Network/Security Engineer Proxy (Skyhigh SWG)

Our client, an IT Services organization supporting commercial and federal clients, is seeking Network Security Engineer with Skyhigh SWG Proxy experience. This role is 100% remote and can be anywhere in the US. Responsibilities / Scope: - Operate & Engineer - Own SWG policy lifecycle: design - peer review - test - deploy - validate. Keep hierarchy sane; keep lists accurate and minimal. - Maintain TLS inspection posture and exception handling (pinning-safe), with documented rationale and owner for each exception. - Troubleshoot at Scale - Lead packet-through-analytics investigations; produce clear RCAs with captures, logs, and sequence diagrams. - Harden & Improve - Reduce legacy exceptions, remove dead objects, and optimize PAC/WPAD logic. - Keep rollback plans and versioned artifacts for every material change. - Deliverables (acceptance = artifact exists and is technically correct) o Current-State Assessment (-30 days): Inventory of SWG policies, objects/lists, TLS inspection posture, PAC/WPAD flow, and key data paths; gap list with remediation proposals. o Runbooks & Tests (-60-90 days): o Troubleshooting runbooks (auth failures, TLS errors, PAC issues, proxy vs origin error differentiation). o PCRE test suite with regression cases and performance gates. o Change checklist with rollback criteria and canary plan. o Quarterly Hygiene Pack: Exception review (add/remove decisions with owners), object cleanup report, and prioritized improvement backlog. o Incident RCAs: For P1/P2 proxy incidents, RCA within 5 business days with evidence and corrective actions. - Evaluation / Verification o Live Exercise: Given a synthetic outage (e.g., SSO app fails behind TLS inspection), isolate cause using packet capture + logs and propose a safe change with rollback. o PCRE Test: Author a performant pattern for a non-trivial URL/classification case; demonstrate why it won-t backtrack catastrophically. o Policy Review: Walk through a hierarchy change (lists, inheritance, bypass logic) and defend design/rollback-clarity over theatrics. Required Skills - Must be US Citizen due to government clearance requirement - Must be eligible for Public Trust (active DoD Secret is a plus) Mandatory Qualifications - Skyhigh SWG (SkyHigh) - 3+ years administering Skyhigh Secure Web Gateway in production (>10k users). - Expert in policy hierarchy/inheritance, object & list management, staged rollout (test-pilot-prod), logging export, versioning, rollback. - Proxy Engineering - Forward/reverse proxy modes; explicit vs transparent; PAC/WPAD design and distribution. - SSL/TLS inspection: cert chains, pinning impacts, ALPN, HTTP/2 behavior, auth flows (Kerberos/NTLM, SAML/OIDC). - Safe bypass strategies (domain/SNI/IP/risk-based) without degrading coverage. - Layer 3 & Internet Fundamentals - Routing & addressing (CIDR, MTU/fragmentation/PMTUD, NAT44/66, VRFs), basic BGP/OSPF, DNS recursion/forwarding and failure modes. - Ports & Protocols - TCP/UDP behavior, ephemeral ranges, TLS handshake/SNI, and middlebox interactions (no QUIC/HTTP-3 requirement). - PCRE - Writes and reviews complex PCRE (lookarounds, backreferences, atomic groups) with an eye for performance (avoid catastrophic backtracking). - Troubleshooting: Packets + Analytics - tcpdump/Wireshark proficiency (TLS/HTTP analysis, TCP dynamics). - Log correlation at scale (e.g., Splunk/ELK) to isolate issues off-box (client, network, IdP, upstream). - Can distinguish origin responses vs proxy-generated errors and document root cause. - Communication & Prioritization - Clear stakeholder comms; triage correctly under load-doesn-t treat every noisy issue as P1. Apply tot his job