Network security device which performs MAC address translation without affecting the IP address

US 5,757,924 A
Filed: 09/18/1995
Issued: 05/26/1998
Est. Priority Date: 09/18/1995
Status: Expired due to Fees

First Claim

Patent Images

1. A network security device which does no routing and is configured to protect at least one particular node, the node having a first media access control (MAC) address and an Internet address and which communicates via a network, comprising:

a. a first interface connected to the at least one particular node and having said first MAC address of the node;

b. a second interface connected to the network and having a second MAC address, andc. a processing circuit connected to said first and second interfaces, said processing circuit;

(1) for a packet received at said first interface from said one particular node and the packet having a header containing a source address that is the Internet address of the at least one particular node and said first MAC address of said one particular node, the circuit configured to replace the first MAC address contained in the received packet header with the second MAC address before said packet is transmitted into said network and leaving the Internet address unencrypted and its position in the packet header unchanged, and(2) for a packet received at said second interface from said network and the packet having a header containing a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to replace the second MAC address contained in the received packet header with said first MAC address of said at least one particular node before said packet is transmitted to the at least one particular node, and leaving the Internet address unencrypted and its position in the packet header unchanged.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security device is connected between a protected client and a network. The network security device negotiates a session key with any other protected client. Then, all communications between the two clients are encrypted. The inventive device is self-configuring and locks itself to the IP address of its client. Thus, the client cannot change its IP address once set and therefore cannot emulate the IP address of another client. When a packet is transmitted from the protected host, the security device translates the MAC address of the client to its own MAC address before transmitting the packet into the network. Packets addressed to the host, contain the MAC address of the security device. The security device translates its MAC address to the client'"'"'s MAC address before transmitting the packet to the client.

Citations

19 Claims

1. A network security device which does no routing and is configured to protect at least one particular node, the node having a first media access control (MAC) address and an Internet address and which communicates via a network, comprising:
- a. a first interface connected to the at least one particular node and having said first MAC address of the node;
  
  b. a second interface connected to the network and having a second MAC address, andc. a processing circuit connected to said first and second interfaces, said processing circuit;
  
  (1) for a packet received at said first interface from said one particular node and the packet having a header containing a source address that is the Internet address of the at least one particular node and said first MAC address of said one particular node, the circuit configured to replace the first MAC address contained in the received packet header with the second MAC address before said packet is transmitted into said network and leaving the Internet address unencrypted and its position in the packet header unchanged, and(2) for a packet received at said second interface from said network and the packet having a header containing a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to replace the second MAC address contained in the received packet header with said first MAC address of said at least one particular node before said packet is transmitted to the at least one particular node, and leaving the Internet address unencrypted and its position in the packet header unchanged.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The network security device of claim 1 wherein said first and second interfaces are Ethernet interfaces.
  - 3. The network security device of claim 1 wherein said processing circuit encrypts user data contained in said packet received from said at least one particular node, while said IP address contained in said header of said packet received from said at least one particular node remains unencrypted and the portion of said IP address in said header of said packet remains unchanged.
  - 4. The network security device of claim 3 wherein said packet is a TCP packet including a TCP packet header and the TCP packet header is encrypted.
  - 5. The network security device of claim 3 wherein said packet is a UDP packet including a UDP packet header and the UDP packet header is encrypted.
  - 6. The network security device of claim 3 wherein said processing circuit encrypts said user data using a session key and an encipherment function.
  - 7. The network security device of claim 1 wherein said network security device maintains a first database containing information indicating an IP address and a permanent public key for one or more nodes in said network.
  - 8. The network security device of claim 7 wherein said network security device maintains a second database indicating for one or more nodes in said network, an IP address, and a common session key with said at least one particular node.
  - 9. The network security device of claim 8 wherein one or more nodes in said second database are unsecured nodes.

10. A network security device configured to protect at least one particular node, the node having an Internet address and which communicates via a network, comprising:
- a. a first interface connected to the at least one particular node and having a first MAC address,b. a second interface connected to the network and having a second MAC address, andc. a processing circuit connected to said first and second interfaces, said processing circuit;
  
  (1) for a packet received at said first interface from said one particular node and the packet having a header including a source address that is the Internet address of the at least one particular node and said first MAC address, the circuit configured to translate the first MAC address in the received packet header into the second MAC address before said packet is transmitted into said network by said second network interface and leaving the Internet address of the received packet header unencrypted; and
  
  (2) for a packet received at said second interface from said network and the packet having a header including a destination address that is the Internet address of the at least one particular node and said second MAC address of said second interface, the circuit configured to translate the second MAC address in the received packet header into the first MAC address before said packet is transmitted to said at least one particular node and leaving the Internet address of the received packet header unencrypted.

11. A method for transmitting a packet into a network comprising the steps of:
- (1) generating a packet containing a first source MAC address of a first node, a first source IP address of said first node and a second IP address of a destination, and user data,(2) in a network security device which does no routing and is connected to said network and having said first IP address, translating said first source MAC address into a second MAC address of said network security device, encrypting said user data, while leaving said IP address of said destination unencrypted and in the same respective position in a header of said packet, wherein the step of encrypting comprises negotiating a session key common to said first node and second node, said negotiating step comprising;
  
  a. at said network security device, using a static public key of said second node, encrypting a dynamic public key of said first node and transmitting said dynamic public key of said first node to said second node,b. receiving from said second node a dynamic public key of said second node encrypted with a static public key of said first node and decrypting said dynamic public key of said second node with a static secret key of said first node at said network security device,c. at said network security device, generating said common session key from a dynamic secret key of said first host and said dynamic public key of said first node and said dynamic public key of said second node; and
  
  (3) transmitting said packet into said network.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11 wherein said first node maintains a static database containing information which identifies static public keys of other nodes in said network and from which said network security device obtains said static public key of said second node.
  - 13. The method of claim 12 wherein said network security device maintains a dynamic database including an indicator of said common session key.

14. A method for transmitting a packet into a network comprising the steps of:
- (1) generating a packet whose header contains a first source media access control (MAC) address of a host, an IP address of a destination, and user data,(2) in a network security device which does no routing and is connected to said network, translating said first MAC address of said host into a second MAC address of said network security device and retaining the IP address of said destination unencrypted and in its respective position in said header, and(3) transmitting said packet into said network.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14 further comprising the step of in said network security device encrypting said user data, while leaving said IP address of said destination unencrypted and retaining said IP address of said destination in its respective position in said header.
  - 16. The method of claim 14 wherein said user data includes a TCP packet.
  - 17. The method of claim 14 wherein said user data includes a UDP packet.

18. A method for transmitting a packet into a network comprising the steps of:
- (1) generating a packet having a header containing a first MAC address, an IP address of a destination, and user data,(2) in a network security device which does no routing and is connected to said network, translating said first MAC address into a second MAC address of said network security device,(3) encrypting the user data and not the IP address and retaining as unchanged said IP address and its position in said header, and(4) transmitting said packet into said network.

19. A network security device connected between:
- (1) a node having an Internet address and (2) a communication network, the device comprising;
  
  (a) a first interface connected to at least one node, the first interface having a first media access control (MAC) address;
  
  (b) a second interface connected to the communication network and having a second MAC address;
  
  (c) a processor connected to the first and second interfaces, the processor configured to;
  
  (1) receive a packet from the first interface, the packet having a transport layer header, a network layer header, and the first MAC address;
  
  the processor configured to replace the first MAC address with the second MAC address in the received packet, to encrypt the received transport layer header, and to not encrypt the received network layer header; and
  
  to transmit the packet to the second interface; and
  
  (2) receive a packet from the second interface, the packet having an encrypted transport layer header, an unencrypted network layer header, and the second MAC address;
  
  the processor configured to replace the second MAC address with the first MAC address in the received packet, decrypt the packet including the transport layer header, and to transmit the packet to the first interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Broadband Capital Corporation (CommScope Holding Company, Inc.)
Original Assignee
Digital Secured Networks Technologies Incorporated
Inventors
Friedman, Aharon, Levy, Ben Zion
Primary Examiner(s)
Tarcza, Thomas H.
Assistant Examiner(s)
Laufer, Pinchus M.

Application Number

US08/529,497
Time in Patent Office

981 Days
Field of Search

380/21, 380/49, 395/187.01
US Class Current

713/151
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/068   using time-dependent keys, ...

H04L 63/164   at the network layer

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/40   Network security protocols

Network security device which performs MAC address translation without affecting the IP address

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Network security device which performs MAC address translation without affecting the IP address

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links