
Re: draft-vandevelde-v6ops-nap-01.txt - "maybe add a bit more on proxy servers ..."



Mark Smith wrote:
Hi John,

On Wed, 16 Mar 2005 19:21:38 -0800
"John Spence, CCSI, CCNA, CISSP" <jspence@native6.com> wrote:


This draft does a great job of summarizing why engineered network security
(NAP) is much better than side-effect security (NAT).

There are probably a few places to expand upon the discussion of proxy
servers within a NAP-based security program.  NAT and proxies are not
just the same thing at different levels of the ISO stack.  NAT does simple
address translation, whereas proxy implementations - especially in larger
enterprises - do much more, including caching, L4-L7 security functions, and
policy enforcement.  Proxies also do a great job of topology hiding.
<snip>


Unfortunately, proxies break the end-to-end argument, as they maintain
state within the network. If the proxy breaks, devices would not be able
to access the resources they may still have an IP layer path to. Proxies
are worth avoiding for the same reason NAT is.

RFC 2775 and RFC 3234 addressed these issues, I believe. While I wouldn't be as negative as that about proxies, I do think that it would divert from the main argument in the NAP draft if we expanded that topic.

   Brian