Firewall Wizards mailing list archives

Re: Proxy vs. NAT


From: dwelch () uswestmail net
Date: 17 Nov 1999 00:03:16 -0800

On Thu, 11 November 1999, William Stearns wrote:


> In a NAT arrangement, the firewall accepts the packets on one
> side, plays a little with source or destination addresses or ports, but
> otherwise sends it on without touching or inspecting the contents of the
> data flow.

Generally speaking, that's correct. But to properly support some protocols (like FTP), bits of the data stream also have to be twiddled. Most NAT implementations support things like FTP and RealAudio.

> At a severe risk of overgeneralizing, I would guess that NAT
> proxies would be generally faster than App level proxies, but are less
> secure.

NAT generally *is* faster than an application proxy, mainly because "less work" is going on (i.e. not having to set up and tear down TCP connections). Application proxies can provide more "value" to the picture (such as content filtering), so they are *potentially* more secure, depending on the implementation.

--
Dameon D. Welch, a.k.a. PhoneBoy (dwelch () phoneboy com)
Check Point FireWall-1 FAQs at http://www.phoneboy.com/fw1/
The views expressed herein are not necessarily those of anyone else.
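
Added example, not part of the original message and not code from any product named in it: a sketch of the payload rewriting a NAT device has to do for an active-mode FTP PORT command, which carries the client's address and port inside the data stream. The function name, the alloc_port callback, the sample addresses and the rule that the PORT address must equal the packet's source are assumptions of this example.

```python
import re

# Active-mode FTP command: PORT h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     rb"(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def rewrite_port(line, inside_src, public_ip, alloc_port):
    """Rewrite one FTP control-channel line the way a NAT helper would.

    line        one CRLF-terminated control line (bytes)
    inside_src  source IP of the packet before translation
    public_ip   address the NAT presents to the outside
    alloc_port  hypothetical callback: (inside_ip, inside_port) -> public port
    Returns (new_line, length_delta).
    """
    m = PORT_RE.match(line)
    if m is None:
        return line, 0                      # not a PORT command: untouched
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("malformed PORT argument")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    # Only open a mapping back to the host that sent the command; a PORT
    # naming some other inside address is refused rather than translated.
    if ip != inside_src:
        raise ValueError("PORT address %s does not match sender %s"
                         % (ip, inside_src))
    pub_port = alloc_port(ip, port)
    new_line = ("PORT %s,%d,%d\r\n" % (public_ip.replace(".", ","),
                                       pub_port >> 8,
                                       pub_port & 0xFF)).encode("ascii")
    # The payload length can change, so the device must also shift TCP
    # sequence/ack numbers on this connection by the running delta.
    return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    # Constructed sample: inside client 192.168.1.10 behind 203.0.113.7
    mappings = {}

    def alloc(ip, port):
        mappings[(ip, port)] = 40000 + len(mappings)
        return mappings[(ip, port)]

    print(rewrite_port(b"PORT 192,168,1,10,19,137\r\n",
                       "192.168.1.10", "203.0.113.7", alloc))
    print(mappings)
```

The one-byte length change in the sample is the reason a plain address-and-port NAT cannot carry active FTP without a protocol-aware helper.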


