Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network

US 7,131,141 B1
Filed: 11/19/2001
Issued: 10/31/2006
Est. Priority Date: 07/27/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A security gateway comprising:

a first logical interface to a first network;

a second logical interface to a second network;

a physical interface to an untrusted network through which a logical connection can be established to hosts, including hosts in a protected network; and

a processor that is configure toperform source network address translation (SNAT) on packets that arrive at the first logical interface which are destined to the second network or to a host coupled to the untrusted network that is outside the protected network, and to communicate the SNAT processed packets to their respective destinations,refuse to establish communication to a host on the first network for a device on the second network,perform SNAT on packets that arrive at the second logical interface and that are destined to a host on the untrusted network that is outside the protected network, and to communicate the SNAT-processed packets to their destination, andsend via the untrusted network, by use of an IPSec tunnel, packets that arrive at the first logical interface and that are destined to the protected network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security gateway provides a secure connection among one or more networks and a protected resource network. One of the local networks may be connected to the remote private network via a VPN IPsec tunnel. The networks may be local networks that share resources without compromising the security of the protected resource network. The local networks may have access to an untrusted network such as the Internet, sharing a single connection through the security gateway. Dynamic source network address translation is used to permit access from the network connected to the protected resource network to other, less trusted networks while concealing the actual IP addresses of hosts within that network.

213 Citations

17 Claims

1. A security gateway comprising:
- a first logical interface to a first network;
  
  a second logical interface to a second network;
  
  a physical interface to an untrusted network through which a logical connection can be established to hosts, including hosts in a protected network; and
  
  a processor that is configure toperform source network address translation (SNAT) on packets that arrive at the first logical interface which are destined to the second network or to a host coupled to the untrusted network that is outside the protected network, and to communicate the SNAT processed packets to their respective destinations,refuse to establish communication to a host on the first network for a device on the second network,perform SNAT on packets that arrive at the second logical interface and that are destined to a host on the untrusted network that is outside the protected network, and to communicate the SNAT-processed packets to their destination, andsend via the untrusted network, by use of an IPSec tunnel, packets that arrive at the first logical interface and that are destined to the protected network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The apparatus of claim 1 where the processor is further configured to refuse to forward packets to the protected network from a host on the untrusted network or on the second network.
  - 3. The gateway of claim 1 where the first logical interface and the second logical interface are coupled to two distinct physical connection ports of the gateway.
  - 4. The gateway of claim 1 where the gateway is interposed between the internet and the set of the first and the second logical interfaces.
  - 5. The gateway of claim 1 where the first network and the second network are co-located.
  - 6. The gateway of claim 1 where the first network comprises at least one computer and the second network comprises at least one computer.
  - 7. The gateway of claim 1 where in performing SNAT, the processor inserts into outgoing packets an IP address that belongs to the gateway.
  - 8. The gateway of claim 1 where the processor operates pursuant to modifiable stored rules that allow at least some devices in the first network to establish a connection to hosts on the untrusted network that are outside the protected network.
  - 9. The gateway of claim 1 where the processor is further configured to refuse to establish a connection to the first network for a host on the second network or on the untrusted network.
  - 10. The gateway of claim 1 where the processor is further configured to decline to perform destination network address translations (DNAT) on packets destined to the first logical interface unless a connection was first established by the packets arriving to the gateway from via the first logical interface.
  - 11. The gateway of claim 1 where the SNAT operations are performed pursuant to packet handling rules stored in the gateway.
  - 12. The gateway of claim 11 where the packet handling rules are sensitive to identity of devices of the first network, having a capability for permitting access selected ones of the devices of the first network to gain access to a host in the untrusted network.
  - 13. The gateway of claim 1 where the processor is further configured to permit client on the untrusted network a limited access through the gateway to a server, when addressed to a preselected network port of a preselected address of the gateway, with the gateway performing destination network address translation (DNA) of the preselected port and address to the address of the server, where the preselected port and address are selected without regard to the address of the server in to which the limited access to initiate communication is granted.
  - 14. The gateway of claim 13 where the server is on the first network.
  - 15. The gateway of claim 13 where the server is on the protected network, and the passage of packets from the gateway to the server is via an IPSec tunnel.
  - 16. The gateway of claim 13 where the server is on the second network.
  - 17. The gateway of claim 1 further comprising a logical interface to a second protected network, and the processor is configured to send packets that arrive at the first logical interface which are destined to the second protected network to their destination via the untrusted network, by use of an IPSec tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Corporation (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Blewett, Charles Douglas, Hall, Robert J., Denker, John Stewart
Primary Examiner(s)
Barrón, Gilberto
Assistant Examiner(s)
LEMMA, SAMSON B

Application Number

US09/991,842
Time in Patent Office

1,807 Days
Field of Search

726/2, 726 12- 13, 726/15, 726/3, 709/229, 709/223, 713/201, 713/200, 713/153, 713/150
US Class Current

726/12
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/164   at the network layer

Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

213 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

213 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links