Security
Market:marker is the name for the suite of products released by Tullett
Prebon Limited.
This constituent list will grow over time, but the general
principle is that each new product will build upon its predecessors. As a
result, the products share a technological heritage. This means that the
products naturally benefit from improvements and enhancements unveiled in
their associates, and end users benefit from the commonality of the
Market:marker products' infrastructure. The name "TTooL:kit" is used to refer
to the technology underpinning the Market:marker products.
Market:marker products, though built using the shared TTooL:kit technology,
do manifest themselves in a couple of different ways. The full-featured members
of the product suite run as Visual Basic applications that essentially consist
of ActiveX components running within a VB container. There are also somewhat
lighter members in the suite, and these use Microsoft Internet Explorer to
run an ActiveX component. The suite is very much based upon Microsoft technology,
and as such no support for Netscape platforms is offered.
This document discusses matters of security relating to TTooL:kit, and is
generally applicable to Market:marker heavy desktop products, Data:marker
(internet) products or all products.
Network Issues
- Are the products used via the Internet or leased line?
- Data:marker products
The Data:marker product is available over the Internet; under extreme
circumstances it can be run over leased line connectivity. Leased lines do of
course offer better security and some better degree of (guaranteed) quality of
service. It's worth noting that establishing leased line communications for
one Market:marker product means that it is established for all. Thus, the
cost and effort incurred in commissioning a leased line connection can be
shared across a number of products, making this approach reasonably efficient
and cost effective in the longer term.
-
- What IP addresses are used?
- Data:marker products
The IP addresses used by Data:marker are 192.149.225.181 and 192.149.225.190.
- Are heart beats used?
- Data:marker products
A heart beat is used to ensure connectivity.
-
- What routing protocols are used?
- Data:marker products
None.
-
- Can the Market:marker products work with IP addresses that are internal to
customer firms and not officially allocated?
- All products
Yes.
-
- Which protocols are used by the application?
- All products
Market:marker products use HTTP / HTTPS / TCP.
-
- What DNS names are associated with product usage (if any)? Are they fully
qualified and officially registered?
- Data:marker products
Datamarker's official DNS name is www.datamarker.com.
The Market:marker Resources site uses DNS name: marker.tullib.com [note that
the omission of the "www." is intentional]. This DNS is not essential
for the application to work.
-
- Which TCP ports are used by the application? Are they duly registered with
the IANA (Internet Assigned Numbers Authority)?
- Data:marker uses TCP ports 80 and 5463. HTTPS uses
port 443 and is essential. When configuring network devices we would recommend
that all ports are opened up to Market:marker traffic.
All ports are used "as advertised" (i.e. we don't encapsulate
and forward non-standard HTTP over port 80). Port 5463 has been
registered with IANA: the following excerpt comes from their site at www.iana.org/assignments/port-numbers.
Port Assignments:
Keyword         Decimal    Description
-------         -------    -----------
ttl-publisher   5462/tcp   TTL Publisher
ttl-publisher   5462/udp   TTL Publisher
#                          Peter Jacobs <pjacobs@tullib.com>
ttlpriceproxy   5463/tcp   TTL Price Proxy
ttlpriceproxy   5463/udp   TTL Price Proxy
#                          Peter Jacobs <pjacobs@tullib.com>
-
Authentication
- What kind of user authentication is employed by the Market:marker products?
- All products
At present, authentication is accomplished via username and password.
The first time a user signs on to the system the password MUST be changed.
Passwords are stored in encrypted format within the Market:marker system,
and cannot be discovered: if a user forgets their password, a new one-time
password must be issued for the user's account to be re-initialised.
-
- How are passwords issued to end users? How are they revoked?
- All products
As part of the installation process, username and password combinations are passed directly to the customer/trader by Tullett Prebon's Client Support personnel.
Passwords can be issued, reset, and revoked in real time by contacting Tullett Prebon. This contact can be by way of a customer's broker, via Client Support, or by calling Tullett Prebon's Client Support for Market:marker on [+44] (0)20 7200 7775.
-
- Is encryption used? And, if so, what is the nature of it?
- Data:marker products
The product does support the use of HTTPS for real-time price delivery. Passwords
are encrypted in the database.
-
- Are passwords stored on the client workstation? If they are, where and how
are they stored?
- Data:marker products
No.
-
- What are the creation rules for passwords?
- All products
There are a few rules relating to passwords:
- the initial password, or one that gets reset, must be changed before the system can be used
- the password must have a minimum length of six characters
- the password must be alpha-numeric
- the user is locked out after three invalid logon attempts
-
Product Technology
- Is Java used?
- Data:marker products
Java is used for Data:marker.
- Is ActiveX used?
- Data:marker products
Internet Explorer will need the following setting, made through 'Internet
Options' on the Tools menu: choose the Security tab, where the settings can be
modified individually. Under "ActiveX controls and plug-ins", set "Script
ActiveX controls marked safe for scripting" to Enable.
-
- Are cookies used?
- Data:marker products
No client side cookies are used.
-
- Are digital certificates used within the Market:marker products?
- Data:marker products
Digital certificates are used for real-time price delivery.
-
- How/in which direction are user sessions established?
- All products
Sessions are always established by clients: no unsolicited
connections are made outbound from Tullett Prebon to customer sites.
-
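The network answers above (two server addresses, TCP ports 80, 443 and 5463, sessions always opened by the client) amount to a traffic profile that a customer firewall or flow monitor can enforce. The following is an added example, not part of the original page or of any Tullett Prebon software: it audits constructed flow records against that profile. The record format, the internal range 10.20.0.0/16 and the function names are assumptions.

```python
import ipaddress

# Values taken from the FAQ above.
DATAMARKER_SERVERS = {ipaddress.ip_address("192.149.225.181"),
                      ipaddress.ip_address("192.149.225.190")}
DATAMARKER_TCP_PORTS = {80, 443, 5463}

# Assumption: the customer's internal address range (hypothetical).
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample records, not real traffic. Assumed format:
# initiator_ip initiator_port responder_ip responder_port protocol
SAMPLE_FLOWS = """\
10.20.1.15 49152 192.149.225.181 443 tcp
10.20.1.15 49153 192.149.225.190 5463 tcp
10.20.1.16 49200 192.149.225.181 80 tcp
10.20.1.16 49201 192.149.225.181 8080 tcp
10.20.1.17 5463 192.149.225.190 5463 udp
192.149.225.190 5463 10.20.1.15 49300 tcp
10.20.1.18 49400 198.51.100.7 443 tcp
"""

def classify(line):
    """Compare one flow record with the documented Data:marker profile."""
    src, _sport, dst, dport, proto = line.split()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # The FAQ states that sessions are always established by clients.
    if src in DATAMARKER_SERVERS and dst in INTERNAL_NET:
        return "ALERT server-initiated session"
    if dst not in DATAMARKER_SERVERS:
        return "IGNORE not Data:marker traffic"
    # The FAQ lists HTTP / HTTPS / TCP only, so UDP is outside the profile
    # even though 5463/udp appears in the IANA excerpt.
    if proto != "tcp":
        return "ALERT non-TCP protocol"
    if int(dport) not in DATAMARKER_TCP_PORTS:
        return "ALERT undocumented port"
    return "OK"

def audit(text):
    """Return (record, verdict) pairs for every non-empty line."""
    return [(line, classify(line)) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:32} {record}")
```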
Other Issues
- Does the application run on dedicated hardware platforms?
- Data:marker products
No. Data:marker is an internet product and runs off any PC connected
to the internet.
-
- Are Market:marker security logs maintained by Tullett Prebon? If so, for how
long are they held and can they be made available to end-user firms?
- All products
Extensive system logs are maintained by Tullett Prebon, and
if requested can be made available for review to customers. This should be
coordinated via Client Support.
-
- What (kind of) information flows between the central Market:marker servers
and the product workstations located on customer premises?
- All products
When the user first connects to the system a username/password combination
gets sent to the central servers. With a correct pairing received, user configuration
details are returned to the system client. On the basis of this configuration
and/or selections made in the front end by the user, the workstation then gets
subscribed to data updates relevant to the expressed product interest.
-
- What kind of virus checking is performed on client software prior to its
release and distribution by Tullett Prebon?
- All products
All Market:marker software is scanned by a number of well-known virus scanning
packages. Virus definition files for these packages are updated daily.
-
- Illustrate a Sample Network Architecture for Data:marker.
- Data:marker products