DA International Financial Service Limited Hiring! Full Time Senior Network Infrastructure - Security Engineer in Hong Kong - Ricebowl

Senior Network Infrastructure - Security Engineer

DA International Financial Service Limited

Undisclosed

Hong Kong

Working Location

  • Hong Kong Hong Kong

Job Description

Responsibilities

Position Overview
Responsible for designing, building, and operating the company’s global financial-grade network infrastructure, deeply integrating high-performance network engineering and intelligent security analytics. You will lead the end-to-end architecture from Cisco hardware up to AI-driven security analytics platforms, ensuring submillisecond trading network stability across five major financial hubs (Singapore/Hong Kong/Shanghai/Chicago/Malaysia), while building a comprehensive network visibility framework for real-time detection and automated response to abnormal outbound traffic, lateral movement threats, and abnormal internal asset behaviors.

Core Responsibilities

1. Global Network Architecture & Intelligent Security Operations (50%)
Full-stack Management of Cisco Networking and Security Devices:
Lead architecture design, performance tuning, and security hardening of Cisco Catalyst 9000/Nexus 3000/9000 switches and ASA/Firepower/Secure Firewall.
Expert in OSPFv2/v3 and BGP (eBGP/iBGP/MP-BGP) routing protocols; design multi-homing redundancy, Anycast routing, and DDoS traffic diversion strategies.
Build highly available IPSec VPN matrix (DMVPN/GETVPN/FlexVPN), enabling zero-trust access for global sites.
Deploy VXLAN/EVPN microsegmentation, leverage Cisco ISE for SD-Access implementation.
Comprehensive Traffic Security Analysis & Threat Detection (NTA/NDR):

Outbound Network Anomaly Monitoring:
Deploy NetFlow/IPFIX/sFlow for full traffic collection, monitor internet egress bandwidth anomalies, traffic spikes, and protocol distributions.

Detect DDoS attacks (Volumetric/Protocol/Application Layer), C2 callbacks, and large-scale data exfiltration.

Integrate external threat intelligence feeds (Proofpoint/VirusTotal/AbuseIPDB) for real-time tagging of malicious IPs, domains, and URLs.

Malicious Access Filtering & Blocking:
Configure Cisco Firepower/Firewall IPS/IDS rules for signature-based threat detection.

Deploy DNS security layers (Cisco Umbrella/Infoblox) to block malicious domain resolution and DNS tunneling.

Implement GeoIP filtering and reputation-based blocking to automatically isolate traffic from high-risk countries/regions.

East-West (Internal) Network Traffic Monitoring:
Use SPAN/RSPAN/ERSPAN or network TAP to mirror key segment traffic, deploy Zeek/Suricata for Deep Packet Inspection (DPI).

Monitor point-to-point IP anomalies: identify lateral movement, abnormal port scans, SMB/RDP brute force.

Build asset communication baselines: use machine learning to detect deviations, e.g., server accessing new subnets or large off-hours data transfers.

Real-time Alerting & Automated Response:
Build SOAR (Security Orchestration, Automation & Response) workflows: anomaly detection → auto-block (ACL/blackhole route) → alert notification (Slack/WeCom) → ticket creation (ServiceNow).

Develop threat hunting scripts for proactive incident detection (beaconing, DNS covert tunneling).

Network Automation & AI-driven Operations:
Build integrated network-security automation platforms.

Develop traffic analysis engines with Python/Go, integrate Elasticsearch for PB-scale traffic log storage & retrieval.

Use Ansible/Terraform for Security-as-Code orchestration (Firewall Rule as Code).

Develop anomaly detection algorithms (time series, isolation forest) for traffic pattern change.

Integrate with third-party security platforms (Splunk ES, IBM QRadar, Azure Sentinel) or open-source security stacks (Wazuh + TheHive + Cortex).

2. Enterprise IT & Zero-Trust Security (20%)
Deploy 802.1X + Cisco ISE for identity-based dynamic network access (NAC).
Manage endpoint EDRs (CrowdStrike/SentinelOne) in coordination with network-layer controls to enable endpoint-network collaborative responses.
Maintain IT asset CMDB, build asset-to-IP-to-traffic mapping for quick traceability.

3. Trading Platform Network Assurance & Financial-Grade Security (30%)
24/7 trading network protection: monitor market data feeds (Reuters/Bloomberg/direct exchange feeds) for traffic integrity and latency anomalies.
Dedicated line security monitoring: detect leased line (MPLS/private) interruptions, route hijacks, MITM attacks.
Lead red/blue teaming exercises: simulate APT attack vectors, verify segmentation and detection effectiveness.
Develop financial security compliance programs (MAS TRM, PCI-DSS, ISO 27001).

Requirements
  • 5+ years enterprise networking operations, 3+ years in finance/high-frequency trading/multinational environments
  • Expert on Cisco: Nexus 9000 (VPC/OTV/ACI), Catalyst 9000, Firepower 4100/9300, ISE
  • Routing protocol expert: OSPF/BGP advanced tuning (BGP FlowSpec for DDoS mitigation), BFD, BGP-LS
  • IPSec/SSL VPN: DMVPN, GETVPN, FlexVPN, AnyConnect posture

Full-time
