Re: Merchant services credit card project

[Steve Bernard <sbernard () GMU EDU>]

Specific access controls seem to be about as nebulous as the use of
NAT.  They don't specify how NAT should be configured, just that NAT
should be used.  So, if I give a processing system a private RFC-1918
address, but map it to a public IP address on the external interface
of the NAT gateway, anything sent to the public IP address will be
forwarded to the private without change ... unless a proxy or other
application layer inspection is performed, but they don't say
anything about that.  My example is only one of many possible uses of
NAT/PAT, but it serves to illustrate the point.  It seems to be
constructed as to require that you have one of their approved
assessment partners come in to provide the answers and sign off on
any compensating controls that don't match their check list
explicitly.  From what we were told by one such partner, all items
must have a positive response, or an approved compensation.


Steve



On Jun 26, 2005, at 11:51 PM, Scott Genung wrote:

> Willis,
>
> OK. That's the definition I've been pushing. So the next question
> is (also part of the debate), what constitutes a firewall? Can it
> be host based (this was implied) or must it be a network appliance?
> Or, can it be router ACLs using the established keyword for
> providing basic stateful inspection protection?
>
> At 10:19 PM 6/26/2005, Willis Marti wrote:
>
> > > For example, the term public facing (used in the
> > > self assessment) is something that we don't seem to agree on
> > here. Does
> > > this mean the public Internet or basically anyone (including
> > campus users)
> > > that interface to the front-end transaction gateway?
> >
> >  We have about 10 different processing sites physically on our
> > main campus.
> > Our understanding is that for each processing system, I have to
> > establish a
> > demarcation point, using a firewall that does NAT, such that all
> > traffic to
> > a credit card system flows through that firewall. Any system
> > "behind" the
> > firewall must be covered by the assessment. Anything outside that
> > firewall
> > is the public. So we have a campus (and some departmental)
> > firewall, but we
> > also have a firewall in front of every processing system. Our
> > residence halls,
> > for example, are behind the campus firewall, but are "public"
> > compared to any
> > of the card processing systems.
> > Cheers,
> >  Willis Marti
> >  Associate Director for Networking
> >  Computing & Information Services
> >  Texas A&M University
>
>
> Scott Genung
> Manager of Networking Systems
> Telecommunications and Networking
> Illinois State University
> 124 Julian Hall
> Normal, IL 61790-3500
>
> sagenung () ilstu edu
> Phone: (309)438-7258
> Web: http://www.tel.ilstu.edu