As consumers, small businesses, and telecommuting employees expand the use of high-speed networking connections (such as DSL service or cable-TV based data service) in their homes and offices, networked computers become inviting targets to network intruders. Typically, those computers are connected to a public network all or most of the time, yet are not maintained by professional administrators. There is therefore a need to provide secure and reliable, yet flexible and usable network security to such consumers.
One system directed to solving this problem is the first-generation Moat, a security gateway developed within AT&T Corporation primarily for providing a secure connection between a home network and a secure remote corporate network. See J. Denker, S. Bellovin, H. Daniel, N. Mintz, T. Killian & M. Plotnik; Moat: A Virtual Private Network Appliance and Services Platform; Proc. LISA '99: 13th Systems Administration Conference, USENIX Assoc. 1999, the contents of which are hereby incorporated by reference in this disclosure.
The term “remote network,” as used herein, denotes a network that is accessed from a given location through a communications link such as the public switched telephone network or the open Internet. Conversely, a network that is “local” to a given location may be reached from that location without using a communications link. For example, a network reachable from a given location using Ethernet or another LAN technology is a local network at that location. The term “network” as used herein shall encompass connecting hardware such as cables, routers, and interfaces, as well as the connected hosts.
The first generation Moat utilizes a secure, IPsec-based VPN (virtual private network) tunnel to transmit data between the home network and the corporate network. The VPN tunnel provides a strong cryptographic, secure, private, and authenticated connection into a remote network, such as a corporate (firewall protected) network. See S. Kent & R. Atkinson, Security Architecture for the Internet Protocol, Request for Comments (Proposed Standard) 2401, Internet Engineering Task Force, November 1999, the contents of which are hereby incorporated by reference in this disclosure. In the case of Moat, the VPN tunnel gives some (or all) machines behind the Moat security gateway IP-level access to the resources on the corporate network, while all traffic between the corporate network and the home machines is encrypted and authenticated so it cannot be snooped or otherwise tampered with. The first generation Moat system, however, provides for only a single network on its protected side. Furthermore, all packets traveling into and out of the protected network traverse the tunnel and the corporate network, adding significant delay to simple Internet requests, and making those Internet requests dependent on the functioning of the corporate network. While this is arguably a simple configuration from a security standpoint, users demand more flexibility and efficiency.
Advanced packet routing capabilities have become available as part of the Linux operating system. Those capabilities allow flexible packet routing and network address and port translation. Source network address translation (SNAT) (or IP masquerading) refers to dynamically replacing the source address and/or port of packets with another IP address and/or port, as part of the routing process. Destination network address translation (DNAT) refers to dynamically replacing the destination address and/or port of packets with another IP address and/or port, also as part of the routing process.
In both cases (SNAT and DNAT), the Linux kernel automatically reverses the translation for reply packets. For example, a rule may be established to translate the source address (SNAT) of a client request bound for host A on the open Internet. Reply packets received from host A will contain a destination address that is the translated source address of the client request. That destination address will automatically be translated to the actual address of the client.
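The SNAT/DNAT behaviour described in the two preceding paragraphs, modelled as an added example that is not code from the Moat system or from the Linux kernel. The real kernel mechanism is netfilter connection tracking; this toy gateway keeps the same per-flow state so that a reply to a translated packet is reversed automatically, that an unsolicited packet from the open Internet is dropped unless a static DNAT rule admits it, and that a DNAT'd server's replies are rewritten back to the public address the remote peer expects. All addresses, ports and the `NatGateway` class are constructed for the illustration.

```python
"""Toy model of Linux-style SNAT/DNAT with automatic reverse translation.

Added illustration only: not the Linux netfilter code and not the Moat
gateway. Addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Minimal NAT router keeping per-flow state, in the spirit of conntrack."""

    def __init__(self, public_ip: str, dnat_rules=None, first_port: int = 40000):
        self.public_ip = public_ip
        # Static DNAT rules: (public_ip, public_port) -> (internal_ip, internal_port)
        self.dnat_rules: Dict[Tuple[str, int], Tuple[str, int]] = dict(dnat_rules or {})
        self.next_port = first_port
        # SNAT flow state: (public_port, remote_ip, remote_port) -> (orig_src, orig_sport)
        self.snat_flows: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # Reverse index so later packets of the same flow reuse one public port
        self.snat_by_orig: Dict[Tuple[str, int, str, int], int] = {}
        # DNAT flow state: (internal_ip, internal_port, remote_ip, remote_port)
        #                  -> (public_ip, public_port)
        self.dnat_flows: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the protected side toward the Internet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # Reply from a DNAT'd server: restore the public address the peer sent to.
        if key in self.dnat_flows:
            pub_ip, pub_port = self.dnat_flows[key]
            return replace(pkt, src=pub_ip, sport=pub_port)
        # Otherwise SNAT (masquerade): rewrite the source to the gateway's public IP.
        if key not in self.snat_by_orig:
            pub_port = self.next_port
            self.next_port += 1
            self.snat_by_orig[key] = pub_port
            self.snat_flows[(pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.snat_by_orig[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet; None means the gateway drops it."""
        if pkt.dst != self.public_ip:
            return None
        # Reply to an SNAT'd flow: the translation is reversed without any rule.
        flow = self.snat_flows.get((pkt.dport, pkt.src, pkt.sport))
        if flow is not None:
            orig_src, orig_sport = flow
            return replace(pkt, dst=orig_src, dport=orig_sport)
        # Unsolicited packet: only a static DNAT rule lets it reach an internal host.
        target = self.dnat_rules.get((pkt.dst, pkt.dport))
        if target is not None:
            int_ip, int_port = target
            self.dnat_flows[(int_ip, int_port, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return replace(pkt, dst=int_ip, dport=int_port)
        # No flow state and no rule: drop, so internal addresses stay unreachable.
        return None


def demo():
    """Walk one SNAT flow, one unsolicited packet and one DNAT flow (constructed)."""
    gw = NatGateway("203.0.113.5", dnat_rules={("203.0.113.5", 80): ("192.168.1.10", 8080)})
    request = gw.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 443))
    reply = gw.inbound(Packet("198.51.100.7", 443, "203.0.113.5", 40000))
    stray = gw.inbound(Packet("198.51.100.9", 12345, "203.0.113.5", 40001))
    web_in = gw.inbound(Packet("198.51.100.9", 33000, "203.0.113.5", 80))
    web_out = gw.outbound(Packet("192.168.1.10", 8080, "198.51.100.9", 33000))
    return request, reply, stray, web_in, web_out


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The two lookups in `inbound` mirror the ordering a practitioner should expect from the kernel: established-flow state is consulted before static rules, and a packet matching neither is not forwarded, which is what keeps unregistered internal hosts invisible from the open Internet except through the ports deliberately exposed by DNAT.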
In addition to Moat, several other security products exist for providing a connection between a home machine and a secure corporate network. For example, Watchguard Corporation of Seattle, Wash. markets a Firebox® line (see http://www.watchguard.com/products/firebox.asp) that provides for a single home network connected to the Internet and to a secure corporate network through a VPN tunnel. Network address translation is used to hide the internal IP addresses from the external network and to allow internal hosts with unregistered IP addresses to function as Internet-reachable servers. No capability is provided for a separate home network.
There is therefore a need for a security gateway for the home or small business that can utilize a VPN IP tunnel to provide a secure connection from a work network of machines used for business purposes to a secure corporate network, while allowing that work network to share resources with a home network in a secure manner. The work network desirably also shares the same Internet connection with the home network without having access to the corporate network and without compromising the security of the corporate network. The work network may furthermore require access to two or more corporate networks without allowing access between the corporate networks. In homes where both spouses occasionally telecommute to different companies, there is a similar need to guarantee that there is no network connectivity between the two corporate networks introduced by a VPN solution. Where individuals or small businesses wish to host their own web sites or to host their email locally, there is furthermore a need to provide a secure and limited connection from the open Internet to a host residing behind the security gateway.