Open Protagonistics opened 10 years ago
As a high-level question, and posed as a Commotion 'outsider', I am curious what regulations actually stipulate PCI and HIPAA-level security considerations on what are still just wireless access points (WAPs). Usually, these requirements focus on datacenters. I am unaware of even commercial/enterprise WAP products that are capable of fully satisfying such requirements (since they're not really designed to). Besides just being diligent about employing VPN-style isolation (e.g. tor, tinc, iptables rules) where it is possible.
This I do not know from a legal or policy standpoint, but I DO know that I have worked at a retail location that was required by PCI to have a separate NIC installed for all financial transactions on an Internet-connected computer. Very odd. I just want to stay as far away from sharing financial or health information over an insecure zone as possible.
POS systems would indeed see some level of PCI requirements (since they receive credit card #'s), but I think the conventional approach is to use SSL for transport, and for the POS to otherwise assume its connection back to merchant services to be unfriendly. Compare Square's credit card processing, which uses SSL over whatever connection is available, and where locally collected personal info (card swipe data) is not stored locally in some fashion that could be compromised. Meraki, a commercial mesh wifi vendor, has whitepapers on their PCI and HIPAA compliance status, which are likely good points of reference: https://meraki.cisco.com/lib/pdf/meraki_whitepaper_HIPAA.pdf https://meraki.cisco.com/lib/pdf/meraki_whitepaper_PCI.pdf
HIPAA and PCI would be terrifying cans of worms to open. I think the usual approach is to not open them unless your legal counsel says you have to, and/or explain in thorough detail (cf. Meraki's white papers) your best efforts in performing the due diligence that is possible. ;)
Ok, perhaps I should have used those terms initially. However, the issue remains that many people, businesses and individuals alike, may not want to share their files or services out onto the mesh, and there DOES need to be an easier way to block traffic. I would still like to be able to more easily cut off access at the Commotion WAP instead of relying on models of varying sophistication the host may own.
Thanks for those PDFs, I'm hanging on to those!
Businesses in Pittsburgh are beginning to host nodes. But they are under PCI and HIPAA compliance rules that require their networks to be private and inaccessible by the public. Currently, Commotion does not support a built-in solution for shutting off access to a range of IP addresses. While it would be a better practice to have the host's router handle VLANning, with many consumer-grade pieces of equipment this is not an option.
Currently this issue is preventing us from connecting our mesh WAPs to their network without purchasing an additional device capable of separating LAN traffic from Mesh traffic, a cost anticipated neither by our company nor by our grant proposals.
While a separate device would be preferable to manage the VLANning, some hosts do not own the equipment to properly VLAN or segregate Mesh traffic and keep it from penetrating their network. Purchasing this equipment may be a deal-breaker for the host, and a prospective installation may be cancelled, endangering the adoption of mesh networks in an area.
I propose that a GUI page be added that allows the administrator to define a range of IP addresses to completely block all traffic to and from. Obviously, if the gateway is in this range it should be allowed (and it would be a good idea to place a note on the page requesting that the gateway IP be omitted from the range). By doing this, hosts who are concerned about privacy or are under PCI and HIPAA compliance requirements will be able to ensure that any requests for their internal resources will be denied at the Mesh router itself. Meta Mesh in Pittsburgh will attempt to do this via iptables and manually adding those firewall rules to each node we install unless requested not to by the host, but there should be an easy way to do this from the GUI.
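The manual iptables approach described in the comment above, written out as an added example (this is not Commotion's code, nor the rules Meta Mesh actually deployed): a POSIX sh script that, given the host's LAN range and the upstream gateway address, emits rules dropping all forwarded traffic between the mesh and that range while keeping the gateway reachable. The script also checks whether the gateway actually falls inside the range, so the exception is only emitted when it is needed, which is the point the proposed GUI note is trying to get at. The chain name `mesh_block`, the addresses, and the assumption that the node's FORWARD chain carries mesh-to-LAN traffic are all placeholders for illustration.

```sh
#!/bin/sh
# Added example, not part of Commotion: generate iptables rules that block a host's
# LAN range from the mesh while keeping the upstream gateway reachable.
# Usage:  sh block_lan.sh 192.168.1.0/24 192.168.1.1 | sh      (addresses are placeholders)

# ip_to_int A.B.C.D -> unsigned 32-bit integer (dotted-quad octets are assumed decimal)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside NET/BITS, 1 otherwise
in_cidr() {
    ip=$(ip_to_int "$1")
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# gen_block_rules RANGE GATEWAY -> prints the iptables commands, one per line.
# Rules are evaluated in order, so the gateway exceptions must precede the DROPs.
gen_block_rules() {
    range=$1
    gw=$2
    # A dedicated chain hooked at the top of FORWARD keeps the block independent
    # of whatever other rules the node already carries.
    echo "iptables -N mesh_block"
    echo "iptables -I FORWARD 1 -j mesh_block"
    if in_cidr "$gw" "$range"; then
        # Mesh clients may initiate to the gateway (default route, DNS), and the
        # gateway's replies must come back; the gateway may not initiate towards the mesh.
        printf 'iptables -A mesh_block -d %s -j ACCEPT\n' "$gw"
        printf 'iptables -A mesh_block -s %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$gw"
    fi
    # Everything else to or from the host's LAN is dropped at the mesh node itself.
    printf 'iptables -A mesh_block -d %s -j DROP\n' "$range"
    printf 'iptables -A mesh_block -s %s -j DROP\n' "$range"
}

if [ $# -ge 2 ]; then
    gen_block_rules "$1" "$2"
fi
```

Two caveats a practitioner would want stated: the rules only cover the FORWARD chain, i.e. traffic the node relays for mesh clients, not the node's own INPUT/OUTPUT traffic, and a rule set that blocks one range does not by itself make the host's network "private" in the PCI or HIPAA sense; it is the mitigation the thread asks for where the host cannot VLAN, not a substitute for it.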