The present application relates generally to computer networks and, more particularly, to methods, systems and computer program products for controlling network access.
Private networks, such as networks used by businesses and other entities, are typically connected to public networks, such as the Internet, as such private networks may include servers that provide various retail or other e-commerce services to Internet users. Such internet-connected networks are often subject to attack from unauthorized users. Such attacks may compromise confidential information or consume server resources.
A variety of techniques have been devised for protecting such devices. For example, a device protecting a network may maintain a “whitelist” of internet addresses that are allowed to access the server. However, such whitelists may need to be updated (often manually) as users move from one location to another. Other techniques for protection include “port knocking,” in which a coded sequence of TCP (transmission control protocol) SYN (synchronize) requests to specific ports to authenticate a user, and “single packet authorization” (SPA), in which a specially coded packet authenticates a user and data.
Some access control techniques involve the use of firewalls. Typical firewall devices inspect and filter traffic before making a decision on what to do with a packet. They commonly have two interfaces, an internal interface and an external interface. The external interface may communicate with a router connected to the Internet, while the internal interface may communicate with a local router or private network. Packets received at the external interface are generally passed or rejected according to criteria associated with the firewall. For authorized packets, the firewall typically performs network address translation (NAT) and routes the modified authorized packets towards their destinations. A “transparent” firewall foregoes such routing operations by filtering at the data link layer instead of the network layer, acting like a network bridge rather than a router. Transparent firewalls are also referred to as in-line, shadow, stealth or bridging firewalls.