( NAT vs. Proxy ) - How does IP Masquerade differ from Proxy or NAT services?

7.6. ( NAT vs. Proxy ) - How does IP Masquerade differ from Proxy or NAT services?

Proxy:  Proxy servers are available for: Win95, NT, Linux, Solaris, etc.

            Pro:    + Only (1) IP address needed (cheap)
                    + Optional caching for better performance (WWW, etc.)

            Con:    - All applications behind the proxy server must both SUPPORT 
                      proxy services (SOCKS) and be CONFIGURED to use the Proxy 
                      server
                    - Screws up WWW counters and WWW statistics

	 A proxy server uses only (1) public IP address, like IP MASQ, and acts
	 as a translator for clients on the private LAN (WWW browser, etc.).
	 The proxy server receives requests like TELNET, FTP, WWW, etc. from
	 the private network on one interface.  It then, in turn, initiates
	 these requests as if someone on the local box were making them.
	 Once the remote Internet server sends back the requested
	 information, it re-translates the TCP/IP addresses back to the
	 internal MASQ client and sends the traffic to the internal requesting
	 host.  This is why it is called a PROXY server.

		Note:  ANY application that you might want to use on the
			internal machines *MUST* have proxy server support,
			as Netscape and some of the better TELNET and FTP
			clients do.  Any clients that don't support proxy
			servers won't work.

	 Another nice thing about proxy servers is that some of them
	 can also do caching (Squid for WWW).  So, imagine that you have 50
	 proxied hosts all loading Netscape at once.  If they were installed
	 with the default homepage URL, you would have 50 copies of the same
	 Netscape WWW page coming over the WAN link, one for each computer.
	 With a caching proxy server, only one copy would be downloaded by the
	 proxy server and then the proxied machines would get the WWW page from
	 the cache.  Not only does this save bandwidth on the Internet
	 connection, it will be MUCH, MUCH faster for the internal proxied
	 machines.



MASQ or 1:Many NAT:
	 IP Masq is available on Linux and a few ISDN routers such
	 as the ZyXEL Prestige128, Cisco 770, NetGear ISDN routers, etc.

		Pro: 	+ Only (1) IP address needed (cheap)
			+ Doesn't require special application support
			+ Uses firewall software so your network can become
			  more secure

		Con:	- Requires a Linux box or special ISDN router
			  (though other products might have this)
			- Incoming traffic cannot access your internal LAN
			  unless the internal LAN initiates the traffic or
			  specific port forwarding software is installed.
			  Many NAT servers CANNOT provide this functionality.
			- Special protocols need to be uniquely handled by
			  firewall redirectors, etc.  Linux has full support
			  for this capability (FTP, IRC, etc.) but many routers
			  do NOT (NetGear DOES).

	 Masq or 1:Many NAT is similar to a proxy server in the sense that the
	 server will perform IP address translation and fake out the remote server
	 (WWW for example) as if the MASQ server made the request instead of an
	 internal machine.

	 The major difference between a MASQ and a PROXY server is that MASQ
	 servers don't need any configuration changes on the client machines.  Just
	 configure them to use the Linux box as their default gateway and everything
	 will work fine.  (You WILL need to install special Linux modules for things
	 like RealAudio, FTP, etc. to work!)

	 Also, many users operate IP MASQ for TELNET, FTP, etc. *AND* also set up a
	 caching proxy on the same Linux box for WWW traffic for the additional
	 performance.


NAT:	 NAT servers are available on Windows 95/NT, Linux, Solaris, and some 
	 of the better ISDN routers (not Ascend)	 

		Pro: 	+ Very configurable
			+ No special application software needed

		Con:	- Requires a subnet from your ISP (expensive)

	 Network Address Translation is the name for a box that has a pool of
	 valid IP addresses on its Internet interface which it can use.  Whenever a
	 host on the internal network wants to go to the Internet, the box associates
	 an available VALID IP address from the Internet interface with the original
	 requesting PRIVATE IP address.  After that, all traffic is re-written from
	 the NAT public IP address to the NAT private address.  Once the associated
	 PUBLIC NAT address becomes idle for some pre-determined amount of time, the
	 PUBLIC IP address is returned to the public NAT pool.

	 The major problem with NAT is, once all of the free public IP addresses are
	 used, any additional private users requesting Internet service are out of
	 luck until a public NAT address becomes free.
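
The translation behaviour described in the MASQ and NAT sections above, as a toy Python model (an added example, not code from the HOWTO): many hosts sharing one public IP and told apart by port, versus a leased address pool that can run out. The class names, the sample addresses and the starting port 61000 are assumptions made for illustration.

```python
import itertools

class Masq:
    """1:Many NAT: every private (ip, port) shares ONE public IP, told apart by port."""
    def __init__(self, public_ip, first_port=61000):  # first_port is an arbitrary choice
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)
        self.out = {}    # (priv_ip, priv_port) -> public port
        self.back = {}   # public port -> (priv_ip, priv_port)

    def outbound(self, priv_ip, priv_port):
        key = (priv_ip, priv_port)
        if key not in self.out:
            port = next(self.ports)
            self.out[key], self.back[port] = port, key
        return self.public_ip, self.out[key]

    def inbound(self, public_port):
        # No table entry means the LAN never initiated this flow: nothing to deliver to.
        return self.back.get(public_port)

class PoolNat:
    """Pool NAT: each active private host leases one whole public IP until it goes idle."""
    def __init__(self, pool, idle_timeout):
        self.free, self.idle_timeout = list(pool), idle_timeout
        self.leases = {}  # priv_ip -> [public_ip, last_seen]

    def outbound(self, priv_ip, now):
        # Idle public addresses go back into the pool before a new one is handed out.
        for host, (pub, seen) in list(self.leases.items()):
            if now - seen >= self.idle_timeout:
                del self.leases[host]
                self.free.append(pub)
        if priv_ip not in self.leases:
            if not self.free:
                return None  # pool exhausted: host waits until an address frees up
            self.leases[priv_ip] = [self.free.pop(0), now]
        self.leases[priv_ip][1] = now
        return self.leases[priv_ip][0]

def demo():
    # Constructed sample traffic (RFC 1918 and documentation-range addresses).
    masq = Masq("203.0.113.1")
    a = masq.outbound("192.168.0.10", 1025)
    b = masq.outbound("192.168.0.11", 1025)
    nat = PoolNat(["203.0.113.10", "203.0.113.11"], idle_timeout=300)
    leases = [nat.outbound(f"192.168.0.{n}", now=0) for n in (10, 11, 12)]
    late = nat.outbound("192.168.0.12", now=300)
    return a, b, masq.inbound(61001), masq.inbound(4444), leases, late
```

In `demo()`, the two MASQ clients share one address on different ports, the unsolicited inbound port has no mapping, and the third pool-NAT host gets no address until the first leases have been idle for the timeout.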

For an excellent and very comprehensive description of the various forms of NAT, please see:

Here is another good site to learn about NAT, although many of the URLs are old but still valid:

    