Corvil Support for Monitoring Encrypted Eurex and Xetra Trading Sessions

With the increasing frequency of ransomware attacks on national infrastructure, including paralysis of the Irish Health Service and the Colonial Pipeline operations in the US in recent years, the protection of critical public infrastructure from criminal and potentially cyber-military attacks is firmly in the spotlight.

Against this backdrop, why do we allow billions of dollars to be traded daily over unencrypted networks, where the login passwords are visible in clear text to anyone who can install a network sniffer? And where a man-in-the-middle attacker, who can sniff and inject traffic, could potentially impersonate a trading entity and disrupt markets?

Most of this trading is happening inside exchange and colocation data centers, where physical and network security are taken very seriously. However, there are also situations where trading access is extended to remote access points, potentially in different countries. Now you are extending your trust envelope to multiple service providers and third parties. How well do you know and trust all of them?

Deutsche Börse and the EU Cyber Security Landscape

The NIS2 directive (Network and Information Systems Directive) is a European Union regulation that aims to improve the security of critical infrastructure networks and systems, including energy, healthcare, water, and financial markets. The directive was adopted by the European Parliament on 6 February 2023 and will enter into force in September 2024. All EU member states are expected to comply with NIS2 by 2024, and national laws are currently in various stages of implementation.

As a result, Deutsche Börse is this year introducing mandatory TLS encryption for all trading interfaces, apart from Co-Lo originated high-frequency (HF) connections, as detailed in Circular 005/23. Login credentials must be encrypted on all connections.

From 8th May 2023, all production FIX sessions for Eurex and Xetra must be encrypted.

By 23rd October 2023, the only unencrypted Eurex / Xetra trading sessions will be ETI HF sessions originating within the Deutsche Börse Equinix FR2 facility.

Encryption ensures that your trading data is confidential, authentic, and tamper-proof. It prevents anyone from snooping on your network traffic or altering your orders.

But encryption also comes with a challenge: how do you monitor your encrypted network traffic?

Monitoring your network traffic is essential for optimizing your trading performance, troubleshooting issues, and detecting anomalies. But if your traffic is encrypted, how can you see what’s happening inside?

That’s where Corvil comes in.

Monitoring Encrypted Trading Traffic using Corvil

With Corvil, you can:

  • Improve your trading performance by identifying and resolving network and application issues, bottlenecks, and inefficiencies.

  • Comply with regulatory requirements with accurately timestamped transaction records, independent of the trading applications, with no latency overhead.

  • Accelerate trade support, reconciliation, troubleshooting and root-cause analysis.

  • Tune latency-sensitive trading algorithms and order routing, including flight-time of data from source data center to exchange handoff, potentially across multiple hops.

  • Immediately detect service-provider issues, including routing changes/failover events, based on step changes in latency.

All of the above comes with no changes to applications and no latency overhead.

Without additional action, once encryption is enabled, packet-based approaches will lose the ability to decode ETI or FIX messages. Corvil network analytics will continue to work as usual (for example, microburst and TCP metrics) but application-layer trading analytics will not.

Corvil enables you to monitor your encrypted Eurex and Xetra trading sessions without compromising security or performance. Corvil offers a secure agent-based approach to obtain per-session keys from your endpoints and decrypt your traffic on the fly without storing or exposing your keys. Corvil then analyzes your traffic in real time, providing rich insights into your trading activity, latency, errors, market data quality, and more.

The Corvil TLS Agent is a lightweight agent that can be enabled in C/C++ or Java applications that implement TLS, without change to source code. The TLS Agent extracts the encryption keys that are negotiated as part of the TLS handshake process for each connection and sends them in real-time via a secure channel to a Corvil appliance. The Corvil decoder can then decrypt the network traffic and decode the application messages as normal. The agent is only active during the TLS handshake, so latency overhead is not an issue.
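To make the per-session key model concrete, the Python below is an added example, not Corvil's code or its key-delivery format, which this page does not describe. It assumes the secrets reach the monitor as records in the widely used NSS key log format (the one OpenSSL and Wireshark use), and reports which sessions seen on the wire can be decoded at the application layer and which fall back to network metrics only; all names and sample values are constructed.

```python
import re

# Subset of the labels defined by the NSS key log format (TLS 1.2 and 1.3).
KNOWN_LABELS = {"CLIENT_RANDOM", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
# "<LABEL> <32-byte client random, hex> <secret, hex>"
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Index secrets by client random; skip comments and malformed records."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) not in KNOWN_LABELS or len(m.group(3)) % 2:
            continue
        label, client_random, secret = m.groups()
        sessions.setdefault(client_random.lower(), {})[label] = bytes.fromhex(secret)
    return sessions

def decodable(labels):
    """TLS 1.2 needs the master secret; TLS 1.3 needs both directions' traffic secrets."""
    if "CLIENT_RANDOM" in labels:
        return True
    return {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= set(labels)

def coverage(keylog_text, observed_client_randoms):
    """Map each ClientHello random seen on the wire to True if its traffic can be decrypted."""
    sessions = parse_keylog(keylog_text)
    return {r: decodable(sessions.get(r.lower(), {})) for r in observed_client_randoms}

# Constructed sample data: four sessions seen in a capture, identified by client random.
R1, R2, R3, R4 = ("11" * 32, "22" * 32, "33" * 32, "44" * 32)
SAMPLE_KEYLOG = "\n".join([
    "# constructed key records, not real secrets",
    f"CLIENT_RANDOM {R1} {'a1' * 48}",            # TLS 1.2 session
    f"CLIENT_TRAFFIC_SECRET_0 {R2} {'b2' * 32}",  # TLS 1.3, both directions
    f"SERVER_TRAFFIC_SECRET_0 {R2} {'c3' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R3} {'d4' * 32}",  # TLS 1.3, server secret never arrived
    "CLIENT_RANDOM not-hex deadbeef",             # malformed record, ignored
])

if __name__ == "__main__":
    for rand, ok in coverage(SAMPLE_KEYLOG, [R1, R2, R3, R4]).items():
        status = "application-layer decode" if ok else "network metrics only"
        print(f"{rand[:8]}...  {status}")  # never log the secrets themselves
```

A session whose key record is missing or incomplete (R3 and R4 here) is the case worth alerting on, since it silently loses ETI or FIX decoding while TCP-level metrics continue.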

Conclusion and Next Steps

Encryption for inter-party trading traffic looks set to become far more widespread in the next few years, particularly outside co-lo. Accurate low-overhead real-time monitoring remains critical for multiple reasons, including compliance, performance monitoring and trade support. Corvil can help you square this circle, maintaining the visibility of encrypted traffic.

Please contact Corvil Support ([email protected]) for further information, and for access to software and documentation for Corvil TLS Agent or Corvil Sensor.

Matt Davey, Executive Director, Product Management
Pico is a leading provider of technology services for the financial markets community. Pico provides a best-in-class portfolio of innovative, transparent, low-latency markets solutions coupled with an agile and expert service delivery model. Instant access to financial markets is provided via PicoNet™, a globally comprehensive network platform instrumented natively with Corvil analytics and telemetry. Clients choose Pico when they want the freedom to move fast and create an operational edge in the fast-paced world of financial markets.