Is there Security Risk in Financial Trading Networks?
Researcher at Black Hat warns that security might be at risk when nano-seconds count.
In the fast-paced world of financial trading, nano-seconds count. They can mean the difference between profit and loss with millions of dollars on the line.
In the race to make trading faster, have security considerations been overlooked?
Security researcher James Arlen argues that financial trading systems have traded security for performance. Arlen is speaking on the topic this week at the Black Hat security conference in Las Vegas.
"These networks are super flat and super shared and are not well protected from each other and there are no firewalls," Arlen said in a preview of his Black Hat talk. "It's a big ugly Local Area Networking soup."
Arlen added that, in his estimation, financial trading systems also lack Access Control Lists (ACLs). He noted that turning on ACLs on routers and switches adds latency, which is what financial trading systems are desperately trying to minimize and avoid. Additionally, in an effort to avoid latency, he noted there typically isn't any kind of anti-virus or application hardening technology in place either.
"We need to build protective measures against a reasonable threat model," Arlen said.
Arlen noted that traditional security doesn't work in the world of high-speed trading because, in his view, it's about a thousand times too slow. The problem is that traditional security devices add latency and currently don't address the needs of ultra-speed networks. There is, however, no mystery in terms of what Arlen sees as being needed to help secure networks.
"We need to do something, and this isn't hard stuff; this is 1999 networking security basics," Arlen said.
According to Arlen, the hard part is the fact that many components of high-speed trading networks are highly customized. The other challenge is in convincing operators of high-speed trading networks that it is worth the effort, in terms of cost and latency, to layer security into their networks and reduce risk.
Though Arlen sees a lot of missing pieces, he said that networking vendors Juniper and Cisco are off to a good start in offering security at high speed.
"Both vendors have systems that can do meaningful security work in around 1 microsecond," Arlen said. "The big question is why the rest of the security industry is not keeping up."
For Juniper Networks, the race towards faster networks is part of their competitive advantage in the market.
"Juniper Networks supports a growing number of the world's most advanced financial services organizations with solutions that provide the speed, security and integrity needed to gain a competitive advantage on either side of a trade," said Abner Germanow, Director of Enterprise Marketing at Juniper Networks, in an email to InternetNews.com. "As the demands, use cases, and technologies used by our customers change, our researchers and developers work closely with our customers, the security community, and other technology partners to implement security to protect their systems from malicious intent and ensure the integrity of financial transactions."