Security system for network address translation systems
First Claim
1. An apparatus for passing a packet between a local network and a node outside of the local network, the apparatus comprising:
- means for receiving the packet;
- means for identifying a first network layer address on the packet that matches a second network layer address in an address translation list specifying combinations of IP addresses of hosts on the local network with globally unique IP addresses from a pool of globally unique IP addresses available for use by the hosts on the local network;
- means for translating the first network layer address on the packet to a corresponding third network layer address specified in the translation list, wherein a non-globally unique IP address of the host is translated to one of said globally unique IP addresses available from the pool when the packet is sent from the local network and one of said globally unique IP addresses identified as one from the pool is translated to said non-globally unique IP address of the host when the packet is directed to the local network; and
- means for matching the packet against at least one security criterion.
0 Assignments
0 Petitions
Abstract
A system and method are provided for translating local IP addresses to globally unique IP addresses. This allows local hosts in an enterprise network to share global IP addresses from a limited pool of such addresses available to the enterprise. The translation is accomplished by replacing the source address in headers on packets destined for the Internet and by replacing the destination address in headers on packets entering the local enterprise network from the Internet. Packets arriving from the Internet are screened by an adaptive security algorithm. According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening. DNS packets and certain types of ICMP packets are allowed to enter the local network. In addition, FTP data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated an FTP session.
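The abstract describes two cooperating mechanisms: a translation list that maps local (non-globally unique) host addresses to addresses drawn from a small global pool, and an inbound screen that drops and logs everything from the Internet except replies to sessions the inside host opened, DNS, certain ICMP types, and FTP data toward a host that already opened an FTP control session. The following Python model is an added illustration written for this page, not code from the patent or from any product implementing it. All addresses, ports and the set of ICMP types treated as "nonthreatening" (echo reply, destination unreachable, time exceeded) are constructed assumptions; the session-matching rule models the inside-initiated check in the simplest way.

```python
"""Toy model of pool-based NAT plus an adaptive inbound security screen.

Added example (not the patent's code). Addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0        # 0 for ICMP
    dport: int = 0
    icmp_type: int = -1   # only meaningful when proto == "icmp"


@dataclass
class AdaptiveNAT:
    pool: List[str]                                   # unused global addresses
    local_to_global: Dict[str, str] = field(default_factory=dict)
    global_to_local: Dict[str, str] = field(default_factory=dict)
    # sessions opened from inside: (local host, remote host, proto, local port, remote port)
    sessions: Set[Tuple[str, str, str, int, int]] = field(default_factory=set)
    # (local host, FTP server) pairs where the local host opened the control channel
    ftp_initiators: Set[Tuple[str, str]] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    # Assumed set of ICMP types a defender would pass: echo reply,
    # destination unreachable, time exceeded. Echo request (8) is not in it.
    SAFE_ICMP_TYPES = {0, 3, 11}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Local -> Internet: rewrite the source address from the pool and record the session."""
        g = self.local_to_global.get(pkt.src)
        if g is None:
            if not self.pool:
                self.log.append(f"DROP outbound from {pkt.src}: global pool exhausted")
                return None
            g = self.pool.pop(0)
            self.local_to_global[pkt.src] = g
            self.global_to_local[g] = pkt.src
        self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        if pkt.proto == "tcp" and pkt.dport == 21:
            # Inside host opened an FTP control session to this server.
            self.ftp_initiators.add((pkt.src, pkt.dst))
        return Packet(g, pkt.dst, pkt.proto, pkt.sport, pkt.dport, pkt.icmp_type)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> local: translate the destination back, then apply the security screen."""
        local = self.global_to_local.get(pkt.dst)
        if local is None:
            self.log.append(f"DROP inbound {pkt.src}->{pkt.dst}: no translation entry")
            return None
        if self._nonthreatening(pkt, local):
            return Packet(pkt.src, local, pkt.proto, pkt.sport, pkt.dport, pkt.icmp_type)
        self.log.append(
            f"DROP inbound {pkt.src}->{local} {pkt.proto} {pkt.sport}->{pkt.dport} type={pkt.icmp_type}"
        )
        return None

    def _nonthreatening(self, pkt: Packet, local: str) -> bool:
        # 1. Reply to a session the inside host initiated (ports reversed).
        if (local, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.sessions:
            return True
        # 2. DNS answers are passed (a stricter screen would match a pending query).
        if pkt.proto == "udp" and pkt.sport == 53:
            return True
        # 3. Only the assumed-safe ICMP types are passed.
        if pkt.proto == "icmp" and pkt.icmp_type in self.SAFE_ICMP_TYPES:
            return True
        # 4. Active-mode FTP data (server port 20) only after the inside host opened control.
        if pkt.proto == "tcp" and pkt.sport == 20 and (local, pkt.src) in self.ftp_initiators:
            return True
        return False


def demo() -> dict:
    """Run constructed traffic through the model and return what was passed or dropped."""
    nat = AdaptiveNAT(pool=["203.0.113.10", "203.0.113.11"])
    web = nat.outbound(Packet("10.0.0.5", "198.51.100.7", "tcp", 40000, 80))
    g = web.src
    results = {
        "translated_src": g,
        "web_reply": nat.inbound(Packet("198.51.100.7", g, "tcp", 80, 40000)),
        "unsolicited_ssh": nat.inbound(Packet("198.51.100.9", g, "tcp", 4444, 22)),
        "ftp_data_before_control": nat.inbound(Packet("198.51.100.20", g, "tcp", 20, 50000)),
    }
    nat.outbound(Packet("10.0.0.5", "198.51.100.20", "tcp", 40001, 21))   # FTP control
    results["ftp_data_after_control"] = nat.inbound(Packet("198.51.100.20", g, "tcp", 20, 50000))
    results["dns_reply"] = nat.inbound(Packet("198.51.100.53", g, "udp", 53, 41000))
    results["icmp_echo_request"] = nat.inbound(Packet("198.51.100.9", g, "icmp", icmp_type=8))
    results["icmp_echo_reply"] = nat.inbound(Packet("198.51.100.9", g, "icmp", icmp_type=0))
    results["log"] = list(nat.log)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The model makes the ordering constraint in the abstract explicit: the same FTP data packet is dropped and logged before the inside host opens its control session and passed afterwards, while an unsolicited connection attempt to the pool address is logged even though a translation entry exists for it. The log is what a defender would forward to a collector, since every entry is a packet that reached the boundary without an inside-initiated reason to exist.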
40 Citations
14 Claims

1. An apparatus for passing a packet between a local network and a node outside of the local network, the apparatus comprising:
- means for receiving the packet;
- means for identifying a first network layer address on the packet that matches a second network layer address in an address translation list specifying combinations of IP addresses of hosts on the local network with globally unique IP addresses from a pool of globally unique IP addresses available for use by the hosts on the local network;
- means for translating the first network layer address on the packet to a corresponding third network layer address specified in the translation list, wherein a non-globally unique IP address of the host is translated to one of said globally unique IP addresses available from the pool when the packet is sent from the local network and one of said globally unique IP addresses identified as one from the pool is translated to said non-globally unique IP address of the host when the packet is directed to the local network; and
- means for matching the packet against at least one security criterion.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)

10. An apparatus for passing packets between a local network and nodes outside of the local network, the apparatus comprising:
- means for receiving a packet;
- means programmable to identify a first network layer address on the packet that matches a second network layer address in a means for storing combinations of IP addresses of hosts on the local network with corresponding globally unique IP addresses;
- means programmable to translate the first network layer address on the packet to a third network layer address, wherein at least one of the first and third network layer addresses is a globally unique IP address from at least two globally unique IP addresses allocated to the local network; and
- means using at least one security criterion for protecting the local network from packets that pose a security risk.
(Dependent claims: 11, 12, 13, 14)
Specification