Guaranteed PCI Compliant Router

Asrial

The back story...

My customer runs a small shop with a main store and a detached warehouse. The warehouse is a short distance away with a restaurant in between.

There's two register computers hard wired into the AT&T U-Verse router, which is in a corner of the store next to a window.

There's two office computers connected to an access point/router/something that has an attached "directional antenna" (I think that's what it is; the big square dish... maybe it's just a receiver and not a sender...) in the warehouse. It's not near any windows and so is going through walls and the restaurant and product.

The connection is pretty stable and reliable, and it takes about 10 minutes to transfer a 500 MB file across the network.

My customer uses Security Metrics for their PCI compliance scanning. PCI compliance is basically this...

"The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment."

Security Metrics basically scans the IP address looking for various security risks (such as say having a wireless network).

Right now the scan is failing because UDP port 123 (deals with NTP and stuff) is open on the AT&T router. I've been back and forth and done all sorts of things trying to resolve it, but can't. Feel free to ask any questions you have and I'll do my best to answer them.

If someone is familiar with this situation, and has a solution, that'd be awesome.

What I'm looking for is this...

1) What are some routers that will pass PCI compliance? This is my first stop in researching, and my expertise is with home-based routers and not commercial-level ones. Affordability is important, but if we can get something amazingly awesome for $200... that's worth the price, I think. Above that and I'm probably going to want to pass.

2) If possible, what are some options for this additional router to dramatically boost the connection to the access point in their warehouse? I'm thinking something with a directional antenna to focus it in that direction.

What thoughts do you all have about this? Thanks!
 
I was told numerous times by AT&T people that I can't use my own router on U-verse business equipment. I mean, you can have a router behind it, but you can't put the public IP on your own router. So, you'd still have the same problem, because the PCI scan would only be able to test the U-verse hardware.
 
Was it them saying "no, you can't do that because we said so" or "no, you can't do that because the router has no way of doing it"?

I don't know if AT&T has different level routers. This is the typical U-Verse home router.

To my knowledge what I need to do is set the attached router in the DMZ of the AT&T router, and this puts the AT&T router into a bridged mode.

I did this a while back with a Linksys router, and the Security Metrics scan definitely scanned the Linksys router, but then a day later it went crazy and I had to remove it from the network and try alternate methods to fix the issue. Also, the Linksys router still failed because UDP port 123 was still open.
 
No, it was me talking to numerous tech support guys... and, like, guys that were in their engineering department and all kinds of people that had no phone skills at all. It wasn't just a level 1 tech support guy. They just told me, "No, we don't have any modems that support bridged mode."

It ended in my customer terminating service and going with cable, so I'm sure they would have tried to give me what I wanted to keep his business. (I should note, though, this was also several years ago... things may have changed?)
 
I'm not 100% sure I understand your issue, but this might help.

1) Purchase a static IP from AT&T. If you do, then they have to give you a public IP address.

2) VPN tunnel (two different locations that look like one segment).

3) Dual NAT (avoid this if possible). AT&T will NAT public to private, then you will do a secondary NAT of private to private.

4) If you remove your router and just plug in a switch, then tell AT&T to do the NAT and you're done.
 
1. Put a new router on a different subnet than the modem DHCP, i.e. set the IP to 192.168.2.1.
2. New router WAN to a DMZ port on the modem.
3. New router set to obtain IP with DHCP.
4. Release/renew WAN address on the new router. Should be the shared outside public IP.
5. The antenna is a directional antenna; that means it is focused in a specific direction. It transmits and receives. It is probably the best option in this situation.

PCI requires you have a local NTP server. That is most likely what it is trying to warn you about. Port 123 may either be blocked by AT&T, or you don't have a proper time server on the local network. A router can serve this function easily.
 
As I'm previewing this post, a thought struck me...

Security Metrics keeps saying the port is open and that's why it's failing. However, the version of NTP on the AT&T router is also older than what they require, and so THAT may be the reason why it's failing (and not because it's an open port).

The issue wasn't resolved when the scan was done to a home version of a Linksys router.


"I'm not 100% sure I understand your issue, but this might help..."

I don't think any of that will help, as UDP port 123 is open on the AT&T router and that's what's causing the Security Metrics scan to fail.

"PCI requires you have a local NTP server. That is most likely what it is trying to warn you about. Port 123 may either be blocked by AT&T, or you don't have a proper time server on the local network. A router can serve this function easily."

The scan is failing because the port is OPEN on the AT&T router.

I know for sure everything is based on the equipment at the store because I humorously tested things by just turning off the AT&T router and the scan passed with no issues.
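The thread turns on one observable fact: something at the store's public IP answers on UDP/123, and the reply's header carries the NTP version the poster mentions two posts up. The script below is an added example written for this page, not code from the thread or from Security Metrics; it sends a plain mode-3 client query (the same kind of request ntpdate sends; what a commercial scanner sends beyond that is not described in the thread), then parses the 48-byte reply to show the version, mode and stratum bits an external scanner can read from it. The reply bytes embedded in the block are constructed for the example, not captured from any real gateway, and the 203.0.113.5 address in the commented-out live call is a hypothetical placeholder.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


@dataclass
class NtpHeader:
    leap: int          # leap indicator (bits 7-6 of byte 0)
    version: int       # NTP version number (bits 5-3 of byte 0)
    mode: int          # 3 = client, 4 = server, 6/7 = control/private
    stratum: int
    poll: int
    precision: int
    ref_id: bytes
    transmit_time: float  # transmit timestamp converted to Unix seconds


def build_client_request(version: int = 4) -> bytes:
    """Build a minimal 48-byte NTP client (mode 3) request: LI=0, VN=version, mode=3,
    all other fields zero. This is the probe an outside host sends to UDP/123."""
    first = (0 << 6) | (version << 3) | 3
    return struct.pack("!B", first) + b"\x00" * 47


def parse_header(data: bytes) -> NtpHeader:
    """Decode the fixed 48-byte NTP header (RFC 5905 layout)."""
    if len(data) < 48:
        raise ValueError("NTP packet too short: %d bytes" % len(data))
    first, stratum, poll, precision = struct.unpack("!BBBb", data[:4])
    ref_id = data[12:16]
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])
    transmit = tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32
    return NtpHeader(
        leap=first >> 6,
        version=(first >> 3) & 0x7,
        mode=first & 0x7,
        stratum=stratum,
        poll=poll,
        precision=precision,
        ref_id=ref_id,
        transmit_time=transmit,
    )


def classify(reply: Optional[bytes]) -> str:
    """Summarise what a scanner would conclude from one UDP/123 probe:
    no reply means filtered/closed; a mode-4 reply means a public NTP server."""
    if reply is None:
        return "no reply: port filtered or closed"
    hdr = parse_header(reply)
    if hdr.mode == 4:
        return f"open: NTP server reply, version {hdr.version}, stratum {hdr.stratum}"
    return f"open: unexpected NTP mode {hdr.mode}, version {hdr.version}"


def probe(host: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send one mode-3 request to host:123 and return the raw reply, or None on timeout.
    Run this from OUTSIDE the LAN (e.g. a VPS) to see what the compliance scanner sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(), (host, 123))
        try:
            return s.recvfrom(512)[0]
        except socket.timeout:
            return None


# Constructed sample reply for the example (not captured from any real device):
# LI=0, VN=3, mode=4 (server), stratum 2, poll 6, precision -20, root delay and
# dispersion zero, reference id "GPS ", only the transmit timestamp populated.
SAMPLE_REPLY = (
    bytes([(0 << 6) | (3 << 3) | 4, 2, 6, (-20) & 0xFF])
    + b"\x00" * 8                                            # root delay, root dispersion
    + b"GPS "                                                # reference id
    + b"\x00" * 24                                           # reference/originate/receive ts
    + struct.pack("!II", NTP_EPOCH_OFFSET + 1_700_000_000, 0)  # transmit timestamp
)

if __name__ == "__main__":
    print(classify(SAMPLE_REPLY))
    # Live probe against a hypothetical public IP (placeholder, documentation range):
    # print(classify(probe("203.0.113.5")))
```

A reply at all is what makes the port "open" to the scanner; the version field is just what the reply happens to carry, so the two failure reasons the poster is weighing are not independent: a gateway that did not answer would report neither. Running `probe()` from a host outside the store before and after any router change is the quickest way to confirm whether the fix actually changed what the scanner sees.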
 
You can absolutely put your own router behind the AT&T U-Verse routers... both the home-grade 2Wire (I have my own home setup this way, and have done many others), as well as the business gateways they use for static business accounts (Motorola 510 models).

The first biz U-Verse account I setup, the AT&T tech showed me how to do it.
The second U-Verse account, I thought I remembered how...but forgot, so I called support..and they walked me through it.
 
"You can absolutely put your own router behind the AT&T U-Verse routers... both the home-grade 2Wire (I have my own home setup this way, and have done many others), as well as the business gateways they use for static business accounts (Motorola 510 models).

The first biz U-Verse account I setup, the AT&T tech showed me how to do it.
The second U-Verse account, I thought I remembered how... but forgot, so I called support... and they walked me through it."

Yeah... I thought it was strange to get that answer. I swear, though, this was a two-week ordeal of dealing with tech support, where every single person I talked to either had no idea or told me "can't do it". All I wanted to do was get a VPN router set up.
 