"Port Based Security" – "Drop-In Mode": The ideal solution for retail chains
Port Based Security
Situation in the branch sites:
• One private IP subnet (= one IP broadcast domain) in each branch
• Static IP addresses on the LAN (no DHCP)
• Allow POS transactions to HQ
• Customer card transactions via IP-connected card machines
• Mobile phone top-up transactions and lottery transactions
• Remote maintenance of the POS equipment
• Remote maintenance of other IP-connected equipment in the branch by third parties
• The requirements of the "Payment Card Industry Data Security Standard" (PCI DSS) must be met.
• To fulfil these requirements, the network topology of the branch office LAN must be changed (IP subnetting / VLANs).
• A change to the network topology in hundreds or thousands of branches is both expensive and logistically prohibitive.
Port Based Security
Problem: How can I prevent access between equipment without extensive modification of the network topology?
Diagram: VPN gateway R1202 at .1 on IP subnet 10.0.0.0/24, a switch, and hosts .2, .3, .5, .7, .8 and .9 (a "CRM" system, a "Card Terminal" and "M2M/Lottery/etc" devices among them), all in the one subnet.
Port Based Security
The challenge:
• Virtual separation of the network components WITHOUT removing equipment from the common IP subnet
• Although the network components are in a common IP broadcast domain, ensure they CANNOT communicate with each other directly ...
• ... but allow communication via the router, which can control access between network components with its existing Layer 3 features (firewall, ACL)
Port Based Security
"Drop-In Mode" - also known as "transparent mode"
Solution: Access is via the "drop-in" router with firewall / ACL rules.
Diagram: VPN gateway R1202 acting as "Drop-In Router" on IP subnet 10.0.0.0/24, shown as .1 on each of its LAN ports; the same hosts .2 ("CRM"), .3, .5, .7, .8 and .9 ("Card terminal", "M2M/Lottery/etc") now sit behind separate router ports instead of sharing one switch.
Port Based Security
The solution: "Drop-In Mode" - also known as "transparent mode"
• Physical separation of the network components using separate LAN ports on the router (optionally VLANs are also possible)
• The IP broadcast domain still spans the entire Ethernet network above this separation
• Within each physical (or virtual) "zone", direct communication between the components continues to be permitted
• The "Drop-In Router" can now control all traffic between the "zones" ("intra-domain routing")
• Traffic between the IP broadcast domain and other networks is controlled and regulated by the Layer 3 features
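To make the zone logic above concrete, here is an added example (not the router vendor's code or configuration) that models a drop-in router as a small policy evaluator: every host keeps its static address in 10.0.0.0/24, only the router port ("zone") it is cabled to differs, same-zone traffic never reaches the router, and cross-zone traffic is matched against a default-deny ACL. The zone assignments of .5, .7 and .9, the HQ address range and the ACL entries are assumptions constructed for the example.

```python
import ipaddress

# Constructed from the slide's diagram: one /24 in the branch, static addresses.
BRANCH_SUBNET = ipaddress.ip_network("10.0.0.0/24")
HQ_SUBNET = ipaddress.ip_network("10.100.0.0/16")  # assumed HQ range behind the VPN

# Router LAN port ("zone") each host is cabled to. Hosts on the same port talk
# directly via the switch; anything crossing ports is forwarded by the router
# and therefore hits the ACL. Roles of .5, .7 and .9 are assumed.
ZONE_OF_HOST = {
    "10.0.0.2": "crm",    # CRM workstation
    "10.0.0.3": "card",   # card terminal (cardholder data)
    "10.0.0.5": "card",   # POS till (assumed)
    "10.0.0.7": "m2m",    # lottery / phone top-up terminal (assumed)
    "10.0.0.8": "m2m",    # M2M device
    "10.0.0.9": "maint",  # equipment maintained by a third party (assumed)
}

# Inter-zone ACL, first match wins, implicit deny at the end.
# (src_zone, dst_zone, tcp_port or None for any port)
ACL = [
    ("card", "hq", 443),  # POS / card transactions to HQ only
    ("m2m", "hq", 443),   # lottery and top-up transactions to HQ
    ("hq", "card", 22),   # remote maintenance of POS equipment from HQ
    ("hq", "maint", 22),  # third-party maintenance, tunnelled via HQ
]


def zone(ip: str) -> str:
    """Map an address to its router-port zone, 'hq' or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    if addr in BRANCH_SUBNET:
        return ZONE_OF_HOST.get(ip, "unknown")
    if addr in HQ_SUBNET:
        return "hq"
    return "unknown"


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'direct' (same zone, router not involved), 'permit' or 'deny'."""
    src, dst = zone(src_ip), zone(dst_ip)
    if src == dst and src not in ("hq", "unknown"):
        return "direct"  # same port: the switch forwards, the router never sees it
    for s, d, p in ACL:
        if s == src and d == dst and p in (None, dst_port):
            return "permit"
    return "deny"  # PCI-style default: no cross-zone path unless listed
```

Note that the CRM workstation and the card terminal are still neighbours in the same subnet, yet `decide("10.0.0.2", "10.0.0.3", 80)` is denied because the only path between their router ports runs through the ACL.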
Port Based Security
The advantages of the "Drop-In Mode" solution:
• No complex changes to the network topology are required
• Requests between the network components can be reliably controlled via the router's security features (firewall, ACL)
• No VLAN segmentation is required; optionally, VLANs are still possible.
• Easy configuration of the branch router in just a few steps (Go & Protect)
• Ethernet port configuration is identical in all stores ...
• ... with only a small number of branch-specific parameters ...
• ... therefore little effort in installation and maintenance
• Compared to other solutions, only ONE VPN tunnel to the central office is required
• Less administrative work
• More performance
• Better stability
• The central site solution needs only minimal adjustment