>>> On 4/13/2011 at 4:02 PM, Kim Geiger <[log in to unmask]> wrote:
> Before I throw in the towel and spend money, I thought I would see if you all
> had any ideas.
>
> Two firewalls on machines to enter credit numbers in a PCI-compliant fashion.
>
> One is a Netgear FVS318 and it works fine, though I'm "wasting" seven ports
> of it.
>
> The other is a Netgear FVS114. When we start off at a server on the same
> subnet as the firewall's WAN port, all is well. But when it's time to go to
> Web Credit or CASHNet, there is an appreciable delay. I know, slowness is
> relative, but this really is long enough to be annoying and slows down the
> flow of data entry in a bad way.
>
> The config of these Netgears is not especially complicated and I've been
> over both with a fine-toothed comb, comparing settings. The LAN ports on the
> FVS114 are 10/100 Mbps, while the FVS318 is 100/Full; that's the biggest
> difference. I've fiddled with the negotiation rates and even the slow unit's
> MTU.
>
> Can you think of some obvious principle of networking that I may be missing?
>
> Thanks for any thoughts.
I got a lot of good advice offlist -- I guess people don't like to
speculate in front of everyone!
In the end, my problem wasn't DNS or the link speed or anything TCP/IP
at all, but the fact that the firewall was too old to adequately handle
a modern-day secure connection -- it was dawdling at every security
cert it came across. So even if I could account for every cert authority
that the process might visit, if one of the sites changes, the rules
will stop working. Etc.
In order to be used for PCI-DSS compliant credit card data entry, each
machine we use for that purpose must be stripped down and have a
hardware firewall. I just bit the bullet and bought new ones--sometimes
you have to spend money to take/make money, I guess.
--
Kim Geiger
Information Technologist
Broadcasting Services
Michigan State University
517-432-3120 x 429
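To tell the suspected causes in this thread apart (DNS, the link, or the TLS handshake the old firewall was choking on), here is an added Python example that is not from the thread: it times each phase of one HTTPS connection separately and names the phase that explains a slow connection. The 0.5 s threshold and the constructed sample timings are assumptions.

```python
import socket
import ssl
import sys
import time

# The three phases of one HTTPS connection, timed separately so a delay can be
# attributed to DNS, to the TCP path (link speed, duplex, MTU) or to the TLS
# handshake, which is where the certificate exchange happens.
PHASES = ("dns", "tcp", "tls")


def time_https_phases(host, port=443, timeout=10.0):
    """Return seconds spent in DNS lookup, TCP connect and TLS handshake."""
    timings = {}
    t0 = time.perf_counter()
    ip = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
    timings["dns"] = time.perf_counter() - t0
    t1 = time.perf_counter()
    raw = socket.create_connection((ip, port), timeout=timeout)
    timings["tcp"] = time.perf_counter() - t1
    ctx = ssl.create_default_context()
    t2 = time.perf_counter()
    # wrap_socket() on an already-connected socket runs the handshake right away.
    tls = ctx.wrap_socket(raw, server_hostname=host)
    timings["tls"] = time.perf_counter() - t2
    tls.close()
    return timings


def dominant_phase(timings, min_seconds=0.5):
    """Name the phase that explains a slow connection, or None if none is slow."""
    # A phase counts only if it takes at least min_seconds (an assumed threshold)
    # and at least half of the total, so ordinary jitter is not reported.
    total = sum(timings[p] for p in PHASES)
    phase = max(PHASES, key=lambda p: timings[p])
    if timings[phase] < min_seconds or timings[phase] < total / 2:
        return None
    return phase


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live probe of a host name given on the command line
        result = time_https_phases(sys.argv[1])
    else:  # constructed sample showing the pattern of a firewall stalling on TLS
        result = {"dns": 0.02, "tcp": 0.03, "tls": 4.1}
    for p in PHASES:
        print(f"{p}: {result[p]:.3f}s")
    print("dominant phase:", dominant_phase(result))
```

Run it from a workstation behind each firewall against the same payment host and compare: a large "tls" figure with small "dns" and "tcp" points at the device's handling of the secure connection rather than at name resolution or the link.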