
Aloha Internet Access 1


bperl1 (IS-IT--Management, US), May 11, 2009
Hi,

I need to be able to access the internet while using my Aloha System to run a third party program. Can someone please tell me what I need to do?

Thanks
 
Add a second NIC card to your server with a different IP scheme - attach it to the modem or router.

Kevin

 
You can use the same NIC card if you are using a router and you have the routing configured correctly to only allow internet to the BOH PC. If not using a router, then do what Coorsman says and use a second NIC - uncheck everything but TCP/IP in the properties, make sure the second NIC is the lower priority in the Advanced settings in the Adapters and Bindings tab, and your LANA info is set correctly.

I use dual NICs in every location throughout the country. One for POS terminals and one for the WAN. Very clean and easy this way.

---
MegabyteCoffee.com
 
Does bperl1 have any DSS/PCI concerns when configuring it in either way it was suggested? I realize the answer is only valid as of 2:14PM today (you never know about DSS rules) Thanks
 
I am level 1 PCI. The configuration itself has nothing to do with PCI/DSS. How you secure your system regarding credit cards is where PCI/DSS comes into play, and depending on your PCI level, your rules may be more relaxed than mine.

---
MegabyteCoffee.com
 
PCI-DSS regulations are the same no matter if you are level 1, 2, 3 or 4. The only differences are which SAQ you can use or if you require a 3rd party assessment.

What is being suggested here should not be done. First, PCI does not allow any part of the card holder environment to directly access the Internet. Not only do you require a firewall, but all access must be through a proxy. Second, that access must only be done because of documented business requirements that cannot be otherwise mitigated. Two NICs in the same device doesn't cut it.
 
All access through a proxy? Where is that documented in the PCI-DSS regulations?

---
MegabyteCoffee.com
 
The wording was changed from PCI-DSS 1.1 to 1.2 that removed the word "proxy", but the intention and meaning remains the same.

1.3.5 Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ.

If components in your Aloha environment need to talk to the Internet for any reason, they need to be proxied through a device in your DMZ.
 
So, for some small mom-and-pop places a firewall that only allows outgoing initiated traffic is not acceptable?

How are all these smaller restaurant companies that have their systems facing the internet with only a router protecting them from incoming traffic passing? I know of two different chains that have the same configuration.

Maybe I am not clear on this since none of my sites are connected to the internet, only a private frame connection to my office. And at my firewall the bank provided a VPN router that we installed so only credit card traffic routes from my firewall to the bank.

---
MegabyteCoffee.com
 
Thanks for all the replies. I need to be a little more forthcoming. The product is a PC based loyalty program that uses the internet to get to its data center. The software needs to communicate to and from the data center to pass realtime information to the program, which would be running on the same Aloha system. There is no critical data (credit card info) being used. The system uses port 2433 and I have the IP address of the data center. Are there attributes of the Aloha software that can be modified to allow communication without the need for additional hardware etc.?
 
Partpricer is right, the BOH machine should have no internet access unless it is allowed for business use only - no incoming connections allowed, only specified outbound-initiated connections. The BOH computer cannot be directly facing the internet either. A software based firewall does not cut it either for PCI, you will need an external firewall minimum.

Connecting your BOH computer directly to the internet without a firewall device in between your internet modem and the BOH PC is not allowed if you process credit cards through that same BOH computer.

My conversation with Partpricer is a great one because of the number of sites that directly connect their BOH to the internet. I have a small franchise community that I am not directly responsible for, but I wish to engage and discuss with Partpricer and others on their methods, solutions and interpretations, and compare how that relates to a franchise or similar type of concepts that are different than my own.

---
MegabyteCoffee.com
 
Thanks for all the replies. I need to be a little more forthcoming. The product is a PC based loyalty program that uses the internet to get to its data center. The software needs to communicate to and from the data center to pass realtime information to the program, which would be running on the same Aloha system. There is no critical data (credit card info) being used. The system uses port 2433 and I have the IP address of the data center. Are there attributes of the Aloha software that can be modified to allow communication without the need for additional hardware etc.?
I hate to turn this into a PCI discussion, but you can't do that.
2.2.1 Implement only one primary function per server.
The Aloha server is a component in your cardholder data environment. Thereby, the PCI regulations apply.


To address your need, I would suggest that a separate PC needs to be used for your loyalty program. But, be aware that if that device needs to pull any information from your Aloha system, you will be opening up an entry point into your cardholder data environment that must be addressed by using, at a minimum, network segmentation and secure encrypted connections. You must also log all access.
 
The only common element is the fact that both Aloha and the loyalty software are running on the same PC. The software does not have to directly interface in any way with the Aloha system. The integrity of the firewall can still be left in place by allowing a specific IP address etc. that would communicate over an SSL. Again, the only problem I am having is the ability to access the internet while sharing the PC with the Aloha system. Thanks
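The outbound policy the thread converges on (no Internet-initiated connections into the POS LAN, and the BOH PC allowed to initiate only the one documented connection, TCP to the data center on port 2433) can be audited against a firewall or connection log. The script below is an added example, not part of this thread or of Aloha; the BOH, POS LAN and data-center addresses are constructed placeholders, as is the log format.

```python
"""Egress-allowlist audit for the BOH PC described above.

Policy from the thread: nothing from the Internet may initiate a connection
into the POS LAN, and the BOH PC may only initiate outbound TCP to the loyalty
data center on port 2433.  Every address below is a constructed placeholder.
"""
import ipaddress
BOH_PC = ipaddress.ip_address("192.168.10.5")        # constructed
DATA_CENTER = ipaddress.ip_address("203.0.113.40")   # constructed (RFC 5737 range)
POS_LAN = ipaddress.ip_network("192.168.10.0/24")    # constructed
ALLOWED_EGRESS = {(DATA_CENTER, 2433, "tcp")}        # the one documented connection

# Constructed connection records: initiator, responder, destination port, protocol.
SAMPLE_LOG = """\
init=192.168.10.5 resp=203.0.113.40 dport=2433 proto=tcp
init=192.168.10.5 resp=203.0.113.40 dport=443 proto=tcp
init=192.168.10.21 resp=192.168.10.5 dport=445 proto=tcp
init=192.168.10.21 resp=203.0.113.40 dport=2433 proto=tcp
init=198.51.100.7 resp=192.168.10.5 dport=3389 proto=tcp
"""

def parse(line):
    """Turn one 'key=value ...' record into (initiator, responder, dport, proto)."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return (ipaddress.ip_address(f["init"]), ipaddress.ip_address(f["resp"]),
            int(f["dport"]), f["proto"].lower())

def classify(init, resp, dport, proto):
    """Return 'allow' or a 'deny:<reason>' verdict for one connection."""
    if init not in POS_LAN:
        return "deny:inbound-initiated"        # nothing from outside may open a session
    if resp in POS_LAN:
        return "allow"                         # POS terminal <-> BOH traffic stays local
    if init == BOH_PC and (resp, dport, proto) in ALLOWED_EGRESS:
        return "allow"                         # only the documented business connection
    return "deny:egress-not-allowlisted"       # any other outbound, incl. from terminals

def audit(log_text):
    """Return [(record, verdict)] for every non-empty line of the log."""
    return [(line, classify(*parse(line))) for line in log_text.splitlines() if line.strip()]

def violations(log_text):
    """Only the records a firewall enforcing this policy should have dropped."""
    return [(rec, v) for rec, v in audit(log_text) if v != "allow"]

if __name__ == "__main__":
    for rec, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:28} {rec}")
```

Any "deny" line in a real log means the firewall in front of the BOH PC is not enforcing the policy the thread describes, which is the check to make before relying on it.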
 
The concern is that if you happen to get compromised by your loyalty systems access to the Internet, you have compromised your cardholder data environment since it would be on the same server.

Technically, you can do what you are asking about. But, I would not offer you any advice to accomplish it. You would be making a choice to jeopardize the integrity of your environment and that can never be a good thing.
 
My conversation with Partpricer is a great one because of the number of sites that directly connect their BOH to the internet. I have a small franchise community that I am not directly responsible for, but I wish to engage and discuss with Partpricer and others on their methods, solutions and interpretations, and compare how that relates to a franchise or similar type of concepts that are different than my own.
Chris, why don't you start a new thread on this topic? I would like to hear the different approaches that people are using for their environments. I'm sure it could generate some lively discussion.
 
You are assuming that the Aloha system is running credit cards through it as opposed to using a third party terminal-based system which operates completely outside of the Aloha System. Without any secure data flowing through the Aloha there really is no additional concern for data being compromised. Since the loyalty system is configured to talk directly to the data center over an SSL and the rest of the system is locked down, the overall risk is very low.
 
I like the idea of a new thread re: DSS/PCI to discuss dos and don'ts of this very critical concern.
 
I do apologize for my incorrect assumption that your Aloha system is part of your cardholder data environment.

Some of the suggestions earlier in this thread should work fine.
 