Translating packet addresses based upon a user identifier
First Claim
1. A method for translating addresses for a data packet based upon a user identifier in the data packet in order to forward the data packet through a firewall, comprising:
receiving the data packet sent by a user from a source node outside the firewall to a protected destination node within the firewall, the data packet including a source address of the source node, a destination address of the protected destination node and the user identifier that identifies the user;
reading the user identifier from the data packet;
using the user identifier to determine communication privileges associated with the user;
replacing the source address in the data packet with a privileged address from a set of privileged addresses recognized by the firewall if the communication privileges allow the user to communicate with the protected destination node;
wherein the firewall is configured to allow only data packets from the set of privileged addresses to pass through the firewall; and
forwarding the data packet to the protected destination node through the firewall;
whereby the privileged address in the source field of the data packet allows the data packet to pass through the firewall.
Abstract
One embodiment of the present invention includes a system that translates addresses in a data packet based upon a user identifier in the data packet. The system receives the data packet sent from a source node to a destination node by a user. This data packet includes a source address of the source node, a destination address of the destination node and the user identifier that identifies the user. The system uses the user identifier to look up communication privileges associated with the user. If the communication privileges allow the user to communicate with the destination node, the system replaces the source address in the data packet with a privileged address, and forwards the data packet to the destination node. In a variation on this embodiment, the privileged address is recognized by a system firewall so that it facilitates passage of the packet through the firewall. In another variation, the privileged address specifies a return address of a given address translation unit and thereby facilitates load balancing across multiple address translation units. In a further variation, the system receives a reply packet from the destination node directed to the privileged address, and replaces the privileged address in the reply packet with the source address so that the reply packet is directed to the source node, before forwarding the reply packet to the source node. In another variation, receiving the reply packet includes acting as a proxy for the privileged address under the address resolution protocol. Another variation further includes authenticating, encrypting and optionally compressing the data packet.
25 Claims
1. (Independent claim; the full text is given under First Claim above.) Dependent claims: 2 to 11.
12. A method for translating addresses for a data packet based upon a user identifier in the data packet in order to forward the data packet through a firewall, comprising:
receiving the data packet sent by a user from a source node outside the firewall to a protected destination node within the firewall, the data packet including a source address of the source node, a destination address of the protected destination node and the user identifier that identifies the user;
reading the user identifier from the data packet;
authenticating the data packet by looking up an authentication key for the data packet using the user identifier, and using the authentication key to authenticate the data packet;
using the user identifier to determine communication privileges associated with the user;
replacing the source address in the data packet with a privileged address from a set of privileged addresses recognized by the firewall if the communication privileges allow the user to communicate with the protected destination node;
wherein the firewall is configured to allow only data packets from the set of privileged addresses to pass through the firewall;
forwarding the data packet to the protected destination node through the firewall;
whereby the privileged address in the source field of the data packet allows the data packet to pass through the firewall;
receiving a reply packet from the protected destination node directed to the privileged address through the firewall;
replacing the privileged address in the reply packet with the source address so that the reply packet is directed to the source node; and
forwarding the reply packet to the source node.
Dependent claims: 13.
14. An apparatus that translates addresses for a data packet based upon a user identifier in the data packet in order to forward the data packet through a firewall, comprising:
a packet receiving mechanism, for receiving the data packet sent by a user from a source node outside the firewall to a protected destination node within the firewall, the data packet including a source address of the source node, a destination address of the protected destination node and the user identifier that identifies the user;
a packet storage unit, coupled to the packet receiving mechanism, for storing the data packet;
a communication privilege determination mechanism, in communication with the packet storage unit, that is configured to determine communication privileges associated with the user based upon the user identifier;
a replacement mechanism, in communication with the packet storage unit, that replaces the source address in the data packet with a privileged address from a set of privileged addresses recognized by the firewall if the communication privileges allow the user to communicate with the protected destination node;
wherein the firewall is configured to allow only data packets from the set of privileged addresses to pass through the firewall; and
a packet forwarding unit, coupled to the packet storage unit, that forwards the data packet to the protected destination node through the firewall;
whereby the privileged address in the source field of the data packet allows the data packet to pass through the firewall.
Dependent claims: 15 to 24.
25. A program storage device storing instructions that when executed by a computer perform a method for translating addresses for a data packet based upon a user identifier in the data packet in order to forward the data packet through a firewall, the method comprising:
receiving the data packet sent by a user from a source node outside the firewall to a protected destination node within the firewall, the data packet including a source address of the source node, a destination address of the protected destination node and the user identifier that identifies the user;
reading the user identifier from the data packet;
using the user identifier to determine communication privileges associated with the user;
replacing the source address in the data packet with a privileged address from a set of privileged addresses recognized by the firewall if the communication privileges allow the user to communicate with the protected destination node;
wherein the firewall is configured to allow only data packets from the set of privileged addresses to pass through the firewall; and
forwarding the data packet to the protected destination node through the firewall;
whereby the privileged address in the source field of the data packet allows the data packet to pass through the firewall.
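A small simulation of the address translation unit described in the abstract and in claims 1 and 12 (privilege lookup, per-user authentication key, source-address rewrite, firewall check on the privileged address, and reverse translation of the reply). This is an added illustration, not code from the patent; the privilege table, authentication keys, privileged address pool, the HMAC authenticator format and all addresses are constructed sample values.

```python
import hashlib, hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample tables; the patent does not specify their contents.
PRIVILEGES = {"alice": {"10.0.0.5"}, "bob": set()}        # user -> protected nodes the user may reach
AUTH_KEYS = {"alice": b"alice-key", "bob": b"bob-key"}    # per-user authentication keys (claim 12)
PRIVILEGED_POOL = {"192.0.2.10", "192.0.2.11"}            # the only source addresses the firewall passes


@dataclass
class Packet:
    src: str
    dst: str
    user: Optional[str] = None   # user identifier carried in the packet
    payload: bytes = b""
    mac: bytes = b""             # authenticator computed over the addressed packet


def sign(pkt: Packet, key: bytes) -> bytes:
    """HMAC over source, destination, user identifier and payload (assumed authenticator format)."""
    msg = f"{pkt.src}|{pkt.dst}|{pkt.user}|".encode() + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class TranslationUnit:
    def __init__(self, privileged_address: str) -> None:
        self.addr = privileged_address       # this unit's privileged address, also its return address
        self.sessions: Dict[str, str] = {}   # protected node -> outside source (a real flow table would also key on ports)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Authenticate, check privileges, then rewrite the source address; None means drop."""
        key = AUTH_KEYS.get(pkt.user)
        if key is None or not hmac.compare_digest(sign(pkt, key), pkt.mac):
            return None                      # unknown user or authenticator mismatch
        if pkt.dst not in PRIVILEGES.get(pkt.user, ()):
            return None                      # privileges do not cover this destination
        self.sessions[pkt.dst] = pkt.src
        return Packet(self.addr, pkt.dst, pkt.user, pkt.payload, pkt.mac)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation: a reply sent to the privileged address goes back to the source node."""
        if pkt.dst != self.addr or pkt.src not in self.sessions:
            return None
        return Packet(pkt.src, self.sessions[pkt.src], payload=pkt.payload)


def firewall_allows(pkt: Packet) -> bool:
    """The firewall passes only packets whose source field holds a privileged address."""
    return pkt.src in PRIVILEGED_POOL
```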