
Network Requirements for Internet, POS & mPOS
Version 1.73, 03/01/2016

Introduction

KWI requires a firewall which can filter (block) both incoming and outgoing services by IP address, protocol and port and also by URL (not just by specific IP address, protocol and port number combinations). All firewalls can block incoming services, but not all firewalls can block outgoing traffic by URL.

It is important to filter outgoing traffic by URL to limit the applications the POS is allowed to connect to externally, and to stop any Trojans or viruses which do make it inside the security perimeter from phoning home (remote control). Outgoing traffic filtering also helps prevent your site from being used as a spam relay or from spreading infections to others.

You should treat the requirements detailed in this document as a baseline security policy for traffic entering and leaving the store. If your business requires an “Intranet” between your store and corporate locations, you should extend this policy to prevent rogue traffic between sites within your own internal network.

Standardized Store/Internet Configurations

In order to provide standardized services, KWI needs to connect to stores using IP over the public Internet. KWI cannot provision individual VPNs to each store.

KWI also requires simultaneous access from its Help Desk to all clients’ stores. KWI cannot utilize a pcAnywhere or UltraVNC gateway where effectively only a single connection is granted from KWI to be shared across all stores. A “single session gateway” prevents KWI from having multiple Help Desk technicians working on stores simultaneously, creating a bottleneck where only one technician can access a single store at a time.

Standardized Store/Internet Configuration Goals

The only TCP/IP access that should be allowed is to the addresses and services listed below (in addition to any access that is needed for the Client’s day-to-day business). This policy is designed to limit Spyware and Virus programs from the Internet.

1. Outbound SSH (secure shell) allows access to KWI’s SFTP polling. SSH/SFTP requires TCP port 22 outbound to kligerweiss.net, ftp1.kligerweiss.net, ftp2.kligerweiss.net, ftp3.kligerweiss.net, ftp4.kligerweiss.net, ftp5.kligerweiss.net, ftp6.kligerweiss.net, ftp7.kligerweiss.net, ftp8.kligerweiss.net, ftp9.kligerweiss.net, ftp10.kligerweiss.net.

2. Inbound pcAnywhere for KWI help desk support. UDP & TCP ports 56xx-56xx inbound from 65.206.45.0/26, 65.51.69.64/26. pcAnywhere’s port numbering convention is as follows and increases incrementally to match the register quantity on site.
   Example: 5631/5632 Reg-1, 5633/5634 Reg-2.
   *Ports will need to point to the IP of the corresponding register.
   For stores that will be utilizing Port Forwarding, please refer to sections #7a and #7b.

   Register   pcAnywhere ports
   1          5631/5632
   2          5633/5634
   3          5635/5636

2.1. Inbound UltraVNC for KWI help desk support. TCP Port 561xx inbound. UltraVNC’s port numbering convention is as follows and increases incrementally to match the register quantity on site.
   Format: 561xx where xx = Register number.
   For stores that will be utilizing Port Forwarding, please refer to sections #7a and #7b.

   Register   UltraVNC port
   1          56101
   2          56102
   3          56103

3. Microsoft’s file sharing (CIFS/SMB shared drives) from the POS terminals to external locations must be blocked. KWI does use shared drives within the store for application & support purposes (selected files & directories are shared between registers within a store). This requirement can be met by blocking UDP ports 137 & 138 and TCP ports 139 & 445 (both in and out) at the firewall.

4. The below URLs must be accessible to properly run Symantec NAV LiveUpdates & NAV com through backup.sp15.symanteccloud.com.
   Websites for Symantec NAV Live Updates:
   http://liveupdate.symantecliveupdate.com (Primary)
   http://liveupdate.symantec.com (Secondary)
   ftp://update.symantec.com (Last)

5. Firewall openings for access to the KWI Merchandising system iss.net:

   IP Range          Protocol   Port
   65.206.45.0/26    TCP, UDP   80, 8080, 443, 8443
   65.51.69.64/26    TCP, UDP   80, 8080, 443, 8443
   66.35.45.128/26   TCP, UDP   80, 8080, 443, 8443
   65.51.37.192/28   TCP, UDP   80, 8080, 443, 8443

6. For Internet credit card processing on the First Data North and South platforms using Datawire IPN, KWI requires the following DNS addresses: datawire.net, https://support.datawire.net (port 443).
   To access the First Data “test” systems using Datawire IPN, KWI requires the following DNS addresses: …re.net (IP …6.100.81), port 443.

7. KWI needs the static IP address info with unique subnets for the stores. Every location will need to have a public NAT (or a range of public addresses) for the KWI help desk to be able to access the terminals for support.

   7a. Port forwarding: For stores using a single public IP address that will have multiple registers, the pcAnywhere/UltraVNC port(s) for each register will need to be listening on the external IP and forwarded to the corresponding register and port(s) on the local LAN.

   7b. Port forwarding: For stores using multiple public IP addresses configured for individual registers, the pcAnywhere/UltraVNC port(s) for each register will need to be listening on the external IP and forwarded to the corresponding register and port(s) on the local LAN.

8. DNS must be enabled on the POS devices. The POS must be able to reach a DNS server to allow address resolution. KWI will not support manually created static host table entries at the POS where specific DNS filtering is not available. This allows easy access to your desired Internet resources using traditional "www.kligerweiss.net" type names and/or migration once a specific IP address changes.

9. To sync the time, IP address 192.5.41.209 UDP port 123 needs to be available and open to NTP traffic.

10. For Internet gift card processing to Profit Point, KWI requires the following sites and services to be accessible:

   URL                                      Port
   https://www.wa.rewardforloyalt…gn.net    8080

   Service                  Host
   SNAP External Services
   Raw IP Transactions      ipgw.profitpointinc.com
   Web site                 snap.profitpointinc.com
   Web site                 merchants.profitpointinc.com
   Web site                 admin.profitpointinc.com
   API Interfaces           api.profitpointinc.com
   Balance Checker          checkbalance.rewardforloyalty.com
   User Registration        register.rewardforloyalty.com
   Port: 443 (80 and 443 are also listed for two of the hosts)

   Profit Point Outbound IP Traffic: Profit Point requires the store firewall to allow the following IP addresses for outbound traffic: …08.179.137

   To connect to the Profit Point “test” system, KWI requires that the following site is accessible:

   URL                                      Port
   https://www.wa.rewardforloyalt…n.net     8080

11. For clients utilizing the AJB credit/debit/check/gift card engine, we recommend the router at the store level have Internet failover capabilities (e.g. wireless broadband or a secondary ISP), as AJB uses strictly IP connections to all processors.

12. Versions of the Java runtime plug-in for Internet Explorer will need to be upgraded from time to time to complement new functionality being added to the back office system. For this, http://java.sun.com should also be left open.

13. E-mail from KWI to customers may come from two domains: kwi.com and kligerweiss.net. Generally, human e-mail will come from the kwi.com domain, while automated e-mail (reports, etc.) will come from one of two addresses: [email protected] (display name “KWI”) or [email protected]. Both domains should be trusted and excluded from spam filtering to prevent reports and general correspondence from failing to reach the intended user base.

14. To allow Microsoft Windows services (e.g. Activation), KWI requires the below domains to be accessible. Add the below domains to the firewall allow list:

   http://*.ws.microsoft.com
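The POS baseline above (sections 1, 2, 2.1, 3, 5 and 9) written out as data with a small flow matcher, added here as an example and not KWI's own tooling. It assumes a four-register store and that the help desk source ranges given for pcAnywhere also apply to UltraVNC; every other address and port comes from the list.

```python
import ipaddress

# Added example, not KWI tooling: the baseline of sections 1, 2, 2.1, 3, 5 and 9
# as data plus a matcher for sample flows. REGISTERS is an assumed store size.
REGISTERS = 4
HELPDESK = ["65.206.45.0/26", "65.51.69.64/26"]  # assumed to cover UltraVNC too
SFTP_HOSTS = ["kligerweiss.net"] + [f"ftp{i}.kligerweiss.net" for i in range(1, 11)]
MERCH_NETS = ["65.206.45.0/26", "65.51.69.64/26", "66.35.45.128/26", "65.51.37.192/28"]

def pcanywhere_ports(register):
    """Section 2: 5631/5632 for Reg-1, two more for each further register."""
    base = 5631 + 2 * (register - 1)
    return (base, base + 1)

def ultravnc_port(register):
    """Section 2.1: 561xx where xx is the register number."""
    return 56100 + register

def _peer_matches(peer, peers):
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        addr = None  # a hostname: only matches hostname entries
    for entry in peers:
        if "/" in entry:
            if addr is not None and addr in ipaddress.ip_network(entry):
                return True
        elif peer == entry:
            return True
    return False

# (direction, proto, ports, peers); SMB (section 3) is blocked both ways first
DENY = [("any", "udp", {137, 138}, None), ("any", "tcp", {139, 445}, None)]
ALLOW = [("out", "tcp", {22}, SFTP_HOSTS),              # 1. SSH/SFTP polling
         ("out", "udp", {123}, ["192.5.41.209/32"])]    # 9. NTP
for proto in ("tcp", "udp"):                            # 5. Merchandising
    ALLOW.append(("out", proto, {80, 8080, 443, 8443}, MERCH_NETS))
for r in range(1, REGISTERS + 1):                       # 2 / 2.1 help desk
    ALLOW.append(("in", "tcp", set(pcanywhere_ports(r)), HELPDESK))
    ALLOW.append(("in", "udp", set(pcanywhere_ports(r)), HELPDESK))
    ALLOW.append(("in", "tcp", {ultravnc_port(r)}, HELPDESK))

def decide(direction, proto, port, peer):
    """Classify one flow; anything not explicitly allowed is denied."""
    if any(p == proto and port in ports for _, p, ports, _ in DENY):
        return "deny"
    for d, p, ports, peers in ALLOW:
        if d == direction and p == proto and port in ports and _peer_matches(peer, peers):
            return "allow"
    return "deny"
```

Running sample flows through decide() is a quick way to check that a firewall change request still matches the baseline before it is applied at the store.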

mPOS Outbound and Inbound Communications

The mPOS system requires access to the following links for production and support: …m, https://ds700.awmdm.com

1. Communication with *.airwatchportals.com and *.awmdm.com on TCP ports 80, 443, 8087 for device services. IP address ranges are below.
   US: 205.139.50.0/23, 209.208.230.0/23, 199.106.140.0/23, 63.128.72.0/24, 63.128.76.0/24, 192.30.64.0/20, 216.253.141.0/24.
   CANADA: 207.2.204.0/22, 206.152.33.0/24, 206.152.32.0/21.
   UK: 185.45.163.200 – 185.45.163.234, 213.86.109.144, 213.86.109.37, 46.244.37.28, 206.101.38.112/29, 206.132.43.0/24, 206.151.160.0/22.

2. Communication with the public Apple Push Notification Service (gateway.push.apple.com) on TCP port 5223. IP address range is 17.*.*.* (17.0.0.0/8).

3. Communication with public Apple OCSP and iTunes (IP address ranges are hosted by Akamai and vary):
   a. *.apple.com TCP port 80, 443
   b. phobos.apple.com TCP port 80, 443
   c. ocsp.apple.com TCP port 80, 443
   d. ax.itunes.apple.com TCP port 80, 443
   e. ax.init.itunes.apple.com TCP port 80, 443
   f. *.mzstatic.com TCP port …
   (Optional) … this URL on their firewall to block the iOS update pop-up … iOS.

4. Communication between the mPOS devices and KWI uses the following URLs and port number: kwigbsrv.kligerweiss.net, kwigbsrv2.kligerweiss.net, kwigbsrv3.kligerwiess.net; 65.206.45.41, 65.51.69.83, 65.51.37.205, 66.35.45.149; port 90 TCP.

5. mPOS peripherals and services
   a. mPOS payment server: mPOS stores with an AJB payment server communicate with the mPOS devices through internal ports 24900 TCP & 24910 TCP. The AJB payment server can reside on Register-1 or on a dedicated laptop/desktop. mPOS stores that use ONLY Verifone sleds DO NOT need to open ports 24900 & 24910 TCP.
   b. mPOS Cash Drawers (wired Ethernet) use internal port 30998 TCP/UDP.
   c. mPOS Epson Receipt Printers (wireless & wired Ethernet): For mPOS versions 4.2.16 and lower, use internal port 9100 TCP/UDP. For mPOS versions 4.218 and higher, use internal ports 9100 TCP/UDP & 3289 TCP/UDP.

6. KWI remote support services for stores using mPOS require reservations on the store router. Refer to “Network Requirements for Internet, POS & mPOS” sections 2.1, 7, 7a, 7b. mPOS stores that use a dedicated AJB payment server or a Register-1 require access through remote access reservations. mPOS stores that use ONLY Verifone sleds do not need to apply remote access reservations.

WAN Recommendations for mPOS-Only Stores

For WAN (Wide Area Network) redundancy in an mPOS-only store, KWI recommends a backup Internet connection. A 4G cellular Internet service can serve as an adequate backup Internet connection. KWI recommends that the primary WAN Internet Service Provider be different from the secondary WAN Internet Service Provider.

Traffic Management Recommendations for Stores with …s that have streaming video & audio.

mPOS Network Requirements and Recommendations

The store network for mPOS must comply with the below requirements and recommendations.

1. Wireless Frequency
   Requirements
   The 2.4 GHz frequency is compatible with all wireless KWI mPOS devices and peripherals.
   Option-1: If the store has a mixed environment of wireless devices where some mPOS devices and peripherals support the 2.4 GHz frequency ONLY and other devices support both 2.4 and 5 GHz, enable Simultaneous Dual-Band on your wireless access point. Simultaneous Dual-Band allows devices on the 2.4 GHz and 5 GHz frequencies to connect to the access point simultaneously. If the store enables the 5 GHz frequency in a mixed environment, it is a requirement that the access point support Simultaneous Dual-Band.
   Option-2: For optimal performance, if all mPOS devices and peripherals (mPOS handheld, receipt printer, cash drawer) in the store support the 5 GHz wireless frequency, connect all the mPOS devices and peripherals to the 5 GHz frequency. Less interference is expected on the 5 GHz frequency.
   Note: To re-configure the wireless receipt printer frequency (2.4 & 5 GHz), contact KWI.

2. Wireless Network Protocol
   Requirements
   The 2.4 GHz frequency with the 802.11b protocol is compatible with all wireless KWI mPOS devices/peripherals.
   Option-1: If the store has a mixed environment of wireless devices with preferred network protocols, you can apply the below to support all wireless devices.
   - If the access point utilizes the 2.4 GHz frequency, enable 802.11 b/g/n protocols.
   - If the access point utilizes the 5 GHz frequency, enable 802.11 a/n protocols.
   - If the access point has Simultaneous Dual-Band enabled to support both frequencies, apply all of the above.
   Option-2: If all wireless devices in the store support 802.11a or 802.11b, you can apply the below configurations for optimal performance. Limiting the number of protocols on a frequency will reduce the number of channels the radio has to scan.
   - If the access point utilizes the 5 GHz frequency and ALL wireless devices support protocol 802.11a, configure 5 GHz for 802.11 a-only.
   - If the access point utilizes the 2.4 GHz frequency and ALL wireless devices support protocol 802.11b, configure 2.4 GHz for 802.11 b-only.
   - If the access point has Simultaneous Dual-Band enabled to support both frequencies, apply all of the above.

3. Wireless Channel Bandwidth
   Requirements
   a. In order to support and maintain a consistent connection to all devices, it is a requirement that the below channel bandwidths be enabled.
      If the access point has the 2.4 GHz frequency enabled, enable 20 MHz only.
      If the access point has the 5 GHz frequency enabled, enable 20 MHz only.

4. Wireless Channels
   Recommendations
   a. The wireless access point channels will vary based on the store environment. It is recommended that the wireless access point be set to the channel or parameter with the least interference. Scanning for channel interference within the store is highly recommended.

5. Wireless Security Mode
   Recommendations
   a. The store’s wireless security mode works best with WPA2-PSK (AES).
   b. WEP is not a secure mode.

6. Wireless Key
   Recommendations
   a. The passphrase should be a minimum of 8 characters. Use non-dictionary based words. Include letters (at least one uppercase letter) and numbers.

7. Wireless SSID (Service Set Identifier)
   Recommendations
   a. Change the default SSID. Routers out-of-box are pre-configured with a default SSID.
   b. SSID Broadcast should remain enabled.

8. Wireless Access Point Positioning
   Requirement
   a. The wireless access point should be mounted and positioned properly to provide optimal WiFi coverage throughout the store. Conduct a site survey after the wireless access point is installed to ensure consistent signal strength throughout the store and minimal to no WiFi dead spots. The mPOS device and peripherals should be positioned near the wireless access point.

9. DHCP (Dynamic Host Configuration Protocol)
   Requirements
   a. mPOS handheld devices require a static IP.
   b. Peripherals such as the cash drawer and receipt printer require a static IP.
   Recommendations
   c. If the DHCP server is enabled on the router, it is recommended that the DHCP IP address range be as small as possible for increased security.

10. MAC Address Filtering
   Recommendations
   a. MAC address filtering should remain disabled.

11. Router Management
   Recommendations
   a. Remote management should remain disabled.
   b. Enable “HTTPS” for management access to the router.
   c. Keep your router firmware up to date. The firmware is provided by the device vendor.
   d. Change the default management password of the router. Use non-dictionary based words. Include letters & numbers.
   e. It is recommended not to use the default IP scheme that is commonly pre-configured on the router.

12. mPOS Handheld Device Network Settings
   Requirements
   a. A static IP is required for proper functionality.
   Recommendations
   b. Turn off WiFi “Auto-Join”.
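An audit script for the wireless and router settings in sections 1 to 11 above, added here as an example and not KWI's or any vendor's code. The configuration keys are names assumed for this example rather than a real device's schema, and the two configurations it checks are constructed: one out-of-box router and the same router brought into line with the requirements.

```python
import re

# Added example, not KWI tooling: audits an access point / router configuration
# (constructed dicts below) against sections 1-11 above. The field names are
# assumptions made for this example, not any vendor's configuration schema.
DEFAULT_SSIDS = {"default", "linksys", "netgear"}  # assumed out-of-box names
def strong_passphrase(pw):
    """Section 6: 8+ characters, letters with at least one uppercase, and numbers."""
    return len(pw) >= 8 and bool(re.search(r"[A-Z]", pw)) and bool(re.search(r"\d", pw))

def audit(cfg):
    """Return findings as 'section: text'; an empty list means the store complies."""
    f, bands = [], set(cfg["bands"])
    if "5" in bands and cfg["has_24_only_devices"] and not cfg["simultaneous_dual_band"]:
        f.append("1: 5 GHz in a mixed environment requires Simultaneous Dual-Band")
    if "2.4" in bands and set(cfg["protocols"]["2.4"]) - {"b", "g", "n"}:
        f.append("2: 2.4 GHz must use 802.11 b/g/n (or b-only)")
    if "5" in bands and set(cfg["protocols"]["5"]) - {"a", "n"}:
        f.append("2: 5 GHz must use 802.11 a/n (or a-only)")
    for band in sorted(bands):
        if cfg["channel_width_mhz"][band] != 20:
            f.append(f"3: {band} GHz channel bandwidth must be 20 MHz only")
    if cfg["security_mode"] != "WPA2-PSK (AES)":
        f.append("5: use WPA2-PSK (AES)" + ("; WEP is not secure" if "WEP" in cfg["security_mode"] else ""))
    if not strong_passphrase(cfg["passphrase"]):
        f.append("6: passphrase needs 8+ chars, an uppercase letter and numbers")
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        f.append("7: change the default SSID")
    if not cfg["ssid_broadcast"]:
        f.append("7: keep SSID broadcast enabled")
    if any(not d["static_ip"] for d in cfg["mpos_devices"]):
        f.append("9: mPOS handhelds and peripherals require static IPs")
    if cfg["mac_filtering"]:
        f.append("10: keep MAC address filtering disabled")
    if cfg["remote_management"] or not cfg["https_management"]:
        f.append("11: disable remote management and manage over HTTPS only")
    return f

WEAK_CFG = {  # constructed: out-of-box router carrying a legacy WEP network
    "bands": ["2.4", "5"], "has_24_only_devices": True, "simultaneous_dual_band": False,
    "protocols": {"2.4": ["b", "g", "n"], "5": ["a", "n", "ac"]},
    "channel_width_mhz": {"2.4": 40, "5": 80}, "security_mode": "WEP",
    "passphrase": "storewifi", "ssid": "NETGEAR", "ssid_broadcast": False,
    "mpos_devices": [{"name": "handheld-1", "static_ip": False}], "mac_filtering": True,
    "remote_management": True, "https_management": False}
GOOD_CFG = dict(WEAK_CFG, simultaneous_dual_band=True, ssid="store217-mpos", ssid_broadcast=True,
    protocols={"2.4": ["b", "g", "n"], "5": ["a", "n"]}, channel_width_mhz={"2.4": 20, "5": 20},
    security_mode="WPA2-PSK (AES)", passphrase="Kw1St0reMpos", mac_filtering=False,
    mpos_devices=[{"name": "handheld-1", "static_ip": True}], remote_management=False,
    https_management=True)
```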

Client Review and Sign Off

We acknowledge that we have reviewed the above documentation and agree to meet the requirements and specifications as outlined.

Name (Print)          Signature          Date

Change History

Version  Date        Item
1.68     11-07-2014  mPOS Outbound and Inbound.
1.69     02-04-2015  Network Requirements: “4. The below URL’s.” “6. For Internet credit card.”
                     mPOS Outbound and Inbound: “3. Communication with public Apple.” TCP Port 80, 443. “5. All mPOS systems.” mPOS-Only stores. “6. KWI remote support.” Recommendations: mPOS-Only stores.
1.70     05/29/2015  “5. mPOS peripherals and services.”
1.71     07/20/2015  mPOS Recommended Configuration of Network Security.
1.72     12/29/2015  Network Requirements for Internet POS & mPOS: “2. Inbound PC Anywhere for KWI help desk support.” IP removed: 65.51.37.192/28. “10. POS health monitoring software.” This section on health monitoring has been removed.
1.72     12/29/2015  mPOS Outbound and Inbound Communications: “1. Communication with *.airwatchportals.com.” IPs of the URLs added to this document. “3. Communication with public Apple OCSP.” Added optional address to this section. “Traffic Management Recommendations.” Added a section on Traffic Management.
1.72     12/29/2015  Network Requirements and Recommendations: “1. Wireless Frequency. 2. Wireless Network Protocol.” These sections have been updated with requirements.
1.73     03-01-2016  MS Update Communication 1. For POS. mPOS Outbound and … Change 5. All mPOS 24900 & …