
    vLANs random question.

    IT Discussion
    wrcombs vlans networking
    5
    19
    2.0k
    • WrCombsW
      WrCombs
      last edited by

      I almost don't want to post this, because I feel like it's a stupid question on my part - but hey, screw it, maybe I'll learn something more.

      I got asked randomly and vaguely "has anyone set up separate vLANs for registers and payment devices"

      I asked for the reasoning behind it - because registers have to communicate with the payment devices to get transaction details - send to processors - send authorization details to the POS registers - I was curious why you would want to separate them.
      The answer I got was about what you'd expect.

      Claiming it's more secure, reduced PCI Questionnaire (which I don't see how it reduced the questionnaire), but they've been told it's possible - which I agree it is, but I still don't get why.

      My first thought to help them - without having any other information - is to set a rule in the firewall to allow communication between the two networks. Assuming they already did this and it's not working, what other options do they have?

      Would a DMZ work in this situation? Something tells me yes; from past readings and videos it would be reasonable to try.

      How would you get two vLANs to communicate through the layer 3 device internally but only send payment transactions through one? (If that even makes sense.)

      I forgot my book at home; usually I bring it with me to work so I can look through it when I have these questions or issues arise.

      1 scottalanmillerS 2 Replies Last reply Reply Quote 0
      • dafyreD
        dafyre
        last edited by

        The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

        1 WrCombsW 2 Replies Last reply Reply Quote 1
        • 1
          1337 @dafyre
          last edited by 1337

          @dafyre said in vLANs random question.:

          The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

          That's a good answer.

          When devices are in the same subnet, traffic doesn't pass any external router/firewall. So any device can access any port on any other device in the subnet.

          When two devices are in different subnets the traffic must pass the router/firewall and you can set up rules there to allow or block certain traffic.


          Being picky here but VLAN are just a way to split switches into virtual switches. It's having different subnets that makes the traffic pass the router.

          1 Reply Last reply Reply Quote 1
          • WrCombsW
            WrCombs @dafyre
            last edited by

            @dafyre said in vLANs random question.:

            The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

            If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

            scottalanmillerS dafyreD 2 Replies Last reply Reply Quote 0
            • DashrenderD
              Dashrender
              last edited by

              I definitely don't see what anyone's saving by splitting those two groups of devices.

              Hopefully they have guest wifi split.

              1 Reply Last reply Reply Quote 1
              • 1
                1337 @WrCombs
                last edited by 1337

                @WrCombs said in vLANs random question.:

                I got asked randomly and vaguely "has anyone set up separate vLANs for registers and payment devices"
                I asked for the reasoning behind it - because registers have to communicate with the payment devices to get transaction details - send to processors - send authorization details to the POS registers - I was curious why you would want to separate them.
                The answer I got was about what you'd expect.

                Normally you do network segmentation with different VLAN/subnets to be able to secure them with a different set of firewall rules.

                I don't know enough about POS systems to discuss specifics. However, if devices of type A need to communicate with devices of type B then you set up a rule to allow that. If devices of type B need to communicate with the internet you set up a rule for that. And so on.

                What you end up with is a set of rules that only allow the type of traffic that is needed between devices, VLANs and WAN for things to work. Everything else is blocked.

                This is the principle of least privilege. You allow only what's needed.
                It's more secure because if one device is compromised with malicious code it can't spread easily to everything else. It also forces you to find out the traffic flow of your devices. The more specific the rules are the better it is, but it's also more work. So somewhere there is a balance of cost versus risk.

                A DMZ is basically a simple form of network segmentation.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @WrCombs
                  last edited by

                  @WrCombs said in vLANs random question.:

                  Claiming it's more secure, reduced PCI Questionnaire (which I don't see how it reduced the questionnaire), but they've been told it's possible - which I agree it is, but I still don't get why.

                  If the two can talk to each other, the PCI exposure spreads between them.

                  WrCombsW 1 Reply Last reply Reply Quote 1
                  • scottalanmillerS
                    scottalanmiller @WrCombs
                    last edited by

                    @WrCombs said in vLANs random question.:

                    @dafyre said in vLANs random question.:

                    The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

                    If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

                    Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

                    WrCombsW 1 Reply Last reply Reply Quote 0
                    • dafyreD
                      dafyre @WrCombs
                      last edited by

                      @WrCombs said in vLANs random question.:

                      @dafyre said in vLANs random question.:

                      The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

                      If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

                      In that case, if they both have to be on separate VLANs, make sure the router / firewall doesn't let traffic cross those two VLANs, but still allows communications to the internet.

                      To simplify things, put them both on the same VLAN. That is what we did per recommendation from a vendor at the time from my last job.

                      1 Reply Last reply Reply Quote 1
                      • 1
                        1337
                        last edited by

                        FYI, PCI DSS V4.0 has just been released. So whatever one chooses to do it would be a good idea to check that it is compliant against the new standard.

                        1 Reply Last reply Reply Quote 0
                        • WrCombsW
                          WrCombs @scottalanmiller
                          last edited by

                          @scottalanmiller said in vLANs random question.:

                          @WrCombs said in vLANs random question.:

                          Claiming it's more secure, reduced PCI Questionnaire (which I don't see how it reduced the questionnaire), but they've been told it's possible - which I agree it is, but I still don't get why.

                          If the two can talk to each other, the PCI exposure spreads between them.

                          That's what I thought, so I thought it was a weird request.

                          1 Reply Last reply Reply Quote 0
                          • WrCombsW
                            WrCombs @scottalanmiller
                            last edited by

                            @scottalanmiller said in vLANs random question.:

                            @WrCombs said in vLANs random question.:

                            @dafyre said in vLANs random question.:

                            The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

                            If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

                            Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

                            So how would you make that work? Just using firewall rules to let the two talk to pull transaction information?

                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @WrCombs
                              last edited by

                              @WrCombs said in vLANs random question.:

                              @scottalanmiller said in vLANs random question.:

                              @WrCombs said in vLANs random question.:

                              @dafyre said in vLANs random question.:

                              The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

                              If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

                              Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

                              So how would you make that work? Just using firewall rules to let the two talk to pull transaction information?

                              If they talk only to the hosted apps, the intercommunications should be on the server, not the client. Is that not correct?

                              If you need devices on two different LANs (vLANs are just LANs without physical separation) then communications between them is always through a router, and routers are firewalls. So first you have to build a route, then block traffic, then allow the traffic that you want.

                              WrCombsW 1 Reply Last reply Reply Quote 0
                              • WrCombsW
                                WrCombs @scottalanmiller
                                last edited by

                                @scottalanmiller said in vLANs random question.:

                                @WrCombs said in vLANs random question.:

                                @scottalanmiller said in vLANs random question.:

                                @WrCombs said in vLANs random question.:

                                @dafyre said in vLANs random question.:

                                The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

                                If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

                                Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

                                So how would you make that work? Just using firewall rules to let the two talk to pull transaction information?

                                If they talk only to the hosted apps, the intercommunications should be on the server, not the client. Is that not correct?

                                If you need devices on two different LANs (vLANs are just LANs without physical separation) then communications between them is always through a router, and routers are firewalls. So first you have to build a route, then block traffic, then allow the traffic that you want.

                                In a "normal" IT system, that would be the case, as I'm sure you know.
                                In a POS system, however, the pin pads talk directly to the register to pull that transaction data to the pin pad - otherwise the pin pad won't know how much to charge the credit card.

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
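Putting the three points above together (1337's "segment, then allow only the traffic that is needed", scottalanmiller's "build a route, block, then allow", and WrCombs's requirement that the pin pad must still reach the register), here is an added example that is not from the thread or from any POS vendor: a small Python model of the inter-VLAN policy, with a first-match rule evaluator and an illustrative nftables-style rendering. The subnets, VLAN names, the pin-pad port, the direction of the pin-pad flow and the Linux-router topology of the rendering are all assumptions.

```python
"""Added example (not from the thread or any POS vendor): a first-match model
of the inter-VLAN firewall policy the posts above describe.  Subnets, VLAN
names and the pin-pad port are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# One subnet per VLAN (constructed).  As 1337 notes, the VLAN itself is only a
# virtual switch; it is the separate subnet that forces traffic via the router.
VLANS = {
    "registers": ip_network("10.10.10.0/24"),
    "pinpads":   ip_network("10.10.20.0/24"),
    "guest":     ip_network("10.10.30.0/24"),   # Dashrender's "guest wifi split"
}
WAN = "wan"          # pseudo-destination: any address outside every local VLAN
PINPAD_PORT = 4100   # placeholder: use the port the POS vendor documents
HTTPS = 443


@dataclass(frozen=True)
class Rule:
    src: str              # VLAN name
    dst: str              # VLAN name or WAN
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None = any destination port
    action: str           # "accept" or "drop"


# Least privilege: list only the flows the POS needs; anything not listed hits
# the default drop in evaluate().  Direction pinpads -> registers follows the
# thread's wording that the pin pad pulls the amount from the register
# (assumption: confirm against the vendor's own traffic documentation).
POLICY = [
    Rule("pinpads", "registers", "tcp", PINPAD_PORT, "accept"),
    Rule("registers", WAN, "tcp", HTTPS, "accept"),   # hosted POS back end
    Rule("pinpads", WAN, "tcp", HTTPS, "accept"),     # payment processor
    Rule("guest", WAN, "tcp", HTTPS, "accept"),
]


def vlan_of(ip: IPv4Address) -> Optional[str]:
    """Name of the VLAN whose subnet contains ip, or None for the outside world."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Verdict for the first packet of a connection: 'on-link', 'accept' or 'drop'.
    Replies to an accepted connection are handled by connection tracking on a
    real firewall, so only the initiating direction is modelled here."""
    s_vlan, d_vlan = vlan_of(ip_address(src)), vlan_of(ip_address(dst))
    if s_vlan is None:
        return "drop"      # inbound from outside: not part of this forward policy
    if s_vlan == d_vlan:
        return "on-link"   # same subnet: the switch delivers it, no rule can apply
    dst_name = d_vlan if d_vlan is not None else WAN
    for r in POLICY:
        if (r.src, r.dst, r.proto) == (s_vlan, dst_name, proto) and r.dport in (None, dport):
            return r.action
    return "drop"          # default deny: route exists, traffic is blocked unless allowed


def render_nft(policy) -> str:
    """Illustrative nftables-style rendering of the same policy for a Linux
    router that holds all three VLAN interfaces (assumed topology)."""
    local = ", ".join(str(n) for n in VLANS.values())
    out = ["table inet pos {", "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept"]
    for r in policy:
        dst = f"ip daddr != {{ {local} }}" if r.dst == WAN else f"ip daddr {VLANS[r.dst]}"
        l4 = f"{r.proto} dport {r.dport}" if r.dport is not None else f"meta l4proto {r.proto}"
        out.append(f"    ip saddr {VLANS[r.src]} {dst} {l4} {r.action}")
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_nft(POLICY))
    for flow in [("10.10.20.5", "10.10.10.5", "tcp", PINPAD_PORT),   # pin pad -> register
                 ("10.10.30.7", "10.10.10.5", "tcp", HTTPS),         # guest -> register
                 ("10.10.10.5", "10.10.10.9", "tcp", 445),           # register -> register
                 ("10.10.20.5", "203.0.113.10", "udp", 53)]:         # pin pad DNS: not listed
        print(flow, "->", evaluate(*flow))
```

Two things the model makes visible that the prose only states. First, two registers on the same subnet get the "on-link" verdict: no rule can ever touch that traffic, which is why the separate subnet (not the VLAN tag alone) is what buys the firewall's control. Second, the pin pad's DNS lookup comes back "drop", because nobody listed it: that is 1337's point that segmentation forces you to discover the real traffic flows, and a rollout should start with logging rather than dropping so the needed flows can be added one by one.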
                                • scottalanmillerS
                                  scottalanmiller @WrCombs
                                  last edited by

                                  @WrCombs said in vLANs random question.:

                                  @scottalanmiller said in vLANs random question.:

                                  @WrCombs said in vLANs random question.:

                                  @scottalanmiller said in vLANs random question.:

                                  @WrCombs said in vLANs random question.:

                                  @dafyre said in vLANs random question.:

                                  The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

                                  If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

                                  Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

                                  So how would you make that work? Just using firewall rules to let the two talk to pull transaction information?

                                  If they talk only to the hosted apps, the intercommunications should be on the server, not the client. Is that not correct?

                                  If you need devices on two different LANs (vLANs are just LANs without physical separation) then communications between them is always through a router, and routers are firewalls. So first you have to build a route, then block traffic, then allow the traffic that you want.

                                  In a "normal" IT system, that would be the case, as I'm sure you know.
                                  In a POS system, however, the pin pads talk directly to the register to pull that transaction data to the pin pad - otherwise the pin pad won't know how much to charge the credit card.

                                  Then you need to connect the two VLANs, effectively defeating the purpose. It's not entirely defeated, it is still a secondary firewall but only replicating the vastly more important local firewall.

                                  DashrenderD 1 Reply Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in vLANs random question.:

                                    @WrCombs said in vLANs random question.:

                                    @scottalanmiller said in vLANs random question.:

                                    @WrCombs said in vLANs random question.:

                                    @scottalanmiller said in vLANs random question.:

                                    @WrCombs said in vLANs random question.:

                                    @dafyre said in vLANs random question.:

                                    The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

                                    If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

                                    Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

                                    So how would you make that work? Just using firewall rules to let the two talk to pull transaction information?

                                    If they talk only to the hosted apps, the intercommunications should be on the server, not the client. Is that not correct?

                                    If you need devices on two different LANs (vLANs are just LANs without physical separation) then communications between them is always through a router, and routers are firewalls. So first you have to build a route, then block traffic, then allow the traffic that you want.

                                    In a "normal" IT system, that would be the case, as I'm sure you know.
                                    In a POS system, however, the pin pads talk directly to the register to pull that transaction data to the pin pad - otherwise the pin pad won't know how much to charge the credit card.

                                    Then you need to connect the two VLANs, effectively defeating the purpose. It's not entirely defeated, it is still a secondary firewall but only replicating the vastly more important local firewall.

                                    ROFMAO - like the terminals have firewalls - HAHAHAHAHAHA

                                    scottalanmillerS WrCombsW 2 Replies Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said in vLANs random question.:

                                      @scottalanmiller said in vLANs random question.:

                                      @WrCombs said in vLANs random question.:

                                      @scottalanmiller said in vLANs random question.:

                                      @WrCombs said in vLANs random question.:

                                      @scottalanmiller said in vLANs random question.:

                                      @WrCombs said in vLANs random question.:

                                      @dafyre said in vLANs random question.:

                                      The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

                                      If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

                                      Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

                                      So how would you make that work? Just using firewall rules to let the two talk to pull transaction information?

                                      If they talk only to the hosted apps, the intercommunications should be on the server, not the client. Is that not correct?

                                      If you need devices on two different LANs (vLANs are just LANs without physical separation) then communications between them is always through a router, and routers are firewalls. So first you have to build a route, then block traffic, then allow the traffic that you want.

                                      In a "normal" IT system, that would be the case, as I'm sure you know.
                                      In a POS system, however, the pin pads talk directly to the register to pull that transaction data to the pin pad - otherwise the pin pad won't know how much to charge the credit card.

                                      Then you need to connect the two VLANs, effectively defeating the purpose. It's not entirely defeated, it is still a secondary firewall but only replicating the vastly more important local firewall.

                                      ROFMAO - like the terminals have firewalls - HAHAHAHAHAHA

                                      They do, people just disable them intentionally to introduce security risks.

                                      1 Reply Last reply Reply Quote 0
                                      • WrCombsW
                                        WrCombs @Dashrender
                                        last edited by

                                        @dashrender said in vLANs random question.:

                                        @scottalanmiller said in vLANs random question.:

                                        @WrCombs said in vLANs random question.:

                                        @scottalanmiller said in vLANs random question.:

                                        @WrCombs said in vLANs random question.:

                                        @scottalanmiller said in vLANs random question.:

                                        @WrCombs said in vLANs random question.:

                                        @dafyre said in vLANs random question.:

                                        The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

                                        If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

                                        Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

                                        So how would you make that work? Just using firewall rules to let the two talk to pull transaction information?

                                        If they talk only to the hosted apps, the intercommunications should be on the server, not the client. Is that not correct?

                                        If you need devices on two different LANs (vLANs are just LANs without physical separation) then communications between them is always through a router, and routers are firewalls. So first you have to build a route, then block traffic, then allow the traffic that you want.

                                        In a "normal" IT system, that would be the case, as I'm sure you know.
                                        In a POS system, however, the pin pads talk directly to the register to pull that transaction data to the pin pad - otherwise the pin pad won't know how much to charge the credit card.

                                        Then you need to connect the two VLANs, effectively defeating the purpose. It's not entirely defeated, it is still a secondary firewall but only replicating the vastly more important local firewall.

                                        ROFMAO - like the terminals have firewalls - HAHAHAHAHAHA

                                        On this particular system (which I am the admin for), Windows firewalls are required to stay on - for all 3 options, no matter what.

                                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @WrCombs
                                          last edited by

                                          @WrCombs said in vLANs random question.:

                                          @dashrender said in vLANs random question.:

                                          @scottalanmiller said in vLANs random question.:

                                          @WrCombs said in vLANs random question.:

                                          @scottalanmiller said in vLANs random question.:

                                          @WrCombs said in vLANs random question.:

                                          @scottalanmiller said in vLANs random question.:

                                          @WrCombs said in vLANs random question.:

                                          @dafyre said in vLANs random question.:

                                          The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

                                          If this were an on-prem system, that would work. But this is a cloud system, so both need access to the internet.

                                          Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

                                          So how would you make that work? Just using firewall rules to let the two talk to pull transaction information?

                                          If they talk only to the hosted apps, the intercommunications should be on the server, not the client. Is that not correct?

                                          If you need devices on two different LANs (vLANs are just LANs without physical separation) then communications between them is always through a router, and routers are firewalls. So first you have to build a route, then block traffic, then allow the traffic that you want.

                                          In a "normal" IT system, that would be the case, as I'm sure you know.
                                          In a POS system, however, the pin pads talk directly to the register to pull that transaction data to the pin pad - otherwise the pin pad won't know how much to charge the credit card.

                                          Then you need to connect the two VLANs, effectively defeating the purpose. It's not entirely defeated, it is still a secondary firewall but only replicating the vastly more important local firewall.

                                          ROFMAO - like the terminals have firewalls - HAHAHAHAHAHA

                                          On this particular system (which I am the admin for), Windows firewalls are required to stay on - for all 3 options, no matter what.

                                          See!! Firewalls!

                                          1 Reply Last reply Reply Quote 0