Firewall Wizards mailing list archives

Re: Proxy vs. NAT


From: William Stearns <wstearns () pobox com>
Date: Thu, 11 Nov 1999 23:42:18 -0500 (EST)

Good evening, Stan,

On Thu, 11 Nov 1999, Stan Anderson wrote:

> Why would I want to use proxy on my firewall instead of a NAT or vice versa.
> I recently moved to IBM's e-Network Firewall for AIX, and can't see any
> reason not to use NAT.  On our old firewall if you didn't use proxy, you
> couldn't log the activity as well.  Please help me, I just may not
> understand the difference.

        In a NAT arrangement, the firewall accepts the packets on one
side, plays a little with source or destination addresses or ports, but
otherwise sends it on without touching or inspecting the contents of the
data flow.
        An application level proxy has the opportunity *1 to validate the
data flow itself.  It can look at the incoming SMTP communication, for
example, and make sure that the "HELO", "MAIL", "RCPT", etc. messages are
properly formatted (is the object after "MAIL FROM:" a valid email
address?) and aren't buffer overflows before sending those messages on to
the destination server.
        At a severe risk of overgeneralizing, I would guess that NAT
proxies would be generally faster than App level proxies, but are less
secure.
        Cheers,
        - Bill

*1 An app level proxy is not _required_ to inspect the data flow; a basic
tcp proxy could simply take every data block it gets and pass it on to the
other end of the connection.

---------------------------------------------------------------------------
        "If the entire earth, land and water, were covered with computers, 
IPv6 would allow 7x10^23 IP addresses per square meter.  [...]  While it
was not the intention to give every molecule on the surface of the earth
its own IP address, we are not that far off."
        -- Tanenbaum, _Computer_Networks_, 3rd Edition
(Courtesy of Joseph Pingenot <jap3003 () ksu edu>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
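The kind of SMTP sanity checking Bill describes an application-level proxy doing, written out as an added example that is not part of the original post. The accepted command set, the 512-byte line cap and the simplified address pattern are constructed assumptions for illustration, not the rules of any particular firewall product.

```python
import re

# Maximum accepted length for one SMTP command line (RFC 5321 allows 512
# octets including CRLF); anything longer is rejected rather than relayed,
# which is the "isn't a buffer overflow" check the post mentions.
MAX_LINE = 512

# Constructed, deliberately simple address check: local-part@domain with
# no whitespace or control characters. A real proxy would follow RFC 5321.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_smtp_command(line: bytes) -> tuple[bool, str]:
    """Return (accept, reason) for one client command line.

    A NAT box would forward this line untouched; an application proxy can
    refuse it before it ever reaches the destination mail server.
    """
    if len(line) > MAX_LINE:
        return False, "line too long"
    # Only printable ASCII plus CR/LF is allowed in a command line.
    if any((b < 0x20 and b not in (0x0D, 0x0A)) or b > 0x7E for b in line):
        return False, "non-printable byte in command"
    text = line.rstrip(b"\r\n").decode("ascii")
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        if not arg or " " in arg:
            return False, "HELO/EHLO needs a single hostname"
        return True, "ok"
    if verb == "MAIL":
        m = re.fullmatch(r"(?i)FROM:\s*<(.*)>", arg)
        if m is None:
            return False, "MAIL must be MAIL FROM:<address>"
        addr = m.group(1)
        if addr and not ADDR_RE.match(addr):  # empty reverse-path is a bounce
            return False, "invalid sender address"
        return True, "ok"
    if verb == "RCPT":
        m = re.fullmatch(r"(?i)TO:\s*<(.*)>", arg)
        if m is None or not ADDR_RE.match(m.group(1)):
            return False, "RCPT must be RCPT TO:<valid address>"
        return True, "ok"
    if verb in ("DATA", "RSET", "NOOP", "QUIT"):
        return True, "ok"
    return False, "unknown or disallowed command"
```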
