PCI DSS just came out with version 2 in October 2010, and one of the changes was:

"Removed specific references to IP masquerading and use of network address translation (NAT) technologies and added examples of methods for preventing private IP address disclosure."

- merike

On Jan 12, 2011, at 10:01 PM, Owen DeLong wrote:

> PCI DSS does not require it. It suggests it. It allows you to do other things
> which show equivalent security.
>
> Also, the PCI DSS requirements for NAT are not on the web server, they
> are on the back-end processing machine which should NOT be the same
> machine that is talking to the customers. (I believe that's also part of the
> PCI DSS, but I haven't read it recently.)
>
> PCI DSS is in desperate need of revision and does not incorporate
> current knowledge.
>
> Owen
>
> On Jan 12, 2011, at 9:02 PM, Justin Scott wrote:
>
>> Unfortunately there are some sets of requirements which require this
>> type of configuration. The PCI-DSS comes to mind for those who deal
>> with credit card transactions.
>>
>> -Justin
>>
>> On Wednesday, January 12, 2011, Dobbins, Roland <rdobb...@arbor.net> wrote:
>>>
>>> On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote:
>>>
>>>> Security guy told me it is not correct to assign a public IP to a server; it
>>>> should have a private IP for security reasons.
>>>
>>> He's wrong.
>>>
>>>> Is it true that NAT can provide more security?
>>>
>>> No, it makes things worse from an availability perspective. Servers should
>>> never be NATted or placed behind a stateful firewall.
>>>
>>> -----------------------------------------------------------------------
>>> Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
>>>
>>> Sell your computer and buy a guitar.