Intelligence between POS terminal and authorization system


Page 1: Intelligence between POS terminal and authorization system

IRENE Gateway

INTELLIGENT ROUTER FOR ENHANCED NETWORKING WITH ETHERNET PROTOCOLS

Intelligence between POS terminal and authorization system

Increased security, availability and transparency.

Page 2

» » » MORE INSIGHT FOR BETTER OVERVIEW

This intelligent router for enhanced networking with Ethernet protocols is a gateway in a class of its own. It was designed specifically to meet the particular requirements of credit card authorization, within a functional environment that provides increased transparency, availability and security.

Gateway IRENE

Credit card authorization is a mission-critical application requiring absolute availability around the clock. Between a POS terminal and the authorization system, however, lies a complete technical infrastructure, which can cause a multitude of problems. Most likely you have already experienced situations where everything seems to run smoothly and customers are still complaining about excessive response times, or availability problems reported to the hotline even though all systems are running in the green zone.

In such situations you need a solution which provides just the right kind of information to support fast, targeted troubleshooting.

Even better would be a system that detects problems well ahead of time and initiates the required de-escalation process before customers have reason to complain. A truly ideal solution would be a technology that also supports proactive capacity management and performs automatic load balancing in order to maintain uninterrupted data traffic even in the case of a partial system failure.

WHAT YOU NEED IS IRENE

[Diagram: POS access paths over the Internet (www) with DSL and SSL, VPN, and BMP encryption lead to Gateway IRENE (firewall / open SSL), which connects through a firewall to the authorization systems.]

Page 3

The terminals at the point of sale use different types of technology, ranging from SSL via ISDN all the way to the good old modem. IRENE integrates all of these diverse systems, thereby becoming the central interface for all types of data communication.

Different ISDN area codes can be assigned to specific IP addresses or port numbers of the authorization system. In this way, terminals of different technology generations can be integrated seamlessly into the system. As far as load balancing is concerned, all terminals are treated equally. Each request is recorded in a syslog, independently of its communication path, so that it is available for detailed analysis.

Changes and additions are part of everyday life for any system administrator. Here too, IRENE makes things a lot easier. The gateway allows dedicated test access to be set up for system administrators, so that new terminal types or software versions can be tested without imposing additional traffic load on the authorization system. The same feature allows technical problems to be analyzed in isolation from the overall system.

Using the powerful tracing options, any issue can be resolved in the shortest possible time.

Using this test feature simply requires changing the target port number at the terminal to be tested, while the authorization system itself remains untouched.

If a terminal management system (TMS) is connected via IRENE, even software updates become a simple procedure. Individual terminals always refer to the same connection point and are automatically connected to the correct TMS. In the case of relocation or reconfiguration, TCP addresses do not need to be changed at any terminal, but only at the gateway. This means more security and transparency while requiring less maintenance effort.

» » » LESS WORK DUE TO SIMPLIFIED STRUCTURES

The more complex a system is, the greater the effort needed for administration and troubleshooting. For this reason, IRENE offers a number of features that provide greater transparency and considerably simplify operation of the complete system.

JOINING TECHNOLOGY GENERATIONS

EFFORTLESS TESTING

SOFTWARE UPDATE THE EASY WAY

IRENE allows complete remote maintenance, making it the ideal gateway for geographically distributed systems. The service technician can establish a secure VPN or PPP connection to the gateway in order to obtain all the information required for targeted error detection. For this purpose, access rights can be tailored precisely to the requirements of PCI. All entries can be recorded and transferred to an external log server.

REMOTE MAINTENANCE

Page 4

With conventional network technologies, the IP address of the terminal is replaced by the IP address of the access technology when a request is transferred to the authorization system. This means the original IP address is lost, making it impossible to find out which terminals were able to get through within a certain time frame.

IRENE inserts the IP address of the POS terminal into the data stream in the same way as a calling X.25 address. This distinguishes the router from any conventional network router. The advantages are obvious: data communication with the POS terminals becomes fully transparent, since tracing any call all the way back to the terminal only requires a glance at the X.25 log. This allows targeted troubleshooting and contributes greatly to faster problem resolution.

» » » INCREASED INTELLIGENCE FOR MORE TRANSPARENCY

POS terminals use different channels to communicate with the authorization system, employing a variety of technologies ranging from analogue modems via ISDN (X.31 over the B channel and V.110) all the way to GSM. The general trend, however, is towards increased communication via the Internet. There, SSL encryption guarantees secure access and allows password-protected connections to prevent any unauthorized external intrusion.

A request sent by a POS terminal is transmitted to the gateway together with the terminal's IP address. The gateway forwards to the firewall of the authorization system only those requests whose source and target ports can be verified against the entries of an IP table.

NO IP, NO HISTORIC ANALYSIS

TRANSPARENCY ALL THE WAY TO THE SOURCE

[Diagram: Gateway IRENE between the POS access paths and the firewall in front of the authorization systems. Access A (with OPAL header): TCP server, ATOS ISO filter, X.25. Access B (without OPAL header): TCP server, ISO filter, X.25. X.25 switch and X.25 TCP client; 250x data path.]

Page 5

IRENE is an intelligent interface between the POS terminals and the authorization system. Changes within the authorization network do not require any modification of the remote terminals. Instead, it is sufficient to configure the gateway accordingly, and each request is automatically routed to the correct address. In this way, IRENE provides a level of flexibility that is simply not possible with conventional network routers.

MINIMAL CONFIGURATION EFFORT

IRENE generates a syslog entry for each incoming transaction, containing information such as date, time, IP and TCP address, ISO data type, terminal ID and block length. This takes place independently of the communication path (ISDN, X.25 or SSL) used to connect the POS terminal to the system.

This comprehensive information is the basis for proactive capacity management. It allows detailed analysis and provides a comprehensive overview of the distribution of message and terminal types, as well as the time-related load on the authorization system within a specific time frame (day, week, month).

TRANSPARENCY BASED UPON INFORMATION

Depending on their terminal type or ISO 8583 message type, POS terminals need to be routed to different target ports of the authorization system. For this purpose, IRENE uses the TCP listen port addressed by the terminal to assign the request to a specific target on the authorization system.

Alternatively, routing can also be based on individual data fields of the ISO 8583 message, such as message type, processing code or terminal ID. This requires only changing an entry in the routing table, which can even be done while the system is online. Combined with the use of the terminal's TCP port number, this allows highly flexible message routing that meets the requirements of even a heterogeneous network.

FLEXIBLE ROUTING
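One way to model the two routing methods described above (by listen port and by ISO 8583 field), as an added example that is not part of the brochure or of IRENE itself: the listen ports 54000 to 55001 and the target system names come from the diagram on this page, while their pairing, the rule syntax and the field names are this example's assumptions, and the ISO fields are assumed to have been extracted by an upstream parser.

```python
# Added example, not IRENE code: first-match routing table with online reload.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    target: str                          # authorization-side destination, host:port
    listen_port: Optional[int] = None    # None matches any listen port
    mti: Optional[str] = None            # ISO 8583 message type indicator, e.g. "0200"
    proc_code: Optional[str] = None      # ISO 8583 field 3, processing code
    terminal_id: Optional[str] = None    # ISO 8583 field 41, terminal ID

    def matches(self, port: int, fields: dict) -> bool:
        wanted = ((self.listen_port, port), (self.mti, fields.get("mti")),
                  (self.proc_code, fields.get("proc_code")),
                  (self.terminal_id, fields.get("terminal_id")))
        return all(want is None or want == got for want, got in wanted)

class Router:
    """First matching rule wins. reload() replaces the whole table in one
    assignment, so a change made while traffic flows never exposes a
    half-edited table to a request in flight."""
    def __init__(self, rules):
        self._rules = tuple(rules)

    def reload(self, rules):
        self._rules = tuple(rules)

    def route(self, port: int, fields: dict) -> Optional[str]:
        for rule in self._rules:
            if rule.matches(port, fields):
                return rule.target
        return None                      # no matching rule: refuse rather than guess

# Constructed routing table (assumed pairing of ports and targets). The first
# rule moves one pilot terminal to the test system by its terminal ID, without
# changing the port configured at the terminal itself.
ROUTER = Router([
    Rule("test:9000", listen_port=54000, terminal_id="TERM0099"),
    Rule("production:9000", listen_port=54000),
    Rule("test:9000", listen_port=54001),
    Rule("acceptance:9000", listen_port=54002),
    Rule("external-tms:9100", listen_port=55000),
    Rule("internal-tms:9100", listen_port=55001),
])
```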

[Diagram: three POS terminals connect via DSL over the Internet (www) to Gateway IRENE, which forwards by target port (54000, 54001, 54002, 55000, 55001) to the production, test and acceptance authorization systems and to the external and internal TMS.]

Page 6

Conventional firewalls only verify IP addresses and TCP ports to keep malicious program code and undesired garbage data away from the system. IRENE, however, goes one step further. A special ISO filter checks each ISO 8583 message for correct syntax, thereby guaranteeing at the application level that only authorized requests can reach the system.

Most POS terminals send messages in the ISO 8583 format with an OPAL header. In this format, two control bytes determine the exact length of the data block. IRENE checks each data block for compliance with the ISO standard in order to verify that it contains a valid message. Only after successfully passing this verification is the message routed via the TCP client to an active authorization system.

Native messages, in TCP format without OPAL headers, are simply routed to a different TCP target port. The requests are processed in the lower data path.

With its application layer firewall, IRENE offers an unparalleled level of security that no other system on the market can offer.
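An added example (not IRENE's own code) of the ISO filter step for the OPAL-framed data path: the brochure states that two control bytes carry the block length, and this code assumes they form a big-endian 16-bit count of the bytes that follow and that the block begins with a 4-digit MTI and a 16-character hexadecimal primary bitmap.

```python
# Added example, not IRENE code: application-level pre-filter for one frame.
class FilterError(ValueError):
    """Rejection reason, short enough to go straight into the syslog entry."""

def check_opal_frame(frame: bytes, max_len: int = 4096) -> dict:
    """Return MTI, block length and the set of present fields, or raise FilterError."""
    if len(frame) < 2:
        raise FilterError("no length header")
    declared = int.from_bytes(frame[:2], "big")   # the two control bytes (assumed big-endian)
    block = frame[2:]
    if declared == 0 or declared > max_len:
        raise FilterError(f"implausible block length {declared}")
    if len(block) != declared:                    # short read or trailing garbage
        raise FilterError(f"declared length {declared}, actual {len(block)}")
    if len(block) < 20:                           # MTI (4) + primary bitmap (16)
        raise FilterError("block too short for MTI and primary bitmap")
    mti = block[:4]
    if not mti.isdigit():
        raise FilterError("MTI is not numeric")
    if mti[1:2] == b"0":                          # message class 0 is reserved by ISO
        raise FilterError(f"reserved message class in MTI {mti.decode()}")
    bitmap = block[4:20]
    if any(c not in b"0123456789abcdefABCDEF" for c in bitmap):
        raise FilterError("primary bitmap is not hexadecimal")
    bits = int(bitmap.decode("ascii"), 16)
    fields = {i for i in range(1, 65) if (bits >> (64 - i)) & 1}   # bit 1 is the MSB
    if 1 in fields and len(block) < 36:           # secondary bitmap announced but absent
        raise FilterError("secondary bitmap missing")
    return {"mti": mti.decode(), "block_length": declared, "fields": fields}

def filter_frame(frame: bytes) -> tuple:
    """Decision for the data path: (accepted, MTI or rejection reason for the syslog)."""
    try:
        info = check_opal_frame(frame)
    except FilterError as exc:
        return (False, str(exc))
    return (True, info["mti"])
```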

Routing all VPN data traffic via the IRENE gateway means installing an effective fortress against TCP attacks such as brute force, spoofing, DoS or SYN flood. Such attacks are effectively blocked by the gateway and therefore cannot penetrate all the way to the authorization network.

Installing two IRENE gateways with different IP addresses means that even the total flooding of one gateway with spoofed packets does not lead to a total breakdown of the credit card authorization process.

Even if both gateways are flooded, all attacks are effectively blocked and cannot reach the main system. In this case, the Internet access will be fully available again, as soon as the attack is over.

APPLICATION LEVEL FIREWALL

EFFECTIVE SHIELDING FROM TCP ATTACKS

» » » A NEW DIMENSION OF SAFETY

Normally, a connection is initiated by the POS terminal sending a request. As soon as the authorization system has returned its answer, the POS terminal will terminate the connection and the respective port is available again. In the case of any disturbance of this normal procedure, the authorization system will terminate the connection after a pre-determined time in order to free the respective port for further processing.

IRENE offers additional security by automatically terminating any connection in case the timers of both systems fail to trigger for any reason. In this way, the gateway guarantees that valuable TCP ports are not occupied longer than necessary and become available again shortly after any faulty connection.

TIMER-CONTROLLED ACCESS MONITORING

[Diagram: POS terminal, DSL router, VPN tunnel over the Internet (www), DSL router, Gateway IRENE in the DMZ (demilitarized zone), Firewall, Load balancer, Authorization system A and Authorization system B.]

Page 7

» » » LOAD BALANCING AT APPLICATION LEVEL

[Diagram: Gateway IRENE performs a cyclic availability check of the authorization systems behind the firewall.]

Most conventional load balancers currently available support application layer health checking for the most common standard protocols used in Internet applications, such as HTTP (web), SFTP and FTP (file transfer) as well as SMTP and IMAP (email). For non-standard applications, only rather primitive check algorithms are implemented, e.g. pinging a destination system. A service-based availability check is not implemented; only the availability of certain discrete systems is checked.

Here too, IRENE goes one step further and verifies, up to the highest level, whether an authorization system is actually available. For this purpose, it sends a diagnosis message at specific time intervals to each of the authorization systems involved. These must be answered by the respective application. Only if the diagnosis reply is received within a specified time frame is the respective system considered fully functional. If this is not the case, the system is excluded from active load balancing.

Detection of a malfunctioning system automatically triggers an SNMP alarm and puts the service technician in a position to take care of the problem before customers will be affected by the missing system.

Load balancing is the key to flawless system operation. Truly effective load balancing, however, is not limited to evenly distributing the processing load to the individual authorization systems, but must also include the reliable exclusion of any malfunctioning system.

AVAILABILITY GUARANTEED

IRENE IS THE ONLY GATEWAY ON THE MARKET OFFERING SUCH INTELLIGENT LOAD BALANCING WITH AUTOMATIC ALARM TRIGGERING.
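The diagnosis cycle described above, as an added example that is not IRENE's own code: each authorization system is represented by a callable standing in for a TCP round trip, and the use of an ISO 8583 0800 network management request answered by 0810, the 3-second deadline and the alarm callback standing in for the SNMP trap are this example's assumptions.

```python
# Added example, not IRENE code: application-level health check and pool exclusion.
import time
from typing import Callable, Optional

DIAG_REQUEST, DIAG_REPLY = "0800", "0810"   # assumed echo-test MTIs

class Pool:
    def __init__(self, systems: dict, deadline: float = 3.0, alarm: Callable = print):
        self.systems = systems          # name -> callable(mti, deadline) -> reply MTI or None
        self.deadline = deadline        # assumed reply deadline in seconds
        self.alarm = alarm              # stands in for the SNMP trap sender
        self.healthy = set(systems)     # every system starts in the active pool
        self._rr = 0

    def check_all(self) -> set:
        """One cycle of the periodic diagnosis; returns the systems now excluded."""
        for name, send in self.systems.items():
            start = time.monotonic()
            reply = send(DIAG_REQUEST, self.deadline)
            # The application itself must answer, and in time: an open TCP port is not enough.
            ok = reply == DIAG_REPLY and time.monotonic() - start <= self.deadline
            if ok and name not in self.healthy:
                self.healthy.add(name)
                self.alarm(f"CLEAR {name}: diagnosis reply received again")
            elif not ok and name in self.healthy:
                self.healthy.discard(name)   # exclude before any customer request fails
                self.alarm(f"ALARM {name}: no valid diagnosis reply within {self.deadline}s")
        return set(self.systems) - self.healthy

    def pick(self) -> Optional[str]:
        """Round-robin over healthy systems only; None means no system can serve."""
        if not self.healthy:
            return None
        order = sorted(self.healthy)
        self._rr = (self._rr + 1) % len(order)
        return order[self._rr]

# Constructed stand-ins: system A answers correctly, system B's application is hung.
def system_a(mti, deadline):
    return DIAG_REPLY if mti == DIAG_REQUEST else None

def system_b(mti, deadline):
    return None                         # TCP port reachable, application dead
```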

Page 8

» » » IRENE – A GATEWAY WITH ADDED VALUE


Page 9

» » » TECHNICAL SPECIFICATIONS

SUPPORTED PROTOCOLS

TERMINALS

V.24
• ISO 8583, V.22bis with Autocall
• ISO 8583, V.22bis with PAD (Poseidon)
• ISO 8583, 9600 baud with Autocall
• ISO 8583, 9600 baud with PAD (Poseidon)
• V.24, LSV2
• 1200 baud half duplex
• Makatel
• V.23

ISDN
• X.25 within the B channel (X.31)
• X.25 within the D channel
• V.110 with Autocall
• V.110 with PAD (Poseidon)
• ISO 8583, V.22bis with Autocall
• ISO 8583, V.22bis with PAD (Poseidon)
• ISO 8583, V.32/V.32bis with Autocall
• ISO 8583, V.32/V.32bis with PAD (Poseidon)
• APACS 40

TCP/IP
• PPP
• VPN
• GPRS
• SSL

HOST
• TCP/IP 10/100/1000 Mbps
• XOT
• ISO TP0 (RFC 1046)
• “ATOS” (OPAL) format (message with length byte)
• X.25 with HDLC V.24/X.21, up to 2 Mbps

ISDN
• Up to 3 x S2M connections with 30 modems each

MANAGEMENT
• Web
• SNMP
• Syslog
• NRPE
• SSH

GENERAL
Dimensions: 485 mm (19”) x 178 mm (4 HE) x 462 mm, including S2M connections
Weight: between 10 and 18 kg, depending on installed components
Power rating: 120 watts continuous power / 480 watts maximum power

Page 10

daFÜR Datenfernübertragung ROHM GmbH

Zur Eisernen Hand 27, D-64367 Mühltal

Phone: +49 (0)6151-9514-0, Fax: +49 (0)6151-144 260

daFÜR stands for direct communication and fast reaction. For example, customers have direct access to the R&D team and get comprehensive support without detours.

» » » TECHNICAL SUPPORT WITHOUT IFS OR BUTS

www.dafuer.com

IRENE comes with a comprehensive commissioning guarantee. This means our experts remain on site until the system works without problems.

UNTIL EVERYTHING WORKS

Your investment in our IRENE gateway is an investment in your security. That's why our focus is on gaining your full satisfaction. Should you not be fully satisfied with our services, we will take back the unit within 2 months and refrain from charging any installation and restitution costs.

SATISFACTION GUARANTEED

The online helpdesk of daFÜR is your direct connection to the know-how of our engineers and offers fast, first-hand support.

FAST SUPPORT