Network security device which performs MAC address translation without affecting the IP address
Abstract
A network security device is connected between a protected client and a network. The network security device negotiates a session key with any other protected client. Then, all communications between the two clients are encrypted. The inventive device is self-configuring and locks itself to the IP address of its client. Thus, the client cannot change its IP address once set and therefore cannot emulate the IP address of another client. When a packet is transmitted from the protected host, the security device translates the MAC address of the client to its own MAC address before transmitting the packet into the network. Packets addressed to the host contain the MAC address of the security device. The security device translates its MAC address to the client's MAC address before transmitting the packet to the client.
19 Claims
1. A network security device which does no routing and is configured to protect at least one particular node, the node having a first media access control (MAC) address and an Internet address and which communicates via a network, comprising:
   a. a first interface connected to the at least one particular node and having said first MAC address of the node;
   b. a second interface connected to the network and having a second MAC address, and
   c. a processing circuit connected to said first and second interfaces, said processing circuit:
      (1) for a packet received at said first interface from said one particular node and the packet having a header containing a source address that is the Internet address of the at least one particular node and said first MAC address of said one particular node, the circuit configured to replace the first MAC address contained in the received packet header with the second MAC address before said packet is transmitted into said network and leaving the Internet address unencrypted and its position in the packet header unchanged, and
      (2) for a packet received at said second interface from said network and the packet having a header containing a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to replace the second MAC address contained in the received packet header with said first MAC address of said at least one particular node before said packet is transmitted to the at least one particular node, and leaving the Internet address unencrypted and its position in the packet header unchanged.
   Dependent claims 2 to 9 are not reproduced.
10. A network security device configured to protect at least one particular node, the node having an Internet address and which communicates via a network, comprising:
   a. a first interface connected to the at least one particular node and having a first MAC address,
   b. a second interface connected to the network and having a second MAC address, and
   c. a processing circuit connected to said first and second interfaces, said processing circuit:
      (1) for a packet received at said first interface from said one particular node and the packet having a header including a source address that is the Internet address of the at least one particular node and said first MAC address, the circuit configured to translate the first MAC address in the received packet header into the second MAC address before said packet is transmitted into said network by said second network interface and leaving the Internet address of the received packet header unencrypted; and
      (2) for a packet received at said second interface from said network and the packet having a header including a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to translate the second MAC address in the received packet header into the first MAC address before said packet is transmitted to said at least one particular node and leaving the Internet address of the received packet header unencrypted.
11. A method for transmitting a packet into a network comprising the steps of:
   (1) generating a packet containing a first source MAC address of a first node, a first source IP address of said first node and a second IP address of a destination, and user data,
   (2) in a network security device which does no routing and is connected to said network and having said first IP address, translating said first source MAC address into a second MAC address of said network security device, encrypting said user data, while leaving said IP address of said destination unencrypted and in the same respective position in a header of said packet, wherein the step of encrypting comprises negotiating a session key common to said first node and second node, said negotiating step comprising:
      a. at said network security device, using a static public key of said second node, encrypting a dynamic public key of said first node and transmitting said dynamic public key of said first node to said second node,
      b. receiving from said second node a dynamic public key of said second node encrypted with a static public key of said first node and decrypting said dynamic public key of said second node with a static secret key of said first node at said network security device,
      c. at said network security device, generating said common session key from a dynamic secret key of said first host and said dynamic public key of said first node and said dynamic public key of said second node; and
   (3) transmitting said packet into said network.
   Dependent claims 12 and 13 are not reproduced.
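The session-key negotiation of claim 11, step (2), run end to end for both nodes as an added Python model (not the patent's own code): each node wraps its dynamic public key for the peer, unwraps the peer's with its own static secret, and derives the common session key from its dynamic secret and both dynamic public keys. The claim does not name the public-key scheme used to encrypt the dynamic public keys, so this model substitutes a key derived from the two static Diffie-Hellman keys with a SHA-256 keystream, over a toy 127-bit group that is illustrative only.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy Diffie-Hellman modulus (a Mersenne prime); illustrative only, not a secure group
G = 3            # toy generator

def keypair():
    """Return (secret, public) with public = G**secret mod P; used for static and dynamic keys alike."""
    secret = secrets.randbelow(P - 2) + 2
    return secret, pow(G, secret, P)

def wrap_key(shared_static, sender_static_public):
    """One-time 16-byte keystream from the static-static DH secret, bound to the sender's identity
    so the two directions never reuse a keystream (assumed construction, not from the patent)."""
    material = shared_static.to_bytes(16, "big") + sender_static_public.to_bytes(16, "big")
    return hashlib.sha256(material).digest()[:16]

def xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Node:
    """One endpoint: holds a static key pair, generates a dynamic (ephemeral) pair per session."""
    def __init__(self):
        self.static_secret, self.static_public = keypair()

    def start(self, peer_static_public):
        # claim 11 step a: generate a dynamic key pair and encrypt its public half for the peer
        self.dyn_secret, self.dyn_public = keypair()
        shared_static = pow(peer_static_public, self.static_secret, P)
        ks = wrap_key(shared_static, self.static_public)
        return xor16(ks, self.dyn_public.to_bytes(16, "big"))   # what travels over the network

    def finish(self, peer_static_public, wrapped_peer_dyn_public):
        # claim 11 step b: recover the peer's dynamic public key using our static secret key
        shared_static = pow(peer_static_public, self.static_secret, P)
        ks = wrap_key(shared_static, peer_static_public)
        peer_dyn_public = int.from_bytes(xor16(ks, wrapped_peer_dyn_public), "big")
        # claim 11 step c: session key from our dynamic secret and both dynamic public keys
        shared_dyn = pow(peer_dyn_public, self.dyn_secret, P)
        lo, hi = sorted((self.dyn_public, peer_dyn_public))   # same order on both sides
        return hashlib.sha256(b"".join(v.to_bytes(16, "big") for v in (shared_dyn, lo, hi))).digest()
```

Both nodes end with the same 32-byte session key, and only the wrapped dynamic public keys cross the network.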
14. A method for transmitting a packet into a network comprising the steps of:
   (1) generating a packet whose header contains a first source media access control (MAC) address of a host, an IP address of a destination, and user data,
   (2) in a network security device which does no routing and is connected to said network, translating said first MAC address of said host into a second MAC address of said network security device and retaining the IP address of said destination unencrypted and in its respective position in said header, and
   (3) transmitting said packet into said network.
   Dependent claims 15 to 17 are not reproduced.
18. A method for transmitting a packet into a network comprising the steps of:
   (1) generating a packet having a header containing a first MAC address, an IP address of a destination, and user data,
   (2) in a network security device which does no routing and is connected to said network, translating said first MAC address into a second MAC address of said network security device,
   (3) encrypting the user data and not the IP address and retaining as unchanged said IP address and its position in said header, and
   (4) transmitting said packet into said network.
19. A network security device connected between (1) a node having an Internet address and (2) a communication network, the device comprising:
   (a) a first interface connected to at least one node, the first interface having a first media access control (MAC) address;
   (b) a second interface connected to the communication network and having a second MAC address;
   (c) a processor connected to the first and second interfaces, the processor configured to:
      (1) receive a packet from the first interface, the packet having a transport layer header, a network layer header, and the first MAC address; the processor configured to replace the first MAC address with the second MAC address in the received packet, to encrypt the received transport layer header, and to not encrypt the received network layer header; and to transmit the packet to the second interface; and
      (2) receive a packet from the second interface, the packet having an encrypted transport layer header, an unencrypted network layer header, and the second MAC address; the processor configured to replace the second MAC address with the first MAC address in the received packet, decrypt the packet including the transport layer header, and to transmit the packet to the first interface.
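The MAC translation common to claims 1, 10, 14 and 18, together with the IP-address lock described in the abstract, as an added Python model (not the patent's implementation): the outbound path rewrites only the source MAC and refuses packets whose source IP differs from the one the device locked to, the inbound path rewrites only the destination MAC, and the IP header stays byte-for-byte where it was. User-data encryption is omitted, and the MAC and IP values are constructed.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, payload):
    """Constructed sample input: an Ethernet II frame carrying a minimal IPv4 header (checksum left 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, 17, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload

class MacTranslator:
    """Hypothetical model of the processing circuit: two interfaces, no routing, no IP rewriting."""
    def __init__(self, client_mac, device_mac):
        self.client_mac = mac_bytes(client_mac)   # first interface carries the client's MAC
        self.device_mac = mac_bytes(device_mac)   # second interface has its own MAC
        self.locked_ip = None                     # self-configured from the first client packet

    def outbound(self, frame):
        """Packet from the first interface (client) towards the network; None means drop."""
        dst, src = frame[:6], frame[6:12]
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4 or src != self.client_mac:
            return None
        src_ip = frame[26:30]                 # IPv4 source address: offset 12 inside the IP header
        if self.locked_ip is None:
            self.locked_ip = src_ip           # lock the device to the client's IP address
        elif src_ip != self.locked_ip:
            return None                       # client tried to use another IP address: drop
        return dst + self.device_mac + frame[12:]   # only the source MAC changes

    def inbound(self, frame):
        """Packet from the second interface (network) towards the client; None means drop."""
        dst, src = frame[:6], frame[6:12]
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4 or dst != self.device_mac:
            return None
        if self.locked_ip is not None and frame[30:34] != self.locked_ip:
            return None                       # not addressed to the protected client's IP
        return self.client_mac + src + frame[12:]   # only the destination MAC changes
```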