Firewall Wizards mailing list archives

RE: A question regarding SOCKs/Proxy vs NAT/PAT


From: Ben Nagy <ben.nagy () marconi com au>
Date: Thu, 15 Mar 2001 10:57:52 +1030

-----Original Message-----
From: Crist Clark [mailto:crist.clark () globalstar com]
Sent: Wednesday, 14 March 2001 8:23 
To: Michael Gliva
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] A question regarding SOCKs/Proxy vs NAT/PAT


Michael Gliva wrote:

[snip]
[...]
And, I really don't know what the general industry trend is regarding the
question of SOCKs/Proxy vs. NAT/PAT. Can anyone help to enlighten me?

OK, one more time, everyone repeat after me,

  "NAT is not a security measure."
  "NAT is not a security measure."
  ...

Why not? In theory, dynamic NAT, or "hide NAT" or "overload NAT" or whatever
the newest name is, provides as much protection as a dumb stateful packet
filter. Jeez, people run ipchains or dumb Cisco ACLs and consider them a
"security measure" and they're not even _stateful_!

I would (and do) argue that dynamic NAT is functionally equivalent to a
stateful packet filter. While it's true that many devices that implement NAT
aren't written by security companies and therefore may be badly implemented,
I think this should be separated from the theoretical side of the debate.

This is very similar to the "VLANs aren't secure" mantra. In theory, they
are. In practice they don't seem to be. (The same could be said of several
vendors' firewall solutions).

A proxy is much, much more secure than NAT.

I can't agree with "much, much" more secure (unless you know of some _good_
proxies - I can't find any) but I'll agree that it's more secure. Then
again, a good proxy is as or more secure in theory than any packet filtering
solution as well (cf "Carson's Law" ;).

NAT's intention has always been a way to increase the apparent size of the
IPv4 space.

Yup.

(Again) it is not a security feature.

Can be...

In fact, read RFC1631, "The IP Network Address Translator (NAT),"

   Unfortunately, NAT reduces the number of options for providing
   security.

This quote refers to the difficulty of cryptographic authentication of IP
endpoints through NAT (e.g. IPSec AH). It also dates from 1994. I think that's
a contextual stretch. 8)

[...]
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
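Editor's added illustration of the point argued above, that dynamic ("hide") NAT admits inbound traffic on the same rule a stateful packet filter uses, while a stateless "established" ACL does not. This is example code written for this archive page; it is not code from the thread, from any vendor, or from any real kernel's NAT implementation. It is a toy model: the addresses, ports and the `HideNAT`, `Packet`, `stateless_established_acl` and `demo` names are all constructed for the example. The `restrict_remote` flag models the "theory vs. implementation" caveat Ben raises: a NAT that keys its table on the public port alone (a "full cone" translator) forwards a crafted packet that a correctly restricted one drops.

```python
"""Toy model of hide NAT vs. a stateless 'established' ACL (constructed example)."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag: the only "state" a stateless ACL can see


class HideNAT:
    """Dynamic (hide/overload) NAT: all inside hosts share one public address.

    A translation entry is created only by an outbound packet. An inbound
    packet is forwarded only if it matches an existing entry, which is the
    same admission rule a stateful packet filter applies.
    """

    def __init__(self, public_ip, first_port=40000, restrict_remote=True):
        self.public_ip = public_ip
        self.restrict_remote = restrict_remote  # False models a "full cone" NAT
        self._ports = count(first_port)
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public port
        self._out = {}
        # (proto, public port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self._in = {}

    def outbound(self, pkt):
        """Translate an inside->outside packet, creating state on first use."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self._out.get(key)
        if pub_port is None:
            pub_port = next(self._ports)
            self._out[key] = pub_port
            self._in[(pkt.proto, pub_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.ack)

    def inbound(self, pkt):
        """Translate an outside->inside packet; None means it is dropped."""
        entry = self._in.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # no table entry: nobody inside asked for this
        in_ip, in_port, rem_ip, rem_port = entry
        if self.restrict_remote and (pkt.src, pkt.sport) != (rem_ip, rem_port):
            return None  # entry exists but belongs to a different remote endpoint
        return Packet(pkt.proto, pkt.src, pkt.sport, in_ip, in_port, pkt.ack)


def stateless_established_acl(pkt):
    """Model of the classic 'permit tcp any any established' style rule.

    It keeps no table: any inbound TCP segment with ACK set is admitted, so a
    crafted segment that never belonged to a connection gets through.
    """
    return pkt.proto == "tcp" and pkt.ack


def demo():
    """Run one legitimate reply and one forged reply through each mechanism."""
    nat = HideNAT("203.0.113.1")
    full_cone = HideNAT("203.0.113.1", restrict_remote=False)

    # Constructed traffic: an inside host opens a TCP connection to a web server.
    syn = Packet("tcp", "10.0.0.5", 51515, "198.51.100.7", 80)
    on_wire = nat.outbound(syn)
    full_cone.outbound(syn)

    # The server's genuine reply, addressed to the public socket the NAT chose.
    reply = Packet("tcp", "198.51.100.7", 80, on_wire.src, on_wire.sport, ack=True)
    # An attacker's crafted "reply": ACK set, public port guessed, wrong source.
    forged = Packet("tcp", "192.0.2.66", 80, "203.0.113.1", on_wire.sport, ack=True)

    return {
        "nat_reply": nat.inbound(reply),             # forwarded to 10.0.0.5:51515
        "nat_forged": nat.inbound(forged),           # None: dropped, no matching state
        "fullcone_forged": full_cone.inbound(forged),  # forwarded: the implementation caveat
        "acl_reply": stateless_established_acl(reply),
        "acl_forged": stateless_established_acl(forged),  # True: stateless rule fooled
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Run it and compare the `nat_forged` and `acl_forged` lines: the table-driven NAT behaves like a stateful filter and drops the crafted segment, the stateless ACL admits it, and the "full cone" variant shows how much of that protection depends on the implementation rather than on NAT as such.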