Network Security Engineer (SkyHigh SWG) at Redriver

We are seeking a highly experienced Network Security Engineer to support and enhance our enterprise web proxy infrastructure using Skyhigh Secure Web Gateway (SWG). This role is responsible for policy engineering, troubleshooting, and maintaining secure and scalable proxy services for a user base exceeding 10,000. 

Key Responsibilities 

• Manage full lifecycle of SWG policies: design, peer review, test, deploy, validate. 

• Maintain TLS inspection posture and exception handling with documented rationale. 

• Optimize PAC/WPAD logic and ensure version-controlled policy artifacts. 

• Lead investigations using packet captures and log analytics. 

• Deliver clear root cause analyses (RCAs) with supporting evidence and diagrams. 

• Reduce legacy exceptions and clean up unused objects. 

• Maintain rollback plans and quarterly hygiene reports. 

• Current-state assessment of proxy infrastructure within 30 days. 

• Runbooks, regex test suite, and change checklist within 60–90 days. 

• Quarterly hygiene pack and incident RCAs for P1/P2 issues. 

Required Qualifications: 

• Must meet eligibility for Public Trust / MBI (as applicable). 

• Proficient in tcpdump/Wireshark and log platforms (Splunk/ELK). 

• Clear stakeholder communication and effective triage under pressure. 

• Ability to distinguish origin vs proxy errors and document root causes. 

• Deep knowledge of TCP/UDP behavior, TLS handshake, and PCRE (regex) performance optimization. 

• Strong understanding of routing, NAT, MTU, DNS, and basic BGP/OSPF. 

• Experience with forward/reverse proxy modes, PAC/WPAD design, SSL/TLS inspection, and safe bypass strategies. 

• Expertise in policy hierarchy, object/list management, staged rollout, logging, and rollback. 

• 3+ years administering Skyhigh SWG in production environments (>10k users). 

Preferred Qualifications 

• Scripting/automation experience (Python, PowerShell, Bash). 

• Identity integration experience (Azure AD, Okta, Ping Identity, Radiant Logic). 

• Familiarity with device identity/posture hooks (mTLS/MDM) affecting SWG policy. 

Evaluation Criteria 

• Live Exercise: Diagnose a synthetic outage using packet capture and logs. 

• Regex Test: Author a performant PCRE pattern and explain its efficiency. 

• Policy Review: Present and defend a hierarchy change with rollback strategy. 

Tooling Environment 

• Skyhigh SWG 

• tcpdump / Wireshark 

• Splunk / ELK 

• Version control for policy artifacts 

Compliance & Change Control 

• Must adhere to IRS change management windows. 

• All material changes require peer review and documented evidence.