In conventional network environments, firewalls have played an increasingly important role in protecting resources residing on a private network while still allowing communication with, and access to, systems located on an unprotected network such as the Internet. The firewall acts as a gatekeeper: it is configured to prevent attacks on the private network originating from the unprotected network by providing a single, controlled point of connection that exposes only a limited set of services.
In this regard, the firewall secures a private network by allowing the network administrator to define and enforce a particular security policy. Some conventional firewalls implement access rules that are keyed on the pairing of source IP address and destination IP address. While this approach is effective in a static network environment, it is not effective in environments that use conventional dynamic addressing, such as a Dynamic Host Configuration Protocol (DHCP) or Wi-Fi network. In a typical dynamic IP environment a host's address can change from one lease to the next, so on the LAN side the firewall has no reliable information about which user is behind a given address and, as such, no user-specific rules or decisions can be implemented.
Network Address Translation (NAT) firewalls were developed to map port numbers so that multiple machines can share a single public IP address; NAT is also used to map between private and public IP addresses. Conventional NAT does not, however, allow a pool of public IP addresses to be reserved such that a single user, or a group of users, is always translated to a specific public IP address and can thereby identify themselves uniquely to an external server.
Furthermore, a conventional firewall is not able to identify a user. Even those firewalls that do authenticate the user are limited in that they cannot apply user-specific rules when performing NAT. In these systems the user's identity is not part of the rule-matching criteria considered by the firewall.
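As an added illustration (not part of this specification and not the applicant's system), the following Python models the two behaviours described above. A conventional rule table keyed only on source and destination addresses is evaluated before and after a DHCP lease rotation, showing that its rules silently transfer to whichever host next receives the address, while a rule table that also keys on the authenticated user keeps following the user. A hypothetical `UserNatPool` reserves a public address per user or group, which the text states conventional NAT cannot do. All host names, addresses, rules and the session table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class IpRule:
    """Conventional rule: matched on source and destination address only."""
    src_net: str
    dst_net: str
    action: str          # "allow" or "deny"


def match_ip_rules(rules, pkt):
    """First-match evaluation with default deny, as a conventional firewall does."""
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    for r in rules:
        if src in ipaddress.ip_network(r.src_net) and dst in ipaddress.ip_network(r.dst_net):
            return r.action
    return "deny"


@dataclass(frozen=True)
class UserRule:
    """Hypothetical rule schema whose match criteria include the authenticated user."""
    user: Optional[str]  # None matches any authenticated user
    dst_net: str
    action: str


def match_user_rules(rules, sessions, pkt):
    """sessions maps a current source IP to the user authenticated from it
    (populated by whatever authentication step the firewall performs).
    A packet from an address with no session is unauthenticated and denied."""
    user = sessions.get(pkt.src_ip)
    if user is None:
        return "deny"
    dst = ipaddress.ip_address(pkt.dst_ip)
    for r in rules:
        if (r.user is None or r.user == user) and dst in ipaddress.ip_network(r.dst_net):
            return r.action
    return "deny"


class UserNatPool:
    """Hypothetical: reserve one public address per user or group from a pool,
    falling back to the shared port-translated address when the pool is exhausted."""

    def __init__(self, shared_ip, pool, group_of):
        self.shared_ip = shared_ip
        self.free = list(pool)
        self.group_of = group_of     # user -> group name; users without a group get their own address
        self.assigned = {}           # reservation key -> public IP

    def public_ip_for(self, user):
        key = self.group_of.get(user, user)
        if key not in self.assigned:
            if not self.free:
                return self.shared_ip
            self.assigned[key] = self.free.pop(0)
        return self.assigned[key]


def dhcp_lease_scenario():
    """Constructed scenario: alice's rule was written while she held 10.0.0.5;
    after the leases rotate, bob holds 10.0.0.5 and alice re-authenticates from 10.0.0.9."""
    server = "192.0.2.10"
    ip_rules = [IpRule("10.0.0.5/32", "192.0.2.10/32", "allow")]
    user_rules = [UserRule("alice", "192.0.2.10/32", "allow")]

    day1 = {"10.0.0.5": "alice"}
    day2 = {"10.0.0.5": "bob", "10.0.0.9": "alice"}
    return {
        "day1_alice_ip":   match_ip_rules(ip_rules, Packet("10.0.0.5", server)),
        "day1_alice_user": match_user_rules(user_rules, day1, Packet("10.0.0.5", server)),
        "day2_bob_ip":     match_ip_rules(ip_rules, Packet("10.0.0.5", server)),    # stale rule now admits bob
        "day2_bob_user":   match_user_rules(user_rules, day2, Packet("10.0.0.5", server)),
        "day2_alice_ip":   match_ip_rules(ip_rules, Packet("10.0.0.9", server)),    # alice locked out
        "day2_alice_user": match_user_rules(user_rules, day2, Packet("10.0.0.9", server)),
    }


def nat_pool_scenario():
    """Constructed pool: two reserved addresses, one shared address, alice and carol in one group."""
    pool = UserNatPool("203.0.113.1", ["203.0.113.10", "203.0.113.11"],
                       {"alice": "finance", "carol": "finance"})
    return {u: pool.public_ip_for(u) for u in ("alice", "carol", "bob", "dave")}


if __name__ == "__main__":
    for k, v in dhcp_lease_scenario().items():
        print(f"{k:16} {v}")
    print(nat_pool_scenario())
```

The IP-keyed table gives the wrong answer for both users after the lease change, in opposite directions; the user-keyed table is unaffected because the session table, not the rule, absorbs the address change. Note that the user-keyed matcher still depends on the session table being kept current (for example, on logout or lease expiry), which is exactly the state a conventional firewall does not hold.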
Accordingly, there is a need in the art for a method and system providing a more robust network security system capable of considering a user's identity as part of the firewall rule-matching criteria.