VendNovation Networking Overview

Abstract
This paper describes how VendNovation solutions use the Ethernet network. The information is intended to answer the security questions that network administrators typically ask.

Overview of VendNovation Solutions
VendNovation solutions enable vending machines to connect to VendNovation’s back-end processing system for the purposes of credit card processing, user account authentication, or simply reporting sales. Using this information, the vending operator can accurately determine the status of the machine and provide high levels of service to the end user.
Connectivity

VendNovation solutions encrypt data using a combination of RSA-2048 and AES-128, and transmit that data over HTTP (TCP 80). Included in the payload is a digital signature (using RSA-2048) to prove that the client is a VendNovation device. All data sent to or from a VendNovation device is encrypted in this manner.
AES keys are randomly generated and exchanged every time the VendNovation device contacts the server.
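The hybrid scheme described above, as an added example and not VendNovation's own code: the device seals each report under a fresh AES-128 key wrapped to the server's RSA-2048 key and signs the whole envelope, and the server verifies the device signature before it unwraps anything. Because the transport is plain HTTP, this envelope is the only protection the payload has in transit. The Envelope layout, the choice of OAEP, PSS and GCM, and the NewKey helper are assumptions; the page does not specify them.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is an assumed wire format (not VendNovation's own): a one-time AES-128 key wrapped to the
// server's RSA-2048 key, the AES-GCM ciphertext, and the device's RSA-PSS signature binding all three.
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }

// NewKey makes a 2048-bit RSA key pair; the demo uses one for the server and one per device.
func NewKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // fails only if the OS random source is broken
	return k
}

// Seal is the device side: fresh AES-128 key and nonce per contact, key wrapped with RSA-OAEP, envelope signed with RSA-PSS.
func Seal(msg []byte, serverPub *rsa.PublicKey, devicePriv *rsa.PrivateKey) (*Envelope, error) {
	buf := make([]byte, 28) // 16-byte AES-128 key followed by a 12-byte GCM nonce
	rand.Read(buf)          // crypto/rand.Read fills the whole buffer; since Go 1.24 it cannot return an error
	key, nonce := buf[:16], buf[16:]
	block, _ := aes.NewCipher(key) // a 16-byte key, so neither constructor can fail
	aead, _ := cipher.NewGCM(block)
	ct := aead.Seal(nil, nonce, msg, nil)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil) // 16 bytes always fit under a 2048-bit modulus
	sum := sha256.Sum256(bytes.Join([][]byte{wrapped, nonce, ct}, nil))          // same field order as in Open
	sig, err := rsa.SignPSS(rand.Reader, devicePriv, crypto.SHA256, sum[:], nil)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, err
}

// Open is the server side: verify the device signature before any RSA decryption, then unwrap the key and decrypt.
func Open(e *Envelope, devicePub *rsa.PublicKey, serverPriv *rsa.PrivateKey) ([]byte, error) {
	sum := sha256.Sum256(bytes.Join([][]byte{e.WrappedKey, e.Nonce, e.Ciphertext}, nil))
	if err := rsa.VerifyPSS(devicePub, crypto.SHA256, sum[:], e.Signature, nil); err != nil {
		return nil, err // not signed by the expected device: drop it before doing any expensive work
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, e.WrappedKey, nil)
	if err != nil || len(key) != 16 { // even a signed device must not be able to crash the server with junk
		return nil, rsa.ErrDecryption
	}
	block, _ := aes.NewCipher(key) // length checked above
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, e.Nonce, e.Ciphertext, nil)
}
```

The server side must also know which device public key to verify against, for example by looking it up from the device's MAC address or another identifier carried in clear alongside the envelope.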

A typical transaction with the server will send a total of about 2 kilobytes of data. When downloading an update from the server, the data size can reach about 50 kilobytes. VendNovation solutions check for updates once a day, sometime between 3am and 4am, in order to minimize the impact of the increased network usage.

VendNovation solutions will only establish connections with VendNovation’s back-end server (www.vendnovation.com), whose IP address is 50.112.128.240 (hosted in the Amazon cloud). Network administrators are free to restrict the device’s communications to this address. If, for some unforeseen reason, the IP address of VendNovation’s server needs to be changed, all of VendNovation’s clients will be notified in advance, so that firewall rules can be updated.
VendNovation solutions cannot be configured to use an explicit proxy. If a proxy service is required, it must be a transparent proxy.

Every VendNovation device has a unique MAC address, purchased from the IEEE. The MAC address can be found on a sticker on the back of the control board, or in the service menu.

Cloud
VendNovation’s back-end servers are hosted in Amazon’s secure, PCI-compliant datacenters. The servers are only accessible to authorized VendNovation staff, and are engineered to provide maximum uptime while providing data redundancy in the case of any hardware failure.

For an overview of Amazon’s cloud system security, visit:
http://aws.amazon.com/ec2/#highlights

For detailed information about Amazon’s cloud hosting security, you can view the whitepaper here:
http://d36cz9buwru1tt.cloudfront.net/pdf/AWS_Security_Whitepaper.pdf