Policy based network address translation
Abstract
A system and method are described for providing policy-based Network Address Translation (NAT) configurations wherein each user/resource policy within a network protection device may use a different set of address translation mappings.
16 Claims
1. A method of performing policy-based network address translation in a system for protecting a network segment, the method comprising:
identifying an originating user of a first packet in a flow;
identifying a network resource that is a destination of the first packet in the flow;
selecting at least one predefined network address translation map based at least in part on the originating user and the network resource, wherein the map includes a plurality of user addresses corresponding to network resources; and
using the selected at least one predefined network address translation map to modify addresses in at least one packet in the flow.
5. A device for performing policy-based network address translation in a system for protecting a network segment, the device comprising:
a flow identifier to identify a source and a destination of the first packet of a flow;
a map selector, connected to the flow identifier, to select a network address translation map based on a policy associated with the source and the destination of the first packet of the flow;
an address translator that uses the selected network address translation map to perform appropriate address translations.
6. A network protection system comprising:
a gateway connecting a private network to a public network, the gateway being in communication with at least one network resource in the private network and at least one user in the public network; and
a network address translation function, operating within the gateway, that translates addresses of packets from the at least one user to the at least one network resource and from the at least one network resource to the at least one user based on the identification of the at least one user and the at least one network resource.
7. A method of performing policy-based network address translation, the method comprising:
identifying flow identification data for a first packet flow, wherein the flow identification data includes an originating user; and
using a network address translation map to translate at least a portion of the flow identification data, wherein the map includes a plurality of user addresses that correspond to at least one common network resource, wherein the translation is based at least in part on the originating user.
14. In a device for protecting a network segment, a method of performing policy-based network address translation, the method comprising:
receiving a first packet flow;
identifying flow identification data for the first packet flow, including data corresponding to an originating user and a destination resource;
selecting at least one network address translation map based at least in part on the originating user and the destination resource, wherein the map includes a plurality of user addresses that correspond to the destination resource;
using the selected at least one network address translation map to translate at least a part of the flow identification data for the first packet flow; and
forwarding the first packet flow having the translated flow identification data to the destination resource.
15. A device for performing policy-based network address translation in a system for protecting a network segment, the device comprising:
a flow identifier to identify a flow;
a map selector, connected to the flow identifier, to select a network address translation map based on a policy associated with the flow;
an address mapper that uses the selected network address translation map to find appropriate address translations; and
an address translator that uses the address translations from the address mapper to modify addresses in at least one packet in the flow.
16. A network protection system comprising:
a gateway connecting a private network to a public network, the gateway being in communication with at least one user in the private network and at least one network resource in the public network; and
a network address translation function, operating within the gateway, that translates addresses of packets from the at least one user to the at least one network resource and from the at least one network resource to the at least one user based on the identification of the at least one user and the at least one network resource.
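The claims above (in particular claims 1, 7 and 14) describe one procedure: on the first packet of a flow, identify the originating user and the destination resource, select a NAT map from the policy that applies to that user/resource pair, then translate every packet of the flow with the selected map and forward it. The following is an added example that models that procedure; it is not code from the patent or from any product. It assumes the originating user is identified by the packet's source address and the resource by the destination address and port (a real gateway might use an authenticated identity instead), it translates only the source address, it denies flows for which no policy exists, and all addresses and names are constructed for illustration.

```python
"""Toy policy-based NAT in the shape of claims 1, 7 and 14 (example code, not
the patent's own): identify user and resource from a flow's first packet,
select a NAT map from the (user, resource) policy, translate the flow with it.
All addresses, users and resources below are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)
NatMap = Dict[str, str]                     # user address -> translated address


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PolicyNat:
    """Flow identifier, map selector and address translator in one object."""

    def __init__(self, users: Dict[str, str], resources: Dict[Tuple[str, int], str],
                 policies: Dict[Tuple[str, str], NatMap]) -> None:
        # Assumption: the "originating user" is identified by source IP.
        self.users = users              # source IP -> user name
        self.resources = resources      # (dst IP, dst port) -> resource name
        self.policies = policies        # (user, resource) -> NAT map
        self.forward: Dict[FlowKey, str] = {}   # established flow -> translated source
        self.reverse: Dict[FlowKey, str] = {}   # reply flow -> original source

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def translate(self, p: Packet) -> Optional[Packet]:
        """User -> resource direction. Returns the rewritten packet, or None to drop."""
        key = self._key(p)
        if key not in self.forward:
            # First packet of the flow: look up user and resource, select the map.
            user = self.users.get(p.src_ip)
            resource = self.resources.get((p.dst_ip, p.dst_port))
            nat_map = self.policies.get((user, resource))
            if nat_map is None or p.src_ip not in nat_map:
                return None   # no policy for this user/resource pair: default deny
            new_src = nat_map[p.src_ip]
            self.forward[key] = new_src
            # Replies arrive addressed to the translated source; remember how to undo.
            self.reverse[(p.proto, p.dst_ip, p.dst_port, new_src, p.src_port)] = p.src_ip
        # Later packets in the flow reuse the map chosen for the first packet.
        return replace(p, src_ip=self.forward[key])

    def untranslate(self, p: Packet) -> Optional[Packet]:
        """Resource -> user direction: only replies to an established flow pass."""
        orig_src = self.reverse.get(self._key(p))
        if orig_src is None:
            return None   # unsolicited inbound packet: drop
        return replace(p, dst_ip=orig_src)


def build_example() -> PolicyNat:
    """Constructed configuration: one user address is translated differently
    depending on the resource it talks to, which is what per-policy maps allow."""
    users = {"10.0.0.5": "alice", "10.0.0.6": "bob"}
    resources = {("192.0.2.10", 443): "web", ("192.0.2.20", 5432): "db"}
    policies = {
        ("alice", "web"): {"10.0.0.5": "198.51.100.5"},
        ("bob", "web"):   {"10.0.0.6": "198.51.100.6"},
        ("alice", "db"):  {"10.0.0.5": "203.0.113.5"},   # bob has no db policy
    }
    return PolicyNat(users, resources, policies)


if __name__ == "__main__":
    nat = build_example()
    print(nat.translate(Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 443)))
    print(nat.translate(Packet("tcp", "10.0.0.5", 40001, "192.0.2.20", 5432)))
    print(nat.translate(Packet("tcp", "10.0.0.6", 40002, "192.0.2.20", 5432)))  # dropped
    print(nat.untranslate(Packet("tcp", "192.0.2.10", 443, "198.51.100.5", 40000)))
```

Two points a practitioner would check in a real implementation of this scheme: the map is selected once, on the first packet, so the flow table must be keyed tightly enough (here the full 5-tuple) that a later packet cannot borrow another flow's policy decision; and because the user here is nothing more than a source address, the policy is only as strong as the gateway's ability to trust that address, which is why the claims leave "identifying an originating user" open to stronger forms of identification.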