Windows Firewall
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
@scotth said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@scotth said in Windows Firewall:
I'm not trying to sound all Frankenstein, but I've sloughed through this for several years and fortunately, our outfit has been ok.
I think that you mean draconian.
I don't mean to make anyone paranoid.... actually I do.
PCI compliance isn't something to fluff off.
If you're operating a POS and take credit and / or debit cards, you need all of your protections in place and verifiable, subject to audit.Processors will warn, will shut off, will fine a retailer. Why risk a retail outlet over a little effort?
All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.
Good Luck
All of our locations are provided hard ware firewalls, Our POS on our their own seperate Network as well, The only thing we dont have compared to you is POS OS Firewall from the sounds of it.
Yes, but hardware firewalls are useless here (or nearly so), they don't do anything important. Neither does having the separate network. None of that is required if your OSes weren't insecure and exposed like crazy. Now should you have the hardware firewall and the separate network? Sure, those are great, but they are "icing" not the "cake". They are crutches making is sound almost plausible to non-technical people that maybe security isn't all screwed up. But to us, it's plain as day that they are not even remotely secured to a minimum IT standard, let alone to a standard required for POS systems.
Remember that you must have BOTH the hardware firewall and the OS firewalls to meet a "minimum IT security baseline" for the least security systems that there are. That's the "lowest security minimum" you can have in our industry. That these are POS systems in real businesses handing customer data means that doing only the minimum industry baseline is not enough. And that you have PCI means it is not even close to enough.
And yet, they aren't doing it. They aren't meeting their industry obligations, their business responsibilities, nor their contractual requirements of their credit card processors. Nor are they being responsible to the customers.
There's more agreement to this than most might think.
Personally, I believe that the best way to hide issues is out in the open philosophy is being used.
'Look at all this stuff we have for you. Firewalls, routers, chip card readers.'
If there's a breach, no one will know or find out since the traffic doesn't occur where anyone could snoop, at least locally. -
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
I understand what you're saying, but i would like to point out, that we dont use edge routers, we have a variety of cisco and linksys switches and provide sonic walls to every site (I believe because everyones that has called in talks about the sonic wall).
Those are all edge routers. You can't not use them, it's effectively impossible. Sonic Walls are just cheap crappy edge routers.
Just make sure you know what Scott is talking about, by edge router, he means a routing device that's on the edge of the network, not the EdgeRouter from Ubiquiti.
-
@dashrender said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
So even though we provide hardware Firewalls to every site its still a problem?
First Way:
Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.
Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.
However, the best practice is that you never, ever skip either. It's always both.
I understand what you're saying, but i would like to point out, that we dont use edge routers, we have a variety of cisco and linksys switches and provide sonic walls to every site (I believe because everyones that has called in talks about the sonic wall).
Those are all edge routers. You can't not use them, it's effectively impossible. Sonic Walls are just cheap crappy edge routers.
Just make sure you know what Scott is talking about, by edge router, he means a routing device that's on the edge of the network, not the EdgeRouter from Ubiquiti.
Or from anyone. Just a router on the edge of the network. The name for any device that allows the WAN link (cable line, DSL, fiber, whatever) to interface to the network.
-
My apologies for not stating this clearly.
Comcast router -->> Watchguard Firewall -->> Cybera Router -->>PaySafe Firewall (EchoSAT).
I had to get permission to connect our backoffice which is offsite by statically addressing one of the Watchguard ports and then routing into the Cybera -- all done over VPN. While it works fine, it's just a little wonky to try to explain to the powers that be why we are doing it this way. Otherwise, I'l have to add an onsite Windows host. Just more layers.
Edit: I connected the specified Watchguard port to the POS (Cybera) router.
-
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way." -
@wrcombs said in Windows Firewall:
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way."That's a win in my book, now setup wireshark and see what the hell is being used!
-
@dustinb3403 said in Windows Firewall:
@wrcombs said in Windows Firewall:
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way."That's a win in my book, now setup wireshark and see what the hell is being used!
My weekend plans basically. or maybe monday morning.. lets see what happens.
-
@dustinb3403 said in Windows Firewall:
@wrcombs said in Windows Firewall:
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way."That's a win in my book, now setup wireshark and see what the hell is being used!
Or just visit the vendor website and see what ports it uses... You can get the info from resource monitor too. That's how I usually find out... It's quicker.
-
@dustinb3403 said in Windows Firewall:
@wrcombs said in Windows Firewall:
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way."That's a win in my book, now setup wireshark and see what the hell is being used!
Or just look at netstat and know instantly.
-
@scottalanmiller said in Windows Firewall:
@dustinb3403 said in Windows Firewall:
@wrcombs said in Windows Firewall:
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way."That's a win in my book, now setup wireshark and see what the hell is being used!
Or just look at netstat and know instantly.
Ran netstat in CMD as admin.
Do I use the Foreign address or the IP address? -
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@dustinb3403 said in Windows Firewall:
@wrcombs said in Windows Firewall:
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way."That's a win in my book, now setup wireshark and see what the hell is being used!
Or just look at netstat and know instantly.
Ran netstat in CMD as admin.
Do I use the Foreign address or the IP address?Foreign is the device you are connected to. IP address is the local address.
-
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@dustinb3403 said in Windows Firewall:
@wrcombs said in Windows Firewall:
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way."That's a win in my book, now setup wireshark and see what the hell is being used!
Or just look at netstat and know instantly.
Ran netstat in CMD as admin.
Do I use the Foreign address or the IP address?Do netstat -a -b
You only care about listening ports.
-
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@dustinb3403 said in Windows Firewall:
@wrcombs said in Windows Firewall:
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way."That's a win in my book, now setup wireshark and see what the hell is being used!
Or just look at netstat and know instantly.
Ran netstat in CMD as admin.
Do I use the Foreign address or the IP address?Do netstat -a -b
You only care about listening ports.
Okay Thanks.
-
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@wrcombs said in Windows Firewall:
@scottalanmiller said in Windows Firewall:
@dustinb3403 said in Windows Firewall:
@wrcombs said in Windows Firewall:
The topic of Windows Firewall came up again today when a site had turned it on
When I asked "Shouldnt there be a way to write rules in the windows firewall so that we could just keep it on?"
He replied: "look into that, and see what you can find. It would have been better for the vendor to add that to their image they give us to boot the POS but if you can find a way to do it we can try it that way."That's a win in my book, now setup wireshark and see what the hell is being used!
Or just look at netstat and know instantly.
Ran netstat in CMD as admin.
Do I use the Foreign address or the IP address?Do netstat -a -b
You only care about listening ports.
Okay Thanks.
You bet.