Note: Methods to obscure IP addressing may include, but are not limited to:
• Network Address Translation (NAT),
• Placing servers containing cardholder data behind proxy servers/firewalls,
• Removal or filtering of route advertisements for private networks that employ registered addressing,
• Internal use of RFC 1918 address space instead of registered addresses.
1.3.7.a Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.
1.3.7.b Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized.
Restricting the disclosure of internal or private IP addresses is essential to prevent a hacker from “learning” the IP addresses of the internal network and using that information to access the network.
Methods used to meet the intent of this requirement may vary depending on the specific networking technology being used. For example, the controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks.
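As an added illustration of the check in testing procedure 1.3.7.a for the route-advertisement method (this example is not part of the standard), the following Python sketch flags prefixes advertised to Internet peers that fall in RFC 1918 space or in registered space used only internally, skipping disclosures documented as authorized under 1.3.7.b. The function name, the input lists and the sample prefixes (documentation ranges) are assumptions; in practice the lists would be extracted from the router configuration under review. It covers IPv4 only.

```python
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_advertisements(advertised, internal_registered, authorized=()):
    """Return (prefix, reason) for advertised prefixes that reveal internal addressing.

    advertised          -- prefixes exported to external (Internet) peers
    internal_registered -- registered ranges that are used only internally
    authorized          -- prefixes whose disclosure is documented as authorized
    (hypothetical helper; all three inputs are assumed to come from the review)
    """
    internal = [ipaddress.ip_network(n) for n in internal_registered]
    allowed = [ipaddress.ip_network(n) for n in authorized]
    findings = []
    for text in advertised:
        net = ipaddress.ip_network(text, strict=False)
        # A prefix fully inside an authorized range is not a finding.
        if any(a.version == net.version and net.subnet_of(a) for a in allowed):
            continue
        # overlaps() also catches a supernet that covers a private block.
        if any(net.overlaps(p) for p in RFC1918):
            findings.append((str(net), "RFC 1918 private space"))
        elif any(net.overlaps(r) for r in internal):
            findings.append((str(net), "internal registered space"))
    return findings


# Constructed sample data (documentation ranges, not from any real network).
ADVERTISED = ["203.0.113.0/24", "10.20.0.0/16",
              "198.51.100.128/25", "192.168.50.0/24"]
INTERNAL_REGISTERED = ["198.51.100.0/24"]
AUTHORIZED = ["192.168.50.0/24"]

if __name__ == "__main__":
    for prefix, reason in audit_advertisements(
            ADVERTISED, INTERNAL_REGISTERED, AUTHORIZED):
        print(f"{prefix}: advertised externally, {reason}")
```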