The SOX auditor ought to know better. Any auditor that requires NAT is incompenent.
Sadly, there are many audit REQUIREMENTS explicitly naming NAT and RFC1918 addressing ...
SOX auditors are incompetent. I've been asked about anti-virus software on UNIX servers and then asked to prove that they run UNIX.........
Fair enough, but my point was that it isn't the auditors' faults in _all_ cases. When the compliance explicitly requires something they are required to check for it, they don't have the option of ignoring or waving requirements ... and off the top of my head I don't recall if it is SOX that calls for RFC1918 explicitly but I know there are some that do.
Please cite references.
I can find plenty of firewall required references but I'm yet to find a NAT and/or RFC 1918 required.
Minor correction (I did say I wasn't sure it was SOX) ... It is PCI that requires RFC1918 and translation. For SOX, what is your assessment of (IPv6) internal controls and risk based on? Has anyone (with the authority to do so) developed and released guidance? Do we have a repository of "current best practices" to rely on (yet)? Interestingly, with SOX, I am curious if lack of IPv6 preparation will play into the risk assessment as well :). Current versions of the rest (HIPAA, GLBA, SOX, FIPS, etc.) simply tend to omit IPv6 completely, and generally require everything not explicitly called out to be disabled ... thus, no IPv6 on any network that falls under any of these regulations. We are just starting to see finalized product profiles and STIGs for IPv6 configuration - without that guidance Defense networks really couldn't <wink> run IPv6 either. (In other words (again, generally speaking) - if you run IPv6, your current C&A (or perhaps your CTO (Certificate To Operate)) is invalid).