IRENE. Intelligence between POS terminal and authorization system. Gateway. Increased security, availability and transparency.

Academic year: 2021

IRENE Gateway

INTELLIGENT ROUTER FOR ENHANCED NETWORKING WITH ETHERNET PROTOCOLS

Intelligence between POS terminal and authorization system

MORE INSIGHT FOR BETTER OVERVIEW

This intelligent router for enhanced networking with Ethernet protocols is a gateway in a class of its own. It was designed especially to match the specific requirements of credit card authorization within a functional environment that provides increased transparency, availability and security.

Credit card authorization is a mission-critical application, requiring absolute availability around the clock. But there is a complete technical infrastructure between a POS terminal and the authorization system, and it can cause multiple problems. Most likely, you have already experienced situations where everything seems to run smoothly and customers still complain about excessive response times. You have also experienced availability problems reported to the hotline even though all systems are running in the green zone.

In such situations you need a solution which provides just the right kind of information to support fast, targeted troubleshooting.

Even better would be a system which is able to detect problems well ahead of time and initiate the required de-escalation process before customers have reason to complain. A truly ideal solution would be a technology which even supports pro-active capacity management and manages automatic load balancing in order to maintain uninterrupted data traffic even in case of a partial system failure.

WHAT YOU NEED IS IRENE

[Diagram labels: Authorization systems; Gateway IRENE; Firewall; www; VPN; www with BMP encryption]

The terminals at the point of sale represent different types of technology, varying from SSL via ISDN all the way to the good old modem. IRENE integrates all of these diverse systems, thereby becoming the central interface for all types of data communication.

Different ISDN area codes can be assigned to specific IP addresses or port numbers of the authorization system. In this way, terminals of different technology generations can be integrated seamlessly into the system. As far as load balancing is concerned, all terminals are treated equally. Each request is recorded in a syslog, independent of its communication path, so that it is available for detailed analysis.

Changes and additions are part of the everyday life of any system administrator. In this field as well, IRENE makes things a lot easier. The gateway allows setting up dedicated test access for system administrators. This allows easy testing of new terminal types or software versions without imposing additional traffic load on the authorization system. This feature also allows analyzing technical problems independently of the overall system.

Using the powerful tracing options, any issue can be solved within the minimum time-frame.

Using this test feature simply requires changing the number of the target port at the terminal to be tested, while the authorization system itself remains untouched.

If a terminal management system (TMS) is connected via IRENE, even software updates are a simple procedure. Individual terminals always refer to the same connection point and are automatically connected to the correct TMS. In the case of re-location or re-configuration, TCP addresses do not need to be changed at any terminal, but only at the gateway. This means more security and transparency while requiring less maintenance effort.

LESS WORK DUE TO SIMPLIFIED STRUCTURES

The more complex a system is, the higher the effort needed for administration and troubleshooting. For this reason, IRENE offers a number of features which considerably increase transparency and simplify operation of the complete system.

JOINING TECHNOLOGY GENERATIONS

EFFORTLESS TESTING

SOFTWARE UPDATE THE EASY WAY

IRENE allows total remote maintenance, making it the ideal gateway for geographically distributed systems. The service technician is able to establish a secure VPN or PPP connection to the gateway in order to obtain all information required for targeted error detection. For this purpose, access rights can be tailored precisely to the requirements of PCI. All entries can be recorded and transferred to an external log server.

With conventional network technologies, the IP address of the terminal is replaced by the IP address of the access technology when a request is transferred to the authorization system. This means the original IP address is lost, making it impossible to find out which terminals got through within a certain time frame.

IRENE inserts the IP address of the POS terminal into the data stream as the calling X.25 address. This differentiates the router from any conventional network router. The advantages are obvious: data communication with the POS terminals becomes fully transparent, since tracing any call all the way back to the terminal only requires a glance at the X.25 log. This allows targeted troubleshooting and greatly contributes to faster problem resolution.

INCREASED INTELLIGENCE FOR MORE TRANSPARENCY

POS terminals use different channels to communicate with the authorization system. Doing so, they employ a variety of technologies, ranging from analogue modems via ISDN (X.31 over the B channel and V.110) all the way to GSM. The general development, however, points to increased communication via the Internet. Via the Internet, SSL encryption guarantees secure access and allows password protected connection to prevent any unauthorized external intrusion.

A request sent by a POS terminal reaches the gateway together with the terminal's IP address. The gateway forwards to the firewall of the authorization system only those requests whose source and target ports match the entries of an IP table.

NO IP, NO HISTORIC ANALYSIS

TRANSPARENCY ALL THE WAY TO THE SOURCE

[Diagram labels: Firewall; Access A with OPAL header; Access B without OPAL header; Authorization systems; TCP server, ATOS filter, ISO, X.25 (upper path); TCP server, filter, ISO, X.25 (lower path); X.25/TCP client; X.25 switch]

IRENE is an intelligent interface between the POS terminals and the authorization system. Changes within the authorization network do not require any modification of the remote terminals. Instead, it is sufficient to configure the gateway accordingly, and each request is automatically routed to the correct address. In this way, IRENE provides a level of flexibility which is simply not possible with conventional network routers.

MINIMAL CONFIGURATION EFFORT

IRENE generates a syslog entry for each incoming transaction, containing information such as date, time, IP and TCP address, ISO data type, terminal ID and block length. This takes place independently of the communication path used (ISDN, X.25 or SSL) to connect the POS terminal to the system.

This comprehensive information is the basis for pro-active capacity management. It allows detailed analysis and provides a comprehensive overview of the distribution of message and terminal types, as well as the time-related load of the authorization system within a specific time frame (day, week, month).

TRANSPARENCY BASED UPON INFORMATION

Depending on their terminal type or ISO 8583 message type, POS terminals need to be routed to different target ports of the authorization system. For this purpose, IRENE utilizes the TCP listen port addressed by the terminal in order to assign the request to a specific target on the authorization system.

Alternatively, routing can also take place based upon individual data fields of the ISO 8583 message, such as message type, processing code or terminal ID. This requires only changing an entry in the routing table, which can even take place while the system is online. In combination with the TCP port number of the terminal, this allows for highly flexible message routing which even matches the requirements of a heterogeneous network.

FLEXIBLE ROUTING

[Diagram labels: www; Gateway IRENE; POS terminals (DSL); target ports 54000, 54001, 54002, 55000, 55001; Production authorization system; Test authorization system; Acceptance authorization system; external TMS; internal TMS]

Conventional firewalls only verify IP addresses and TCP ports to keep malicious program code and unwanted garbage data away from the system. IRENE goes one step further: a special ISO filter checks each ISO 8583 message for correct syntax, thereby guaranteeing at application level that only authorized requests can reach the system.

Most POS terminals send messages in the ISO 8583 format with an OPAL header. With this format, two control bytes determine the exact length of the data block. IRENE checks the compliance of each data block with the ISO standard in order to verify that it contains a valid message. Only after successfully passing this verification is the message routed via the TCP client to an active authorization system.

Native messages, in TCP format without OPAL headers, are simply routed to a different TCP target port and processed in the lower data path.
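The upper data path described in the last few sections (length-prefixed OPAL framing, a strict ISO 8583 syntax check, and routing by listen port or by message fields such as MTI and processing code), as an added example that is not code from the brochure or from daFÜR. It assumes things the page does not state: that the OPAL header is a two-byte big-endian length prefix, that the payload is ASCII ISO 8583 with a primary bitmap only, a small illustrative field subset (`FIELD_SPEC`), and a constructed routing table (`ROUTES`) with hypothetical target names. Anything outside the spec is rejected rather than forwarded, which is the point of an application-level filter.

```python
"""Application-level ISO 8583 filter and router (added example; the OPAL
header layout, field subset and routing table below are assumptions)."""
import struct

# Illustrative subset of ISO 8583 fields: bit -> (kind, length).
# "n" = fixed numeric, "ans" = fixed alphanumeric, "LL" = 2-digit length prefix.
FIELD_SPEC = {
    2: ("LL", 19),    # primary account number (variable, max 19)
    3: ("n", 6),      # processing code
    4: ("n", 12),     # transaction amount
    11: ("n", 6),     # system trace audit number
    41: ("ans", 8),   # terminal ID
    42: ("ans", 15),  # merchant ID
}

# Constructed routing table: (listen port, MTI, processing-code prefix, target).
# None is a wildcard; the matching rule with the most concrete criteria wins.
ROUTES = [
    (54000, "0800", None, ("auth-prod", 7000)),  # network management
    (54000, "0200", "00", ("auth-prod", 7001)),  # purchase
    (54000, "0200", "20", ("auth-prod", 7002)),  # refund
    (54000, None,   None, ("auth-prod", 7003)),  # anything else on the prod port
    (55000, None,   None, ("auth-test", 7001)),  # dedicated test access
]


class FilterReject(ValueError):
    """A frame that must be dropped instead of being forwarded."""


def unframe_opal(buf: bytes) -> tuple:
    """Split one length-prefixed block off buf; return (message, remainder)."""
    if len(buf) < 2:
        raise FilterReject("short length header")
    (length,) = struct.unpack(">H", buf[:2])
    if length == 0 or len(buf) < 2 + length:
        raise FilterReject(f"declared length {length} does not match block")
    return buf[2:2 + length], buf[2 + length:]


def parse_iso8583(msg: bytes) -> dict:
    """Strict syntactic parse: anything outside the spec is rejected."""
    try:
        text = msg.decode("ascii")
    except UnicodeDecodeError as exc:
        raise FilterReject("non-ASCII payload") from exc
    if len(text) < 20 or not text[:4].isdigit():
        raise FilterReject("bad MTI")
    try:
        bitmap = int(text[4:20], 16)
    except ValueError as exc:
        raise FilterReject("bad primary bitmap") from exc
    if bitmap & (1 << 63):                      # bit 1 = secondary bitmap present
        raise FilterReject("secondary bitmap not permitted by this filter")
    fields, pos = {"mti": text[:4]}, 20
    for bit in range(2, 65):
        if not bitmap & (1 << (64 - bit)):
            continue
        if bit not in FIELD_SPEC:
            raise FilterReject(f"field {bit} not permitted")
        kind, length = FIELD_SPEC[bit]
        if kind == "LL":
            prefix = text[pos:pos + 2]
            if not prefix.isdigit() or int(prefix) > length:
                raise FilterReject(f"field {bit}: bad length prefix")
            length, pos = int(prefix), pos + 2
        value = text[pos:pos + length]
        if len(value) != length:
            raise FilterReject(f"field {bit}: truncated")
        if kind != "ans" and not value.isdigit():
            raise FilterReject(f"field {bit}: not numeric")
        fields[bit], pos = value, pos + length
    if pos != len(text):
        raise FilterReject("trailing data after last field")
    return fields


def route(listen_port: int, fields: dict) -> tuple:
    """Pick the target by listen port first, then by MTI / processing code."""
    best = None
    for port, mti, pc_prefix, target in ROUTES:
        if port != listen_port:
            continue
        if mti is not None and mti != fields["mti"]:
            continue
        if pc_prefix is not None and not fields.get(3, "").startswith(pc_prefix):
            continue
        score = (mti is not None) + (pc_prefix is not None)
        if best is None or score > best[0]:
            best = (score, target)
    if best is None:
        raise FilterReject(f"no route for port {listen_port}")
    return best[1]


def handle_frame(listen_port: int, buf: bytes) -> tuple:
    """Upper data path: unframe, validate, route. Returns (target, fields, rest)."""
    msg, rest = unframe_opal(buf)
    fields = parse_iso8583(msg)
    return route(listen_port, fields), fields, rest


# Terminal-side helpers used only to construct sample traffic for the example.
def build_message(mti: str, fields: dict) -> bytes:
    bitmap, body = 0, ""
    for bit in sorted(fields):
        bitmap |= 1 << (64 - bit)
        kind, _ = FIELD_SPEC[bit]
        body += (f"{len(fields[bit]):02d}" if kind == "LL" else "") + fields[bit]
    return (mti + f"{bitmap:016X}" + body).encode("ascii")


def frame_opal(msg: bytes) -> bytes:
    return struct.pack(">H", len(msg)) + msg


if __name__ == "__main__":
    purchase = frame_opal(build_message("0200", {3: "000000", 4: "000000001000",
                                                 11: "000001", 41: "TERM0001"}))
    print(handle_frame(54000, purchase)[0])
```

The routing table is evaluated per frame, so an entry can be edited while the gateway is running, which is the online change the text mentions. Note that the filter rejects on any deviation from the spec (unknown field, non-numeric digits, a length prefix that does not match the block), which is stricter than a port-only firewall but exactly what keeps malformed input away from the authorization system.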

With its application layer firewall, IRENE offers an unparalleled level of security which no other system on the market can offer.

Routing all VPN data traffic via the IRENE gateway means installing an effective fortress against TCP attacks such as brute-force attacks, spoofing, DoS or SYN flooding. Such attacks are effectively blocked by the gateway and therefore cannot penetrate all the way to the authorization network.

Installing two IRENE gateways with different IP addresses means that even a total flooding of one gateway with spoofed packets does not lead to a total breakdown of the credit card authorization process.

Even if both gateways are flooded, all attacks are effectively blocked and cannot reach the main system. In this case, the Internet access will be fully available again, as soon as the attack is over.

APPLICATION LEVEL FIREWALL

EFFECTIVE SHIELDING FROM TCP ATTACKS

A NEW DIMENSION OF SAFETY

Normally, a connection is initiated by the POS terminal sending a request. As soon as the authorization system has returned its answer, the POS terminal will terminate the connection and the respective port is available again. In the case of any disturbance of this normal procedure, the authorization system will terminate the connection after a pre-determined time in order to free the respective port for further processing.

IRENE offers additional security by automatically terminating any connection in case the timers of both systems are not activated for any reason. In this way, the gateway guarantees that valuable TCP ports are not occupied longer than necessary and are available again shortly after any faulty connection.
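The gateway-side timer described above, as an added example that is not code from the brochure or from daFÜR. The connection table keeps its own last-activity timestamp per forwarded connection and closes the connection when that timestamp is too old, so a port is freed even if neither the terminal nor the authorization system ever fires its own timer. The two limits (`idle_limit` for a connection that never got an answer, `linger_after_reply` for a terminal that received its answer but did not hang up) and the `closer` callback are assumptions of this example; the clock is passed in so the behaviour can be exercised without waiting.

```python
"""Gateway-side connection reaper (added example; limits and callback are assumptions)."""
from dataclasses import dataclass


@dataclass
class Conn:
    conn_id: str
    terminal_ip: str
    target_port: int
    last_activity: float          # seconds on the gateway's own clock
    answered: bool = False        # True once the authorization reply has passed through


class ConnectionTable:
    def __init__(self, idle_limit: float, linger_after_reply: float, closer):
        self.idle_limit = idle_limit          # no traffic at all for this long -> close
        self.linger = linger_after_reply      # reply passed but terminal did not close -> close
        self.closer = closer                  # callback that actually tears down the socket
        self.conns = {}

    def open(self, conn_id: str, terminal_ip: str, target_port: int, now: float):
        self.conns[conn_id] = Conn(conn_id, terminal_ip, target_port, now)

    def request_seen(self, conn_id: str, now: float):
        self.conns[conn_id].last_activity = now

    def reply_seen(self, conn_id: str, now: float):
        c = self.conns[conn_id]
        c.last_activity, c.answered = now, True

    def closed_by_peer(self, conn_id: str):
        """Normal case: the terminal hangs up after the answer and the port is free."""
        self.conns.pop(conn_id, None)

    def sweep(self, now: float) -> list:
        """Close every connection that outlived its limit; return what was closed."""
        closed = []
        for c in list(self.conns.values()):
            limit = self.linger if c.answered else self.idle_limit
            if now - c.last_activity > limit:
                reason = "terminal did not close after reply" if c.answered else "idle"
                del self.conns[c.conn_id]
                self.closer(c, reason)
                closed.append((c.conn_id, reason))
        return closed


def simulate() -> list:
    """Constructed scenario: one terminal hangs after its reply, one host never answers."""
    log = []
    table = ConnectionTable(idle_limit=30, linger_after_reply=5,
                            closer=lambda c, reason: log.append((c.conn_id, reason)))
    table.open("c1", "10.0.0.1", 54000, now=0)
    table.open("c2", "10.0.0.2", 54000, now=0)
    table.open("c3", "10.0.0.3", 54000, now=0)
    table.request_seen("c1", now=1)
    table.reply_seen("c1", now=2)        # answered, but the terminal never hangs up
    table.request_seen("c2", now=1)      # forwarded, host never replies
    table.request_seen("c3", now=1)
    table.reply_seen("c3", now=2)
    table.closed_by_peer("c3")           # the normal case: nothing for the reaper to do
    log.extend(("sweep@8", x) for x in table.sweep(now=8))    # c1 is over its linger limit
    log.extend(("sweep@40", x) for x in table.sweep(now=40))  # c2 is over its idle limit
    return log


if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```

Running `sweep()` from a periodic timer is enough; the limits only need to be longer than the longest legitimate authorization round trip, so the reaper never races the normal close.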

LOAD BALANCING AT APPLICATION LEVEL

[Diagram labels: Authorization systems; Gateway IRENE; cyclic availability check; Firewall]

Most conventional load balancers currently available support application-layer health checking for the most common standard protocols used in Internet applications, such as http (web), sftp and ftp (file transfer), and smtp and imap (email). For non-standard applications, only rather primitive check algorithms are implemented, e.g. pinging the destination system. A service-based availability check is not implemented; only the availability of certain discrete systems is checked.

In this field as well, IRENE goes one step further and verifies, up to the highest level, whether an authorization system is actually available. For this purpose, it sends a diagnosis message at specific time intervals to each of the authorization systems involved. These must be answered by the respective application. Only if the diagnosis reply is received within a specified time frame is the respective system considered fully functioning. If this is not the case, the respective system is excluded from active load balancing.

Detection of a malfunctioning system automatically triggers an SNMP alarm and puts the service technician in a position to take care of the problem before customers are affected by the missing system.

Load balancing is the key to flawless system operation. Truly effective load balancing, however, is not limited to evenly distributing the processing load to the individual authorization systems, but must also include the reliable exclusion of any malfunctioning system.
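The cyclic application-level availability check and the exclusion from load balancing described above, as an added example that is not code from the brochure or from daFÜR. It assumes that the diagnosis message is an ISO 8583 network-management request (MTI 0800 carrying a system trace number in field 11) and that a healthy system answers with 0810 echoing that number within the timeout; the brochure only says a diagnosis message must be answered by the application in time. The `send` callable, the failure threshold before exclusion and the `alarm` hook standing in for the SNMP trap are assumptions of this example, and `make_fake_send` is a constructed stand-in for real backends.

```python
"""Application-level health check with active-pool load balancing (added example)."""
import itertools
import time


class AuthPool:
    def __init__(self, backends, send, timeout=2.0, failures_to_exclude=2, alarm=print):
        self.backends = list(backends)            # constructed names, e.g. "auth-1"
        self.send = send                          # send(backend, request) -> reply bytes or None
        self.timeout = timeout                    # reply must arrive within this many seconds
        self.failures_to_exclude = failures_to_exclude
        self.alarm = alarm                        # stand-in for the SNMP trap
        self.failures = {b: 0 for b in self.backends}
        self.active = set(self.backends)
        self.stan = itertools.count(1)            # system trace audit number for diagnosis msgs
        self.rr = itertools.cycle(self.backends)

    def diagnosis(self, backend, clock=time.monotonic) -> bool:
        """One 0800 network-management request; True only for a matching, timely 0810."""
        stan = f"{next(self.stan) % 1000000:06d}"
        bitmap = f"{1 << (64 - 11):016X}"         # only field 11 present
        request = b"0800" + bitmap.encode() + stan.encode()
        start = clock()
        reply = self.send(backend, request)
        elapsed = clock() - start
        return (reply is not None and reply.startswith(b"0810")
                and reply.endswith(stan.encode()) and elapsed <= self.timeout)

    def check_cycle(self, clock=time.monotonic) -> list:
        """Run one round of diagnosis messages; return the systems still in the pool."""
        for b in self.backends:
            if self.diagnosis(b, clock):
                if b not in self.active:
                    self.alarm(f"{b} back in service")
                self.failures[b] = 0
                self.active.add(b)
            else:
                self.failures[b] += 1
                if b in self.active and self.failures[b] >= self.failures_to_exclude:
                    self.active.discard(b)
                    self.alarm(f"{b} excluded after {self.failures[b]} failed diagnosis messages")
        return sorted(self.active)

    def pick(self) -> str:
        """Round-robin over the active systems only."""
        if not self.active:
            raise RuntimeError("no authorization system available")
        while True:
            b = next(self.rr)
            if b in self.active:
                return b


def make_fake_send(behaviour: dict):
    """Constructed backends: behaviour maps name -> 'ok' | 'silent' | 'wrong'."""
    def send(backend, request):
        mode = behaviour[backend]
        if mode == "silent":                      # socket or application timeout
            return None
        if mode == "wrong":                       # something answered, but not our diagnosis
            return b"0810" + request[4:20] + b"999999"
        return b"0810" + request[4:]              # proper echo of bitmap and STAN
    return send


if __name__ == "__main__":
    state = {"auth-1": "ok", "auth-2": "ok", "auth-3": "silent"}
    pool = AuthPool(state, make_fake_send(state))
    for _ in range(3):
        print(pool.check_cycle())
    print([pool.pick() for _ in range(4)])
```

Checking for the echoed trace number matters: a TCP-level probe, or a reply that merely starts with 0810, would count a wedged application that returns stale data as healthy. Requiring two consecutive failures before exclusion avoids flapping on a single lost diagnosis message, while a single good reply brings the system back and raises a second alarm so the technician sees the recovery too.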

AVAILABILITY GUARANTEED

IRENE IS THE ONLY GATEWAY ON THE MARKET OFFERING SUCH AN

IRENE – A GATEWAY WITH ADDED VALUE

TECHNICAL SPECIFICATIONS

SUPPORTED PROTOCOLS

TERMINALS

V.24
• ISO 8583, V.22bis with Autocall
• ISO 8583, V.22bis with PAD (Poseidon)
• ISO 8583, 9600 baud with Autocall
• ISO 8583, 9600 baud with PAD (Poseidon)
• V.24, LSV2
• 1200 baud half duplex
• Makatel
• V.23

ISDN
• X.25 within the B channel (X.31)
• X.25 within the D channel
• V.110 with Autocall
• V.110 with PAD (Poseidon)
• ISO 8583, V.22bis with Autocall
• ISO 8583, V.22bis with PAD (Poseidon)
• ISO 8583, V.32/V.32bis with Autocall
• ISO 8583, V.32/V.32bis with PAD (Poseidon)
• APACS 40

TCP/IP
• PPP
• VPN
• GPRS
• SSL

HOST

• TCP/IP 10/100/1000 Mbps
• XOT
• ISO TP0 (RFC 1046)
• "ATOS" (OPAL) format (message with length byte)
• X.25 with HDLC V.24/X.21 up to 2 Mbps

ISDN
• Up to 3 x S2M connections with 30 modems each

MANAGEMENT
• Web
• SNMP
• Syslog
• NRPE
• SSH

GENERAL
Dimensions: 485 mm (19") x 178 mm (4 HE) x 462 mm, including S2M connections
Weight: between 10 and 18 kg, depending on installed components

daFÜR stands for direct communication and fast reaction. For example, customers have direct access to the R&D team and get comprehensive support without detours.

TECHNICAL SUPPORT WITHOUT IFS OR BUTS

IRENE comes with a comprehensive commissioning guarantee. This means our experts will remain on site until the system works without problems.

UNTIL EVERYTHING WORKS

Your investment in our IRENE gateway is an investment in your security. That's why our focus is on gaining your full satisfaction. In case you are not fully satisfied with our services, we will take back the unit within 2 months and will refrain from charging any installation and restitution costs.

SATISFACTION GUARANTEED

The online helpdesk of daFÜR is your direct connection to the know-how of our engineers and offers fast, first-hand support.
