[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Requirements for IPv6 Firewalls

Subject: Requirements for IPv6 Firewalls
From: mpalmer at hezmatt.org (Matt Palmer)
Date: Sat, 19 Apr 2014 09:02:04 +1000
In-reply-to: <CF772128.50EA3%[email protected]>
References: <CAP-guGV-NJEUaSRJPVfNGtdar5ABRkjEbEpqsaDU2Vq0B=rEBQ@mail.gmail.com> <[email protected]> <CAP-guGUquwcsESnKbe9QKE79NzfSBNsye4Sq4cFgjwr8xLODSw@mail.gmail.com> <CALgc3C6v_u3Xrjf1rQ=u+62ctExOEfYWUsor-DzfamLVv+z+uA@mail.gmail.com> <CAK__Kzs7_tY0HggT7PG2STorHqcV-3BAXHmYF=pia0bPa6YXzg@mail.gmail.com> <CALgc3C7Fi0rhBODH+kc2Vk6pE9s9TAoa303TFftTCN_K4G77kA@mail.gmail.com> <CAP-guGXia-YLnN0LN8FrQnQFC7gRQMbbiGXh=OLK+4cz02p+Rg@mail.gmail.com> <CAFy81rnw-Q7gYb8eSz-0LqH+kRgSS6+vWieMH=AL9Ay-x2KPDg@mail.gmail.com> <CAK__Kzub-4ZK+kSDC3qsnNqbauhLHnP68Y3Jg0WDQLh0rYEyXw@mail.gmail.com> <CF772128.50EA3%[email protected]>

On Fri, Apr 18, 2014 at 06:37:28PM -0400, Lee Howard wrote:
> On 4/18/14 4:33 PM, "George Herbert" <george.herbert at gmail.com> wrote:
> >
> >If William and I fight that fight, lose it, and come back and tell you
> >"They won't go because insufficient NAT" you need to listen.  I've fought
> >this in a dozen places and lost 8 of them, not because I don't know v6,
> >but
> >because the clients have inertia and politics around security posture
> >changes (and in some cases, PCI compliance regs).
> 
> IPv6 evangelists are used to fighting inertia.
> PCI, however. . . anyone have any contacts there?

If you get to talk to them, they'll probably look at you funny and say,
"whatchoo talkin' 'bout?".  PCI DSS *does not require NAT*.  Anyone who
says differently is selling something (probably a NAT box).  You can refer
to the source documents yourself -- they're freely available
(https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf, for
example).  As a testimonial, we run a no-NAT environment and got full PCI
compliance with nary a twitch of the eyebrow.  Didn't even have to argue the
toss with anyone.

- Matt

References:
- Requirements for IPv6 Firewalls
  - From: bill at herrin.us (William Herrin)
- Requirements for IPv6 Firewalls
  - From: fernando at gont.com.ar (Fernando Gont)
- Requirements for IPv6 Firewalls
  - From: bill at herrin.us (William Herrin)
- Requirements for IPv6 Firewalls
  - From: eugen at imacandi.net (Eugeniu Patrascu)
- Requirements for IPv6 Firewalls
  - From: george.herbert at gmail.com (George Herbert)
- Requirements for IPv6 Firewalls
  - From: eugen at imacandi.net (Eugeniu Patrascu)
- Requirements for IPv6 Firewalls
  - From: bill at herrin.us (William Herrin)
- Requirements for IPv6 Firewalls
  - From: tmorizot at gmail.com (Timothy Morizot)
- Requirements for IPv6 Firewalls
  - From: george.herbert at gmail.com (George Herbert)
- Requirements for IPv6 Firewalls
  - From: Lee at asgard.org (Lee Howard)

Prev by Date: OT: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
Next by Date: Requirements for IPv6 Firewalls
Previous by thread: Requirements for IPv6 Firewalls
Next by thread: Requirements for IPv6 Firewalls
Index(es):
- Date
- Thread