jobs in DA International Financial Service Limited

全职 Senior Network Infrastructure - Security Engineer 工作, 薪水, DA International Financial Service Limited Hong Kong 公司招聘中 - Ricebowl

Senior Network Infrastructure - Security Engineer

DA International Financial Service Limited

Undisclosed

Hong Kong

分享
保存

工作地点

  • Hong Kong Hong Kong

职位描述

岗位职责

Position Overview
Responsible for designing, building, and operating the company’s global financial-grade network infrastructure, deeply integrating high-performance network engineering and intelligent security analytics. You will lead the end-to-end architecture from Cisco hardware up to AI-driven security analytics platforms, ensuring submillisecond trading network stability across five major financial hubs (Singapore/Hong Kong/Shanghai/Chicago/Malaysia), while building a comprehensive network visibility framework for real-time detection and automated response to abnormal outbound traffic, lateral movement threats, and abnormal internal asset behaviors.

Core Responsibilities

1. Global Network Architecture & Intelligent Security Operations(50%)
Full-stack Management of Cisco Networking and Security Devices:
Lead architecture design, performance tuning, and security hardening of Cisco Catalyst
9000/Nexus 3000/9000 switches and ASA/Firepower/Secure Firewall.
Expert in OSPFv2/v3 and BGP (eBGP/iBGP/MP-BGP) routing protocols; design multi-homing redundancy, Anycast routing, and DDoS traffic diversion strategies.
Build highly available IPSec VPN matrix (DMVPN/GETVPN/FlexVPN), enabling zero-trust access for global sites.
Deploy VXLAN/EVPN microsegmentation, leverage Cisco ISE for SD-Access implementation.
Comprehensive Traffic Security Analysis & Threat Detection (NTA/NDR):

Outbound Network Anomaly Monitoring:
Deploy NetFlow/IPFIX/sFlow for full traffic collection, monitor internet egress bandwidth anomalies, traffic spikes, and protocol distributions.

Detect DDoS attacks (Volumetric/Protocol/Application Layer), C2 callbacks, and large-scale data exfiltration.

Integrate external threat intelligence feeds (Proofpoint/Virustotal/AbuseIPDB) for real-time tagging of malicious IPs, domains, and URLs.

Malicious Access Filtering & Blocking:
Configure Cisco Firepower/Firewall IPS/IDS rules for signature-based threat detection.

Deploy DNS security layers (Cisco Umbrella/Infoblox) to block malicious domain resolution and DNS tunneling.

Implement GeoIP filtering and reputation-based blocking to automatically isolate traffic from high-risk countries/regions.

East-West (Internal) Network Traffic Monitoring:
Use SPAN/RSPAN/ERSPAN or network TAP to mirror key segment traffic, deploy Zeek/Suricata for Deep Packet Inspection (DPI).

Monitor point-to-point IP anomalies: identify lateral movement, abnormal port scans,SMB/RDP brute force.

Build asset communication baselines: use machine learning to detect deviations, e.g.,server accessing new subnets or large off-hours data transfers.

Real-time Alerting & Automated Response:
Build SOAR (Security Orchestration, Automation & Response) workflows: anomaly detection → auto-block (ACL/blackhole route) → alert notification (Slack/WeCom) → ticket creation (ServiceNow).

Develop threat hunting scripts for proactive incident detection (beaconing, DNS covert tunneling).

Network Automation & AI-driven Operations:
Build integrated network-security automation platforms.

Develop traffic analysis engines with Python/Go, integrate Elasticsearch for PB-scale traffic log storage & retrieval.

Use Ansible/Terraform for Security-as-Code orchestration (Firewall Rule as Code).

Develop anomaly detection algorithms (time series, isolation forest) for traffic pattern change.

Integrate with third-party security platforms (Splunk ES, IBM QRadar, Azure Sentinel) or open-source security stacks (Wazuh + TheHive + Cortex).

2. Enterprise IT & Zero-Trust Security (20%)
Deploy 802.1X + Cisco ISE for identity-based dynamic network access (NAC).
Manage endpoint EDRs (CrowdStrike/SentinelOne) in coordination with network-layer controls to enable
endpoint-network collaborative responses.
Maintain IT asset CMDB, build asset-to-IP-to-traffic mapping for quick traceability.

3. Trading Platform Network Assurance & Financial-Grade Security(30%)
24/7 trading network protection: monitor market data feeds (Reuters/Bloomberg/direct exchange feeds) for traffic integrity and latency anomalies.
Dedicated line security monitoring: detect leased line (MPLS/private) interruptions, route hijacks, MITM attacks.
Lead red/blue teaming exercises: simulate APT attack vectors, verify segmentation and detection effectiveness.
Develop financial security compliance programs (MAS TRM, PCI-DSS, ISO 27001).

Requirements
  • 5+ years enterprise networking operations, 3+ years in finance/highfrequency
trading/multinational environments
  • Expert on Cisco: Nexus 9000 (VPC/OTV/ACI), Catalyst 9000, Firepower
4100/9300, ISE
  • Routing protocol expert: OSPF/BGP advanced tuning (BGP FlowSpec for
DDoS mitigation), BFD, BGP-LS
  • IPSec/SSL VPN: DMVPN, GETVPN, FlexVPN, AnyConnect posture
Full-time

重要安全守则

申请工作时,切勿提供您的银行或信用卡详细资料。不要转账或完成无关的在线调查问卷。如果您发现可疑内容,请举报此招聘广告。

了解更多