
For the purposes of PCI-DSS compliance, I have been asked to see if there's a small consumer router/etc that can accept a packet from one network segment, and change the destination IP address (from itself to a new IP) and change the source address (from the original source to the router's IP), and then send it out on the second network segment.

As a (simplified) example:

I have a POS on IP 1.1.1.1

It "knows" about a credit card processing device on 2.2.2.2

It (the POS) sends a packet [from: 1.1.1.1] to 2.2.2.2

But 2.2.2.2 is actually a proxy router. The real credit card processing device is on 3.3.3.3.

The proxy router changes the destination IP to: 3.3.3.3, and, for the sake of compliance, changes the source address to 2.2.2.2, and passes that packet along to the actual credit card processing device.

The device processes the data, and sends a response back, [from: 3.3.3.3] to 2.2.2.2, which is, of course, the proxy router. The proxy router converts the source to 2.2.2.2 and the destination to 1.1.1.1 and sends it back along to the POS.

I know I can solve this in an ugly way with a pair of NAT routers hooked up back-to-back, but I'm hoping there's a more elegant fix.

Thanks

johnbr
  • Any router that can run Linux (whether Tomato, OpenWRT, DD-WRT, or whatever) can do it. Dual NAT is implemented using `iptables`. You do the destination NAT in the pre-routing phase and the source NAT in the post-routing phase. – David Schwartz Dec 03 '12 at 21:06
  • Cisco ASA OS 8.3 and up can also accomplish this with "Twice NAT." However, Dennis's answer below is spot on in the sense that this sort of arrangement isn't security -- and warrants several questions back to your auditor. – Weaver Dec 04 '12 at 00:22
  • Thanks for the feedback. I hadn't thought about Tomato, etc, those are good ideas. And yes, I am very skeptical of the auditor's wisdom here, but attempts to convince them otherwise have fallen on deaf ears. – johnbr Dec 04 '12 at 15:23
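The dual NAT that David Schwartz's comment describes (DNAT in PREROUTING, SNAT in POSTROUTING), written out as an added example; this is not code from any post on this page. It uses the question's addresses (POS 1.1.1.1, proxy router 2.2.2.2, processor 3.3.3.3), assumes TCP port 443 as the processor's service port, and only prints the `iptables` commands unless it is run as root with `--apply`. The FORWARD rules are the part a PCI reviewer will actually care about: the router should forward exactly this one flow and drop everything else.

```shell
#!/bin/sh
# Added example (not from the original question or answers): "twice NAT" on a
# Linux-based router (OpenWrt, Tomato, DD-WRT or a plain Linux box) with iptables.
# Addresses are the question's; the port and interface-free rules are assumptions.
POS_IP=1.1.1.1          # the point-of-sale system
PROXY_IP=2.2.2.2        # this router's address, the only peer the POS knows
PROCESSOR_IP=3.3.3.3    # the real card-processing device
PROXY_PORT=443          # assumed service port; keep the rules narrowed to it

# Emit the rules as text so they can be reviewed (or diffed against an audit
# checklist) before they are applied.
nat_rules() {
    # 1. PREROUTING runs before the routing decision: a packet the POS sends to
    #    the router's own address gets its destination rewritten to the processor.
    echo "iptables -t nat -A PREROUTING -s $POS_IP -d $PROXY_IP -p tcp --dport $PROXY_PORT -j DNAT --to-destination $PROCESSOR_IP"
    # 2. POSTROUTING runs after routing: the source becomes the router's address,
    #    so the processor only ever sees 2.2.2.2. Connection tracking undoes both
    #    rewrites on the reply, which is why no explicit rule for replies is needed.
    echo "iptables -t nat -A POSTROUTING -s $POS_IP -d $PROCESSOR_IP -p tcp --dport $PROXY_PORT -j SNAT --to-source $PROXY_IP"
    # 3. The filter table sees the packet after DNAT but before SNAT, so match on
    #    POS -> processor. Permit only this flow and its established replies.
    echo "iptables -A FORWARD -s $POS_IP -d $PROCESSOR_IP -p tcp --dport $PROXY_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $PROCESSOR_IP -d $POS_IP -p tcp --sport $PROXY_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # 4. Anything else crossing the two segments is dropped.
    echo "iptables -P FORWARD DROP"
}

# Apply only when explicitly requested and running as root; otherwise just print.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    sysctl -w net.ipv4.ip_forward=1
    nat_rules | sh -e
else
    nat_rules
fi
```

Run it without arguments to review the five commands; `--apply` as root installs them. Order matters for the filter rules: the DNAT has already happened when FORWARD is evaluated, so the accept rule must name the processor's real address, not the router's.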

1 Answer


You want your credit card processing done behind consumer-grade devices? Why? And why the extra NAT? PCI-DSS has no such requirement. I suggest getting a different QSA or auditor instead so you don't have to do these things that don't make sense :)

Dennis Kaarsemaker
  • You are preaching to the choir, sir. I personally think this is dumb, dumb, dumb. But the customer refuses to QSA shop, and so here we are. W.R.T. the consumer grade devices, they're just there for a few months, one of our vendors is cooking up a dedicated, hardened appliance just to solve this dual-NAT problem. It's astonishing how much money Fortune 500 companies will waste because two guys are golfing buddies. – johnbr Dec 04 '12 at 15:18
  • In that case, just grab your average openwrt capable router and muck about with iptables until it works. Then run like the wind to find better clients :) – Dennis Kaarsemaker Dec 04 '12 at 16:00