In many operational environments, it is desirable to isolate network traffic conveyed on one communication network from network traffic conveyed on another communication network. For example, network traffic conveyed on a first communication network may need to be isolated from network traffic conveyed on a second communication network because the first communication network is private, and the second communication network is public. In another example, network traffic may need to be isolated between two communication networks that are both private. In another example, network traffic conveyed on one communication network may need to be isolated from network traffic conveyed on another communication network because the address space used to identify devices located within the first communication network may overlap with the address space used to identify devices located within the second communication network. For instance, the network addresses (e.g. Internet Protocol (IP) addresses) assigned to the devices located within a given communication network may be guaranteed to be unique only within that communication network, so that a single network address may be assigned both to a first device located in the first communication network and to a second device located in the second communication network.
Technologies for isolating a communication network have included firewall network security systems (“firewalls”) that monitor and control incoming and outgoing network traffic for an isolated communication network, according to packet filtering rules associated with the isolated communication network. Such packet filtering rules may indicate which packets are allowed into the isolated communication network through the firewall, as well as which packets are allowed out of the isolated communication network through the firewall, based on information within the headers of individual packets. Packet header information used by a firewall to perform packet filtering may include the source and/or destination network address (e.g. IP address), communication protocol, and/or source and/or destination port number indicated in the packet header. Firewalls may also include network address translation (NAT) functionality, which allows devices located on an isolated communication network that is protected by the firewall to be assigned network addresses that are guaranteed to be unique only within the isolated communication network.
In certain circumstances, devices that are located within different isolated communication networks must operate together as if they are located within a single communication network. Such circumstances may arise, for example, when a communication protocol that was originally designed for use within a single communication network must be used for communications between devices that are located in multiple isolated communication networks. One example of a protocol that was originally designed for use within a single communication network is described in the Digital Imaging and Communications in Medicine (DICOM) standard. DICOM is a standard for communication and management of medical imaging and related data. DICOM enables interoperability between different types of medical imaging equipment by specifying a set of protocols that are to be followed by devices such as scanners, servers, workstations, printers, and/or picture archiving and communication systems (PACS). When the DICOM standard was first developed, devices that communicated using DICOM were typically located within a single communication network. For example, devices using the DICOM protocol to communicate with each other were likely to all be located within a single facility, such as a hospital. Accordingly, the DICOM standard assumes that communicating devices are located within a single communication network. In DICOM, an Application Entity is a system or program running on a system which is the end-point of DICOM communications. According to the DICOM standard, each DICOM Application Entity is identified by a locally unique Application Entity Title. Over time, the operational contexts in which DICOM conformant devices are used have become increasingly distributed, both in terms of geographic scope and organizational diversity. 
The devices that are used to obtain, store and view medical images, and that need to exchange medical images with each other using the communication protocols defined in the DICOM standard, are now often located in multiple geographically distinct facilities (e.g. separate hospitals and/or clinics), each of which i) has its own isolated (e.g. private) communication network, and ii) operates independently under the control of its own system administration team.
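The two conditions described above, address spaces that overlap between isolated networks and Application Entity Titles that are unique only locally, can be detected by comparing the device inventories of the facilities involved. The following Python is an added example, not part of the original text; the site names, subnets, addresses and AE Titles are constructed sample values, and the inventory layout is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed inventories for two independently administered sites.
# Each device is (AE Title, IP address); every value here is made up.
SITES = {
    "hospital_a": {
        "subnets": ["10.0.0.0/16", "192.168.10.0/24"],
        "devices": [("CT_SCANNER", "10.0.5.20"), ("PACS_MAIN", "10.0.1.10")],
    },
    "clinic_b": {
        "subnets": ["10.0.4.0/22", "172.16.0.0/24"],
        "devices": [("PACS_MAIN", "10.0.5.20"), ("WORKSTN1", "172.16.0.8")],
    },
}

def overlapping_subnets(sites):
    """Return (site1, net1, site2, net2) for every cross-site prefix overlap."""
    found = []
    names = sorted(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in sites[a]["subnets"]:
                for net_b in sites[b]["subnets"]:
                    if ipaddress.ip_network(net_a).overlaps(
                            ipaddress.ip_network(net_b)):
                        found.append((a, net_a, b, net_b))
    return found

def shared_identifiers(sites, field):
    """Return values used at more than one site.

    field 0 selects the AE Title, field 1 the IP address.
    """
    seen = defaultdict(set)
    for site, inventory in sites.items():
        for device in inventory["devices"]:
            seen[device[field]].add(site)
    return {value: sorted(s) for value, s in seen.items() if len(s) > 1}

if __name__ == "__main__":
    for hit in overlapping_subnets(SITES):
        print("overlapping prefixes:", hit)
    print("AE Titles reused across sites:", shared_identifiers(SITES, 0))
    print("IP addresses reused across sites:", shared_identifiers(SITES, 1))
```

In the sample data, the address 10.0.5.20 and the title PACS_MAIN each identify a different device at each site, so neither value alone identifies a single endpoint once both networks are considered together.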