The main disadvantage of NAT is that it interferes with the continuity of a VPN/IPsec tunnel and also causes some processing stress on the machine. However, NAT makes your private network invisible from the Internet and allows you to use private address definitions behind the firewall. Using the same IP on both sides is just the opposite of NAT; it exposes your private network to the Internet. Hope this helps.

Cheers

Janbaz

>From: kk downing <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>CC: [EMAIL PROTECTED], Enrique Martin <[EMAIL PROTECTED]>, [EMAIL PROTECTED], Bill Royds <[EMAIL PROTECTED]>
>Subject: RE: Migration from Gauntlet 5 to Firewall-1
>Date: Thu, 4 Apr 2002 09:00:37 -0800 (PST)
>
>Interesting. Does the Gauntlet have the ability to act
>on these violations, like Nimda or FTP over DNS, or do
>you need a separate IDS to take care of that. Anyway I
>thought the job of the IDS was to do that sort of
>inspecting anyway but if a FW-1 supports natively like
>that it seems pretty cool and I am wondering why
>someone would be inclined to switch vendors if that
>was in fact the case. Can you elaborate on problems
>that arise from NAT and using the same IP on both
>sides of a stream? That part confused me.
>--- [EMAIL PROTECTED] wrote:
> > Proxy firewalls create new sessions for a
> > connection. One session is
> > between client and firewall; the second is between
> > firewall and server. It
> > then examines the session for conformance to the
> > RFCs, normalizes
> > character sets, catches buffer overflows etc.. So,
> > for example, a proxy
> > firewall could prevent Nimda attacks on servers
> > because it would already
> > convert unicode strings to correct characters before
> > IIS saw it (although
> > many proxy firewalls did not do this, some did).
> > A stateful inspection firewall does not examine the
> > contents of packets,
> > only the headers (although it does keep track of TCP
> > state to catch
> > packet sequence spoofing etc.). It does not normally
> > look at actual
> > contents of packets so it would allow FTP over a
> > DNS port without batting
> > an eye. FW-1 has a full proxy for HTTP to handle
> > this, but the stateful
> > inspection firewall does not. Of course a proxy also
> > handles all the
> > filtering features of a stateful inspection
> > firewall. NAT is inherent in
> > the structure and the problem sometimes arises that
> > it takes special
> > effort to allow the same IP to be used for both
> > sides of the stream.
> > Even if a proxy firewall is only using a null
> > proxy (not actually
> > examining the contents), it still regenerates the
> > stream, preventing
> > sequence number attacks, fragmentation attacks etc.
> > so is better than
> > stateful inspection.
> > But this dual stream approach comes at the price
> > of more processing and
> > more latency.
> > With modern CPUs, they can generally handle the
> > actual data flow, but
> > they pause at the front for a time giving them more
> > latency.
> >
> >
> > kk downing said:
> > I agree with your observations on
> > marketing-fueled
> > economies but my question is why is a proxy
> > firewall
> > inherently more secure than stateful inspection. I
> > haven't used the Gauntlet but it sounds labor
> > intensive.
> >
> >
> >
> >
> > Bill Royds
> > Acting System Administrator,
> > Canadian Heritage Information Network
> > (819) 994-1200 X 239
> >
>
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls


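Janbaz's point about NAT and IPsec, worked through as an added example (not part of the thread, and not real IPsec code): a toy model of what AH and ESP authenticate, showing that rewriting the source address invalidates an AH integrity check while ESP, whose ICV does not cover the outer IP header, survives an address-only rewrite. The key, addresses, SPI and payload are constructed for the demo.

```python
"""Why NAT breaks an IPsec AH tunnel while address-only NAT leaves ESP intact.
Constructed toy model; the field layout is simplified, the principle is not.

AH's integrity check value (ICV) is an HMAC over the IP header with the
mutable fields zeroed, plus the payload, so source and destination addresses
are covered. ESP's ICV covers only the ESP header (SPI) and the payload."""

import hashlib
import hmac
import socket

SA_KEY = b"constructed-demo-key"  # the SA's shared key; a constant for the demo
ICV_LEN = 12  # truncated ICV, as the standard HMAC-SHA transforms do


def _ah_covered(pkt: dict) -> bytes:
    """Bytes AH authenticates: addresses and protocol are immutable and are
    included; TTL is mutable and is hashed as zero so routers may decrement it."""
    return (socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"])
            + bytes([pkt["proto"], 0])          # protocol, TTL zeroed
            + pkt["spi"].to_bytes(4, "big") + pkt["payload"])


def ah_icv(pkt: dict) -> bytes:
    return hmac.new(SA_KEY, _ah_covered(pkt), hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(pkt: dict, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(pkt), icv)


def esp_icv(pkt: dict) -> bytes:
    """ESP authenticates the ESP header and payload, not the outer IP header."""
    covered = pkt["spi"].to_bytes(4, "big") + pkt["payload"]
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def esp_verify(pkt: dict, icv: bytes) -> bool:
    return hmac.compare_digest(esp_icv(pkt), icv)


def forward_through_router(pkt: dict) -> dict:
    """An ordinary hop: only the mutable TTL changes."""
    return {**pkt, "ttl": pkt["ttl"] - 1}


def nat_rewrite_source(pkt: dict, public_src: str) -> dict:
    """A NAT hop: the TTL changes and the private source address is replaced."""
    return {**forward_through_router(pkt), "src": public_src}


def demo() -> dict:
    """Emit one packet, then check its ICVs after a plain hop and after a NAT hop."""
    original = {"src": "10.0.0.5", "dst": "203.0.113.7", "proto": 51, "ttl": 64,
                "spi": 0x1000, "payload": b"tunnelled data"}       # constructed
    ah, esp = ah_icv(original), esp_icv(original)
    routed = forward_through_router(original)
    natted = nat_rewrite_source(original, "198.51.100.1")
    return {
        "ah_after_router": ah_verify(routed, ah),   # True: TTL is not covered
        "ah_after_nat": ah_verify(natted, ah),      # False: source address is covered
        "esp_after_nat": esp_verify(natted, esp),   # True: outer header not covered
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:16s} {'verifies' if ok else 'FAILS'}")
```

The model covers address rewriting only. A NAT that also rewrites ports (PAT) has nothing to rewrite in AH or ESP, which carry an SPI rather than ports, so in practice ESP also needs UDP encapsulation (NAT traversal) to pass such a device; keeping the same address on both sides, as the thread discusses, avoids the rewrite altogether.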
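The contrast Bill Royds draws between header-only stateful inspection and a content-examining proxy, as an added example that is not part of the thread: a toy filter that decides on the 5-tuple alone beside one that also requires the payload to be what the port implies, checked against FTP sent to the DNS port and a Nimda-style overlong-UTF-8 traversal request. The policy, the packets and the normalisation rules are constructed for the example and are not Gauntlet's or FW-1's code.

```python
"""Header-only (stateful inspection) vs content-aware (proxy) filtering.
Toy model of the two behaviours described in the thread; policy and
packets are constructed for the example."""

import struct
from urllib.parse import unquote_to_bytes

# Allowed (protocol, destination port) pairs: DNS and HTTP. Constructed policy.
POLICY = {("udp", 53), ("tcp", 53), ("tcp", 80)}


def header_only_allows(pkt: dict) -> bool:
    """Stateful-inspection style: the decision uses header fields only."""
    return (pkt["proto"], pkt["dport"]) in POLICY


def looks_like_dns(payload: bytes) -> bool:
    """Proxy-style check for port 53: does the payload parse as a DNS query?
    Validates the 12-byte header and that the first question name is well formed."""
    if len(payload) < 12:
        return False
    _ident, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount == 0 or qdcount > 16:        # a query carries at least one question
        return False
    pos = 12
    while True:                             # walk the QNAME labels
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length > 63:                     # compression pointer or junk: not a QNAME
            return False
        pos += 1 + length
    return pos + 4 <= len(payload)          # QTYPE and QCLASS must follow


def decode_utf8_lenient(raw: bytes) -> str:
    """Decode UTF-8, but also map overlong two-byte sequences (e.g. C0 AF) to the
    character they encode, the way IIS did, so a normalising proxy sees the path
    as the server would. Anything else it cannot normalise is refused."""
    try:
        return raw.decode("utf-8")          # well-formed input: nothing to normalise
    except UnicodeDecodeError:
        pass
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and raw[i + 1] & 0xC0 == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("byte sequence the proxy cannot normalise")
    return "".join(out)


def normalize_path(path: str) -> str:
    """Percent-decode (bounded, to catch %25 double encoding), decode overlong
    UTF-8, and treat backslash as a path separator."""
    for _ in range(3):
        path = decode_utf8_lenient(unquote_to_bytes(path))
        if "%" not in path:
            break
    return path.replace("\\", "/")


def http_target_is_safe(target: str) -> bool:
    """Reject any request whose normalised path contains a '..' segment."""
    try:
        path = normalize_path(target.split("?", 1)[0])
    except ValueError:
        return False
    return ".." not in path.split("/")


def proxy_allows(pkt: dict) -> bool:
    """Proxy style: header policy first, then the payload must match the port."""
    if not header_only_allows(pkt):
        return False
    if pkt["dport"] == 53:
        return looks_like_dns(pkt["payload"])
    if pkt["dport"] == 80:
        parts = pkt["payload"].split(b"\r\n", 1)[0].decode("latin-1").split()
        return len(parts) == 3 and parts[2].startswith("HTTP/") and http_target_is_safe(parts[1])
    return True


def build_dns_query(name: str) -> bytes:
    """Minimal A query, used as constructed sample traffic."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


SAMPLE_PACKETS = {  # constructed, not captured
    "real_dns": {"proto": "udp", "dport": 53, "payload": build_dns_query("example.com")},
    "ftp_on_53": {"proto": "tcp", "dport": 53, "payload": b"USER anonymous\r\n"},
    "nimda_http": {"proto": "tcp", "dport": 80,
                   "payload": b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"},
    "plain_http": {"proto": "tcp", "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:11s} stateful={header_only_allows(pkt)!s:5s} proxy={proxy_allows(pkt)}")
```

The header-only filter passes all four packets; the proxy-style filter passes only the real DNS query and the plain HTTP request. Decoding overlong sequences rather than rejecting them is a deliberate choice here so the traversal is visible in the normalised path; a stricter proxy could simply refuse anything that is not canonical UTF-8, which the `ValueError` branch already does for sequences it does not handle.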
