VIDEO – NAT and Firewall

By: Frank Chodacki

Explaining some basic network concepts.

I'm excited to be back to explain some basic network concepts that are pretty ubiquitous and universally used—"NAT" and "firewall."

I use the analogy of communication between apartment buildings and outside companies to go over network address translation (NAT), stateless firewalls, stateful firewalls, and application firewalls. I hope you enjoy!

Video Transcript

NAT and Firewall

Hi, my name's Frank Chodacki. I'm part of the IBM Cloud team, and I'm here to explain some basic network concepts that are pretty ubiquitous or universally used, and the terms are "NAT" and "firewall."

NAT

Let's start off with NAT. NAT stands for "network address translation." It's described in an IETF RFC 1918.

And what NATing really does is allow us to translate internet addresses to private address space. Private address space exists because there is only a finite number of internet TCP/IP addresses.

The apartment analogy

So, to cover this topic, I always find it's better to use analogies, and we are going to use the apartment analogy to describe what an internal network or TCP/IP range is versus an external TCP/IP range.

Apartment analogy

So over here we have our apartment buildings—we have Apartment Building 1; we have Apartment Building 2. And within those apartment buildings, we have Apartment 1, 2, 3, 4, etc., etc.

And over in Apartment Building 2—well, lo and behold—we have the same apartment numbers, okay.

Same apartment numbers

The only thing that really differentiates Apartment 1 in Building 2 and Apartment 1 in Building 1 is their street address. So, much like an internet TCP/IP address, the street address is uniquely addressable across the world. So, let's say Apartment Building 1 is 123 1st Street, and Apartment Building 2 is 157 2nd Street.

Street addresses differ

So, those street addresses are uniquely addressable across the world, whereas the apartments themselves, the apartment numbers, are not unique. That really describes the difference between an internal RFC 1918 TCP/IP address and an external address.

Well, how do you get between those two things?

You get there by something called NAT—network address translation. NAT is typically used to translate an IP address from one range, or multiple IP addresses from one range, to an IP address on some other range.

It's commonly used between private internal networks and an internet IP address because internet IP addresses are finite and, subsequently, can be very expensive to purchase or to use.

So, in the case of Apartment Building 1, we have a device that does our NATing.

And the second part of this topic is firewalls. A NAT device typically goes along with the firewall function and is usually employed in some kind of a routing device. A routing device connects two or more computer networks.

So, we're just gonna put our firewall down here in both of our apartment buildings, so: NAT and firewall.

Firewall function

Sending via NAT

So, let's say someone in Apartment 2 wants to communicate or send a letter, a piece of mail—remember those? Over to Company1.net, and he wants to send it out from his street address to the Company 1 street address—or, let's just say, from his internal IP address to a public IP address or an internet IP address.

What he would do is send that out to the NATing device, which is akin to—let's say you have a home router or routing device; that's the first device your traffic's going to hit.

Send it to the NAT device first.

The NAT, network address translation, part of that is going to convert that internal address to a real internet address—which is what? It's this 123 1st Street.

That traffic is gonna traverse from 123 1st Street, so it's like sending mail with the return address being 123 1st Street over to Company1.net.

As soon as Company1.net sends a response it's going to not send it to Apartment 2—it's actually going to send it to 123 1st Street.

It's going to send a response back, and what's going to happen is the NATing device actually keeps track of what's going out and the corresponding response. It knows that the response to 123 1st Street—let's say the person put their name on the letter going out—gets converted to an internal address, which happens to be Apartment 2; it knows that person lives in Apartment 2.

Here's the key: Company 1 doesn't know that that person lives in Apartment 2. All it knows is 123 1st Street—essentially obscuring the final address of that person. So, in that sense, it's akin to a security device, because it protects that person.

Firewall

Now, that by itself is typically not enough. On the same device, we'll have a firewall function. What's a firewall function? A firewall function is a security device, service, or appliance that actually monitors the network communication between some source and some destination, typically deployed across two different networks. That's not always the case, but in this analogy, we're gonna just say the firewall is there between the internal network and the external network, and notice we have it deployed on our NAT device.

Stateless firewall

So, in a typical firewall, we'll have something called a stateless firewall.

And all a stateless firewall is, it's just like a lock on the door. So, we put a lock over here, and we put a lock over here. Well, all that says is: "I'm a person that wishes to get into the apartment; I have a key, and I'll open the door and go in."

A stateless firewall is like a lock on a door.

Well, it's not a bad way to go, and it keeps most people out of the apartment building that don't live there, but somebody can tailgate and go in behind the legitimate traffic, or maybe figure out the key; there are a couple of different ways. It's a decent firewall, but as things get more sophisticated, it's not enough.

Stateful firewall

So, the next type of firewall that came up was called stateful.

So, a stateful firewall does this: now we've hired a security guard. Here's our security guard; he's a cool dude.

Stateful firewall is like a security guard

He's sitting at the front desk. So, as traffic tries to enter the apartment building, maybe they have a key, he looks at the person and says, "Where are you going?" "I'm going to Apartment 4."

Okay, so now the traffic's allowed to Apartment 4. Doesn't ask what the person's doing there or anything else, just allows the traffic.

So, really, a stateful firewall understands the source and destination of the traffic, and it actually monitors the conversation between that source and destination. It does a little bit more, acting as a traffic cop between those sources and destinations.

Application firewall

So, the last thing we're gonna look at is something called an application firewall.

An application firewall is something that looks deeper into the conversation. So now we have our traffic cop over here, and what he's doing is, rather than just asking what apartment you're going to, he's going to ask what your purpose is.

It actually looks deeper into the conversation: if we're talking about web service traffic, it makes sure that's really web-type traffic being communicated between the source and destination, not some other type of traffic that could be malicious.

So, in other words, it's analogous to—okay, I have a person trying to get to Apartment 2, and that person says that they're there to deliver a pizza, when really you know they're trying to do door-to-door sales. So, the security guard, in this case, would figure that out and not allow the person access to their apartment.
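A small Python model of the NAT-plus-firewall box from the analogy above, added here as an illustration and not code from the original post: outbound packets get their source rewritten to the one public address and recorded in a table; an inbound packet is delivered only if it answers a recorded flow from the same remote host (the stateful guard) and, for port 80, only if its payload looks like HTTP (the application check). The addresses, ports and the HTTP heuristic are constructed for the example.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # the "street address"; RFC 5737 documentation range, constructed

# Application-layer check per remote port: does the payload look like the
# protocol that port claims to carry? (Only a crude HTTP check is modelled.)
APP_CHECKS = {80: lambda data: data.startswith((b"GET ", b"POST ", b"HTTP/"))}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatFirewall:
    """One box doing NAT plus stateful and application filtering."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (private ip, private port, remote ip, remote port)
        self.table = {}

    def outbound(self, pkt):
        """Rewrite the source to the public address and remember the flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, known in self.table.items():
            if known == flow:          # same conversation: reuse its public port
                break
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Return the de-NATed packet, or None when the firewall drops it."""
        flow = self.table.get(pkt.dst_port)
        # Stateful check: only a reply to a recorded outbound flow, from the
        # same remote host and port, is let in (the guard knows who was expected).
        if flow is None or flow[2:] != (pkt.src_ip, pkt.src_port):
            return None
        # Application check: the reply must look like the protocol for that port.
        check = APP_CHECKS.get(pkt.src_port)
        if check is not None and not check(pkt.payload):
            return None
        priv_ip, priv_port = flow[:2]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)
```

A stateless filter would stop after checking the ports alone; here an unsolicited packet to a known port is still dropped because no outbound flow matches it.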

And those are the basics of NATing and firewall.
