Wireless network security mechanism including reverse network address translation
First Claim
1. In a wireless network system comprising an access point providing wireless service to a mobile station and a Virtual Private Network (VPN) server operative to establish a VPN session with the mobile station, a method comprisingintercepting an address assignment message from a network address configuration server to the mobile station, wherein the mobile station has a unique link layer address, wherein the network address configuration server is operative to provide internal network addresses to requesting mobile stations, and wherein the address assignment message contains an internal network address for the mobile station;
- associating, in a data structure, the unique link layer address of the mobile station with the internal network address provided by the network address configuration server in the address assignment message;
replacing the internal network address in the address assignment message with a virtual network address; and
forwarding the modified address assignment message to the mobile station;
intermediating a VPN session between the VPN server and the mobile station;
wherein the VPN session involves the exchange of encapsulated packets comprising an encapsulating VPN header including an outer network address corresponding to the mobile station, and wherein as to packets sourced from the mobile station, replacing the virtual network address used by the mobile station as the outer network address in the encapsulating VPN headers with the internal network address corresponding to the mobile station.
3 Assignments
0 Petitions
Accused Products
Abstract
Methods, apparatuses and systems directed to preventing unauthorized access to internal network addresses transmitted across wireless networks. According to the invention, mobile stations are assigned virtual client network addresses that are used as the outer network addresses in a Virtual Private Network (VPN) infrastructure, as well as unique internal network addresses used as the inner network addresses. In one implementation, the virtual client network addresses have little to no relation to the internal network addressing scheme implemented on the network domain. In one implementation, all clients or mobile stations are assigned the same virtual client network address. A translation layer, in one implementation, intermediates the VPN session between the mobile stations and a VPN server to translate the virtual client network addresses to the internal network addresses based on the medium access control (MAC) address corresponding to the mobile stations. In this manner, the encryption inherent in the VPN infrastructure prevents access to the internal network addresses assigned to the mobile stations.
108 Citations
9 Claims
-
1. In a wireless network system comprising an access point providing wireless service to a mobile station and a Virtual Private Network (VPN) server operative to establish a VPN session with the mobile station, a method comprising
intercepting an address assignment message from a network address configuration server to the mobile station, wherein the mobile station has a unique link layer address, wherein the network address configuration server is operative to provide internal network addresses to requesting mobile stations, and wherein the address assignment message contains an internal network address for the mobile station; -
associating, in a data structure, the unique link layer address of the mobile station with the internal network address provided by the network address configuration server in the address assignment message; replacing the internal network address in the address assignment message with a virtual network address; and forwarding the modified address assignment message to the mobile station; intermediating a VPN session between the VPN server and the mobile station;
wherein the VPN session involves the exchange of encapsulated packets comprising an encapsulating VPN header including an outer network address corresponding to the mobile station, and wherein as to packets sourced from the mobile station, replacing the virtual network address used by the mobile station as the outer network address in the encapsulating VPN headers with the internal network address corresponding to the mobile station. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
Specification
-
- Resources
-
Current AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
Original AssigneeCisco Systems, Inc.
-
InventorsWang, Jing, Vakil, Sumit, Tashjian, Robert W.
-
Primary Examiner(s)Meky; Moustafa M
-
Assistant Examiner(s)SALL, EL HADJI MALICK
-
Application NumberUS10/979,409Time in Patent Office1,617 DaysField of Search709/229, 709/249, 709/203, 709/219, 709/224, 709/245, 455/403, 455/410, 455/411, 455/424, 726/15US Class Current709/200CPC Class CodesH04L 12/4641 Virtual LANs, VLANs, e.g. v...H04L 61/2539 Hiding addresses; Keeping a...H04L 61/5014 using dynamic host configur...H04L 63/0272 Virtual private networksH04W 88/08 Access point devices
