Firewall Wizards mailing list archives

Re: A question regarding SOCKs/Proxy vs NAT/PAT


From: hermit1 <hermits () mac com>
Date: Thu, 15 Mar 2001 06:40:17 -0800

I am not familiar with NAT since I don't use it, and I have a simple question. If I set up NAT so that most hosts behind my NAT device don't get an address mapping, doesn't that provide rather good security for them? How could anyone send them packets?

hermit1

At 01:52 PM 3/13/01 -0800, Crist Clark wrote:
Michael Gliva wrote:

[snip]

> I like the idea of terminating all sessions at the border of our network,
> as SOCKs/Proxy does now, it gives us options (eg, WEB filtering and
> logging) that I don't believe we would have in a NAT environment.  However,
> I'm not sure if a proxy set-up really adds any more protections to our
> network than does a firewall running NAT and PAT.    And, I really don't
> know what the general industry trend is regarding the question of
> SOCKs/Proxy vs. NAT/PAT.    Can anyone help to enlighten me?

OK, one more time, everyone repeat after me,

  "NAT is not a security measure."
  "NAT is not a security measure."
  ...

A proxy is much, much more secure than NAT. NAT's intention has always
been a way to increase the apparent size of the IPv4 space. (Again) it
is not a security feature. In fact, read RFC1631, "The IP Network Address
Translator (NAT),"

   Unfortunately, NAT reduces the number of options for providing
   security.

The only plus they list for NAT is that people cannot tell what and
how many hosts you have behind a NAT box.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
