Point-of-Sale security

Hi.

I've been tasked with setting up a POS (Point-of-Sale) system for a small restaurant. The POS will consist of 5 terminals and a server (all WinXP-Pro), all networked together.

I would like to completely isolate the 5 terminals from the Internet. Also I would like to allow only very limited Internet access to/from the server, 1) for credit card authorization and 2) for remote access (e.g. RAdmin).

I am thinking that one way to accomplish this would be to have a "local" switch connecting all 5 terminals and the server, thereby securing the terminals. Then I would install a second NIC in the server and have it connected to an "Internet facing" switch connected to a router (connected to a DSL modem). I would then use the router's firewall to block all traffic to the server except those aforementioned.

A) Would this work? If so, are there any particular features my router would need, or can they all do this?

B) Is there a better / easier way to accomplish my goal, perhaps without needing the extra switch and NIC?

Please be gentle, this level of networking is mostly new to me. Thanks!

Dale

Reply to
Dale I. Green

Pull the plug.

This is an oxymoron now. You will not manage to do what you want. The best compromise will be: don't route into the net on the server, and filter anything with the exception of the needed services on the server.

Yes. Do so.

Yours, VB.

Reply to
Volker Birk

Keep in mind that they will need at least temporary internet access - e.g. for updates, patches etc.

M
Reply to
mak

mak wrote in news: snipped-for-privacy@nntpcache01.si.eunet.at:

Yes, thank you. I was thinking I could occasionally (monthly? / as needed?) apply patches to the terminals either by temporarily connecting the "local" switch to the Internet or by downloading patches to the server then pushing them out to the terminals.

Reply to
Dale I. Green

VB, Thank you for your input. I assume by your comments that you consider my goals to be naive but that you think my overall approach is solid. Is that right?

What do you mean by "don't route into the net on the server"? Also, by "filter" do you mean using the hardware router, a software firewall, or something else?

Kind regards, Dale

Reply to
Dale I. Green

You need a real firewall appliance and then you set up only the access that you want to permit - do not confuse a NAT router with a firewall.

With a real firewall appliance you can set up an IPSec client to allow you to remotely connect to the firewall itself, then from a rule in the firewall, your authenticated user can remotely admin the server.

You can also allow outbound to the credit card processing facility and block all other access.

Reply to
Leythos

You'll probably want something like this:

    Internet
       |
    Firewall
       | e.g. 10.23.0.2/30
       |
       | e.g. 10.23.0.1/30
     Server
       | e.g. 192.168.0.1/29
       |
       +- Client
       +- Client
       +- Client
       +- Client
       `- Client

Server has two NICs and does not route between those interfaces. Harden the server and restrict physical access to it (see e.g. [1,2]).

Firewall does packet filtering, NAT and port-forwarding to those services on the server that must be accessible from the outside (e.g. remote access). You may want to consider allowing remote access only through a VPN instead of forwarding ports for remote access, in which case the firewall device must also be a VPN endpoint.

Lock down the clients, too.

[1]
formatting link
formatting link
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers
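
The filtering policy described in the two replies above (default deny, server-only outbound to the card processor, remote administration only for VPN users), written out as an added example that is not part of any poster's message. The addresses 10.23.0.1 and 192.168.0.0/29 come from the diagram; the processor address, the VPN address pool and the remote-admin port 4899 are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    proto: str    # "tcp", "udp" or "any"
    dport: int    # destination port, 0 = any

# Addresses from the diagram in the thread; the rest are assumed placeholders.
SERVER_WAN = "10.23.0.1/32"     # server NIC facing the firewall
TERMINALS = "192.168.0.0/29"    # POS LAN behind the server's second NIC
PROCESSOR = "203.0.113.10/32"   # hypothetical card-authorization host
VPN_POOL = "10.99.0.0/24"       # hypothetical addresses handed to VPN users
ANY = "0.0.0.0/0"

RULES = [
    Rule("allow", SERVER_WAN, PROCESSOR, "tcp", 443),  # card authorization only
    Rule("allow", VPN_POOL, SERVER_WAN, "tcp", 4899),  # remote admin via VPN (assumed port)
    Rule("deny", ANY, ANY, "any", 0),                  # explicit default deny
]

def _match(rule, src, dst, proto, dport):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (0, dport))

def decide(src, dst, proto, dport, rules=RULES):
    """First matching rule wins; no match at all is also a deny."""
    for rule in rules:
        if _match(rule, src, dst, proto, dport):
            return rule.action
    return "deny"

def audit(rules=RULES):
    """Return allow rules that use 'any' as an endpoint or touch the terminal LAN."""
    lan = ipaddress.ip_network(TERMINALS)
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        nets = [ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)]
        if any(n.prefixlen == 0 or n.overlaps(lan) for n in nets):
            findings.append(r)
    return findings
```

Running `audit()` over a proposed rule list before loading it into the firewall catches the common slip of forwarding the remote-admin port from any source instead of restricting it to authenticated VPN users.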

Since you are dealing with a network that has CC data, I would start with a detailed description of what each machine is required to do to perform its tasks.

Remove anything from the machines that isn't required, only add network access as required.

Build in strong authentication & authorization methods for remote access and local access.

John

Reply to
John Mason Jr

Leythos wrote in news: snipped-for-privacy@adfree.Usenet.com:

Leythos, Thank you!

Does "IPSec" imply VPN?

Could you suggest a firewall appliance which would be suitable? I checked newegg and the best rated firewall is the NETGEAR FR114P. Would this be a good choice?

Finally, would you still recommend using 2 switches, a "local" and an "Internet facing"?

Thanks again. I appreciate your advice.

Kind regards, Dale

Reply to
Dale I. Green

Ansgar -59cobalt- Wiechers wrote in news: snipped-for-privacy@mid.individual.net:

Thank you Ansgar.

I assume by default routing is disabled between NICs, yes?

Also, if I choose to use VPN, would that simplify my firewall config?

Kind regards, Dale

Reply to
Dale I. Green

Yes, but you can do VPN with PPTP or IPSec.

LOL, sorry, firewall means something a little further up the food chain. I would suggest something in the line of a WatchGuard X750e series:

formatting link
This is a real firewall and as your needs grow/business increases you can purchase keys to increase the performance of the firewall, so you don't have to change the firewall out, just purchase an upgrade license/key.

If you have a real firewall, it will have a WAN (public) interface for your internet connection and then separate jacks for the LAN and DMZ network - so you don't need to have a switch at the WAN side, you get the ability to have real, isolated networks with real jacks for LAN and then DMZ.

These things are not cheap, but you need to consider how much it would cost if you have your users' CC information stolen from your servers.

Additionally, the unit acts as a PPTP server and an IPSec VPN end-point, and you get client licenses for their VPN software to install on laptops and remote users' computers if needed.

The FR114P is a base firewall, it provides very basic firewall functions, it doesn't provide all that you need, and it does not provide a real DMZ network isolated from the LAN - basically, it's a glorified NAT Router.

Reply to
Leythos

John Mason Jr wrote in news:12rcsqf4nspqve7 @news.supernews.com:

Thank you John.

Reply to
Dale I. Green

Leythos wrote in news: snipped-for-privacy@adfree.Usenet.com:

Wow!

I understand what you're saying. I think I need to go back and see what our exposure actually is. I'm not even sure if any CC data is ever stored unencrypted on the system; it might be, but I can't think of any reason it would need to be.

Practically, I don't see how we could afford this level of security, especially from an expertise standpoint. The restaurant is a seasonal mom-n-pop quick-service (window) shop. i.e. The budget is tight.

That said, I'll discuss this with the owner.

I really appreciate your help.

Kind regards, Dale

Reply to
Dale I. Green

Latest Breach May Force a New Approach to Data Security

formatting link
from above:

In a research note she was preparing for Gartner clients on Monday, Litan says, Gartner believes that it's impractical for the card industry to expect up to 5 million retailers to become security experts and change their systems to fix security holes. It's time for the banks to own up to the problem and accept responsibility. They must make changes to the payment system so that, even if data are stolen, the data are useless to the thieves.

... snip ...

somewhat related thread here

formatting link
Securing financial transactions a high priority for 2007

above reply to somebody's comment about the Gartner article:

Sounds obvious to me. Sam & Ella's coffee shop cannot afford to hire a security expert.

... snip ...

and old post about security proportional to risk

formatting link

Reply to
Anne & Lynn Wheeler

No, I did not want to say that your approach is naive, sorry.

Don't route at all on the server. Don't do packet forwarding.

Does not matter how you're filtering. But filter anything with the exception of the needed services.

You could do this with a host based packet filter or additionally with a filtering device before the server.

Yours, VB.

Reply to
Volker Birk

If the CC information is stored, well, it's something that can be decrypted by some means, or there is no reason to store it.

Why do you need something like you described for that type of business - a simple QuickBooks POS terminal and a credit card swiper with a CC service would handle all that you need.

formatting link
They make the software and you can even buy a software + hardware solution directly from them, all you need to do is enter the products, costs, and set up a cc account with a cc processing company.

Doing this the wrong way could cost them their business and home, if you're going to do it, do it right or don't do it.

Reply to
Leythos

Leythos wrote in news: snipped-for-privacy@adfree.Usenet.com:

I should have simply stated that I'm not sure if any CC data is stored on the system. It seems to me, once a transaction is approved, and an approval code issued, the CC number itself is no longer needed. I've forwarded the question to our POS software vendor.

Hmmmmm... The QuickBooks POS is very similar to what we're using. (We actually looked at the QuickBooks, but found it to be a poor choice for a restaurant.) What did I say which implied otherwise? What is it about the QuickBooks POS system which eliminates security concerns? Now I'm really confused...

Reply to
Dale I. Green

Based on your initial description it's hard to tell what you're looking at, other than POS XP and database. No clear definition of your using a packaged solution, and you seem to indicate a home grown solution.

Nothing eliminates the security concerns, but, do you really think that they would develop a solution that they sell to tens of thousands of customers that would leave them wide open?

I would be willing to bet that they've got all the bases covered and also offer recommendations on firewall solutions.

The big difference in purchasing a package is that the parts are already designed to be connected, to be secured, to work with each other, to provide support, and you don't have to wonder about database connections or how to properly secure them.

Reply to
Leythos

Leythos wrote in news: snipped-for-privacy@adfree.Usenet.com:

I guess that I should have included more details in my initial post. In any case, we are using a COTS POS software (Aldelo) running on COTS hardware (Mercury/DigiCom). Maybe I am trying to over-architect the security, but I thought it would be a good idea to isolate the system as much as reasonably possible. In my experience, the POS vendors simply show the firewall as a black-box and offer no detail, probably to avoid any future culpability.

Browsing POS related forums, it seems most businesses similar to ours are simply using residential routers with no more security than one would find in a typical home network. Given the amount of malware infected machines I regularly see, I felt this was insufficient.

Kind regards, Dale

Reply to
Dale I. Green

I've seen that type of solution before, and it works, UNTIL.

As a person that designs secure networks for many different levels of business and different markets, mainly Medical, I can only do my part by making you aware of the issues and hope that you determine that a firewall, not a pretend one, is worth its weight in gold to you and your customers.

If you have a database for your POS system you need to isolate it completely from the POS machines, except for the specific ports that the data connection needs.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.