ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    how does this work? Modems/IPs/PCI Scans

    IT Discussion
    networking modems ip pci compliance
    8
    40
    2.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • 1
      1337 @Dashrender
      last edited by 1337

      @Dashrender said in how does this work? Modems/IPs/PCI Scans:

      Instead the firewall/cable modem should be setup with two internal networks (if possible - which is not likely) then the 192 computer couldn't get in the middle to be a MiTM.

      Or perhaps even better, the cable modem set to bridge mode and the 192.168.... connected as a second lan on the PCI firewall.

      J 1 Reply Last reply Reply Quote 0
      • J
        JaredBusch @Dashrender
        last edited by

        @Dashrender said in how does this work? Modems/IPs/PCI Scans:

        It sounds like your network looks like this
        bd0e3583-7483-4178-9c35-139914964619-image.png

        This sounds like exactly what he has.

        @WrCombs said in how does this work? Modems/IPs/PCI Scans:

        then chances are it's scanning the right PC and the fail is on the FW - right?

        It is 100% impossible for a server on the public internet to scan through a NAT device without something else at play. WTF ever PCI scanner you are using on the internet is not seeing anything on the first internal network. Let alone anything on the double nat'd network.

        1 Reply Last reply Reply Quote 1
        • J
          JaredBusch @Dashrender
          last edited by

          @Dashrender said in how does this work? Modems/IPs/PCI Scans:

          @WrCombs The only thing the PCI firewall is doing is preventing the PC on 192 network from attacking it directly.

          Correct

          @Dashrender said in how does this work? Modems/IPs/PCI Scans:

          Because it's on the 192 network, it could still act as a MiTM if it was able to shim its way in there.

          Nothing on the 192 network can simply MiTM. You can easily pcap the data though.

          You could then use the knowledge gained from that to spoof DNS or IP and then begin to get data with some sort of MiTM.

          @Dashrender said in how does this work? Modems/IPs/PCI Scans:

          So the PCI network is not as protected as it could be.

          It is not secure at all. this is a 100% fail.

          1 Reply Last reply Reply Quote 0
          • J
            JaredBusch @1337
            last edited by JaredBusch

            @Pete-S said in how does this work? Modems/IPs/PCI Scans:

            Or perhaps even better, the cable modem set to bridge mode and the 192.168.... connected as a second lan on the PCI firewall.

            This is the only secure method.

            You have to remove any network between the internet and the PCI firewall.

            Note, you don't need VLAN. You can just use two ports like in my next post.

            69f45bc4-b8f0-4f14-b9d3-46256d47908a-image.png

            1 Reply Last reply Reply Quote 0
            • J
              JaredBusch
              last edited by JaredBusch

              Actual setup that I have at the site I am sitting at now.

              F02E32E6-EB02-4A64-AC58-660C84C447E0.jpeg

              Only device on PCI LAN
              CB623AFA-DF20-4D16-82B3-933A07A2AFD1.jpeg

              Firewall rules drop 100% traffic from LAN to PCI LAN and PCI LAN to LAN.

              1 Reply Last reply Reply Quote 2
              • J
                JaredBusch
                last edited by

                Here is the config for that.

                jbusch@fsl-stl# show interfaces 
                 ethernet eth0 {
                     address 12.XXX.XXX.XXX/30
                     description "AT&T FIber"
                     duplex full
                     firewall {
                         in {
                             name WAN_IN
                         }
                         local {
                             name WAN_LOCAL
                         }
                     }
                     speed 100
                 }
                 ethernet eth1 {
                     duplex auto
                     speed auto
                 }
                 ethernet eth2 {
                     address 10.202.8.1/29
                     description "PCI LAN"
                     duplex auto
                     firewall {
                         in {
                             name PCI_IN
                         }
                         local {
                             name PCI_LOCAL
                         }
                     }
                     speed auto
                 }
                 ethernet eth3 {
                     address 10.202.0.1/23
                     description "FSL LAN"
                     duplex auto
                     firewall {
                         in {
                             name LAN_IN
                         }
                         local {
                             name LAN_LOCAL
                         }
                     }
                     speed auto
                     vif 10 {
                         address 10.202.10.1/24
                         description "Guest Wireless"
                         firewall {
                             in {
                                 name Public_WiFi_IN
                             }
                             local {
                                 name Public_WiFi_LOCAL
                             }
                         }
                     }
                     vif 20 {
                         address 10.202.11.1/24
                         description "Security Cameras"
                         mtu 1500
                     }
                 }
                 loopback lo {
                 }
                
                 name PCI_IN {
                     default-action accept
                     description "Network for PCI Devices"
                     rule 10 {
                         action drop
                         description "Block SMTP"
                         destination {
                             group {
                                 port-group SMTP_Ports
                             }
                         }
                         log disable
                         protocol tcp
                         state {
                             established enable
                             invalid enable
                             new enable
                             related enable
                         }
                     }
                     rule 20 {
                         action drop
                         description "Allow access to gateway"
                         destination {
                             group {
                                 address-group ADDRv4_eth2
                             }
                         }
                         log disable
                         protocol tcp
                         state {
                             established enable
                             invalid enable
                             new enable
                             related enable
                         }
                     }
                     rule 30 {
                         action drop
                         description "Block Access to LAN"
                         destination {
                             group {
                                 address-group 10_0_0_0_8
                             }
                         }
                         log disable
                         protocol all
                     }
                 }
                 name PCI_LOCAL {
                     default-action drop
                     description "Devices on PCI Network"
                 }
                
                 name LAN_IN {
                     default-action accept
                     description "LAN in to other interfaces"
                     rule 10 {
                         action accept
                         description "Devices Allowed SMTP"
                         destination {
                             group {
                                 port-group SMTP_Ports
                             }
                         }
                         log disable
                         protocol tcp
                         source {
                             group {
                                 address-group Email_Servers
                             }
                         }
                         state {
                             established enable
                             invalid disable
                             new enable
                             related enable
                         }
                     }
                     rule 40 {
                         action drop
                         description "Drop all other SMTP"
                         destination {
                             group {
                                 port-group SMTP_Ports
                             }
                         }
                         log enable
                         protocol tcp
                         state {
                             established enable
                             invalid enable
                             new enable
                             related enable
                         }
                     }
                     rule 50 {
                         action drop
                         description "Drop all to PCI LAN"
                         destination {
                             group {
                                 address-group NETv4_eth2
                             }
                         }
                         log disable
                         protocol all
                         state {
                             established enable
                             invalid enable
                             new enable
                             related enable
                         }
                     }
                 }
                
                1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender
                  last edited by

                  Few if any consumer level firewalls will provide the split like Jared is showing.

                  But a super cheap ER-X from Ubiquiti can do this very easily, as Jared's examples show.

                  1 Reply Last reply Reply Quote 0
                  • S
                    scotth
                    last edited by

                    I think that there's one more way. One firewall per network, both through the cable modem/router. Each is responsible for their own security. Any backoffice access is governed by the payment processor and security for the payment/processing side is provided by the payment processor.

                    DashrenderD 1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @scotth
                      last edited by

                      @scotth said in how does this work? Modems/IPs/PCI Scans:

                      I think that there's one more way. One firewall per network, both through the cable modem/router. Each is responsible for their own security. Any backoffice access is governed by the payment processor and security for the payment/processing side is provided by the payment processor.

                      This assumes you can get two ip from the isp.

                      S 1 Reply Last reply Reply Quote 0
                      • S
                        scotth @Dashrender
                        last edited by scotth

                        @Dashrender said in how does this work? Modems/IPs/PCI Scans:

                        @scotth said in how does this work? Modems/IPs/PCI Scans:

                        I think that there's one more way. One firewall per network, both through the cable modem/router. Each is responsible for their own security. Any backoffice access is governed by the payment processor and security for the payment/processing side is provided by the payment processor.

                        This assumes you can get two ip from the isp.

                        You could also put one firewall behind the other. This happens a lot. The idea is to get the transaction(s) secure and to make absolutely sure that the PCI compliance is on the shoulders of the payment processor as much as possible. Audits are their responsibility. Remediation is their responsibility. Secure transactions are their responsibility.

                        EDIT: This does not exclude you (meaning anyone) from properly securing your own environment. Put the onus where it belongs.

                        1 Reply Last reply Reply Quote 0
                        • brandon220B
                          brandon220
                          last edited by

                          @JaredBusch example also is great for home use if you have IoT devices. I have an ERL behind a cable modem and this keeps everything I want separated from my normal LAN.

                          J 1 Reply Last reply Reply Quote 0
                          • J
                            JaredBusch @brandon220
                            last edited by

                            @brandon220 said in how does this work? Modems/IPs/PCI Scans:

                            @JaredBusch example also is great for home use if you have IoT devices. I have an ERL behind a cable modem and this keeps everything I want separated from my normal LAN.

                            That is a good way to practice this for business use

                            1 Reply Last reply Reply Quote 0
                            • 1
                            • 2
                            • 2 / 2
                            • First post
                              Last post