PCI DSS + Firewall NAT + cPanel

HappyPappy

Active Member
Mar 17, 2002
Hi there,

Firstly, sorry for the long post this could be but I think it only fitting to give some background if I am hopeful enough to get a response. As you will quickly gather we are not experts by any stretch of the imagination.

We have a dedicated cPanel server hosting four accounts, each with dedicated IPs for SSLs. Excellent system.

Our server has CSF firewall (software) and has been hardened and passes the PCI scanning from McAfee. All good.

However, the new version of PCI (v1.2) plus a minor change in the way the sites now handle credit card data sees us now requiring a hardware firewall solution. NAT is a specific requirement as stipulated in the PCI DSS for the PCI level we need to be compliant with.

Rather than have our server provider simply "plug on" a hardware firewall device to our existing server we decided to play safe and set up a second server (new host name) then migrate accounts over once the new server was set up, working and passing the PCI scanning bit.

This is where we (and our server provider) have hit a brick wall. We cannot seem to get things working properly with the NAT firewall.

Hardware firewall with NAT is an integral requirement of PCI for some levels of compliance (but not all), so it was a little disappointing to read so many posts suggesting cPanel and NAT are not compatible (hard to believe).

I have scoured these forums and have found only limited info on configuring cPanel with NAT.

Is there a definitive guide to configuring cPanel with NAT, or vice versa perhaps?

The hardware firewall is a Cisco ASA5510. These are the NAT details from the server provider ...
inside - yyy.yy.yy.1 outside - xxx.xx.xx.1 netmask 255.255.255.255
inside - yyy.yy.yy.2 outside - xxx.xx.xx.2 netmask 255.255.255.255
inside - yyy.yy.yy.3 outside - xxx.xx.xx.3 netmask 255.255.255.255
inside - yyy.yy.yy.4 outside - xxx.xx.xx.4 netmask 255.255.255.255
inside - yyy.yy.yy.5 outside - xxx.xx.xx.5 netmask 255.255.255.255
inside - yyy.yy.yy.6 outside - xxx.xx.xx.6 netmask 255.255.255.255

IP 1 is for the server host name and the ns1 nameserver. IP 2 is for the ns2 nameserver; the remainder are for the hosting accounts (dedicated IPs for SSLs).

If anyone knows of any documentation regarding NAT and cPanel or if anyone could kindly shed a little light on things I would be very much thankful.

Thank you
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
Houston, TX
cPanel Access Level
Root Administrator
At this time, we do not natively support NAT - but many have managed to get cPanel/WHM servers to work well behind NAT.

You mentioned a PCI Compliance spec that mentioned a requirement for NAT in addition to a hardware firewall. Can you provide me with a link to this specification? We realize PCI compliance is a high priority. If NAT is a requirement for some levels of PCI compliance, I would like to have documentation to present to our development team so they can be aware of this necessity.
 

myusername

Well-Known Member
PartnerNOC
Mar 6, 2003
chown -R us.*yourbase*
cPanel Access Level
DataCenter Provider
https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

There are other issues besides just NAT.

Look at section 1.3.8 for NAT/PAT but the entire firewall section is good.

Then section 2.4: how they have a provision in there for shared hosting providers is beyond me, because none of PCI DSS is really compatible with shared hosting...

I suppose if we could get an answer to the NAT issue then I can cite some other problem areas.
 

HappyPappy

Active Member
Mar 17, 2002
Quoting from the actual PCI DSS 1.2 ...

PCI DSS REQUIREMENTS (1.3.8):
"Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies—for example, port address translation (PAT)."

PCI TESTING PROCEDURES (1.3.8):
"For the sample of firewall and router components, verify that NAT or other technology using RFC 1918 address space is used to restrict broadcast of IP addresses from the internal network to the Internet (IP masquerading)."

As they continue to enforce PCI I guess there will be more and more people, companies and organisations moving to become compliant - if you want to accept credit cards legally under PCI and not risk heavy fines and penalties then you just have to be PCI DSS compliant.

I have to admit, I find it very hard to fathom that cPanel have not yet got this very important part covered (NAT), considering it is a very clear and important requirement of PCI DSS.

In the interim I'm still hoping to stay using cPanel but it seems if I want to be PCI DSS and install a hardware firewall and NAT so I'm not risking it, then cPanel is not looking all that good. Please, please prove me wrong ;)

Again, any help or advice would be much appreciated.

Cheers
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
Houston, TX
cPanel Access Level
Root Administrator
I am not a PCI compliance expert, however reading this PCI compliance requirement and testing verbiage, it seems to essentially discuss not leaking internal IP addresses to those not on your internal network.

The verbiage suggests this applies to your cPanel/WHM server if your server is using RFC 1918 address space. cPanel does not support using cPanel/WHM within RFC 1918 address space at this time. The only known method to get cPanel/WHM licensing to work from within RFC 1918 address space is to use NAT, which is not natively supported by cPanel/WHM. This PCI compliance item suggests that if you are placing your server on RFC 1918 address space that you should use NAT and ensure that internal addresses cannot be leaked externally.

A server outside of RFC 1918 address space (most typical of a cPanel/WHM implementation) would likely not be connected to resources within RFC 1918 address space, so it doesn't seem like this requirement would apply to such servers. Granted, there could be exceptions where RFC 1918 address space would be used (e.g. using a remote MySQL server hosted in the same facility).

If you find verbiage to clearly support the claim that no server can be PCI compliant unless it is within RFC 1918 address space and using NAT to acquire an address outside of the RFC 1918 address space, please let me know.
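The 1.3.8 testing procedure quoted earlier in the thread asks the assessor to verify that internal addresses are not broadcast to the Internet. The following is an added example, not code from the thread or from cPanel: it parses a 1:1 NAT table in the same "inside - ... outside - ... netmask ..." format the server provider supplied in the first post and scans records that will be visible from the Internet (DNS zone lines, an HTTP header) for RFC 1918 "inside" addresses that should have been the "outside" ones. All addresses in it are constructed; 203.0.113.0/24 stands in for the provider's public block.

```python
# Added example, not from the thread or from cPanel: parse the provider's 1:1 NAT
# table and scan Internet-visible records for leaked RFC 1918 "inside" addresses.
import ipaddress
import re
# Constructed sample; outside uses 203.0.113.0/24 as a placeholder public block.
NAT_TABLE = """
inside - 10.10.10.1 outside - 203.0.113.1 netmask 255.255.255.255
inside - 10.10.10.2 outside - 203.0.113.2 netmask 255.255.255.255
inside - 10.10.10.3 outside - 203.0.113.3 netmask 255.255.255.255
"""
NAT_LINE = re.compile(r"inside\s*-\s*(\S+)\s+outside\s*-\s*(\S+)\s+netmask\s+(\S+)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_nat_table(text):
    """Return {inside_ip: outside_ip}; only /32 static mappings are accepted."""
    mapping = {}
    for inside, outside, mask in NAT_LINE.findall(text):
        if mask != "255.255.255.255":
            raise ValueError(f"non-/32 mapping not supported: {mask}")
        mapping[str(ipaddress.ip_address(inside))] = str(ipaddress.ip_address(outside))
    return mapping

def find_leaks(published_lines, mapping):
    """Return [(line_no, private_ip, expected_public_ip_or_None)] per RFC 1918 hit."""
    leaks = []
    for n, line in enumerate(published_lines, 1):
        for ip in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an IP
                continue
            if any(addr in net for net in RFC1918):
                leaks.append((n, ip, mapping.get(ip)))
    return leaks

# Constructed zone-file and HTTP-header lines as a server behind NAT might emit them.
PUBLISHED = [
    "ns1.example.com.   IN A 203.0.113.1",  # correct: public address
    "ns2.example.com.   IN A 10.10.10.2",   # leak: inside address of ns2
    "shop.example.com.  IN A 10.10.10.3",   # leak: inside address of an account
    "Location: http://10.10.10.9/cpanel",   # leak with no NAT entry at all
]

if __name__ == "__main__":
    for line_no, ip, public in find_leaks(PUBLISHED, parse_nat_table(NAT_TABLE)):
        fix = f"publish {public} instead" if public else "no NAT entry; must not be published"
        print(f"line {line_no}: internal address {ip} exposed ({fix})")
```

Feed it the real provider table and the zone files, `Location` headers or error pages the new server actually serves; any hit with a mapping is a record that still carries the interface address instead of the NAT address, and a hit without one is an address the firewall never translates at all.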