Tullett Prebon

Tel: [+44] (0)20 7200 7775

tradingsystemsservices@tullettprebon.com

Security

Market:marker is the name for the suite of products released by Tullett Prebon Limited.
This constituent list will grow over time, but the general principle is that each new product will build upon its predecessors. As a result, the products share a technological heritage. This means that the products naturally benefit from improvements and enhancements unveiled in their associates - and end users benefit from the commonality of the Market:marker products infrastructure. The name "TTooL:kit" is used to refer to the technology underpinning the Market:marker products.

Market:marker products, though built using the shared TTooL:kit technology, do manifest themselves in a couple of different ways. The full-featured members of the product suite run as Visual Basic applications that essentially consist of ActiveX components running within a VB container. There are also somewhat lighter members in the suite, and these use Microsoft Internet Explorer to run an ActiveX component. The suite is very much based upon Microsoft technology, and as such no support for Netscape platforms is offered.

This document discusses matters of security relating to TTooL:kit, and is generally applicable to Market:marker heavy desktop products, Data:marker (internet) products or all products.


Network Issues

  • Are the products used via the Internet or leased line?
  • Market:marker Desktop products
    Both. The products can be made available over the Internet if the customer requires it, though most larger customers have opted, often as a matter of internal policy, for leased line connectivity. Leased lines do of course offer better security and a somewhat better degree of (guaranteed) quality of service, but smaller, remote customers can opt to connect via the Internet.

    It's worth noting that establishing leased line communications for one Market:marker product means that it is established for all. Thus, the cost and effort incurred in commissioning a leased line connection can be shared across a number of products, making this approach reasonably efficient and cost effective in the longer term.
  • What IP addresses are used?
  • Market:marker Desktop products
    The IP address used by Market:marker Desktop heavy products is 192.149.225.177.
  • Are TCP keep alive packets used?
  • Market:marker Desktop products
    No.
  • What routing protocols are used?
  • Market:marker Desktop products
    None.
  • Can the Market:marker products work with IP addresses that are internal to customer firms and not officially allocated?

  • All products
    Yes.
  • Which protocols are used by the application?
  • Market:marker Desktop products
    Market:marker products use HTTP.

    At a lower level, the connectivity is TCP packets over IP.
  • What DNS names are associated with product usage (if any)? Are they fully qualified and officially registered?
  • Market:marker Desktop products
    The Market:marker products do have an official DNS name: marker.tullib.com [note that the omission of the "www." is intentional].
  • Which TCP ports are used by the application? Are they duly registered with the IANA (Internet Assigned Numbers Authority)?
  • Heavy products use TCP ports 80 and 5462. When configuring network devices we would recommend that all ports are opened up to Market:marker traffic, so that an expected fuller adoption of HTTPS in the future will be accommodated.

    All ports are used "as advertised" (i.e. we don't encapsulate and forward non-standard HTTP over port 80). Port 5462 has been registered with IANA: the following excerpt comes from their site at www.iana.org/assignments/port-numbers.

    Port Assignments:
    Keyword          Decimal      Description
    -------          -------      -----------
    ttl-publisher    5462/tcp     TTL Publisher
    ttl-publisher    5462/udp     TTL Publisher
    #                Peter Jacobs <pjacobs@tullib.com>
    ttlpriceproxy    5463/tcp     TTL Price Proxy
    ttlpriceproxy    5463/udp     TTL Price Proxy
    #                Peter Jacobs <pjacobs@tullib.com>


Authentication

  • What kind of user authentication is employed by the Market:marker products?

  • All products
    At present, authentication is accomplished via username and password.

    The first time a user signs on to the system the password MUST be changed. Passwords are stored in encrypted format within the Market:marker system, and cannot be discovered: if a user forgets their password a new one-time password must be issued for the user's account to be re-initialised.
  • How are passwords issued to end users? How are they revoked?

  • All products
    As part of the installation process, username and password combinations are passed directly to the customer/trader by Tullett Prebon's Client Support personnel.

    Passwords can be issued, reset, and revoked in real time by contacting Tullett Prebon. This contact can be by way of a customer's broker, via Client Support, or calling Tullett Prebon's Client Support for Market:marker on [+44] (0)20 7200 7775.
  • Is encryption used? And, if so, what is the nature of it?

  • Market:marker Desktop products
    Generally speaking, the answer is, "No." For authentication purposes passwords are encrypted in the database as stated above, but network data is sent in unencrypted format.
  • Are passwords stored on the client workstation? If they are, where and how are they stored?
  • Market:marker Desktop products
    In certain circumstances a customer may be allowed to store passwords on their local machine. Specifically, if the customer is using "view only" products (i.e. products that are functioning solely as replacements for the old "green screens") they may be permitted to save their password from session to session.
  • What are the creation rules for passwords?
  • All products
    There are a few rules relating to passwords:
    • the initial password, or one that gets reset, must be changed before the system can be used
    • the password must have a minimum length of six characters
    • the password must be alpha-numeric
    • the user is locked out after three invalid logon attempts

Product Technology

  • Is Java used?
  • Market:marker Desktop products
    Java is not used for heavy desktop Market:marker products.
  • Is ActiveX used?
  • Market:marker Desktop products
    ActiveX is a key underlying technology within the products. In the case of the full-featured, VB-based products the ActiveX components get installed directly to the target workstation from a CD (or by way of a customer's own packaging process).
  • Are cookies used?

  • Market:marker Desktop products
    No.
  • Are digital certificates used within the Market:marker products?
  • Market:marker Desktop product
    Digital certificates are not currently used, but hooks are in place to enable their use when customer demand warrants it.
  • How/in which direction are user sessions established?
  • All products
    Sessions are always established by clients: no unsolicited connections are made outbound from Tullett Prebon to customer sites.
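
The network profile documented on this page (client-initiated TCP sessions to 192.149.225.177 on ports 80 and 5462, with no connections initiated from Tullett Prebon) can be checked against a customer's own firewall connection records. The script below is an added example, not Tullett Prebon code; the record format, the function names and the 10.20.x.x workstation addresses are constructed for illustration.

```python
import ipaddress

# Values taken from this page's Network Issues answers.
VENDOR_IP = ipaddress.ip_address("192.149.225.177")
DOCUMENTED_TCP_PORTS = {80, 5462}   # HTTP and ttl-publisher

# Constructed new-connection records: "proto initiator_ip:port responder_ip:port".
# The record format and the 10.20.x.x workstation addresses are assumptions.
SAMPLE_FLOWS = """\
tcp 10.20.1.15:49812 192.149.225.177:80
tcp 10.20.1.15:49813 192.149.225.177:5462
udp 10.20.1.16:50100 192.149.225.177:5462
tcp 10.20.1.17:50222 192.149.225.177:8080
tcp 192.149.225.177:5462 10.20.1.15:1025
tcp 10.20.1.15:49900 198.51.100.7:443
"""

def parse_flow(line):
    """Split one record into (proto, initiator_ip, responder_ip, responder_port)."""
    proto, initiator, responder = line.split()
    init_ip = initiator.rsplit(":", 1)[0]
    resp_ip, resp_port = responder.rsplit(":", 1)
    return (proto.lower(), ipaddress.ip_address(init_ip),
            ipaddress.ip_address(resp_ip), int(resp_port))

def check_flow(line):
    """Return a finding string for off-profile vendor traffic, else None."""
    proto, init_ip, resp_ip, resp_port = parse_flow(line)
    if init_ip == VENDOR_IP:
        return "connection initiated from vendor address; page says clients initiate"
    if resp_ip != VENDOR_IP:
        return None                      # unrelated to Market:marker
    if proto != "tcp":
        return f"{proto} to vendor address; page describes TCP connectivity"
    if resp_port not in DOCUMENTED_TCP_PORTS:
        return f"tcp/{resp_port} is not a documented port (80, 5462)"
    return None

def audit(log_text):
    """Return (record, finding) pairs for every off-profile record."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = check_flow(line)
            if finding:
                findings.append((line, finding))
    return findings

if __name__ == "__main__":
    for record, finding in audit(SAMPLE_FLOWS):
        print(f"OFF-PROFILE  {record}  ({finding})")
```

Each record is assumed to describe a new connection with the initiator listed first, so return traffic on an established session is not reported.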

Other Issues

  • Does the application run on dedicated hardware platforms?
  • Market:marker Desktop product
    This is an option for the customer. The Market:marker product can run either on an existing machine or one dedicated to the purpose.
  • Are Market:marker security logs maintained by Tullett Prebon? If so, for how long are they held and can they be made available to end-user firms?
  • All products
    Extensive system logs are maintained by Tullett Prebon, and if requested can be made available for review to customers. This should be coordinated via Client Support.
  • What (kind of) information flows between the central Market:marker servers and the product workstations located on customer premises?
  • All products
    When the user first connects to the system a username/password combination gets sent to the central servers. With a correct pairing received, user configuration details are returned to the system client. On the basis of this configuration and/or selections made in the front end by the user, the workstation then gets subscribed to data updates relevant to the expressed product interest.
  • What kind of virus checking is performed on client software prior to its release and distribution by Tullett Prebon?
  • All products
    All Market:marker software is scanned by a number of well-known virus scanning packages. Virus definition files for these packages are updated daily.
  • What kind of use is made of the user's workstation? (file system, registry, etc.)
  • Market:marker Desktop product
    The file system is obviously used during installation of a Market:marker product, but nothing gets added to the system thereafter.

    The registry gets entries under the keys of "Tullett" and "Tullett & Tokyo LIberty plc". The former is where entries for shared infrastructure are established; the latter is where uninstallation information is held. The installation software, by the way, is InstallShield.

    [Figure: Registry Illustration] This diagram shows detail of the registry structure following installation of Repo:marker. You'll note reference to "EqWeb" under the "Tullett" key: EqWeb was the predecessor of the Market:marker suite and has been retained in order to ensure backward-compatibility for our early customers.
