Found at: http://www.surebox.com/article/articleprint/67/-1/83/

What is Firewall, proxy and NAT?


This article explains some of the key features of NAT, firewall and proxy server software products as they can be used to securely share an internet connection (with only one IP address) through a cable or xDSL modem.

This is what you need: a cable or DSL modem, one PC with two Ethernet cards, a few PCs with one Ethernet card each, a hub, and enough Ethernet cables to tie it all together. The printer is optional.

Network Address Translation (NAT) or a proxy server will allow you to share an IP address between multiple machines. This does not necessarily imply any security. If your gateway device is using NAT or a proxy, it does not imply that the gateway is any more secure than it would be if those services were not running. It does usually mean that the network behind it is harder to get to or attack, but even that is not always true.
As said above, NAT and proxy do not necessarily do anything for your security. The real firewall technologies are packet filtering and proxies.
NAT
In general, a NAT is easier to set up and use than a Proxy Server because you simply install it on the computer that is directly connected to the cable modem. Proxy Servers generally require settings for each client computer on your local network.
All the PC NAT products do address/port mapping, and keep state information that prevents incoming connections. This provides the same protection as stateful packet filtering.
A NAT product should replace the TCP/IP stack on the PPP/NIC adapter with its own IP stack. That protects the gateway machine as well as the computers on the local network. Normally product documentation should indicate this; however, in many cases it is not clearly specified, maybe in an attempt to keep things simple for the less experienced buyer.
NAT makes the machines on the local network behind the gateway machine more secure essentially because the client computers on the local network use IP addresses that are reserved for use on internal networks only. Those IP addresses will not show up on the internet.
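
The state table described in this section, as an added example that is not part of the original article: a toy Python model of a NAT gateway that also shows the conclusion's point that NAT alone does not shield the gateway machine. The class, method names, addresses and ports are all constructed, and it assumes the strict case where a reply must come from the exact remote address and port the client contacted.

```python
# Added illustration (not from the article): toy model of a NAT gateway's state table.
# All addresses, ports and names are constructed sample values.
PUBLIC_IP = "203.0.113.10"          # the single address assigned by the ISP

class NatGateway:
    def __init__(self, own_listeners=(), packet_filter=False):
        self.own_listeners = set(own_listeners)  # ports open on the gateway PC itself
        self.packet_filter = packet_filter       # True: gateway also runs a packet filter
        self.table = {}                          # public port -> (lan_ip, lan_port, remote)
        self.next_port = 40000

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """LAN client opens a connection: record state, rewrite the source address."""
        for pub, entry in self.table.items():
            if entry == (lan_ip, lan_port, (dst_ip, dst_port)):
                return (PUBLIC_IP, pub, dst_ip, dst_port)   # reuse existing mapping
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (lan_ip, lan_port, (dst_ip, dst_port))
        return (PUBLIC_IP, pub, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arrives on the public address: decide where, if anywhere, it goes."""
        entry = self.table.get(dst_port)
        if entry and entry[2] == (src_ip, src_port):
            return ("forward", entry[0], entry[1])   # reply to a connection a client opened
        if dst_port in self.own_listeners and not self.packet_filter:
            return ("gateway", PUBLIC_IP, dst_port)  # NAT alone does not shield the gateway
        return ("drop", None, None)                  # no matching state: unsolicited

def demo():
    nat = NatGateway(own_listeners={139})            # constructed: one service on the gateway
    sent = nat.outbound("192.168.0.2", 51000, "198.51.100.7", 80)
    results = {
        "rewritten": sent,                           # private source never leaves the LAN
        "reply": nat.inbound("198.51.100.7", 80, sent[1]),
        "unsolicited": nat.inbound("192.0.2.99", 4444, 8080),
        "wrong_remote": nat.inbound("192.0.2.99", 80, sent[1]),
        "gateway_port": nat.inbound("192.0.2.99", 4444, 139),
    }
    nat.packet_filter = True                         # NAT combined with packet filtering
    results["gateway_port_filtered"] = nat.inbound("192.0.2.99", 4444, 139)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```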
Proxy Server
Proxy Servers are used where you want tighter control of what the client machines are allowed to do, or when you have many client machines. The proxy lightens the load on the cable or xDSL modem by caching web pages that are downloaded. So assuming that the users on the local network tend to surf the same pages, the performance can be greatly enhanced. With a NAT, every request requires retrieval through the cable modem - no caching.
Firewall
When designing a firewall gateway, you are often looking to address two problems.
1: Mapping your network into a limited number of public IP addresses.
2: Providing security.
NAT addresses the first problem, and is generally used when you are using a packet filtering firewall to provide the security. Combined, they solve both of the problems.
Proxy Servers can be used to solve both of the problems.
Most commercial gateway firewall products these days are a combination of all of these. Proxy Servers can be highly secure, and let you look into the application data of the packets, so you can do things like rewrite mail headers, block URLs, etc. However, they can be somewhat limiting because writing an intelligent, secure proxy for every protocol/application is more than anyone can handle. Most firewalls use either packet filtering and NAT or they use packet filtering and a generic proxy to cover the areas where they do not have a good proxy written. Packet filtering/NAT also tends to have less overhead than proxy servers.
Conclusion
There is no issue that I am aware of, from a security perspective, where you would preferentially choose a NAT instead of a proxy or vice-versa. A proxy allows the administrator more control over what is or is not allowed onto the client computers on the local network, while a NAT typically offers easier set up.
To some extent, NAT and proxy servers act as firewalls, but it is only true for the machines behind the NAT or proxy server. It does not in any way protect the gateway machine running the NAT/Proxy.
With that said, there are products that combine the functions of a NAT or Proxy (or both!) and a firewall. Sygate is an example of a program that does offer some sort of firewall protection for the gateway computer running Sygate.
