# Understanding NAT and Firewalls

**Source:** [https://www.youtube.com/watch?v=2llWuivdS7w](https://www.youtube.com/watch?v=2llWuivdS7w)
**Duration:** 00:09:23

## Summary

- NAT (Network Address Translation) converts private internal IP addresses to public internet addresses, conserving the limited pool of globally routable IPs.
- An apartment‑building analogy illustrates that while apartment numbers (private IPs) can repeat, the street address (public IP) uniquely identifies a location worldwide.
- NAT devices are typically implemented in routers that bridge internal networks to the internet, translating traffic from internal to external address spaces.
- Firewalls are often integrated with NAT routers to enforce security policies, controlling which inbound and outbound traffic is allowed between the private network and the public internet.

## Sections

- [00:00:00](https://www.youtube.com/watch?v=2llWuivdS7w&t=0s) **Explaining NAT with Apartment Analogy** - The speaker defines Network Address Translation, explains why private IP ranges are needed, and uses an apartment‑building metaphor to illustrate how internal addresses map to unique external internet addresses.
- [00:03:06](https://www.youtube.com/watch?v=2llWuivdS7w&t=186s) **NAT Explained with Mail Analogy** - The speaker uses a house‑mail metaphor to describe how a NAT device translates internal IP addresses to public ones and tracks responses back to the originating apartment.
- [00:06:11](https://www.youtube.com/watch?v=2llWuivdS7w&t=371s) **Lock, Guard, and Inspector Firewalls** - The speaker uses an apartment analogy to contrast simple lock‑based (static) firewalls, stateful firewalls that track source‑destination sessions, and application firewalls that inspect deeper into the traffic.
- [00:09:15](https://www.youtube.com/watch?v=2llWuivdS7w&t=555s) **Call to Action Closing** - The speaker invites viewers to submit questions and encourages them to like the video and subscribe for more similar content.
## Full Transcript
Hi, my name's Frank Chodacki.
I'm part of the IBM Cloud team,
and I'm here to explain some basic network concepts
that are pretty ubiquitous, or universally used,
and the terms are "NAT" and "firewall".
Let's start off with NAT.
NAT stands for Network Address Translation.
It's described in an IETF RFC 1918
and what NAT-ing really does is allows us to translate
internet addresses to private address space.
Private address space is really there because there's only a finite number
of internet TCP/IP addresses.
So, to cover this topic,
I always find it's better to use analogies
and we are going to use the apartment analogy
to describe what an internal network
or TCP/IP range is versus an external TCP/IP range.
So, over here we have our apartment buildings,
we have apartment building #1, we have apartment building #2.
And, within those apartment buildings,
we have apartment 1, 2, 3, 4, etc.
And over in apartment building #2 ...
well, lo and behold: we have the same apartment numbers!
The only thing that really differentiates apartment 1 in building #2 and
apartment 1 in building #1, is their street address.
So, much like an internet TCP/IP address,
the street address is uniquely addressable across the world.
So, we have apartment #1 is, let's say, 123 1st Street.
And apartment #2 is 157 2nd Street.
So, those addresses, the street addresses, are uniquely addressable across the world,
whereas the apartments themselves, the apartment numbers, are not unique.
So, that really describes the difference between
an internal 1918 TCP/IP address and an external address.
Well, how do you get between those two things?
You get there by something called NAT,
Network Address Translation.
NAT is typically used to translate an IP address
from one range, or multiple IP addresses from one range,
to an IP address on some other range.
It's commonly used between private internal networks
and an internet IP address because those are finite
and subsequently, they can be very expensive to purchase or to use.
So, in the case of apartment #1,
we have a device that does our NAT-ing.
And the second part of this topic is firewalls.
A NAT device typically goes along with the firewall function
and is usually employed in some kind of a routing device.
A routing device connects two or more computer networks.
So, we're just gonna put our firewall down here,
and both are apartments here,
so NAT and firewall.
So, let's say someone in apartment #2 wants to communicate
or send a letter, a mail (remember those, mail?),
over to Company1.net
and he wants to send it from his street address
to the company one street address
or let's just say, from his internal IP address to a public IP address,
or an internet IP address.
What he would do is send that out to the NAT-ing device
which is akin to, let's say you have a home router, or routing device
that's the first device your traffic's going to hit.
The NAT, Network Address Translation, part of that
is going to convert that internal address to a real internet address.
Which is what?
It's this 123 1st Street.
That traffic is gonna traverse from 123 1st Street,
so it's like sending mail with the return address being 123 1st Street,
over to Company1.net.
As soon as Company1.net sends a response
it's going to not send it to apartment #2,
it's actually going to send it to 123 1st Street.
It's going to send a response back, and
what's going to happen is the NAT-ing device actually keeps track of what's going out
and the corresponding response.
And it knows that the response to 123 1st Street,
let's say it's the person's name, they put their name on the letter going out,
it converts that to an internal address
which happens to be apartment #2, it knows that person lives in apartment #2.
Here's the key:
company one doesn't know that that person lives in apartment #2,
all it knows is 123 1st Street,
essentially obscuring the final address of that person.
So, by that, it's kind of a security device
because it protects that person
it's akin to a security device.
Now, that by itself is typically not enough.
On the same device we'll have a firewall function.
What's a firewall function?
A firewall function is known as a security device service appliance
that actually monitors the network communication
between some source and some destination,
typically deployed across two different networks.
That's not always the case, but in this analogy we're gonna just say
the firewall is there between the internal network
and the external network
and notice we have it deployed with our NAT device.
So, in a typical firewall
we'll have something called a "stateless" firewall,
and all a stateless firewall is, it's just like a lock on the door.
So, if we put a lock over here,
and we put a lock over here. All that says is,
"I'm a person that wishes to get into the apartment. I have a key, and I'll open the door and go in".
Well, it's not a bad way to go and it keeps most people out of the apartment building
that don't live there,
but somebody can tailgate and they can go in behind
the traffic, or maybe figure out the key,
there's a couple of different ways.
It's a decent firewall,
but as things get more sophisticated it's not enough.
So, the next type of firewall that came up was called "stateful".
So, stateful firewall does this:
now we've hired a security guard,
here's our security guard, he's a cool dude.
He's sitting at the front desk.
So, as traffic tries to enter the apartment building
maybe they have a key,
he looks at the person and says, "Where are you going?"
"I'm going to apartment 4."
OK, so now that traffic's allowed to apartment 4.
Doesn't ask what the person's doing there or anything else,
just allows the traffic.
So, really a stateful firewall
understands the source and destination of the traffic
and it actually monitors the conversation
between that source and destination
and does a little bit more
being a traffic cop between those two, source and destination.
So, the last thing we're gonna look at
is something called an "application firewall".
An application firewall is something that looks deeper into the conversation.
So, now we have our traffic cop over here and what he's doing is
now, rather than just asking what apartment you're going to,
he's going to ask what your purpose is.
So, think of it this way
it actually looks deeper into the conversation,
if we're talking about web service traffic,
it makes sure that's really web type traffic
that's being communicated from the source and destination
- not just some other type of traffic
that could be, let's say, some kind of malicious traffic.
So, in other words it's analogous to this:
I have a person trying to get to apartment #2
and that person says that they're there to deliver a pizza
when really they're trying to do door-to-door sales.
So, the security cop
or security guard, in this case, would figure that out
and not allow the person access to their apartment.
And those are the basics of NAT-ing and firewalling.
Thank you for watching this video.
If you have any questions please drop us a line.
If you would like to see more videos like this in the future
be sure to "LIKE" and subscribe.
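As an added example that is not part of the video or of IBM's own code: a toy Python model of the NAT device with the stateful "security guard" the speaker describes, next to the "lock on the door" stateless rule, so the tailgating case becomes concrete. All addresses and ports are constructed (an RFC 1918 private address inside, RFC 5737 documentation addresses outside); `Packet`, `NatFirewall` and `stateless_allows` are names chosen here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatFirewall:
    """Toy NAT device plus stateful 'security guard' (added example, not IBM's code)."""

    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip          # the building's street address
        self.next_port = first_port
        self.sessions = {}    # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.by_private = {}  # (private_ip, private_port, remote_ip, remote_port) -> public_port

    def outbound(self, pkt):
        """Rewrite the source to the public address and remember who sent it."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_private.get(key)
        if port is None:                    # new conversation: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.by_private[key] = port
            self.sessions[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a reply back to its apartment; None means the guard dropped it."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.sessions.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:                  # nobody inside started this conversation
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])

def stateless_allows(pkt, reply_ports=frozenset({80, 443})):
    """The 'lock on the door': judges one packet alone, admitting anything that
    merely looks like a web reply (source port 80/443) even with no session."""
    return pkt.src_port in reply_ports

def demo():
    """Apartment #2 mails Company1.net; later a stranger knocks on the same door."""
    nat = NatFirewall("203.0.113.5")                            # constructed public IP
    request = Packet("192.168.1.2", 40000, "198.51.100.7", 80)  # apartment #2 -> Company1.net
    out = nat.outbound(request)
    reply = nat.inbound(Packet("198.51.100.7", 80, out.src_ip, out.src_port))
    stranger = Packet("198.51.100.9", 80, "203.0.113.5", out.src_port)  # unsolicited
    return out, reply, nat.inbound(stranger), stateless_allows(stranger)
```

`demo()` returns the rewritten outbound packet, the reply mapped back to 192.168.1.2, `None` for the stranger at the stateful guard, and `True` for the same stranger at the stateless lock.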