XLN Telecom

Have a friend interested in getting a biz line & DSL (EO area..) in her and apparently there has never been a phone line in the shop... she is currently using a 4G hotspot for her broadband and transaction connection which is working out awfully expensive, she's been looking at xln.co.uk but I've never heard of them.
Was going to suggest to her somewhere like Uno (who I'm with) or TTB themselves.

i'm assuming XLN are a LLU reseller? TT?

Anyone had Good or bad service from them.. looks TOO cheap for my liking.

Was staying in a guest house that used them on an ADSL line.
They had a Thomson router, configured with 2 SSID....
one a Guest wifi with SSID/password access, on a VPN to XLN HQ and brought up a splash page collecting email address.
The other one theirs / on the LAN sockets
There was however a problem - they left a port (80) open, and every time the credit card Co scanned the IP of their Card machine they violated the T&C and were fined 150 odd pounds (per month of failure)

The owners had complained to XLN many times/many months to be told nothing to do with them.
When I arrived, I quickly closed that for them (as Admin password was default !).

FYI: The idea of collecting some ID, is that you have some traceability if the line is abused, and that it terminates on a VPN to HQ, means abuse is separated from your local IP.

When they upgraded to FTTC (as the cabinet was under their window !), they changed the router to a different Thomson one.
They installed a guest Wifi - but completely open !!
and also a password protected SSID for their own use.
however, there was no longer a VPN / separation of traffic - which is a violation of most credit card machine company conditions.again (but is not visible externally).
When I highlighted that, the owners got on to XLN and the guest wifi was protected with a password (at least).

When changing to FTTC the termination ISP changed to Daisy Wholesale, so clearly a white label reseller of their services.
It is and always was a Static IP (Value changed when going ADSL -> FTTC)

So installation and support I would say less than perfect.
but speeds fine.. as I have seen with other Daisy connections.

I think what you need to establish is what they expect
- from a Business line (personal or with Guest wifi)
- from support
- IPv6 as well as IPv4 needed ?
(Daisy cannot do IPv6 on their lines, no matter who they re-sell)
etc.

if Guest wifi needed.. maybe BT would be fine..
They offer static IP's as well 'if needed' and
if you get a block of IP's their BHubs can do Multi NAT (NAT on each and every IP in the block by simple drop down menu config).
and offer BT Wifi as a guest facility....

of course there are the Zen's, AAISP which I would expect to be better support than BT or XLN.

Depends the needs and expectations..

and why go for a business line unless you have a real SLA that they will put it back in service if it is essential to your business. Might be better to go with a residential line (and offer), and get a second residential ISP as your redundancy ?

Where a PCI-listed P2PE solution is implemented the scope can be reduced irrespective of network architecture.

A hotel should not be relying upon their ISP to meet compliance, an ISP simply provides internet. Indeed a Thomson Speedtouch device is not intended to meet the segmentation requirements of the PCI industry, nor should it be expected to meet those requirements. XLN have no obligation to ensure the network topology is designed with the payment card industry in mind.

Indeed, an option is end-to-end encryption used on a payment device which transmits out over GPRS, with a third party complaint provider utilized. The hotel would be wise to only get tokens where transactions are approved, and not to store process or transmit any cardholder data in the clear. This would ensure physically separate networks. Typically, the payment device does not even sync with the POS, and the member of staff enters the transaction amount into the payment device, where it then bills the card over mobile network.

My key message here is it is unfair to discredit XLNs support for compliance matters unrelated to their service (providing internet only).

Yes and no..
And it was an opinion with a particular experience why..
It may have been an exception, and many will come on to say how brilliant they are.

My comment was to indicate the level of support I had seen by XLN as a business provider (and over several months)... and if that was in line with the friend of the OP's expectation.
'My' other experiences are that the Zen's etc are way better and not more expensive that the rates I have seen being paid for XLN. Your mileage may vary (as they say).

In particular XLN promotes their 'safe' and 'sane' choice
See here
They are selling card and other connectivity services to businesses.

My perspective is that if they don't want to support configuring the system then they should not supply any equipment. If they don't want to take the responsibility when it is reported by a non-technical owner that there is a problem, they should say they need pay for a specialist IT person or take the responsibility for their installation (incl password on router etc).

In general, what are small business owners to do ?

XLN had provided and configured the router.
at the simplest level...if a port was left open by the configurer ..
it was surely their responsibility to assist in solving the issue (directly or who to go to, not deny it was an issue)
Likewise, no one should be setting up a wifi with zero password/open status and not saying ??


As for the credit card Machine.
I agree, I did not understand why the supplier was concerned at external ports being open anyway.It is no indication of access in/out of the LAN or the card machine. The card link should be encrypted end to end with certificates etc.

And as it happens, yes, the machine was standalone connected by wifi, and where staff manually enter the amount also.

Back to expectations...
Business owners all over the country are buying 'business' connections from suppliers. They don't come with warnings any more than residential ones. But I know (like this owner), they expect support and that the supplied equipment is installed safely or they be explicitly warned what services / support they should additionally get, So can make an informed choice.
I also think the credit card Co's are setting unrealistic box ticking (i.e. not them expectations) in their T&C without providing a service (paid for or otherwise) to get a secure installation (not that as above it should be needed - ipsec etc..)

But hey, maybe my expectations are unreasonable.
And every small shop keeper / business owner should be only buying 'services' not standalone business broadband. BT currently has posters showing happy transactions on coffee shop owners taking payments, etc. As do some other providers wanting to be friends of businesses.

In an ideal world, no expectations and go to an all in one supplier (but from some ISP's the advert suggests that is what they are...even though they are not).

My banking client uses Verizon Business for their internet connection. Is verizon now responsible for ensuring the bank is secure from a cyber security perspective?

In particular XLN promotes their 'safe' and 'sane' choice
See here
They are selling card and other connectivity services to businesses.

In the absence of the end user purchasing XLNs card payment setup, we cannot comment. Based on your original comment it sounds as if the hotel owner has their own setup, which simply connects into XLN provided broadband.

My perspective is that if they don't want to support configuring the system then they should not supply any equipment.

They did not supply the payment machine, or did they? If not, there was zero requirement to ensure the router met the security requirements to take card payments. It's like me buying a shop, and then later installing an ATM, then ringing the mortgage company to ensure the ATM is installed in the shop securely. When it all goes wrong I then say the mortgage company should not be providing shops at all if don't support configuring everything in the properties.

In general, what are small business owners to do ?

Ensure IT systems they install meet baseline security standards, where they do not have the knowledge, invest in a specialist.

XLN had provided and configured the router.
at the simplest level...if a port was left open by the configurer ..

I cannot be certain however I can say it is almost unheard of for ISPs to supply routers with the router management internet facing on port 80 as a standard practice.

it was surely their responsibility to assist in solving the issue (directly or who to go to, not deny it was an issue)

There responsibility ends with supplying an internet connection via the ISP supplied kit. This they were doing.

Likewise, no one should be setting up a wifi with zero password/open status and not saying ??

It is common play for devices to come with default credentials, a basic concept of security is to change default credentials.

I agree, I did not understand why the supplier was concerned at external ports being open anyway.It is no indication of access in/out of the LAN or the card machine. The card link should be encrypted end to end with certificates etc.

An open port is a potential entry point into the network, each open port represents a possible attack vector. If the router had a known vulnerability, it could be exploited over this port. Further, it is possible to enumerate information regarding the home network by logging in remotely to the network. You mention there are default credentials. Encryption on card machines is not standard, and even the Payment Card Industry does not mandate it, but rather requires network segmentation. Where segmentation is not possible we often see companies moving to these end-to-end encryption methods... It is commonplace to see card details being transmitted in clear-text, some companies even store the details in clear-text, but as a compensating control the server which stores the data will be segmented without access to the internet.

And as it happens, yes, the machine was standalone connected by wifi, and where staff manually enter the amount also.

Notice I mentioned over GPRS, this is not WiFi but the mobile phone network. E.g. the device will have an EE/Vodafone SIM internally, so it has it's own network connection outside of the standard network (used by the POS devices).

Back to expectations...
Business owners all over the country are buying 'business' connections from suppliers. They don't come with warnings any more than residential ones. But I know (like this owner), they expect support and that the supplied equipment is installed safely or they be explicitly warned what services / support they should additionally get, So can make an informed choice.
I also think the credit card Co's are setting unrealistic box ticking (i.e. not them expectations) in their T&C without providing a service (paid for or otherwise) to get a secure installation (not that as above it should be needed - ipsec etc..)

But hey, maybe my expectations are unreasonable.

And every small shop keeper / business owner should be only buying 'services' not standalone business broadband. BT currently has posters showing happy transactions on coffee shop owners taking payments, etc. As do some other providers wanting to be friends of businesses.

BT Broadband can take card payments, as can any other ISP, the end user needs to ensure that installation is then secure.

Banks use Verizon, Vodafone, BT etc, the security design remains the same irrespective of ISP. The ISPs job is not to ensure the security of installations in the business users network environment. At the end of the day, if a busines user decides to connect in a 15 year old end of life Windows XP machine and use that for a point of sale, the ISP can do zilch. The ISP isn't going to say "hey this is insecure."

Thanks for all that info of your experience. I�ll be setting up the connection and router so there shouldn�t be any issues like you experienced.

She�s decided this afternoon to go with Pulse8 instead as I�ve had (and a few friends) have had better experiences with them. Should be interesting as no ISP can find the premises (in the middle of the city centre) on the BT OR systems.

She does not need a public/guest WiFi.

Just checking my monitoring and noticed this thread, I work at XLN tech so if you do decide to go with XLN and need any support you dont get on the phone feel free to PM me

I have no opinion on whether this is or is not a member of the XLN tech team, but as always never divulge personal details to people when you cannot be certain who they are.

Post deleted by technoman29