SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE
First Claim
1. A security system comprising:
a communication interface configured to transmit an outgoing data packet with an external outgoing header to an external network and to receive an incoming data packet with an external incoming header from the external network, the external outgoing header including an external internet protocol (IP) address as a source address of the outgoing data packet, the external incoming header including the external IP address as a destination address of the incoming data packet;
an address translation engine configured to:
receive the outgoing data packet with an internal outgoing header from an internal device, the internal outgoing header identifying an internal IP address of the internal device as the source address of the outgoing data packet;
receive from the communication interface the incoming data packet with the external incoming header, the internal device including a particular application associated with the outgoing data packet and with the incoming data packet;
translate the internal IP address of the outgoing data packet to the external IP address and assist in forming the external outgoing header based on the external IP address;
translate the external IP address of the incoming data packet to the internal IP address and assist in forming an internal incoming header based on the internal IP address; and
store association of the internal IP address and the external IP address to assist with address translation; and
a hybrid firewall configured to:
receive a particular application identifier associated with the particular application from the internal outgoing header of the outgoing data packet;
select one of several application-level security evaluations based on the particular application identifier determined based on the incoming data packet;
perform a network-level security evaluation and the one of the several application-level security evaluations on the incoming data packet; and
allow the incoming data packet to pass to the particular application if the network-level security evaluation and the one of the several application-level security evaluations do not identify malicious code in the incoming data packet.
Abstract
A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.
20 Claims
1. A security system comprising: (independent claim; full text as set out above under First Claim) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A security method, comprising:
receiving by a security system an outgoing data packet with an internal outgoing header from an internal device, the security system being different from the internal device, the internal outgoing header identifying an internal internet protocol (IP) address of the internal device as a source address of the outgoing data packet, the internal outgoing header including an application identifier associated with a particular application that caused generation of the outgoing data packet;
translating the internal IP address of the outgoing data packet to an external IP address;
storing the internal IP address and the external IP address;
forming an external outgoing header based on the external IP address, the external outgoing header including the external IP address as the source address of the outgoing data packet;
transmitting the outgoing data packet with the external outgoing header to an external network;
receiving an incoming data packet with an external incoming header from the external network, the external incoming header including the external IP address as a destination address of the incoming data packet;
translating the external IP address of the incoming data packet to the internal IP address;
forming an internal incoming header based on the internal IP address;
obtaining the application identifier based on the external incoming header;
selecting a particular application-level security evaluation from several application-level security evaluations based on the application identifier;
performing by the security system a network-level security evaluation and the particular application-level security evaluation on the incoming data packet; and
allowing the incoming data packet to pass to the particular application if the network-level security evaluation and the particular application-level security evaluation do not identify malicious code in the incoming data packet.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
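The pipeline described in claims 1 and 10 and summarized in the abstract, modelled end to end as an added Python example. This is illustration written for this page, not code from the patent or its assignee: the class names, the external address pool, the "reply must come from the peer the device contacted" network-level rule, the two application-level rules (inline script in an HTTP reply, oversized DNS reply) and every IP address in the scenario are assumptions. What it shows that the claim text does not is the ordering that makes the scheme work: the application identifier is captured from the internal outgoing header at send time and keyed on the external address, so that on the way back the firewall can pick the right evaluation from nothing but the external incoming header, before the address is translated back.

```python
"""Toy model of claims 1 and 10: a NAT engine that gives each internal device its
own external address and stores the pair, plus a hybrid firewall that learns the
application identifier from the outgoing header and runs one network-level and
one application-level evaluation on each reply. Constructed example; names,
addresses and inspection rules are assumptions, not the patent's."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str               # source IP in this packet's header
    dst: str               # destination IP in this packet's header
    app_id: Optional[str]  # application identifier; carried only in internal headers
    payload: bytes


class AddressTranslationEngine:
    """Translates internal <-> external IP and stores the association."""
    def __init__(self, external_pool: List[str]):
        self._pool = list(external_pool)
        self.internal_to_external: Dict[str, str] = {}
        self.external_to_internal: Dict[str, str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        ext = self.internal_to_external.get(pkt.src)
        if ext is None:
            ext = self._pool.pop(0)  # one external address per device; IndexError if exhausted
            self.internal_to_external[pkt.src] = ext
            self.external_to_internal[ext] = pkt.src
        # External outgoing header: internal address and app identifier stay inside.
        return Packet(src=ext, dst=pkt.dst, app_id=None, payload=pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        internal = self.external_to_internal.get(pkt.dst)
        if internal is None:
            return None  # no stored association, nothing to translate to
        return Packet(src=pkt.src, dst=internal, app_id=None, payload=pkt.payload)


# Application-level evaluations (constructed rules); True means malicious content found.
def http_evaluation(payload: bytes) -> bool:
    return b"<script" in payload.lower()  # inline script in a plain-HTTP reply

def dns_evaluation(payload: bytes) -> bool:
    return len(payload) > 512  # reply larger than the classic UDP DNS limit


class HybridFirewall:
    """Network-level check plus one per-application evaluation; fails closed."""
    def __init__(self, evaluations: Dict[str, Callable[[bytes], bool]]):
        self._evaluations = evaluations
        self._app_by_external: Dict[str, Optional[str]] = {}  # ext IP -> app id
        self._peer_by_external: Dict[str, str] = {}           # ext IP -> contacted peer

    def observe_outbound(self, internal_pkt: Packet, external_pkt: Packet) -> None:
        # The application identifier is read from the internal outgoing header.
        self._app_by_external[external_pkt.src] = internal_pkt.app_id
        self._peer_by_external[external_pkt.src] = internal_pkt.dst

    def network_level(self, pkt: Packet) -> bool:
        # Constructed rule: a reply must come from the peer this device contacted.
        return self._peer_by_external.get(pkt.dst) == pkt.src

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """Return the application identifier if the packet may pass, else None."""
        app_id = self._app_by_external.get(pkt.dst)  # obtained via the external header
        evaluation = self._evaluations.get(app_id)
        if app_id is None or evaluation is None or not self.network_level(pkt):
            return None
        return None if evaluation(pkt.payload) else app_id


class SecuritySystem:
    def __init__(self, external_pool, evaluations):
        self.nat = AddressTranslationEngine(external_pool)
        self.firewall = HybridFirewall(evaluations)

    def send(self, internal_pkt: Packet) -> Packet:
        external_pkt = self.nat.outbound(internal_pkt)
        self.firewall.observe_outbound(internal_pkt, external_pkt)
        return external_pkt  # what the communication interface transmits

    def receive(self, external_pkt: Packet) -> Optional[Packet]:
        app_id = self.firewall.evaluate(external_pkt)
        translated = self.nat.inbound(external_pkt)
        if app_id is None or translated is None:
            return None  # dropped
        return replace(translated, app_id=app_id)  # internal incoming header


def run_scenario() -> dict:
    # Constructed exchange: a browser on 10.0.0.5 and a DNS client on 10.0.0.6.
    system = SecuritySystem(["203.0.113.10", "203.0.113.11"],
                            {"http": http_evaluation, "dns": dns_evaluation})
    web = system.send(Packet("10.0.0.5", "198.51.100.80", "http", b"GET / HTTP/1.1\r\n"))
    dns = system.send(Packet("10.0.0.6", "198.51.100.53", "dns", b"\x00\x01 query"))
    ok = system.receive(Packet("198.51.100.80", web.src, None, b"HTTP/1.1 200 OK\r\n\r\n<p>hi</p>"))
    return {
        "isolated": web.src != dns.src,  # each device got its own external address
        "http_clean": (ok.dst, ok.app_id) if ok else None,
        "http_script": system.receive(Packet("198.51.100.80", web.src, None, b"<SCRIPT>x</SCRIPT>")),
        "dns_big": system.receive(Packet("198.51.100.53", dns.src, None, b"\x00\x01" + b"A" * 600)),
        "wrong_peer": system.receive(Packet("192.0.2.99", web.src, None, b"HTTP/1.1 200 OK")),
        "unmapped": system.receive(Packet("198.51.100.80", "203.0.113.12", None, b"x")),
    }
```

Two design points worth noting. The firewall fails closed: an incoming packet whose external address has no stored association, or whose application has no registered evaluation, is dropped, so the "allow if neither evaluation identifies malicious code" branch of the claim is the only path into the internal device. And because each internal device is keyed to its own external address, the per-application evaluation is selected without inspecting the payload at all, which is what lets the same inbound bytes be judged by the HTTP rule for one device and the DNS rule for another.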