Firewall Wizards mailing list archives
Re: A question regarding SOCKs/Proxy vs NAT/PAT
From: hermit1 <hermits () mac com>
Date: Thu, 15 Mar 2001 06:40:17 -0800
I am not familiar with NAT since I don't use it, and I have a simple question. If I set up NAT so that most hosts behind my NAT device don't get an address mapping, doesn't that provide rather good security for them? How could anyone send them packets?
hermit1

At 01:52 PM 3/13/01 -0800, Crist Clark wrote:

Michael Gliva wrote:

[snip]

> I like the idea of terminating all sessions at the border of our network,
> as SOCKs/Proxy does now, it gives us options (eg, WEB filtering and
> logging) that I don't believe we would have in a NAT environment. However,
> I'm not sure if a proxy set-up really adds any more protections to our
> network than does a firewall running NAT and PAT. And, I really don't
> know what the general industry trend is regarding the question of
> SOCKs/Proxy vs. NAT/PAT. Can anyone help to enlighten me?

OK, one more time, everyone repeat after me,

"NAT is not a security measure."
"NAT is not a security measure."
...

A proxy is much, much more secure than NAT. NAT's intention has always been a way to increase the apparent size of the IPv4 space. (Again) it is not a security feature. In fact, read RFC1631, "The IP Network Address Translator (NAT)," Unfortunately, NAT reduces the number of options for providing security. The only plus they list for NAT is that people cannot tell what and how many hosts you have behind a NAT box.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster () globalstar com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards