Security system for network address translation systems

US 7,583,668 B1
Filed: 08/09/2006
Issued: 09/01/2009
Est. Priority Date: 11/03/1995
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus configured to provide network connections between nodes on a local network and nodes outside the local network, the apparatus comprising:

a first processor;

memory in communication with the first processor; and

a firewall specifying at least one security criterion and configured to protect the local network from packets that pose a security risk;

wherein the apparatus is operable to;

perform network address translation of network layer addresses associated with packets exchanged between nodes on the local network and nodes outside the local network;

generate a network address translation list including at least one translation, each specifying a local network layer address of a local node and an associated global unique network layer address;

match IP addresses in packets against IP addresses specified in the local network layer address or the associated global unique network layer address of the at least one translation in the network address translation list.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for providing perform network address translation of network layer addresses of packets exchanged between nodes on a local network and nodes outside the local network. This allows local hosts in an enterprise network to share global IP addresses from a limited pool of such addresses available to the enterprise. The translation may be accomplished by replacing the source address in headers on packets destined for the Internet and by replacing destination address in headers on packets entering the local enterprise network from the Internet. Packets arriving from the Internet are screened by an adaptive security algorithm. According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening.

70 Citations

View as Search Results

16 Claims

1. An apparatus configured to provide network connections between nodes on a local network and nodes outside the local network, the apparatus comprising:
- a first processor;
  
  memory in communication with the first processor; and
  
  a firewall specifying at least one security criterion and configured to protect the local network from packets that pose a security risk;
  
  wherein the apparatus is operable to;
  
  perform network address translation of network layer addresses associated with packets exchanged between nodes on the local network and nodes outside the local network;
  
  generate a network address translation list including at least one translation, each specifying a local network layer address of a local node and an associated global unique network layer address;
  
  match IP addresses in packets against IP addresses specified in the local network layer address or the associated global unique network layer address of the at least one translation in the network address translation list.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus as recited in claim 1, wherein at least one entry of the address translation list includes information defining a connection between said local node of the local network and a foreign host outside the local network.
  - 3. The apparatus as recited in claim 1, further comprising a collection of global IP addresses available to hosts on the local network.
  - 4. The apparatus as recited in claim 1, further comprising an outside interface connected to an external network and an inside interface connected to the local network.
  - 5. The apparatus as recited in claim 1, wherein the apparatus is a network device including a plurality of ports for communication with at least one network medium, and associated logic controlling communications through the ports.
  - 6. The apparatus as recited in claim 1, wherein the at least one security criterion includes, when a packet indicates that a data connection is to be opened, determining whether a control connection exists for the data connection.

7. An method for providing network connections between nodes on a local network and nodes outside the local network, the method comprising:
- performing network address translation of network layer addresses associated with packets exchanged between nodes on the local network and nodes outside the local network;
  
  generating, using a first computer-based processing unit, a network address translation list including at least one translation, each specifying a local network layer address of a local node and an associated global unique network layer address; and
  
  matching IP addresses in packets against IP addresses specified in the local network layer address or the associated global unique network layer address of the at least one translation in the network address translation list.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7 further comprising:
    - identifying at least one security criterion for protecting the local network from packets that pose a security risk.
  - 9. The method as recited in claim 7, wherein at least one entry of the address translation list includes information defining a connection between said local node of the local network and a foreign host outside the local network.
  - 10. The method as recited in claim 7, further comprising:
    - providing a collection of global IP addresses which are available to hosts on the local network.
  - 11. The method as recited in claim 7 further comprising:
    - determining whether a control connection exists for a data connection when a packet indicates that the data connection is to be opened.

12. A system for providing network connections between nodes on a local network and nodes outside the local network, the system comprising:
- at least one processor;
  
  memory;
  
  means for performing network address translation of network layer addresses associated with packets exchanged between nodes on the local network and nodes outside the local network;
  
  means for generating a network address translation list including at least one translation, each specifying a local network layer address of a local node and an associated global unique network layer address; and
  
  means for matching IP addresses in packets against IP addresses specified in the local network layer address or the associated global unique network layer address of the at least one translation in the network address translation list.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12 further comprising:
    - means for identifying at least one security criterion for protecting the local network from packets that pose a security risk.
  - 14. The system as recited in claim 12, wherein at least one entry of the address translation list includes information defining a connection between said local node of the local network and a foreign host outside the local network.
  - 15. The system as recited in claim 12, further comprising:
    - means for providing a collection of global IP addresses which are available to hosts on the local network.
  - 16. The system as recited in claim 12 further comprising:
    - means for determining whether a control connection exists for a data connection when a packet indicates that the data connection is to be opened.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Mayes, John C., Coile, Brantley W.
Primary Examiner(s)
Pham; Chi H.
Assistant Examiner(s)
HOM, SHICK C

Application Number

US11/502,021
Time in Patent Office

1,119 Days
Field of Search

None
US Class Current

370/389
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/2514   between local and global IP...

H04L 61/2557   Translation policies or rules

H04L 63/0227   Filtering policies mail mes...

Security system for network address translation systems

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Security system for network address translation systems

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links