Next Generation Firewall?

I'm trying to get my small retail business in compliance with PCI DSS credit card requirements, and they now require advanced security against intrusion, like Next Generation Firewall (NGFW) or Unified Threat Management (UTM). Can Apple's Time Capsule security be configured to satisfy this, or is there software available? McAfee addresses this but looks like they just do Windows. Another thread mentioned NAT (I don't know that acronym...) - will that help me?

Posted on Jul 8, 2014 12:59 PM

Question marked as Best reply

Posted on Jul 8, 2014 3:36 PM

There is no firewall in the Apple Routers.


It is a home, not a business, device. You will need to buy something with a proper firewall. I do not have suggestions, but check with installers what is usually acceptable for small retail.

5 replies

Jul 11, 2014 5:30 PM in response to GoodGuy007

GoodGuy007 wrote:


But Apple say Time Capsule does have a firewall.

It can be a case of definition. Some people call NAT a firewall. I don't. NAT is simply a routing method that does operate in a similar way and does offer some protection. But it is not up to the business standards required for card transactions.


The AirPorts do not have an SPI firewall. Apple has set that task to the firewall built into the clients.


Anyway, there are no controls that allow you to control a firewall. The AirPort Utility, I thought, had some level of control for IPv6, but that is a different issue, since NAT is not used.


AFAIK, btw. I do not have the latest version AC models!


Please post any firewall controls you can find in your AirPort Utility, and I will modify my comments.

Jul 11, 2014 5:42 PM in response to GoodGuy007

GoodGuy007 wrote:


But Apple say Time Capsule does have a firewall.

Yes you are correct. The firewall is part of the NAT router.

https://www.apple.com/airport-time-capsule/specs/


NAT is 'network address translation'. Start at Wikipedia and then search around if you need it explained in detail…

http://en.wikipedia.org/wiki/Network_address_translation


In short NAT will translate the local device addresses into ones that come from or go to the internet. In effect it 'firewalls' the local clients from the internet by connecting the public internet into the local network. It's not as robust as dedicated firewall hardware.


As LaPastenague said you need to buy a commercial grade firewall and possibly a router.

I'd only consider a Time Capsule for a small wifi network in a business that was completely separate to the PCI DSS network.
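
The NAT behaviour discussed in the replies above, as an added example that is not part of the original thread: a toy port-translating NAT table showing why unsolicited inbound packets are dropped while replies on an open mapping pass through with no content inspection. The class `ToyNat`, all addresses and ports, and the strict per-remote filtering rule are assumptions made for illustration; real routers differ in how they filter.

```python
# Added illustration: a toy NAPT (port-translating NAT) table.
# All addresses and ports are constructed examples, not taken from the thread.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed WAN address of the router


@dataclass
class ToyNat:
    next_port: int = 40000
    # public port -> (internal ip, internal port, remote ip, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A LAN client opens a flow: reuse or allocate a public port for it."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for port, known in self.table.items():
            if known == flow:
                return PUBLIC_IP, port
        port = self.next_port
        self.next_port += 1
        self.table[port] = flow
        return PUBLIC_IP, port

    def inbound(self, src_ip, src_port, dst_port, payload=b""):
        """A packet arrives on the WAN side: return the LAN target, or None if dropped."""
        flow = self.table.get(dst_port)
        if flow is None:
            return None  # no mapping: unsolicited traffic has nowhere to go
        int_ip, int_port, remote_ip, remote_port = flow
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None  # assumed strict filtering: only the contacted host may reply
        # The payload is never examined: NAT rewrites addresses, it does not inspect content.
        return int_ip, int_port


def demo():
    nat = ToyNat()
    pub = nat.outbound("192.168.1.20", 51000, "198.51.100.7", 443)
    return {
        "mapping": pub,
        "unsolicited": nat.inbound("198.51.100.99", 4444, 22),
        "wrong_sender": nat.inbound("198.51.100.99", 443, pub[1]),
        "reply": nat.inbound("198.51.100.7", 443, pub[1], b"any content at all"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} -> {result}")
```

The last case is the gap the thread points at: the reply is forwarded whatever it contains, which is the inspection work an SPI or next-generation firewall adds on top of address translation.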

Jul 12, 2014 2:59 AM in response to Josiebel

Thanks for this discussion. It's been more helpful than the PCI DSS police. After LaPastenague's initial reply, I double-checked that our Macs' individual firewalls were also on, and set to stealth mode. And the NAT aspect is clear, and in place.


In the interim, I received a report that my network passed the vulnerability scan for intrusion penetration as it is now set up. And our new cc terminal clearly has very robust security of its own. Unfortunately, though I'm relieved I personally have "passed" the PCI DSS security test and that two days of frustrating distraction jumping through their hoops is over, I suspect, from this discussion, that even their rigorous tests do not assure that one's network is secure!


The moral to this may be to upgrade hardware and software components regularly in order to maintain better security. My store is too small to employ a dedicated IT person so, for my peace of mind, I undertake that responsibility. But I'd prefer to spend most of my time selling books! Thanks again for all the advice.
