SYSTEM AND METHOD FOR PROVIDING NETWORK AND COMPUTER FIREWALL PROTECTION WITH DYNAMIC ADDRESS ISOLATION TO A DEVICE
Abstract
A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.
19 Claims
1. (canceled)

2. A security system comprising:

a communication interface configured to transmit an outgoing data packet with an external outgoing header to an external network and to receive an incoming data packet with an external incoming header from the external network, the external outgoing header including a public internet protocol (IP) address as a source address of the outgoing data packet, the external incoming header including the public IP address as a destination address of the incoming data packet;

an address translation engine configured to:
    receive the outgoing data packet with an internal outgoing header from an internal device, the internal outgoing header identifying an internal IP address of the internal device as the source address of the outgoing data packet;
    receive from the communication interface the incoming data packet with the external incoming header, the internal device including a particular application associated with the outgoing data packet and with the incoming data packet;
    translate the internal IP address of the outgoing data packet to the public IP address and assist in forming the external outgoing header based on the public IP address;
    translate the public IP address of the incoming data packet to the internal IP address and assist in forming an internal incoming header based on the internal IP address; and
    store association of the internal IP address and the public IP address to assist with address translation; and

a hybrid firewall configured to:
    perform a network-level security evaluation and one of several application-level security evaluations on the incoming data packet;
    receive a particular application identifier associated with the particular application from the internal outgoing header of the outgoing data packet;
    select one of the several application-level security evaluations based on the application identifier determined based on the incoming data packet; and
    allow the incoming data packet to pass to the particular application if the network-level security evaluation and the one of the several application-level security evaluations determine that there is no malicious code in the incoming data packet.

Dependent claims 3, 4, 5, 6, 7, 8, 9 and 10 are not reproduced here.

11. A security method, comprising:

    receiving by a security system an outgoing data packet with an internal outgoing header from an internal device, the security system being different than the internal device, the internal outgoing header identifying an internal internet protocol (IP) address of the internal device as the source address of the outgoing data packet, the internal outgoing header including an application identifier associated with a particular application that caused generation of the outgoing data packet;
    translating the internal IP address of the outgoing data packet to a public IP address;
    removing the application identifier from the outgoing data packet;
    storing the internal IP address, the public IP address, and the application identifier;
    forming the external outgoing header based on the public IP address, the external outgoing header including the public IP address as a source address of the outgoing data packet;
    transmitting the outgoing data packet with the external outgoing header to an external network;
    receiving an incoming data packet with an external incoming header from the external network, the external incoming header including the public IP address as a destination address of the incoming data packet;
    translating the public IP address of the incoming data packet to the internal IP address;
    forming an internal incoming header based on the internal IP address;
    retrieving the application identifier;
    selecting a particular application-level security evaluation from several application-level security evaluations based on the application identifier;
    performing by the security system a network-level security evaluation and the particular application-level security evaluation on the incoming data packet; and
    allowing the incoming data packet to pass to the particular application if the network-level security evaluation and the particular application-level security evaluation determine that there is no malicious code in the incoming data packet.

Dependent claims 12, 13, 14, 15, 16, 17, 18 and 19 are not reproduced here.

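The mechanism shared by claims 2 and 11 (an address translation engine that strips and remembers an application identifier on the way out, then a hybrid firewall that uses the stored identifier to pick an application-level evaluation on the way back in) is modelled below as a small, runnable Python illustration. This is an added example, not code from the patent or its assignee; the class and function names, the packet fields, the port-based translation table, the two sample application checks and the address values are all assumptions constructed for the demonstration, and the choice to drop packets whose stored identifier has no matching evaluation is a fail-closed design decision of this example rather than something the claims specify.

```python
"""Toy model of NAT with stored application identifiers plus a hybrid
network-level / application-level firewall (constructed illustration)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    app_id: Optional[str] = None  # carried only on the internal outgoing header


# Translation table value: (internal_ip, internal_port, app_id)
NatEntry = Tuple[str, int, str]


class SecuritySystem:
    """Hypothetical security system sitting between internal devices and the Internet."""

    def __init__(self, public_ip: str, app_checks: Dict[str, Callable[[bytes], bool]]):
        self.public_ip = public_ip
        self.app_checks = app_checks  # app_id -> evaluation returning True when the payload is clean
        self.table: Dict[Tuple[str, int], NatEntry] = {}  # keyed by (public_ip, public_port)
        self._next_port = 40000  # assumed start of the public port pool

    def outbound(self, pkt: Packet) -> Packet:
        """Translate internal -> public, strip the app id, and store the association."""
        if pkt.app_id is None:
            raise ValueError("internal outgoing header must carry an application identifier")
        public_port = self._next_port
        self._next_port += 1
        self.table[(self.public_ip, public_port)] = (pkt.src_ip, pkt.src_port, pkt.app_id)
        # External outgoing header: public address as source, identifier removed.
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload, app_id=None)

    def network_level_ok(self, pkt: Packet) -> bool:
        """Network-level evaluation: admit only traffic addressed to a known translation."""
        return pkt.dst_ip == self.public_ip and (pkt.dst_ip, pkt.dst_port) in self.table

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet with its internal incoming header, or None if it is dropped."""
        if not self.network_level_ok(pkt):
            return None
        internal_ip, internal_port, app_id = self.table[(pkt.dst_ip, pkt.dst_port)]
        check = self.app_checks.get(app_id)  # select the evaluation by stored identifier
        if check is None or not check(pkt.payload):
            return None  # no evaluation for this app, or the evaluation flagged the payload
        return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port, pkt.payload, app_id=app_id)


def web_check(payload: bytes) -> bool:
    # Constructed sample rule for the "web" application: refuse inline script content.
    return b"<script" not in payload.lower()


def dns_check(payload: bytes) -> bool:
    # Constructed sample rule for the "dns" application: classic UDP replies fit in 512 bytes.
    return len(payload) <= 512


def demo() -> dict:
    """Run a constructed exchange through the system and return the outcomes."""
    fw = SecuritySystem("203.0.113.7", {"web": web_check, "dns": dns_check})
    out_web = fw.outbound(Packet("10.0.0.5", 51000, "198.51.100.9", 80, b"GET / HTTP/1.1\r\n\r\n", app_id="web"))
    out_dns = fw.outbound(Packet("10.0.0.5", 53001, "198.51.100.53", 53, b"\x12\x34query", app_id="dns"))
    reply = lambda port, body: Packet("198.51.100.9", 80, "203.0.113.7", port, body)
    return {
        "outgoing_web": out_web,
        "clean_web": fw.inbound(reply(out_web.src_port, b"HTTP/1.1 200 OK\r\n\r\n<html>ok</html>")),
        "bad_web": fw.inbound(reply(out_web.src_port, b"HTTP/1.1 200 OK\r\n\r\n<script>x</script>")),
        "unsolicited": fw.inbound(reply(9999, b"HTTP/1.1 200 OK\r\n\r\n")),
        "big_dns": fw.inbound(Packet("198.51.100.53", 53, "203.0.113.7", out_dns.src_port, b"\x00" * 600)),
        "small_dns": fw.inbound(Packet("198.51.100.53", 53, "203.0.113.7", out_dns.src_port, b"\x12\x34answer")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'delivered' if result else 'dropped'}")
```

The point the example makes is that the application-level check is chosen by the identifier stored at translation time, not by anything in the external header, so a reply arriving on the "dns" translation is judged by the DNS rule even though it could be addressed to the same public IP as the web flow; the unsolicited packet never reaches an application-level check because the network-level evaluation rejects it first.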
Specification