>>> On 4/13/2011 at 4:02 PM, Kim Geiger <[log in to unmask]> wrote:
> Before I throw in the towel and spend money, I thought I would see if you all
> had any ideas.
>
> Two firewalls on machines to enter credit numbers in a PCI-compliant fashion.
>
> One is a Netgear FVS318 and it works fine, though I'm "wasting" seven ports
> of it.
>
> The other is a Netgear FVS114. When we start off at a server on the same
> subnet as the firewall's WAN port, all is well. But when it's time to go to
> Web Credit or CASHNet, there is an appreciable delay. I know, slowness is
> relative, but this really is long enough to be annoying and slows down the
> flow of data entry in a bad way.
>
> The config of these Netgears is not especially complicated and I've been
> over both with a fine-toothed comb, comparing settings. The LAN ports on the
> FVS114 are 10/100 Mbps, while the FVS318 is 100/Full; that's the biggest
> difference. I've fiddled with the negotiation rates and even the slow unit's
> MTU.
>
> Can you think of some obvious principle of networking that I may be missing?
>
> Thanks for any thoughts.

I got a lot of good advice offlist -- I guess people don't like to speculate in front of everyone!

In the end, my problem wasn't DNS or the link speed or anything TCP/IP at all, but the fact that the firewall was too old to adequately handle a modern-day secure connection -- it was dawdling at every security cert it came across. So even if I could account for every cert authority that the process might visit, if one of the sites changes, the rules will stop working. Etc.

In order to be used for PCI-DSS compliant credit card data entry, each machine we use for that purpose must be stripped down and have a hardware firewall. I just bit the bullet and bought new ones -- sometimes you have to spend money to take/make money, I guess.

--
Kim Geiger
Information Technologist
Broadcasting Services
Michigan State University
517-432-3120 x 429