Information Security
Re: Sending FIX messages across internet
Jörg Thönnes / Macdonald Associates 20 May 2005 5:07AM ET
> > Is it possible to send FIX message through SSH tunnel across internet?
> > Is there alternate way to send FIX message across internet?
>
> The FIX Information Security Subcommittee has been discussing options
> surrounding this. [...]
>
> * Traffic analysis. Even if someone can't decrypt the data, they still
> can log when it is sent. I.e. "At 10:30 Institution A sent data to
> Broker B. Broker B responded with a bunch of data at 10:32. At 10:35,
> Institution A then sent data to Broker C." It's not as valuable as
> plaintext, but it's still information given away.
I would like to add "Replay attacks" here. A possible intruder could try to replay the encrypted trade, thereby at least disturbing the communication.
> [...] This transparency is also, in my view, a potential weakness of VPNs. The
> application layer thinks everything is cleartext, and it has no proof
> whether crypto really is happening, so the application is putting total
> trust for security in the underlying network. If someone flips off
> encryption on the VPN routers, the people handling FIX support may not
> know. It's also possible that a routing mixup could cause traffic
> between counterparties to take another path that doesn't involve the VPN
> box, and as a result the traffic isn't protected in transit. With
> SSL/TLS enabled at an application or proxy level, there's no question
> whether a session is encrypted and authenticated.
Yes, this kind of problem is of the same kind as if somebody switches off the firewall by accident. An extra level of encryption in the application increases the security in such cases.
Cheers, Jörg
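An added illustration of the replay concern raised in the post above (not part of the original message, and not any FIX engine's own code): a receiver-side check that uses the standard FIX session fields MsgSeqNum (34), PossDupFlag (43) and CheckSum (10) to refuse a verbatim replayed order. The CompIDs, the `ReplayGuard` class and its result strings are hypothetical, and the messages are constructed sample data.

```python
SOH = "\x01"  # FIX field delimiter

def build(seq: int, sending_time: str, poss_dup: bool = False) -> str:
    """Construct a sample NewOrderSingle (constructed data, hypothetical CompIDs)."""
    body = f"35=D{SOH}49=INST_A{SOH}56=BROKER_B{SOH}34={seq}{SOH}52={sending_time}{SOH}"
    if poss_dup:
        body += f"43=Y{SOH}"
    body += f"11=ORD{seq}{SOH}55=XYZ{SOH}54=1{SOH}38=100{SOH}40=1{SOH}"
    msg = f"8=FIX.4.2{SOH}9={len(body)}{SOH}" + body
    return msg + f"10={sum(msg.encode()) % 256:03d}{SOH}"

def parse_fix(raw: str) -> dict:
    """Split a tag=value message into a {tag: value} dict."""
    return dict(field.split("=", 1) for field in raw.strip(SOH).split(SOH))

def checksum_ok(raw: str) -> bool:
    """CheckSum (10) is the byte sum of everything before the '10=' field, mod 256."""
    body, _, trailer = raw.rpartition(SOH + "10=")
    return f"{sum((body + SOH).encode()) % 256:03d}" == trailer.rstrip(SOH)

class ReplayGuard:
    """Tracks the next expected inbound MsgSeqNum for one FIX session."""

    def __init__(self, next_seq: int = 1):
        self.next_seq = next_seq

    def check(self, raw: str) -> str:
        if not checksum_ok(raw):
            return "reject: bad checksum"
        msg = parse_fix(raw)
        seq = int(msg["34"])
        if seq < self.next_seq:
            # An already-seen sequence number is only legitimate when the
            # sender marks it as a possible duplicate (resend).
            if msg.get("43") == "Y":
                return "ignore: flagged duplicate"
            return "reject: sequence too low (possible replay)"
        if seq > self.next_seq:
            return "gap: request resend"
        self.next_seq += 1
        return "accept"

if __name__ == "__main__":
    guard = ReplayGuard()
    order = build(1, "20050520-09:07:00")
    print(guard.check(order))  # first delivery
    print(guard.check(order))  # same bytes delivered again
```

The sequence check only catches verbatim replays; it is not a substitute for the authenticated, encrypted session discussed above, since anyone who can alter plaintext can also rewrite tag 34 and recompute the checksum.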