Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network
First Claim
1. A security gateway comprising:
- a first logical interface to a first network;
- a second logical interface to a second network;
- a physical interface to an untrusted network through which a logical connection can be established to hosts, including hosts in a protected network; and
- a processor that is configured to:
  - perform source network address translation (SNAT) on packets that arrive at the first logical interface which are destined to the second network or to a host coupled to the untrusted network that is outside the protected network, and to communicate the SNAT-processed packets to their respective destinations,
  - refuse to establish communication to a host on the first network for a device on the second network,
  - perform SNAT on packets that arrive at the second logical interface and that are destined to a host on the untrusted network that is outside the protected network, and to communicate the SNAT-processed packets to their destination, and
  - send via the untrusted network, by use of an IPsec tunnel, packets that arrive at the first logical interface and that are destined to the protected network.
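The forwarding policy that claim 1 describes, written out as a small decision model so the asymmetry is visible: the first network reaches the second network and the Internet behind SNAT, reaches the protected network through the IPsec tunnel with its real addresses intact, and the second network is refused any path back to the first. This is an added example, not code from the patent or its assignee; the addresses, interface names, the anti-spoofing check on ingress and the default-deny for second-network traffic toward the protected network (on which claim 1 is silent) are assumptions chosen for illustration.

```python
"""Forwarding-policy model for the security gateway of claim 1 (added example).

Assumed topology, not taken from the patent (RFC 1918 / RFC 5737 ranges):
  first network            10.1.0.0/24    logical interface "trust1"
  second network           10.2.0.0/24    logical interface "trust2"
  protected resource net   10.100.0.0/16  reached through an IPsec tunnel
  untrusted network        physical interface "wan", public address 203.0.113.1
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

FIRST_NET = ip_network("10.1.0.0/24")
SECOND_NET = ip_network("10.2.0.0/24")
PROTECTED_NET = ip_network("10.100.0.0/16")
GW_ON_SECOND = "10.2.0.1"   # gateway's own address on the second network (assumed)
WAN_ADDR = "203.0.113.1"    # gateway's public address on the untrusted interface (assumed)

IFACE_NET = {"trust1": FIRST_NET, "trust2": SECOND_NET}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str


@dataclass(frozen=True)
class Decision:
    action: str                     # "forward" or "drop"
    reason: str
    out_iface: Optional[str] = None
    snat_to: Optional[str] = None   # replacement source address when SNAT applies
    ipsec: bool = False             # True when the packet goes through the IPsec tunnel


def decide(pkt: Packet) -> Decision:
    """Handling of a packet that initiates a new flow through the gateway."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    net = IFACE_NET.get(pkt.in_iface)
    # Assumption: new flows are only initiated from the two trust-group
    # interfaces, and a source outside the ingress network is treated as spoofed.
    if net is None or src not in net:
        return Decision("drop", "unknown ingress interface or source not in ingress network")
    if dst in net:
        return Decision("drop", "intra-network traffic does not transit the gateway")

    if pkt.in_iface == "trust1":
        if dst in PROTECTED_NET:
            # Fourth limitation of claim 1: tunnel, no SNAT; the real addresses
            # travel inside the IPsec encapsulation.
            return Decision("forward", "first network to protected network via IPsec",
                            "wan", ipsec=True)
        if dst in SECOND_NET:
            # First limitation: SNAT so second-network hosts never learn first-network addresses.
            return Decision("forward", "first network to second network, SNAT",
                            "trust2", snat_to=GW_ON_SECOND)
        # Also first limitation: untrusted host outside the protected network.
        return Decision("forward", "first network to untrusted network, SNAT",
                        "wan", snat_to=WAN_ADDR)

    # pkt.in_iface == "trust2"
    if dst in FIRST_NET:
        # Second limitation: the second network may not initiate to the first.
        return Decision("drop", "second network may not reach first network")
    if dst in PROTECTED_NET:
        # Claim 1 grants the second network no path to the protected network;
        # refusing it is a default-deny assumption, not a claim element.
        return Decision("drop", "no path from second network to protected network (default deny)")
    # Third limitation.
    return Decision("forward", "second network to untrusted network, SNAT",
                    "wan", snat_to=WAN_ADDR)


def egress(pkt: Packet) -> Optional[Tuple[str, str, str]]:
    """(out_iface, src, dst) as the packet leaves the gateway, or None if dropped."""
    d = decide(pkt)
    if d.action != "forward":
        return None
    return (d.out_iface, d.snat_to or pkt.src, pkt.dst)


if __name__ == "__main__":
    # Constructed sample flows, one per policy branch.
    for p in [Packet("trust1", "10.1.0.7", "10.100.4.2"),
              Packet("trust1", "10.1.0.7", "10.2.0.9"),
              Packet("trust1", "10.1.0.7", "198.51.100.20"),
              Packet("trust2", "10.2.0.9", "10.1.0.7"),
              Packet("trust2", "10.2.0.9", "198.51.100.20"),
              Packet("trust2", "10.1.0.7", "198.51.100.20")]:
        print(p, "->", decide(p), egress(p))
```

One implementation caveat the model makes explicit: SNAT must be skipped for the first-network-to-protected-network flows, otherwise the tunnel would carry the gateway's address rather than the host's. On a Linux gateway the NAT postrouting step runs before IPsec encapsulation, so the SNAT rules need an explicit exception for traffic matched by the IPsec policy.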
Abstract
A security gateway provides a secure connection among one or more local networks and a protected resource network. One of the local networks may be connected to the protected resource network, which may be remote, via an IPsec VPN tunnel. The local networks may share resources without compromising the security of the protected resource network, and may share a single connection to an untrusted network such as the Internet through the security gateway. Dynamic source network address translation permits access from the network connected to the protected resource network to other, less trusted networks while concealing the actual IP addresses of hosts within that network.
213 Citations
17 Claims
Claims 2 through 17 are dependent on claim 1.
Specification