Windows Firewall
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
The "Job title" held by my boss is Direct supervisor for PoS tech support, it's very much possible that this is set up above him and he never asked questions....
So this is where we get into a bunch of questions like...
- Is he responsible for asking questions?
- Is he responsible for anything involving basic security and practices that put customers at risk?
- Is breaching PCI and other regulations okay even if you are told to do so?
- Is repeating a lie as if it were true acceptable, when it is known that it can't reasonably be true?
I think point 4 is the main one. If HE told you the BS reasons for why things are the way that they are, he risks having grabbed hold of the hot potato even if he didn't have it before.
I honestly have no clue. I wish I had a better explanation.
I Just wasnt sure what the reasoning surronding the non useSo even though we provide hardware Firewalls to every site its still a problem?
Im sure that question will come up -
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
So there are two ways to look at this. But simply, yes.
-
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
-
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
Second Way:
This is a ridiculous bit of misdirection that implies that there is some case where there isn't a hardware firewall at the edge of the network. A statement like this would be used only to trick someone into thinking that not having that firewall is an option, it is not. There is no way to not have a firewall there.
We had a thread about this maybe a month ago. Router and firewall are synonymous terms in the real world since the early 1990s. You can't get a router that isn't a firewall, you can't get a firewall that isn't a router. Sure, the routing functions and the firewall functions are mostly different aspects of the same device, but they are always the same device.
In order to "have a network" you must have a firewall. So the very existence of ANY Windows system has the assumption that there is a firewall there because, essentially, there has to be. How could the network exist otherwise? So the very idea that having provided a hardware firewall is "something special" and would somehow negate the need for something else makes no sense.
This tells us that someone making that statement either doesn't know what a firewall is or is trying to mislead us.
Imagine if we were discussing water (Windows Firewall) and food (hardware firewall) and your life mentor just explained to you the importance of water and you responded with "do we still need water, even if we have provided food?"
What? Of course you still need water, providing food is necessary, of course, but when we said you need water to live, we weren't implying that you don't need food. That all living things need food was a base assumption that we shouldn't have needed to mention. That's where we are here.
When someone explains that the Windows Firewall is needed, that's always in the context, or essentially so, that a hardware firewall is already there. This assumption is so obvious that no one realizes that it needs to be stated because it's nonsensical to think otherwise. But people trying to pull a fast one sometimes rely on this assumption to act as if it might be viable to have another case and try to use the necessity of the situation as a smoke screen for pretending that the Windows firewall might exist for some use case that really doesn't exist.
-
You may not want to hear this but if you don't have your protections turned on, you'll eventually have major PCI compliance issues. By the middle of 2020, if your outfit is found to not be in compliance, the regulators (if they find out) will literally shut off your credit / debit card processing. You'll be cash only until you correct this. And, if you have multiple violations, you'll also be fined in graduating levels.
Also, your credit card processor, your franchiser (if you are part of a franchise), even your vendors may and have the right to ask for your compliance proof.
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
Keep after this with your higher ups. They'll see the light eventually.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
I understand what you're saying, but i would like to point out, that we dont use edge routers, we have a variety of cisco and linksys switches and provide sonic walls to every site (I believe because everyones that has called in talks about the sonic wall).
-
@scotth said in Windows Firewall:
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
I think that you mean draconian.
-
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
I understand what you're saying, but i would like to point out, that we dont use edge routers, we have a variety of cisco and linksys switches and provide sonic walls to every site (I believe because everyones that has called in talks about the sonic wall).
Those are all edge routers. You can't not use them, it's effectively impossible. Sonic Walls are just cheap crappy edge routers.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
I understand what you're saying, but i would like to point out, that we dont use edge routers, we have a variety of cisco and linksys switches and provide sonic walls to every site (I believe because everyones that has called in talks about the sonic wall).
Those are all edge routers. You can't not use them, it's effectively impossible. Sonic Walls are just expensive crappy edge routers.
fixed.
-
@scottalanmiller said in Windows Firewall:
@scotth said in Windows Firewall:
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
I think that you mean draconian.
I don't mean to make anyone paranoid.... actually I do.
PCI compliance isn't something to fluff off.
If you're operating a POS and take credit and / or debit cards, you need all of your protections in place and verifiable, subject to audit.Processors will warn, will shut off, will fine a retailer. Why risk a retail outlet over a little effort?
All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.
Good Luck
-
@scotth said in Windows Firewall:
All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.
Over spend much?
-
@jaredbusch said in Windows Firewall:
@scotth said in Windows Firewall:
All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.
Over spend much?
Not my idea. We operated branded convenience stores.
Really nice money grab for the 3rd party providers.Edit: 2nd hardware layer is the brand / POS provider's requirement
-
@scotth said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@scotth said in Windows Firewall:
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
I think that you mean draconian.
I don't mean to make anyone paranoid.... actually I do.
PCI compliance isn't something to fluff off.
If you're operating a POS and take credit and / or debit cards, you need all of your protections in place and verifiable, subject to audit.Processors will warn, will shut off, will fine a retailer. Why risk a retail outlet over a little effort?
All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.
Good Luck
All of our locations are provided hard ware firewalls, Our POS on our their own seperate Network as well, The only thing we dont have compared to you is POS OS Firewall from the sounds of it.
-
@wrcombs said in Windows Firewall:
@scotth said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@scotth said in Windows Firewall:
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
I think that you mean draconian.
I don't mean to make anyone paranoid.... actually I do.
PCI compliance isn't something to fluff off.
If you're operating a POS and take credit and / or debit cards, you need all of your protections in place and verifiable, subject to audit.Processors will warn, will shut off, will fine a retailer. Why risk a retail outlet over a little effort?
All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.
Good Luck
All of our locations are provided hard ware firewalls, Our POS on our their own seperate Network as well, The only thing we dont have compared to you is POS OS Firewall from the sounds of it.
Sounds like your POS provider should be able to give you the information that you need to help you out.
-
@wrcombs said in Windows Firewall:
@scotth said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@scotth said in Windows Firewall:
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
I think that you mean draconian.
I don't mean to make anyone paranoid.... actually I do.
PCI compliance isn't something to fluff off.
If you're operating a POS and take credit and / or debit cards, you need all of your protections in place and verifiable, subject to audit.Processors will warn, will shut off, will fine a retailer. Why risk a retail outlet over a little effort?
All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.
Good Luck
All of our locations are provided hard ware firewalls, Our POS on our their own seperate Network as well, The only thing we dont have compared to you is POS OS Firewall from the sounds of it.
Yes, but hardware firewalls are useless here (or nearly so), they don't do anything important. Neither does having the separate network. None of that is required if your OSes weren't insecure and exposed like crazy. Now should you have the hardware firewall and the separate network? Sure, those are great, but they are "icing" not the "cake". They are crutches making is sound almost plausible to non-technical people that maybe security isn't all screwed up. But to us, it's plain as day that they are not even remotely secured to a minimum IT standard, let alone to a standard required for POS systems.
Remember that you must have BOTH the hardware firewall and the OS firewalls to meet a "minimum IT security baseline" for the least security systems that there are. That's the "lowest security minimum" you can have in our industry. That these are POS systems in real businesses handing customer data means that doing only the minimum industry baseline is not enough. And that you have PCI means it is not even close to enough.
And yet, they aren't doing it. They aren't meeting their industry obligations, their business responsibilities, nor their contractual requirements of their credit card processors. Nor are they being responsible to the customers.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
@scotth said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@scotth said in Windows Firewall:
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
I think that you mean draconian.
I don't mean to make anyone paranoid.... actually I do.
PCI compliance isn't something to fluff off.
If you're operating a POS and take credit and / or debit cards, you need all of your protections in place and verifiable, subject to audit.Processors will warn, will shut off, will fine a retailer. Why risk a retail outlet over a little effort?
All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.
Good Luck
All of our locations are provided hard ware firewalls, Our POS on our their own seperate Network as well, The only thing we dont have compared to you is POS OS Firewall from the sounds of it.
Yes, but hardware firewalls are useless here (or nearly so), they don't do anything important. Neither does having the separate network. None of that is required if your OSes weren't insecure and exposed like crazy. Now should you have the hardware firewall and the separate network? Sure, those are great, but they are "icing" not the "cake". They are crutches making is sound almost plausible to non-technical people that maybe security isn't all screwed up. But to us, it's plain as day that they are not even remotely secured to a minimum IT standard, let alone to a standard required for POS systems.
Remember that you must have BOTH the hardware firewall and the OS firewalls to meet a "minimum IT security baseline" for the least security systems that there are. That's the "lowest security minimum" you can have in our industry. That these are POS systems in real businesses handing customer data means that doing only the minimum industry baseline is not enough. And that you have PCI means it is not even close to enough.
And yet, they aren't doing it. They aren't meeting their industry obligations, their business responsibilities, nor their contractual requirements of their credit card processors. Nor are they being responsible to the customers.
There's more agreement to this than most might think.
Personally, I believe that the best way to hide issues is out in the open philosophy is being used.
'Look at all this stuff we have for you. Firewalls, routers, chip card readers.'
If there's a breach, no one will know or find out since the traffic doesn't occur where anyone could snoop, at least locally. -
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
I understand what you're saying, but i would like to point out, that we dont use edge routers, we have a variety of cisco and linksys switches and provide sonic walls to every site (I believe because everyones that has called in talks about the sonic wall).
Those are all edge routers. You can't not use them, it's effectively impossible. Sonic Walls are just cheap crappy edge routers.
Just make sure you know what Scott is talking about, by edge router, he means a routing device that's on the edge of the network, not the EdgeRouter from Ubiquiti.
-
@dashrender said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
I understand what you're saying, but i would like to point out, that we dont use edge routers, we have a variety of cisco and linksys switches and provide sonic walls to every site (I believe because everyones that has called in talks about the sonic wall).
Those are all edge routers. You can't not use them, it's effectively impossible. Sonic Walls are just cheap crappy edge routers.
Just make sure you know what Scott is talking about, by edge router, he means a routing device that's on the edge of the network, not the EdgeRouter from Ubiquiti.
Or from anyone. Just a router on the edge of the network. The name for any device that allows the WAN link (cable line, DSL, fiber, whatever) to interface to the network.
-
My apologies for not stating this clearly.
Comcast router -->> Watchguard Firewall -->> Cybera Router -->>PaySafe Firewall (EchoSAT).
I had to get permission to connect our backoffice which is offsite by statically addressing one of the Watchguard ports and then routing into the Cybera -- all done over VPN. While it works fine, it's just a little wonky to try to explain to the powers that be why we are doing it this way. Otherwise, I'l have to add an onsite Windows host. Just more layers.
Edit: I connected the specified Watchguard port to the POS (Cybera) router.
-
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way."