Educause Security Discussion mailing list archives

Re: mobile POS system


From: "Memisyazici, Aras" <arasm () VT EDU>
Date: Wed, 6 Aug 2008 11:26:13 -0400

Having actually faced this situation first hand, please allow me to relay my condolences... Believe me, I understand your pain, my friend!

With that being said, my partner in crime and I did the following to satisfy PCI compliance for a mobile station:

1) Those that did support being hooked up to the LAN via physical cable were in fact converted.

2) Those that WEREN'T capable: we bought a Linksys router, put OpenWRT on it and configured it to negotiate @ WPA2-AES/PSK, enabled the built-in FW features (way more capable & smarter than the std. one) on the router, and ensured the 1-to-1 NAT (given our current wired/wireless network infrastructure and the way the mother-app was designed, this was a necessity) had only the absolute minimum required ports being forwarded. The router of course was plugged into the LAN uplink-wise and physically secured so no one could interrupt its functionality.

3) The client was Embedded XP based (*shudders*), so we set up stunnel on it with a 4096-bit key for the port(s) it communicated on, then d/l'd and installed Comodo FW (and disabled the joke-of-a-win-fw) and set it up to only allow traffic from the 'server' and nowhere else.

4) Ensured it was physically inaccessible by placing it in a lockable podium, and located it in a public area so that if anyone attempted to tinker with the lock, it would grab attention.

5) Locked down the system via Local Security Policy and ensured passwords were long, complex and salted!

6) On the server, set up stunnel to receive said traffic with the corresponding key.

With all of the above in place, informed mgmt that best practice was to NOT use the system except when absolutely necessary... and to take it down as soon as the need was satisfied.

We passed our internal audit that way (which, as Valdis pointed out, is a group of infosec pros that are EXTREMELY hard to convince on anything :p )

Hope this helps,

Aras "Russ" Memisyazici
Systems Administrator
CISSP, GCIH, GCIA, GCFA Trained

Office of the Vice President for Research
Virginia Tech


P.S. This year an outside PCI approved auditor is coming, apparently... (I've recently been promoted to another dept. and am thankfully no longer responsible for PCI compliance!) I'll keep my eyes open on that and let you know how it goes!
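As an added illustration (not from the original post), here is one way to lay out the client- and server-side stunnel configuration that steps 3 and 6 describe, written with current stunnel 5.x option names; the hostnames, ports, paths and the `pos-app` service name are placeholders, and the 4096-bit key/certificate pairs are assumed to have been issued by a private CA beforehand (for example with `openssl req -x509 -newkey rsa:4096`).

```ini
; ===== POS terminal (stunnel client) - stunnel.conf =====
; Constructed example: every path, host and port below is a placeholder.
client  = yes
cert    = C:\stunnel\pos-client.pem        ; terminal's own cert + 4096-bit RSA key (mutual TLS)
CAfile  = C:\stunnel\pos-ca.pem            ; private CA that signed the server certificate
verify  = 2                                ; reject the server unless its cert chains to CAfile
checkHost = pos-server.example.internal    ; ...and the cert is actually for our server
sslVersionMin = TLSv1.2                    ; refuse legacy SSL/TLS versions
options = NO_COMPRESSION
debug   = 4                                ; keep connect/verify failures in the log for review
output  = C:\stunnel\stunnel.log

[pos-app]
; The POS application is pointed at 127.0.0.1:9000 instead of the real server,
; so only encrypted traffic ever leaves the terminal on this service.
accept  = 127.0.0.1:9000
connect = pos-server.example.internal:9443

; ===== application server (stunnel server) - stunnel.conf =====
cert    = /etc/stunnel/pos-server.pem      ; server cert + 4096-bit RSA key
CAfile  = /etc/stunnel/pos-ca.pem          ; private CA that signed the terminal certificates
verify  = 2                                ; require a client cert chaining to CAfile:
                                           ; an unknown client cannot even reach the app port
sslVersionMin = TLSv1.2
setuid  = stunnel4                         ; drop privileges after binding
setgid  = stunnel4
pid     = /var/run/stunnel4/pos-app.pid
debug   = 4
output  = /var/log/stunnel4/pos-app.log

[pos-app]
accept  = 9443                             ; the only port the router needs to forward
connect = 127.0.0.1:9000                   ; real app port, bound to loopback only
```

Together with the firewall rules from steps 2 and 3, this leaves exactly one TLS port to forward through the 1-to-1 NAT, and the application port itself is never reachable from the network.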
