protection, firewall architecture, segmentation, VPN, secure routing, cloud networking, logging, monitoring, and network security evidence. This is a senior technical role for an engineer who can independently trace complex failures across clients, networks, firewalls, cloud infrastructure, Kubernetes clusters, identity systems, and backend services. The ideal candidate can identify root cause, propose practical fixes, defend architectural decisions, and support security/compliance reviews with clear evidence.
Responsibilities
- Design, administer, and troubleshoot secure enterprise network and firewall infrastructure.
- Own or support boundary protection architecture, firewall policy, network segmentation, VPN, remote access, routing, NAT, DNS security, and ingress/egress controls.
- Analyze and troubleshoot complex client-to-service, site-to-site, cloud, hybrid, and application-path issues.
- Identify bottlenecks across clients, firewalls, VPNs, load balancers, cloud networks, Kubernetes clusters, service endpoints, and backend systems.
- Review and approve network and firewall changes for security, operational impact, compliance impact, and rollback readiness.
- Develop and maintain secure network architecture diagrams, firewall standards, routing standards, segmentation models, and operational runbooks.
- Ensure network device logs, firewall logs, VPN logs, DNS logs, and flow logs are forwarded to centralized logging/SIEM platforms.
- Support incident response, root-cause analysis, forensic log review, outage analysis, and corrective action planning.
- Support compliance requirements for CMMC, NIST 800-171, NIST 800-53, FedRAMP, DoD, or similar regulated environments.
- Produce audit-ready evidence for access control, configuration management, boundary protection, logging, monitoring, vulnerability remediation, and change control.
- Partner with DevOps, Security, Cloud, Platform, Application, and PMO teams to ensure network designs are secure, scalable, supportable, and compliant.
- Mentor junior engineers and raise the technical quality of network troubleshooting, documentation, and change execution.
- Evaluate new network/security technologies and determine operational, compliance, logging, monitoring, and support impacts before adoption.
Requirements
- CompTIA Security+ CE or higher government-accepted baseline security certification.
- CCNP-level networking knowledge or equivalent senior hands-on experience.
- Strong experience with enterprise firewalls such as Palo Alto, Fortinet, Cisco Secure Firewall, Juniper SRX, Check Point, or similar platforms.
- Deep understanding of TCP/IP, routing, switching, BGP, OSPF, VLANs, NAT, VPNs, DNS, DHCP, ACLs, firewall policy, segmentation, and network security architecture.
- Experience troubleshooting complex production issues using packet captures, firewall logs, VPN logs, flow logs, routing tables, application logs, and monitoring tools.
- Experience with secure remote access, site-to-site VPNs, ingress/egress control, network isolation, privileged access, and administrative access control.
- Experience supporting compliance-driven environments with formal change control, configuration management, audit logging, evidence collection, and vulnerability remediation.
- Self-starter who does not require constant management.
- Research-capable using vendor documentation, architecture references, hardening guides, RFCs, logs, packet captures, configuration analysis, and real diagnostic data — not just AI-generated answers.
- Ability to independently identify root cause and propose technically sound, operationally realistic, and compliant remediation plans.
- Strong written and verbal communication skills for architecture reviews, incident reports, risk explanations, executive summaries, and audit evidence.
- Ability to mentor others and enforce engineering discipline without creating unnecessary bureaucracy.
Preferred Qualifications
- CCNP Enterprise, CCNP Security, CCIE, or equivalent senior-level experience.
- Palo Alto PCNSE, Fortinet FCSS/FCX, Cisco Security, Juniper Security, Check Point CCSE, or equivalent advanced firewall certification.
- CISSP, CASP+/SecurityX, CISM, or similar senior security certification.
- AWS Advanced Networking Specialty or strong hands-on experience with AWS GovCloud networking.
- Experience with VPCs, Transit Gateway, Direct Connect, VPN, Route 53 Resolver, VPC endpoints, flow logs, security groups, NACLs, load balancers, and cloud-native network controls.
- Experience in DoD, federal contractor, FedRAMP, CMMC Level 2/3, NIST 800-171, NIST 800-53, IL4, IL5, or similarly regulated environments.
- Experience designing centralized logging, SIEM integration, network monitoring, alerting, and operational dashboards for network/security infrastructure.
- Experience with Kubernetes networking, ingress controllers, service mesh evaluation, load balancers, WAF, API gateways, and container platform troubleshooting.
- Experience with infrastructure as code, Git-based change control, CDK/Terraform, configuration backup, and automated compliance validation.
- Ability to use AI as a support tool when appropriate, without depending on it to perform senior engineering work, root-cause analysis, architecture design, technical research, compliance reasoning, or production troubleshooting.