System and method for redirecting network traffic to provide secure communication
Abstract
A communication security system is described which uses a server to communicate with an unprotected network, such as the Internet. The system intercepts an IP packet before it enters the stack and replaces the destination address with the firewall's network interface address. Because the IP header destination address is modified, the IP header checksum is recalculated before the packet is presented to the local stack. The system uses a shim to replace the destination address and to store the original destination address. When a communication is authorized, the firewall performs a system call to retrieve the original destination address so that the data communication can be routed to the intended destination address.
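The redirect mechanism the abstract describes, as an added, runnable simulation that is not code from the patent or from any product implementing it: a constructed IPv4/TCP packet from an internal host is intercepted before the stack, its destination rewritten to the firewall's interface address, the original destination stored in a session control block keyed by the internal flow, and the IP header checksum recomputed; the firewall later looks the original destination up, and a reply from the external host addressed to the firewall is associated back to the internal host. The addresses, the port allow-list standing in for the patent's unspecified security check, and the `register_proxy_port` step (the proxy telling the shim which outbound port it used, so replies can be matched) are assumptions made for this example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this example (not from the patent).
FIREWALL_ADDR = "10.0.0.1"       # firewall's internal-facing interface
INTERNAL_HOST = "192.168.1.10"   # internal workstation
EXTERNAL_HOST = "203.0.113.5"    # server on the unprotected network


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header: with the checksum
    field zeroed it yields the value to store; over a correct header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_checksum(pkt: bytes) -> bool:
    """True when the IPv4 header checksum matches the header as it stands."""
    ihl = (pkt[0] & 0x0F) * 4
    return ip_checksum(pkt[:ihl]) == 0


def packet_addresses(pkt: bytes):
    """(src, dst, sport, dport) of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport


def build_ipv4_tcp(src, dst, sport, dport, payload=b"") -> bytes:
    """Constructed minimal IPv4 header + TCP SYN (TCP checksum left zero; only the IP header is rewritten)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                      64, socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return hdr + tcp + payload


@dataclass
class SessionControlBlock:
    internal_host: str
    internal_port: int
    original_dst: str                  # the "first destination address" of claim 1
    original_dst_port: int
    proxy_port: Optional[int] = None   # assumed: port the proxy uses toward the external host


class RedirectShim:
    """Sits between the stack and the network adapter, as the abstract describes."""

    def __init__(self, firewall_addr: str):
        self.firewall_addr = firewall_addr
        self.sessions = {}   # (internal_host, internal_port) -> SessionControlBlock

    def outbound_from_internal(self, pkt: bytes) -> bytes:
        """Store the first destination, replace it with the firewall address and
        recompute the header checksum before the packet enters the local stack."""
        src, dst, sport, dport = packet_addresses(pkt)
        self.sessions[(src, sport)] = SessionControlBlock(src, sport, dst, dport)
        ihl = (pkt[0] & 0x0F) * 4
        hdr = bytearray(pkt[:ihl])
        hdr[16:20] = socket.inet_aton(self.firewall_addr)
        hdr[10:12] = b"\x00\x00"                          # zero the field before summing
        hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
        return bytes(hdr) + pkt[ihl:]

    def original_destination(self, internal_host: str, internal_port: int):
        """The lookup the firewall proxy performs (the abstract's system call)."""
        scb = self.sessions[(internal_host, internal_port)]
        return scb.original_dst, scb.original_dst_port

    def register_proxy_port(self, internal_host, internal_port, proxy_port):
        """Assumed step: the proxy records the local port it used outbound."""
        self.sessions[(internal_host, internal_port)].proxy_port = proxy_port

    def associate_inbound(self, pkt: bytes):
        """Map a packet from an external host addressed to the firewall back to
        the internal host whose session it belongs to (claim 1, last step)."""
        src, dst, sport, dport = packet_addresses(pkt)
        if dst != self.firewall_addr:
            return None
        for key, scb in self.sessions.items():
            if (scb.original_dst, scb.original_dst_port, scb.proxy_port) == (src, sport, dport):
                return key
        return None


def demo(allowed_ports=(80, 443)):
    """Walk one session through the shim; the allow-list stands in for the security check."""
    shim = RedirectShim(FIREWALL_ADDR)
    client = build_ipv4_tcp(INTERNAL_HOST, EXTERNAL_HOST, 40000, 80)
    redirected = shim.outbound_from_internal(client)
    orig_dst, orig_port = shim.original_destination(INTERNAL_HOST, 40000)
    authorized = orig_port in allowed_ports
    if authorized:
        shim.register_proxy_port(INTERNAL_HOST, 40000, 51000)
    reply = build_ipv4_tcp(EXTERNAL_HOST, FIREWALL_ADDR, 80, 51000)
    return {"redirected_to": packet_addresses(redirected)[1],
            "checksum_ok": verify_checksum(redirected),
            "original_dst": (orig_dst, orig_port),
            "authorized": authorized,
            "reply_owner": shim.associate_inbound(reply)}


if __name__ == "__main__":
    print(demo())
```

The point worth checking in any such shim is the one the abstract calls out: after the destination field changes, the header checksum must be recomputed over the zeroed field, or the local stack will discard the packet; `verify_checksum` returning 0 over the rewritten header is the test for that. The session table is also the security-relevant state: an entry that is never retired, or a reply matched only on the external address without the proxy's port, would let unrelated inbound traffic be associated with the wrong internal host.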
20 Claims
1. A method of securing communication between an external network and a processor operating on an internal network, the method comprising the steps of:
receiving a communication from an internal network host, the communication including a first destination address;
creating a session control block and storing therein the first destination address;
replacing the first destination address with a second destination address identifying a location of a communication security firewall;
routing the communication to the security firewall through a stack after the first destination address is replaced with the second destination address;
performing a security check to determine if the communication is authorized;
accessing the session control block to retrieve the first destination address;
replacing the second destination address with the first destination address if the communication is authorized;
if authorized, routing the communication to the processor operating on the external network; and
associating communication from an external host directed at the security firewall to the internal network host.
7. A method of securing communication between an external network and a processor operating on an internal network, the method comprising the steps of:
receiving a communication from the external network, the communication including a first destination address, and a first header check sum;
using a shim located between a stack and a network interface adapter to identify an appropriate session control block;
identifying an IP address of an internal host using the identified session control block;
routing the communication to the security firewall through a TCP/IP stack;
performing a security check of the communication to determine if the communication is authorized; and
if the communication is authorized, routing the communication to the processor operating on the internal network.
replacing the second destination address with the first destination address; and
replacing a second header check sum with the first header check sum.
9. A data communication system comprising:
at least one internal work station coupled to an internal network; and
a processor coupled to the internal network and an external network for controlling communications therebetween, wherein the processor includes an address modifier to replace a first internal destination address included in an externally received data communication with a second destination address identifying a location of a communication security firewall, and store the first destination address for later retrieval.
13. A network interface computer coupled to first and second networks, the network interface computer comprising:
a processor for controlling data communication between the first and second networks, the processor being operable to receive a communication from the second network including a first destination address of a work station on the second network, replace the first destination address with a second destination address identifying a location of a communication security firewall operating on the processor, and route the communication to the security firewall where it can be determined if the communication is authorized, the processor being further operable to replace the second destination address with the first destination address if the communication is authorized, and route the communication to an internal receiver on the network.
17. Computer-readable medium having computer-executable instructions to cause a computer connected to an internal and an external network to perform steps comprising:
receiving a communication from an external source via the external network, the communication includes both a header specifying a first destination address of an internal receiver on the internal network, and a header check sum;
using a network interface adapter, replacing the first destination address with a second destination address specifying a location of a communication security firewall;
storing the first destination address for later retrieval;
routing the communication to the security firewall through a TCP/IP stack;
performing a security check of the communication to determine if the communication is authorized;
replacing the second destination address with the first destination address if the communication is authorized;
replacing the header check sum after the first destination address is replaced; and
routing the communication to the internal receiver on the network.
18. A firewall for securing traffic between an internal and an external network, comprising:
a network interface;
a network driver connected to the network interface;
an application level proxy;
a protocol stack connected to the application level proxy; and
a network driver interface, connected to the protocol stack and the network driver, wherein the network driver interface includes means for modifying an address of network traffic to redirect the traffic up the protocol stack to the application level proxy.
Specification