Need recommendations for a low cost PCI compliant router for small business.

bbhaag

Diamond Member
Jul 2, 2011
7,102
2,535
146
Earlier this year we switched to a different cc processor. It turns out they are sticklers on PCI compliance and needless to say our cheapo $30 Asus all-in-one wifi router from Walmart is not cutting it. They use a company called Trustwave to scan our network monthly and so far we have failed almost every time. There was a brief period when I was using an EdgeRouter X that I managed to get passing, but that was short lived and too complicated.

Anyway, I need a solution that is easy to manage because I'm the IT guy and I hate networking, and on the cheap since we are a small business. We have four cc terminals and two workstations on the network. Wifi is not a must have but would be better if the price was right. Budget is pretty tight on this, so if anyone has a recommendation that is budget friendly (around $300) I would appreciate it.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,202
126
What ISP? And do you have business-class services from the ISP? Why not use their supplied router? If they are serving businesses, logically, then their router hardware should be PCI-Compliant, should it not? Even if you have to pay to your ISP to "rent" the equipment.

I hate to get "down and dirty" on specifics, but how is this "Trustwave" scanning your network? Just a port-scan, and if any open ports show up, it flags you?

Because, TBH, most consumer routers work the same way, SPI + NAT, and if you're failing a portscan, then you've got something mis-configured, or you have services listening on your WAN address that you may be unaware of. (Which could indeed be a PCI-Compliance issue.)

I'm really not sure that anyone can just point you to a router and say "buy this one", and then be in PCI-Compliance heaven from thereafter.

I think that this will take some actual effort, both in understanding what they're scanning for, and why you've failed your last PCI-Compliance scans, and how to configure your router and your services on your host(s) to be PCI-Compliant.

Edit: N.B. I have no direct experience in PCI-Compliance, but I do know a thing or two about wireless and network security.

https://www.securitymetrics.com/blog/firewall-pci-compliance-5-things-youre-doing-wrong

Doing some reading, it seems that PCI Compliance, is an ongoing process, and not just "buy router X,Y, or Z, for PCI Compliance". I wonder if possibly, you are in over your head a little bit. (No offense intended, but the "I hate networking", when that appears to be one of the core things about PCI Compliance, network-related security, and my personal knowledge of how easy it can be to screw things up. I was breached, and it could have been down to me confusing the dark blue with the black network cable, and exposing my LAN. Basically, I bridged past my WAN-LAN firewall, by plugging in the wrong cable, to the outer router.)
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
The biggest thing is keeping untrusted nodes from accessing the network (think VLAN) that Cardholder Data Environments (CDE) reside in. Just about any router ought to pass public-facing Trustwave scans, because even cheap ones don't allow management from the WAN by default and usually have things enabled like SPI. Things get interesting only when you have ports forwarded or, say, SSL VPNs or web servers that are present. If you can certify that the CDE is not accessible by the network that includes certain problem servers, you might be able to challenge the Trustwave scan and make it show compliant.
 

VirtualLarry

Just about any router ought to pass public facing Trustwave scans
That's what I'm saying. Most consumer routers are based on the same basic SPI + NAT technology, so unless they have firmware defects, then failing a public IP address port-scan, is a matter of configuration, not necessarily router choice. (*Some routers may have certain ports hard-wired open, or allow ICMP PING on the WAN, etc. But most allow configuring these things.)
 

PliotronX

That's what I'm saying. Most consumer routers are based on the same basic SPI + NAT technology, so unless they have firmware defects, then failing a public IP address port-scan, is a matter of configuration, not necessarily router choice. (*Some routers may have certain ports hard-wired open, or allow ICMP PING on the WAN, etc. But most allow configuring these things.)
Great minds ;) I did experience an anomaly with a Watchguard T30 where I had to add the scanners ip block to a whitelist but that was a different vendor from Trustwave. Seemed odd because doesn't that mean the appliance is doing its job? LOL
 

bbhaag

I was looking at the Fortinet FortiGate 30E. It's on Amazon right now for $400, which seems like an ok price, but I'm confused about the ENT and UTM designations. Does anyone know what the difference is? Do they have a yearly subscription cost? Does anyone here use one? If so, how do you like it?

I like how the Fortinet product description states it's already PCI compliant and offers support to stay that way. It seems like a pretty solid firewall that does what I need.
Advanced Features
The FortiGate/FortiWiFi 30E offers beyond the industry’s best firewall with the latest in Advanced Threat Protection including Sandboxing and anti-bot protection, Feature Select Options for simplifying configurations and deployments, and Contextual Visibility for enhanced reporting and management.
VDOMs on the FortiGate/FortiWiFi 30E let you segment networks to enable guest and employee access, or protect things like cardholder data. You get the flexibility to match your business needs and meet compliance standards like PCI and HIPAA.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
Like what others have said, it's probably not that your router couldn't be PCI compliant; it's probably that you did not configure your router correctly.

If you buy a proclaimed PCI-compliant router / firewall but don't configure it correctly, you will still end up in the same non-PCI-compliant situation.

You should describe what Trustwave's scan report looks like and what didn't pass the scan, like open ports, etc.

You should at least disable things like UPnP, responding to ping requests, and remote management on your router to begin with.

If you have any port forwarding, use non standard port numbers.

Your choice of FortiGate 30E looks great though.
 

bbhaag

It is highly unlikely that the Netgear R6020 can be made PCI compliant and even if it can I doubt it would stay that way for very long because like VL mentioned PCI compliance is an ongoing process.
That is why I wanted recommendations for a better long-term solution. Instead all I got were questions that I don't need the answers to, and then PliotronX and VL patting each other on the back for it. I had a question in my OP and my second post, but it seems no one here can help me with it.
 

VirtualLarry

needless to say our cheapo $30 Asus all in one wifi router from Walmart
that the Netgear R6020
Not even sure what hardware that you have now?

I mean, sure, I'm not suggesting that you go with consumer gear, quite the contrary, if you want to do this serious-like (and I'm a little out of my element with corporate networking gear, I'm most familiar with SOHO router configs).

But what we were suggesting that simply buying the appropriate, capable, hardware, like that FortiGate, is not in itself a panacea, it still needs to be configured properly. I don't think PCI-compliance is just "buy this hardware and drop it in".
 

bbhaag

No I wrote the OP from home when I didn't have it right in front of me and couldn't remember the exact name so I just rattled off a generic tech name to get the ball rolling for the thread.
 

VirtualLarry

Edit: Fair enough. I guess, I would suggest something with the appropriate VLAN support and firewall support, to segregate the LAN to protect card data from unwanted access, and reduce your "attack surface", to the internet. That's about all I know about PCI compliance. That, and run an anti-malware / anti-virus on the host machines, or at least a network IDS at the perimeter.
 

bbhaag

Not even sure what hardware that you have now?

I mean, sure, I'm not suggesting that you go with consumer gear, quite the contrary, if you want to do this serious-like (and I'm a little out of my element with corporate networking gear, I'm most familiar with SOHO router configs).

But what we were suggesting that simply buying the appropriate, capable, hardware, like that FortiGate, is not in itself a panacea, it still needs to be configured properly. I don't think PCI-compliance is just "buy this hardware and drop it in".
No kidding....where did I ask for a drop-in solution that is ready to go and never has to be touched again?
I hate quoting myself but I guess I'm going to have to...sigh...

Earlier this year we switched to a different cc processor. It turns out they are sticklers on PCI compliance and needless to say our cheapo $30 Asus all in one wifi router from Walmart is not cutting it. They use a company called Trustwave to scan our network monthly and so far we have failed almost every time.

Anyway, I need a solution that is easy to manage because I'm the IT guy and I hate networking and on the cheap since we are a small business. We have four cc terminals and two workstations on the network. Wifi is not a must have but would be better if the price was right. Budget is pretty tight on this so if anyone has a recommendation that is budget friendly(around$300)I would appreciate it.


I was looking at the Fortinet FortiGate 30E. It's on Amazon right now for $400 which seems like an ok price but I'm confused about the ENT and UTM designations. Does anyone know the what the difference is? Do they have a yearly subscription cost? Does anyone here use one if so how do you like it?
I like how the Fortinet product description states it's already PCI compliant and offers support to stay that way. It seems like a pretty solid firewall that does what I need.
 

VirtualLarry

Sorry, I guess I have a reading comprehension problem today. My apologies. It sounded to me, upon initial impression, that you just wanted a drop-in solution ("already PCI Compliant").

Anyways, I don't have any real experience with PCI compliance yet, so I'll bow out of this discussion, because I think I'm being un-helpful. Ping me if you need help configuring a SOHO router though.

Edit: One last comment, pro-sumer (Ubiquiti) and enterprise (Cisco, Fortinet) gear is more likely to actually get firmware updates, and NOT have "stupid, non-working feature" firmware bugs, that some SOHO routers have.
 

PliotronX

What I'm saying is that internet-based port scanning is just one component in general security. Sorry you took it the other way, but it sounded like you are just trying to pass that part of it. The internal network is just as important, if not more so. I helped an office undergo an audit to earn the ability to use background checks with Equifax, and their compliance seemed just slightly more pervasive to meet than even HIPAA and PCI. For network-related items, we really needed more advanced features for internal management, and IDS/IPS was really the only external-attack-related requirement, which we gained the ability to do with a Sophos XG 115 (and I am sure your SonicWalls, FortiGates, WatchGuards etc. can do the same). A lot of it is common sense, however, and I honestly thought you were just trying to pass this scan, and what I was saying is that Belkins can do this. To really improve security, I would abide by best practices, as they often align with compliance and are easier to reference. Good luck and welcome to the quagmire of security.
 

PliotronX

pfSense appliance? Of course you need to understand what Trustwave wants.
If budget is super important, this makes sense. Old Optiplex workhorse computers go for 40 bucks on fleabay, a dual-port Intel NIC is 15 or 20, and with add-ons you have all the tools at your disposal to manhandle compliance (in areas of layer 7 filtering), provided you have the time to invest in configuring it; but out of the box it will pass Trustwave.
 

bbhaag

Alright here ya go guys. Here is a sampling of what Trustwave wants me to correct on the Netgear R6020 in order to be PCI compliant. Please let me know how to do this using the most current firmware that Netgear has provided and I will be forever in your debt.
[screenshot: Trustwave scan findings for the R6020]
 

PliotronX

Based on that, I would inspect your remote management settings which goes by many names. This looks like the HTTPS management interface is exposed to the internet. Even without seeing the ports involved, I am going to say closing that up will pass the scan. Uncheck the topmost box:

[screenshot: router remote management settings page]
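An added example, not posted by anyone in this thread and not part of Trustwave's tooling: a small Python connect-scanner for checking, from outside the network, whether the WAN address answers on the TCP ports a SOHO router's remote management (and a few other services) commonly uses. The port list is my assumption of typical admin ports, not a list taken from a scan report, and the local listener at the bottom is constructed only so the script can be exercised offline. Run it from a host outside your LAN (a phone hotspot, a VPS); scanning from inside hits the router's LAN interface and says nothing about what the internet sees. UDP services such as UPnP's SSDP (1900/udp) are out of scope for a TCP connect scan.

```python
"""Connect-scan a few TCP ports on a host and report what answers.

Added illustration only. Point it at your own public IP from OUTSIDE the
network to see roughly what an external scanner sees on the WAN side.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports a SOHO router commonly exposes when remote management is left on.
# Assumed list for illustration; labels are descriptive, not a compliance list.
COMMON_MGMT_PORTS = {
    22: "ssh (CLI management)",
    23: "telnet (CLI management, cleartext)",
    80: "http (web admin)",
    443: "https (web admin)",
    8080: "http-alt (web admin)",
    8443: "https-alt (web admin)",
}


def port_open(host, port, timeout=1.0):
    """True if a TCP connect() to host:port completes; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError, TimeoutError, unreachable, ...
        return False


def scan_ports(host, ports, timeout=1.0, workers=16):
    """Probe the given ports concurrently; returns {port: is_open}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: port_open(host, p, timeout), ports))
    return dict(zip(ports, results))


def report(host, results, labels=COMMON_MGMT_PORTS):
    """Human-readable lines for each open port; an empty list means nothing answered."""
    return [
        f"{host}:{port} OPEN ({labels.get(port, 'unknown service')})"
        for port in sorted(results)
        if results[port]
    ]


def open_local_listener(host="127.0.0.1"):
    """Constructed test fixture: bind a listener on an ephemeral port for offline runs."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, 0))
    sock.listen(5)
    return sock, sock.getsockname()[1]


def pick_closed_port(host="127.0.0.1"):
    """Constructed test fixture: reserve and release an ephemeral port so it is closed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = report(target, scan_ports(target, COMMON_MGMT_PORTS))
    print("\n".join(found) if found else f"{target}: no management ports answered")
```

If the WAN address answers on 80 or 443 after you believe remote management is off, the router is still serving its admin page to the internet (or a forward points at something inside that does), which matches the kind of finding PliotronX describes above.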
 

bbhaag

Unfortunately there is no option to disable "Remote Management" in the current firmware provided by Netgear for the R6020. Perhaps there is a CLI option to do this? haha "It goes by many names" isn't very specific. Could you maybe elaborate on that? What other names could it go by besides "Remote Management"?

EDIT: After reading through the documentation for the R6020 it appears "Remote Management" may be called "UPnP", but I won't get to test it until tomorrow when I'm at work.
This just seems crazy guys....this router is obviously meant for a very basic home network not for a SMB that does close to 1.1 million a year in sales.
Can we please just get off the whole idea of using what I have and get to a real recommendation?
 

PliotronX

HTTPS, web or GUI management off the top of my head. You may have to use the genie (I feel dirty even writing it) app. Page 35 of the R6020 manual:

[screenshot: page 35 of the R6020 manual]
 

bbhaag

You posted that very shortly after I edited my post above. C'mon man now I need a Genie App? I'll just copy and paste my edit from above.
This just seems crazy guys....this router is obviously meant for a very basic home network not for a SMB that does close to 1.1 million a year in sales.
Can we please just get off the whole idea of using what I have and get to a real recommendation?
 

mxnerd

Go ahead and purchase that FortiGate firewall and turn that Netgear or ASUS router into an access point.

You might have to purchase some kind of yearly support from FortiNet, it's a good investment though if you need their help, at least for 1st year.
 

bbhaag

Go ahead and purchase that FortiGate firewall and turn that Netgear or ASUS router into an access point.

You might have to purchase some kind of yearly support from FortiNet, it's a good investment though if you need their help, at least for 1st year.
Can you answer any of my questions about the Fortigate? I'm honestly surprised at the push back I'm getting for wanting to ditch the R6020 and go with something more on par with what I need. Why is that and why such an aversion to recommending a SMB router that is easy to manage and offers support? Maybe it's a lack of knowledge on the subject or perhaps this wasn't the right forum to ask such a niche question but I just don't understand why you guys are so dead set on me using the R6020.
 

mxnerd

Why you guys are so dead set on me using the R6020?

Because you said your budget is very tight, so everyone wants to save you some money.

And you never mention what did not pass PCI compliance until now.

==

Anyway, I had a little bit of experience many years back when I worked for a company for a short period of time and they used FortiGate.

I once saw the network manager call FortiGate for support (I don't know if they come with one year of support or you have to buy it) and they walked him through it step by step. I did have some experience logging in to the firewall (not for very long) and I'm impressed by the interface.
 

bbhaag

Why you guys are so dead set on me using the R6020?

Because you said your budget is very tight, so everyone wants to save you some money.

And you never mention what did not pass PCI compliance until now.

==

Anyway, I had a little bit of experience many years back when I worked for a company for a short period of time and they used FortiGate.

I once saw the network manager call FortiGate for support (I don't know if they come with one year of support or you have to buy it) and they walked him through it step by step. I did have some experience logging in to the firewall (not for very long) and I'm impressed by the interface.
I didn't ask how to make my current router PCI compliant, but you three took it upon yourselves to try. I asked for a recommendation on a replacement, and even now you guys seem dead set on not helping. Do you have any more recommendations on how to make the R6020 PCI compliant besides dl'ing the Genie App?
 