Network/Security Engineer — Proxy (Skyhigh SWG)

Our client, an IT Services organization supporting commercial and federal clients, is seeking Network Security Engineer with Skyhigh SWG Proxy experience. This role is 100% remote and can be anywhere in the US.

Responsibilities / Scope:

• Operate & Engineer
• Own SWG policy lifecycle: design - peer review - test - deploy - validate. Keep hierarchy sane; keep lists accurate and minimal.
• Maintain TLS inspection posture and exception handling (pinning-safe), with documented rationale and owner for each exception.
• Troubleshoot at Scale
• Lead packet-through-analytics investigations; produce clear RCAs with captures, logs, and sequence diagrams.
• Harden & Improve
• Reduce legacy exceptions, remove dead objects, and optimize PAC/WPAD logic.
• Keep rollback plans and versioned artifacts for every material change.
• Deliverables (acceptance = artifact exists and is technically correct)
o Current-State Assessment (-30 days): Inventory of SWG policies, objects/lists, TLS inspection posture, PAC/WPAD flow, and key data paths; gap list with remediation proposals.o Runbooks & Tests (-60-90 days):o Troubleshooting runbooks (auth failures, TLS errors, PAC issues, proxy vs origin error differentiation).o PCRE test suite with regression cases and performance gates.o Change checklist with rollback criteria and canary plan.o Quarterly Hygiene Pack: Exception review (add/remove decisions with owners), object cleanup report, and prioritized improvement backlog.o Incident RCAs: For P1/P2 proxy incidents, RCA within 5 business days with evidence and corrective actions.
• Evaluation / Verification
o Live Exercise: Given a synthetic outage (e.g., SSO app fails behind TLS inspection), isolate cause using packet capture + logs and propose a safe change with rollback.o PCRE Test: Author a performant pattern for a non-trivial URL/classification case; demonstrate why it won-t backtrack catastrophically.o Policy Review: Walk through a hierarchy change (lists, inheritance, bypass logic) and defend design/rollback-clarity over theatrics.

Required Skills

• Must be US Citizen due to government clearance requirement
• Must be eligible for Public Trust (active DoD Secret is a plus)

Mandatory Qualifications
• Skyhigh SWG (SkyHigh)
• 3+ years administering Skyhigh Secure Web Gateway in production (>10k users).
• Expert in policy hierarchy/inheritance, object & list management, staged rollout (test-pilot-prod), logging export, versioning, rollback.
• Proxy Engineering
• Forward/reverse proxy modes; explicit vs transparent; PAC/WPAD design and distribution.
• SSL/TLS inspection: cert chains, pinning impacts, ALPN, HTTP/2 behavior, auth flows (Kerberos/NTLM, SAML/OIDC).
• Safe bypass strategies (domain/SNI/IP/risk-based) without degrading coverage.
• Layer 3 & Internet Fundamentals
• Routing & addressing (CIDR, MTU/fragmentation/PMTUD, NAT44/66, VRFs), basic BGP/OSPF, DNS recursion/forwarding and failure modes.
• Ports & Protocols
• TCP/UDP behavior, ephemeral ranges, TLS handshake/SNI, and middlebox interactions (no QUIC/HTTP-3 requirement).
• PCRE
• Writes and reviews complex PCRE (lookarounds, backreferences, atomic groups) with an eye for performance (avoid catastrophic backtracking).
• Troubleshooting: Packets + Analytics
• tcpdump/Wireshark proficiency (TLS/HTTP analysis, TCP dynamics).
• Log correlation at scale (e.g., Splunk/ELK) to isolate issues off-box (client, network, IdP, upstream).
• Can distinguish origin responses vs proxy-generated errors and document root cause.
• Communication & Prioritization
• Clear stakeholder comms; triage correctly under load-doesn-t treat every noisy issue as P1.

Apply tot his job

Apply To this Job

Ready to Apply?

Don't miss out on this amazing opportunity!