Description of Services

Network Security

  • Firewall: The barrier between the premise’s local area network and the Internet. Netsurion provides enterprise-grade firewalls as an element of our services.
  • Centralized firewall management: Allows for the consistent configuration, policy management, and administration of fleets of deployed firewalls through a consolidated management system. Deployed firewalls are monitored for availability, connectivity, and device health metrics (see critical device monitoring below).
  • Firewall logging: Firewall logs are stored in compliance with the Payment Card Industry Data Security Standard (PCI DSS) 3.2. Per PCI requirements, the customer should review firewall logs regularly.
  • Firewall policy templates: A customer with multiple locations can have standardized configuration templates and policies synchronized across all firewalls deployed at their locations.
  • Network segmentation: A method of creating multiple isolated networks within a single computer network environment to separate sensitive data or systems from less critical and/or public data or systems.
  • Remote installation: Simplified installation process in which our engineers guide a customer’s staff through the process of installing a firewall on their network without a Netsurion employee being physically present at the customer’s location.
  • Bring Your Own IP (BYOIP): This proprietary aspect of our installation process does not require the reconfiguration of your network’s IP address structure, thereby saving time, and eliminating issues reconnecting printers or other peripheral devices.
  • Web content filtering (UTM): A predefined set of restrictions applied to certain websites that have been categorized as potentially dangerous by Netsurion. If a website has not been categorized, and is thus categorized as “unknown” by Netsurion, IP traffic to and from that website is prohibited unless specifically allowed by a whitelist entry (a dedicated list of destinations that are allowed access). The intent of these restrictions is to block access to potentially dangerous websites and/or servers.
  • Whitelist: A list of IP addresses the customer has requested Netsurion to configure as allowable by the firewall. Once configured, these IP addresses or host names will no longer be blocked by the firewall, independent of other policy-specific restrictions.

PCI Validation

  • Data Breach Financial Protection: This is a breach-related reimbursement program available for some service types as part of an agreement with Netsurion. The terms and conditions of the Data Breach Financial Protection Program are specified at:
  • Firewall Circumvention Detection: A service that monitors data traffic flowing through the Netsurion Managed Firewall associated with the network segment that contains a customer’s point-of-sale (POS) traffic. If the volume of POS traffic falls below a certain threshold over a certain time period, an alert is raised indicating that the firewall may be bypassed.
  • Internal vulnerability scan: Netsurion will initiate the industry’s required Payment Card Industry Data Security Standard (PCI DSS) 3.2 scan and provide the results to the customer as part of the compliance process. Scans examine systems in the cardholder data environment for known vulnerabilities. If an issue is found, the customer is notified so they may undertake remediation efforts. Issues resulting in a failed scan must be resolved by the customer before subsequent scans will pass. According to PCI DSS 3.1, an entity must pass four internal vulnerability scans per year, one each quarter.
  • Penetration testing guide: A document that describes a penetration test and provides general guidance to help minimize effort when completing one, together with a form that assists the customer with tracking the results of the testing.
  • Rogue Device Manager: A detection system that alerts specific customer contacts when a new computer is added to the network environment (behind a Netsurion firewall) that is either plugged into the protected interface of the Netsurion firewall directly or attempts to send traffic through a Netsurion firewall to the Internet.
  • Critical device monitoring: A system that creates a baseline of all critical devices connected to the network being protected by a Netsurion managed firewall. The system then monitors to ensure that all of those critical devices stay connected to the network, and alerts specific contacts if any critical device is removed or becomes unresponsive.
  • Security policy and procedure template: An editable document designed to assist a merchant in their development of a PCI-specific set of policies and procedures, including a checklist template to track hardware and software versions. This template is a best-practices guideline and is not meant to be an exhaustive list of all activities necessary to achieve compliance.
  • External vulnerability ASV scans: A PCI compliance-required scan that examines a public Internet address for known vulnerabilities. The results of the scan are provided to the customer for review and compliance. If an issue is found within the customer’s environment, it must be resolved or noted as an exception by the customer before subsequent scans will pass. According to the PCI DSS, an entity must pass four internal vulnerability scans per year, one each quarter.
  • Remote access with SSL VPN: A PCI compliant Virtual Private Network (VPN) service that enables secure remote communication via the Internet with a computer at a location protected by a Netsurion managed firewall. The service includes “two-factor authentication” which utilizes a username and password as the first factor and a one-time password that is sent to an e-mail address and/or a text message as the second factor of authentication. Netsurion’s Remote Access with SSL VPN is the only remote access tool recommended by Netsurion for secure remote access of customer environments behind a Netsurion firewall.
  • Forced Configuration Manager: A service that validates that the machine attempting to access the Remote Access with SSL VPN is running appropriate security software, i.e., anti-malware software.
  • SAQ Wizard: A Self-Assessment Questionnaire (SAQ) support process that in many cases simplifies the completion, printing, and storing of annual PCI compliance questionnaires for PCI regulated merchants. For Netsurion managed firewall customers, SAQ Wizard provides pre-built responses that may be used to complete certain relevant sections of the SAQ document.
  • PCI Compliance Manager Portal: A web portal where Netsurion clients can ease some PCI compliance requirements by having a single location where they can review external vulnerability scan results, various logs, and Self-Assessment Questionnaires (SAQ) in support of their compliance efforts.

Enhanced Security Services

  • Auto failover / failback connectivity (No longer sold after 1/1/2017): A feature that helps to maintain connectivity during broadband outages. In the event of a broadband failure, the firewall will automatically attempt to use an alternate Internet connection (typically a dial-up POTS line) for selected Internet traffic.
  • Cellular Backup Service: A feature that helps to maintain connectivity during primary Internet circuit outages. Working in conjunction with an Ethernet to cellular gateway device, should a primary circuit failure occur, the firewall will automatically route selected data traffic through the gateway to a cellular network. When the primary circuit connectivity is restored, the firewall will automatically return traffic to it.
  • 360° Web Traffic Control (formerly IP Data Blocker): A Netsurion service that limits traffic to Internet locations except those that have been specifically allowed by the firewall policy.
  • File integrity monitoring (FIM): Local event logging and file integrity monitoring software used by Netsurion to log critical data in a customizable way so businesses can efficiently review their logs to assist them in meeting certain PCI DSS file integrity monitoring and log management requirements. EventTracker FIM delivers file integrity monitoring (FIM).
  • Site-to-site VPN: A specific firewall configuration that enables a location to communicate to another location securely over a Virtual Private Network (VPN).

Basic Secure Wireless

  • Family-friendly Wi-Fi: A pre-defined set of content-specific websites blocked in an attempt to prevent the public viewing of potentially objectionable material.
  • Quality of Service (QoS): A method whereby bandwidth can be limited at certain times to certain network segments or devices so that high-priority services have sufficient Internet access.
  • Single SSID: The creation of a single wireless network with a dedicated SSID (public name of a wireless network).
  • Wireless access point detection: A Netsurion service that detects the Wireless Access Points in the area around the Netsurion firewall and reports on the detected SSIDs, wireless channels in use, and associated MAC addresses. Customers receive an email alerting them to any unknown or unauthorized wireless access points detected.

Standard Secure Wireless

  • Up to 4 Secure SSIDs (formerly referred to as Wi-Fi Hotspot Plus): Four separate wireless networks/SSIDs are provided that can be utilized for wireless connectivity for either public or private wireless networks. This service may include encrypted communications for private networks.
  • Power over Ethernet (PoE): A wireless access point that does not need a dedicated power supply as it derives its power through the Ethernet cable connecting it to the network.

Premium Secure Wireless

  • Wireless mesh: A network of multiple wireless access points connected together wirelessly, requiring that only one has a hard-wired connection. This facilitates the range and capacity expansion of a wireless network without having to install an Ethernet cable to each access point.
  • Wireless roaming: The ability of a wireless network with multiple access points to seamlessly support the roaming of a connected device from one access point to another. This provides for mobility of connected devices in a greater coverage area.

Other Terms

  • Network diagram template: A template designed to assist a small merchant who wants to create a PCI DSS compliant network diagram. It includes instructions and a sample diagram as a starting point.
  • Circuit monitoring, repair, and resolution: Electronic monitoring of the customer’s broadband connection and, if authorized, contact with the customer’s broadband supplier for notification and repair purposes should the customer’s broadband connection be lost. This is conditioned upon the customer providing Netsurion with current account information and appropriate permissions necessary to initiate a trouble ticket with the broadband provider.
  • Advanced web blocking: A service that allows the customer to select from the existing list of categories of websites that Netsurion will restrict at a location.
  • WAP management: Centralized management of Netsurion-provided wireless access points (WAP).
  • Payment Card Industry Data Security Standard (PCI DSS): A proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
  • SIEM-at-the-Edge: This is our security information and event management (SIEM) solution designed specifically to protect small- and medium-size multi-location businesses, combining security event monitoring capabilities with managed detection and response (MDR).
  • Breach Detection Service: This is an automated breach alerting platform designed specifically for businesses looking for advanced threat detection capabilities that augment anti-virus, firewall, and other traditional security measures.