Firewall

Discussion in 'Technical Corner' started by Let'sgoflying!, Oct 18, 2017.

  1. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    I have a SonicWall firewall. A physical device, unlike the Windows software firewall (as I understand it).

    The SonicWall has about 6 RJ45 ports to plug stuff into.

    The credit card people said I have to have my terminal behind a firewall.
    I asked an IT person and they said go ahead, plug it in and we'll deal with it if it doesn't work.
    It works.
    The credit card company did some kind of 24 hr scan and it passed their scrutiny.

    Does a firewall automatically confer protection to anything plugged into it without 'setup' or software modification on either the firewall or the protected device?
     
  2. John221us

    John221us En-Route PoA Supporter

    There is undoubtedly an outbound NAT rule that allows unfiltered egress for any device on the internal network. This will allow internally initiated communications from the credit card device, but will not allow external devices to directly communicate with the credit card machine, unless the credit card machine established the connection first. This is similar to any workstation reaching out to the Internet. There are probably some inspection protocols enabled, but without knowing more about the firewall and how it is configured, that is about all I can guess at.
     
  3. JGoodish

    JGoodish Cleared for Takeoff

    To directly answer your question, yes, by default most firewalls will protect what is behind them. From that point, you must configure access policies which permit specific inbound traffic. As John mentioned, most outbound traffic is generally permitted.


    JKG
     
  4. deonb

    deonb Pattern Altitude PoA Supporter

    It's not a physical device (hardware firewall implementation). It's just a PC running SonicOS, which is based on CentOS - which is a Linux distro.

    So it's a Linux software firewall instead of a Windows software firewall.

    Up to you to decide which is better.

    One is a proprietary firewall running on a restricted device used by tens of thousands of people. The other is a proprietary firewall running on a general purpose device, but that's used by a billion people. The first has less attack surface, the second has more people who can find problems and fix them. Honestly I think it's a toss-up until you get to the Cisco/Juniper level.
     
  5. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Can you use both, or will the systems be confused? Belt and suspenders.
     
  6. Clark1961

    Clark1961 Touchdown! Greaser!

    The Windows firewall doesn't know that the SonicWall is doing anything. The SonicWall doesn't know the Windows firewall is doing anything.
     
  7. John221us

    John221us En-Route PoA Supporter

    The Windows firewall is a service that runs on your PC and has nothing to do with the credit card machine. It only protects that single PC. The SonicWall firewall is a network appliance that sits between the Internet and your private network and provides protection to all devices on the network. There is some overlap of functionality, but yes, you would typically run both.
     
  8. EricVKX

    EricVKX Pre-Flight

    Hopefully your processor has mentioned PCI requirements. One of the first requirements in PCI compliance is firewalls and network segmentation; hopefully your terminals are segmented from your LAN.
     
  9. John221us

    John221us En-Route PoA Supporter

    PCI is a different animal that requires centralized logging and segmentation like you mentioned. I don’t think he has a POS system, just the CC machine, but you make a good point: his IT guy should isolate the port on the firewall from the rest of the network to be compliant.
     
  10. sferguson524

    sferguson524 Cleared for Takeoff

    PCI, at least when I was dealing with it, required at a minimum logical separation between PCI and non-PCI networks; otherwise, that non-PCI network and everything attached to it became in scope for the audit.
     
  11. John221us

    John221us En-Route PoA Supporter

    Right, but the only PCI device he has is the CC machine, so isolating the port on the firewall (make it a stubbed DMZ) should be adequate.
     
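    A toy model of the behaviour John221us describes in posts 2 and 11: a stateful firewall that lets inside devices open connections outward, admits only reply traffic from the Internet, and keeps a stubbed DMZ port for the card terminal off the LAN. This is an added illustration, not code from the thread and not SonicOS logic; the zone names, addresses and the `StatefulFirewall` class are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str       # zone the packet arrives from: "wan", "lan" or "dmz"
    dst_zone: str       # zone the destination address belongs to
    src: str            # "ip:port" (constructed sample values)
    dst: str            # "ip:port"
    syn: bool = False   # True for the first packet of a new TCP connection


# Zone pairs allowed to open NEW connections: everything inside may go out to
# the WAN, nothing inbound is accepted, and the stubbed DMZ (terminal port)
# cannot reach the LAN at all.
ALLOWED_NEW = {("lan", "wan"), ("dmz", "wan")}


class StatefulFirewall:
    def __init__(self) -> None:
        self.conntrack: set[tuple[str, str]] = set()   # established (src, dst) flows

    def handle(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.dst)
        # Reply traffic for a flow an inside host already opened is allowed through.
        if flow in self.conntrack or (pkt.dst, pkt.src) in self.conntrack:
            return "ALLOW:established"
        # A brand-new connection is accepted only if the zone policy permits it.
        if pkt.syn and (pkt.src_zone, pkt.dst_zone) in ALLOWED_NEW:
            self.conntrack.add(flow)
            return "ALLOW:new"
        return "DROP"


def demo() -> list[str]:
    """Walk the terminal's dial-out, the processor's reply, and three probes."""
    fw = StatefulFirewall()
    terminal, processor, office_pc = "10.0.2.5:50001", "203.0.113.10:443", "10.0.1.20:445"
    return [
        fw.handle(Packet("dmz", "wan", terminal, processor, syn=True)),            # terminal dials out
        fw.handle(Packet("wan", "dmz", processor, terminal)),                      # processor replies
        fw.handle(Packet("wan", "dmz", "198.51.100.7:40000", terminal, syn=True)), # unsolicited inbound
        fw.handle(Packet("dmz", "lan", terminal, office_pc, syn=True)),            # terminal -> LAN blocked
        fw.handle(Packet("lan", "wan", office_pc, "203.0.113.20:443", syn=True)),  # office PC browsing
    ]


if __name__ == "__main__":
    print(demo())
```

The "ALLOW:established" decision only exists because the terminal sent the first packet; an attacker on the Internet cannot create that state, and the DMZ-to-LAN drop is what keeps the office network out of PCI scope.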
  12. tspear

    tspear Line Up and Wait

    A single CC POS machine will not hit PCI requirements.
    Instead the merchant processor will require some basic protections, and likely want you to go to EMV and avoid the future PCI requirements.

    Tim
     
  13. EricVKX

    EricVKX Pre-Flight

    That certainly could be the case, but every merchant and processor is different. I have clients that are required by their processor to meet certain sections even with one terminal. It all depends on the processor requirements; lots of variables, the big ones being how much $ is flowing and the number of transactions.

    The post is mainly a recommendation to follow up on what you have signed off on. I've heard of merchants being on the hook for thousands of dollars because they said they complied with something but didn't, due to ignorance.
     
  14. sferguson524

    sferguson524 Cleared for Takeoff

    True!
     
  15. JGoodish

    JGoodish Cleared for Takeoff

    There have to be tens of thousands of CC terminals out there that aren’t behind firewalls. Heck, go to a craft/trade show and look at all the terminals running over cellular or local WiFi networks. I don’t know how IP terminals work, but I would assume that the transmission is encrypted and therefore isolated regardless of the connection medium.

    If I was a small operation with a single CC terminal, the PCI police would likely be the least of my worries. Securing the rest of my network (and data) would be of much greater concern.


    JKG
     
  16. John221us

    John221us En-Route PoA Supporter

    Somewhat true, but recently the processors are making you fill out self-audits, or they charge you an additional fee for the higher risk (like $20 a month). It is probably just an angle to tack on an additional fee, but my GF got hit with that on her retail business (not the POS system, which is subscription based, but the online reservation system) because we couldn't meet the terms of the audit (it isn't even practical, considering the low volume of business and the cost it would take to implement the remediations).
     
  17. Skyrys62

    Skyrys62 Cleared for Takeoff

    We do maybe 5 to 10 CC transactions per month - only on dial-up....and still have to self audit/comply with PCI regs.
    If you REALLY comply, it's a pain, especially at first. Then the yearly audits get a little easier as you have all the BS taken care of.

    The phone lines are already in place and add no cost, so we chose that over IP terminals, which have a more aggressive audit/control procedure.

    SAQ-B vs. SAQ-IP

    if anyone cares:
    https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf?agreement=true