PCI scan and Video System

[Rudy]

My recent quarterly PCI scan failed because my Lorex video system doesn't have a secure way to logon. It (I think) uses port 80 (unsecure). To pass PCI, it needs to receive the logon information securely....(port 443??)....and this is something that the Lorex DVR doesn't support.

My holiday was spent reading about setting up a VLAN for the DVR system. Has anyone done this, or had any experience with this?

The concept...involves setting up seperate LANs. One for the Credit Card computer....and one for the DVR system. They both have access to the internet, but one LAN cannot communicate with the other. This appears to be important if a bad guy somehow tunnels into the DVR...and then can access the Credit Card system.

Separating the two devices into seperate networks effectively isolates the bad guy to the DVR only.

I have an Asus AC RT68p router. What would I need to set up a separate LAN for the DVR system?

Ideas?

 

[Car_Wash_Guy]

Are you using a static IP? I use port 80 and have no issues passing the PCI

 

[MEP001]

If this is accurate, you just need a second router.

http://www.tomshardware.com/answers/id-3707888/setup-separate-network.html

 

[Rudy]

I do NOT have a static ip....but use a DDNS service with my router.

The port 80 issue involves logging onto the Lorex DVR via the web. As far as I can tell, only port 80 (unsecure) can be used. Port 443(secure) would be the better way, but that isn't an option with the Lorex DVR menu.

The PCI picks up that there's an "unsecure" method of passing passwords.... That's the problem.

Thanks for the link for the second router. I'll read up.

 

[Car_Wash_Guy]

Yeah, you're going to need to separate the NVR from the other stuff. I have two separate routers. One that my server/POS/CC stuff is connected through, and an ASUS that is for my NVR.

I would also think that a dynamic IP would be a PITA - get statics.

 

[Rudy]

Static IP costs $$$$ with my ISP. I've had zero issues with a DDNS provider.

It seems like the device I may need is a "managed switch". I think plugging this into the internet modem will allow me seperate vLAN's?

 

[OurTown]

This was recommended to us by a certified network engineer that Mrs. Ourtown works with:

https://meraki.cisco.com/

It's worth looking into to solve that network security problem.

 

[MEP001]

Static IP costs $$$$ with my ISP.

You can get a static IP for your NVR through a VPN for less.

 

[Car_Wash_Guy]

Static IP costs $$$$ with my ISP. I've had zero issues with a DDNS provider.

It seems like the device I may need is a "managed switch". I think plugging this into the internet modem will allow me seperate vLAN's?

I have 5 static IP's and my broadband service - costs $100/mo. What does it cost there?