Retail Location Security Complexities
1. Retail Location Security Complexities
Starter Question -
What is the most important / critical system in a foods department store?
Etienne Liebetrau - CISSP
Infrastructure Architect @Woolworths Holdings South Africa, Africa and Australia
Security Consultant
Technical Writer
Solution Deployment Contractor
Researcher
Firewall / UTM collector
Public Speaker – working on it!
The views and opinions expressed in this presentation are my personal ones based on experience in the field.
It is not sanctioned by any 3rd party customer or vendor.
6. LAN – Wired Network
Multiple LAN Points in RED – Public Zone points subject to being hijacked
LAN Points in Blue connect Wireless APs – Each SSID is a Target
Each connected device increases your attack surface
Each device type increases your vulnerability / exploit potential
7. WiFi is great to connect devices but comes with containment issues
Signal Bleed
• Not all devices are equal
• Capability
• Security
• Vulnerability
• Remediation ability
• Manageability of devices
WiFi eliminates the need for access within the physical retail location. It defeats physical defences such as security gates & swipe card access controls.
8. Zone access matrix (columns: Zone, LAN Access, Internet / SaaS Access, Cloud Access, 3rd Party, Auth)
Stock management x PSK
POS x None / AD
Refrigeration x x x None
HVAC / BMS x x x None
IoT x x x x Basic
Customer x Customer
Staff x x x AD / BYOD
BackOffice x x x AD
Zones have different requirements
• Not all zones SHOULD communicate with one another
• Those that do require access to one another require integrity checking
• Network segmentation required – prevent lateral penetration
Required network access
9. Diagram: zones Stock, Customer, Refrigeration, POS, BO, IoT, Internet / Cloud, HO / Corp
Legacy Approach:
VLAN based segmentation
Using Existing ACLs on L3 switches
Fundamental problem:
By default networks allow traffic
Manual Blacklist
Manual White List
Policy Engines not geared for this
No integrity checking possible
L2, L3, L4 devices at best
Cloud and internet access is basic
ZScaler is awesome but does not address on-premises requirements
Conditional Access Required
10. Diagram: the same zones (Stock, Customer, Refrigeration, POS, BO, IoT, Internet, Cloud, HO / Corp) with an L7 network device at the core
Use a Firewall as your core
Advantages:
Automatic Blacklist
Zone Based White List
Inter-zone filtering
Clean traffic only - IPS
Advanced Routing
MPLS + Inet
Advanced Logging
Cloud Enablement
Inbound remote access to a single zone
Drawbacks:
Cost
Complexity
Contemporary Approach
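To make the difference between the two slides concrete, here is an added example (not from the deck or from any vendor) that models the legacy "allow unless manually blacklisted" L3-switch ACL behaviour beside a zone-based firewall core that only passes inter-zone traffic matching an explicit allowlist. The zone names follow the deck's diagram; the allow entries and sample flows are assumed for illustration.

```python
"""Zone policy check: legacy default-allow vs firewall-core default-deny."""
from dataclasses import dataclass

# Zones from the deck's diagram (shortened names; grouping assumed)
ZONES = {"stock", "customer", "refrigeration", "pos", "backoffice", "iot", "internet", "corp"}

@dataclass(frozen=True)
class Flow:
    src: str        # source zone
    dst: str        # destination zone
    service: str    # e.g. "https", "smb", "mqtt"

# Assumed inter-zone allowlist (src, dst, service). Illustrative only:
# the deck does not publish the real rule set.
ALLOW = {
    ("pos", "corp", "https"),
    ("backoffice", "corp", "https"),
    ("backoffice", "stock", "https"),
    ("stock", "corp", "https"),
    ("customer", "internet", "https"),
    ("iot", "internet", "mqtt"),
    ("corp", "refrigeration", "https"),   # inbound remote access to a single zone
}

def legacy_vlan_decision(flow, manual_blacklist=frozenset()):
    """Legacy L3-switch ACLs: everything passes unless someone hand-wrote a block."""
    return (flow.src, flow.dst) not in manual_blacklist

def firewall_core_decision(flow, allow=ALLOW):
    """Zone-based firewall core: intra-zone traffic passes; inter-zone traffic
    must match an explicit allow entry, otherwise it is dropped (default deny)."""
    if flow.src not in ZONES or flow.dst not in ZONES:
        raise ValueError(f"unknown zone in {flow}")
    if flow.src == flow.dst:
        return True
    return (flow.src, flow.dst, flow.service) in allow

def compare(flows):
    """Return the flows the legacy design would pass but the firewall core blocks."""
    return [f for f in flows if legacy_vlan_decision(f) and not firewall_core_decision(f)]

# Constructed sample flows as they might appear on a store LAN
SAMPLE = [
    Flow("customer", "pos", "smb"),             # lateral move from guest WiFi to tills
    Flow("iot", "backoffice", "rdp"),           # IoT device probing the back office
    Flow("refrigeration", "internet", "http"),  # controller calling out (no allow entry)
    Flow("pos", "corp", "https"),               # legitimate till-to-head-office traffic
]
```

Running `compare(SAMPLE)` shows the first three flows would sail through VLAN-only segmentation but are dropped by the zone allowlist; only the POS-to-corp HTTPS flow passes both.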
11. Web filtering essential
• Performance – Limit unwanted traffic
• Security
• Liability
• Customer's kid uses your WiFi for porn
Basic network protection
• Perimeter network is used in a distributed attack
• Your WiFi network allows client-to-client attacks on personal devices
Multiprotocol support – it's not just Web
WhatsApp (IM uses HTTPS on TCP; voice and video use UDP)
Peer to peer – traffic signature based blocking needed.
Prioritising of traffic
All available bandwidth will be used – starving essential traffic affects the Availability of systems (CIA)
Customer services prioritised over customer consumption
IPS – Advanced threat / C&C Botnet detection and prevention
VPN Capability is Key
MPLS cost reduction
Connectivity to Corporate
Connectivity to Cloud – Express route not viable for 500 sites