Separate computer on secure VLAN for trading only?

  1. Do you guys have a dedicated trading workstation where no internet surfing occurs? Only trading platforms, Bloomberg Anywhere, etc. are used on the machine.

    A second workstation is used for general internet usage, etc., on a different VLAN.

    The trading VLAN has an outbound ACL that only permits traffic to trading networks, etc.

    The general use VLAN has no access to the trading VLAN.

    Both are on a FortiGate with IPS/AV/app control, etc.

    Wireless APs are on a third VLAN; this is where the iPads, etc., live.

    All workstations are Macs, with the exception of a VM for apps not yet ported to OS X.

    The internet is a wild wild west and you need to have all the security in the world to avoid ransomware, data loss, and compromise of accounts.

    I have battery backups and a generator. Right now there is a massive power loss in the neighborhood, so I am working on backup power, no problem.
  2. When I get to 5 million in trading capital then maybe. Until then, I'll let the hackers go after you.

    I do have a UPS though which gives me 30 seconds to go flat and shut off.
  3. gaussian


    I don't think this is necessary for your average SOHO.

    Good anti-malware, offsite cold storage backups, and common sense are really all you need. Most brokers support 2FA which adds to the security. If you're behind a NAT and have a non-business IP package from your ISP you are mostly protected from an entire class of attacks (except if you run a DMZ).

    Separating devices into VLANs is fine if you want to go that far. I try to do that with devices that I know "call home" (for example TVs, etc., that force you to connect to the internet now) so that they can't call back home at all. Alternative power sources are always nice, especially if you're running a robot of some kind.
  4. IAlwaysWin


    Just invest in a remote Windows dedicated server or VPS, so you won't be left trying to kick-start a dead horse if the power goes out one day.
  5. destriero


    I think a lot of traders start out with the intention to lock it down, but inevitably surf/bank on their trading rig. I am on Linux and Mac (almost) exclusively; I only trade from a Windows laptop when traveling. I bank on my phone (when traveling). There is no concern now with 2FA and trading front-ends.

    Stick to LTE or 5G when banking.
  6. destriero


  7. The trading workstations are restricted. My regular surfing and YouTube, etc., machine is next to the trading machine. There are lots of zero-day exploits where all it takes is visiting a website, and a compromised banner ad, etc., injects a rootkit into your machine that your AV will never detect.

    PCs are cheap so having a second one just for regular shit is worth it.

    The secure (RED) VLAN is locked down to just the specific networks used by my trading platforms, Bloomberg Anywhere, etc.

    I have a NAS (Synology) on that network and my servers as well for the workloads.

    It's not a difficult concept to implement, but worth it. Shit is getting out of hand out there with so many zero-day exploits and people losing hard work because of it.

    The cost of equipment is not too shabby.

    A FortiGate 61E, for example, is 640 dollars.
    A FortiSwitch 108-FPOE is 300-320 bucks.

    Cheap insurance to avoid the nightmares others end up dealing with. All it takes is one time.

    The great thing about Apple workstations is Time Machine backups. You can back up to an external drive and to the NAS at the same time, having 2 copies of critical data at all times.

    Every month I send one of my external drives to a bank safe deposit box.
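The segmentation described in post 1 and post 7 (a locked-down trading VLAN whose outbound ACL allows only the trading platforms' networks, and general and wireless VLANs with no path into it), modeled as a first-match policy table with a check that the table actually enforces that intent, plus the classic ordering slip that silently undoes it. This is an added example, not code from the thread or from Fortinet; all VLAN addresses, hosts and the platform range are constructed placeholders.

```python
import ipaddress
# Constructed sample addressing for the thread's three VLANs (assumed values).
VLANS = {
    "trading":  ipaddress.ip_network("10.10.0.0/24"),   # the "RED" VLAN
    "general":  ipaddress.ip_network("10.20.0.0/24"),
    "wireless": ipaddress.ip_network("10.30.0.0/24"),
}
TRADING_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder platform range
ANY = ipaddress.ip_network("0.0.0.0/0")

# First-match table like a FortiGate policy list: (source VLAN, destination networks, action); unmatched = deny.
POLICY = [
    ("trading",  TRADING_NETS,       "accept"),  # outbound ACL: platforms only
    ("trading",  [VLANS["trading"]], "accept"),  # NAS and servers in the RED VLAN
    ("general",  [VLANS["trading"]], "deny"),    # no path into trading
    ("wireless", [VLANS["trading"]], "deny"),
    ("general",  [ANY],              "accept"),  # unrestricted surfing
    ("wireless", [ANY],              "accept"),
]
# Same rules with general's "any" rule above its deny: an ordering slip that opens trading.
MISORDERED = [POLICY[0], POLICY[1], POLICY[4], POLICY[2], POLICY[3], POLICY[5]]

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in net), None)

def evaluate(policy, src_ip, dst_ip):
    """Verdict ('accept' or 'deny') for one flow under first-match semantics."""
    src_vlan, dst = vlan_of(src_ip), ipaddress.ip_address(dst_ip)
    for src, nets, action in policy:
        if src == src_vlan and any(dst in net for net in nets):
            return action
    return "deny"  # implicit deny at the end of the table

def segmentation_violations(policy):
    """Flows that break the thread's intent: only trading hosts may reach the
    trading VLAN, and trading hosts reach only the allow-list and themselves."""
    hosts = ["10.10.0.10", "10.20.0.10", "10.30.0.10"]  # one constructed host per VLAN
    dests = ["10.10.0.20", "203.0.113.5", "192.0.2.1"]  # NAS, platform, random website
    bad = []
    for s in hosts:
        for d in dests:
            dst = ipaddress.ip_address(d)
            if vlan_of(s) == "trading":
                want = "accept" if any(dst in n for n in [VLANS["trading"], *TRADING_NETS]) else "deny"
            else:
                want = "deny" if dst in VLANS["trading"] else "accept"
            if (got := evaluate(policy, s, d)) != want:
                bad.append((s, d, got))
    return bad
```

Running `segmentation_violations` against a proposed table before pushing it to the firewall catches the misordered case, where a general-VLAN host reaches the NAS in the trading VLAN even though a deny rule exists.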
  8. traider


    Just use another pc for surfing pr0n and installing shit ware
  9. Overnight


    Just don't go to unneeded sites on your trading machine, and you'll be fine.

    I use my trading machine for browsing the simplest of sites, and e-mails. I know which e-mails are malicious or not. I don't use it for social media. It's been safe on Win7 for 5 years. It has a free AV program on it along with some passive scanners. Never got a malware alert, never a DDoS attack, no fuss, no muss.

    Like traider says, stay away from pr0N and Nigerian prince e-mails, and you will be right as rain.

    Your trading machine must be for just that strict business. Have a second machine for all the other stuff.
  10. Do you mean a dedicated computer for manual trading? Or a dedicated computer for automated trading?

    I am using a dedicated computer for automated trading. No special VLAN kind of stuff, simply connected to the same home broadband network, behind router and modem. This, in my view, suffices for malware security. This dedicated computer is switched on on Sunday evening, does its thing throughout the week, and gets a rest on Saturday morning.
