Security system for network address translation systems

US 7,113,508 B1
Filed: 05/31/2002
Issued: 09/26/2006
Est. Priority Date: 11/03/1995
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus for passing a packet between a local network and a node outside of the local network, the apparatus comprising:

means for receiving the packet;

means for identifying a first network layer address on the packet that matches a second network layer address in an address translation list specifying combinations of IP addresses of hosts on the local network with globally unique IP addresses from a pool of globally unique IP addresses available for use by the hosts on the local network;

means for translating the first network layer address on the packet to a corresponding third network layer address specified in the translation list, wherein a non-globally unique IP address of the host is translated to one of said globally unique IP addresses available from the pool when the packet is sent from the local network and one of said globally unique IP addresses identified as one from the pool is translated to said non-globally unique IP address of the host when the packet is directed to the local network; and

means for matching the packet against at least one security criterion.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for translating local IP addresses to globally unique IP addresses. This allows local hosts in an enterprise network to share global IP addresses from a limited pool of such addresses available to the enterprise. The translation is accomplished by replacing the source address in headers on packets destined for the Internet and by replacing destination address in headers on packets entering the local enterprise network from the Internet. Packets arriving from the Internet are screened by an adaptive security algorithm. According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening. DNS packets and certain types of ICMP packets are allowed to enter local network. In addition, FTP data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated an FTP session.

40 Citations

View as Search Results

14 Claims

1. An apparatus for passing a packet between a local network and a node outside of the local network, the apparatus comprising:
- means for receiving the packet;
  
  means for identifying a first network layer address on the packet that matches a second network layer address in an address translation list specifying combinations of IP addresses of hosts on the local network with globally unique IP addresses from a pool of globally unique IP addresses available for use by the hosts on the local network;
  
  means for translating the first network layer address on the packet to a corresponding third network layer address specified in the translation list, wherein a non-globally unique IP address of the host is translated to one of said globally unique IP addresses available from the pool when the packet is sent from the local network and one of said globally unique IP addresses identified as one from the pool is translated to said non-globally unique IP address of the host when the packet is directed to the local network; and
  
  means for matching the packet against at least one security criterion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus as recited in claim 1, wherein the means for receiving the packet is configured to be located at an interface of the local network.
  - 3. The apparatus as recited in claim 2, wherein the interface is located between the local network and the Internet.
  - 4. The apparatus as recited in claim 1, wherein the means for translating the matching first network layer address on the packet to a corresponding third network layer address comprises a network layer address translation system.
  - 5. The apparatus as recited in claim 1, wherein the first network layer address is a destination network layer address on the packet when the packet is directed to the local network or a source network layer address on the packet when the packet is sent from the local network.
  - 6. The apparatus as recited in claim 1, wherein the first network layer address is a globally unique destination network layer address on the packet and the packet is directed to the local network, and wherein the globally unique destination network layer address is translated to a network layer address of a host on the local network.
  - 7. The apparatus as recited in claim 1, wherein the first network layer address is a source network layer address on the packet and the packet is sent from the local network, and wherein the source network layer address is translated to a globally unique network layer address.
  - 8. The apparatus as recited in claim 1, wherein the at least one security criterion includes:
    - (a) determining that the packet indicates that a data connection is to be opened, and(b) determining whether a control connection exists for the data connection.
  - 9. The apparatus as recited in claim 1, further comprising forwarding the packet to a destination if it meets the at least one security criterion.

10. An apparatus for passing packets between a local network and nodes outside of the local network, the apparatus comprising:
- means for receiving a packet;
  
  means programmable to identify a first network layer address on the packet that matches a second network layer address in a means for storing combinations of IP addresses of hosts on the local network with corresponding globally unique IP addresses;
  
  means programmable to translate the first network layer address on the packet to a third network layer address, wherein at least one of the first and third network layer addresses is a globally unique IP address from at least two globally unique IP addresses allocated to the local network; and
  
  means using at least one security criterion for protecting the local network from packets that pose a security risk.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The apparatus as recited in claim 10, wherein the means programmable to translate the first network layer address on the packet to the third network layer address comprises a network layer address translation system.
  - 12. The apparatus as recited in claim 10, wherein the means for storing combinations of IP addresses of hosts on the local network with corresponding globally unique IP addresses is an address translation list.
  - 13. The apparatus as recited in claim 10, wherein the means for storing combinations of IP addresses of hosts on the local network with corresponding globally unique IP addresses comprises at least one dynamic translation slot.
  - 14. The apparatus as recited in claim 10, wherein the means for storing combinations of IP addresses of hosts on the local network with corresponding globally unique IP addresses comprises at least one dynamic translation slot and at least one static translation slot.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Coile, Brantley W., Mayes, John C.
Primary Examiner(s)
Rao, Seema S.
Assistant Examiner(s)
HOM, SHICK C

Application Number

US10/160,831
Time in Patent Office

1,579 Days
Field of Search

370/389, 370/395.52, 370/395.6, 370/401, 370/402, 370/465, 370/466, 370/467, 370/469, 370/474, 370/475, 709/219, 709/238, 709/245
US Class Current

370/389
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/2514   between local and global IP...

H04L 61/2557   Translation policies or rules

H04L 63/0227   Filtering policies mail mes...

Security system for network address translation systems

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Security system for network address translation systems

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links