IRENE. Intelligence between POS terminal and authorization system. Gateway. Increased security, availability and transparency.

Transcription

1 Gateway IRENE INTELLIGENT ROUTER FOR ENHANCED NETWORKING WITH ETHERNET PROTOCOLS Intelligence between POS terminal and authorization system Increased security, availability and transparency.

2 »»» MORE INSIGHT FOR BETTER OVERview Credit card authorization is a mission critical application, requiring absolute availability all around the clock. But there is a complete technical infrastructure between a POS terminal and the authorization system, which can cause multiple problems. Most likely, you already have experienced situations, where everything seems to run smoothly and customers are still complaining about excessive response times. You also have experienced availability problems reported to the hotline even all systems are running in the green zone. In such situations you need a solution which provides just the right kind of information to support fast, targeted troubleshooting. Even better would be a system which is able to detect problems way ahead of time and initiates the required deescalation process before customers have reasons to complain. A truly ideal solution would be a technology, which even supports pro-active capacity management and manages automatic load balancing in order to maintain uninterrrupted data traffic even in case of a partial system failure. WHAT YOU NEED IS IRENE This intelligent router for enhanced networking with ethernet protocols is a gateway, which is a class of its own. It was designed especially to match the specific requirements of credit card authorization within a functional environment that provides increased transparency, availability and security. Firewall www with BMP encryption Authorization systems www VPN www DSL with SSL Gateway IRENE firewall / open SSL

3 »»» LESS WORK DUE TO SIMPLIFIED STRUCTURES The more complex a system is, the higher are the efforts needed for administration and troubleshooting. For this reason, IRENE offers a number of features which allow for greater transparency as well as simplified operation of the complete system considerably. JOINING TECHNOLOGY GENERATIONS The terminals at the point of sales represent different types of technologies, varying from SSL via ISDN all the way to the good old modem. IRENE integrates all of these diverse systems, thereby becoming the central interface for all types of data communication. Different ISDN area codes can be assigned to specific IP addresses or port numbers of the authorization system. In this way, terminals of different technology generations can be integrated seamlessly into the system. As far as load balancing is concerned, all terminals are treated equal. Each request is recorded in a syslog independent from its communication path to be available for detailed analysis. EFFORTLESS TESTING Changes and additions are part of everyday life of any system administrator. In this field as well, IRENE makes things a lot easier. The gateway allows setting up dedicated test access for system administrators. This allows easy testing of new terminal types or software versions without imposing additional traffic load on the authorization system. This feature also allows analyzing technical problems independent from the overall system. Using the powerful tracing options, any issue can be solved within the minimum time-frame. Using this test feature simply requires changing the number of the target port at the terminal to be tested, while the authorization system itself remains untouched. Software-Update the easy way In case a terminal management system (TMS) is connected via IRENE, even software updates are a simple procedure. Individual terminals always refer to the same connection point and are automatically connected to the correct TMS. In the case of re-location or re-configuration, TCP addresses do not need to be changed at any terminal, but only at the gateway. This means more security and transparency while requiring less maintenance efforts. REMOTE MAINTENANCE IRENE allows total remote maintenance, making it the ideal gateway for geographically distributed systems. The service technician is able to establish a secure VPN or PPP connection to the gateway, in order to obtain all information required for targeted error detection. Fort this purpose, access rights can be tailored precisely to the requirements of PCI. All entries can be recorded and transferred to an external log server.

4 »»» INCREASED INTELLIGENCE FOR MORE TRANSPARENCY POS terminals use different channels to communicate with the authorization system. Doing so, they employ a variety of technologies, ranging from analogue modems via ISDN (X.31 over the B channel and V.110) all the way to GSM. The general development, however, points to increased communication via the Internet. Via the Internet, SSL encryption guarantees secure access and allows password protected connection to prevent any unauthorized external intrusion. A request sent by a POS terminal is transmitted to the gateway together with the IP address, which will only transfer such requests to the firewall of the authorization system, whose source and target port can be verified with the entries of an IP table. NO IP, NO HISTORIC ANALYSIS With conventional network technologies, the IP address of the terminal is replaced by the IP of the access technology, when a request is transferred to the authorization system. This means, the original IP address gets lost, making it impossible to find out which terminals were able to get through within a certain time frame. Transparency all the way to the source IRENE inserts the IP address of the POS terminal into the data stream just as a calling X.25 address. This differentiates the router from any conventional network router. The advantages are obvious: Data communication with the POS terminals becomes fully transparent, since tracing any call all the way back to the terminal only requires a glance at the X.25 log. This allows targeted troubleshooting and greatly contributes to faster problem solutions. Firewall Authorization systems Access A with OPAL header TCP server ATOS ISO filter X x data path X.25 switch X.25 TCP client Access B without OPAL header TCP server ISO filter X.25 Gateway IRENE

5 FLEXIBLE ROUTING Depending on their terminal type or ISO 8583 message type, POS terminals need to be routed to different target ports of the authorization system. For this purpose, IRENE utilizes the TCP listen port addressed by the terminal in order to assign the request to a specific target on the authorization system. Alternatively, routing can also take place based upon individual data fields of the ISO 8583 message, such as message type, processing code or terminal ID. This requires only changing an entry in the routing table, which can even take place while the system is online. In combination with utilizing the TCP port number of the terminal, this allows for a highly flexible message routing, which even matches the requirements of a heterogeneous network. Target port: 54000: Production authorization system POS terminal DSL DSL www 54001: 54002: Test authorization system POS terminal DSL 55000: 55001: Acceptance authorization system external TMS POS terminal internal TMS Gateway IRENE minimal CONFIGURATION EFFORT IRENE is an intelligent interface between the POS terminals and the authorization system. Changes within the authorization network do not require any modification of the remote terminals. Instead, it is sufficient to configure the gateway accordingly and each request is automatically routed to the correct address. In this way, IRENE provides a level of flexibility which is simply not possible with conventional network routers. TRANSPARENCY BASED UPON INFORMATION IRENE generates a syslog entry for each incoming transaction, which contains information, such as date, time, IP and TCP address, ISO data type, terminal ID and block length. This takes place independently from the communication path used (ISDN, X.25 or SSL) to connect the POS terminal to the system. This comprehensive information is the basis for a pro-active capacity management. It allows detailed analysis and provides a comprehensive overview over the distribution of message and terminal types, as well as the time-related load of the authorization system within a specific time frame (day, week, month).

6 »»» A NEW DIMENSION OF SAFETY Conventional firewalls only verify IP address and TCP ports to keep malicious program code and undesired garbage data from the system. IRENE, however, goes one step further. A special ISO filter checks each ISO 8583 message for its correct syntax, thereby guaranteeing at application level, that only authorized requests can reach the system. APPLICATION LEVEL FIREWALL Most POS terminals send messages according to the ISO 8583 format with OPAL header. With this format, two control bytes determine the exact length of the data block. IRENE checks the compliance of each data block with the ISO standard in order to verify that it contains a valid message according to the ISO standard. Only after successfully passing this verification process, the message will be routed via the TCP client to an active authorization system. Native messages, in TCP format without OPAL headers, are simply routed to a different TCP target port. The requests are processed in the lower data path. With its application layer firewall, IRENE offers an unparalleled level of security which no other system on the market can offer. EFFECTIvE SHIELDING FROM TCP ATTACKS Routing all VPN data traffic via the IRENE gateway means installing an effective fortress against TCP attacks, such as Brute Force Attack, Spoofing, DoS or SYN Flood. Such attacks are effectively blocked by the gateway and therefore cannot penetrate all the way to the authorization network. Installing two IRENE gateways with different IP addresses means that even a total flooding of one gateway with spoofing packages does not lead to a total breakdown of the credit card authorization process. Even if both gateways are flooded, all attacks are effectively blocked and cannot reach the main system. In this case, the Internet access will be fully available again, as soon as the attack is over. TIMER-CONTROLLED ACCESS MONITORING Normally, a connection is initiated by the POS terminal sending a request. As soon as the authorization system has returned its answer, the POS terminal will terminate the connection and the respective port is available again. In the case of any disturbance of this normal procedure, the authorization system will terminate the connection after a pre-determined time in order to free the respective port for further processing. IRENE offers additional security by automatically terminating any connection in case the timers of both systems are not activated for any reason. In this way, the gateway guarantees that valuable TCP ports are not occupied longer than necessary and are available shortly after any faulty connection. DMZ (demilitarized zone) Gateway IRENE Authorization system A Authorization system B DSL router www VPN tunnel DSL router Firewall POS terminal Load balancer

7 »»» Load Balancing AT APPLICATION LEVEL Load balancing is the key to flawless system operation. Truly effective load balancing, however, is not limited to evenly distributing the processing load to the individual authorization systems, but must also include the reliable exclusion of any malfunctioning system. AVAILABILITY GUARANTEED Most of the conventional load balancer currently available are supporting application layer health checking for the most common standard protocols used in Internet applications, like http (web), sftp and ftp (file transfer) as well as smtp and imap ( ). For non-standard applications, only rather primitive check algorithms are implemented, e.g. ping a destination system. A service based availability check method is not implemented, only the availability of certain discrete systems is checked. In this field as well, IRENE goes one step further and verifies up to the highest level, whether an authorization system is actually available. For this purpose, it sends a diagnosis message in specific time intervals to each of the authorization systems involved. These must be answered by the respective application. Only if the diagnosis reply is received within a specified time frame, the respective system is considered fully functioning. If this is not the case, the respective system will be excluded from active load balancing. Detection of a malfunctioning system automatically triggers an SNMP alarm and puts the service technician in a position to take care of the problem before customers will be affected by the missing system. irene IS THE ONLY GATEWAY ON THE MARKET OFFERING SUCH AN INTELLIGENT LOAD BALANCING WITH AUTOMATIC ALARM TRIGGERING. Firewall Authorization systems cyclic availability check Gateway IRENE

8 »»» IRENE A GATEWAY WITH ADDED VALUE

9 »»» TECHNICAL SPECIFICATIONS SUPPORTED PROTOCOLS V.24 ISO8583, V.22bis with Autocall ISO8583, V.22bis with PAD (Poseidon) ISO8583, 9600 baud with Autocall ISO8583, 9600 baud with PAD (Poseidon) V.24, LSV baud half duplex Makatel V.23 ISDN X.25 within the B channel (X.31) X.25 within the D channel V.110 with Autocall V.110 with PAD (Poseidon) ISO 8583, V.22bis with Autocall ISO 8583, V.22bis with PAD (Poseidon) ISO 8583, V.32/V.32bis with Autocall ISO 8583, V.32/V.32bis with PAD (Poseidon) APACS 40 TCP/IP PPP VPN GPRS SSL TERMINALS Host TCP/IP 10/100/1000 Mbps XOT ISO TP0 (RFC 1046) ATOS (OPAL) format (message with length byte) X.25 with HDLC V.24/X.21 until 2Mbps ISDN Up to 3 x S 2M -connections with 30 modems each Management WEB SNMP Syslog NRPE SSH GENERAL Dimensions Weight Power rating 485 mm (19 ) x 178 mm (4HE) x 462 mm; inclusive S 2M -connections depending on installed components between 10 and 18 kg 120 watts continuous power / 480 watts maximum power

10 »»» Technical support WITHOUT IF OR BUT DAFÜR stands for direct communication and fast reaction. For example, customers have direct access to the R&D team and get comprehensive support without detours. UNTIL EVERYTHING WORKS IRENE comes with a comprehensive commissioning guarantee. This means, our experts will remain on site until the system works without problems. SATISFACTION GUARANTEED Your investment in our IRENE GATEWAY is an investment in your security. That s why our focus in on gaining your full satisfaction. In case you are not fully satisfied with our services, we will take back the unit within 2 months and will refrain from charging any installation and restitution costs. FAST SUPPORT The online helpdesk of DAFÜR is your direct connection to the know-how of our engineers and offers fast and firsthand support. DAFÜR Datenfernübertragung ROHM GmbH Zur Eisernen Hand 27 D Mühltal Phone: 49 (0) Fax: 49 (0)