[arin-ppml] The role of NAT in IPv6
David Farmer
farmer at umn.edu
Fri Apr 16 03:06:53 EDT 2010
Stuart Sheldon wrote:
> I have never seen anything in writing that states you must run NAT to
> maintain HIPAA, PCI, or DSS compliance. If such a rule actually exists,
> can someone please post a URL for reference?
The PCI-DSS can be downloaded here:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
There is a lot of nasty license agreement bla-bla-bla, that I just
clicked through and have probably just violated to boot, but yes it does
say NAT.
From PCI DSS V1.2
------
PCI DSS Requirement
1.3.8 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies—for example, port address translation (PAT).
Testing Procedures
1.3.8 For the sample of firewall and router components, verify that NAT or other technology using RFC 1918 address space is used to restrict broadcast of IP addresses from the internal network to the Internet (IP masquerading).
------
Yes, you can provide Compensating Controls, but you will need to do more
documentation and probably have to argue with auditors, managers,
security consultants, etc... They will all point at this section, then
you point to the Compensating Controls section, round and round and
round you go....
We actually don't use NAT for PCI on our network; we document public
addresses with a stateful firewall as a Compensating Control. However, we
are tempted to switch to NAT because we are tired of arguing with people
about it; we really do have better things to do, you know. Maybe like
arguing with all of you on PPML, at least you all are more fun than the
auditors. :)
HIPAA is a lot more complicated, and nowhere near as clear-cut either way,
but since it has criminal penalties associated with it people get even
more crazy. I hope you have good health insurance, because you are
really going to need therapy and good pharmaceuticals by the time you are
done with those meetings. ;)
The real problem with all of this stuff is no one wants to be the nail
standing tall or a field from everyone else, because you will get
pounded down.
--
===============================================
David Farmer Email: farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
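As an added example (not part of the ARIN-PPML post, and not PCI SSC material), here is a small audit helper modelled on the testing procedure for requirement 1.3.8 quoted above: it checks that each internal host sits in RFC 1918 space and is covered by a masquerade rule that translates to a public address, and it lets a host with a public address pass only when a compensating control is documented for it, which is the approach the post describes. The host inventory and the (source network, translated address) rule format are constructed, simplified inputs, not any firewall vendor's syntax.

```python
"""Audit helper for the PCI DSS v1.2 requirement 1.3.8 testing procedure.

Added example: the inventory and rule formats are hypothetical and the
sample data below is constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# The three private ranges defined by RFC 1918, which 1.3.8 names explicitly.
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit_masquerading(
    hosts: Dict[str, str],
    nat_rules: List[Tuple[str, str]],
    compensating_controls: Dict[str, str] = None,
) -> List[str]:
    """Return a list of findings; an empty list means every host passes.

    hosts: host name -> internal IPv4 address (hypothetical inventory format).
    nat_rules: (source network, translated address) masquerade/PAT rules.
    compensating_controls: host name -> documented control text, for hosts
    that deliberately carry public addresses behind a stateful firewall.
    """
    compensating_controls = compensating_controls or {}
    findings: List[str] = []
    rules = [
        (ipaddress.ip_network(src), ipaddress.ip_address(pub))
        for src, pub in nat_rules
    ]

    # A rule whose translated address is itself private does not hide anything
    # from the Internet, so flag it before looking at the hosts.
    for src_net, pub in rules:
        if any(pub in net for net in RFC1918):
            findings.append(
                f"rule {src_net} -> {pub}: translated address is itself RFC 1918"
            )

    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if not is_rfc1918(addr):
            # Public internal address: acceptable only with a documented control.
            if name not in compensating_controls:
                findings.append(
                    f"{name} ({addr}): not in RFC 1918 space and no compensating "
                    "control documented"
                )
            continue
        # Private address that no masquerade rule covers would either be
        # unreachable or leak its private source address outbound.
        if not any(ip in src_net for src_net, _ in rules):
            findings.append(f"{name} ({addr}): no masquerade rule covers this address")
    return findings


# Constructed sample inventory: two hosts behind PAT, one private host that
# no rule covers, and one host deliberately numbered from public space.
SAMPLE_HOSTS = {
    "db01": "10.1.2.10",
    "web01": "10.1.3.20",
    "legacy": "192.168.50.5",
    "dmz-mail": "203.0.113.7",
}
SAMPLE_NAT = [("10.1.0.0/16", "198.51.100.1")]

if __name__ == "__main__":
    for finding in audit_masquerading(SAMPLE_HOSTS, SAMPLE_NAT) or ["no findings"]:
        print(finding)
```

Running it on the sample data reports two findings (the uncovered 192.168.50.5 host and the public-addressed mail host); passing a `compensating_controls` entry for the mail host reduces that to one, which is the paper trail the auditors will ask for.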