Point-of-Sale security
on 23.01.2007 06:23:53 by Dig
Hi.
I've been tasked with setting up a POS (Point-of-Sale) system for a
small restaurant. The POS will consist of 5 terminals and a server (all
WinXP-Pro), all networked together.
I would like to completely isolate the 5 terminals from the Internet.
Also I would like to allow only very limited Internet access to/from the
server, 1) for credit card authorization and 2) for remote access (e.g.
RAdmin).
I am thinking that one way to accomplish this would be to have a "local"
switch connecting all 5 terminals and the server, thereby securing the
terminals. Then I would install a second NIC in the server and have it
connected to an "Internet facing" switch connected to a router
(connected to a DSL modem). I would then use the router's firewall to
block all traffic to the server except those aforementioned.
A) Would this work? If so, are there any particular features my router
would need, or can they all do this?
B) Is there a better / easier way to accomplish my goal, perhaps without
needing the extra switch and NIC?
Please be gentle, this level of networking is mostly new to me.
Thanks!
Dale
Re: Point-of-Sale security
on 23.01.2007 11:03:23 by Volker Birk
Dale I. Green wrote:
> I would like to completely isolate the 5 terminals from the Internet.
Pull the plug.
> Also I would like to allow only very limited Internet access to/from the
> server, 1) for credit card authorization and 2) for remote access (e.g.
> RAdmin).
This is an oxymoron now. You will not manage to do what you want. The
best compromise will be: don't route into the net on the server, and
filter anything with the exception of the needed services on the server.
> I am thinking that one way to accomplish this would be to have a "local"
> switch connecting all 5 terminals and the server, thereby securing the
> terminals. Then I would install a second NIC in the server and have it
> connected to an "Internet facing" switch connected to a router
> (connected to a DSL modem). I would then use the router's firewall to
> block all traffic to the server except those aforementioned.
Yes. Do so.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Re: Point-of-Sale security
on 23.01.2007 11:42:52 by Mak
Dale I. Green wrote:
> Hi.
>
> I've been tasked with setting up a POS (Point-of-Sale) system for a
> small restaurant. The POS will consist of 5 terminals and a server (all
> WinXP-Pro), all networked together.
>
> I would like to completely isolate the 5 terminals from the Internet.
Keep in mind that they will need at least temporary Internet access, e.g. for updates, patches etc.
M
Re: Point-of-Sale security
on 23.01.2007 12:08:39 by Dig
mak wrote in
news:1169548806.93913@nntpcache01.si.eunet.at:
> Keep in mind that they will need at least temporary Internet access,
> e.g. for updates, patches etc.
>
> M
>
Yes, thank you. I was thinking I could occasionally (monthly? / as
needed?) apply patches to the terminals either by temporarily connecting
the "local" switch to the Internet or by downloading patches to the
server then pushing them out to the terminals.
Re: Point-of-Sale security
on 23.01.2007 12:59:50 by Dig
VB, Thank you for your input. I assume by your comments that you
consider my goals to be naive but that you think my overall approach is
solid. Is that right?
>> Also I would like to allow only very limited Internet access to/from
>> the server, 1) for credit card authorization and 2) for remote access
>> (e.g. RAdmin).
>
> This is an oxymoron now. You will not manage to do what you want. The
> best compromise will be: don't route into the net on the server, and
> filter anything with the exception of the needed services on the
> server.
What do you mean by "don't route into the net on the server"? Also, by
"filter" do you mean using the hardware router, a software firewall, or
something else?
Kind regards,
Dale
Re: Point-of-Sale security
on 23.01.2007 13:22:03 by unknown
Post removed (X-No-Archive: yes)
Re: Point-of-Sale security
on 23.01.2007 17:01:44 by Ansgar -59cobalt- Wiechers
Dale I. Green wrote:
> VB, Thank you for your input. I assume by your comments that you
>> This is an oxymoron now. You will not manage to do what you want. The
>> best compromise will be: don't route into the net on the server, and
>> filter anything with the exception of the needed services on the
>> server.
>
> What do you mean by "don't route into the net on the server"? Also,
> by "filter" do you mean using the hardware router, a software
> firewall, or something else?
You'll probably want something like this:
Internet
|
Firewall
| e.g. 10.23.0.2/30
|
| e.g. 10.23.0.1/30
Server
| e.g. 192.168.0.1/29
|
+- Client
+- Client
+- Client
+- Client
`- Client
Server has two NICs and does not route between those interfaces. Harden
the server and restrict physical access to it (see e.g. [1,2]).
Firewall does packet filtering, NAT and port-forwarding to those
services on the server that must be accessible from the outside (e.g.
remote access). You may want to consider allowing remote access only
through a VPN instead of forwarding ports for remote access, in which
case the firewall device must also be a VPN endpoint.
Lock down the clients, too.
[1] http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx
[2] http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID=scg10.3.1.1
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Point-of-Sale security
on 23.01.2007 21:42:51 by John Mason Jr
Dale I. Green wrote:
> Hi.
>
> I've been tasked with setting up a POS (Point-of-Sale) system for a
> small restaurant. The POS will consist of 5 terminals and a server (all
> WinXP-Pro), all networked together.
>
> I would like to completely isolate the 5 terminals from the Internet.
> Also I would like to allow only very limited Internet access to/from the
> server, 1) for credit card authorization and 2) for remote access (e.g.
> RAdmin).
>
> I am thinking that one way to accomplish this would be to have a "local"
> switch connecting all 5 terminals and the server, thereby securing the
> terminals. Then I would install a second NIC in the server and have it
> connected to an "Internet facing" switch connected to a router
> (connected to a DSL modem). I would then use the router's firewall to
> block all traffic to the server except those aforementioned.
>
> A) Would this work? If so, are there any particular features my router
> would need, or can they all do this?
>
> B) Is there a better / easier way to accomplish my goal, perhaps without
> needing the extra switch and NIC?
>
> Please be gentle, this level of networking is mostly new to me.
> Thanks!
>
> Dale
Since you are dealing with a network that has CC data,
I would start with a detailed description of what each machine is
required to do to perform its tasks.
Remove anything from the machines that isn't required; only add network
access as required.
Build in strong authentication & authorization methods for remote access,
and local access.
John
Re: Point-of-Sale security
on 24.01.2007 03:59:07 by Dig
Leythos wrote in
news:MPG.201fc7f9b1e6380698984e@adfree.Usenet.com:
> In article ,
> dig@notmail.com says...
>> VB, Thank you for your input. I assume by your comments that you
>> consider my goals to be naive but that you think my overall approach
>> is solid. Is that right?
>>
>> >> Also I would like to allow only very limited Internet access
>> >> to/from the server, 1) for credit card authorization and 2) for
>> >> remote access (e.g. RAdmin).
>> >
>> > This is an oxymoron now. You will not manage to do what you want.
>> > The best compromise will be: don't route into the net on the
>> > server, and filter anything with the exception of the needed
>> > services on the server.
>>
>> What do you mean by "don't route into the net on the server"? Also,
>> by "filter" do you mean using the hardware router, a software
>> firewall, or something else?
>
> You need a real firewall appliance and then you setup only the access
> that you want to permit - do not confuse a NAT Router as a firewall
>
> With a real firewall appliance you can setup a IPSec client to allow
> you to remotely connect to the firewall itself, then from a rule in
> the firewall, your authenticated user can remotely admin the server.
>
> You can also allow outbound to the credit card processing facility and
> block all other access.
>
Leythos, Thank you!
Does "IPSec" imply VPN?
Could you suggest a firewall appliance which would be suitable? I
checked newegg and the best rated firewall is the NETGEAR FR114P. Would
this be a good choice?
Finally, would you still recommend using 2 switches, a "local" and an
"Internet facing"?
Thanks again. I appreciate your advice.
Kind regards,
Dale
Re: Point-of-Sale security
on 24.01.2007 04:18:50 by Dig
Ansgar -59cobalt- Wiechers wrote in
news:51mpr8F1hninpU1@mid.individual.net:
> You'll probably want something like this:
>
> Internet
> |
> Firewall
> | e.g. 10.23.0.2/30
> |
> | e.g. 10.23.0.1/30
> Server
> | e.g. 192.168.0.1/29
> |
> +- Client
> +- Client
> +- Client
> +- Client
> `- Client
>
> Server has two NICs and does not route between those interfaces.
> Harden the server and restrict physical access to it (see e.g. [1,2]).
>
> Firewall does packet filtering, NAT and port-forwarding to those
> services on the server that must be accessible from the outside (e.g.
> remote access). You may want to consider allowing remote access only
> through a VPN instead of forwarding ports for remote access, in which
> case the firewall device must also be a VPN endpoint.
>
Thank you Ansgar.
I assume by default routing is disabled between NICs, yes?
Also, if I choose to use VPN, would that simplify my firewall config?
Kind regards,
Dale
Re: Point-of-Sale security
on 24.01.2007 04:18:58 by unknown
Post removed (X-No-Archive: yes)
Re: Point-of-Sale security
on 24.01.2007 04:23:48 by Dig
John Mason Jr wrote in
news:12rcsqf4nspqve7@news.supernews.com:
> Since you are dealing with a network that has CC data,
>
>
> I would start with a detailed description of what each machine is
> required to do to perform its tasks.
>
> Remove anything from the machines that isn't required; only add network
> access as required.
>
> Build in strong authentication & authorization methods for remote access,
> and local access.
>
> John
Thank you John.
Re: Point-of-Sale security
on 24.01.2007 04:51:58 by Dig
Leythos wrote in
news:MPG.20209a2a4006469198985a@adfree.Usenet.com:
> https://www.watchguard.com/products/x750e.asp
> These things are not cheap, but you need to consider how much it would
> cost if you have your users CC information stolen from your servers.
Wow!
I understand what you're saying. I think I need to go back and see what
our exposure actually is. I'm not even sure if any CC data is ever
stored unencrypted on the system; it might be, but I can't think of any
reason it would need to be.
Practically, I don't see how we could afford this level of security,
especially from an expertise standpoint. The restaurant is a seasonal
mom-n-pop quick-service (window) shop. i.e. The budget is tight.
That said, I'll discuss this with the owner.
I really appreciate your help.
Kind regards,
Dale
Re: Point-of-Sale security
on 24.01.2007 05:05:08 by lynn
"Dale I. Green" writes:
> Practically, I don't see how we could afford this level of security,
> especially from an expertise standpoint. The restaurant is a seasonal
> mom-n-pop quick-service (window) shop. i.e. The budget is tight.
Latest Breach May Force a New Approach to Data Security
http://www.digitaltransactions.net/newsstory.cfm?newsid=1226
from above:
In a research note she was preparing for Gartner clients on Monday,
Litan says, Gartner believes that it's impractical for the card
industry to expect up to 5 million retailers to become security
experts and change their systems to fix security holes. It's time for
the banks to own up to the problem and accept responsibility. They
must make changes to the payment system so that, even if data are
stolen, the data are useless to the thieves.
.... snip ...
somewhat related thread here
http://www.garlic.com/~lynn/2007c.html#38 Securing financial transactions a high priority for 2007
above reply to somebody's comment about the Gartner article:
Sounds obvious to me. Sam & Ella's coffee shop cannot afford to hire a
security expert.
.... snip ...
and old post about security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61
Re: Point-of-Sale security
on 24.01.2007 10:55:48 by Volker Birk
Dale I. Green wrote:
> VB, Thank you for your input. I assume by your comments that you
> consider my goals to be naive but that you think my overall approach is
> solid. Is that right?
No, I did not want to say that your approach is naive, sorry.
> What do you mean by "don't route into the net on the server"?
Don't route at all on the server. Don't do packet forwarding.
> Also, by
> "filter" do you mean using the hardware router, a software firewall, or
> something else?
It does not matter how you're filtering. But filter anything with the
exception of the needed services.
You could do this with a host based packet filter or additionally with a
filtering device before the server.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Re: Point-of-Sale security
on 24.01.2007 12:47:39 by unknown
Post removed (X-No-Archive: yes)
Re: Point-of-Sale security
on 24.01.2007 14:05:26 by Dig
Leythos wrote in
news:MPG.2021116934bf66cc98985d@adfree.Usenet.com:
>> I understand what you're saying. I think I need to go back and see
>> what our exposure actually is. I'm not even sure if any CC data is
>> ever stored unencrypted on the system; it might be, but I can't think
>> of any reason it would need to be.
>
> If the CC information is stored, well, it's something that can be
> decrypted by some means, or there is no reason to store it.
I should have simply stated that I'm not sure if any CC data is stored
on the system. It seems to me, once a transaction is approved, and an
approval code issued, the CC number itself is no longer needed. I've
forwarded the question to our POS software vendor.
>> Practically, I don't see how we could afford this level of security,
>> especially from an expertise standpoint. The restaurant is a
>> seasonal mom-n-pop quick-service (window) shop. i.e. The budget is
>> tight.
>
> Why do you need something like you described for that type of business
> - a simple QuickBooks POS terminal and a credit card swiper with a CC
> service would handle all that you need.
Hmmmmm... The QuickBooks POS is very similar to what we're using. (We
actually looked at the QuickBooks, but found it to be a poor choice for
a restaurant.) What did I say which implied otherwise? What is it
about the QuickBooks POS system which eliminates security concerns? Now
I'm really confused...
Re: Point-of-Sale security
on 24.01.2007 14:35:20 by unknown
Post removed (X-No-Archive: yes)
Re: Point-of-Sale security
on 24.01.2007 15:14:24 by Dig
Leythos wrote in
news:MPG.20212a9fd2f06257989862@adfree.Usenet.com:
> Based on your initial description it's hard to tell what you're
> looking at, other than POS XP and database. No clear definition of
> your using a packaged solution, and you seem to indicate a home grown
> solution.
> Nothing eliminates the security concerns, but, do you really think
> that they would develop a solution that they sell to tens of thousands
> of customers that would leave them wide open?
>
> I would be willing to bet that they've got all the bases covered and
> also offer recommendations on firewall solutions.
>
> The big difference in purchasing a package is that the parts are
> already designed to be connected, to be secured, to work with each
> other, to provide support, and you don't have to wonder about database
> connections or how to properly secure them.
>
I guess that I should have included more details in my initial post. In
any case, we are using a COTS POS software (Aldelo) running on COTS
hardware (Mercury/DigiCom). Maybe I am trying to over-architect the
security, but I thought it would be a good idea to isolate the system as
much as reasonably possible. In my experience, the POS vendors simply
show the firewall as a black-box and offer no detail, probably to avoid
any future culpability.
Browsing POS related forums, it seems most businesses similar to ours
are simply using residential routers with no more security than one
would find in a typical home network. Given the amount of malware
infected machines I regularly see, I felt this was insufficient.
Kind regards,
Dale
Re: Point-of-Sale security
on 24.01.2007 15:52:12 by unknown
Post removed (X-No-Archive: yes)
Re: Point-of-Sale security
on 24.01.2007 17:28:19 by Ansgar -59cobalt- Wiechers
Dale I. Green wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> You'll probably want something like this:
>>
>> Internet
>> |
>> Firewall
>> | e.g. 10.23.0.2/30
>> |
>> | e.g. 10.23.0.1/30
>> Server
>> | e.g. 192.168.0.1/29
>> |
>> +- Client
>> +- Client
>> +- Client
>> +- Client
>> `- Client
>>
>> Server has two NICs and does not route between those interfaces.
>> Harden the server and restrict physical access to it (see e.g. [1,2]).
>>
>> Firewall does packet filtering, NAT and port-forwarding to those
>> services on the server that must be accessible from the outside (e.g.
>> remote access). You may want to consider allowing remote access only
>> through a VPN instead of forwarding ports for remote access, in which
>> case the firewall device must also be a VPN endpoint.
>
> I assume by default routing is disabled between NICs, yes?
Yes.
> Also, if I choose to use VPN, would that simplify my firewall config?
Most likely, if you terminate the VPN on the router. However, without
knowing your exact requirements I can't give you a definitive answer
here.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Point-of-Sale security
on 26.01.2007 14:50:39 by Dig
Leythos wrote in
news:MPG.20213c9a3be5aff0989863@adfree.Usenet.com:
>> Browsing POS related forums, it seems most businesses similar to ours
>> are simply using residential routers with no more security than one
>> would find in a typical home network. Given the amount of malware
>> infected machines I regularly see, I felt this was insufficient.
>
> I've seen that type of solution before, and it works, UNTIL.
>
> As a person that designs secure networks for many different levels of
> business and different markets, mainly Medical, I can only do my part
> by making you aware of the issues and hope that you determine that a
> firewall, not a pretend one, is worth its weight in gold to you and
> your customers.
Would you recommend the DFL-200/700 as a compromise? (I saw you
recommended the DFL-700 in another thread.)
> If you have a database for your POS system you need to isolate it
> completely from the POS machines, except for the specific ports that
> the data connection needs.
>
Why? Malware?
Kind regards,
Dale
Re: Point-of-Sale security
on 26.01.2007 15:16:31 by unknown
Post removed (X-No-Archive: yes)
Re: Point-of-Sale security
on 26.01.2007 16:15:36 by Dig
Leythos wrote in
news:MPG.2023d74de9142ca3989893@adfree.Usenet.com:
> I thought it was funny that you asked me if I thought the DFL was a
> good "Compromise" when we're talking about compromising networks :)
Poor word choice on my part! :)
Ideally, our system would be 100% secure. The practical reality however
is that we have a budget (money & time & expertise) and we need to do
the best we can. You could argue (and I'm guessing you will) that our
budget is too small for the task, and you may be correct. Nevertheless,
it's mostly fixed and I'm caught in the middle trying to put something
together.
I want to thank you, Leythos, and everyone else for contributing to this
thread. I'm still not sure what to do, but at least now I have some
information to chew on (yum!).
Dale
Re: Point-of-Sale security
on 26.01.2007 16:22:56 by Leythos
In article ,
dig@notmail.com says...
> Leythos wrote in
> news:MPG.2023d74de9142ca3989893@adfree.Usenet.com:
>
> > I thought it was funny that you asked me if I thought the DFL was a
> > good "Compromise" when we're talking about compromising networks :)
>
>
> Poor word choice on my part! :)
>
> Ideally, our system would be 100% secure. The practical reality however
> is that we have a budget (money & time & expertise) and we need to do
> the best we can. You could argue (and I'm guessing you will) that our
> budget is too small for the task, and you may be correct. Nevertheless,
> it's mostly fixed and I'm caught in the middle trying to put something
> together.
>
> I want to thank you, Leythos, and everyone else for contributing to this
> thread. I'm still not sure what to do, but at least now I have some
> information to chew on (yum!).
You didn't mention what type of database - if you are using something
like a file access based database (like MS Access) then you can't do
much, as the file sharing ports would kill your security. If you are
using MS SQL, Oracle, MySQL, you can do it based on ports, and that's
going to give you control over security.
Just remember, don't use Windows Authentication if you don't have to as
a requirement, use SQL authentication.
If you can't afford a full firewall, the DFL-700 will be your best
choice if you were considering the NAT Routers claiming to be firewalls.
I am not responsible for any security issues if you use that method.
--
spam999free@rrohio.com
remove 999 in order to email me
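Putting the thread's advice together (Ansgar's two-NIC layout with no forwarding on the server, Volker's host-based filter that admits only needed services, and Leythos' point that terminals should reach the database port only, never file sharing), here is an added policy model; it is not code from any poster in the thread. It assumes HTTPS (TCP 443) to a placeholder processor address, an assumed VPN client pool terminated on the firewall, RAdmin's default TCP port 4899 and MS SQL's default TCP port 1433.

```python
"""Policy model for the layout discussed in the thread: a perimeter firewall,
a server with two NICs that never forwards between them, and five terminals
on an inner subnet. All flows are constructed; nothing touches a real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TERMINALS    = ip_network("192.168.0.0/29")    # inner subnet from Ansgar's diagram
SERVER_INNER = ip_network("192.168.0.1/32")    # server NIC facing the terminals
SERVER_OUTER = ip_network("10.23.0.1/32")      # server NIC facing the firewall
CC_PROCESSOR = ip_network("203.0.113.10/32")   # PLACEHOLDER (TEST-NET-3), not a real processor
VPN_CLIENTS  = ip_network("10.99.0.0/24")      # assumed pool the firewall's VPN hands out
SERVER_FORWARDS = False                         # "does not route between those interfaces"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Rule = (action, src_net, dst_net, proto, dport or None); first match wins.
# Perimeter firewall: only CC authorization out (assumed HTTPS) and RAdmin in
# from authenticated VPN peers (RAdmin's default TCP port is 4899).
PERIMETER = [
    ("allow", SERVER_OUTER, CC_PROCESSOR, "tcp", 443),
    ("allow", VPN_CLIENTS, SERVER_OUTER, "tcp", 4899),
]
# Host-based filter on the server: terminals may reach the database port only
# (MS SQL default 1433), never SMB/file sharing; RAdmin only from the VPN pool.
SERVER_HOST = [
    ("allow", TERMINALS, SERVER_INNER, "tcp", 1433),
    ("allow", VPN_CLIENTS, SERVER_OUTER, "tcp", 4899),
]


def decide(rules, flow):
    """Return the first matching rule's action; unmatched flows are denied."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for action, src_net, dst_net, proto, dport in rules:
        if (src in src_net and dst in dst_net and proto == flow.proto
                and dport in (None, flow.dport)):
            return action
    return "deny"


def evaluate(flow):
    """Walk the flow along the diagram; return (verdict, stage that decided)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    from_terminal = src in TERMINALS
    to_server = dst in SERVER_INNER or dst in SERVER_OUTER
    if from_terminal and not to_server and not SERVER_FORWARDS:
        # Leaving the inner subnet would need the server to forward packets
        # between its NICs, which is switched off, so the flow dies there.
        return "deny", "server does not forward"
    if not (from_terminal and to_server):
        # Anything other than terminal<->server traffic crosses the firewall.
        if decide(PERIMETER, flow) == "deny":
            return "deny", "perimeter firewall"
    if to_server:
        return decide(SERVER_HOST, flow), "server host filter"
    return "allow", "perimeter firewall"


if __name__ == "__main__":
    for f in (Flow("192.168.0.2", "198.51.100.7", "tcp", 80),    # terminal -> Internet
              Flow("10.23.0.1", "203.0.113.10", "tcp", 443),     # server -> CC processor
              Flow("198.51.100.7", "10.23.0.1", "tcp", 4899),    # Internet -> RAdmin, no VPN
              Flow("10.99.0.5", "10.23.0.1", "tcp", 4899),       # VPN peer -> RAdmin
              Flow("192.168.0.3", "192.168.0.1", "tcp", 445)):   # terminal -> SMB on server
        print(f, "->", evaluate(f))
```

Running the block lists each constructed flow with the verdict and the stage that produced it, which is a quick way to check a proposed rule set against the flows the thread says must and must not work.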