One of the most widely used networks for interconnecting distributed computer systems is the Internet. The Internet allows users of computer systems to exchange data throughout the world. In addition, many private networks in the form of corporate or commercial networks are connected to the Internet. These private networks are typically referred to as an “intranet.” To facilitate data exchange, the intranet generally uses the same communications protocols as the Internet. These Internet protocols (IP) dictate how data is formatted and communicated. In addition, access to corporate networks or intranets can be controlled by network gateways, which can include a multi-layer SSL firewall system. The multi-layer SSL firewall system uses a networking architecture in which each flow (an associated stream of packets) is inspected both to and from the corporate network. Multi-layer SSL firewall systems are often referred to as virtual private network (VPN) gateways, such as those sold by Array Networks of Milpitas, Calif.
As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks. First came the intranet, a password-protected site designed for use only by company employees. Now, many companies are creating their own virtual private network (VPN) to accommodate the needs of remote employees and distant offices. A VPN is generally a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses “virtual” connections routed through the Internet from the company's private network to the remote site or employee.
The Internet has grown larger than anyone ever imagined, and with that explosion, together with the increase in home networks and business networks, the number of available IP addresses is simply not enough. The obvious solution is to redesign the address format to allow for more possible addresses. This is being developed (as IPv6), but will take several years to implement because it requires modification of the entire infrastructure of the Internet. In the meantime, the problem has been addressed with Network Address Translation (NAT), which allows a single device, such as a router, to act as an agent between the Internet (or “public network”) and a local (or “private”) network. Network Address Translation allows a single, unique IP address to represent an entire group of computers.
In a typical configuration, a local network uses one of the designated “private” IP address subnets (such as 192.168.x.x, 10.x.x.x or 172.16.x.x-172.31.x.x), and a router on that network has a private address (such as 192.168.0.1) in that address space. The router is also connected to the Internet with either a single “public” address (known as “overloaded” NAT) or multiple “public” addresses assigned by an ISP. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from the private address to the public address(es). The router tracks basic data about each active connection (particularly the destination address and port). When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine where on the internal network to forward the reply. In addition, on packet return, the TCP or UDP client port numbers can be used to demultiplex the packets in the case of an overloaded NAT, or the IP address and port number together when multiple public addresses are available. To a system on the Internet, the router itself appears to be the source/destination for this traffic.
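The connection tracking described above can be modelled in a few dozen lines. The following is an added example, not code from the original text or from any vendor's product: it implements an overloaded NAT in Python, allocating one public port per outbound flow and using that port to demultiplex replies. The LAN subnet (192.168.0.0/24), the public address (203.0.113.10), the remote server address and the port range are constructed for illustration.

```python
"""Toy model of an "overloaded" NAT with connection tracking.

Added example, not from the original text: the LAN subnet, the public
address and the port range are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")      # assumed private subnet behind the router
PUBLIC_IP = "203.0.113.10"              # assumed ISP-assigned public address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class OverloadedNat:
    """Rewrite outbound sources to one public address and demultiplex
    replies by the translated (public) port."""

    def __init__(self, public_ip=PUBLIC_IP, lan=LAN, first_port=40000):
        self.public_ip = public_ip
        self.lan = lan
        self.next_port = first_port
        # outbound: (proto, priv ip, priv port, dst ip, dst port) -> public port
        self.outbound = {}
        # inbound:  (proto, public port, remote ip, remote port) -> (priv ip, priv port)
        self.inbound = {}

    def translate_outbound(self, pkt):
        """Packet leaving the LAN: allocate (or reuse) a public port and record the flow."""
        if ip_address(pkt.src_ip) not in self.lan:
            return pkt  # not from our private subnet; pass through untouched
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt):
        """Reply arriving at the public address: find the flow it belongs to.
        Returns None when nothing matches, i.e. unsolicited inbound traffic is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        match = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if match is None:
            return None
        priv_ip, priv_port = match
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


def demo():
    """Two LAN hosts open connections from the same client port to the same server.
    Return the translated packets, the de-NATed replies, and the result for an
    unsolicited inbound packet."""
    nat = OverloadedNat()
    server = "198.51.100.5"                       # constructed remote address
    out_a = nat.translate_outbound(Packet("192.168.0.10", 51000, server, 443))
    out_b = nat.translate_outbound(Packet("192.168.0.11", 51000, server, 443))
    again = nat.translate_outbound(Packet("192.168.0.10", 51000, server, 443))
    reply_a = nat.translate_inbound(Packet(server, 443, out_a.src_ip, out_a.src_port))
    reply_b = nat.translate_inbound(Packet(server, 443, out_b.src_ip, out_b.src_port))
    stray = nat.translate_inbound(Packet("198.51.100.9", 443, PUBLIC_IP, 40500))
    return {"out_a": out_a, "out_b": out_b, "again": again,
            "reply_a": reply_a, "reply_b": reply_b, "stray": stray}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8} {pkt}")
```

Two things the model makes visible: both hosts use client port 51000, and only the router's per-flow public port keeps their replies apart; and a packet that matches no tracked flow is simply not forwarded, which is the stateful property that makes an overloaded NAT block unsolicited inbound traffic by default.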
Only a few IP address spaces are designated for private addresses: 10.x.x.x, 192.168.x.x and 172.16.x.x-172.31.x.x. Because of this, it is very common to find the same or similar private networks inside every company. Traditionally, VPN gateways are only equipped to handle private networks which are unique. This means one will not be able to connect to multiple networks of an enterprise which have the same IP address(es) using one SSL VPN gateway.
Another trend is to have multiple virtual VPN gateways within one physical VPN gateway. The one physical VPN gateway device can include multiple logical devices, and each logical VPN gateway can be connected to an independent private network. However, this scenario poses privacy problems on top of the duplicate or overlapped IP address problem discussed in the previous section. Since these private networks may belong to different enterprises altogether (e.g., in the case of a service provider providing services to many enterprises using one physical SSL VPN gateway and multiple logical VPN gateways within it), it is essential that the traffic from one logical unit not be seen by the other logical units and vice versa.
One approach to virtual routing has been to run multiple virtual machines on shared hardware. However, this approach has several limitations, including that it is not scalable, since it is very memory- and CPU-hungry. Typically, as more virtual machines are added, resources run out quickly, and it is often difficult to have a centralized control that can enforce the virtualization policy across the virtual machines. Running multiple instances of the network protocol stack has been considered by some to be a better option; however, memory scalability is still an issue, and this approach requires very involved changes in the operating system (OS) core.
Thus, it can be appreciated that a system and method of converting an overlapping IP address into a non-overlapping or unique IP address without affecting Internet protocols within a VPN device, as described herein, can provide significant advantages over other virtualization solutions. Accordingly, it would be desirable to convert the overlapping IP address space of the private networks to a non-overlapping, unique IP address space. This non-overlapping (unique) IP address space is then used within the VPN gateway (i.e., the Array SSL VPN gateway). After the SSL VPN device completes its processing, the unique IP address(es) are converted back to the original overlapped IP address(es). This solves the problem of multiple private networks with overlapped IP addresses being connected to one physical device. In addition, it would be desirable to maintain a map of the relations between the overlapped IP address, the logical SSL VPN device, the non-overlapped (unique) IP address and the VLAN tag, for privacy within the VPN network.
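The map between overlapped address, logical gateway, unique address and VLAN tag described above, and the overlap problem from the earlier paragraph on private address spaces, can be illustrated together. The following is an added example in Python, not the gateway's own code or the patent's method in detail: two tenants both use 10.0.0.5, the gateway assigns each (logical gateway, overlapped address) pair an address from a separate pool on ingress, and on egress recovers the tenant, the original address and the VLAN tag that keeps the tenants' traffic apart. The tenant names, the 10.0.0.0/24 overlap, the 100.64.0.0/10 pool and the VLAN IDs are assumptions.

```python
"""Toy model of the map described above: (logical VPN gateway, overlapped
private address) <-> (unique internal address, VLAN tag).

Added example, not the gateway's own code. The tenant names, the shared
10.0.0.0/24 overlap, the 100.64.0.0/10 pool and the VLAN IDs are assumptions.
"""
from ipaddress import ip_address, ip_network

# Assumed pool for internal "unique" addresses. 100.64.0.0/10 is chosen because
# it cannot collide with the three private ranges tenants actually use.
UNIQUE_POOL = ip_network("100.64.0.0/10")


class OverlapTranslator:
    def __init__(self, pool=UNIQUE_POOL):
        self._free = pool.hosts()     # generator of not-yet-used unique addresses
        self._vlan_of = {}            # logical gateway -> VLAN tag
        self._forward = {}            # (gateway, overlapped ip) -> unique ip
        self._reverse = {}            # unique ip -> (gateway, overlapped ip, vlan)

    def register_gateway(self, gateway, vlan):
        """Bind a logical gateway to its VLAN tag; a tag is never shared between tenants."""
        if vlan in self._vlan_of.values():
            raise ValueError(f"VLAN {vlan} already assigned")
        self._vlan_of[gateway] = vlan

    def to_unique(self, gateway, overlapped_ip):
        """Ingress: address as seen in the tenant network -> unique internal address.
        The same (gateway, address) pair always yields the same unique address."""
        if gateway not in self._vlan_of:
            raise KeyError(f"unknown logical gateway {gateway!r}")
        key = (gateway, str(ip_address(overlapped_ip)))
        if key not in self._forward:
            unique = str(next(self._free))
            self._forward[key] = unique
            self._reverse[unique] = (gateway, key[1], self._vlan_of[gateway])
        return self._forward[key]

    def to_overlapped(self, unique_ip):
        """Egress: unique internal address -> (gateway, original address, VLAN tag).
        The VLAN tag tells the egress path which tenant network may carry the packet."""
        return self._reverse[str(ip_address(unique_ip))]


def demo():
    t = OverlapTranslator()
    t.register_gateway("tenant-a", vlan=101)
    t.register_gateway("tenant-b", vlan=102)
    # Both tenants use 10.0.0.5 for a host; inside the gateway they must differ.
    a = t.to_unique("tenant-a", "10.0.0.5")
    b = t.to_unique("tenant-b", "10.0.0.5")
    a_again = t.to_unique("tenant-a", "10.0.0.5")
    return {"a": a, "b": b, "a_again": a_again,
            "a_back": t.to_overlapped(a), "b_back": t.to_overlapped(b)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the reverse map is keyed only by the unique address, a single protocol stack can route on it without knowing which tenant it belongs to; the tenant and VLAN tag are recovered only at egress, so a packet can never be emitted onto the wrong tenant's network by address collision alone.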
It can be appreciated that the conversion of the overlapping IP address space of the private networks to a non-overlapping, unique IP address space provides several advantages over the previous approaches: only one network protocol stack runs on the operating system, the changes required in the network subsystem are minimal, there is centralized control of virtualization policies, and most third-party libraries can be used in the virtualized model without changes. In addition, the approach is very scalable in terms of memory and CPU usage as the number of virtual systems supported increases.