PCI Compliance and security Cameras. Segregate? Sub-domains?

Knightsman

Client:
A marina; it has a main store and a dock on the water. Both sites are now connected via wifi with Nanostation M5s. They were hard-wired before, but the lines became unstable after only 4 years due to the salt and the tides coming in and out. Re-running the lines would have been very expensive. The old lines are stuck in the old conduit (corroded); we would have to run new conduit, new flex lines into the water and onto the deck, etc. Not to mention it would be about 300ft of Cat5.

History:
Before I started helping them, they had a security company come in and put in two DVRs: one at the dock on the water, and one in the store.

I have since added a 3rd security camera system, on a separate domain, but connected to the same SMC box through their ISP. The main routers have 2 separate IP addresses.

Problem:
They have been failing PCI compliance because of the 2 DVRs on their main network.

The risks they found:
vulnerable Lighttpd version: 1.4.20
csnews.cgi present

All firmware for the devices is up to date.


Question:
Separating the two devices on the dock is going to be expensive.
How do you guys normally get around this? I'm feeling the only option is to segregate the two devices and put them on the new network I created for the 3rd system.

Would sub-domains pass as compliant, and make the cost impact lower for the client?
 
Oh my gosh. I must have been tired; I meant VLAN when I wrote sub-domain. Makes sense now why I wasn't getting good info when I was researching last night.

So now what I'm reading is VLANs are not considered enough segregation without added hardware to monitor for attacks.
 
Sounds like you're running some PCI compliance test software rammed down your throat by the CC processing service at the expense of a couple hundred dollars a year. If so, get a new processor. What they're wanting, I think, is a firewall with intrusion detection and prevention. If so, that's BS. It would be preferable to a cheap NAT router, but not required by the law. If your client is willing, get a good firewall in there. SonicWall, Untangle, ClearOS, something. Configure a separate VLAN for your security system, point the necessary ports at the DVRs. If you want to go overkill, get another IP address from the ISP, point that straight at the security VLAN, configure a route for internal access.
 
The only problem is the system they are using is integrated into the POS software; according to them they can't change it, or it would be an accounting nightmare.
 
The security camera system is integrated into the POS? Or the CC processor? I'm assuming the latter, in which case my solution will work just fine.
 
Looks to me that the DVRs are hanging on the same subnet as the rest of the stuff. Never heard of a POS system running a DVR.

That being said, the proper thing would be to have two subnets: one for the POS system and one for everything else. For example, use 192.168.100.x for the POS and use 10.10.10.x for everything else. Technically patching the vulnerability will work, but it's a never-ending catch-up job.
 
Even if I separate on the subnet, they scan based on external IP address, and they scan the open ports and find the DVRs.

What I meant by integrated is the credit card processor is software integrated into their POS. Their DVR is right next to it, on a dock, with 1 source of access to the network.
 
They could only see that if the DVRs are set up for remote access, if it is truly an external scan. If you need remote DVR access, then set up something like free TV on a local machine. Every DVR software I have seen allows some rudimentary firewall-type rules. So, for example, you can set it up to only accept connections from one local IP or local IP subnet.

To be honest, most places these days have the POS systems on separate ISPs. Just the cost of compliance. And having the POS and everything else on separate subnets is very common as well.

By the way, have you approached the DVR vendor about an update? I checked, and that version of lighttpd dates from '08.
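The segmentation the replies above describe (a separate VLAN/subnet for the cameras, the DVRs reachable only from their own network, and a second public address that maps only to the DVR ports), written out as an added example for a Linux-based edge firewall using nftables. This is not configuration from the original thread or from any vendor; the interface names, the two public addresses, the DVR addresses and the DVR ports are all constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: PCI-style segmentation of a POS network and a camera/DVR network.
# Assumed layout (constructed for this example, not from the thread):
#   eth0      WAN; 203.0.113.10 is the POS/ISP address, 203.0.113.11 the camera address
#   eth1.100  VLAN 100, POS network      192.168.100.0/24
#   eth1.20   VLAN 20,  camera network   10.10.10.0/24, DVRs at 10.10.10.5 and 10.10.10.6
define pos_net    = 192.168.100.0/24
define cam_net    = 10.10.10.0/24
define dvrs       = { 10.10.10.5, 10.10.10.6 }
define pos_wan_ip = 203.0.113.10
define cam_wan_ip = 203.0.113.11
define dvr_ports  = { 80, 8000 }   # placeholder; use the ports the DVR vendor documents

flush ruleset

table inet edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # POS and cameras never exchange traffic in either direction, so a DVR
        # compromise cannot reach the cardholder-data network.
        ip saddr $pos_net ip daddr $cam_net drop
        ip saddr $cam_net ip daddr $pos_net drop

        # Each VLAN may reach the internet; nothing else is forwarded between them.
        iifname "eth1.100" oifname "eth0" accept
        iifname "eth1.20"  oifname "eth0" accept

        # Inbound traffic is accepted only when DNAT (below) has already steered it
        # to a DVR on one of the published ports. Leave this rule out entirely if
        # remote viewing is not needed; then the DVRs are reachable only locally.
        iifname "eth0" ip daddr $dvrs tcp dport $dvr_ports ct state new accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Only the camera public address is mapped, and only to one DVR port.
        # Nothing is published on the POS address, so a scan of it finds no DVR.
        iifname "eth0" ip daddr $cam_wan_ip tcp dport 80 dnat to 10.10.10.5:80
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Each network leaves through its own public address.
        oifname "eth0" ip saddr $pos_net snat to $pos_wan_ip
        oifname "eth0" ip saddr $cam_net snat to $cam_wan_ip
    }
}
```

Load with `nft -f` on the firewall and confirm with `nft list ruleset`; the scan-facing point is that the POS address publishes nothing, and the camera address publishes only the one DVR port you chose to expose.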
 
According to the vendor it's all up to date, and they are the ones with the contract to maintain it.

I did some research and cannot find a new firmware version to download for it; pretty sad if you ask me. It's a Honeywell DVR, one of those "expensive and cheap" models.

I think I'll just push to add another Nanostation to each building and create two networks sent to the dock. Connect it to the security system that I put in that's on a separate external IP address.

Based on the input from you guys and from what I've been reading, this seems to be the point of least resistance.
 
Changing CC processor is not as big a deal as you would think; most big processing companies will bend over backwards to get your business. The last time I did it, a company called Mercury paid for the integration, matched the rate and did all of the work themselves. We changed processors in about 45 minutes.
 