Job Tasks Breakdown:
General Firewalling (ASA/Firepower/PA/Fortinet): 25%
VPN Creation and Troubleshooting: 25%
Firewall Migration Projects (Assisting and Learning): 20%
General Cisco ISE (Configuration and Tshoot): 5%
ISE Projects (Assisting and Learning): 15%
R/S Tickets: 5%
Device Monitoring: 5%
The Network Security Engineer (Mid Level) can expect to work firewall, VPN, and other security technology tickets daily for our managed services clients. Further, the NSE will assist senior engineers on various security projects such as Firewall Migrations (ASA to PA, ASA to Firepower, Firepower to PA, etc.), Cisco ISE (installations, expansions, migrations), and more, with the goal of eventually completing the same types of projects on their own with only minimal peer review.
At least 50% of the NSE’s work will be centered on firewall devices and the applicant should have very strong skills and experience in configuring, troubleshooting, and resolving firewall issues. Firewall vendors in scope include Cisco ASA, Cisco Firepower (Firepower Threat Defense or ASA software), Palo Alto, and Fortinet.
- A strong background in both Cisco ASA and Firepower is required for this position.
- Strong knowledge of firewall behavior, stateful filtering, deep packet inspection, zone/security-level segmentation, firewall High Availability, and vendor-specific firewall behavior (especially ASA and Firepower) is highly important to this role. You should be highly experienced with troubleshooting and resolving firewall access issues, network translation issues, VPN issues, and other general issues that arise on firewalls.
- Strong Cisco ASA CLI experience is a requirement for this position. Though ASDM may be used when needed (e.g. DAP/Hostscan), it is expected that you will do most of your ASA configuration and troubleshooting using CLI in this position.
- Strong IPsec VPN knowledge in the areas of creation, troubleshooting techniques, theory (IKEv1 and IKEv2), and CLI commands is very important for this role. You should be highly experienced, if not an expert, in troubleshooting VPN issues.
- Intermediate knowledge of Cisco AnyConnect VPN is required, including troubleshooting and configuring authentication (LDAP, RADIUS), LDAP attribute mapping, group policy (configuration, inheritance, etc.), AnyConnect Profiles, Modules, DAP/Hostscan, etc.
- Strong knowledge in network address translation (NAT) as performed in firewalls is a requirement for this role. NAT is central to many firewall issue resolutions and because of this, you should be highly experienced at troubleshooting NAT as well as configuring it.
- Strong knowledge of IP, TCP, and UDP protocol behavior is required for this role. Additional knowledge of the behavior of other protocols such as DNS, LDAP/S, RADIUS, TACACS, HTTP, HTTPS/TLS is a plus.
- Beginner or intermediate knowledge of Palo Alto or Fortinet firewalls is nice but not required. Applicants will be required to take training and certifications in Palo Alto firewalls in their first year. Fortinet training and certifications will be required as you progress in the future.
- Cisco ISE knowledge is nice to have but you can learn it on the job as well as take training and certifications as required.
- Knowledge of TACACS and RADIUS configuration for AAA on firewalls and Cisco routers and switches is a plus. Additionally, knowledge of the configuration of TACACS in Cisco ISE or RADIUS in Windows NPS is a strong plus.
- CCNP Security is a requirement for the position.
- CCNP Enterprise (R/S) is nice to have as routing and switching is tightly interwoven with security device function and design.
- PCNSA or PCNSE is a plus but not required. You will be required to attain one or both of these in your first year in the position.
- Fortinet NSE 4 is a plus but not required. You may also be required to attain this certification in the first few years in the position.
- CISSP or other general security certifications are a plus but not required.
- General security architecture and design knowledge is a plus but not required. You will have the opportunity to learn security architecture and design knowledge as well as migration techniques and processes on the job.