Senior Network Security Engineer

About EOTSS:

The Executive Office of Technology Services and Security (EOTSS) is the lead enterprise technology organization for the Commonwealth of Massachusetts. Charged with driving the ongoing alignment of business and technology across the Commonwealth’s Executive Branch, EOTSS oversees and manages the enterprise technology, digital infrastructure and services, as well as the Commonwealth Security Operations Center and an enterprise Standard Operating Environment that includes an information security and risk management framework for over 125 state agencies and over 43,000 state employees. We directly serve our constituents by providing digital services and tools that enable taxpayers, drivers, businesses, visitors, families and other citizens to do business with the Commonwealth in a way that makes every interaction with government easier, faster, and more secure.

Our Mission: We provide technology leadership across the Commonwealth to enhance the quality of public service and foster positive community outcomes.

About this Role:

EOTSS is seeking to hire a Network Security Engineer to join the EOTSS Security Engineering Team. The EOTSS Security Engineering Team provides reliable security services and support to all Commonwealth customers. The security services provided by the team include security design, implementation, installation, and management. The team is especially skilled in and specializes in complex firewall and routing configurations, wireless networking security, analyzing packet captures, and the use of Visio for creating diagrams in support of the infrastructure. The team provides 3rd Tier support to the Network Operations Team and routinely joins major incident conference bridges to assist with troubleshooting incidents to their resolution.

The Network Security Engineer will be mainly responsible for the configuration and implementation for a multi-vendor hardware network within a hybrid environment. Additional responsibilities will include installing cables, fiber infrastructure to support authentication, firewall, IDP/IPS, remote access, network TAPs, DNS, Web Application Firewalls, and proxy solutions. The incumbent of this role will also be responsible for upgrading multiple different vendors firewalls, upgrading network TAPs, remote access VPN solutions, DNS infrastructure, and authentication systems. This individual will also be involved with the design and implementation of site-to-site VPN connections between multiple different vendors’ hardware to provide secure connectivity and access to the Commonwealth data centers. The incumbent of this role will provide 3rd Tier support to 2nd Tier Network Operations staff to resolve customer issues with critical response time requirements. The successful candidate will need to be able to work independently for specific assigned tasks but will also need to work in a team environment. Other expectations of this position will be attending training via remote learning or instructor-led courses to further develop their skills.

The primary work location for this role is 200 Arlington Street, Chelsea, Massachusetts, 02150. The work schedule for this position is Monday through Friday, 9AM to 5PM EST. This position would be expected to follow a hybrid model of reporting to work that combines in-office workdays and work from home days as needed. Applicants should be located within reasonable commuting distance from the primary work location. Off-hours/On-call support may be required as determined by the Security Engineering Manager. On-Call is defined as “non-work time, during which members of staff are required to be available to handle job-related activities and emergencies off hours”. Staff are compensated per the Collective Bargaining agreement for stand-by pay and callback.

Responsibilities:

• Participate in major incident conference calls to assist with troubleshooting and resolution.
• Perform and analyze packet captures to determine whether expected traffic is traversing the network infrastructure.
• Develop written transition documents and procedures for the Network Operations Team when deploying new systems and hardware. This may include leading transition meetings or training sessions to ensure seamless integration into production.
• Attend bi-weekly status meetings and provide status updates to the Manager.
• Stay current with security, network, and infrastructure technologies through various methods including online research, vendor-hosted seminars and conferences, free online courses as well employer-sponsored training.
• Collaborate with users, vendors, and other technical teams to identify, isolate, and resolve issues, as well as implement enhancements to the WAN/Core network.
• Adhere to standard change management processes.
• Document and assess the impact of required changes to various networked systems, ensuring proper planning, scheduling, and communication.
• Design complex Core and WAN networks, including IP and routing summarization, as well as firewall configuration.
• Develop server load balancing solutions, including configuring Web Application Firewalls and SSL offloading on appliances.
• Design proposals for connectivity solutions for internal and external Commonwealth customers and lead discussions on implementation.
• Maintain firewalls, remote access solutions, authentication systems, and DNS solutions.
• Assign IP address space using VLSM to meet customer requirements.
• Create detailed Visio diagrams to support security system deployments.
• Participate in design meetings with vendor partners to discuss technology updates.
• Obtain hardware quotes from resellers to support procurement efforts.
• Other duties as assigned.

Preferred Knowledge, Skills, & Abilities:

• Five (5) years of hands-on experience configuring and implementing multi-vendor hardware network (Checkpoint, Palo Alto, and Juniper) within a hybrid environment.
• Five (5) years of hands-on experience configuring remote access solutions, including Ivanti Connect Secure and Palo Alto Global Protect.
• Five (5) years of experience with networking concepts, including VLANs, routing, switching, and IP subnetting.
• Two (2) to three (3) years of hands-on experience with the following cloud computing platforms such as Microsoft Azure and Amazon AWS.
• Extensive experience with a variety of routing protocols including OSPF, BGP, IGRP, and EIGRP.
• Proficiency in IP and route summarization, including configuring routers and switches.
• Experience using network analysis tools such as Tcpdump and Wireshark.
• Strong understanding of network protocols, including TCP and UDP, their common use cases, and standard port assignments.
• Experience with scripting languages such as Python, Bash, or PowerShell.
• Preferred experience working with AI, machine learning, or anomaly detection technologies within network security, using tools such as Cortex, SOAR, or CrowdStrike.
• Knowledge of Identity and Access Management (IAM) solutions, including OKTA and Azure AD.
• Experience working with firewalls, including Juniper SRX, Palo Alto, Checkpoint, and Fortinet.
• Familiarity with networking vendors such as Cisco, Juniper, and F5.
• Knowledge of desktop operating systems and their networking functions.
• Knowledge of wireless networks and basic configuration.
• Strong configuration experience with multi-vendor routers and switches.
• Knowledge of server load balancing solutions, including SLB farms, Web Application Firewalls, and SSL offloading.
• Ability to create detailed Visio diagrams to support network hardware deployments.
• Ability to adhere to standard change management processes.
• Ability to comprehend and follow complex oral and written instructions.
• Excellent organizational, verbal, and written communication skills.
• Strong interpersonal skills with keen attention to detail.
• Expertise in Variable Length Subnet Masking (VLSM) and static routing.

Certifications:

• Relevant certifications such as Certified Information Systems Security Professional (CISSP), Checkpoint certifications (CCSA, CCSE), Palo Alto certifications (PCNSE, PCNS), and Juniper Network certifications (JNCIA, JNCIE), are desired.