Educause Security Discussion mailing list archives
Re: mobile POS system
From: Mark Monroe <markm196 () NETSCAPE NET>
Date: Wed, 6 Aug 2008 11:25:35 -0500
Thank you for all of your comments. They have been very helpful.

Mark

Memisyazici, Aras wrote:
Having actually faced this situation first-hand, please allow me to relay my condolences... Believe me, I understand your pain, my friend! With that being said, my partner in crime and I did the following to satisfy PCI compliance for a mobile station:

1) Those that did support being hooked up to the LAN via physical cable were in fact converted.

2) For those that WEREN'T capable, we bought a Linksys router, put OpenWRT on it and configured it to negotiate at WPA2-AES/PSK, and enabled the built-in FW features (way more capable and smarter than the std. one) on the router, as well as ensured the 1-to-1 NAT (given our current wired/wireless network infrastructure and the way the mother-app was designed, this was a necessity) had only the absolute minimum required ports being forwarded. The router of course was plugged into the LAN uplink-wise and physically secured so no one could interrupt its functionality.

3) The client was Embedded XP based (*shudders*), so we set up stunnel on it with a 4096-bit key for the port(s) it communicated on, then d/l'd and installed Comodo FW and (having disabled the joke-of-a-win-fw) set it up to only allow traffic from the 'server' and nowhere else.

4) Ensured it was physically inaccessible by placing it in a lockable podium and locating it in a public area, so that if anyone attempted to tinker with the lock, it would grab attention.

5) Locked down the system via Local Security Policy and ensured passwords were long, complex and salted!

6) On the server, set up stunnel to receive said traffic with the corresponding key.

With all of the above in place, informed the mgmt that best practice was to NOT use the system, only for when absolutely necessary... And to take it down as soon as the need was satisfied.
We passed our internal audit that way (which, as Valdis pointed out, is a group of infosec pros that are EXTREMELY hard to convince on anything :p )

Hope this helps,

Aras "Russ" Memisyazici
Systems Administrator
CISSP, GCIH, GCIA, GCFA Trained
Office of the Vice President for Research
Virginia Tech

P.S. This year an outside PCI approved auditor is coming apparently... (I've recently been promoted to another dept. and am thankfully no longer responsible for PCI compliance!) I'll keep my eyes open on that and let you know how it goes!
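The quoted steps 2, 3 and 6 (stunnel on the client and server with pre-generated keys, and a router that forwards only the minimum ports) can be written down concretely. The script below is an added example, not something Aras or Mark posted: it generates the two stunnel configs and the router FORWARD rules for that topology, and includes a consistency check of the kind an auditor would ask for. Every address, port and file path is a constructed placeholder, and the modern `sslVersion`/`verify` settings are the editor's assumptions, not part of the 2008 setup. Each side's self-signed certificate is pinned on the other side via `CAfile`, so `verify = 2` rejects any peer that is not that exact certificate.

```shell
#!/bin/sh
# Added example (not from the thread). Generates stunnel client/server
# configs and router forward rules for: POS client -> stunnel -> router
# (1-to-1 NAT, minimal forwards) -> stunnel -> server.
# All addresses, ports and paths below are constructed placeholders.

SERVER_IP="${SERVER_IP:-192.0.2.10}"   # server running the server-side stunnel
POS_IP="${POS_IP:-192.0.2.20}"         # POS client on the LAN side of the router
TUNNEL_PORT="${TUNNEL_PORT:-9443}"     # TLS port the server-side stunnel listens on
APP_PORT="${APP_PORT:-8080}"           # plaintext port of the POS application on the server
LOCAL_PORT="${LOCAL_PORT:-8080}"       # plaintext port the client app talks to on loopback

# One-time key generation per side: self-signed cert with a 4096-bit RSA key.
gen_key() {  # usage: gen_key <name>  -> writes <name>.key and <name>.pem
  openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem"
}

# Server side: accept TLS only from the POS client (its cert is the sole
# trusted peer), then hand plaintext to the application on loopback.
stunnel_server_conf() {
cat <<EOF
; stunnel server-side config (generated example)
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
; the POS client's own certificate is the only trusted peer
CAfile = /etc/stunnel/pos-client.pem
; level 2: require a peer certificate and verify it against CAfile
verify = 2
sslVersion = TLSv1.2
[pos]
accept = ${SERVER_IP}:${TUNNEL_PORT}
connect = 127.0.0.1:${APP_PORT}
EOF
}

# Client side: the app connects to loopback, stunnel wraps it in TLS,
# presents the client cert and pins the server cert via CAfile.
stunnel_client_conf() {
cat <<EOF
; stunnel client-side config (generated example)
client = yes
cert = /etc/stunnel/pos-client.pem
key = /etc/stunnel/pos-client.key
CAfile = /etc/stunnel/server.pem
verify = 2
sslVersion = TLSv1.2
[pos]
accept = 127.0.0.1:${LOCAL_PORT}
connect = ${SERVER_IP}:${TUNNEL_PORT}
EOF
}

# Router FORWARD policy: default drop; the POS host may open only the
# tunnel port to the server; replies are admitted by connection tracking.
router_forward_rules() {
cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s ${POS_IP} -d ${SERVER_IP} -p tcp --dport ${TUNNEL_PORT} -m state --state NEW -j ACCEPT
EOF
}

# Consistency check over the generated pair: both sides require peer
# verification, they agree on the tunnel port, and the client-side
# listener is bound to loopback only. Prints "ok" or the first problem.
check_pair() {
  s=$(stunnel_server_conf); c=$(stunnel_client_conf)
  echo "$s" | grep -q '^verify = 2' || { echo "server: no peer verification"; return 1; }
  echo "$c" | grep -q '^verify = 2' || { echo "client: no peer verification"; return 1; }
  sport=$(echo "$s" | sed -n 's/^accept = .*:\([0-9]*\)$/\1/p')
  cport=$(echo "$c" | sed -n 's/^connect = .*:\([0-9]*\)$/\1/p')
  [ "$sport" = "$cport" ] || { echo "port mismatch: server $sport client $cport"; return 1; }
  echo "$c" | grep -q '^accept = 127.0.0.1:' || { echo "client listens off-loopback"; return 1; }
  echo "ok"
}
```

Usage: `stunnel_server_conf > /etc/stunnel/stunnel.conf` on the server, `stunnel_client_conf` likewise on the client, `router_forward_rules | sh` on the router, and `check_pair` before the audit. The point of the default-DROP forward rule is that the client's firewall (Comodo in the thread) is not the only thing standing between the POS host and the rest of the network.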
Current thread:
- mobile POS system Mark Monroe (Aug 05)
- <Possible follow-ups>
- Re: mobile POS system Megan Carney (Aug 05)
- Re: mobile POS system Bill Terry (Aug 05)
- Re: mobile POS system Valdis Kletnieks (Aug 05)
- Re: mobile POS system Scott Weyandt (Aug 05)
- Re: mobile POS system Ellen Smout (Aug 05)
- Re: mobile POS system Memisyazici, Aras (Aug 06)
- Re: mobile POS system Mark Monroe (Aug 06)