Security system for network address translation systems
Abstract
A system and method are provided for translating local IP addresses to globally unique IP addresses. This allows local hosts in an enterprise network to share global IP addresses from a limited pool of such addresses available to the enterprise. The translation is accomplished by replacing the source address in headers on packets destined for the Internet and by replacing destination address in headers on packets entering the local enterprise network from the Internet. Packets arriving from the Internet are screened by an adaptive security algorithm. According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening. DNS packets and certain types of ICMP packets are allowed to enter local network. In addition, FTP data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated an FTP session.
22 Claims
1. A method of passing a packet between a local network and nodes outside of the local network, the method comprising:
receiving the packet;
identifying a first network layer address on the packet that matches a second network layer address in an address translation list specifying combinations of IP addresses of hosts on the local network with globally unique IP addresses from a pool of globally unique IP addresses available for use by the hosts on the local network;
translating the matching first network layer address on the packet to a corresponding third network layer address specified in the translation list wherein a non-globally unique IP address of the host is translated to one of said globally unique IP addresses available from the pool when the packet is sent from the local network and one of said globally unique IP addresses identified as one from the pool is translated to said non-globally unique IP address of the host when the packet is directed to the local network; and
matching the packet against at least one security criterion.
(a) determining that the packet indicates that a data connection is to be opened, and (b) determining whether a control connection exists for the data connection.
9. The method of claim 1, further comprising forwarding the packet to a destination if it meets the at least one security criterion.
10. The method of claim 2, further comprising blocking transmission of the packet to its destination if it does not meet the at least one security criterion.
11. An apparatus configured to provide network connections between nodes on a local network and nodes outside the local network, the apparatus comprising:
a processor;
a memory in communication with the processor;
a collection of global IP addresses available to the nodes on the local network;
an address translation list including at least one translation, each specifying a local network layer address of a local node and an associated global unique network layer address; and
a firewall specifying at least one security criterion and configured to protect the local network from packets that pose a security risk, wherein at least one of the processor and the memory is configured to match IP addresses in packets against IP addresses of entries in the address translation list, wherein a non-globally unique IP address of the local node is matched to a globally unique IP address available from the collection when the packet is sent from the local network and a globally unique IP address identified as one from the collection is matched to a non-globally unique IP address of the local node when the packet is directed to the local network.
16. A machine readable medium on which is stored instructions for passing a packet between a local network and nodes outside of the local network, the instructions specifying a method comprising:
receiving the packet;
identifying a first network layer address on the packet that matches a second network layer address in an address translation list specifying combinations of IP addresses of hosts on the local network with globally unique IP addresses from a pool of globally unique IP addresses available for use by the hosts on the local network;
translating the matching first network layer address on the packet to a corresponding third network layer address specified in the translation list, wherein a non-globally unique IP address of the host is translated to one of said globally unique IP addresses available from the pool when the packet is sent from the local network and one of said globally unique IP addresses identified as one from the pool is translated to said non-globally unique IP address of the host when the packet is directed to the local network; and
matching the packet against at least one security criterion.
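The following is an added toy model of the claimed method (not code from the patent or its assignee): a translation list that pairs local addresses with globally unique addresses from a pool, source rewriting on outbound packets, destination rewriting on inbound packets, and the inbound security criteria the abstract names (DNS, selected ICMP types, and FTP data only when the local host already opened an FTP control connection). Every address, port and packet below is constructed; the ICMP types admitted are an assumption, since the page only says "certain types".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1

class Nat:
    """Toy address translator plus inbound screen (added example, not the patent's code)."""
    def __init__(self, pool):
        self.pool = list(pool)      # globally unique addresses still free
        self.table = {}             # translation list: local IP -> global IP
        self.control = set()        # local IPs with an open FTP control session
        self.log = []               # dropped packets are logged, as the abstract describes

    def outbound(self, pkt):
        """Local -> Internet: bind a pool address to the host and rewrite the source."""
        if pkt.src not in self.table:
            if not self.pool:
                raise RuntimeError("global address pool exhausted")
            self.table[pkt.src] = self.pool.pop(0)
        if pkt.proto == "tcp" and pkt.dport == 21:
            self.control.add(pkt.src)   # host initiated an FTP control connection
        return Packet(self.table[pkt.src], pkt.dst, pkt.proto,
                      pkt.sport, pkt.dport, pkt.icmp_type)

    def inbound(self, pkt):
        """Internet -> local: reverse the translation, then apply the security criteria."""
        reverse = {g: l for l, g in self.table.items()}
        local = reverse.get(pkt.dst)
        if local is None:
            self.log.append(f"drop {pkt}: destination not in translation list")
            return None
        allowed = (
            (pkt.proto == "udp" and pkt.sport == 53)                  # DNS reply
            or (pkt.proto == "icmp" and pkt.icmp_type in (0, 3, 11))  # echo reply, unreachable, time exceeded (assumed set)
            or (pkt.proto == "tcp" and pkt.sport == 20                # active-mode FTP data connection ...
                and local in self.control)                            # ... only if a control connection exists
        )
        if not allowed:
            self.log.append(f"drop {pkt}: fails security criterion")
            return None
        return Packet(pkt.src, local, pkt.proto, pkt.sport, pkt.dport, pkt.icmp_type)
```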