Firewall Wizards mailing list archives

Re: A question regarding SOCKs/Proxy vs NAT/PAT


From: "Crist Clark" <crist.clark () globalstar com>
Date: Tue, 13 Mar 2001 13:52:50 -0800

Michael Gliva wrote:

[snip]

> I like the idea of terminating all sessions at the border of our network,
> as SOCKs/Proxy does now, it gives us options (eg, WEB filtering and
> logging) that I don't believe we would have in a NAT environment. However,
> I'm not sure if a proxy set-up really adds any more protections to our
> network than does a firewall running NAT and PAT. And, I really don't
> know what the general industry trend is regarding the question of
> SOCKs/Proxy vs. NAT/PAT. Can anyone help to enlighten me?

OK, one more time, everyone repeat after me,

  "NAT is not a security measure."
  "NAT is not a security measure."
  ...

A proxy is much, much more secure than NAT. NAT's intention has always
been a way to increase the apparent size of the IPv4 space. (Again) it 
is not a security feature. In fact, read RFC1631, "The IP Network Address 
Translator (NAT),"

   Unfortunately, NAT reduces the number of options for providing
   security.

The only plus they list for NAT is that people cannot tell what and
how many hosts you have behind a NAT box.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
