Point-of-Sale security

Yes.

Most likely, if you terminate the VPN on the router. However, without knowing your exact requirements I can't give you a definitive answer here.

cu

59cobalt
Ansgar -59cobalt- Wiechers

Leythos wrote in news: snipped-for-privacy@adfree.Usenet.com:

Would you recommend the DFL-200/700 as a compromise? (I saw you recommended the DFL-700 in another thread.)

Why? Malware?

Kind regards, Dale

Dale I. Green

Well, compromise, that's a bad word and when it comes to security I don't take the job if I have to compromise on security.

The DFL-700 will give you a true LAN and true DMZ that are isolated from each other by default.

The first rule of security is that you provide NO ACCESS and then only what is required for the application/business. So, in this case, you only want the database to be reached by the computers in the LAN (or you could think of it as in the DMZ if you want) and then only on the ports needed to communicate with the database.

Yes, the reason is that there are many things that attack databases, as well as other things on computers. If you limit the ports/exposure, you greatly lessen the opportunity for the malware.

As an example, MS SQL (MSDE) communicates over port TCP 1433; the command port (used to control, rather than just data) is on port TCP 1434. Port 1434 is a normal attack port for malware.

I thought it was funny that you asked me if I thought the DFL was a good "Compromise" when we're talking about compromising networks :)

Leythos

Leythos wrote in news: snipped-for-privacy@adfree.Usenet.com:

Poor word choice on my part! :)

Ideally, our system would be 100% secure. The practical reality however is that we have a budget (money & time & expertise) and we need to do the best we can. You could argue (and I'm guessing you will) that our budget is too small for the task, and you may be correct. Nevertheless, it's mostly fixed and I'm caught in the middle trying to put something together.

I want to thank you, Leythos, and everyone else for contributing to this thread. I'm still not sure what to do, but at least now I have some information to chew on (yum!).

Dale

Dale I. Green

You didn't mention what type of database - if you are using something like a file-access-based database (like MS Access) then you can't do much, as the file sharing ports would kill your security. If you are using MS SQL, Oracle, MySQL, you can do it based on ports, and that's going to give you control over security.

Just remember, don't use Windows Authentication if you don't have to as a requirement; use SQL authentication.

If you can't afford a full firewall, the DFL-700 will be your best choice if you were considering the NAT Routers claiming to be firewalls. I am not responsible for any security issues if you use that method.

Leythos
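The default-deny, port-based LAN-to-DMZ policy discussed in this thread can be checked before it goes onto a firewall. The following is an added example, not code from any poster or from the DFL-700; the addresses, rule format and function names are assumptions made for illustration. It compares a wide-open rule with a single-port rule against the SQL ports named in the thread and the Windows file sharing ports (TCP 139/445).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    proto: str    # "tcp", "udp" or "any"
    ports: range  # destination port range

def evaluate(rules, src, dst, proto, port):
    """First matching rule wins; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and port in r.ports):
            return r.action
    return "deny"

def unexpected_allows(rules, probes, required):
    """Probe flows that pass the rule set although nothing requires them."""
    return [p for p in probes if p not in required and evaluate(rules, *p) == "allow"]

# Constructed addressing: POS terminal on the LAN, database host in the DMZ.
POS, DB, OTHER_DMZ = "192.168.1.10", "10.0.0.5", "10.0.0.9"
REQUIRED = {(POS, DB, "tcp", 1433)}   # the only flow the application needs

# Probes: the SQL ports named in the thread plus file sharing (139/445).
PROBES = [(POS, host, proto, port)
          for host in (DB, OTHER_DMZ)
          for proto in ("tcp", "udp")
          for port in (139, 445, 1433, 1434)]

# Hypothetical rule sets: everything LAN->DMZ versus one host and one port.
LOOSE = [Rule("allow", "192.168.1.0/24", "10.0.0.0/24", "any", range(1, 65536))]
TIGHT = [Rule("allow", "192.168.1.0/24", "10.0.0.5/32", "tcp", range(1433, 1434))]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("tight", TIGHT)):
        leaks = unexpected_allows(rules, PROBES, REQUIRED)
        print(f"{name}: required flow {evaluate(rules, POS, DB, 'tcp', 1433)}, "
              f"{len(leaks)} unexpected flows allowed")
```

Both rule sets let the POS application reach the database; only the tight one leaves every other probed flow denied.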
