Solved

Firewall Hardware to Bypass/Bridge

Posted on 2014-03-01
12
350 Views
Last Modified: 2014-03-04
So a client I know is adding a vending machine to their lunch room that requires a connection to the network for payment options. Is there a piece of hardware that can be purchased to attach to the "ATM" that will bypass the firewall security of their network? Apparently it is being blocked by their firewall... any suggestions? You would think that said vending machine vendors would have this info... thx
0
Question by:gstevederby
12 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 39898673
Basically, you just want to connect this ATM directly to the internet, bypassing the client's existing firewall?
0
 

Author Comment

by:gstevederby
ID: 39898788
Yes.
0
 
LVL 32

Expert Comment

by:_
ID: 39898835
Did you try putting its address in the DMZ?
0
 
LVL 37

Accepted Solution

by:
bbao earned 500 total points
ID: 39899279
If the client's firewall does provide a DMZ zone, Coral47's suggestion is the way to go.

If not, enable port forwarding on the firewall to allow the required ports to be remapped to the ATM on an internal IP.

Actually, if the client's ISP could offer one more public IP address, the simplest way is to put a small switch before the firewall and connect the ATM to the switch, to make sure the ATM is physically separated from the client's network.
0
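The first two options in the accepted answer (a DMZ segment, or a port forward scoped to the vendor's addresses) can be expressed as one firewall ruleset. The following nftables configuration is an added example, not configuration from this thread or from any vendor or firewall product; the interface names, the 192.0.2.0/24 LAN, the vending machine at 198.51.100.10 in a 198.51.100.0/24 DMZ, the 203.0.113.0/24 payment-processor range and port 8443 are all placeholders that must be replaced with the addresses and port the machine's vendor actually publishes. The point it shows is that the machine never needs to "bypass" the firewall: it gets exactly one permitted path out (to the processor), one permitted path in (from the processor, on the forwarded port), and a logged deny toward the LAN.

```nft
#!/usr/sbin/nft -f
# Added example: isolating a network-connected vending machine behind the
# existing firewall instead of bypassing it. All addresses, interfaces and
# the port number below are assumed placeholders, not values from the thread.

define wan_if        = "eth0"
define lan_if        = "eth1"
define dmz_if        = "eth2"
define lan_net       = 192.0.2.0/24
define vend_ip       = 198.51.100.10      # vending machine, DMZ segment
define processor_net = 203.0.113.0/24     # vendor's published processor range
define vend_port     = 8443               # port the vendor says must be reachable

flush ruleset

table inet vending {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Outbound: the machine may talk only to the payment processor over HTTPS.
        iifname $dmz_if ip saddr $vend_ip ip daddr $processor_net tcp dport 443 accept

        # The machine gets no path into the LAN; log attempts so a compromised
        # machine probing the office network shows up in the firewall log.
        iifname $dmz_if ip saddr $vend_ip ip daddr $lan_net log prefix "vend-to-lan " drop

        # Inbound: only the processor may initiate to the machine, and only on
        # the forwarded port (the DNAT below rewrites the destination first).
        iifname $wan_if ip saddr $processor_net ip daddr $vend_ip tcp dport $vend_port accept

        # Ordinary LAN egress is unaffected.
        iifname $lan_if oifname $wan_if accept
    }
}

table ip vending_nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Weak version of the port forward (exposes the machine to the whole internet):
        #   iifname $wan_if tcp dport $vend_port dnat to $vend_ip
        # Scoped version: only the processor's range is forwarded.
        iifname $wan_if ip saddr $processor_net tcp dport $vend_port dnat to $vend_ip
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $wan_if masquerade
    }
}
```

Load it with `nft -f <file>` on a Linux firewall and check the result with `nft list ruleset`. If the vendor cannot supply a fixed source range for the processor, the inbound rule and the DNAT should stay disabled and the machine should rely on outbound-only connections, which is the usual case; the `vend-to-lan` log prefix is the line to watch in syslog, since a payment terminal has no legitimate reason to reach office hosts.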
 
LVL 32

Expert Comment

by:_
ID: 39899306
>> ...if the client's ISP could offer one more public IP address...

Good idea. Definitely the way to go, if possible.
0
 
LVL 64

Expert Comment

by:btan
ID: 39899568
Also note that PCI DSS compliance will likely need to be considered, such as end-to-end encryption to ensure the confidentiality of the credit info in transit and of data at rest/data in use in the vendor machine, if applicable. So besides bypassing the FW, this has to be taken into consideration. There may be a VPN tunnel end to end that terminates at the FW (assuming that is the perimeter for all payment services, including that "ATM").
0
 
LVL 37

Expert Comment

by:bbao
ID: 39899591
> likely the PCI DSS compliance may need to be considered
> besides bypassing the FW, this has to be taken into consideration.
> a vpn tunnel end to end and terminate at the FW.

Yes, PCI DSS and all related security standards should be followed, but I would say those are all the ATM vendor's responsibility, not the party that just provides the space.

Is your client the owner of this ATM? If yes, you really need to consider breadtan's suggestions.
0
 
LVL 64

Expert Comment

by:btan
ID: 39900385
Indeed, as bbao shared. Also, if the vendor machine has the end user's credit card details stored on that machine (which I suppose is not the case by default, and is not recommended), then this has to be factored in to ensure confidentiality as well. This is not necessarily the ATM's onus, since they do not own those machines and are just serving as a 3rd-party payment service. The project team needs to have oversight of the whole ecosystem across the various systems and their interfaces.

PCI DSS may also impact your overall design, and by not holding that sensitive data and offloading it to the payment service to address, you will scope down your service security requirements. We should apprise the stakeholders collectively to make a complete assessment of the designed security service offering. Just another few cents' worth... keep the design simple, as complexity is the enemy of security.
0
 

Author Closing Comment

by:gstevederby
ID: 39902476
All very good ideas; I will run them past the powers that be for a decision... thank you all.
0
 
LVL 64

Expert Comment

by:btan
ID: 39903058
Glad to help, but I suggest that if the answers have assisted, it is good to point out which, so that others can benefit when they chance on this solved question. It helps the larger user base make an informed decision :) Nonetheless, thanks!
0
 

Author Comment

by:gstevederby
ID: 39904178
The problem is, as a consultant I can only recommend what the client should do; ultimately it is up to the company whether they want to invest in the purchase of another ISP line or add a hub. What I am recommending is port forwarding, and bringing up the security issues involved with each choice. While I understand the need for a definitive answer for the larger audience, I feel that ALL the suggestions will work... but at the end of the day it is up to the client whether they are going to spend more money to get there.
So on this question that is the best I can say, unfortunately. I probably should have split the points awarded in this answer... and as you mentioned, keep it simple. Thanks again.
0
 
LVL 64

Expert Comment

by:btan
ID: 39905158
Noted and well received. If you would like to split the answer, I believe the moderator can re-open it for your kind allocation :)
0
