NETWORK SECURITY DEVICE WHICH PERFORMS MAC ADDRESS TRANSLATION WITHOUT AFFECTING THE IP ADDRESS
FIELD OF THE INVENTION
The present invention is directed to a network security device that is connected between a protected computer (the client) and a network, and to a method for utilizing the network security device. The network security device negotiates a session key with any other protected client. Then, all communications between the two clients are encrypted. The inventive device is self-configuring and locks itself to the IP (Internet Protocol) address and MAC (Media Access Control) address of its client. The client cannot change its IP or MAC address once set. Thus, the inventive network security device does not allow a client to emulate another client by setting a false IP or MAC address.
BACKGROUND OF THE INVENTION
A. Network Architecture
An internet communications network 100 is depicted in FIG. 1 including five transit or backbone networks A, B, C, D and E and three stub networks R, Y and Z. A "backbone" network is an intermediary network which conveys communicated data from one network to another network. A "stub" network is a terminal or endpoint network from which communicated data may only initially originate or ultimately be received. Each network, such as the stub network R, includes one or more interconnected subnetworks I, J, L and M. As used herein, the term "subnetwork" refers to a collection of one or more nodes, e.g., (d), (a), (b,x,y), (q,v), (r,z), (s,u), (e,f,g), (h,i), (j,k,l), (m,n), and (o,p), interconnected by wires and switches for local internodal communication. Each subnetwork may be a local area network or LAN. Each subnetwork has one or more interconnected nodes which may be host computers ("hosts") u, v, w, x, y, z or routers a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s. A host is an endpoint node from which communicated data may initially originate or ultimately be received. A router is a node which serves solely as an intermediary node between two other nodes; the router receives communicated data from one node and retransmits the data to another node. Collectively, backbone networks, stub networks, subnetworks and nodes are referred to herein as "internet systems".
FIG. 2 shows a block diagram of a host or router node 10. As shown, the node may include a CPU 11, a memory 12 and one or more I/O ports (or network interfaces) 13-1, 13-2, ..., 13-N connected to a bus 14. Illustratively, each I/O port 13-1, 13-2, ..., 13-N is connected by wires, optical fibers, and/or switches to the I/O port of another node. The I/O ports 13-1, 13-2, ..., 13-N are for transmitting communicated data in the form of a bitstream organized into one or more packets to another node and for receiving a packet from another node. If the node 10 is a host computer attached to a subnetwork which is an Ethernet, then the host will have one I/O port which is an Ethernet interface. A host which initially generates a packet for transmission to another node is called the source node and a host which ultimately receives the packet is called a destination node. Communication is achieved by transferring packets via a sequence of nodes including the source node, zero or more intermediary nodes, and the destination node, in a bucket brigade fashion. For example, a packet may be communicated from the node w to the node c, to the node d, to the node b, and to the node x.
An exemplary packet 40 is shown in FIG. 3A having a payload 41 which contains communicated data (i.e., user data) and a header 42 which contains control and/or address information. Typically, the header information is arranged in layers including an IP layer and a physical layer. The IP layer typically includes an IP source address, an IP destination address, a checksum, and a hop count which indicates a number of hops in a multihop network. A physical layer header includes a MAC address (hardware address) of the source and a MAC address of the destination. The user data may include a TCP (Transfer Control Protocol) packet including TCP headers or a UDP (User Data Protocol) packet including UDP headers. These protocols control, among other things, the packetizing of information to be transmitted, the reassembly of received packets into the originally transmitted information, and the scheduling of transmission and reception of packets (see e.g., D. Comer, "Internetworking With TCP/IP", Vol. 1 (1991); D. Comer and D. Stevens, "Internetworking With TCP/IP", Vol. 2 (1991)).
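The header layout described above (a physical-layer header carrying the source and destination MAC addresses, and an IP-layer header carrying the IP source address, IP destination address, checksum and hop count), together with the locking of the device to its client's IP and MAC address described under FIELD OF THE INVENTION, shown as an added Python example that is not part of the patent text. It builds a constructed Ethernet II / IPv4 frame, parses the fields named above, verifies the RFC 791 header checksum, and checks the packet's source pair against a locked (MAC, IP) binding. The addresses, the helper names and the use of the IPv4 TTL field as the "hop count" are assumptions made for the illustration.

```python
import socket
import struct
from dataclasses import dataclass

# Constructed values for this example (not from the patent): a locally
# administered MAC and an RFC 5737 documentation IP for the protected client.
CLIENT_MAC = bytes.fromhex("0200000000aa")
GATEWAY_MAC = bytes.fromhex("0200000000bb")
CLIENT_IP = "192.0.2.10"
PEER_IP = "198.51.100.7"
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of the
    header as 16-bit words. Over a header whose checksum field is already
    filled in, the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                payload: bytes, hop_count: int = 64) -> bytes:
    """Ethernet II header + minimal 20-byte IPv4 header + payload."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload),          # version 4 / IHL 5, TOS, total length
        0x1234, 0,                           # identification (constructed), flags/frag
        hop_count, 17, 0,                    # TTL (the text's "hop count"), UDP, checksum=0
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_header = fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_header + payload


@dataclass
class ParsedPacket:
    dst_mac: bytes
    src_mac: bytes
    src_ip: str
    dst_ip: str
    hop_count: int
    checksum_ok: bool
    payload: bytes


def parse_frame(frame: bytes) -> ParsedPacket:
    """Split a frame into the physical-layer and IP-layer fields of FIG. 3A,
    rejecting anything that is not a well-formed IPv4 frame."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")
    header = ip[:ihl]
    total_len = struct.unpack("!H", header[2:4])[0]
    if total_len < ihl or total_len > len(ip):
        raise ValueError("bad total length")
    return ParsedPacket(dst_mac, src_mac,
                        socket.inet_ntoa(header[12:16]), socket.inet_ntoa(header[16:20]),
                        header[8], ipv4_checksum(header) == 0, ip[ihl:total_len])


def binding_violation(pkt: ParsedPacket, locked_mac: bytes, locked_ip: str):
    """Check a client-originated packet against the (MAC, IP) pair the device
    locked itself to. Returns None when it matches, else the reason."""
    if pkt.src_mac != locked_mac:
        return "source MAC differs from locked MAC"
    if pkt.src_ip != locked_ip:
        return "source IP differs from locked IP"
    return None


if __name__ == "__main__":
    good = build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, PEER_IP, b"hello")
    spoof = build_frame(CLIENT_MAC, GATEWAY_MAC, "192.0.2.99", PEER_IP, b"hello")
    print(parse_frame(good))
    print(binding_violation(parse_frame(good), CLIENT_MAC, CLIENT_IP))
    print(binding_violation(parse_frame(spoof), CLIENT_MAC, CLIENT_IP))
```

The checksum only detects accidental damage to the header; it is not a security control, which is why the binding check and the session-key encryption of the invention are needed on top of it.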
In an exemplary internet protocol called IP, each node of the internet 100 is assigned an internet (IP) address which is unique over the entire internet 100, such as the internet address for the node y shown in FIG. 3B. See Information Sciences Institute, RFC 791, "Internet Protocol", September 1981. The IP addresses are assigned in a hierarchical fashion; the internet (IP) address of each node contains an address portion 31 indicating the network of the node, an address portion 32 indicating a particular subnetwork of the node, and a host portion 33 which identifies a particular host or router and discriminates between the individual nodes within a particular subnetwork.
In an internet 100 which uses the IP protocol, the IP addresses of the source and destination nodes are placed in the packet header 42 by the source node. A node which receives a packet can identify the source and destination nodes by examining these addresses.
B. Encryption Techniques
Eavesdropping in a network, such as the network 100 of FIG. 1, can be thwarted through the use of a message encryption technique. A message encryption technique employs an encipherment function which utilizes a number referred to as a session key to encipher data (i.e., message content). Only the pair of hosts in communication with each other have knowledge of the session key, so that only the proper hosts, as paired on a particular conversation, can encrypt and decrypt digital signals. Two examples of encipherment functions are the National Bureau of Standards Data Encryption Standard (DES) (see e.g., National Bureau of Standards, "Data Encryption Standard", FIPS-PUB-45, 1977) and the more recent Fast Encipherment Algorithm (FEAL) (see e.g., Shimizu and S. Miyaguchi, "FEAL-Fast Data Encipherment Algorithm," Systems and Computers in Japan, Vol. 19, No. 7, 1988 and S. Miyaguchi, "The FEAL Cipher Family", Proceedings of CRYPTO '90, Santa Barbara, Calif., August 1990). Another encipherment function is known as IDEA. One way to use an encipherment function is the electronic codebook technique. In this technique a plain text message m is encrypted to produce the cipher text message c using the encipherment function f by the formula c=f(m,sk) where sk is a session key. The message c can only be decrypted with the knowledge of the session key sk to obtain the plain text message m=f(c,sk).
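The electronic codebook relation just stated, c=f(m,sk) and its inverse recovering m from c with the same sk, as an added Python example that is not part of the patent. It uses the XTEA block cipher as f (a small 64-bit block cipher chosen so the example runs on the standard library alone; it is not one of the ciphers the text cites), a constructed 16-byte session key, PKCS#7-style padding to whole blocks, and a helper that reports repeated ciphertext blocks, which is the property that makes the codebook technique unsuitable for messages containing repeated content. All names and values below are assumptions for the illustration.

```python
import struct

DELTA = 0x9E3779B9   # XTEA round constant
MASK = 0xFFFFFFFF    # all arithmetic is modulo 2**32
ROUNDS = 32
BLOCK = 8            # XTEA block size in bytes


def _key_words(sk: bytes):
    """Split the 128-bit session key sk into the four 32-bit words XTEA uses."""
    if len(sk) != 16:
        raise ValueError("XTEA session key sk must be 16 bytes")
    return struct.unpack("!4I", sk)


def _encrypt_block(v0: int, v1: int, k) -> tuple:
    """One 64-bit block through the XTEA Feistel network."""
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1


def _decrypt_block(v0: int, v1: int, k) -> tuple:
    """Inverse of _encrypt_block: the same round functions, undone in reverse order."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1


def _pad(m: bytes) -> bytes:
    n = BLOCK - len(m) % BLOCK           # always 1..8, so unpadding is unambiguous
    return m + bytes([n]) * n


def _unpad(p: bytes) -> bytes:
    n = p[-1]
    if not 1 <= n <= BLOCK or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]


def ecb_encrypt(m: bytes, sk: bytes) -> bytes:
    """c = f(m, sk): every plaintext block is enciphered independently under sk."""
    k = _key_words(sk)
    p = _pad(m)
    out = []
    for i in range(0, len(p), BLOCK):
        v0, v1 = struct.unpack("!2I", p[i:i + BLOCK])
        out.append(struct.pack("!2I", *_encrypt_block(v0, v1, k)))
    return b"".join(out)


def ecb_decrypt(c: bytes, sk: bytes) -> bytes:
    """Recover m from c; only a holder of the same sk gets the plaintext back."""
    if not c or len(c) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    k = _key_words(sk)
    out = []
    for i in range(0, len(c), BLOCK):
        v0, v1 = struct.unpack("!2I", c[i:i + BLOCK])
        out.append(struct.pack("!2I", *_decrypt_block(v0, v1, k)))
    return _unpad(b"".join(out))


def repeated_blocks(c: bytes) -> dict:
    """Map each ciphertext block that occurs more than once to its block indices.
    In codebook mode equal plaintext blocks give equal ciphertext blocks, so
    repetition in m stays visible in c even though sk is secret."""
    seen = {}
    for i in range(0, len(c), BLOCK):
        seen.setdefault(c[i:i + BLOCK], []).append(i // BLOCK)
    return {blk: idx for blk, idx in seen.items() if len(idx) > 1}


if __name__ == "__main__":
    sk = bytes(range(16))                          # constructed session key
    m = b"ATTACK AT DAWN. " * 3 + b"end"          # constructed message with repeats
    c = ecb_encrypt(m, sk)
    assert ecb_decrypt(c, sk) == m
    print(c.hex())
    print(repeated_blocks(c))
```

The repeated_blocks output is the point to take away: the codebook technique meets the text's confidentiality statement only block by block, and a chaining or counter mode is what one would use so that equal message blocks do not produce equal cipher text.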
Session key agreement between two communications hosts may be achieved using public key cryptography. (See e.g., U.S. Pat. Nos. 5,222,140 and 5,299,263.)
Before discussing public key cryptographic techniques, it is useful to provide some background information. Most practical modern cryptography is based on two notorious