Network Security Engineer

Employment Type: Contract to HireTitle: Network Security Engineer Duration: 6 months to hire Location: New York, NY Must be authorized to work in USA: No sponsorship Pay Rate: $70-$75/ hour W2 | $150K $170K ConvMust Have: Forescout Platform ExperiencePosition OverviewWe are seeking an experienced Network Security Engineer for a contract-to-hire engagement with one of New York City's leading healthcare organizations. This is a hands-on, senior-level role responsible for the design, deployment, and ongoing operational excellence of our network access control and security infrastructure. The contract is expected to convert to a permanent full-time position for the right candidate. The ideal candidate brings deep technical expertise in Forescout and thrives in a complex, compliance-driven healthcare environment where uptime and patient data protection are paramount.Key ResponsibilitiesDesign, deploy, and manage Forescout-based Network Access Control (NAC) infrastructure across enterprise and clinical environmentsDevelop and enforce device visibility, classification, and policy enforcement for managed, unmanaged, and IoT/medical devicesAuthor and maintain comprehensive technical documentation, standard operating procedures (SOPs), runbooks, and network security policiesConduct architecture reviews and lead network security improvement initiatives in alignment with HIPAA, HITECH, and NIST frameworksCollaborate with infrastructure, clinical engineering, and IT teams to ensure secure network segmentation and least-privilege accessMonitor network security events, investigate anomalies, and drive remediation efforts in coordination with the SOC teamManage and maintain next-generation firewall infrastructure (Palo Alto Networks preferred), including rule lifecycle management and threat prevention policy tuningSupport and administer F5 application delivery and security services including LTM/GTM, APM, and ASM/AWAFLead vendor engagements, coordinate with managed service partners, and serve as internal SME for network security technologiesParticipate in on-call rotation and provide escalation support for critical network security incidentsRequired Qualifications5+ years of hands-on experience in network security engineering in enterprise environmentsDeep expertise in Forescout Platform (formerly CounterACT), including:– eyeSight, eyeControl, and eyeSegment modules– Policy authoring, device classification, and enforcement actions– Integration with Active Directory, SIEM, and ticketing platforms– Deployment in large-scale, multi-site environmentsActive Forescout certification (FCSS – Forescout Certified Security Specialist, or equivalent) requiredDemonstrated ability to independently design and deliver full lifecycle NAC deployments — from architecture through implementation and documentationStrong documentation skills: ability to produce clear, detailed SOPs, network diagrams, and policy documentation for both technical and non-technical audiencesSolid understanding of network fundamentals: VLANs, 802.1X, RADIUS, DHCP, DNS, routing, and switchingExperience working in regulated industries with exposure to HIPAA, HITECH, or similar compliance requirementsBachelor's degree in Computer Science, Information Security, or equivalent practical experiencePreferred Qualifications (Nice to Have)Palo Alto Networks expertise:– Hands-on experience with PAN-OS, Panorama, and NGFW policy management– Familiarity with Prisma Access, GlobalProtect, and Cortex XSOAR a plus– Palo Alto Networks Certified Network Security Engineer (PCNSE) preferredF5 expertise:– Administration of BIG-IP LTM, GTM, APM, and ASM/Advanced WAF– Experience with iRules, SSL offload, and application security policies– F5 Certified BIG-IP Administrator (F5-CA) or Solution Expert (F5-CSE) preferredExperience with healthcare IoT and medical device securityFamiliarity with Zero Trust architecture principles and microsegmentation strategiesExposure to SIEM platforms (Splunk, Microsoft Sentinel) and SOAR integrationsAdditional industry certifications: CISSP, CCNP Security, CEH, or equivalent