1. Field of the Invention
The present invention relates to the field of data communication. More specifically, the present invention relates to a method and apparatus for translating packet addresses based upon a user identifier in the data packet.
2. Related Art
In recent years organizations have come to rely heavily on the ability to communicate data electronically between members of the organization. Such communications typically include electronic mail and file sharing or file transfer. In a centralized, single site organization, these communications are most commonly facilitated by a local area network (LAN) installed and operated by the enterprise.
Preventing unauthorized access to data traversing an enterprise's LAN is relatively straightforward. As long as intelligent network management is maintained, unauthorized accesses to data traversing an enterprise's internal LAN can be prevented. It is when the enterprise spans multiple sites that security threats from the outside become a considerable problem.
For distributed enterprises that want to communicate data electronically several options exist today; but each has associated disadvantages. The first option is to interconnect the offices or various sites with dedicated, or private, communication connections, often referred to as leased lines. This is the traditional method that organizations use to implement a wide area network (WAN). The disadvantages of implementing an enterprise-owned and controlled WAN are obvious: they are expensive, cumbersome and frequently underutilized if they are configured to handle the peak capacity requirements of the enterprise. The obvious advantage is that the lines are dedicated for use by the enterprise and are therefore reasonably secure from eavesdropping or tampering by intermediate third parties.
An alternative to dedicated communication lines is for an enterprise to handle inter-site data distributions over the emerging public network space. In recent years, the Internet has evolved from being primarily a tool for scientists and academics into an efficient mechanism for global communications. The Internet provides electronic communications paths between millions of computers by interconnecting the various networks upon which those computers reside. It has become commonplace, even routine, for enterprises, even those in non-technical fields, to provide Internet access to at least some portion of the computers within the enterprises. For many businesses this facilitates communications with customers and potential business partners as well as to geographically distributed members of the organization.
Distributed enterprises have found that the Internet is a convenient mechanism for providing electronic communications between members of the enterprise. For example, two remote sites within an enterprise may each connect to the Internet through a local Internet Service Provider (ISP). This enables the various members of the enterprise to communicate with other sites on the Internet, including those within their own organization. A large disadvantage of using the Internet for intra-enterprise communications is that the Internet is a public network. The route by which data communication travel from point to point can vary on a per packet basis, and is essentially indeterminate. Furthermore, the data protocols for transmitting information over the constituent networks of the Internet are widely known, leaving electronic communications susceptible to interception and eavesdropping with packets being replicated at most intermediate hops. An even greater concern is the fact that communications can be modified in transit or even initiated by impostors. With these disconcerting risks, most enterprises are unwilling to subject their proprietary and confidential internal communications to the exposure of the public network space. For many organizations it is common today to not only have Internet access provided at each site, but also to maintain the existing dedicated communications paths for internal enterprise communications, with all of the attendant disadvantages described above.
To remedy this problem, organizations have begun to build "virtual private networks" (VPNs) on top of public networks, such as the Internet, to protect data transmitted over public networks. Virtual private network systems often rely on virtual private network units, which are in the path of all relevant data traffic between an enterprise site and the public network. To ensure secure data communications between members of the same VPN, a VPN unit implements a combination of techniques for data communication between members of the VPN. These techniques can include various combinations of compression, encryption and authentication.
A number of challenges exist in designing and building virtual private network systems. One challenge is to integrate effectively with existing network security mechanisms. Private local area networks (LANs) are often coupled to a public network through some type of gateway or bridge. In order to prevent unauthorized accesses from the public network, these private LANs often implement a "firewall" to filter communications with the public network so that only communications to recognized addresses on the public network are allowed to pass through the firewall.
A firewall can present a problem for a remote client attempting to connect to a VPN from an unknown network addresses. It may be possible to configure the firewall to allow messages from all possible addresses on the network (including the remote client's address) to pass through the firewall. However, allowing such configuration of a firewall creates security risks, because it may allow malicious users to pass a message through the firewall. Furthermore, it may not be possible to configure the firewall in this way, if the firewall already exists or was implemented by a third party.
What is needed is a method for allowing communications from a remote client to pass through a firewall without modifying the firewall.
Another challenge in building a virtual private network is to balance load between virtual private network units (VPN units). For performance reasons it is often advantageous to couple a private network to a public network through multiple VPN units. In this configuration, it is desirable to distribute the communication load across the multiple VPN units.
What is needed is a mechanism that facilitates load balancing across multiple VPN units that couple a private network to a public network.