FIG. 1 (prior art) is a diagram of an internetwork 1 including two local area networks (LANs) 2 and 3 connected by the Internet 4. A client 5 on LAN 2 wishes to retrieve a webpage 6 from a web server 7 on LAN 3. The client 5 makes a request for the webpage 6 through a filtering firewall 8.
FIG. 2 (prior art) is a diagram showing the Ethernet/IP/TCP protocol messages used to set up the connection between client 5 and web server 7 and to send the webpage 6. Firewall 8 provides a level of security for messages entering LAN 2 by filtering out certain of those messages based upon the content of Ethernet frames. Firewall 8 is generally unable, however, to analyze application level data as a unit, such as executable files received in multiple messages and Ethernet frames.
FIG. 3 (prior art) is a diagram of an internetwork 20, also including LANs 2 and 3 and Internet 4. In order to analyze application level data passing into LAN 2, a classic proxy 21 is used to send messages from client 5 through a gateway 22 and out of LAN 2. Client 5 makes a request for the webpage 6 to the classic proxy 21 instead of directly to the web server 7. Classic proxy 21, in turn, makes a new request for webpage 6 to web server 7 on behalf of client 5. Web server 7 returns webpage 6 to classic proxy 21. Classic proxy 21 forwards the webpage 6 to client 5. Because the complete application level data in the form of webpage 6 is received onto classic proxy 21, application level anti-virus software 23 executing on the classic proxy 21 can analyze application level data, such as a complete executable file, and not forward the data to client 5 if a virus is detected.
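The difference between inspecting each frame in isolation (firewall 8) and analyzing the complete application level data (classic proxy 21) can be shown with a short Python model. This is an added example, not part of the original document; the signature bytes, sample payload, segment sizes and all function names are constructed assumptions, frames are assumed to arrive in order, and the streaming variant goes beyond the text to show a scan that does not buffer the whole object.

```python
# Added illustration; every name and value here is constructed, not from the source.
SIGNATURE = b"TEST-SIGNATURE-1234"           # benign stand-in for an anti-virus pattern
SAMPLE = b"A" * 30 + SIGNATURE + b"B" * 30   # constructed "file" carrying the pattern


def segment(payload: bytes, mss: int) -> list[bytes]:
    """Split application data into per-frame payloads of at most mss bytes."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_frame_filter(frames: list[bytes], signature: bytes) -> bool:
    """Filtering-firewall model: each frame payload is inspected in isolation."""
    return any(signature in frame for frame in frames)


def proxy_scan(frames: list[bytes], signature: bytes) -> bool:
    """Classic-proxy model: buffer the whole object, then scan it as a unit."""
    return signature in b"".join(frames)


def streaming_scan(frames: list[bytes], signature: bytes) -> bool:
    """Carry the last len(signature)-1 bytes across frames to catch straddling matches."""
    keep = len(signature) - 1
    tail = b""
    for frame in frames:
        window = tail + frame
        if signature in window:
            return True
        tail = window[-keep:] if keep else b""
    return False


def compare(payload: bytes, mss: int) -> dict[str, bool]:
    """Run all three models over the same in-order frames."""
    frames = segment(payload, mss)
    return {
        "per_frame": per_frame_filter(frames, SIGNATURE),
        "proxy": proxy_scan(frames, SIGNATURE),
        "streaming": streaming_scan(frames, SIGNATURE),
    }


if __name__ == "__main__":
    for mss in (1460, 16):
        print(mss, compare(SAMPLE, mss))
```

With a 1460-byte segment size the pattern fits in one frame and all three models agree; with 16-byte segments the pattern straddles frame boundaries and only the models that see the data as a unit detect it.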
FIG. 4 (prior art) is a diagram showing the Ethernet/IP/TCP protocol messages used to retrieve the webpage 6 through classic proxy 21. FIG. 4 illustrates how a first TCP connection is established between client 5 and classic proxy 21. A second TCP connection is established between classic proxy 21 and web server 7. Inserting classic proxy 21 into LAN 2 involves reconfiguring client 5, and all other clients of LAN 2, to send their requests, for example, for webpage 6, to classic proxy 21. Moreover, messages from different clients appear all to come from the source IP address of classic proxy 21, as opposed to the individual source IP address of the relevant client. Reconfiguring each client requires a degree of networking skill and effort that makes this solution undesirable.
FIG. 5 (prior art) is a diagram of an internetwork 30, also including LANs 2 and 3 and Internet 4. A transparent proxy 31 is used instead of classic proxy 21. FIG. 6 (prior art) shows the Ethernet/IP/TCP protocol messages between client 5 and gateway 22. Less reconfiguration is involved when employing transparent proxy 31 than for classic proxy 21 because client 5 receives messages containing the source IP address of the gateway 22, instead of the source IP address of the transparent proxy 31. Client 5 can, therefore, return response messages to the gateway 22 without being reconfigured to send them through the transparent proxy 31.
Unfortunately, “transparent” proxy 31 is not transparent with respect to 48-bit Ethernet hardware addresses, also called MAC addresses. Consider the example where transparent proxy 31 is inserted into LAN 2 between client 5 and gateway 22. Client 5 requests webpage 6 from web server 7. Before the webpage 6 can be communicated, a first TCP connection must be established between web server 7 and transparent proxy 31, and a second TCP connection must be established between transparent proxy 31 and client 5. When Ethernet frames are received onto client 5 across the second TCP connection, they contain the source MAC address of the transparent proxy 31 and not the source MAC address of the gateway 22. Note in FIG. 6 (prior art) that messages 32 through 36 from the transparent proxy 31 to client 5 have source MAC addresses of the transparent proxy 31 (SMAC=NOPQ). This hinders client 5 from gathering the MAC addresses of other devices on LAN 2.
Moreover, the messages that gateway 22 receives from transparent proxy 31 include the source MAC address, as well as the source IP address, of the transparent proxy 31. Therefore, “transparent” proxy 31 is not transparent to web server 7. Web server 7 sees only the transparent proxy 31 and does not distinguish among messages from individual clients. Note in FIG. 6 that messages 37 through 41 have the source MAC address (JKLM) and the source IP address (10.0.0.3) of the transparent proxy 31. Thus, because the original sender of messages coming from transparent proxy 31 cannot be determined from the source IP and MAC addresses, customizing services towards individual clients is more difficult. Moreover, client 5, and the other clients on LAN 2, must still be reconfigured to some extent to send requests to the MAC address of the transparent proxy 31. Expertise and effort are therefore required to operate and maintain a LAN where clients communicate through a proxy, even where the proxy is a so-called “transparent” proxy. This is undesirable.