[134947] in North American Network Operators' Group


Re: Is NAT can provide some kind of protection?

daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Jan 13 01:06:42 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTikhRomKtAkL4dq6jejEeuRaP1WK1=d7MuNQ+z1D@mail.gmail.com>
Date: Wed, 12 Jan 2011 22:01:04 -0800
To: Justin Scott <leviathan@darktech.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

PCI DSS does not require it. It suggests it. It allows you to do other things
which show equivalent security.

Also, the PCI DSS requirements for NAT are not on the web server, they
are on the back-end processing machine which should NOT be the same
machine that is talking to the customers. (I believe that's also part of the
PCI DSS, but, I haven't read it recently).

PCI DSS is in desperate need of revision and does not incorporate
current knowledge.

Owen

On Jan 12, 2011, at 9:02 PM, Justin Scott wrote:

> Unfortunately there are some sets of requirements which require this
> type of configuration.  The PCI-DSS comes to mind for those who deal
> with credit card transactions.
>
> -Justin
>
> On Wednesday, January 12, 2011, Dobbins, Roland <rdobbins@arbor.net> wrote:
>>
>> On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote:
>>
>>> Security guy told me it is not correct to assign public ip to a server, it should have private ip for security reasons.
>>
>> He's wrong.
>>=20
>>> Is it true that NAT can provide more security?
>>
>> No, it makes things worse from an availability perspective.  Servers should never be NATted or placed behind a stateful firewall.
>>
>> -----------------------------------------------------------------------
>> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>>
>>             Sell your computer and buy a guitar.
>>


