  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 414

IE Point of Sale and IE Internet Browsing Security

Our golf courses use a web-based POS application that has barcode scanners of the keyboard-wedge type. This means anything read by the scanner is simply input the same as if a user typed the characters at a keyboard. The cash drawers are also pretty simple. They are triggered by a command over a serial port, similar to printing. All it does is release a latch on the cash drawer; a spring pushes the drawer out.

The security issue is protecting the CC data from a downloaded key-logger virus when the user browses the Internet. We are thinking about setting up the local browser to be allowed to communicate only with the POS web application. Then install a Citrix client to launch an IE browser for the user to be free to browse the Internet.

Has anyone set up a similar configuration using Citrix for secure web browsing? Any better ideas out there are appreciated.

Thanks, Dan
Asked by danfiggolf

1 Solution
nettek0300 commented:
I personally would not allow web browsing from the POS machines. It would be a lot more secure if you placed a separate computer somewhere in the building for web surfing, preferably on a separate VLAN.
 
käµfm³d 👽 commented:
Does the POS machine have exposed ports? I would be concerned about USB keys being attached. Also, this statement worries me:
This means anything read by the scanner is simply input the same as if a user typed the characters at a keyboard.
Just because it's a barcode doesn't mean it's hack-proof. What if I bar-encoded the following?
' or 1=1;DROP ALL;--
...dependent on the backing database, of course. I am not saying it is or isn't likely, but it is possible. I just hope your POS software is coded properly ; )

Oh, and I agree with nettek0300 about having a separate machine.
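The point above, that a keyboard wedge turns whatever is printed in a barcode into keystrokes the POS application cannot tell from typed input, is easy to demonstrate. The following is an added example written for this page, not code from the poster's POS product or from any commenter: it builds a constructed in-memory SQLite catalogue (the item names, barcodes and prices are made up), runs the same hostile "scan" through a string-built query and a parameterised one, and shows an allow-list check that rejects anything that is not a 13-digit EAN/UPC with a valid check digit before it reaches a query at all. Function names (`lookup_unsafe`, `lookup_safe`, `validate_scan`) are this example's own. The stacked `DROP` payload in the comment needs a driver that runs several statements per call; Python's `sqlite3.execute` refuses that, so the example uses the `OR 1=1` form to make the same point.

```python
import re
import sqlite3

# Constructed sample catalogue for the demo; not the poster's POS data.
SAMPLE_ITEMS = [
    ("0012345678905", "Sleeve of golf balls", 14.99),
    ("0078000000054", "Golf glove", 22.50),
]


def open_db():
    """In-memory stand-in for the POS backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (barcode TEXT PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def lookup_unsafe(conn, scanned):
    """Query built by string concatenation: the scanner's 'keystrokes'
    are parsed as SQL, so a crafted barcode rewrites the WHERE clause."""
    sql = f"SELECT name, price FROM items WHERE barcode = '{scanned}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, scanned):
    """Parameterised query: the scan is bound as a value and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, price FROM items WHERE barcode = ?", (scanned,)
    ).fetchall()


EAN13 = re.compile(r"[0-9]{13}")


def ean13_checksum_ok(code):
    """EAN-13/UPC check digit: weights 1,3,1,3,... over the first 12 digits."""
    digits = [int(c) for c in code]
    weighted = sum(d * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - weighted % 10) % 10 == digits[12]


def validate_scan(raw):
    """Allow-list the scan before it reaches any query.

    Many wedges append CR/LF as a suffix, so that is stripped; everything
    else must be exactly 13 digits with a valid check digit. Returns the
    cleaned code, or None if the input is not a well-formed barcode.
    """
    code = raw.rstrip("\r\n")
    if not EAN13.fullmatch(code) or not ean13_checksum_ok(code):
        return None
    return code


if __name__ == "__main__":
    conn = open_db()
    hostile = "' OR 1=1--"  # what a printed barcode could 'type'
    print(lookup_unsafe(conn, hostile))  # every row: WHERE clause rewritten
    print(lookup_safe(conn, hostile))    # []: looked for that literal string
    print(validate_scan(hostile))        # None: rejected before any query
    print(validate_scan("0012345678905\r"))  # '0012345678905'
```

The check digit does not stop a determined attacker (anyone can print a valid EAN), so it is hygiene against garbage scans, not the security control; the parameterised query is what removes the injection, and the allow-list keeps every other downstream consumer of the scan (receipt printer, cash-drawer command, logging) from seeing arbitrary characters.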
 
btan (Exec Consultant) commented:
I also see it as isolation, especially for a "vulnerable" machine, due to the exposure it has from multi-user business needs. It needs to address such a kiosk mode, where various aspects need to be considered for defense in depth:

a) Network layer - it is configured in one VLAN, separated from the management LAN and corporate intranet. Any incoming traffic will pass through the firewall and content filter to scan for attack signatures, especially when visiting malicious sites or downloading executables like "fake AV", "flash codec", etc.

b) Endpoint layer - only allow user mode, where no admin rights are given to tamper with system resources, install programs or perform system admin processes like user account management. Have it centrally managed, with policy and updates pushed down if possible; otherwise make sure the host machine is updated with patches. Remote application browsing through Citrix is also one means; do check out Remote Desktop Services (RDS) in Windows Server 2008 R2 (it has strong RDP v7.0 that is secure from past attacks). Of course, the host will then be isolated, since the server is doing the browsing on its behalf. The server will then need to be secured with policy control and whitelisting, since it provides such services. Check out AppLocker too in the whitelisting context (only in Windows 7).

There are more, but it just means adding more layers; I believe the key is to contain the entry point, which is typically the web traffic via the browser. We may want to consider sandboxing the application such that it does not know the real host, hence it is virtualised in that sense. Check out Sandboxie, which does application sandboxing such that it creates another space for that application to "abuse".

Ideally the host machine has a base image that can be reverted to, but that can be tedious, hence I would rather focus on the application and restricting which applications run and how they interact with the "wild". Logging is crucial for investigation, but probably in your case not so key. Device control such as storage media should be disabled if not used (advised not to enable it since we are not using it). SteadyState from Windows is another you may be interested in (but note that it is not maintained).
 
btan (Exec Consultant) commented:
I thought client hypervisors are another new technology to be aware of:

http://searchvirtualdesktop.techtarget.com/definition/client-hypervisor

Client hypervisors are useful in that they isolate the operating system from the hardware, making the OS hardware-agnostic. Client hypervisors can also be used to isolate and run different versions of operating systems on the same machine, which isn’t possible otherwise. For example, a user with a Windows 7 machine could run a virtualized version of Windows XP and an older version of Internet Explorer (IE) to access legacy applications that aren’t supported on Windows 7.

In addition, companies using virtual desktop infrastructure (VDI) to deploy desktops can use client hypervisors to support disconnected VDI. One of the problems with desktop virtualization is that users can only access their desktops while connected to a network. With a client hypervisor, their virtual desktop can run on the client device even when the user doesn’t have broadband access.

http://searchvirtualdesktop.techtarget.com/news/2240035473/Using-client-hypervisors-for-offline-virtual-desktops-and-security

Another security feature in client hypervisors is the ability to revoke privileges or kill company-owned VMs when employees leave the company or if their machines are lost or stolen.

The centralized desktop management features that client hypervisors provide also make it easier to roll out new OS images when it's time to replace compromised machines or upgrade to a new OS version. And security patch delivery can be done as part of image updates.