Explaining some basic network concepts.

I’m excited to be back to explain some basic network concepts that are pretty ubiquitous and universally used: “NAT” and “firewall.”

I use the analogy of communication between apartment buildings and outside companies to go over network address translation (NAT), stateless firewalls, stateful firewalls, and application firewalls. I hope you enjoy!


Video Transcript

NAT and Firewall

Hi, my name’s Frank Chodacki. I’m part of the IBM Cloud team, and I’m here to explain some basic network concepts that are pretty ubiquitous or universally used, and the terms are “NAT” and “firewall.”


Let’s start off with NAT. NAT stands for “network address translation.” It’s described in IETF RFC 1918.

And what NATing really does is allow us to translate internet addresses to private address space. Private address space is really there because there’s only a finite number of internet TCP/IP addresses.

The apartment analogy

So, to cover this topic, I always find it’s better to use analogies, and we are going to use the apartment analogy to describe what an internal network or TCP/IP range is versus an external TCP/IP range.

So over here we have our apartment buildings—we have Apartment Building 1; we have Apartment Building 2. And within those apartment buildings, we have Apartment 1, 2, 3, 4, etc., etc.

And over in Apartment Building 2—well, lo and behold—we have the same apartment numbers, okay.

The only thing that really differentiates Apartment 1 in Building 2 and Apartment 1 in Building 1 is their street address. So, much like an internet TCP/IP address, the street address is uniquely addressable across the world. So, we have Apartment 1 is, let’s say, 123 1st Street. And Apartment 2 is 157 2nd Street.

So, those addresses—the street addresses—are uniquely addressable across the world, whereas the apartments themselves, the apartment numbers, are not unique. So that really describes the difference between an internal 1918 TCP/IP address and an external address.

Well, how do you get between those two things?

You get there by something called NAT—network address translation. NAT is typically used to translate an IP address from one range or multiple IP addresses from one range to an IP address on some other range. 

It’s commonly used between private internal networks and an internet IP address because those are finite, and, subsequently, they can be very expensive to purchase or to use.

So, in the case of Apartment 1 we have a device that does our NATing.

And the second part of this topic is firewalls. A NAT device typically goes along with the firewall function and is usually employed in some kind of a routing device. A routing device connects two or more computer networks.

So, we’re just gonna put our firewall down here and in both our apartments here, so NAT and firewall.

Sending via NAT

So, let’s say someone in Apartment 2 wants to communicate or send a letter, a mail—remember those? Over to Company1.net, and he wants to send it out over, you know, from his street address to the Company 1 street address—or, let’s just say, from his internal IP address to a public IP address or an internet IP address.

What he would do is send that out to the NATing device, which is akin to—let’s say you have a home router or routing device; that’s the first device your traffic’s going to hit.

The NAT, network address translation, part of that is going to convert that internal address to a real internet address—which is what? It’s this 123 1st Street. 

That traffic is gonna traverse from 123 1st Street, so it’s like sending mail with the return address being 123 1st Street over to Company1.net.

As soon as Company1.net sends a response it’s going to not send it to Apartment 2—it’s actually going to send it to 123 1st Street.

It’s going to send a response back, and what’s going to happen is the NATing device actually keeps track of what’s going out and the corresponding response. And it knows that the response to 123 1st Street—let’s say it’s the person’s name, they put their name on the letter going out—it knows it converts that to an internal address which happens to be Apartment 2, it knows that person lives in Apartment 2.

Here’s the key: Company 1 doesn’t know that that person lives in Apartment 2. All it knows is 123 1st Street—essentially obscuring the final address of that person. So, by that, it’s kind of a security device because it protects that person; it’s akin to a security device.


Now, that by itself is typically not enough. On the same device, we’ll have a firewall function. What’s a firewall function? A firewall function is known as a security device or service appliance that actually monitors the network communication between some source and some destination, typically deployed across two different networks. That’s not always the case, but in this analogy, we’re gonna just say the firewall is there between the internal network and the external network, and notice we have it deployed on our NAT device.

Stateless firewall

So, in a typical firewall, we’ll have something called a stateless firewall.

And all a stateless firewall is, it’s just like a lock on the door. So, we put a lock over here, and we put a lock over here; well, all that says is: “I’m a person that wishes to get into the apartment; I have a key, and I’ll open the door and go in.”

Well, it’s not a bad way to go, and it keeps most people out of the apartment building that don’t live there, but somebody can tailgate and they can go in behind the traffic—maybe figure out the key; there’s a couple different ways. It’s a decent firewall, but as things get more sophisticated, it’s not enough.

Stateful firewall

So, the next type of firewall that came up was called stateful.

So, a stateful firewall does this—now we’ve hired a security guard—here’s our security guard, he’s a cool dude.

He’s sitting at the front desk. So, as traffic tries to enter the apartment building, maybe they have a key, he looks at the person and says “Where are you going?” – “I’m going to Apartment 4.”

Okay, so now the traffic’s allowed to Apartment 4. Doesn’t ask what the person’s doing there or anything else, just allows the traffic.

So, really, a stateful firewall understands the source and destination of the traffic, and it actually monitors the conversation between that source and destination. And does a little bit more being a traffic cop between those two sources and destinations.

Application firewall

So, the last thing we’re gonna look at is something called an application firewall.

An application firewall is something that looks deeper into the conversation. So now we have our traffic cop over here, and what he’s doing is, now rather than just asking what apartment you’re going to, he’s going to ask what your purpose is.

It actually looks deeper into the conversation: if we’re talking about web service traffic, it makes sure that’s really web-type traffic that’s being communicated from the source and destination, not just some other type of traffic that could be some kind of malicious traffic.

So, in other words, it’s analogous to—okay, I have a person trying to get to Apartment 2, and that person says that they’re there to deliver a pizza, when really you know they’re trying to do door-to-door sales. So, the security guard, in this case, would figure that out and not allow the person access to their apartment.

And those are the basics of NATing and firewalls.
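The NAT-plus-stateful-firewall behaviour from the transcript, as an added toy model (not code from the IBM post): internal hosts on RFC 1918 addresses sit behind one public "street address", the device records each outbound flow, and an inbound packet is translated back only when it is the reply to a recorded flow. The addresses and port numbers are constructed for illustration.

```python
# Added example, not code from the IBM post: a toy model of the NAT device
# plus stateful firewall described in the transcript. Internal hosts use
# RFC 1918 addresses behind one public "street address"; the device records
# each outbound flow and admits inbound packets only as replies to one.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed public address (TEST-NET-3 range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatFirewall:
    public_ip: str
    next_port: int = 40000
    # public source port -> (internal ip, internal port, remote ip, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the internal source to the public address; remember the flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, known in self.table.items():
            if known == flow:           # reuse the mapping for an existing flow
                break
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Stateful check: translate a reply back, or return None (drop)."""
        flow = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or flow is None:
            return None                 # nothing on record: unsolicited, drop
        in_ip, in_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                 # known port but wrong peer: drop
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
```

A stateless filter would have to decide on each packet's header alone; here the decision for inbound traffic depends on the conversation the device has already seen, which is exactly what "stateful" adds over the lock-on-the-door model.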
