1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.
Defined Approach Requirements
1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.
Customized Approach Objective
Internal network information is protected from unauthorized disclosure.
Defined Approach Testing Procedures
1.4.5.a Examine configurations of NSCs to verify that the disclosure of internal IP addresses and routing information is limited to only authorized parties.
1.4.5.b Interview personnel and examine documentation to verify that controls are implemented such that any disclosure of internal IP addresses and routing information is limited to only authorized parties.
Purpose
Restricting the disclosure of internal, private, and local IP addresses is useful to prevent a hacker from obtaining knowledge of these IP addresses and using that information to access the network.
Good Practice
Methods used to meet the intent of this requirement may vary, depending on the specific networking technology being used. For example, the controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks.
Methods to obscure IP addressing may include, but are not limited to:
- IPv4 Network Address Translation (NAT).
- Placing system components behind proxy servers/NSCs.
- Removal or filtering of route advertisements for internal networks that use registered addressing.
- Internal use of RFC 1918 (IPv4) address space, or use of IPv6 privacy extensions (RFC 4941) when initiating outgoing sessions to the internet.
Purpose
Prevent leakage of sensitive network information.
What's Required for Compliance
- NSCs and systems configured to limit IP/routing info disclosure.
- Only authorized parties may access internal network details.
Compliance Strategies
- NAT/proxy use
- Suppress route advertisements
- Remove internal info from external communications
Typical Policies / Procedures
- IP Obfuscation Procedure
- External Communication Standards
Common Pitfalls / Failures
- Leakage via HTTP headers
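A detection check for the header-leakage pitfall above, written as an added example (not from the page or from PCI SSC): it parses a constructed HTTP response and reports every RFC 1918 address found in the response headers or body, which is the kind of evidence testing procedure 1.4.5.a looks for on a proxy or NSC. The sample response and the function names are assumptions.

```python
import ipaddress
import re

# RFC 1918 private IPv4 ranges named in the Good Practice section.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Dotted-quad literal not embedded in a longer dotted number.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_rfc1918(addr: str) -> bool:
    """True if addr is a valid IPv4 literal inside an RFC 1918 range."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into [(header_name, value)] and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def find_internal_ip_leaks(raw: str):
    """Return (where, address) for each RFC 1918 address disclosed in the response."""
    headers, body = parse_response(raw)
    leaks = []
    for name, value in headers:
        leaks += [(f"header:{name}", a) for a in IPV4_RE.findall(value) if is_rfc1918(a)]
    leaks += [("body", a) for a in IPV4_RE.findall(body) if is_rfc1918(a)]
    return leaks


# Constructed sample: a misconfigured proxy redirecting to its upstream and
# echoing its own address in Via; 203.0.113.7 is documentation space, not private.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Location: http://10.20.30.40:8080/login\r\n"
    "Via: 1.1 192.168.5.9 (proxy)\r\n"
    "X-Cache: HIT from 203.0.113.7\r\n"
    "\r\n"
    "<html>Error connecting to backend 172.31.200.12</html>\r\n"
)

if __name__ == "__main__":
    for where, addr in find_internal_ip_leaks(SAMPLE_RESPONSE):
        print(f"internal address disclosed in {where}: {addr}")
```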
Type
Technical Control
Difficulty
Moderate
Key Risks
- Network reconnaissance
Product / Vendor Recommendations
- Deploy proxies (F5, NGINX)
Eligible SAQ
- SAQ-A-EP
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER