Wireless Network Security Mechanism Including Reverse Network Address Translation
First Claim
1. A wireless network system, comprising
a wireless access point operative to establish wireless connections with a plurality of mobile stations, wherein each mobile station includes a unique link layer address;
a network address configuration server operative to provide unique network addresses to the mobile stations;
a network address configuration proxy operative to proxy transactions between a first mobile station in the plurality of mobile stations and the network address configuration server;
intercept an address assignment message from the network address configuration server to the first mobile station, wherein the address assignment message contains an internal network address for the first mobile station;
replace the internal network address in the address assignment message with a virtual network address; and
forward the modified address assignment message to the first mobile station;
a VPN server operative to establish a VPN session with the first mobile station, wherein the mobile station uses the virtual network address as the outer network address during the VPN session; and
assign the internal network address generated by the network address configuration server as the inner network address used by the first mobile station during the VPN session; and
a reverse address translation layer operative to intermediate the VPN session between the VPN server and the first mobile station; and
replace, as to packets sourced from the first mobile station, the virtual network address used by the mobile station as the outer network address with the internal network address corresponding to the first mobile station.
Abstract
Methods, apparatuses and systems directed to preventing unauthorized access to internal network addresses transmitted across wireless networks. According to the invention, mobile stations are assigned virtual client network addresses that are used as the outer network addresses in a Virtual Private Network (VPN) infrastructure, as well as unique internal network addresses used as the inner network addresses. In one implementation, the virtual client network addresses have little to no relation to the internal network addressing scheme implemented on the network domain. In one implementation, all clients or mobile stations are assigned the same virtual client network address. A translation layer, in one implementation, intermediates the VPN session between the mobile stations and a VPN server to translate the virtual client network addresses to the internal network addresses based on the medium access control (MAC) address corresponding to the mobile stations. In this manner, the encryption inherent in the VPN infrastructure prevents access to the internal network addresses assigned to the mobile stations.
7 Citations
23 Claims
1. (Independent claim 1 is reproduced in full under First Claim above.) Dependent claims: 2-13.
14. An apparatus, comprising:
a processor;
a memory; and
one or more code modules operative to cause the processor to:
intercept an address assignment message from a network address configuration server to a mobile station, wherein the mobile station has a unique link layer address, wherein the network address configuration server is operative to provide internal network addresses to requesting mobile stations, and wherein the address assignment message contains an internal network address for the mobile station;
associate, in a data structure stored in the memory, the unique link layer address of the mobile station with the internal network address provided by the network address configuration server in the address assignment message;
replace the internal network address in the address assignment message with a virtual network address;
forward the modified address assignment message to the mobile station;
intermediate a VPN session between the VPN server and the mobile station, wherein the VPN session involves the exchange of encapsulated packets comprising an encapsulating VPN header including an outer network address corresponding to the mobile station; and
replace, as to packets sourced from the mobile station, the virtual network address used by the mobile station as the outer network address in the encapsulating VPN headers with the internal network address corresponding to the mobile station.
Dependent claims: 15-22.
23. A method comprising:
intercepting an address assignment message transmitted from a network address configuration server to a mobile station;
associating, in a data structure, a unique link layer address of the mobile station with an internal network address in the address assignment message;
replacing the internal network address in the address assignment message with a virtual network address;
forwarding the modified address assignment message to the mobile station;
intermediating a VPN session between a VPN server and the mobile station, wherein the VPN session involves the exchange of encapsulated packets comprising an encapsulating VPN header including an outer network address corresponding to the mobile station; and
modifying the network address for the mobile station in the encapsulated packets by mapping between the virtual network address used by the mobile station as the outer network address in the encapsulating VPN headers and the internal network address corresponding to the mobile station.
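As an added illustration (not code from the patent or any product), the following Python model walks through the mechanism described in the abstract and in claims 1 and 23: the proxy intercepts the address assignment, binds the station's link layer address to its internal address, hands out the shared virtual address, and the reverse translation layer rewrites the outer address of VPN packets in both directions keyed on the MAC. The ReverseNat class, the dict-shaped packets and every address are constructed assumptions.

```python
# Added example, not code from the patent: a small model of the address configuration
# proxy and the reverse address translation layer. Class and field names, the dict-shaped
# packets and every address below are constructed assumptions.

VIRTUAL_ADDR = "10.255.255.1"  # constructed: the one virtual address handed to every station


class ReverseNat:
    def __init__(self, virtual_addr=VIRTUAL_ADDR):
        self.virtual_addr = virtual_addr
        self.mac_to_internal = {}  # link layer address -> internal address from the server
        self.internal_to_mac = {}  # reverse index used for traffic returning from the VPN server

    def proxy_assignment(self, msg):
        """Intercept the server's address assignment message on its way to the station:
        record the MAC <-> internal binding, then substitute the virtual address."""
        mac, internal = msg["client_mac"], msg["assigned_addr"]
        self.mac_to_internal[mac] = internal
        self.internal_to_mac[internal] = mac
        return {**msg, "assigned_addr": self.virtual_addr}

    def outbound(self, pkt):
        """Station -> VPN server: the outer (encapsulating) source is the shared virtual
        address; replace it with the internal address bound to the sending MAC. Frames from
        an unknown MAC, or with an unexpected outer source, are dropped (None)."""
        internal = self.mac_to_internal.get(pkt["src_mac"])
        if internal is None or pkt["outer_src"] != self.virtual_addr:
            return None
        return {**pkt, "outer_src": internal}

    def inbound(self, pkt):
        """VPN server -> station: the outer destination is an internal address; resolve the
        owning MAC so the frame reaches the right station, and restore the virtual address
        the station believes is its own. Unknown internal addresses are dropped."""
        mac = self.internal_to_mac.get(pkt["outer_dst"])
        if mac is None:
            return None
        return {**pkt, "dst_mac": mac, "outer_dst": self.virtual_addr}


def demo():
    """Two stations receive the same virtual address; the MAC keeps their sessions apart."""
    nat = ReverseNat()
    a = nat.proxy_assignment({"client_mac": "aa:aa:aa:aa:aa:01", "assigned_addr": "192.168.10.11"})
    b = nat.proxy_assignment({"client_mac": "aa:aa:aa:aa:aa:02", "assigned_addr": "192.168.10.12"})
    up = nat.outbound({"src_mac": "aa:aa:aa:aa:aa:02", "outer_src": b["assigned_addr"], "esp": b"..."})
    down = nat.inbound({"outer_dst": "192.168.10.11", "esp": b"..."})
    return a["assigned_addr"], b["assigned_addr"], up["outer_src"], down["dst_mac"], down["outer_dst"]
```

Because both stations hold the same virtual address, only the binding to the link layer address lets the layer tell their sessions apart, which is why the translation is keyed on the MAC rather than on the address the station presents.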
Specification