Shipping & Mailing Postage Meters
Connect+/SendPro P Series Networking Technical Specification

Contents
Introduction: page 2
Network Requirements: page 2
Port/Communication Requirements: page 2
URL Information: page 3
FAQs: page 10

Service Collateral SV62440 Rev P, March 13, 2017
Introduction

This document details the networking technical considerations for the Connect+/SendPro P Series.

Network Requirements

The Connect+/SendPro system requires a high-speed network connection. The Connect+/SendPro system initiates all communication (via HTTP or HTTPS), so it can safely sit behind most corporate firewalls.

- The Connect+/SendPro system communicates with external Web Services via HTTP over port 80.
- The Connect+/SendPro system communicates with PB secure server(s) via HTTPS over port 443.
- The Connect+/SendPro system uses port 53 for DNS lookup.

Pitney Bowes requires a minimum network bandwidth of 384 kbps (upstream and downstream) to operate, but recommends 1 Mbit/sec for best performance. It is recommended that DSL or 3G modem devices are not shared across multiple Connect+/SendPro systems. Customer-owned web filtering devices or software, as well as SSL packet inspection, should be disabled for these ports as they can affect performance.

Port/Communication Requirements

All communication is initiated from the Connect+/SendPro system via ports 80 (HTTP) and 443 (HTTPS). All communication from the Connect+/SendPro system to the back end system is in the form of XML messages.

Port 80 (HTTP)
- OS Update
- AV Updates
- Web Services
- TeamViewer

Pitney Bowes Service Collateral, March 2017, Page 2 of 11
Port 443 (HTTPS)

Connect+ will send requests to refill or audit its PSD (Postal Security Device) based on low funds or the inspection date. Refills currently occur when the PSD funds drop below $xx.xx. Audits occur if the PSD inspection date has expired. During initial install, the system automatically requests an Operational Block, from the infrastructure, for the PSD. On PSD replacement the system automatically requests the configuration data for the replacement PSD.

Transaction Records from the Connect+/SendPro system are automatically uploaded when:
- The system goes into Sleep Mode.
- The system is powering down.
- Web Accounting Services are activated.
- Postal Information is uploaded.

On power up the system refreshes the Web Service configuration data (checks for Software, Rates and Graphic Updates; it will also contact Supplies, My Account, Tracking etc.).

Port 53 (DNS lookup)

IT departments that use a "rules based" method for allowing specific ports to pass traffic on their network must open port 53 and make sure to allow BOTH UDP and TCP traffic for this port. Port 53 listens for DNS requests and may respond on either protocol, based on the type of request it receives. Short responses should come in over UDP; longer, more detailed responses on TCP.

URL Information

The following URLs must be accessible from the Connect+/SendPro system, without any obstructions. It is strongly recommended that the firewall reference the URL rather than the IP address, which can change over time. If IP addresses must be referenced, it is suggested to keep open the blocks of IP addresses 199.231.32.0 to 199.231.47.255, 152.144.128.0 to 152.144.128.255 and 209.85.128.000 to 209.85.255.255.
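The three IP blocks above are only a fallback, and the document itself warns that addresses change over time. The following added Python check (example code, not Pitney Bowes' own tooling) resolves the hosts a firewall must allow and flags any answer that falls outside the documented blocks, so an IP-based rule set can be re-validated before it silently starts blocking the meter. The hostnames distservp1.pb.com and ms1app.pb.com come from the URL list in this document; the sample DNS answers and the *.example.pb.com names are constructed for offline use.

```python
import ipaddress
import socket

# IP blocks the document suggests keeping open when IP-based rules are unavoidable.
ALLOWED_RANGES = [
    ("199.231.32.0", "199.231.47.255"),
    ("152.144.128.0", "152.144.128.255"),
    ("209.85.128.0", "209.85.255.255"),
]

def in_allowed_ranges(ip: str) -> bool:
    """True if ip falls inside one of the documented blocks."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ALLOWED_RANGES)

def resolve_live(host: str) -> list:
    """Current IPv4 answers for host, or [] if the lookup fails."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, 443, socket.AF_INET)})
    except socket.gaierror:
        return []

def check_hosts(hosts, resolver=resolve_live) -> dict:
    """Map each host to 'ok', 'outside' (an answer is not covered) or 'unresolved'."""
    report = {}
    for host in hosts:
        ips = resolver(host)
        if not ips:
            report[host] = "unresolved"
        elif all(in_allowed_ranges(ip) for ip in ips):
            report[host] = "ok"
        else:
            report[host] = "outside"
    return report

# Constructed sample answers (not live DNS): two hosts from the URL list and one
# hypothetical host whose address drifted to a documentation-only (RFC 5737) range.
SAMPLE_LOOKUPS = {
    "distservp1.pb.com": ["199.231.44.31", "152.144.128.244"],
    "ms1app.pb.com": ["199.231.32.67"],
    "drifted.example.pb.com": ["198.51.100.7"],
}

def check_sample() -> dict:
    """Run the check against the constructed answers plus one unresolvable name."""
    hosts = list(SAMPLE_LOOKUPS) + ["missing.example.pb.com"]
    return check_hosts(hosts, resolver=lambda h: SAMPLE_LOOKUPS.get(h, []))
```

Passing the full list of hostnames from this document to check_hosts() with the default resolver performs the same check against live DNS. Note that several addresses listed later in this document (72.14.253.104, the 74.125.230.x Google addresses, 130.57.1.88 and 72.47.250.186) fall outside these three blocks, so a rule set built from the blocks alone does not cover every URL in the list.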
TeamViewer

TeamViewer is used by service and sales for remote diagnostics and training. A TeamViewer session can only be initiated by someone on the customer end and therefore the system cannot be accessed without the customer's knowledge. All communication is initiated from the Connect+/SendPro system via ports 80 (HTTP) and 443 (HTTPS). All communication from the Connect+/SendPro system to the back end system is in the form of XML messages.

There are two options to unblock TeamViewer:
1. General unlocking of port 5938 TCP for outgoing connections (recommended). Port 5938 is only used by a few programs and therefore is no security risk. This traffic should then neither be filtered nor cached.
2. Unlocking of URLs of the following formats (to any server):
   GET /din.aspx?s= &client=dyngate
   GET /dout.aspx?s= &client=dyngate
   POST /dout.aspx?s= &client=dyngate

Regardless of which method is chosen to unblock TeamViewer, also check that no content filter or similar is blocking one of the following URLs: *.teamviewer.com, *.dyngate.com.

Required firewall exceptions

Linux Proxy Test
Description: Built-in tools that ping select PB servers for connectivity testing. Used by PB Service (resides on the Linux desktop).
Network Test:
- http://www.google.com (Domain www.google.com; IP=72.14.253.104)
- http://www.l.google.com (Domain www.google.com; IP=74.125.230.81, 74.125.230.82, 74.125.230.83, 74.125.230.84, 74.125.230.80)
- http://www.novell.com
SUSE Linux Proxy Test:
- Domain ftp.novell.com; IP=130.57.1.88
- http://www.l.google.com (Domain www.google.com; IP=74.125.230.81, 74.125.230.82, 74.125.230.83, 74.125.230.84, 74.125.230.80)

Distributor
Description: Main PB server that authenticates the machine for access to other PB web services.
Distributor:
- http://distservp1.pb.com/dstproduct.asp
- https://distservp1.pb.com/dstproduct.asp
(Domain distservp1.pb.com; IP=152.144.128.244, 152.144.128.230, 199.231.44.31, 199.231.43.31, 199.231.45.46)

Funds (Funds Management & Refills)
Description: Funds are managed through a separate Funds Server system.
- http://cometservc1.pb.com/t3cometserver_03.asp
- https://cometservc1.pb.com/t3cometserver_03.asp
(Domain cometservp1.pb.com; IP=152.144.128.230, 152.144.128.236, 199.231.45.37, 199.231.43.215)

Rates and Updates (Download Services)
Description: Downloads new software, graphics, rate price data etc.
Misc. Data Upload:
- https://pbgdspp1.pb.com/ms1configurationupload/ms1productconfigurationupload.svc
(Domain pbgdspp1.pb.com; IP=199.231.44.222, 199.231.44.148, 199.231.45.41, 199.231.45.35)
ClamAV:
- http://clamserver.pb.com
(Domain clamserver.pb.com; IP=199.231.45.165, 199.231.44.54, 199.231.33.54, 199.231.35.165)
Error log uploads:
(Domain pbdlsp1.pb.com; IP=199.231.44.30, 199.231.45.38)
Configuration web page:
- https://myms1configuration.pb.com
(Domain MyMS1Configuration.pb.com; IP=199.231.44.166)
OS Updates:
- https://smt.pb.com
(Domain SMT.pb.com; IP=199.231.44.54, 199.231.35.165)
File Updates:
- https://pbgdspp1.pb.com/ms1/dlaservice.svc
(Domain pbgdspp1.pb.com; IP=199.231.44.222)
Orders (CCD):
- https://pbgdspp1.pb.com/ms1ccd/dlaccdservice.svc
(Domain pbgdspp1.pb.com; IP=199.231.44.222)

Manage Accounts (Accounting)
Description: Separate PB server that manages Accounting, including account creation, reports etc.
Accounting Web Application:
- https://ms1app.pb.com/
(Domain ms1app.pb.com; IP=199.231.32.67)
Accounting Web Services:
- https://ms1app.pb.com/ms1atweb/services/
(Domain ms1app.pb.com; IP=199.231.32.47)
On Line Help
Description: This is the on line help website.
- http://support.pb.com/help_videos/sv62370-help/default.htm
(Domain support.pb.com; IP=152.144.192.210, 152.144.192.211)

Buy Ink Express
Description: Allows direct access to the Ink Ordering page.
- http://www.pitneybowes.us/shop/ink-and-supplies/postage-meter-ink-supplies/connectseries--1/en-us/storeus
(Domain www.pitneybowes.com; IP=199.231.33.6, 199.231.44.12)

Health Data Update
Description: Machine Health Information upload.
- https://cplus-logs-fusion.pb.com/api/v1/uploads
(Domain www.pb.com; IP=199.231.33.6, 199.231.44.12)

Optional firewall exceptions (enabled by default)

Verify Address (address cleansing)
Description: Utility website to validate addresses against the USPS database.
- http://www.pb.com/ms1av/checkaddress.jsp
(Domain www.pb.com; IP=199.231.44.12)

Your Account (PB.com)
Description: Utility website to access your account on PB.com.
- https://www.pb.com/cgi-bin/pb.dll/jsp/login.do?lang=en&country=us&ga1=ms1
(Domain www.pb.com; IP=199.231.44.12)
(Domain http://www.google.com/analytics; IP=209.85.128.000, 209.85.227.101, 209.85.227.113)
Discount & Presort Services
Description: Utility website to manage Discounts & Presorting.
- http://www.pb.com/mailstream/mailing-services
(Domain www.pb.com; IP=199.231.44.12)

Buy Supplies
Description: Utility website to order Connect+/SendPro P Series supplies.
- http://www.pb.com/mailstream/supplies/ms1
(Domain www.pb.com; IP=199.231.44.12)

Track a Package
Description: Carrier independent web tracking site for packages.
- http://pb.boxoh.com/
(Domain pb.boxoh.com; IP=72.47.250.186)

Apps & Tools
Description: Utility website for additional applications and tools.
- http://www.pb.com/connectplus/apps/
(Domain www.pb.com; IP=199.231.44.12)

Optional firewall exceptions (disabled by default)

Ship a Package
Description: Package shipping application.
- http://shipapackage.us.pitneybowes.com
(Domain www.pb.com; IP=199.231.44.12)
Ship A Package is a legacy shipping application that is being replaced by SendPro. If this is a new installation, you do not need to open up the firewall for Ship A Package.
SendPro
Description: Newest package shipping application.
- https://sending.us.pitneybowes.com/
(Domain www.pitneybowes.com; IP=199.231.33.6, 199.231.44.12)

SendSuite Tracking
Description: SendSuite Tracking application.
- http://sendsuitetracking/pitneybowes.com/
(Domain www.pitneybowes.com; IP=199.231.33.6, 199.231.44.12)
FAQs

Q: What OS does this device run?
A: SUSE Linux SLED 11.

Q: What controls are in place to protect this device against network-based malware (viruses/worms) threats?
A: Controls include: white list of URLs; HTTPS; anti-virus software; only executes services needed to perform activities; OS distribution has been optimized and locked down.

Q: Does it have a firewall?
A: Yes.

Q: Who controls the firewall rules?
A: Pre-configured and not modifiable.

Q: How are the firewall rules configured?
A: Allow only the ports HTTP, HTTPS and DNS.

Q: What is the security patch process?
A: Connect+ security patches are applied by emergency updates via PB only, and on a regular schedule through PB services.

Q: What anti-virus controls does Connect+ use?
A: ClamAV is installed on every system. AV signatures are regularly updated.

Q: What is the software update process, and how often does this occur?
A: As required, in some cases monthly.

Q: What is the network traffic flow to and from the Connect+/SendPro system?
A: Outgoing contact initiated (no push) utilizing HTTPS, URLs provided by PB services.

Q: What firewall rules need to be in place to allow the necessary communication?
A: Outgoing: transactional data. Incoming: both transactional data and files, and Web Services.

Q: Can you identify suspicious activity affecting Connect+?
A: Yes. An audit process exists to validate the financial integrity of the system. Error logs are available and can be uploaded to the PB data center. Regularly scheduled physical visits from PB Service.
Q: What are the access controls in place to secure Connect+?
A: The application access is managed by the customer using User IDs and passwords. Unique, cryptographically strong passwords for each machine restrict access to the operating system.

Q: How do you authenticate an individual? A service?
A: The application access is managed by the customer using User IDs and passwords. The Connect+ Series does not provide services over a network, so authentication is not required.

Q: Are there audit trails in place?
A: Yes. PSD transactional audits, extensive logs; all financial transactions are audited by the PB infrastructure. The Connect+ Series logs all error conditions, and maintains ink usage logs, print usage logs, etc.

Q: Is data stored on the device? What controls protect the data?
A: Yes. The Connect+ Series stores transactional data, graphic images, customer profiles and settings, files (rates, etc.). All files and data interface utilizing HTTPS. Incoming data and files are signed and verified prior to use. If consumed by the printer, it is verified on each use. If used by the application, it is verified on load.

Q: Does the Connect+ Series allow remote administration?
A: Pitney Bowes will use TeamViewer to troubleshoot system problems remotely. The end user will initiate the session using a special code.