Firewall Wizards mailing list archives

Question re using socks for outside-to-inside connections


From: "Moore, James" <James.Moore () MSFC NASA GOV>
Date: Thu, 15 Jul 1999 13:46:27 -0500

Some folks in our organization have proposed using the socks server on our
firewall to handle connections from an external webserver to various hosts
behind the firewall. I'm not used to seeing socks used this way, and hoped I
could get some informed opinions on the security implications.

Here's the deal: 
        Remote users obtain services by connecting to an external (outside
our firewall) webserver. Software applications on the webserver then make
connections to the required hosts behind the firewall. In the past, this has
been handled by setting up "ip forwarders" on the firewall... I believe
these are proxies that restrict source ip, destination ip, port and
protocol. The socks daemon that runs on the firewall has traditionally been
used to make inside-to-outside connections. 

        Recently it has been proposed that we use the socks server on the
firewall to facilitate outside-to-inside connections. As with the ip
forwarder/proxies, the socks server would be configured to accept outside
connections only from the webserver using specified protocols to designated
inside hosts on specified ports. The rationale is that using socks presents
no added risk (above the ip forwarder approach), and it's quicker and easier
to set up. 

I'm not aware of any inherent weaknesses in socks, but I've never heard much
about its strengths, either. Any informed opinions on the security of the
proposed approach would be greatly appreciated.

Best Regards,
Jim Moore
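
One way to express the rule set the post describes (accept only the webserver, only specified protocols, only designated inside hosts and ports) as a default-deny check on a SOCKS request. This is an added example, not part of the original message or of any SOCKS server's code; it assumes SOCKS version 5 (RFC 1928), and every address, port and function name in it is constructed for illustration.

```python
import ipaddress

# Constructed policy values (documentation/private ranges, not from the post).
WEBSERVER = ipaddress.ip_address("192.0.2.10")   # the external webserver
ALLOWED_DESTS = {(ipaddress.ip_address("10.1.1.20"), 1521),   # (inside host, TCP port)
                 (ipaddress.ip_address("10.1.1.21"), 443)}
CMD_CONNECT = 0x01   # BIND (0x02) and UDP ASSOCIATE (0x03) are refused
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_request(data: bytes):
    """Parse a SOCKS5 request (RFC 1928, section 4) into (cmd, atyp, dest, port)."""
    if len(data) < 5 or data[0] != 0x05 or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        start, length = 4, 4
    elif atyp == ATYP_IPV6:
        start, length = 4, 16
    elif atyp == ATYP_DOMAIN:
        start, length = 5, data[4]   # one length octet, then the name
    else:
        raise ValueError("unknown address type")
    end = start + length
    if len(data) != end + 2:
        raise ValueError("request length does not match address type")
    raw = data[start:end]
    dest = raw.decode("ascii", "replace") if atyp == ATYP_DOMAIN else ipaddress.ip_address(raw)
    return cmd, atyp, dest, int.from_bytes(data[end:], "big")


def decide(client_ip: str, request: bytes) -> str:
    """Default deny: allow only webserver -> listed (host, port) via CONNECT."""
    if ipaddress.ip_address(client_ip) != WEBSERVER:
        return "deny: source is not the webserver"
    try:
        cmd, atyp, dest, port = parse_request(request)
    except ValueError as exc:
        return f"deny: {exc}"
    if cmd != CMD_CONNECT:
        return "deny: only CONNECT is permitted"
    if atyp == ATYP_DOMAIN:   # a name would be resolved by the proxy, not pinned by the rule
        return "deny: destination must be a literal address"
    if (dest, port) not in ALLOWED_DESTS:
        return "deny: destination not on the allowlist"
    return "allow"

# Constructed sample: CONNECT to 10.1.1.20:1521
SAMPLE = bytes([5, 1, 0, 1, 10, 1, 1, 20]) + (1521).to_bytes(2, "big")
```

The point of the sketch is that a SOCKS rule has more fields to pin down than a fixed forwarder: the command and the address type are chosen by the client in each request, so the policy has to refuse everything except the one combination intended.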


