Security system for network address translation systems
Abstract
A system and method are provided for translating local IP addresses to globally unique IP addresses. This allows local hosts in an enterprise network to share global IP addresses from a limited pool of such addresses available to the enterprise. The translation is accomplished by replacing the source address in the headers of packets destined for the Internet and by replacing the destination address in the headers of packets entering the local enterprise network from the Internet. Packets arriving from the Internet are screened by an adaptive security algorithm. Under this algorithm, packets are dropped and logged unless they are deemed nonthreatening. DNS packets and certain types of ICMP packets are allowed to enter the local network. In addition, FTP data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated the FTP session.
42 Claims
1. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network, the method comprising the following steps:
- identifying a global IP destination address on an inbound packet arriving at the private network;
- determining whether the global IP destination address corresponds to any local host on the private network by determining if a translation slot data structure exists for the global IP destination address, which translation slot associates the global IP destination address to a corresponding local IP address for a particular local host which has sent an outbound packet to an external network host on the external network within a defined time period;
- if the inbound packet is found to be intended for the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period, determining whether the inbound packet meets defined security criteria;
- if the inbound packet meets said security criteria, replacing the inbound packet's global IP destination address with the corresponding local IP address for the particular local host to which the inbound packet was addressed; and
- forwarding the inbound packet to the particular local host to which the inbound packet was addressed.
Dependent claims: 2 to 15.
16. A network address translation system for translating network addresses on packets sent from an external host on an external network to a local host on a private network, the private network having a plurality of local hosts at least some of which communicate with hosts on the external network, the network address translation system comprising:
- an outside interface connected to the external network;
- an inside interface connected to the private network; and
- a translation slot data structure stored on the network address translation system, the translation slot specifying at least (i) a global IP address temporarily held by the local host, and (ii) a local address fixed with the local host, wherein the network address translation system creates the translation slot when the local host sends a packet to said external host and times out the translation slot after a defined time period has elapsed.
Dependent claims: 17 to 22.
23. A network address translation system for translating network addresses on packets sent from an external network having a plurality of external hosts to a local host on a private network having a plurality of local hosts at least some of which communicate with hosts on the external network, the network address translation system comprising:
- an outside interface connected to the external network;
- an inside interface connected to the private network;
- means for identifying a global IP destination address on an inbound packet arriving at the private network;
- means for determining if a translation slot data structure exists for the global IP destination address, which translation slot associates the global IP destination address with a corresponding local IP address of a particular local host on the private network, which particular local host has sent an outbound packet to an external network host within a defined time period;
- means for determining whether the inbound packet meets defined security criteria if the inbound packet is found to be addressed to the particular local host on the private network which has sent the outbound packet to the external network host within said defined time period;
- means for replacing the inbound packet's global IP destination address with a corresponding local IP address for the particular local host to which the inbound packet was addressed; and
- means for forwarding the inbound packet to the particular local host to which the inbound packet was addressed.
Dependent claims: 24 to 35.
36. A method for translating network addresses on packets destined for local hosts on a private network from hosts on an external network, the method comprising:
- identifying a first global IP destination address on an inbound packet arriving at the private network, which first global IP address is one of a collection of global IP addresses available to the local hosts on the private network;
- determining that the first global IP destination address corresponds to a particular local host on the private network by locating translation data specifying the first global IP destination address and associating it with a corresponding local IP address of the particular local host which has sent an outbound packet to an external network host on the external network within a defined time period, which outbound packet has had the local IP address replaced with the first global IP address;
- determining whether the inbound packet meets defined security criteria;
- if the inbound packet meets said security criteria, forwarding the inbound packet to the particular local host to which the inbound packet was addressed.
Dependent claims: 37 and 38.
39. A network address translation system for translating network addresses on packets sent from an external host on an external network to a local host on a private network, the private network having a plurality of local hosts at least some of which communicate with hosts on the external network, the network address translation system comprising:
- an outside interface connected to the external network;
- an inside interface connected to the private network; and
- a memory on which is stored (a) a collection of global IP addresses available to the local hosts on the private network, and (b) translation data associating at least (i) a global IP address temporarily held by the local host and (ii) a local IP address fixed with the local host.
Dependent claims: 40 to 42.
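The abstract and independent claims 1, 16, 23, 36 and 39 all describe the same mechanism: a translation slot is created when a local host sends an outbound packet, it maps a global IP address from a pool to that host's fixed local address, it times out after a defined period, and an inbound packet is rewritten and forwarded only if a live slot exists for its global destination and the packet passes the security criteria (DNS, certain ICMP types, FTP data only after the local host opened the FTP session; everything else dropped and logged). The following is an added Python model of that flow written for this page; it is not the patented product's code. The 300-second timeout, the packet fields, the specific ICMP types treated as safe, and the sample addresses are all constructed assumptions.

```python
"""
Added illustrative model of a translation-slot NAT with inbound screening.
Not the patent holder's implementation; every constant here is an assumption.
"""
from dataclasses import dataclass, field, replace
from typing import Optional

SLOT_TIMEOUT = 300.0          # assumed "defined time period", in seconds
SAFE_ICMP_TYPES = {0, 3, 11}  # assumed "certain ICMP types": echo reply,
                              # destination unreachable, time exceeded


@dataclass(frozen=True)
class Packet:
    """Constructed packet model holding only the header fields the gateway reads."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None


@dataclass
class Slot:
    """Translation slot: a global IP temporarily held by a fixed local IP (claim 16)."""
    global_ip: str
    local_ip: str
    last_used: float
    ftp_peers: set = field(default_factory=set)  # external hosts the local host opened FTP control sessions to


class NatGateway:
    def __init__(self, global_pool, timeout=SLOT_TIMEOUT):
        self.free = list(global_pool)  # collection of global IPs available to local hosts
        self.by_global = {}            # global IP -> Slot
        self.by_local = {}             # local IP  -> Slot
        self.timeout = timeout
        self.log = []                  # dropped packets are logged, per the abstract

    def _expire(self, now):
        """Time out slots whose local host has been silent longer than the defined period."""
        for gip, slot in list(self.by_global.items()):
            if now - slot.last_used > self.timeout:
                del self.by_global[gip]
                del self.by_local[slot.local_ip]
                self.free.append(gip)

    def outbound(self, pkt, now):
        """Local host -> Internet: create or refresh the slot and rewrite the source address."""
        self._expire(now)
        slot = self.by_local.get(pkt.src)
        if slot is None:
            if not self.free:
                self.log.append((now, "global pool exhausted", pkt))
                return None
            slot = Slot(self.free.pop(0), pkt.src, now)
            self.by_global[slot.global_ip] = slot
            self.by_local[slot.local_ip] = slot
        slot.last_used = now
        if pkt.proto == "tcp" and pkt.dport == 21:   # local host initiated an FTP session
            slot.ftp_peers.add(pkt.dst)
        return replace(pkt, src=slot.global_ip)

    def _meets_security_criteria(self, slot, pkt):
        """The abstract's screening rules; anything not listed is treated as threatening."""
        if pkt.proto == "udp" and pkt.sport == 53:                     # DNS reply
            return True
        if pkt.proto == "icmp" and pkt.icmp_type in SAFE_ICMP_TYPES:   # permitted ICMP
            return True
        if pkt.proto == "tcp" and pkt.sport == 20 and pkt.src in slot.ftp_peers:
            return True                                                # FTP data from a session we opened
        return False

    def inbound(self, pkt, now):
        """Internet -> local host: the steps of claim 1. Returns the rewritten packet, or None if dropped."""
        self._expire(now)
        slot = self.by_global.get(pkt.dst)          # does a translation slot exist for this global IP?
        if slot is None:
            self.log.append((now, "no translation slot", pkt))
            return None
        if not self._meets_security_criteria(slot, pkt):
            self.log.append((now, "failed security criteria", pkt))
            return None
        return replace(pkt, dst=slot.local_ip)      # replace global destination with the local address


if __name__ == "__main__":
    gw = NatGateway(["203.0.113.10", "203.0.113.11"])
    gw.outbound(Packet("10.0.0.5", "198.51.100.7", "tcp", sport=40000, dport=21), now=0.0)
    print(gw.inbound(Packet("198.51.100.7", "203.0.113.10", "tcp", sport=20, dport=40001), now=10.0))
    print(gw.inbound(Packet("198.51.100.9", "203.0.113.10", "tcp", sport=20, dport=40001), now=10.0))
    print(gw.log)
```

The model deliberately does not refresh a slot on inbound traffic, so an external host cannot keep a mapping alive by itself; only the local host's outbound packets extend the defined time period. A production device would additionally track established TCP connections and port state, which the abstract does not spell out and the model therefore omits.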