Client/Server Communication

• Communication between client and server is via WCF, point-to-point with transport security and message credentials, encrypted via an SSL certificate.
• Transport level security guarantees integrity and confidentiality of the data. Message credentials handle authentication on every call.
• Communication between the client and server is done over TCP. This goes for any remote Report and Email Delivery services as well.
• Local Report and Email services communicate via named pipes.
• MarketWide Online (MWO) and the digital feedback server are secured using the same SSL certificate, configured via IIS.
• The MarketWide server requires only a single open port for duplex communication with the clients, and an optional open 443 port if MWO or digital feedback servers are being exposed outside the network.
• For fully intranet installations, we optionally support the Kerberos protocol, which offers additional authentication at the Windows domain level.

Passwords

• During system installation, the admin can choose from one of two authentication rulesets:
  • NIST’s Digital Identity Guidelines
  • Authentication against a local LDAP server. (This method puts the client fully in charge of rules and password policy.)
• When using NIST authentication ruleset, passwords are never transmitted unencrypted, and are stored hashed and with salted.
• User accounts are locked out after 5 unsuccessful login attempts, requiring an admin to re-enable an account.

SQL Database Security

MarketWide clients do not and cannot connect directly to the SQL database. All connections occur only from the MarketWide server. Therefore, as long as the MarketWide host (including MWO in IIS) is sitting on the same network as the db, the database server can be closed off from connections outside the network.