Unrouted Wireless Network setup
-
@WrCombs said in Unrouted Wireless Network setup:
Or, upgrade their switch entirely to a bigger switch with more ports, to add the APs to it directly without the need to jumper the 2 switches together.
This mostly depends on traffic patterns and budget. Adding a switch is cheaper, but slower, than replacing with a bigger switch. But rarely does it matter.
-
@scottalanmiller said in Unrouted Wireless Network setup:
What's the reason for wanting to be unrouted? I assume that this actually means "no Internet access". Without Internet access, how will they patch their systems? I can only guess that they want to do this for security reasons, but I'm not sure being offline to the Internet, but without live standard patching, will be better because they will be being attacked from the LAN anyway.
The main reason for unrouted is that the APs will be running tablets as terminals on the POS side of the network, which we have set up as unrouted through a second NIC on the server.
We don't want tablets to have internet access, the same way the terminals can't get to the internet.
-
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
My initial thought is: have the site purchase a switch (or supply a switch), plug all APs into that switch, and plug that switch into the unrouted switch for the POS.
Even if the VLAN isn't routed, the switch should be, for management, support, and patching.
That would have to be set up differently.
Because we aren't using VLANs. We use dumb plug-and-play switches, for convenience's sake.
-
@WrCombs said in Unrouted Wireless Network setup:
@scottalanmiller said in Unrouted Wireless Network setup:
What's the reason for wanting to be unrouted? I assume that this actually means "no Internet access". Without Internet access, how will they patch their systems? I can only guess that they want to do this for security reasons, but I'm not sure being offline to the Internet, but without live standard patching, will be better because they will be being attacked from the LAN anyway.
The main reason for unrouted is that the APs will be running tablets as terminals on the POS side of the network, which we have set up as unrouted through a second NIC on the server.
We don't want tablets to have internet access, the same way the terminals can't get to the internet.
What's the security process to keep them patched and PCI compliant? Tablets generally require Internet access to be viable.
-
@WrCombs said in Unrouted Wireless Network setup:
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
My initial thought is: have the site purchase a switch (or supply a switch), plug all APs into that switch, and plug that switch into the unrouted switch for the POS.
Even if the VLAN isn't routed, the switch should be, for management, support, and patching.
That would have to be set up differently.
Because we aren't using VLANs. We use dumb plug-and-play switches, for convenience's sake.
So no management at all? That seems very risky for an unpatched network. While it's not impossible to do, does this mean that you have no monitoring, and that the APs, as well as the tablets, are unpatched but exposed to anyone who walks nearby?
-
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
@scottalanmiller said in Unrouted Wireless Network setup:
What's the reason for wanting to be unrouted? I assume that this actually means "no Internet access". Without Internet access, how will they patch their systems? I can only guess that they want to do this for security reasons, but I'm not sure being offline to the Internet, but without live standard patching, will be better because they will be being attacked from the LAN anyway.
The main reason for unrouted is that the APs will be running tablets as terminals on the POS side of the network, which we have set up as unrouted through a second NIC on the server.
We don't want tablets to have internet access, the same way the terminals can't get to the internet.
What's the security process to keep them patched and PCI compliant? Tablets generally require Internet access to be viable.
I'm confused...
The tablets are terminals, just more compact.
So what would a Windows 10 tablet need internet for if it acts just like its Windows 10 cousin, the terminal?
-
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
My initial thought is: have the site purchase a switch (or supply a switch), plug all APs into that switch, and plug that switch into the unrouted switch for the POS.
Even if the VLAN isn't routed, the switch should be, for management, support, and patching.
That would have to be set up differently.
Because we aren't using VLANs. We use dumb plug-and-play switches, for convenience's sake.
So no management at all? That seems very risky for an unpatched network. While it's not impossible to do, does this mean that you have no monitoring, and that the APs, as well as the tablets, are unpatched but exposed to anyone who walks nearby?
The APs are typically locked down by MAC address or IP filtering.
What do you mean "management"? Like, are we updating firmware/APs?
No, because we don't support APs. We are not in networking, we are in point of sale.
The APs go through someone completely different.
My customer asked me to look into what will be needed, and here I am, trying to give my customer the best answer as to what it will take for their system to be able to run tablets.
-
@WrCombs said in Unrouted Wireless Network setup:
The APs are typically locked down by MAC address or IP filtering.
That's not really locked down. That's classified as "no security" because anyone can just sniff the working MACs and use them. To someone honestly trying to get in, it's like having a screen door in front of your main door, with no lock on the screen. Even a good wind will open it.
-
@WrCombs said in Unrouted Wireless Network setup:
What do you mean "management"? Like, are we updating firmware/APs?
That, but also watch for bad traffic or deal with networking issues. How can you tell which AP is doing what it should if you can't look at them?
-
@WrCombs said in Unrouted Wireless Network setup:
My customer asked me to look into what will be needed, and here I am, trying to give my customer the best answer as to what it will take for their system to be able to run tablets.
That's what I'm trying to answer. I think that they should step back and consider the need for PCI, security, and management. It'll lower costs while providing better results.
-
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
What do you mean "management"? Like, are we updating firmware/APs?
That, but also watch for bad traffic or deal with networking issues. How can you tell which AP is doing what it should if you can't look at them?
The APs' working/security/management is on whoever the customer decides they want to bring in to set up their network to add the tablets.
-
@WrCombs said in Unrouted Wireless Network setup:
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
What do you mean "management"? Like, are we updating firmware/APs?
That, but also watch for bad traffic or deal with networking issues. How can you tell which AP is doing what it should if you can't look at them?
The APs' working/security/management is on whoever the customer decides they want to bring in to set up their network to add the tablets.
Okay, but that'll make for one hefty contract, because they'll need them to engineer solutions for security in that environment. It's doable, but not something you'd ever expect a hospitality business to be willing (or able) to afford, because this means taking something that is simple and almost free to secure normally, and making it into something extremely complex and niche.
I'm not saying it can't be done. I'm saying that it's not reasonable for the situation, and it's a total guarantee that once they realize what it takes, they will refuse to do it. Dollars to donuts, not one restaurant, bar, or hotel in America does this today.
-
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
Or, upgrade their switch entirely to a bigger switch with more ports, to add the APs to it directly without the need to jumper the 2 switches together.
This mostly depends on traffic patterns and budget. Adding a switch is cheaper, but slower, than replacing with a bigger switch. But rarely does it matter.
How is it slower? Because you have to configure it? You'd have to configure a replacement switch too, so I would think it would be a wash.
-
@Dashrender said in Unrouted Wireless Network setup:
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
Or, upgrade their switch entirely to a bigger switch with more ports, to add the APs to it directly without the need to jumper the 2 switches together.
This mostly depends on traffic patterns and budget. Adding a switch is cheaper, but slower, than replacing with a bigger switch. But rarely does it matter.
How is it slower? Because you have to configure it? You'd have to configure a replacement switch too, so I would think it would be a wash.
No, slower because it introduces additional bottlenecks.
-
@WrCombs said in Unrouted Wireless Network setup:
My customer asked me to look into what will be needed, and here I am, trying to give my customer the best answer as to what it will take for their system to be able to run tablets.
It sounds like you're doing something your company specifically does NOT want you doing: anything to do with networking. You shouldn't be giving them any answer, since some other company handles all of the networking. If you engineer it wrong, you'll be blamed, but if you do it right, you get no benefit. And don't say he'll like you more because of it, because the bar owner shouldn't give two shits about you; he only cares about the function and cost of your solution, and will bail on you in a second if a better solution comes along.
-
@scottalanmiller said in Unrouted Wireless Network setup:
@Dashrender said in Unrouted Wireless Network setup:
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
Or, upgrade their switch entirely to a bigger switch with more ports, to add the APs to it directly without the need to jumper the 2 switches together.
This mostly depends on traffic patterns and budget. Adding a switch is cheaper, but slower, than replacing with a bigger switch. But rarely does it matter.
How is it slower? Because you have to configure it? You'd have to configure a replacement switch too, so I would think it would be a wash.
No, slower because it introduces additional bottlenecks.
Ok, that's true, but likely not a real issue in this situation.
-
@Dashrender said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
My customer asked me to look into what will be needed, and here I am, trying to give my customer the best answer as to what it will take for their system to be able to run tablets.
It sounds like you're doing something your company specifically does NOT want you doing: anything to do with networking. You shouldn't be giving them any answer, since some other company handles all of the networking. If you engineer it wrong, you'll be blamed, but if you do it right, you get no benefit. And don't say he'll like you more because of it, because the bar owner shouldn't give two shits about you; he only cares about the function and cost of your solution, and will bail on you in a second if a better solution comes along.
This is for the sake of learning to think like I'm in an IT job, at least that was the goal.
My answer to them was "that will be on the company you pick to do the APs."
I just didn't put that part in, and now I'm being told more and more about how I don't know shit.
-
@WrCombs said in Unrouted Wireless Network setup:
My answer to them was "that will be on the company you pick to do the APs."
That's a fair answer. But they should bring in PCI advisors before they make networking decisions, not bring in PCI "fixers" after it's a problem. It'll be more secure, and vastly cheaper.
-
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
My customer asked me to look into what will be needed, and here I am, trying to give my customer the best answer as to what it will take for their system to be able to run tablets.
That's what I'm trying to answer. I think that they should step back and consider the need for PCI, security, and management. It'll lower costs while providing better results.
I can't believe you're only now after 6+ months of seeing him post about how they set things up
https://i.imgur.com/LslreWp.png
The company he works for believes that because the terminals can't access the internet, they are safe; hell, they might even think they are providing a PCI compliant environment, but of course you and I both know they are not, in either case.
-
@Dashrender said in Unrouted Wireless Network setup:
@scottalanmiller said in Unrouted Wireless Network setup:
@WrCombs said in Unrouted Wireless Network setup:
My customer asked me to look into what will be needed, and here I am, trying to give my customer the best answer as to what it will take for their system to be able to run tablets.
That's what I'm trying to answer. I think that they should step back and consider the need for PCI, security, and management. It'll lower costs while providing better results.
I can't believe you're only now after 6+ months of seeing him post about how they set things up
https://i.imgur.com/LslreWp.png
The company he works for believes that because the terminals can't access the internet, they are safe; hell, they might even think they are providing a PCI compliant environment, but of course you and I both know they are not, in either case.
FYI... the PCI docs cover that specifically on page 13: if the terminals talk to a server, they have to be patched. They actually address that imagined scenario to dispute it ahead of time.