buckbito asked:

Firewall options for Clover Mini on segmented network

Are there any firewall systems that satisfy the pcicomply questionnaire? (which should be based on B-IP in my case). I have segmented the Clover on its own VLAN where it is the only device in its IP range. I am running into brick walls in trying to implement a Firewall policy that satisfies the terribly vague statements presented by the pcicomply questionnaire's Internet Firewall section:

  1. A firewall (or similar protection) is in place. [YES]
  2. Only authorized communication between the POS equipment and the Internet is permitted.
  3. All non-business communication between the POS equipment and the Internet is denied.
  4. The firewall uses 'stateful inspection' (Most firewalls do this automatically.)
  5. Anti-spoofing measures are implemented.
  6. No / None of the above

Comments:

  1. YES
  2. What is that supposed to mean??? If I set up the firewall to ALLOW everything, I have "authorized" that communication... If I try to determine what traffic should be authorized I might look to the Clover FAQ, but what firewall provides the ability to effectively restrict traffic to specific DOMAINS rather than using IPTABLES? See: this devask topic. So that suggests that a HOST call should be made to provide IPs suitable for IPTABLES, but that relies on DNS.
  3. See #2 above
  4. YES
  5. What are "Anti-spoofing measures"? - Does this refer to MAC spoofing? Does it refer to internal IP range spoofing? Does it refer to any type of spoofing? If I block bogon IPs, but can't tell if a non-bogon IP is being spoofed, have I implemented "Anti-spoofing measures"?

I expected the security of the internet connection between this Clover device and Clover's servers to be implemented between those points. I did not expect that I would need to implement security based on difficult-to-find information that is not presented in a way that makes sense in a firewall context: the Clover FAQ plus this devask topic.

If security is the goal, why can't Clover provide firewall rules that can be used in common firewall systems like pfsense, sophos, etc. or even better, IPTABLES rules that can be adapted to work in nearly any firewall?

I'm not even remotely close to being a security expert, but everything I read about using domain names for firewall rules points to it being a very poor choice, but I cannot find any concrete information on what IPs the Clover needs to access.

It seems that it could be very simple to isolate a Clover and truly lock down its segment to allow "Only authorized communication" by DENYing all but the required IPs and PORTs, but I cannot find the information to implement this anywhere on Clover's help system.

Does such information exist and if not, why not?


efriese commented:

Accidentally pressed comment instead of answer. Nothing to see here.


1 Answer

efriese answered:

I am a security expert (well according to a bunch of certification companies anyway), but I can't say I'm 100% on PCI. What I did to address the checklist item above:

  1. Segment my Clover to a separate VLAN.
  2. Use MAC whitelisting so that only Clover can attach to the network.
  3. Made sure there were no apps installed that could be used by the employees to connect directly to the internet (i.e. a browser). Also made sure my user accounts were locked down and appropriate permissions were in place.

Numbers 2 and 3 are achieved by segmentation and whitelisting the MAC. That locks it down to only authorized traffic, and as long as the device is locked down, only business-related transactions will occur. The anti-spoofing requirement is primarily concerned with traffic from the internet spoofing the IP address of an internal IP. Most firewalls have the option to block that type of behavior.


buckbito commented:

Thanks for the answer @efriese! Unfortunately my links, which are all to Clover domain URLs, are missing. One goes to a Clover FAQ titled "Are there recommended firewall settings and configurations?" which suggests that PORTs 80, 443 and 123 should be locked down to specified Clover domains, which makes a lot of sense to me, and would be very easy to implement if IPs rather than domain names were provided. I'm reluctant to attest to the veracity of my questionnaire that I've implemented firewall rules controlling traffic between the Clover device and WAN although there are no such rules in place...

buckbito commented:

efriese, regarding your #2, my segmented network is wired, so even a MAC check is rather superfluous...

efriese commented:

Superfluous from the standpoint that it's pretty easy to spoof a MAC? This is true, but they need to know the MAC of your Clover to perform the attack. If you have proper access control in place this would be difficult to achieve.

I'm with you on using domain names for creating firewall rules. I don't think PCI-DSS is really asking you to lock it down that much though. Here's a link to a blog article I keep bookmarked that does a good job of discussing egress rules:

http://securityskeptic.typepad.com/th...

buckbito commented:

Hi efriese, Thanks for the additional comment and link! I was thinking the MAC would be superfluous because this VLAN is wired and I was thinking that the only way to attack in this manner would be to actually gain physical access to the little 5 port switch on the server rack, but perhaps I'm not thinking about it the right way...

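The thread leaves two things unresolved in firewall terms: what "only authorized communication" looks like as a deny-by-default egress policy when the FAQ names domains (and ports 80, 443 and 123) rather than IPs, and what "anti-spoofing" means at the WAN edge. The model below is an added example, not code from Clover or from anyone in this thread. Every address, interface name and hostname in it is a constructed placeholder (the real destination names are in the Clover FAQ); the `ALLOWED` table stands in for a DNS lookup done on the firewall at rule-build time, which is the "HOST call" approach the question describes, with the same caveat that pinned IPs go stale when the DNS records change and the ruleset has to be rebuilt.

```python
"""Egress allow-list and anti-spoofing model for an isolated POS VLAN.

Constructed example (not Clover's or the forum's code). Addresses, interface
names and hostnames are placeholders; real destination domains are in Clover's FAQ.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Constructed topology: the Clover is the only host in its small VLAN ---
POS_IFACE = "eth1.10"              # firewall interface facing the POS VLAN (assumed)
WAN_IFACE = "eth0"                 # firewall interface facing the Internet (assumed)
POS_NET = ip_network("10.50.10.0/29")
CLOVER_IP = ip_address("10.50.10.2")

# Services the thread's FAQ names: HTTP/HTTPS to Clover hosts and NTP.
# Hostnames are placeholders and the IPs are documentation ranges (TEST-NET),
# pinned at rule-build time because packet filters match addresses, not names.
ALLOWED = {
    "pos-api.example.com": {"ips": ["203.0.113.10", "203.0.113.11"],
                            "ports": [("tcp", 80), ("tcp", 443)]},
    "ntp.example.com":     {"ips": ["198.51.100.5"], "ports": [("udp", 123)]},
}

# Sources that must never arrive on the WAN side: the POS VLAN itself plus
# private, loopback and link-local space. A match is a spoofed-source packet.
BOGUS_WAN_SOURCES = [POS_NET] + [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrived on
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    established: bool = False   # reply to a connection the firewall already tracks


def is_spoofed(pkt: Packet) -> bool:
    """Anti-spoofing: a WAN-side packet claiming an internal source is dropped."""
    src = ip_address(pkt.src)
    return pkt.iface == WAN_IFACE and any(src in net for net in BOGUS_WAN_SOURCES)


def forward_allowed(pkt: Packet) -> bool:
    """Deny-by-default forwarding decision for the POS VLAN.

    Only the Clover, only to pinned addresses, only on the ports each host is
    authorized for. Inbound from the WAN is refused unless it is a reply to a
    connection the Clover opened (stateful inspection).
    """
    if is_spoofed(pkt):
        return False
    if pkt.established:
        return True
    if pkt.iface != POS_IFACE or ip_address(pkt.src) != CLOVER_IP:
        return False
    for svc in ALLOWED.values():
        if pkt.dst in svc["ips"] and (pkt.proto, pkt.dport) in svc["ports"]:
            return True
    return False


def _set_name(hostname: str) -> str:
    return hostname.replace(".", "_").replace("-", "_")


def render_nftables() -> str:
    """Emit the same policy as an nftables ruleset (load with `nft -f <file>`)."""
    lines = ["table inet pos_fw {"]
    for name, svc in ALLOWED.items():
        lines.append(f"  set {_set_name(name)} {{ type ipv4_addr; "
                     f"elements = {{ {', '.join(svc['ips'])} }} }}")
    bogus = ", ".join(str(n) for n in BOGUS_WAN_SOURCES)
    lines += ["  chain forward {",
              "    type filter hook forward priority 0; policy drop;",
              f'    iifname "{WAN_IFACE}" ip saddr {{ {bogus} }} drop comment "anti-spoofing"',
              "    ct state established,related accept"]
    for name, svc in ALLOWED.items():
        for proto, port in svc["ports"]:
            lines.append(f'    iifname "{POS_IFACE}" ip saddr {CLOVER_IP} '
                         f'ip daddr @{_set_name(name)} {proto} dport {port} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
```

`forward_allowed` and `render_nftables` encode one policy twice on purpose: the Python function is the thing you can reason about and test against sample packets, and the rendered ruleset is what the firewall actually loads. Regenerating the ruleset from a fresh resolution of the FAQ's hostnames (on a schedule, with the previous set kept until the new one loads cleanly) is what turns the domain-based guidance into the IP-based rules the question asks for.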