Is NAT can provide some kind of protection?

Merike Kaeo kaeo at merike.com
Thu Jan 13 01:44:53 CST 2011


PCI DSS just came up with version 2 in October 2010 and one of the changes was:

"Removed specific references to IP masquerading and use of network address translation (NAT) technologies and added examples of methods for preventing private IP address disclosure."

- merike


On Jan 12, 2011, at 10:01 PM, Owen DeLong wrote:

> PCI DSS does not require it. It suggests it. It allows you to do other things
> which show equivalent security.
> 
> Also, the PCI DSS requirements for NAT are not on the web server, they
> are on the back-end processing machine which should NOT be the same
> machine that is talking to the customers. (I believe that's also part of the
> PCI DSS, but, I haven't read it recently).
> 
> PCI DSS is in desperate need of revision and does not incorporate
> current knowledge.
> 
> Owen
> 
> On Jan 12, 2011, at 9:02 PM, Justin Scott wrote:
> 
>> Unfortunately there are some sets of requirements which require this
>> type of configuration.  The PCI-DSS comes to mind for those who deal
>> with credit card transactions.
>> 
>> -Justin
>> 
>> On Wednesday, January 12, 2011, Dobbins, Roland <rdobbins at arbor.net> wrote:
>>> 
>>> On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote:
>>> 
>>>> Security guy told me is not correct to assign public ip to a server, it should have private ip for security reasons.
>>> 
>>> He's wrong.
>>> 
>>>> Is it true that NAT can provide more security?
>>> 
>>> 
>>> No, it makes things worse from an availability perspective.  Servers should never be NATted or placed behind a stateful firewall.
>>> 
>>> -----------------------------------------------------------------------
>>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>> 
>>>            Sell your computer and buy a guitar.
>>> 
>>> 
>>> 
>>> 
>>> 
> 
> 




More information about the NANOG mailing list