Firewall Wizards mailing list archives
Re: Proxy vs. NAT
From: dwelch () uswestmail net
Date: 17 Nov 1999 00:03:16 -0800
On Thu, 11 November 1999, William Stearns wrote:
> In a NAT arrangement, the firewall accepts the packets on one side, plays a little with source or destination addresses or ports, but otherwise sends it on without touching or inspecting the contents of the data flow.
Generally speaking, that's correct. But to properly support some protocols (like FTP), bits of the data stream also have to be twiddled. Most NAT implementations support things like FTP and RealAudio.
> At a severe risk of overgeneralizing, I would guess that NAT proxies would be generally faster than App level proxies, but are less secure.
NAT generally *is* faster than an application proxy, mainly because "less work" is going on (i.e. not having to set up and tear down TCP connections). Application proxies can provide more "value" to the picture (such as content filtering), so they are *potentially* more secure, depending on the implementation.

--
Dameon D. Welch, a.k.a. PhoneBoy (dwelch () phoneboy com)
Check Point FireWall-1 FAQs at http://www.phoneboy.com/fw1/
The views expressed herein are not necessarily those of anyone else.
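
The FTP case mentioned in the reply above, as an added example that is not part of the original post or of any NAT product's code: an active-mode client puts its own address and port inside the `PORT` command, so a NAT has to rewrite that payload, install a matching data-channel mapping, and track the resulting length change. Function names and addresses are constructed for illustration.

```python
import re

# Active-mode FTP PORT command: four address octets, then two port bytes.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line):
    """Return (ip, port) from a PORT command line, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def build_port(ip, port):
    """Encode (ip, port) as a PORT command line."""
    return f"PORT {ip.replace('.', ',')},{port >> 8},{port & 0xFF}\r\n".encode()


def nat_rewrite(line, inside_ip, public_ip, alloc_port):
    """Rewrite a client's PORT command the way a NAT FTP helper has to.

    Returns (new_line, mapping, seq_delta). mapping is the data-channel
    translation (public ip/port -> inside ip/port) the NAT must install;
    seq_delta is the payload length change, which the NAT must apply to
    later TCP sequence numbers from the client and to ACKs sent back to it.
    Anything that is not a PORT command passes through untouched.
    """
    parsed = parse_port(line)
    if parsed is None:
        return line, None, 0
    ip, port = parsed
    if ip != inside_ip:
        # Payload address differs from the connection's inside address:
        # leave it alone and open no mapping for it.
        return line, None, 0
    new_line = build_port(public_ip, alloc_port)
    return new_line, ((public_ip, alloc_port), (ip, port)), len(new_line) - len(line)


# Constructed sample: inside client 192.168.1.10 offers port 4097 (16*256 + 1).
SAMPLE = b"PORT 192,168,1,10,16,1\r\n"
if __name__ == "__main__":
    print(nat_rewrite(SAMPLE, "192.168.1.10", "203.0.113.5", 61000))
```

The one-byte length change in the sample is why this cannot be done by header rewriting alone: every later segment on the control connection needs its sequence and acknowledgement numbers adjusted.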