Is NAT can provide some kind of protection?

Owen DeLong owen at delong.com
Thu Jan 13 06:01:04 UTC 2011


PCI DSS does not require it. It suggests it. It allows you to do other things
which show equivalent security.

Also, the PCI DSS requirements for NAT are not on the web server, they
are on the back-end processing machine which should NOT be the same
machine that is talking to the customers. (I believe that's also part of the
PCI DSS, but I haven't read it recently.)

PCI DSS is in desperate need of revision and does not incorporate
current knowledge.

Owen

On Jan 12, 2011, at 9:02 PM, Justin Scott wrote:

> Unfortunately there are some sets of requirements which require this
> type of configuration.  The PCI-DSS comes to mind for those who deal
> with credit card transactions.
> 
> -Justin
> 
> On Wednesday, January 12, 2011, Dobbins, Roland <rdobbins at arbor.net> wrote:
>> 
>> On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote:
>> 
>>> A security guy told me it is not correct to assign a public IP to a server; it should have a private IP for security reasons.
>> 
>> He's wrong.
>> 
>>> Is it true that NAT can provide more security?
>> 
>> 
>> No, it makes things worse from an availability perspective.  Servers should never be NATted or placed behind a stateful firewall.
>> 
>> -----------------------------------------------------------------------
>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>> 
>>             Sell your computer and buy a guitar.
>> 





More information about the NANOG mailing list