Firewall

Let'sgoflying! (display name: Dave Taylor) wrote:
I have a SonicWall firewall. A physical device, unlike the Windows software firewall (as I understand it).

The SonicWall has about 6 RJ45 ports to plug stuff into.

The credit card people said I have to have my terminal behind a firewall.
I asked an IT person and they said go ahead, plug it in and we'll deal with it if it doesn't work.
It works.
The credit card company did some kind of 24 hr scan and it passed their scrutiny.

Does a firewall automatically confer protection to anything plugged into it without 'setup' or software modification on either the firewall or the protected device?
 
There is undoubtedly an outbound NAT rule that allows unfiltered egress for any device on the internal network. This will allow internally initiated communications from the credit card device, but will not allow external devices to directly communicate with the credit card machine, unless the credit card machine established the connection first. This is similar to any workstation reaching out to the Internet. There are probably some inspection protocols enabled, but without knowing more about the firewall and how it is configured, that is about all I can guess at.
 
To directly answer your question, yes, by default most firewalls will protect what is behind them. From that point, you must configure access policies which permit specific inbound traffic. As John mentioned, most outbound traffic is generally permitted.


JKG
 
I have a SonicWall firewall. A physical device, unlike the Windows software firewall (as I understand it).

It's not a physical device (hardware firewall implementation). It's just a PC running SonicOS, which is based on CentOS - which is a Linux distro.

So it's a Linux software firewall instead of a Windows software firewall.

Up to you to decide which is better.

One is a proprietary firewall running on a restricted device used by 10s of thousands of people. The other is a proprietary firewall running on a general purpose device, but that's used by a billion people. The first has less attack surface, the second has more people who can find problems and fix them. Honestly I think it's a toss-up until you get to the Cisco/Juniper level.
 
Can you use both, or will the systems be confused? Belt and suspenders.
 
The Windows firewall is a service that runs on your PC and has nothing to do with the credit card machine. It only protects that single PC. The Sonicwall firewall is a network appliance that sits between the Internet and your private network and provides protection to all devices on the network. There is some overlap of functionality, but yes, you would typically run both.
 
Hopefully your processor has mentioned PCI requirements. One of the first requirements in PCI compliance is firewalls and network segmentation, hopefully your terminals are segmented from your LAN.
 
Hopefully your processor has mentioned PCI requirements. One of the first requirements in PCI compliance is firewalls and network segmentation, hopefully your terminals are segmented from your LAN.
PCI is a different animal that requires centralized logging and segmentation like you mentioned. I don’t think he has a POS system, just the CC machine, but you make a good point, his IT guy should isolate the port on the firewall from the rest of the Network to be compliant.
 
PCI, at least when I was dealing with it, required at a minimum logical separation between PCI and non-PCI networks; otherwise, that non-PCI network and everything attached to it became in scope for the audit.
 
PCI, at least when I was dealing with it, required at a minimum logical separation between PCI and non-PCI networks; otherwise, that non-PCI network and everything attached to it became in scope for the audit.
Right, but the only PCI device he has is the CC machine, so isolating the port on the firewall (make it a stubbed DMZ) should be adequate.
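The default behaviour described earlier in the thread (inside hosts may initiate outbound, replies come back on state, unsolicited inbound is dropped) and the stubbed-DMZ isolation suggested here, modelled as an added example; this is not SonicWall code, and the zone names, subnets and processor address are constructed assumptions.

```python
"""Zone-based stateful filtering model (added example, not SonicWall's code).

Any internal zone may initiate outbound connections, replies to a tracked
connection are let back in, and unsolicited inbound traffic is dropped. The
card terminal sits in its own stub zone ("CC") that can only reach the WAN,
so nothing on the LAN can talk to it and it cannot talk to the LAN.
Zone names, subnets and the processor address are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

# Constructed topology: which internal zone each subnet belongs to.
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "CC": ip_network("192.168.99.0/30"),   # stub DMZ holding only the terminal
}

# Zone-pair access policy (source zone, destination zone). Unlisted = deny.
POLICY = {("LAN", "WAN"), ("CC", "WAN")}

def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"   # anything outside the internal zones is the Internet

class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()   # (src, sport, dst, dport) of permitted flows

    def check(self, src, sport, dst, dport):
        """Return the verdict for one packet and update connection state."""
        # Reply to a flow an inside host opened: allowed by state, not policy.
        if (dst, dport, src, sport) in self.conntrack:
            return "ALLOW (established)"
        if (zone_of(src), zone_of(dst)) in POLICY:
            self.conntrack.add((src, sport, dst, dport))
            return "ALLOW (policy)"
        return "DROP"

if __name__ == "__main__":
    fw = StatefulFirewall()
    terminal, processor, pc = "192.168.99.2", "203.0.113.10", "192.168.1.20"
    for pkt in [(terminal, 51000, processor, 443),   # terminal calls out
                (processor, 443, terminal, 51000),   # processor's reply
                (processor, 443, terminal, 51001),   # unsolicited inbound
                (pc, 40000, terminal, 443),          # LAN poking the terminal
                (terminal, 40001, pc, 445)]:         # terminal reaching LAN
        print(pkt, "->", fw.check(*pkt))
```

The last three packets are dropped for different reasons: no matching state for the unsolicited inbound, and no LAN/CC zone pair in the policy for the other two, which is what isolating the terminal's port buys you.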
 
Hopefully your processor has mentioned PCI requirements. One of the first requirements in PCI compliance is firewalls and network segmentation, hopefully your terminals are segmented from your LAN.

A single CC POS machine will not hit PCI requirements.
Instead the merchant processor will require some basic protections, and likely want you to go to EMV and avoid the future PCI requirements.

Tim
 
A single CC POS machine will not hit PCI requirements.
Instead the merchant processor will require some basic protections, and likely want you to go to EMV and avoid the future PCI requirements.

Tim
That certainly could be the case, but every merchant and processor is different. I have clients that are required by their processor to meet certain sections even with one terminal. It all depends on the processor requirements, lots of variables - big ones being how much $ is flowing and number of transactions.

The post is mainly a recommendation to follow up on what you have signed off on. I've heard of merchants being on the hook for thousands of dollars because they said they complied with something but didn't, due to ignorance.
 
There have to be tens of thousands of CC terminals out there that aren’t behind firewalls. Heck, go to a craft/trade show and look at all the terminals running over cellular or local WiFi networks. I don’t know how IP terminals work, but I would assume that the transmission is encrypted and therefore isolated regardless of the connection medium.

If I was a small operation with a single CC terminal, the PCI police would likely be the least of my worries. Securing the rest of my network (and data) would be of much greater concern.


JKG
 
There have to be tens of thousands of CC terminals out there that aren’t behind firewalls. Heck, go to a craft/trade show and look at all the terminals running over cellular or local WiFi networks. I don’t know how IP terminals work, but I would assume that the transmission is encrypted and therefore isolated regardless of the connection medium.

If I was a small operation with a single CC terminal, the PCI police would likely be the least of my worries. Securing the rest of my network (and data) would be of much greater concern.


JKG
Somewhat true, but recently the processors are making you fill out self-audits, or they charge you an additional fee for the higher risk (like $20 a month). It is probably just an angle to tack on an additional fee, but my GF got hit with that on her retail business (not the POS system, which is subscription based, but the online reservation system) because we couldn't meet the terms of the audit (it isn't even practical, considering the low volume of business and the cost it would take to implement the remediations).
 
We do maybe 5 to 10 CC transactions per month - only on dial-up - and still have to self-audit/comply with PCI regs.
If you REALLY comply, it's a pain, especially at first. Then the yearly audits get a little easier as you have all the BS taken care of.

The phone lines are already in place and add no cost, so we chose that over IP terminals, which carry a more aggressive audit/control procedure.

SAQ-B vs. SAQ-IP

if anyone cares:
https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf?agreement=true
 