Re: Is NAT can provide some kind of protection?

[Merike Kaeo <kaeo () merike com>]

PCI DSS just came up with version 2 in October 2010 and one of the changes was:

"Removed specific references to IP masquerading and use of network address translation (NAT) technologies and added 
examples of methods for preventing private IP address disclosure."

- merike


On Jan 12, 2011, at 10:01 PM, Owen DeLong wrote:

> PCI DSS does not require it. It suggests it. It allows you to do other things
> which show equivalent security.
>
> Also, the PCI DSS requirements for NAT are not on the web server, they
> are on the back-end processing machine which should NOT be the same
> machine that is talking to the customers. (I believe that's also part of the
> PCI DSS, but, I haven't read it recently).
>
> PCI DSS is in desperate need of revision and does not incorporate
> current knowledge.
>
> Owen
>
> On Jan 12, 2011, at 9:02 PM, Justin Scott wrote:
>
> > Unfortunately there are some sets of requirements which require this
> > type of configuration.  The PCI-DSS comes to mind for those who deal
> > with credit card transactions.
> >
> > -Justin
> >
> > On Wednesday, January 12, 2011, Dobbins, Roland <rdobbins () arbor net> wrote:
> > > On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote:
> > >
> > > > Security guy told me is not correct to assign public ip to a server, it should have private ip for security 
> > > > reasons.
> > >
> > > He's wrong.
> > >
> > > > Is it true that NAT can provide more security?
> > >
> > >
> > > No, it makes things worse from an availability perspective.  Servers should never be NATted or placed behind a 
> > > stateful firewall.
> > >
> > > -----------------------------------------------------------------------
> > > Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
> > >
> > >            Sell your computer and buy a guitar.