Windows Firewall
-
@obsolesce said in Windows Firewall:
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" Im a support tech for POS across the US in Restaurants.
So, this could be a wide-spread thing across many restaurants in the U.S....
I'd definitely be taking this up the ladder.
Could be? LOL most definitely IS!
-
@wrcombs said in Windows Firewall:
From our Guides:
Configuring the Windows Network
ā¢ Install an up to date operating system on all computers in the Aloha network, such as Windows
XP, or Windows Server 2003.
ā¢ Establish a network firewall that includes a firewall device, such as a router, between the Aloha
network and the Internet. Install firewall software on each computer in the network, or enable
and configure the Windows firewall.That's a pretty bad guide and STILL better than what the boss said, lol.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" Im a support tech for POS across the US in Restaurants.
We didn't think that you were. I thought that he said that your boss was the Junior Admin.
I was calling Wr a junior admin because I had no clue what his title was.
-
@dashrender said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" Im a support tech for POS across the US in Restaurants.
We didn't think that you were. I thought that he said that your boss was the Junior Admin.
I was calling Wr a junior admin because I had no clue what his title was.
OH!!! You responded as if the Junior Admin was his boss, because it was his boss I was questioning. And given his job role, Admin doesn't fit, so it never occurred to me you were implying him.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
I am not a "Junior Admin" Im a support tech for POS across the US in Restaurants.
We didn't think that you were. I thought that he said that your boss was the Junior Admin.
The "Job title" held by my boss is Direct supervisor for PoS tech support, it's very much possible that this is set up above him and he never asked questions, I on the other hand, having learned from @Dashrender and my Dad, I thought it was weird we turned windows firewall off, and I ask questions, Hence the post, I don't believe that my boss is knowingly and blanatly cuasing a possibile breach. I think it's a fair assumption that he does what the vendor tells us to do, or he was taught wrong.
My curiosity of why it wouldn't work has now turned into a Much bigger deal than I originally thought it to be. So I thank you for bring it to my attention, definitely will be looking into this more.
-
@wrcombs said in Windows Firewall:
I don't believe that my boss is knowingly and blanatly cuasing a possibile breach
It seems like he is... I could ask anyone (outside of IT even) what it means to turn off a firewall or if it's good or bad to do it... and I'm sure most would say it's bad.
I doubt he is 100% clueless given he's a tech support supervisor, so this means not only does he know what it means to have a firewall turned off, he's actively telling people to do it, and ignoring all aspects of it.
-
@wrcombs said in Windows Firewall:
The "Job title" held by my boss is Direct supervisor for PoS tech support, it's very much possible that this is set up above him and he never asked questions....
So this is where we get into a bunch of questions like...
- Is he responsible for asking questions?
- Is he responsible for anything involving basic security and practices that put customers at risk?
- Is breaching PCI and other regulations okay even if you are told to do so?
- Is repeating a lie as if it were true acceptable, when it is known that it can't reasonably be true?
I think point 4 is the main one. If HE told you the BS reasons for why things are the way that they are, he risks having grabbed hold of the hot potato even if he didn't have it before.
-
@wrcombs said in Windows Firewall:
My curiosity of why it wouldn't work has now turned into a Much bigger deal than I originally thought it to be. So I thank you for bring it to my attention, definitely will be looking into this more.
It's a bit like asking "should these prisoners under the warden's nose" be allowed to run a heroin market?
Um.....
-
@wrcombs said in Windows Firewall:
I think it's a fair assumption that he does what the vendor tells us to do, or he was taught wrong.
Well, working in IT means that doing "what the vendor says" is no excuse. That's like driving over pedestrians and claiming "the car maker said it was okay". That's not how it works, the rules for operating a car have zero dependency on manufacturer statements.
If he was taught wrong, this goes against all industry education, best practices, and common sense. It means he's not been taught up to the most minimal standards and is pretty hard to overlook.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
The "Job title" held by my boss is Direct supervisor for PoS tech support, it's very much possible that this is set up above him and he never asked questions....
So this is where we get into a bunch of questions like...
- Is he responsible for asking questions?
- Is he responsible for anything involving basic security and practices that put customers at risk?
- Is breaching PCI and other regulations okay even if you are told to do so?
- Is repeating a lie as if it were true acceptable, when it is known that it can't reasonably be true?
I think point 4 is the main one. If HE told you the BS reasons for why things are the way that they are, he risks having grabbed hold of the hot potato even if he didn't have it before.
I honestly have no clue. I wish I had a better explanation.
I Just wasnt sure what the reasoning surronding the non useSo even though we provide hardware Firewalls to every site its still a problem?
Im sure that question will come up -
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
So there are two ways to look at this. But simply, yes.
-
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
-
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
Second Way:
This is a ridiculous bit of misdirection that implies that there is some case where there isn't a hardware firewall at the edge of the network. A statement like this would be used only to trick someone into thinking that not having that firewall is an option, it is not. There is no way to not have a firewall there.
We had a thread about this maybe a month ago. Router and firewall are synonymous terms in the real world since the early 1990s. You can't get a router that isn't a firewall, you can't get a firewall that isn't a router. Sure, the routing functions and the firewall functions are mostly different aspects of the same device, but they are always the same device.
In order to "have a network" you must have a firewall. So the very existence of ANY Windows system has the assumption that there is a firewall there because, essentially, there has to be. How could the network exist otherwise? So the very idea that having provided a hardware firewall is "something special" and would somehow negate the need for something else makes no sense.
This tells us that someone making that statement either doesn't know what a firewall is or is trying to mislead us.
Imagine if we were discussing water (Windows Firewall) and food (hardware firewall) and your life mentor just explained to you the importance of water and you responded with "do we still need water, even if we have provided food?"
What? Of course you still need water, providing food is necessary, of course, but when we said you need water to live, we weren't implying that you don't need food. That all living things need food was a base assumption that we shouldn't have needed to mention. That's where we are here.
When someone explains that the Windows Firewall is needed, that's always in the context, or essentially so, that a hardware firewall is already there. This assumption is so obvious that no one realizes that it needs to be stated because it's nonsensical to think otherwise. But people trying to pull a fast one sometimes rely on this assumption to act as if it might be viable to have another case and try to use the necessity of the situation as a smoke screen for pretending that the Windows firewall might exist for some use case that really doesn't exist.
-
You may not want to hear this but if you don't have your protections turned on, you'll eventually have major PCI compliance issues. By the middle of 2020, if your outfit is found to not be in compliance, the regulators (if they find out) will literally shut off your credit / debit card processing. You'll be cash only until you correct this. And, if you have multiple violations, you'll also be fined in graduating levels.
Also, your credit card processor, your franchiser (if you are part of a franchise), even your vendors may and have the right to ask for your compliance proof.
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
Keep after this with your higher ups. They'll see the light eventually.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
I understand what you're saying, but i would like to point out, that we dont use edge routers, we have a variety of cisco and linksys switches and provide sonic walls to every site (I believe because everyones that has called in talks about the sonic wall).
-
@scotth said in Windows Firewall:
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
I think that you mean draconian.
-
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
I understand what you're saying, but i would like to point out, that we dont use edge routers, we have a variety of cisco and linksys switches and provide sonic walls to every site (I believe because everyones that has called in talks about the sonic wall).
Those are all edge routers. You can't not use them, it's effectively impossible. Sonic Walls are just cheap crappy edge routers.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
I understand what you're saying, but i would like to point out, that we dont use edge routers, we have a variety of cisco and linksys switches and provide sonic walls to every site (I believe because everyones that has called in talks about the sonic wall).
Those are all edge routers. You can't not use them, it's effectively impossible. Sonic Walls are just expensive crappy edge routers.
fixed.
-
@scottalanmiller said in Windows Firewall:
@scotth said in Windows Firewall:
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
I think that you mean draconian.
I don't mean to make anyone paranoid.... actually I do.
PCI compliance isn't something to fluff off.
If you're operating a POS and take credit and / or debit cards, you need all of your protections in place and verifiable, subject to audit.Processors will warn, will shut off, will fine a retailer. Why risk a retail outlet over a little effort?
All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.
Good Luck
-
@scotth said in Windows Firewall:
All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.
Over spend much?
