There are two scenarios I can envisage here.

1 - These workstations talk to some host on the Internet

You're screwed. You could protect stuff while it's inside your LAN, but as
soon as the information leaves your perimeter it's taking the cleartext bus
to Hackerville. If the transaction house doesn't offer some sort of VPN
option, or even tunneling over SSH/SSL or _something_ then you may as well
not bother. You're always going to have a security problem and you should
refuse to conduct CC transactions in this manner.

2 - The workstations talk to some host in your LAN/WAN

You're much better off. There are a variety of tricks you can use, mostly
revolving around building two ethernet fabrics within the LAN, one for
"secure" stuff and one for everything else. Look at things like
dual-ethernet routers, dual-homed hosts and servers with separate switches -
that sort of thing.

The basic problem here is not network security so much as confidentiality
(people seeing this CC data in transit is bad). That's why everyone is
harping on about VPNs and encryption rather than firewalls.

Cheers!

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: Young, Beth A. [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 1 February 2001 2:15 
> To: [EMAIL PROTECTED]
> Subject: Securing workstations when Firewall isn't an option
> 
> 
> I have an unusual situation that I need help resolving.
> 
> I have several physical locations (3-6 different buildings) that need a few
> workstations (like 1-3) segregated from the rest of the network.  The
> workstations are doing credit-card transactions and from what we can see,
> the software doesn't encrypt the information so we need network security to
> fix the problem (why don't software companies, especially companies that
> deal with electronic commerce put in security?!? But that is another
> topic...)
> 
> So, how can I segregate so few workstations without putting a firewall in
> each location?  The expense of the 6 firewalls would be too costly for the
> department.
> 
> Thanks for any suggestions,
> Beth
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 