Point-of-Sale security - Firewalls


Thread: Point-of-Sale security

  1. Re: Point-of-Sale security

    Dale I. Green wrote:
    > Ansgar -59cobalt- Wiechers wrote:
    >> You'll probably want something like this:
    >>
    >> Internet
    >> |
    >> Firewall
    >> | e.g. 10.23.0.2/30
    >> |
    >> | e.g. 10.23.0.1/30
    >> Server
    >> | e.g. 192.168.0.1/29
    >> |
    >> +- Client
    >> +- Client
    >> +- Client
    >> +- Client
    >> `- Client
    >>
    >> Server has two NICs and does not route between those interfaces.
    >> Harden the server and restrict physical access to it (see e.g. [1,2]).
    >>
    >> Firewall does packet filtering, NAT and port-forwarding to those
    >> services on the server that must be accessible from the outside (e.g.
    >> remote access). You may want to consider allowing remote access only
    >> through a VPN instead of forwarding ports for remote access, in which
    >> case the firewall device must also be a VPN endpoint.
    >
    > I assume by default routing is disabled between NICs, yes?
    Yes.

    > Also, if I choose to use VPN, would that simplify my firewall config?
    Most likely, if you terminate the VPN on the router. However, without
    knowing your exact requirements I can't give you a definitive answer
    here.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  2. Re: Point-of-Sale security

    Leythos wrote in
    news:MPG.20213c9a3be5aff0989863@adfree.Usenet.com:

    >> Browsing POS related forums, it seems most businesses similar to ours
    >> are simply using residential routers with no more security than one
    >> would find in a typical home network. Given the amount of malware
    >> infected machines I regularly see, I felt this was insufficient.
    >
    > I've seen that type of solution before, and it works, UNTIL.
    >
    > As a person that designs secure networks for many different levels of
    > business and different markets, mainly Medical, I can only do my part
    > by making you aware of the issues and hope that you determine that a
    > firewall, not a pretend one, is worth its weight in gold to you and
    > your customers.
    Would you recommend the DFL-200/700 as a compromise? (I saw you
    recommended the DFL-700 in another thread.)
    > If you have a database for your POS system you need to isolate it
    > completely from the POS machines, except for the specific ports that
    > the data connection needs.
    >
    Why? Malware?
    Kind regards,
    Dale

  3. Re: Point-of-Sale security

    In article ,
    dig@notmail.com says...
    > Leythos wrote in
    > news:MPG.20213c9a3be5aff0989863@adfree.Usenet.com:
    >
    > >> Browsing POS related forums, it seems most businesses similar to ours
    > >> are simply using residential routers with no more security than one
    > >> would find in a typical home network. Given the amount of malware
    > >> infected machines I regularly see, I felt this was insufficient.
    > >
    > > I've seen that type of solution before, and it works, UNTIL.
    > >
    > > As a person that designs secure networks for many different levels of
    > > business and different markets, mainly Medical, I can only do my part
    > > by making you aware of the issues and hope that you determine that a
    > > firewall, not a pretend one, is worth its weight in gold to you and
    > > your customers.
    >
    > Would you recommend the DFL-200/700 as a compromise? (I saw you
    > recommended the DFL-700 in another thread.)
    Well, compromise, that's a bad word and when it comes to security I
    don't take the job if I have to compromise on security.

    The DFL-700 will give you a true LAN and true DMZ that are isolated from
    each other by default.

    > > If you have a database for your POS system you need to isolate it
    > > completely from the POS machines, except for the specific ports that
    > > the data connection needs.
    > >
    >
    > Why? Malware?
    The first rule of security is that you provide NO ACCESS and then only
    what is required for the application/business. So, in this case, you
    only want the database to be reached by the computers in the LAN (or
    you could think of it as in the DMZ if you want) and then only on the
    ports needed to communicate with the database.

    Yes, the reason is that there are many things that attack databases, as
    well as other things on computers, if you limit the ports/exposure, you
    greatly lessen the opportunity for the malware.

    As an example, MS SQL (MSDE) communicates over port TCP 1433; the
    command port (used to control, rather than just data) is port TCP
    1434. Port 1434 is a normal attack port for malware.

    I thought it was funny that you asked me if I thought the DFL was a good
    "Compromise" when we're talking about compromising networks.

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  4. Re: Point-of-Sale security

    Leythos wrote in
    news:MPG.2023d74de9142ca3989893@adfree.Usenet.com:

    > I thought it was funny that you asked me if I thought the DFL was a
    > good "Compromise" when we're talking about compromising networks
    Poor word choice on my part!

    Ideally, our system would be 100% secure. The practical reality however
    is that we have a budget (money & time & expertise) and we need to do
    the best we can. You could argue (and I'm guessing you will) that our
    budget is too small for the task, and you may be correct. Nevertheless,
    it's mostly fixed and I'm caught in the middle trying to put something
    together.

    I want to thank you, Leythos, and everyone else for contributing to this
    thread. I'm still not sure what to do, but at least now I have some
    information to chew on (yum!).

    Dale
  5. Re: Point-of-Sale security

    In article ,
    dig@notmail.com says...
    > Leythos wrote in
    > news:MPG.2023d74de9142ca3989893@adfree.Usenet.com:
    >
    > > I thought it was funny that you asked me if I thought the DFL was a
    > > good "Compromise" when we're talking about compromising networks
    >
    > Poor word choice on my part!
    >
    > Ideally, our system would be 100% secure. The practical reality however
    > is that we have a budget (money & time & expertise) and we need to do
    > the best we can. You could argue (and I'm guessing you will) that our
    > budget is too small for the task, and you may be correct. Nevertheless,
    > it's mostly fixed and I'm caught in the middle trying to put something
    > together.
    >
    > I want to thank you, Leythos, and everyone else for contributing to this
    > thread. I'm still not sure what to do, but at least now I have some
    > information to chew on (yum!).
    You didn't mention what type of database - if you are using something
    like a file access based database (like MS Access) then you can't do
    much, as the file sharing ports would kill your security. If you are
    using MS SQL, Oracle, MySQL, you can do it based on ports, and that's
    going to give you control over security.

    Just remember, don't use Windows Authentication if you don't have to as
    a requirement, use SQL authentication.

    If you can't afford a full firewall, the DFL-700 will be your best
    choice if you were considering the NAT routers claiming to be firewalls.
    I am not responsible for any security issues if you use that method.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
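The two points Leythos makes above, "NO ACCESS and then only what is required" (reply 3) and "a file-access based database can't be isolated because the file sharing ports would kill your security" (reply 5), can be shown together with a small policy model. The following is an added example written for this page; it is not code from anyone in the thread. It takes the POS client LAN 192.168.0.0/29 from Ansgar's diagram, and assumes (hypothetically) that the database server sits on its own segment 10.0.1.0/29 at 10.0.1.2 behind a Linux firewall, with 203.0.113.9 standing in for an outside host. The sample flows are constructed. It evaluates each flow against a default-drop policy whose only entry is POS LAN to DB host on TCP 1433, shows what a file-share database forces you to add, and renders the same policy as an nftables forward chain. One caveat on the port numbers as the thread gives them: on a real SQL Server install the Browser/Resolution Service that Slammer abused listens on UDP 1434, so a deny on TCP 1434 alone does not cover it; the default drop here covers both because neither is on the allow list.

```python
"""Default-deny filtering between a POS LAN and a database host.

Added example for this thread, not code from any poster.
Addresses: 192.168.0.0/29 is the POS client LAN from the thread's
diagram; the DB segment 10.0.1.0/29, the DB host 10.0.1.2 and the
outside host 203.0.113.9 are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

POS_LAN = ip_network("192.168.0.0/29")   # client LAN from the thread's diagram
DB_HOST = ip_network("10.0.1.2/32")      # assumed database server address
MSSQL_DATA = 1433                         # TCP 1433, SQL Server data port (thread)


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str                 # "tcp" or "udp"
    dport: Optional[int]       # None matches any destination port
    action: str                # "accept" or "drop"

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst and proto == self.proto
                and (self.dport is None or self.dport == dport))


# The complete allow list: POS terminals may open TCP 1433 to the DB host.
# Nothing else is listed, so every other new flow hits the default drop.
POLICY = [Rule(POS_LAN, DB_HOST, "tcp", MSSQL_DATA, "accept")]


def file_share_variant(rules=POLICY):
    """What a file-based DB (e.g. an MS Access .mdb on a share) forces you to
    add: SMB over TCP 445 and NetBIOS session TCP 139 from every POS terminal
    to the DB host. That is the exposure Leythos warns about."""
    return list(rules) + [Rule(POS_LAN, DB_HOST, "tcp", 445, "accept"),
                          Rule(POS_LAN, DB_HOST, "tcp", 139, "accept")]


def decide(rules, src, dst, proto, dport, default="drop"):
    """First-match evaluation of the first packet of a new flow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return default


def render_nftables(rules, default="drop"):
    """Render the policy as an nftables forward chain with the same semantics:
    default policy drop, replies allowed by conntrack, then the allow list."""
    lines = ["table inet pos_segmentation {",
             "    chain forward {",
             f"        type filter hook forward priority 0; policy {default};",
             "        ct state established,related accept",
             "        ct state invalid drop"]
    for r in rules:
        match = (f" {r.proto} dport {r.dport}" if r.dport is not None
                 else f" meta l4proto {r.proto}")
        lines.append(f"        ip saddr {r.src} ip daddr {r.dst}{match} {r.action}")
    lines += ["    }", "}"]
    return "\n".join(lines)


# Constructed sample flows: (src, dst, proto, dport) of a connection's first packet.
SAMPLE_FLOWS = {
    "pos_to_db_data":    ("192.168.0.3", "10.0.1.2", "tcp", 1433),   # the one needed port
    "pos_to_db_1434":    ("192.168.0.3", "10.0.1.2", "tcp", 1434),   # command port (thread)
    "pos_to_db_any_udp": ("192.168.0.4", "10.0.1.2", "udp", 1434),   # Browser service port
    "pos_to_db_smb":     ("192.168.0.3", "10.0.1.2", "tcp", 445),    # file sharing
    "db_to_pos":         ("10.0.1.2", "192.168.0.3", "tcp", 445),    # DB initiating to POS
    "outside_to_db":     ("203.0.113.9", "10.0.1.2", "tcp", 1433),   # assumed outside host
}


def evaluate_samples(rules=POLICY):
    """Verdict for every sample flow under the given rule list."""
    return {name: decide(rules, *flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print("Port-based DB (SQL Server / Oracle / MySQL), allow list = TCP 1433 only:")
    for name, verdict in evaluate_samples().items():
        print(f"  {name:18s} {verdict}")
    print("File-share DB, allow list must also carry SMB/NetBIOS:")
    for name, verdict in evaluate_samples(file_share_variant()).items():
        print(f"  {name:18s} {verdict}")
    print(render_nftables(POLICY))
```

With the port-based policy only `pos_to_db_data` is accepted; 1434 in either transport, SMB in both directions and the outside host all fall to the default drop, which is Leythos's "NO ACCESS, then only what is required" in rule form. With the file-share variant the same POS terminals reach the DB host's SMB service, and the isolation he describes is gone, because the database traffic and the attack surface now share a port. Load the rendered ruleset with `nft -f` on the firewall between the two segments; the server's own host firewall should carry an equivalent input chain.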
