1. Field of the Invention
The present invention relates to the field of data transmission and communication and, in particular, to systems and methods for securely proxying data over computer networks.
2. Description of Related Art
It is almost routine for computers today to be connected to other computers by means of a network. Networks allow computers to communicate with each other and with other network elements and devices. Networking allows computers to share resources such as files and printers, and increases the overall reliability and availability of a computer system. A Local Area Network (“LAN”) may connect computers (“hosts”) located in close physical proximity, such as in a building. On the other hand, a Wide Area Network (“WAN”) connects computer systems that are geographically remote. In some situations, it may be more convenient to group hosts by means of a logical relationship, for example by department, type of user, or primary application. A Virtual LAN (“VLAN”) is a group of PCs, servers, and other network resources that behave as if they were connected to a single network segment. Hosts belonging to a VLAN appear to be on the same LAN, regardless of their actual physical location.
VLANs are useful in organizations in which users move between units, or the organizational structure allows members of a work unit to be located in different physical locations. VLANs let dispersed unit members share common resources, and be part of a single broadcast domain, so that traffic generated by users in a unit stays confined to that unit. If users are highly mobile and move between offices, the network administrator can use VLAN techniques to keep users within a broadcast group no matter where they connect to the network.
A network administrator can define several VLANs and restrict access to each VLAN to prevent users from accessing unauthorized resources. VLANs also provide a security benefit by limiting potential damage from a rogue or compromised host since the compromised host can only reach the remainder of the VLAN; hosts elsewhere on the network are essentially invisible.
There are a number of different methods for implementing VLANs. The simplest method is to define VLAN membership by groups of ports on a switch. For example, ports on a switch may be grouped to form a VLAN and segmented from other ports that do not belong to the VLAN. This concept can be extended to allow the VLAN to span multiple switches, so that a VLAN group is then defined by a switch/port identifier. Division of the ports into individual VLAN groups requires a switch capable of port configuration. Programming individual ports is commonly supported in VLAN-capable chips. This capability allows software to configure the ports on a switch into groups selected by a user or using a pre-defined allocation. Another approach is to define VLAN memberships based on Medium Access Control (“MAC”) addresses. Since MAC addresses are hard coded into a host's network interface card (“NIC”), VLANs based on MAC addresses allow end-stations to be plugged into different physical locations on the network while retaining their VLAN group membership.
In both approaches discussed above, communication between port groups on a single switch requires data from one port group to be sent out of the device to an external router, which then forwards the data to the other port group. In certain environments, the use, configuration, management, and expense of external routers to allow communication between groups are neither feasible nor practical. Thus, small standalone network switches are preferred for these environments. While such switches may provide the capability to create VLAN groups, they offer no support for communication between the groups because packets are never routed from LAN to LAN. Switches generally route data packets from the LAN to the WAN or from the WAN to the LAN. There is no mechanism for routing packets received on a LAN back to a LAN, which is required if the VLAN groups are to communicate. In addition, for security reasons, such devices must also be capable of restricting and controlling the types of packets that may be communicated between port groups. Therefore, there is a need for a system and a method to support communication across VLAN groups in a secure manner, without the use of routers and through the switch device itself.
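The following Python model is an added illustration and is not part of the patent text. It simulates a single switch that uses both membership methods described above (port groups, with a MAC-based override so a mobile host keeps its VLAN wherever it is plugged in) and the forwarding behaviour this section describes: frames are flooded or forwarded only within the sending host's VLAN, and a frame whose destination lies in another group is dropped unless an explicit per-protocol policy entry permits it. The class and function names, port numbers, MAC addresses (locally administered, constructed values) and the policy table are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample MAC addresses (locally administered range, not real devices).
HOST_A = "02:00:00:00:00:0a"   # fixed host on port 1, VLAN 10 by port group
HOST_B = "02:00:00:00:00:0b"   # fixed host on port 2, VLAN 10 by port group
HOST_C = "02:00:00:00:00:0c"   # fixed host on port 3, VLAN 20 by port group
HOST_M = "02:00:00:00:00:0d"   # mobile host whose VLAN follows its MAC address
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str      # protocol label used by the policy, e.g. "ARP" or "IPv4"
    ingress_port: int


class VlanSwitch:
    """Toy single switch with port-based VLAN groups and optional MAC-based membership."""

    def __init__(self, port_vlans: Dict[int, int], mac_vlans: Optional[Dict[str, int]] = None):
        self.port_vlans = dict(port_vlans)        # port -> VLAN id (port-based membership)
        self.mac_vlans = dict(mac_vlans or {})    # MAC -> VLAN id (MAC-based membership)
        self.mac_table: Dict[str, int] = {}       # learned source MAC -> port it was seen on
        # Explicitly permitted cross-group traffic as (src VLAN, dst VLAN, ethertype).
        # Empty by default, which reproduces the "never forwarded LAN to LAN" behaviour.
        self.policy: Set[Tuple[int, int, str]] = set()

    def vlan_of(self, mac: str, port: int) -> int:
        """MAC-based membership wins when configured; otherwise the port group decides."""
        return self.mac_vlans.get(mac, self.port_vlans[port])

    def allow(self, src_vlan: int, dst_vlan: int, ethertype: str) -> None:
        """Permit one protocol type from one VLAN group to another."""
        self.policy.add((src_vlan, dst_vlan, ethertype))

    def _port_in_vlan(self, port: int, vlan: int) -> bool:
        """A port is in a VLAN by its port group, or because a learned MAC member sits on it."""
        if self.port_vlans[port] == vlan:
            return True
        return any(self.mac_vlans.get(m) == vlan for m, p in self.mac_table.items() if p == port)

    def forward(self, frame: Frame) -> Tuple[str, Set[int]]:
        """Return (decision, egress ports) for one frame."""
        self.mac_table[frame.src_mac] = frame.ingress_port   # source-address learning
        src_vlan = self.vlan_of(frame.src_mac, frame.ingress_port)
        dst_port = self.mac_table.get(frame.dst_mac)

        if dst_port is None:
            # Broadcast or unknown destination: flood, but only to this VLAN's ports.
            members = {p for p in self.port_vlans
                       if p != frame.ingress_port and self._port_in_vlan(p, src_vlan)}
            return "flood", members

        dst_vlan = self.vlan_of(frame.dst_mac, dst_port)
        if dst_vlan == src_vlan:
            return "forward", {dst_port}
        if (src_vlan, dst_vlan, frame.ethertype) in self.policy:
            return "forward-cross-vlan", {dst_port}
        return "drop-cross-vlan", set()


def demo() -> Dict[str, Tuple[str, Set[int]]]:
    """Walk through the scenarios described in the text and return each decision."""
    sw = VlanSwitch(port_vlans={1: 10, 2: 10, 3: 20, 4: 20}, mac_vlans={HOST_M: 10})
    out = {}
    out["a_bcast"] = sw.forward(Frame(HOST_A, BROADCAST, "ARP", 1))   # stays in VLAN 10
    out["m_bcast"] = sw.forward(Frame(HOST_M, BROADCAST, "ARP", 4))   # M on a VLAN-20 port, still VLAN 10
    out["a_to_m"] = sw.forward(Frame(HOST_A, HOST_M, "IPv4", 1))      # same VLAN despite M's location
    out["c_bcast"] = sw.forward(Frame(HOST_C, BROADCAST, "ARP", 3))   # stays in VLAN 20
    out["a_to_c_denied"] = sw.forward(Frame(HOST_A, HOST_C, "IPv4", 1))  # cross-group, no policy
    sw.allow(10, 20, "IPv4")
    out["a_to_c_ipv4"] = sw.forward(Frame(HOST_A, HOST_C, "IPv4", 1))  # permitted type
    out["a_to_c_arp"] = sw.forward(Frame(HOST_A, HOST_C, "ARP", 1))    # type not permitted
    return out


if __name__ == "__main__":
    for name, (decision, ports) in demo().items():
        print(f"{name:14s} {decision:18s} egress={sorted(ports)}")
```

The policy set stands in for the kind of per-type restriction the text says such a device must enforce between port groups; with it empty the model behaves like the standalone switch described, where no frame crosses from one group to another. In the MAC-based case membership is decided solely from the frame's source address, so the model, like any MAC-based VLAN, places its trust in that address being genuine.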