
My boss won't hire a network guy, so I'm trying my best to get this done and help out. I know my way around the SonicWall OS well enough to get into trouble, but I am not an expert by any means. Here is my problem:

We have a simple network protected by a SonicWall NSA 240. It has been running great for a couple of years now. It's a T1, and we have a single usable IP. Recently, we needed to pass PCI compliance for our merchant account credit card system. Everything passes except for 1 item... a video security system DVR that is accessible from the outside world through our IP on port 8080 (incoming) and 5900 (outgoing) (this is hardcoded in the DVR and cannot be changed; I have verified that with the manufacturer). Because it is accessible and answers to requests, we have failed our PCI test.

I can get another IP address (although they are making me jump through hoops to get it), but I'm not sure if this would help. I am already using the DMZ on the SonicWall for a public in-store WiFi for our place, and it doesn't appear that I can set up 2 DMZs.

Is there any way I could route this so that the security system DVR would not be accessible and completely segregated on another external IP address? Whether or not it's accessible to the LAN doesn't really matter. I just need it to be on its own external IP address entirely. Obviously, the easiest means to the end here would simply be to get another internet connection (cable or DSL), but we are trying to avoid that extra $50/month when we already have a T1 with plenty of bandwidth.

mdrdot
  • Do you need the DVR accessible to the outside world? You could just cut that off. – Michael Hampton Apr 02 '13 at 00:04
  • Yes. Unfortunately, the DVR has to be accessible to the outside world. – mdrdot Apr 02 '13 at 00:06
  • I'm not a PCI compliance expert, but how is this considered a fail to comply? I don't see how this is a compromise of your security. Do they realize that port 8080 incoming isn't for your payment systems but for a DVR? – TheCleaner Apr 02 '13 at 00:26
  • Yes, and Visa doesn't care. I am even LESS of a PCI compliance expert... but they have told us very specifically that whatever public IP address we have (they run a test from a local workstation to verify, so I can't fib the IP; I tried) must not respond to any outside traffic. They have said that is Visa's new rule. – mdrdot Apr 02 '13 at 00:29
  • And yes... I tried to explain that it is a proprietary DVR system running a custom Linux OS (which is also obvious per the response when hitting our IP), but they do not care. Gave me an excuse along the lines of "it could be an access point leaving your local area network vulnerable, and/or allow a LAN network sniffer". All CC data is encrypted pretty heavily, but... those are the rules I guess. – mdrdot Apr 02 '13 at 00:32

1 Answer


When you say you can get another IP address, would that be routed through your T1 line, or are you talking about a new physical line coming into the box? If you can get a second IP address routed through your existing T1 line, then yes, you could easily NAT all requests on the new IP address on port 8080 to the DVR, then anyone from the outside would have to be notified to access it on the new IP address. If it's a new physical wire, you should still be able to do it as long as you have an available interface. Just plug it in, set it to a WAN zone, configure it with the new IP address, and set your NAT rules.

If it's anything like the NSA 3500 (which is what I use, and which I'm thinking it should be, since they both use SonicWall OS Enhanced) then yes, you should be able to create more than one DMZ, though if you don't require that your DVR be off the LAN, then it probably isn't necessary.

Safado
  • Yes, another IP through the same T1 line (and I have that as of late last night, so I am tinkering with it now). So how exactly would I go about routing that? Everything I have tried thus far, and all the wizards, allows me to access that DVR from the new IP, but does not restrict its access, meaning I can still access it through the old IP. – mdrdot Apr 02 '13 at 16:07
  • Check through all your NAT rules. Look for any rules that involve the private IP address of your DVR. You're now to the point where there's not a lot we can do without looking at your NAT policies (and I don't suggest posting them for us to see). If there's a specific policy NATing the original public IP port 8080 to the private IP port 8080 of the DVR, get rid of it. If it's a policy a little more generic but still achieving the same thing, then try and adjust it accordingly. – Safado Apr 02 '13 at 16:15
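As an added example, not code from the thread or from SonicWall, here is a small Python audit over a constructed list of inbound NAT policies, reduced to the fields a SonicWall policy carries (original destination, original service, translated destination). It performs the check Safado's comment describes: flag any policy that still maps the old public IP (or "Any" WAN IP, the "more generic" case) on TCP 8080 to the DVR, and confirm one maps the new IP to it. The field names, sample addresses and policy comments are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NatPolicy:
    """One inbound NAT policy, reduced to the fields that matter for this check (assumed names)."""
    original_dest: str     # public IP the request arrives on; "Any" matches every WAN IP
    original_service: str  # e.g. "TCP 8080"; "Any" matches every port
    translated_dest: str   # private host the request is forwarded to
    comment: str = ""


def policies_exposing(policies, private_host, public_ip, service):
    """Inbound policies that forward `service` arriving on `public_ip` to `private_host`.

    A policy whose original destination or service is "Any" also matches; that is the
    'more generic' policy that still exposes the host on the old address.
    """
    return [p for p in policies
            if p.translated_dest == private_host
            and p.original_dest in ("Any", public_ip)
            and p.original_service in ("Any", service)]


def audit_dvr_isolation(policies, dvr_private, old_public, new_public, service="TCP 8080"):
    """Return findings; an empty list means the DVR answers only on new_public."""
    findings = []
    for p in policies_exposing(policies, dvr_private, old_public, service):
        findings.append(f"remove or narrow '{p.comment}': still maps {old_public} {service} to {dvr_private}")
    if not policies_exposing(policies, dvr_private, new_public, service):
        findings.append(f"missing: no policy maps {new_public} {service} to {dvr_private}")
    return findings


# Constructed sample data: documentation-range public IPs and a private DVR address.
OLD_PUBLIC, NEW_PUBLIC, DVR = "203.0.113.10", "203.0.113.11", "192.168.1.50"
BEFORE = [  # state the asker describes: DVR reachable on both public IPs
    NatPolicy(OLD_PUBLIC, "TCP 8080", DVR, "DVR inbound (original IP)"),
    NatPolicy(NEW_PUBLIC, "TCP 8080", DVR, "DVR inbound (new IP)"),
]
AFTER = [p for p in BEFORE if p.original_dest != OLD_PUBLIC]  # old-IP policy removed
GENERIC = [NatPolicy("Any", "TCP 8080", DVR, "DVR inbound (any WAN IP)")]  # too broad

if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("after", AFTER), ("generic", GENERIC)):
        print(name, audit_dvr_isolation(pol, DVR, OLD_PUBLIC, NEW_PUBLIC) or "OK")
```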