    Windows Firewall

    Water Closet
    • S
      scotth @scottalanmiller
      last edited by

      @scottalanmiller said in Windows Firewall:

      @scotth said in Windows Firewall:

      I'm not trying to sound all Frankenstein, but I've slogged through this for several years and fortunately, our outfit has been ok.

      I think that you mean draconian. 🙂

      I don't mean to make anyone paranoid.... actually I do.

      PCI compliance isn't something to fluff off.
      If you're operating a POS and take credit and / or debit cards, you need all of your protections in place and verifiable, subject to audit.

      Processors will warn, will shut off, will fine a retailer. Why risk a retail outlet over a little effort?

      All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.

      Good Luck

      JaredBuschJ WrCombsW 2 Replies Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch @scotth
        last edited by

        @scotth said in Windows Firewall:

        All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.

        Over spend much?

        S 1 Reply Last reply Reply Quote 3
        • S
          scotth @JaredBusch
          last edited by scotth

          @jaredbusch said in Windows Firewall:

          Over spend much?

          Not my idea. We operated branded convenience stores.
          Really nice money grab for the 3rd party providers.

          Edit: 2nd hardware layer is the brand / POS provider's requirement

          1 Reply Last reply Reply Quote 0
          • WrCombsW
            WrCombs @scotth
            last edited by

            @scotth said in Windows Firewall:

            I don't mean to make anyone paranoid.... actually I do.

            PCI compliance isn't something to fluff off.
            If you're operating a POS and take credit and / or debit cards, you need all of your protections in place and verifiable, subject to audit.

            Processors will warn, will shut off, will fine a retailer. Why risk a retail outlet over a little effort?

            All of our locations have the POS and the backoffice on separate networks which are also separated by a second router and separate firewall--both hardware based--just for the POS protection. All credit / debit cards are processed behind two hardware firewalls and the POS OS firewall is in place and functioning as well.

            Good Luck

            All of our locations are provided hardware firewalls, and our POS is on its own separate network as well. The only thing we don't have compared to you is the POS OS firewall, from the sounds of it.

            S scottalanmillerS 2 Replies Last reply Reply Quote 1
            • S
              scotth @WrCombs
              last edited by

              @wrcombs said in Windows Firewall:

              All of our locations are provided hardware firewalls, and our POS is on its own separate network as well. The only thing we don't have compared to you is the POS OS firewall, from the sounds of it.

              Sounds like your POS provider should be able to give you the information that you need to help you out.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @WrCombs
                last edited by

                @wrcombs said in Windows Firewall:

                All of our locations are provided hardware firewalls, and our POS is on its own separate network as well. The only thing we don't have compared to you is the POS OS firewall, from the sounds of it.

                Yes, but hardware firewalls are useless here (or nearly so), they don't do anything important. Neither does having the separate network. None of that is required if your OSes weren't insecure and exposed like crazy. Now should you have the hardware firewall and the separate network? Sure, those are great, but they are "icing" not the "cake". They are crutches making it sound almost plausible to non-technical people that maybe security isn't all screwed up. But to us, it's plain as day that they are not even remotely secured to a minimum IT standard, let alone to a standard required for POS systems.

                Remember that you must have BOTH the hardware firewall and the OS firewalls to meet a "minimum IT security baseline" for the least security systems that there are. That's the "lowest security minimum" you can have in our industry. That these are POS systems in real businesses handing customer data means that doing only the minimum industry baseline is not enough. And that you have PCI means it is not even close to enough.

                And yet, they aren't doing it. They aren't meeting their industry obligations, their business responsibilities, nor their contractual requirements of their credit card processors. Nor are they being responsible to the customers.

                S 1 Reply Last reply Reply Quote 1
                • S
                  scotth @scottalanmiller
                  last edited by

                  @scottalanmiller said in Windows Firewall:

                  Yes, but hardware firewalls are useless here (or nearly so), they don't do anything important. Neither does having the separate network. None of that is required if your OSes weren't insecure and exposed like crazy. Now should you have the hardware firewall and the separate network? Sure, those are great, but they are "icing" not the "cake". They are crutches making it sound almost plausible to non-technical people that maybe security isn't all screwed up. But to us, it's plain as day that they are not even remotely secured to a minimum IT standard, let alone to a standard required for POS systems.

                  Remember that you must have BOTH the hardware firewall and the OS firewalls to meet a "minimum IT security baseline" for the least security systems that there are. That's the "lowest security minimum" you can have in our industry. That these are POS systems in real businesses handing customer data means that doing only the minimum industry baseline is not enough. And that you have PCI means it is not even close to enough.

                  And yet, they aren't doing it. They aren't meeting their industry obligations, their business responsibilities, nor their contractual requirements of their credit card processors. Nor are they being responsible to the customers.

                  There's more agreement to this than most might think.
                  Personally, I believe that the "best way to hide issues is out in the open" philosophy is being used.
                  'Look at all this stuff we have for you. Firewalls, routers, chip card readers.'
                  If there's a breach, no one will know or find out, since the traffic doesn't occur where anyone could snoop, at least locally.

                  1 Reply Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender @scottalanmiller
                    last edited by

                    @scottalanmiller said in Windows Firewall:

                    @wrcombs said in Windows Firewall:

                    @scottalanmiller said in Windows Firewall:

                    @wrcombs said in Windows Firewall:

                    So even though we provide hardware firewalls to every site, it's still a problem?

                    First Way:

                    Network Edge firewalls do almost nothing to protect workloads inside of the company. The majority of network risks originate inside the LAN, not from outside of it. That's not to say that that edge firewall is a bad thing, it's quite good, but it is trivial in importance compared to the ones on the computers because they do the same job that it does, and a lot more. The firewall on the network edge is almost superfluous as it is redundant with the vastly more important system firewalls.

                    Basically you "need" the Windows Firewall here, the extra network edge firewall is good, but just a "nicety." You can replace the hardware firewall with the Windows firewalls, but not vice versa.

                    However, the best practice is that you never, ever skip either. It's always both.

                    I understand what you're saying, but I would like to point out that we don't use edge routers; we have a variety of Cisco and Linksys switches and provide SonicWalls to every site (I believe, because everyone that has called in talks about the SonicWall).

                    Those are all edge routers. You can't not use them, it's effectively impossible. SonicWalls are just cheap crappy edge routers.

                    Just make sure you know what Scott is talking about, by edge router, he means a routing device that's on the edge of the network, not the EdgeRouter from Ubiquiti.

                    scottalanmillerS 1 Reply Last reply Reply Quote 3
                    • scottalanmillerS
                      scottalanmiller @Dashrender
                      last edited by

                      @dashrender said in Windows Firewall:

                      Just make sure you know what Scott is talking about, by edge router, he means a routing device that's on the edge of the network, not the EdgeRouter from Ubiquiti.

                      Or from anyone. Just a router on the edge of the network. The name for any device that allows the WAN link (cable line, DSL, fiber, whatever) to interface to the network.

                      1 Reply Last reply Reply Quote 0
                      • S
                        scotth
                        last edited by scotth

                        My apologies for not stating this clearly.

                        Comcast router -->> Watchguard Firewall -->> Cybera Router -->> PaySafe Firewall (EchoSAT).

                        I had to get permission to connect our backoffice, which is offsite, by statically addressing one of the Watchguard ports and then routing into the Cybera -- all done over VPN. While it works fine, it's just a little wonky to try to explain to the powers that be why we are doing it this way. Otherwise, I'll have to add an onsite Windows host. Just more layers.

                        Edit: I connected the specified Watchguard port to the POS (Cybera) router.

                        1 Reply Last reply Reply Quote 0
                        • WrCombsW
                          WrCombs
                          last edited by

                          The topic of Windows Firewall came up again today when a site had turned it on.
                          When I asked, "Shouldn't there be a way to write rules in the Windows Firewall so that we could just keep it on?"
                          he replied: "Look into that, and see what you can find. It would have been better for the vendor to add that to the image they give us to boot the POS, but if you can find a way to do it we can try it that way."

                          DustinB3403D 1 Reply Last reply Reply Quote 1
                          • DustinB3403D
                            DustinB3403 @WrCombs
                            last edited by DustinB3403

                            @wrcombs said in Windows Firewall:

                            The topic of Windows Firewall came up again today when a site had turned it on.
                            When I asked, "Shouldn't there be a way to write rules in the Windows Firewall so that we could just keep it on?"
                            he replied: "Look into that, and see what you can find. It would have been better for the vendor to add that to the image they give us to boot the POS, but if you can find a way to do it we can try it that way."

                            That's a win in my book, now setup wireshark and see what the hell is being used!

                            WrCombsW ObsolesceO scottalanmillerS 3 Replies Last reply Reply Quote 2
                            • WrCombsW
                              WrCombs @DustinB3403
                              last edited by

                              @dustinb3403 said in Windows Firewall:

                              That's a win in my book, now setup wireshark and see what the hell is being used!

                              My weekend plans, basically. Or maybe Monday morning... let's see what happens.

                              1 Reply Last reply Reply Quote 1
                              • ObsolesceO
                                Obsolesce @DustinB3403
                                last edited by

                                @dustinb3403 said in Windows Firewall:

                                That's a win in my book, now setup wireshark and see what the hell is being used!

                                Or just visit the vendor website and see what ports it uses... You can get the info from resource monitor too. That's how I usually find out... It's quicker.

                                1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller @DustinB3403
                                  last edited by

                                  @dustinb3403 said in Windows Firewall:

                                  That's a win in my book, now setup wireshark and see what the hell is being used!

                                  Or just look at netstat and know instantly.

                                  WrCombsW 1 Reply Last reply Reply Quote 1
                                  • WrCombsW
                                    WrCombs @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in Windows Firewall:

                                    Or just look at netstat and know instantly.

                                    Ran netstat in CMD as admin.
                                    Do I use the Foreign address or the IP address?

                                    black3dynamiteB scottalanmillerS 2 Replies Last reply Reply Quote 0
                                    • black3dynamiteB
                                      black3dynamite @WrCombs
                                      last edited by

                                      @wrcombs said in Windows Firewall:

                                      Ran netstat in CMD as admin.
                                      Do I use the Foreign address or the IP address?

                                      Foreign is the device you are connected to. IP address is the local address.

                                      1 Reply Last reply Reply Quote 1
                                      • scottalanmillerS
                                        scottalanmiller @WrCombs
                                        last edited by

                                        @wrcombs said in Windows Firewall:

                                        Ran netstat in CMD as admin.
                                        Do I use the Foreign address or the IP address?

                                        Do netstat -a -b

                                        You only care about listening ports.

                                        WrCombsW 1 Reply Last reply Reply Quote 3
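The step scottalanmiller describes, listing the listening ports with netstat -a -b and writing firewall rules only for those, is what a POS technician would script to keep the Windows Firewall switched on. The following PowerShell is an added example written for this thread; it is not code from the thread, from the POS vendor or from any product named above. It assumes Windows 8 / Server 2012 or later (the NetTCPIP and NetSecurity modules) and an elevated session; the rule-name prefix and the $AllowedPeers scope are placeholders chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): do what "netstat -a -b" does, keep only the listening
# sockets, and turn each one into a program-scoped inbound allow rule so the Windows Firewall
# can stay on with default-deny inbound. Assumes Windows 8 / Server 2012 or later.

function Get-ListeningInventory {
    # One row per listening socket with its owning program. The "Local Address" column is this
    # host's side (what a rule is written for); netstat's "Foreign Address" is the remote peer.
    $rows = @()
    $rows += @(Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; OwnerPid = $_.OwningProcess }
    })
    $rows += @(Get-NetUDPEndpoint | ForEach-Object {
        # UDP has no listen state; every bound UDP socket can receive, so all of them are inventoried.
        [pscustomobject]@{ Protocol = 'UDP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; OwnerPid = $_.OwningProcess }
    })
    $rows | ForEach-Object {
        $proc = Get-Process -Id $_.OwnerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol     = $_.Protocol
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            OwnerPid     = $_.OwnerPid
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<exited or protected>' }
            Path         = if ($proc) { $proc.Path } else { $null }   # null for kernel-owned ports (pid 4)
        }
    } | Sort-Object Protocol, LocalPort, Path -Unique
}

function New-PosAllowRules {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [string]   $RulePrefix   = 'POS-Allow',       # placeholder naming convention
        [string[]] $AllowedPeers = @('LocalSubnet'),  # placeholder: tighten to the POS VLAN / processor hosts
        [switch]   $Commit                            # without -Commit nothing changes; the plan is only listed
    )
    foreach ($row in $Inventory) {
        # Loopback-only listeners never cross the wire, so the firewall needs no rule for them.
        if ($row.LocalAddress -in @('127.0.0.1', '::1')) { continue }
        if (-not $row.Path) {
            Write-Warning "$($row.Protocol)/$($row.LocalPort) (pid $($row.OwnerPid)) has no resolvable program path; review it by hand"
            continue
        }
        # Ports owned by svchost.exe should be scoped with -Service rather than -Program,
        # otherwise the rule admits every service hosted in svchost; flag them for review.
        if ($row.ProcessName -eq 'svchost') {
            Write-Warning "$($row.Protocol)/$($row.LocalPort) is svchost-hosted; scope it by service, not by program"
            continue
        }
        $name = "$RulePrefix $($row.ProcessName) $($row.Protocol)/$($row.LocalPort)"
        if ($Commit) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $row.Protocol -LocalPort $row.LocalPort -Program $row.Path `
                -RemoteAddress $AllowedPeers -Profile Any | Out-Null
        }
        [pscustomobject]@{ Rule = $name; Program = $row.Path; RemoteScope = ($AllowedPeers -join ', '); Created = [bool]$Commit }
    }
}

function Enable-DefaultDenyInbound {
    # Turn the firewall on for every profile with inbound default Block; the rules above are the only exceptions.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

# Usage: inventory, dry run, then commit once the list has been reviewed against the vendor's port list.
$inventory = Get-ListeningInventory
$inventory | Format-Table -AutoSize
New-PosAllowRules -Inventory $inventory | Format-Table -AutoSize
# New-PosAllowRules -Inventory $inventory -Commit
# Enable-DefaultDenyInbound
```

Run the dry run first and compare its output with the vendor's documented port list (Obsolesce's suggestion above): a listener that the vendor does not document is exactly the thing a default-deny inbound policy should be leaving blocked, not something to write a rule for. Keeping $AllowedPeers narrow (the POS VLAN and the processor's addresses rather than LocalSubnet) is what makes the host firewall do the job scottalanmiller says the edge firewall cannot do on its own.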
                                        • WrCombsW
                                          WrCombs @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in Windows Firewall:

                                          Do netstat -a -b

                                          You only care about listening ports.

                                          Okay Thanks.

                                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @WrCombs
                                            last edited by

                                            @wrcombs said in Windows Firewall:

                                            Okay Thanks.

                                            You bet.

                                            1 Reply Last reply Reply Quote 0