[arin-ppml] IPV4 allocations

Michael K. Smith mksmith at adhost.com
Sun Jan 4 13:00:47 EST 2009


I'm not sure I agree, but I'll keep it brief because this is PPML and not a
PCI list after all.  :-)


On 1/4/09 5:53 AM, "McNutt, Justin M." <McNuttJ at missouri.edu> wrote:

> 
>> If IPv6 is going to pass through the present litany of compliance
>> bodies then Firewalls and NAT are here to stay.  PCI requires both,
>> HIPAA doesn't specifically, but there's no other way to meet the
>> privacy requirements without them and now Microsoft's new PII
>> standard has similar wording to PCI.
> 
> Actually, PCI requires firewalls, but not NAT.  I'm told by our
> compliance people that a firewall that rejects all incoming traffic
> makes the host "unaddressable from the Internet," which is sufficient.
> I've never heard an auditor complain once he was shown the
> accountability issue on top of it.
> 

Check out PCI DSS 1.2 Section 1.3.8

"Implement IP masquerading to prevent internal addresses from being
translated and revealed on the Internet, using RFC 1918 address space. Use
network address translation (NAT) technologies, for example, port address
translation (PAT)."

Having the cardholder data completely locked down and unavailable is also
required, but you have to have NAT in front of the application that serves
the whole compliant network.

Regards,

Mike
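To make the two positions in this exchange concrete, here is an added nftables ruleset (not from the thread or from PCI DSS) that implements both controls: a default-deny inbound filter, which is what makes hosts "unaddressable from the Internet", and RFC 1918 masquerading (PAT) as Requirement 1.3.8 asks for. Interface names and the 10.20.0.0/16 network are constructed values.

```nft
# Added example: edge firewall for a segment using RFC 1918 space.
# Assumed interfaces and address space (constructed, not from the thread).
define wan = "eth0"
define lan = "eth1"
define internal_net = 10.20.0.0/16

table inet cde_edge {
    chain input {
        # Default-deny inbound: nothing on the Internet can initiate a
        # session to the firewall itself, regardless of NAT.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
    }
    chain forward {
        # Default-deny forwarding: only sessions started from the inside
        # are allowed, so internal hosts cannot be reached from outside.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname $lan oifname $wan ip saddr $internal_net accept
    }
}

table ip cde_nat {
    chain postrouting {
        # PCI DSS 1.2 Req. 1.3.8: masquerade RFC 1918 sources (PAT) so
        # internal addresses are never revealed on the Internet.
        type nat hook postrouting priority 100;
        oifname $wan ip saddr $internal_net masquerade
    }
}
```

Load with `nft -f` on a Linux gateway; the filter tables alone satisfy the "unaddressable" argument, while the nat table is what an auditor reading 1.3.8 literally will look for.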
