Security setup for a Dedicated (trading) system at a datacenter

Discussion in 'Networking and Security' started by rohan2008, Mar 20, 2019.

  1. rohan2008


    Hi everyone,

    I have been running a trading system from home for some time. Due to the power/network outage issues, I want to move it to a datacenter. I have talked to the sales rep of a premier data center near CME with regards to a dedicated system. He gave me multiple options and I can't decide what's right for me. Any inputs/pointers can help.

    My current system:

    My trading system runs on Ubuntu 14.04 for now. I use port 80 to access the configs of the system. Nginx directs client requests to my trading system… and that's how I tune my system remotely depending on the daily trading conditions. I access it through SSH and a Samba mount. I don't worry about security since this is running from my home behind a firewall.

    Datacenter options:

    1. Colo option if I provide them with a server.

    2. Dedicated system that the data center is going to provide me.

    I have asked for security options for the dedicated system option and the datacenter folks have proposed the following:

    1. Full VPN connection with a hardware firewall to the server

    2. I can access the system ONLY if I log in through the VPN and the firewall is going to restrict non VPN connections.

    3. IP address whitelisting… and all the bells & whistles

    After looking at the options I am wondering if I am going overboard here. If I have a CIS config on, say, a Red Hat 7.x image and close all the ports to incoming requests… will the system be secure enough for me? I can access port 80 through an SSH tunnel and get by with my trading. I can turn off Samba and simply rely on sshfs for filesystem mounts on remote machines. Is this good enough and do I need a VPN? How do others do this? I am confused. If I follow all the best practices of SSH, do I still need to worry about hacking? Any pointers can help.

  2. Robert Morse


    What software and FCM do you use to route to the CME?
  3. ZBZB


    What data centre? Is it in Aurora?
  4. rohan2008


  5. ensemble


    Go with colo and buy your gear on eBay. Data centers are desperate for tenants and you can negotiate a deal on a partial cabinet. Any Tier 1 bandwidth provider will have much lower latency to your broker than your home ISP even without a cross connect.

    A refurbished HPE DL360p Gen8 server with E5-2670 and 64GB of RAM runs for under $700. Buy a pair of Cisco ASA 5520s and set up a site-to-site tunnel.
    Sprout and rohan2008 like this.
  6. rohan2008


    Thanks for the suggestion, this is helpful. I don't have experience with setting up enterprise firewalls; how hard is it to set up a site-to-site tunnel? I need to research this... but yes, this is definitely the right direction.
  7. ensemble


    If you have an ASA on both sides, you can run the VPN setup wizard in the Cisco GUI to configure it all. You will need a static IP on your home WAN though.
  8. T0pH4t


    Not sure if this is relevant any more. But you can avoid the whole VPN issue if you just use SSH, disable password authentication, and use SSH keys explicitly. If you really want to get anal and have a static home IP, whitelist the IP. SSH can be used to proxy a lot of different types of traffic (if you know what you are doing).
    rohan2008 likes this.
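The "SSH best practices" question in the first post and the key-only, IP-whitelisted setup T0pH4t describes both come down to a handful of sshd_config directives. The script below is an added example, not something posted in this thread: it audits an OpenSSH-style sshd_config the way sshd reads it (first occurrence of a directive wins, directives under a Match block are ignored for the global view) and reports whether password logins are off, root login is off, and an AllowUsers whitelist (which can carry a user@address pattern for the static-IP case) is present. The two sample configs, the user name trader and the address 203.0.113.10 are constructed for the demo; the defaults assumed for absent directives are those of current OpenSSH, so check them against the release actually installed.

```shell
#!/bin/sh
# Audit an sshd_config for the key-only login discussed in the thread.
# Added example, not from the thread; assumes an OpenSSH-style sshd_config.

# Print the effective global value of a directive (case-insensitive name).
# sshd uses the FIRST occurrence; anything under a Match block is skipped.
sshd_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }          # comment line
        NF == 0          { next }          # blank line
        tolower($1) == "match" { exit }    # conditional section starts; stop
        tolower($1) == key {
            $1 = ""                        # drop the keyword, keep the argument(s)
            sub(/^[[:space:]]+/, "")
            print
            exit
        }
    ' "$1"
}

# Check the directives that matter for "keys only, no passwords, no root".
# Prints one PASS/FAIL line per check; returns 0 only if every check passed.
sshd_audit() {
    file="$1"
    rc=0
    # spec = Directive:wanted-value:default-when-absent (defaults assumed from current OpenSSH)
    for spec in "PasswordAuthentication:no:yes" \
                "PubkeyAuthentication:yes:yes" \
                "PermitRootLogin:no:prohibit-password" \
                "ChallengeResponseAuthentication:no:yes"; do
        key=${spec%%:*}; rest=${spec#*:}
        want=${rest%%:*}; dflt=${rest#*:}
        have=$(sshd_get "$file" "$key")
        [ -n "$have" ] || have="$dflt"
        have=$(printf '%s' "$have" | tr '[:upper:]' '[:lower:]')
        if [ "$have" = "$want" ]; then
            echo "PASS $key=$have"
        else
            echo "FAIL $key=$have (want $want)"
            rc=1
        fi
    done
    # A login whitelist should exist; user@address patterns give the IP restriction too.
    if [ -n "$(sshd_get "$file" AllowUsers)" ]; then
        echo "PASS AllowUsers=$(sshd_get "$file" AllowUsers)"
    else
        echo "FAIL AllowUsers not set (no user/address whitelist)"
        rc=1
    fi
    return $rc
}

# --- demo on two constructed configs (not real server files) -----------------
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# constructed sample: looks hardened at a glance but still takes passwords
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat > "$tmp/hardened.conf" <<'EOF'
# constructed sample: keys only, one account, one source address
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers trader@203.0.113.10
Match Address 203.0.113.10
    PasswordAuthentication no
EOF
echo "== weak.conf";     sshd_audit "$tmp/weak.conf"     || echo "=> not hardened"
echo "== hardened.conf"; sshd_audit "$tmp/hardened.conf" && echo "=> hardened"
rm -rf "$tmp"
```

Run it against a copy of the real file with `sshd_audit /path/to/sshd_config`. The ChallengeResponseAuthentication check is the one most often missed: with PAM enabled, leaving it on lets keyboard-interactive password prompts through even after PasswordAuthentication is set to no. After editing, `sshd -t` validates the syntax, and keeping one existing session open while testing a fresh login avoids locking yourself out of a box you can no longer walk up to.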