Is NAT can provide some kind of protection?

Merike Kaeo kaeo at merike.com
Thu Jan 13 07:44:53 UTC 2011


PCI DSS just came up with version 2 in October 2010 and one of the changes was:

"Removed specific references to IP masquerading and use of network address translation (NAT) technologies and added examples of methods for preventing private IP address disclosure."

- merike


On Jan 12, 2011, at 10:01 PM, Owen DeLong wrote:

> PCI DSS does not require it. It suggests it. It allows you to do other things
> which show equivalent security.
> 
> Also, the PCI DSS requirements for NAT are not on the web server, they
> are on the back-end processing machine which should NOT be the same
> machine that is talking to the customers. (I believe that's also part of the
> PCI DSS, but, I haven't read it recently).
> 
> PCI DSS is in desperate need of revision and does not incorporate
> current knowledge.
> 
> Owen
> 
> On Jan 12, 2011, at 9:02 PM, Justin Scott wrote:
> 
>> Unfortunately there are some sets of requirements which require this
>> type of configuration.  The PCI-DSS comes to mind for those who deal
>> with credit card transactions.
>> 
>> -Justin
>> 
>> On Wednesday, January 12, 2011, Dobbins, Roland <rdobbins at arbor.net> wrote:
>>> 
>>> On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote:
>>> 
>>>> Security guy told me it is not correct to assign a public IP to a server; it should have a private IP for security reasons.
>>> 
>>> He's wrong.
>>> 
>>>> Is it true that NAT can provide more security?
>>> 
>>> 
>>> No, it makes things worse from an availability perspective.  Servers should never be NATted or placed behind a stateful firewall.
>>> 
>>> -----------------------------------------------------------------------
>>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>> 
>>>            Sell your computer and buy a guitar.
>>> 
>>> 
>>> 
>>> 
>>> 
> 
> 



