Firewall Wizards mailing list archives
Re: Proxy vs. NAT
From: William Stearns <wstearns () pobox com>
Date: Thu, 11 Nov 1999 23:42:18 -0500 (EST)
Good evening, Stan,

On Thu, 11 Nov 1999, Stan Anderson wrote:
> Why would I want to use a proxy on my firewall instead of NAT, or vice versa? I recently moved to IBM's e-Network Firewall for AIX, and can't see any reason not to use NAT. On our old firewall, if you didn't use proxy, you couldn't log the activity as well. Please help me, I just may not understand the difference.
In a NAT arrangement, the firewall accepts the packets on one side, plays a little with source or destination addresses or ports, but otherwise sends them on without touching or inspecting the contents of the data flow. An application level proxy has the opportunity *1 to validate the data flow itself. It can look at the incoming SMTP communication, for example, and make sure that the "HELO", "MAIL", "RCPT", etc. messages are properly formatted (is the object after "MAIL FROM:" a valid email address?) and aren't buffer overflows before sending those messages on to the destination server.

At a severe risk of overgeneralizing, I would guess that NAT proxies would be generally faster than app level proxies, but are less secure.

Cheers,
- Bill

*1 An app level proxy is not _required_ to inspect the data flow; a basic TCP proxy could simply take every data block it gets and pass it on to the other end of the connection.

---------------------------------------------------------------------------
"If the entire earth, land and water, were covered with computers, IPv6 would allow 7x10^23 IP addresses per square meter. [...] While it was not the intention to give every molecule on the surface of the earth its own IP address, we are not that far off."
-- Tannenbaum, _Computer_Networks_, 3rd Edition
(Courtesy of Joseph Pingenot <jap3003 () ksu edu>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com). Mason, Buildkernel, named2hosts, and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
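An added illustration of the inspection step Bill describes, in Python: the client side of an SMTP session is checked command by command (is the verb one we relay at all, is the line within the RFC 5321 limit so an overlong "MAIL FROM:" cannot be used as an overflow probe, is the path a well-formed mailbox) before anything is passed to the real mail server, which is exactly what a NAT box never does. This is example code written for this archive page, not code from the original post or from IBM's e-Network Firewall. The allow-list of verbs, the mailbox grammar (deliberately stricter than RFC 5321: no quoted local parts, no address literals), the assumption that the server answers 354 to every relayed DATA, and the sample session bytes are all constructed for the example.

```python
"""Application-level SMTP command filter of the kind an app proxy runs before
relaying client commands.  Added example; assumptions are marked in comments."""
import re

MAX_CMD_LINE = 512    # RFC 5321 4.5.3.1.4: command line incl. CRLF <= 512 octets
MAX_TEXT_LINE = 1000  # RFC 5321 4.5.3.1.6: message text line incl. CRLF <= 1000 octets

# Assumption: a conservative grammar, stricter than RFC 5321, so odd input is
# rejected rather than relayed (no quoted local parts, no [1.2.3.4] literals).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = r"(?:" + _LABEL + r"\.)+[A-Za-z]{2,63}"
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_MAILBOX = re.compile(r"^" + _ATOM + r"(?:\." + _ATOM + r")*@" + _DOMAIN + r"$")
_HOSTNAME = re.compile(r"^" + _LABEL + r"(?:\." + _LABEL + r")*$")
_PARAM = re.compile(r"^[A-Za-z0-9-]+(?:=[\x21-\x3C\x3E-\x7E]+)?$")  # ESMTP keyword[=value]
_PATH = re.compile(r"^<(.*)>$")                                     # MAIL FROM:<...> / RCPT TO:<...>


def _check_path(arg, allow_empty):
    """Validate '<mailbox> [params...]' as it appears after FROM: or TO:."""
    path, _, params = arg.partition(" ")
    m = _PATH.match(path)
    if not m:
        return False, "path must be enclosed in <>"
    mailbox = m.group(1)
    if mailbox == "":
        if not allow_empty:
            return False, "empty path not allowed"
    elif len(mailbox) > 254 or not _MAILBOX.match(mailbox):
        return False, "malformed mailbox"
    if any(not _PARAM.match(p) for p in params.split()):
        return False, "malformed ESMTP parameter"
    return True, ""


def check_command(line: bytes):
    """Validate one client command line (CRLF included). Returns (ok, reason)."""
    if len(line) > MAX_CMD_LINE:
        return False, "command line exceeds 512 octets"
    if not line.endswith(b"\r\n"):
        return False, "missing CRLF"
    body = line[:-2]
    if any(c < 0x20 or c > 0x7E for c in body):   # control chars / 8-bit bytes
        return False, "non-printable or 8-bit byte in command"
    verb, _, arg = body.decode("ascii").partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        ok = 0 < len(arg) <= 255 and bool(_HOSTNAME.match(arg))
        return ok, ("" if ok else "malformed hostname")
    if verb == "MAIL":
        if not arg.upper().startswith("FROM:"):
            return False, "MAIL requires FROM:"
        return _check_path(arg[5:].strip(), allow_empty=True)   # <> is a bounce sender
    if verb == "RCPT":
        if not arg.upper().startswith("TO:"):
            return False, "RCPT requires TO:"
        return _check_path(arg[3:].strip(), allow_empty=False)
    if verb in ("DATA", "RSET", "NOOP", "QUIT") and not arg:
        return True, ""
    return False, "command not permitted through proxy: " + verb   # allow-list, not deny-list


def filter_session(client_bytes: bytes):
    """Replay one client-to-server byte stream through the filter.
    Returns (relayed_lines, rejected) with rejected = [(line, reason), ...].
    Assumption: the real server answers 354 to every DATA we relay, so the proxy
    passes message text through until the <CRLF>.<CRLF> terminator."""
    relayed, rejected, in_data = [], [], False
    for line in client_bytes.splitlines(keepends=True):
        if in_data:
            if len(line) > MAX_TEXT_LINE:
                rejected.append((line, "text line exceeds 1000 octets"))
                break   # a real proxy would drop the connection here, not skip a line
            relayed.append(line)
            in_data = line != b".\r\n"
            continue
        ok, reason = check_command(line)
        if ok:
            relayed.append(line)
            in_data = line.upper().startswith(b"DATA")
        else:
            rejected.append((line, reason))
    return relayed, rejected


# Constructed sample session: three good commands, three that a NAT box would
# pass untouched but an inspecting proxy refuses, then a message body and QUIT.
SAMPLE_SESSION = (
    b"EHLO mail.example.com\r\n"
    b"MAIL FROM:<alice@example.com> SIZE=1234\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"RCPT TO:<bob@example.net\r\n"                        # malformed: missing '>'
    b"MAIL FROM:<" + b"A" * 600 + b"@example.com>\r\n"     # oversized overflow-style line
    b"VRFY root\r\n"                                       # verb not on the allow-list
    b"DATA\r\n"
    b"Subject: hi\r\n\r\nhello\r\n.\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    good, bad = filter_session(SAMPLE_SESSION)
    for line, why in bad:
        print("REJECT", line[:40], why)
    print(len(good), "lines relayed")
```

The shape to notice is the allow-list: anything the proxy does not understand is refused, so a new or unusual command reaches the mail server only after someone has decided it should. That decision, and the cost of parsing every line, is the "slower but more secure" trade-off Bill guesses at above.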
Current thread:
- Proxy vs. NAT Stan Anderson (Nov 11)
- Re: Proxy vs. NAT William Stearns (Nov 14)
- <Possible follow-ups>
- Re: Proxy vs. NAT dwelch (Nov 17)