[134950] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
Thu Jan 13 02:45:12 2011
From: Merike Kaeo <kaeo@merike.com>
In-Reply-To: <4B795F7A-2D6F-4BCE-9261-725D82A98974@delong.com>
Date: Wed, 12 Jan 2011 23:44:53 -0800
To: Owen DeLong <owen@delong.com>
Cc: nanog@nanog.org
PCI DSS just came up with version 2 in October 2010 and one of the changes was:

"Removed specific references to IP masquerading and use of network address translation (NAT) technologies and added examples of methods for preventing private IP address disclosure."
- merike
On Jan 12, 2011, at 10:01 PM, Owen DeLong wrote:
> PCI DSS does not require it. It suggests it. It allows you to do other things
> which show equivalent security.
>
> Also, the PCI DSS requirements for NAT are not on the web server, they
> are on the back-end processing machine which should NOT be the same
> machine that is talking to the customers. (I believe that's also part of the
> PCI DSS, but, I haven't read it recently).
>
> PCI DSS is in desperate need of revision and does not incorporate
> current knowledge.
>
> Owen
>
> On Jan 12, 2011, at 9:02 PM, Justin Scott wrote:
>
>> Unfortunately there are some sets of requirements which require this
>> type of configuration. The PCI-DSS comes to mind for those who deal
>> with credit card transactions.
>>=20
>> -Justin
>>=20
>> On Wednesday, January 12, 2011, Dobbins, Roland <rdobbins@arbor.net> =
wrote:
>>>=20
>>> On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote:
>>>=20
>>>> Security guy told me is not correct to assign public ip to a =
server, it should have private ip for security reasons.
>>>=20
>>> He's wrong.
>>>=20
>>>> Is it true that NAT can provide more security?
>>>=20
>>>=20
>>> No, it makes things worse from an availability perspective. Servers =
should never be NATted or placed behind a stateful firewall.
>>>=20
>>> =
-----------------------------------------------------------------------
>>> Roland Dobbins <rdobbins@arbor.net> // =
<http://www.arbornetworks.com>
>>>=20
>>> Sell your computer and buy a guitar.
>>>=20
>>>=20
>>>=20
>>>=20
>>>=20
>=20
>=20