Last updated July 15, 2008

 

Evolving Standards May Boost Wireless

June 7, 2004 - Wireless networking, though easy to set up and appealing to many users, still poses security risks for Wall Street companies. In the near future, however, as wireless security standards mature, that situation may change.

Today, wireless networks are found most frequently at sites where the benefits of mobility are most obvious: trading floors. Unlike many other companies, however, trading floors can enforce strict security measures. For example, at the New York Stock Exchange, unapproved visitors are not even allowed entry into the building.

Trading floors are also limited geographically, and wireless access points can be set up so that the network only covers the trading area, adding another measure of security.

Finally, wireless isn't just a nice option on many trading floors, but a necessity. For example, the Chicago Mercantile Exchange has two ways to trade: an open outcry system and an electronic trading platform. But the growth of the Globex platform created problems for brokers, who had to choose between the two trading methods. Being able to access Globex wirelessly while out on the trading floor removed this problem.

"While standing on the floor, they can trade any Globex product they choose to," said Maz Chadid, the CME's floor technology managing director.

That's a huge benefit, he added, because Globex now accounts for almost 50 percent of the market.

With the wireless handhelds, many traders can now access both the electronic and traditional markets simultaneously. "Quite a few people are doing both at the same time," he said. In currency trading, for example, the vast majority of traders use the devices, he said.

Altogether, there are 365 wireless devices being used at the exchange, with 175 users currently awaiting their new handhelds. In the interest-rate area, fewer than 40 people used the devices six months ago, he said. Today, there are 175 users, and another 75 are in the pipeline.

There is also a separate wireless network that allows traders to access their own systems.

"We allocate the bandwidth and make sure people don't interfere with us or each other," Chadid said. "They bring their own proprietary applications." These include analytical and order routing applications, Chadid said.

To access the Globex trading platform, traders use what the exchange calls Galax-C devices, iPaq handhelds running software that CME built in-house. The handhelds average 180,000 contracts a day.

The devices don't currently offer e-mail or instant messaging, but the exchange does have plans to extend their functionality, Chadid said. The second category of devices, which access the common wireless network, do have those communication abilities if they're so set up, but cannot trade on Globex. Traders use them to improve communication with home offices and with customers, Chadid said.

However, not all CME traders carry handhelds. Many aren't actually out on the floors but are busy talking to customers, or handling order execution. Altogether, Chadid said, only about a third of CME's traders would benefit from the handhelds.

CME is also considering other functionality: traders may soon be able to use them in the options area, and to enter their open-outcry trades instead of using slips of paper. These new features are expected to arrive in the third quarter of this year.

To ensure security, CME uses firewalls and encryption technology combined with user-specific authentication. "The combination of the three is extremely safe," Chadid said.

In addition, there are also physical security measures. The wireless signal is strictly limited to the trading floors, he said. That means that hackers can't walk around outside the building with sniffing devices, looking for wireless networks they can tap into.

One Size Doesn't Fit All
For the brokerages themselves, however, these kinds of security measures may not be worth the expense, and the basic security built into wireless products was not sufficient to meet their needs.

At the Chicago Stock Exchange (CHX), traders usually sit at computers to work, instead of wandering around the trading floor. As a result, there's less of a pressing need for wireless access devices.

Krysia Jacobs, VP of technical services at the exchange, has decided against deploying the technology. "We're not using it for security reasons," she said.

However, as the wireless security standards situation improves, she might change her mind. "We're monitoring it," she said.

Trade group IEEE is expected in June to ratify Wi-Fi Protected Access 2 (WPA 2), which supports the Advanced Encryption Standard and authentication features, making it more attractive for Wall Street firms.

Previously, brokerages were forced to create virtual private networks for their wireless LANs, which created a whole set of management problems, said Chris Bolinger, manager of product marketing in the wireless networking business unit of Cisco Systems.

With good wireless security built in, Bolinger said, brokerages should start rolling out wireless networks sometime in the next 12 months.

Progress has been made on other security fronts as well, he said. A year ago, the only way a manager had of detecting rogue access points was to walk around with a sniffing device, hunting for unauthorized signals. Since wireless access points are cheap and easy to install, employees sometimes went over to their local mall and bought insecure devices, opening up corporate networks to outside threats.

Today, there are a number of ways to handle this problem. A company's legitimate access points could do double duty, not only broadcasting the legitimate, secure wireless signal, but also listening for unauthorized signals. This way, managers can triangulate on rogue access points and even rogue wireless devices in real time. The access points can be shut down automatically, by simply cutting them off from the network.

Shutting down rogue devices is a touchier area, Bolinger said. Yes, the device could belong to a hacker trying to break into a firm's network, and sending a signal that puts it out of business would be a good thing. But the device could also belong to an employee from the company next door.

"You have to be very careful in mounting over-the-air attacks because that could be someone else's production access point," said Bolinger. One customer even had a problem where one set of its own access points tried to shut down a set that had come from a different vendor, he said.

As a result, Cisco's policy is not to promote over-the-air attacks. "We're not going to rule it out, but we're being conservative because it's potentially dangerous to do that," he said.

Hacking It
Of course, hackers are under no such moral restrictions, and it's possible for one, even if he can't break into a wireless network, to shut it down remotely through what's known as a denial of service attack, in effect jamming legitimate radio signals with a barrage of meaningless ones.

Fortunately, some of the same techniques used to identify unauthorized access points can also track down the source of a denial of service attack, said IDC analyst Abner Germanow. "If you have a system that can identify the source of interference, it's not that hard to deal with," he said. "You send a guy out to say, 'Hey, what do you have in that truck?'"

It may also be possible to work around an interfering signal, routing traffic to other access points or different channels. Companies have to decide whether the cost of managing those monitoring systems is worth it, though, he added.

Likewise, physical security, which is possible for many companies, can be prohibitive for others.

"The NYSE has shielded its building against the possibility of a truck pulling up outside and broadcasting into it," said Germanow. "Whether every exchange on the planet can afford that is a different question."

On the Horizon
In addition to better security, brokerages might also be motivated by the emergence of Internet telephony over wireless. VPNs don't work well for this kind of application, Bolinger said, but the new standards will. This means that instead of carrying cell phones when they move around the building, employees will be able to carry communication devices that directly tie in to their firms' voice over IP (VoIP) systems, giving them the same functionality as they have at their desks.

One VoIP application that is already out on the market is a "Star Trek"-style communicator badge produced by Vocera Communications. The badges are already becoming popular in the health care field, said Germanow, and similar devices might find their way onto Wall Street as early as the second half of 2005, once the early bugs are worked out.

"Voice in the securities world tends to be a pretty mission-critical application," said Germanow. "The people who are in charge of deploying the technology and infrastructure don't want to mess with something that's brand new."

And once companies do start rolling it out, it will probably be in the more peripheral areas of the company first, he added. Instead of appearing on the trading floor, the technology might first show up in the back office, where reliable voice communication is important but not absolutely critical.

As with security, voice standards are on their way. According to Germanow, standards will be approved this September that will help create a common infrastructure for enabling voice communication over wireless networking.

 

Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com