Mark Andrews wrote:
Please cite references.
I can find plenty of firewall required references but I'm
yet to find a NAT and/or RFC 1918 required.
(Skip if you've participated in a SOX audit from the IT department POV)
The way it works is that the law doesn't call for specific measures. The
law calls for audits. Audits are done by outside firms (like "large
accounting firms") using their internally-developed checklists for
compliance. Passing the checklist gets you an unqualified audit. Failing
a few items gets you a qualified audit. Failing more means you don't
have the necessary audit document to present.
The exact details of every line item are typically under non-disclosure
when presented to the IT department for review, so for instance I can't
post the ones from the last audit I participated in.
Firms are also free to develop their own internal control guidelines, as
long as they can convince the outside auditor that the controls are at
least as strong as the ones on the checklist.
Other regulations, like HIPAA, also require the same thing. For
instance, the top Google hit for HIPAA and "private address space" links
to a wustl.edu document regarding how their controls over
HIPAA-protected information are implemented (including the use of
private address space and the use of multiple layers of NAT).
It takes a *lot* longer to get policies changed and auditors to sign off
on the revised policies than it does to make a change in a router. That
means that the process of updating policies should have started *even
sooner* than the process of upgrading and reconfiguring routers for
IPv6. But since there are still open questions (like the recent discussion
of IPv6 NAT on the BEHAVE list) that have no answers at all, I can
imagine why some folks might be putting off revising their policies and
asking for external review of those.
Matthew Kaufman