I’m excited to be back to explain some basic network concepts that are pretty ubiquitous and universally used—“NAT” and “firewall.”
I use the analogy of communication between apartment buildings and outside companies to go over network address translation (NAT), stateless firewalls, stateful firewalls, and application firewalls. I hope you enjoy!
Hi, my name’s Frank Chodacki. I’m part of the IBM Cloud team, and I’m here to explain some basic network concepts that are pretty ubiquitous or universally used, and the terms are “NAT” and “firewall.”
Let’s start off with NAT. NAT stands for “network address translation.” It’s described in IETF RFC 1918.
And what NATing really does is allow us to translate internet addresses to private address space. Private address space is really there because there’s only a finite number of internet TCP/IP addresses.
The apartment analogy
So, to cover this topic, I always find it’s better to use analogies, and we are going to use the apartment analogy to describe what an internal network or TCP/IP range is versus an external TCP/IP range.
So over here we have our apartment buildings—we have Apartment Building 1; we have Apartment Building 2. And within those apartment buildings, we have Apartment 1, 2, 3, 4, etc., etc.
And over in Apartment Building 2—well, lo and behold—we have the same apartment numbers, okay.
The only thing that really differentiates Apartment 1 in Building 2 and Apartment 1 in Building 1 is their street address. So, much like an internet TCP/IP address, the street address is uniquely addressable across the world. So, let’s say Apartment Building 1 is 123 1st Street, and Apartment Building 2 is 157 2nd Street.
So, those addresses—the street addresses—are uniquely addressable across the world, whereas the apartments themselves, the apartment numbers, are not unique. So that really describes the difference between an internal RFC 1918 TCP/IP address and an external address.
Well, how do you get between those two things?
You get there by something called NAT—network address translation. NAT is typically used to translate an IP address from one range or multiple IP addresses from one range to an IP address on some other range.
It’s commonly used between private internal networks and an internet IP address because those are finite, and, subsequently, they can be very expensive to purchase or to use.
So, in the case of Apartment Building 1, we have a device that does our NATing.
And the second part of this topic is firewalls. A NAT device typically goes along with the firewall function and is usually employed in some kind of a routing device. A routing device connects two or more computer networks.
So, we’re just gonna put our firewall down here, in both our apartment buildings here, so NAT and firewall.
Sending via NAT
So, let’s say someone in Apartment 2 wants to communicate or send a letter, a piece of mail—remember those? Over to Company1.net, and he wants to send it out, you know, from his street address to the Company 1 street address—or, let’s just say, from his internal IP address to a public IP address or an internet IP address.
What he would do is send that out to the NATing device, which is akin to—let’s say you have a home router or routing device; that’s the first device your traffic’s going to hit.
The NAT, network address translation, part of that is going to convert that internal address to a real internet address—which is what? It’s this 123 1st Street.
That traffic is gonna traverse from 123 1st Street, so it’s like sending mail with the return address being 123 1st Street over to Company1.net.
As soon as Company1.net sends a response, it’s not going to send it to Apartment 2—it’s actually going to send it to 123 1st Street.
It’s going to send a response back, and what’s going to happen is the NATing device actually keeps track of what’s going out and the corresponding response. It knows that the response to 123 1st Street—let’s say the person put their name on the letter going out—needs to be converted to an internal address, which happens to be Apartment 2, because it knows that person lives in Apartment 2.
Here’s the key: Company 1 doesn’t know that that person lives in Apartment 2. All it knows is 123 1st Street—essentially obscuring the final address of that person. So, in that sense, it’s akin to a security device because it protects that person.
Now, that by itself is typically not enough. On the same device, we’ll have a firewall function. What’s a firewall function? A firewall function is known as a security device, service, or appliance that actually monitors the network communication between some source and some destination, typically deployed across two different networks. That’s not always the case, but in this analogy, we’re gonna just say the firewall is there between the internal network and the external network, and notice we have it deployed on our NAT device.
So, in a typical firewall, we’ll have something called a stateless firewall.
And all a stateless firewall is, it’s just like a lock on the door. So, we put a lock over here, and we put a lock over here; well, all that says is: “I’m a person that wishes to get into the apartment, I have a key, and I’ll open the door and go in.”
Well, it’s not a bad way to go, and it keeps most people out of the apartment building that don’t live there, but somebody can tailgate and go in behind the traffic—or maybe figure out the key; there are a couple of different ways. It’s a decent firewall, but as things get more sophisticated, it’s not enough.
So, the next type of firewall that came up was called stateful.
So, a stateful firewall does this—now we’ve hired a security guard—here’s our security guard, he’s a cool dude.
He’s sitting at the front desk. So, as traffic tries to enter the apartment building, maybe they have a key, he looks at the person and says, “Where are you going?” – “I’m going to Apartment 4.”
Okay, so now the traffic’s allowed to Apartment 4. He doesn’t ask what the person’s doing there or anything else; he just allows the traffic.
So, really, a stateful firewall understands the source and destination of the traffic, and it actually monitors the conversation between that source and destination. It does a little bit more, being a traffic cop between those sources and destinations.
So, the last thing we’re gonna look at is something called an application firewall.
An application firewall is something that looks deeper into the conversation. So now we have our traffic cop over here, and what he’s doing is, rather than just asking what apartment you’re going to, he’s going to ask what your purpose is.
It actually looks deeper into the conversation; if we’re talking about web service traffic, it makes sure that’s really web-type traffic being communicated between the source and destination, not just some other type of traffic that could be malicious.
So, in other words, it’s analogous to—okay, I have a person trying to get to Apartment 2, and that person says they’re there to deliver a pizza, when really they’re trying to do door-to-door sales. So, the security guard, in this case, would figure that out and not allow the person access to the apartment.
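To make the three ideas concrete, here is a small added simulation (example code written for this page, not from IBM Cloud or the video): a toy NAT device whose translation table is also the stateful firewall’s record of open conversations, plus an application-layer check that port-80 traffic really looks like HTTP. All addresses, ports and payloads are constructed; the class and function names are this example’s own.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses: an RFC 1918 private range inside, a documentation-range public address outside.
PUBLIC_IP = "198.51.100.1"   # the building's street address, the only thing the outside world sees

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

def looks_like_http(payload: bytes) -> bool:
    """Application-layer check: is this really web traffic, not just something on port 80?"""
    return payload.startswith(b"HTTP/1.") or payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")

@dataclass
class NatFirewall:
    """Toy NAT device whose state table doubles as the stateful firewall (hypothetical class)."""
    next_port: int = 40000
    # public port -> (private ip, private port, remote ip, remote port)
    table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the private source to the public address and remember who sent the letter."""
        if pkt.dst_port == 80 and not looks_like_http(pkt.payload):
            return None  # claims to be going to the web server, but is not speaking HTTP
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = next((p for p, f in self.table.items() if f == flow), None)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = flow
        return Packet(PUBLIC_IP, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Only a reply to a remembered conversation is translated back to the apartment."""
        flow = self.table.get(pkt.dst_port) if pkt.dst_ip == PUBLIC_IP else None
        if flow is None or (pkt.src_ip, pkt.src_port) != (flow[2], flow[3]):
            return None  # nobody inside asked for this: unsolicited, dropped at the front desk
        if pkt.src_port == 80 and not looks_like_http(pkt.payload):
            return None  # "pizza delivery" that is really something else
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1], pkt.payload)

if __name__ == "__main__":
    fw = NatFirewall()
    out = fw.outbound(Packet("10.0.0.2", 5000, "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"))
    print(out)  # source is now 198.51.100.1:40000
    print(fw.inbound(Packet("203.0.113.10", 80, PUBLIC_IP, 40000, b"HTTP/1.1 200 OK\r\n")))
```

A stateless firewall would be the `looks_like_http`-free port rule alone; the stateful part is the `table` lookup that refuses anything no resident asked for.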