Firewall Wizards mailing list archives
RE: A question regarding SOCKs/Proxy vs NAT/PAT
From: Ben Nagy <ben.nagy () marconi com au>
Date: Thu, 15 Mar 2001 10:57:52 +1030
-----Original Message-----
From: Crist Clark [mailto:crist.clark () globalstar com]
Sent: Wednesday, 14 March 2001 8:23
To: Michael Gliva
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] A question regarding SOCKs/Proxy vs NAT/PAT

> Michael Gliva wrote:
> [snip]

[...]

> > And, I really don't know what the general industry trend is regarding the question of SOCKs/Proxy vs. NAT/PAT. Can anyone help to enlighten me?
>
> OK, one more time, everyone repeat after me, "NAT is not a security measure." "NAT is not a security measure." ...
Why not? In theory, dynamic NAT, or "hide NAT" or "overload NAT" or whatever the newest name is, provides as much protection as a dumb stateful packet filter. Jeez, people run ipchains or dumb Cisco ACLs and consider them a "security measure" and they're not even _stateful_! I would (and do) argue that dynamic NAT is functionally equivalent to a stateful packet filter. While it's true that many devices that implement NAT aren't written by security companies and therefore may be badly implemented, I think this should be separated from the theoretical side of the debate. This is very similar to the "VLANs aren't secure" mantra. In theory, they are. In practice they don't seem to be. (The same could be said of several vendors' firewall solutions.)
> A proxy is much, much more secure than NAT.

I can't agree with "much, much" more secure (unless you know of some _good_ proxies - I can't find any) but I'll agree that it's more secure. Then again, a good proxy is as or more secure in theory than any packet filtering solution as well (cf "Carson's Law" ;).

> NAT's intention has always been a way to increase the apparent size of the IPv4 space.

Yup.

> (Again) it is not a security feature.

Can be...

> In fact, read RFC1631, "The IP Network Address Translator (NAT),"
>
>     Unfortunately, NAT reduces the number of options for providing security.

This quote refers to the difficulty of cryptographic authentication of IP endpoints through NAT (e.g. IPSec AH). It also dates from 1994. I think that's a contextual stretch. 8)

[...]

> --
> Crist J. Clark
> Network Security Engineer
> crist.clark () globalstar com
> Globalstar, L.P.
> (408) 933-4387 FAX: (408) 933-4926
Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
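The claim above that dynamic (hide/overload) NAT behaves like a stateful packet filter can be checked with a small simulation. This is an added example, not code from the thread or from any product it mentions; the addresses, ports and packet sequence are constructed, and the gateway address PUBLIC_IP is an assumption. It models the NAT as a per-flow (endpoint-dependent) mapping, which is the case where the equivalence holds; a NAT that admits inbound from any source to a mapped port is the "badly implemented" case the message alludes to.

```python
# Added example: dynamic NAT beside a stateful packet filter, showing that
# both admit replies to an outbound flow and both drop unsolicited inbound.
# Addresses/ports are constructed (RFC 5737 documentation ranges).

PUBLIC_IP = "203.0.113.1"   # assumed public address of the gateway


class DynamicNAT:
    """Hide/overload NAT: a mapping exists only after an outbound packet."""

    def __init__(self):
        self.next_port = 40000
        self.out_map = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.in_map = {}    # (public_port, remote_ip, remote_port) -> (ip, port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            pub = self.next_port
            self.next_port += 1
            self.out_map[key] = pub
            # Per-flow entry: inbound is only translated from this remote endpoint.
            self.in_map[(pub, dst_ip, dst_port)] = (src_ip, src_port)
        return (PUBLIC_IP, self.out_map[key])

    def inbound(self, src_ip, src_port, dst_port):
        """Internal (ip, port) for a packet arriving at the gateway, else None."""
        return self.in_map.get((dst_port, src_ip, src_port))


class StatefulFilter:
    """Stateful packet filter: admits inbound only for a recorded outbound flow."""

    def __init__(self):
        self.flows = set()

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        self.flows.add((src_ip, src_port, dst_ip, dst_port))

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        return (dst_ip, dst_port, src_ip, src_port) in self.flows


def compare_decisions():
    """Run the same packet sequence through both devices; return admit flags."""
    nat, spf = DynamicNAT(), StatefulFilter()
    _, pub_port = nat.outbound("10.0.0.5", 51000, "198.51.100.7", 80)  # client -> web
    spf.outbound("10.0.0.5", 51000, "198.51.100.7", 80)
    reply = (nat.inbound("198.51.100.7", 80, pub_port) is not None,
             spf.inbound("198.51.100.7", 80, "10.0.0.5", 51000))
    unsolicited = (nat.inbound("192.0.2.9", 4444, pub_port) is not None,
                   spf.inbound("192.0.2.9", 4444, "10.0.0.5", 51000))
    return {"reply": reply, "unsolicited": unsolicited}
```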