Firewall providing enhanced network security and user transparency
First Claim
1. A virtual private network comprising:
a first private network including a first firewall interposed between the first private network and a public network;
a second private network including a second firewall interposed between the second private network and the public network;
the first and second firewalls being configured to provide an encrypted path for traffic flowing between the first and second firewalls; and
wherein a dedicated domain name server is associated with each of the first and second firewalls for establishing DNS mappings for the virtual private network.
Abstract
The present invention provides a firewall that achieves maximum network security and maximum user convenience. The firewall employs "envoys" that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of prior-art packet filters, combining the best of both worlds. No traffic can pass through the firewall unless the firewall has established an envoy for that traffic. Both connection-oriented (e.g., TCP) and connectionless (e.g., UDP-based) services may be handled using envoys. Establishment of an envoy may be subjected to a myriad of tests to "qualify" the user, the requested communication, or both. Therefore, a high level of security may be achieved. The usual added burden of prior-art proxy systems is avoided in such a way as to achieve full transparency: the user can use standard applications and need not even know of the existence of the firewall. To achieve full transparency, the firewall is configured as two or more sets of virtual hosts. The firewall is, therefore, "multi-homed," each home being independently configurable. One set of hosts responds to addresses on a first network interface of the firewall. Another set of hosts responds to addresses on a second network interface of the firewall. In one aspect, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface. In another aspect, automatic transparency may be achieved using code for dynamically mapping remote hosts to virtual hosts in accordance with a technique referred to herein as dynamic DNS, or DDNS.
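The following Python model illustrates the mechanism the abstract describes and the claims build on: a dedicated DNS server answers internal clients with the address of a virtual host on the firewall's inner interface (static mappings for programmable transparency, on-demand allocation for dynamic DNS), and the firewall forwards traffic only after it has established a qualified envoy for it; packets sent straight to a real public address, or failing the qualification policy, are dropped. This is example code written for this page, not code from the patent. The address pool, hostnames, the policy function and the treatment of a peer firewall's public address as the endpoint of the encrypted path are constructed assumptions.

```python
"""Toy model of a DNS-mapped, envoy-based transparent firewall.

Example code added for illustration; not the patent's own implementation.
All addresses, names and the policy below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Envoy:
    """One established, qualified relay between a user and a remote host."""
    user: str
    proto: str        # "tcp" (connection-oriented) or "udp" (connectionless)
    remote: str       # real address reached through the outer interface
    port: int
    encrypted: bool   # True when the remote is a peer firewall (VPN path)


class VirtualHostMapper:
    """Dedicated DNS server: remote hostname -> virtual host on the inner interface.

    Static entries model programmable transparency; names without an entry
    are allocated a virtual host on first lookup, modelling dynamic DNS.
    """

    def __init__(self, pool_cidr, real_dns, static=None):
        # Hypothetical pool of inner-interface addresses the firewall answers on.
        self._pool = (str(a) for a in ipaddress.ip_network(pool_cidr).hosts())
        self._real_dns = dict(real_dns)      # hostname -> real public address
        self._name_to_vhost = {}
        self._vhost_to_name = {}
        for name, vhost in (static or {}).items():
            self._bind(name, vhost)

    def _bind(self, name, vhost):
        self._name_to_vhost[name] = vhost
        self._vhost_to_name[vhost] = name

    def resolve(self, name):
        """Answer an internal client's query; None models NXDOMAIN."""
        if name not in self._real_dns:
            return None
        if name not in self._name_to_vhost:
            vhost = next(self._pool)
            while vhost in self._vhost_to_name:   # skip statically bound addresses
                vhost = next(self._pool)
            self._bind(name, vhost)               # DDNS: map on demand
        return self._name_to_vhost[name]

    def remote_for(self, vhost):
        """Reverse lookup used by the firewall when traffic hits a virtual host."""
        name = self._vhost_to_name.get(vhost)
        return None if name is None else self._real_dns[name]


def sample_policy(user, proto, port):
    """Constructed qualification tests applied before an envoy is established."""
    if proto == "tcp" and port in (80, 443):
        return True
    if proto == "udp" and port == 53:
        return user == "resolver"   # only the internal resolver may send DNS out
    return False


class Firewall:
    def __init__(self, mapper, policy, vpn_peers=()):
        self.mapper = mapper
        self.policy = policy
        self.vpn_peers = frozenset(vpn_peers)   # public addresses of peer firewalls
        self.envoys = {}                        # (user, proto, vhost, port) -> Envoy

    def handle(self, user, proto, dst, port):
        """Return ("FORWARD", envoy) or ("DROP", None) for one packet or connection."""
        key = (user, proto, dst, port)
        envoy = self.envoys.get(key)
        if envoy is None:
            remote = self.mapper.remote_for(dst)
            # No virtual host behind dst, or failed qualification: no envoy, no traffic.
            if remote is None or not self.policy(user, proto, port):
                return ("DROP", None)
            envoy = Envoy(user, proto, remote, port, remote in self.vpn_peers)
            self.envoys[key] = envoy
        return ("FORWARD", envoy)


def run_demo():
    """Drive the model with constructed names, addresses and users."""
    real_dns = {
        "www.example.net": "203.0.113.10",
        "files.branch.example": "198.51.100.1",   # public side of the branch firewall
    }
    mapper = VirtualHostMapper("10.0.254.0/24", real_dns,
                               static={"www.example.net": "10.0.254.1"})
    fw = Firewall(mapper, sample_policy, vpn_peers=["198.51.100.1"])
    www = mapper.resolve("www.example.net")
    files = mapper.resolve("files.branch.example")
    return {
        "www_vhost": www,
        "files_vhost": files,
        "nxdomain": mapper.resolve("nonexistent.invalid"),
        "alice_https": fw.handle("alice", "tcp", www, 443),
        "bob_dns": fw.handle("bob", "udp", www, 53),
        "resolver_dns": fw.handle("resolver", "udp", www, 53),
        "bypass": fw.handle("alice", "tcp", "203.0.113.10", 443),
        "vpn": fw.handle("alice", "tcp", files, 443),
        "envoy_count": len(fw.envoys),
    }


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label}: {value}")
```

The "bypass" case is the property worth checking in any real deployment of this design: a client that learns the remote host's real address and addresses it directly never matches a virtual host, so no envoy exists and the firewall drops the traffic rather than falling back to packet-filter behaviour.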
Claims (15)

1. A virtual private network comprising: a first private network including a first firewall interposed between the first private network and a public network; a second private network including a second firewall interposed between the second private network and the public network; the first and second firewalls being configured to provide an encrypted path for traffic flowing between the first and second firewalls; and wherein a dedicated domain name server is associated with each of the first and second firewalls for establishing DNS mappings for the virtual private network. (Dependent claims 2, 3, 4 and 5.)

6. A virtual private network comprising: a first firewall means interposed between a first private network and a public network; a second firewall means interposed between a second private network and the public network; means for providing an encrypted path for traffic flowing between the first and second firewall means; and means for establishing DNS mappings for the virtual private network associated with each of the first and second firewall means. (Dependent claims 7, 8, 9 and 10.)

11. A virtual private network comprising: a first firewall interposed between a first private network and a public network; a second firewall interposed between a second private network and the public network; an encrypted path for traffic flowing between the first and second firewalls; and a dedicated domain name server associated with each of the first and second firewalls for establishing DNS mappings for the virtual private network. (Dependent claims 12, 13, 14 and 15.)