Educause Security Discussion mailing list archives
Re: Merchant services credit card project
From: Steve Bernard <sbernard () GMU EDU>
Date: Mon, 27 Jun 2005 00:35:22 -0400
Specific access controls seem to be about as nebulous as the use of NAT. They don't specify how NAT should be configured, just that NAT should be used. So, if I give a processing system a private RFC-1918 address, but map it to a public IP address on the external interface of the NAT gateway, anything sent to the public IP address will be forwarded to the private without change ... unless a proxy or other application layer inspection is performed, but they don't say anything about that. My example is only one of many possible uses of NAT/PAT, but it serves to illustrate the point.

It seems to be constructed as to require that you have one of their approved assessment partners come in to provide the answers and sign off on any compensating controls that don't match their check list explicitly. From what we were told by one such partner, all items must have a positive response, or an approved compensation.

Steve

On Jun 26, 2005, at 11:51 PM, Scott Genung wrote:

> Willis,
>
> OK. That's the definition I've been pushing. So the next question is (also part of the debate), what constitutes a firewall? Can it be host based (this was implied) or must it be a network appliance? Or, can it be router ACLs using the established keyword for providing basic stateful inspection protection?
>
> At 10:19 PM 6/26/2005, Willis Marti wrote:
>
>> > For example, the term public facing (used in the self assessment) is something that we don't seem to agree on here. Does this mean the public Internet or basically anyone (including campus users) that interface to the front-end transaction gateway?
>>
>> We have about 10 different processing sites physically on our main campus. Our understanding is that for each processing system, I have to establish a demarcation point, using a firewall that does NAT, such that all traffic to a credit card system flows through that firewall. Any system "behind" the firewall must be covered by the assessment. Anything outside that firewall is the public. So we have a campus (and some departmental) firewall, but we also have a firewall in front of every processing system. Our residence halls, for example, are behind the campus firewall, but are "public" compared to any of the card processing systems.
>>
>> Cheers,
>> Willis Marti
>> Associate Director for Networking
>> Computing & Information Services
>> Texas A&M University
>
> Scott Genung
> Manager of Networking Systems
> Telecommunications and Networking
> Illinois State University
> 124 Julian Hall
> Normal, IL 61790-3500
> sagenung () ilstu edu
> Phone: (309)438-7258
> Web: http://www.tel.ilstu.edu
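The following Python model is an added illustration of the two points raised in this message, not code or configuration posted by any participant: Steve's observation that a 1:1 NAT mapping forwards whatever arrives at the public address to the private host unchanged, and Scott's question of whether a router ACL using the `established` keyword amounts to stateful inspection. The addresses, ports, packets and the simple connection-tracking filter are all constructed for the example.

```python
"""Toy model of the controls debated in this thread: a static 1:1 NAT mapping,
a router ACL using the "established" keyword, and a genuinely stateful filter.
Added illustration for this archive page, not configuration from any of the
posters' sites; every address, port and packet below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN"})


# Static NAT: public 203.0.113.10 maps 1:1 to the RFC-1918 host 10.0.5.20.
# Constructed addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
STATIC_NAT = {"203.0.113.10": "10.0.5.20"}


def static_nat_translate(pkt):
    """1:1 NAT only rewrites the destination address and forwards the packet.
    It inspects nothing, so anything aimed at the public address reaches the
    private host unchanged. Returns None when no mapping exists."""
    inside = STATIC_NAT.get(pkt.dst)
    if inside is None:
        return None
    return Packet(pkt.src, inside, pkt.sport, pkt.dport, pkt.flags)


def established_acl_permits(pkt):
    """Cisco-style 'permit tcp any any established': matches any segment with
    the ACK or RST bit set. No session table is consulted, so this is flag
    matching, not stateful inspection."""
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Minimal connection-tracking filter sitting behind the NAT. Inbound
    segments are permitted only if they answer a flow the inside host opened,
    or are a fresh SYN to an explicitly allowed service port."""

    def __init__(self, allowed_inbound_ports):
        self.allowed = set(allowed_inbound_ports)
        self.expected_replies = set()

    def outbound(self, pkt):
        # Record the reversed tuple that a reply to this flow would carry.
        self.expected_replies.add((pkt.dst, pkt.src, pkt.dport, pkt.sport))

    def inbound_permits(self, pkt):
        if (pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.expected_replies:
            return True
        is_new_syn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        return is_new_syn and pkt.dport in self.allowed


def evaluate_inbound(pkt, filt):
    """Report whether each control lets an inbound packet reach the processing host."""
    inside_pkt = static_nat_translate(pkt)
    if inside_pkt is None:
        return {"nat_forwards": False, "established_acl": False, "stateful": False}
    return {
        "nat_forwards": True,
        "established_acl": established_acl_permits(inside_pkt),
        "stateful": filt.inbound_permits(inside_pkt),
    }


def run_scenarios():
    """Constructed traffic: the card system (10.0.5.20) only needs inbound
    HTTPS from the public and opens its own outbound connections."""
    filt = StatefulFilter(allowed_inbound_ports={443})
    # The inside host initiates a flow to a remote service; the filter notes it.
    filt.outbound(Packet("10.0.5.20", "198.51.100.7", 51000, 443, frozenset({"SYN"})))
    public = "203.0.113.10"
    scenarios = {
        "reply_to_our_flow": Packet("198.51.100.7", public, 443, 51000, frozenset({"SYN", "ACK"})),
        "new_https_client": Packet("198.51.100.9", public, 40000, 443, frozenset({"SYN"})),
        "unsolicited_syn_3389": Packet("198.51.100.9", public, 40001, 3389, frozenset({"SYN"})),
        "ack_only_3389_no_session": Packet("198.51.100.9", public, 40002, 3389, frozenset({"ACK"})),
    }
    return {name: evaluate_inbound(pkt, filt) for name, pkt in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28} {verdict}")
```

Two things the run makes visible: the NAT column is true for every scenario, which is Steve's point that static NAT by itself is address rewriting rather than an access control; and the `established` column differs from the stateful column in both directions, denying a legitimate new HTTPS client (so such an ACL always needs explicit per-service permit lines alongside it) while permitting a segment that merely carries the ACK bit with no session behind it. Only the connection-tracking filter reaches the verdicts an assessor would expect from "stateful inspection".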
Current thread:
- Merchant services credit card project Theresa M Rowe (Jun 24)
- <Possible follow-ups>
- Re: Merchant services credit card project Scott Genung (Jun 26)
- Re: Merchant services credit card project Willis Marti (Jun 26)
- Re: Merchant services credit card project Scott Genung (Jun 26)
- Re: Merchant services credit card project Steve Bernard (Jun 26)
- Re: Merchant services credit card project Steve Bernard (Jun 26)
- Re: Merchant services credit card project Willis Marti (Jun 27)
- Re: Merchant services credit card project Willis Marti (Jun 27)
- Re: Merchant services credit card project Theresa M Rowe (Jun 27)