GB2502780A - Network access via public IP addresses and device ports - Google Patents


Info

Publication number
GB2502780A
Authority
GB
United Kingdom
Prior art keywords
public
communications
address
network
group
Prior art date
2012-06-05
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB201209930A
Other versions
GB201209930D0 (en)
GB2502780B (en)
Inventor
Christopher Spencer
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
GLOBAL REACH CORP Ltd
Original Assignee
GLOBAL REACH CORP Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2012-06-05
Filing date
2012-06-05
Publication date
2013-12-11
Application filed by GLOBAL REACH CORP Ltd (2012-06-05)
Priority to GB1209930.5A
Publication of GB201209930D0 (2012-07-18)
Publication of GB2502780A (2013-12-11)
Application granted
Publication of GB2502780B (2016-12-28)
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/09: Mapping addresses
    • H04L61/25: Mapping addresses of the same type
    • H04L61/2503: Translation of Internet protocol [IP] addresses
    • H04L61/2514: Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H04L61/2517: Translation of Internet protocol [IP] addresses using port numbers
    • H04L61/2521: Translation architectures other than single NAT servers
    • H04L61/2528: Translation at a proxy
    • H04L61/256: NAT traversal
    • H04L61/2557: Translation policies or rules
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • H04L63/104: Grouping of entities

Abstract

A Network Policy Controller (NPC, 4) allows clients (2, 3) in a private network (1) access to a public network (6) by mapping a client's private IP address (2, 3, fig. 2) to a public IP address in conjunction with a particular port on the device (9). The device stores the identity of the client associated with each port in memory (24, fig. 4), allowing the portal to direct packets to the correct destination. Groups of consecutively ordered ports may be reserved for different media (apps, audio, video etc.) and identified in a mapping table (fig. 5) solely by the first and last port in the group. Different public IP addresses may also correspond to different groups of clients within the private network.

Description

Improvements in and Relating to Network Communications

The invention relates to the tracking of users' access to a public network of computers, such as the Internet. In particular, though not exclusively, the invention relates to controlling access to the World Wide Web.
Controlling the access of a user to a network, such as the Internet or a private intranet, is an essential element of modern network usage. It is common that network access may be controlled by a device known as a Network Policy Controller (NPC), or the like, which remotely maintains and administers the network access rights assigned to the machines (client computers) of individual users and/or rules which must be enforced if network access is to be granted to users. The NPC may also implement such access restrictions on the basis of those access rights and rules.
For example, a user of a client computer may wish to gain access to the Internet. Communications with the Internet require the use of a public IP address (Internet Protocol, such as TCP/IP) identifying the node (e.g. the NPC) via which the private network accesses the Internet. This IP address is typically used in IP communications to identify the source of a given communication (e.g. a datagram, packet etc.). Once an available public IP address has been acquired by the NPC device it may then permit communications between the client computer and the Internet and, in doing so, may use whichever of its communications ports are currently available (or become available) to transmit and receive communications between the client device and the Internet. This process is typically repeated in respect of multiple client devices of the private network, each concurrently accessing the Internet and each employing the same public IP address. The result is that the use of ports is dynamic and ad hoc, so that port assignments are effectively random.
The invention is born of the realisation that the assignment of ports can be controlled to enable the identification of client devices which access the Internet using such ports.
At its most general, the invention is to map a private IP address of a client device in a private network to the particular ports of the portal device (e.g. an NPC device) of the private network which are employed by the client device in communicating with the Internet. In this way, mere knowledge of the ports used by that device permits the identification of the private IP address of the client device within the private network and, therefore, of the client device itself. This is particularly useful when it is required to identify a client device by externally back-tracking the Internet communications originating from it. It is possible to identify from Internet communications (e.g. datagrams, packets etc.) both the source IP address (a public IP address) of the portal device from which the communication originated and also the port number of that portal device from which the communication was transmitted. By recording the above map, one may use this obtainable data to uniquely identify the client device which used the particular port at a particular time. This can be very useful in identifying perpetrators of unauthorised or criminal activities performed on the Internet. The public IP address employed by the client device may also be recorded.
In a first aspect, the invention provides a computer implemented method for controlling the access to a public computer network from a client device within a private computer network comprising client devices each assigned a respective unique private IP address and a network access control device for communications between the private network and the public network. The method comprises using, by the network access control device, a public IP address of the private computer network in communications with the public computer network from a plurality of said client devices, wherein the public IP address is common to the plurality of client devices. The method includes using exclusively for each client device a different respective communications port or group of communications ports of the network access control device during the communications employing the public IP address between the respective client device and the public computer network, thereby excluding the use of such respective communications port(s) by other said clients employing the public IP address. The method further includes recording in a memory device the identity of the respective communications port(s) retrievably in association with the identity of the respective client device. Optionally, the public IP address may also be so recorded. Preferably, the time and/or date, or the time period, during which a given exclusive use occurred, began and/or ended is also recorded.
In this way a map may be recorded identifying each client user of the internet using the public IP address employed, the private IP address assigned, the ports exclusively used and optionally the time, date or period of such use where transient.
Preferably, the method includes using of a different respective group of communications ports of the network access control device. Using a group enables greater throughput of Internet traffic to a client device. For example, a webpage rendered on a display of a client device may contain multiple webpage resources running concurrently, such as audio/video clips and applications etc. The different webpage resources may be communicated to the client device via different ports of the group of ports such that the presence of one resource does not impede the execution of another concurrently.
The communications ports of the group may have consecutively ordered port identities ranging from a first port identity to a last port identity. For example, the group of ports may comprise Port No. 100 to Port No. 199, inclusive of all ports numbered between these two limits. The recording of the identity of the ports may comprise recording the first port identity (e.g. Port No. 100) and the last port identity (e.g. Port No. 199) thereby to identify all ports within the group without recording the identities of other ports within the group. This reduces the memory burden by enabling a potentially large number of port identities of a group to be recorded without requiring a record to be made of each port of the group.
The method may include using of a different respective group of communications ports of the network access control device wherein each group comprises the same number of ports. Thus, each group of ports may be a group of 100 ports (or any other number).
The method may include using, by the network access control device, a plurality of different public IP addresses of the private computer network in communications with the public computer network from a plurality of said client devices, wherein each different public IP address is common to a respective different plurality of client devices. For example, a first public IP address may be employed for use by a first group of client devices of the private network, and a second different public IP address may be employed by a second group of other client devices of the private network, and so on.
In a second aspect, the invention may provide an apparatus for controlling the access to a public computer network from a client device within a private computer network comprising client devices each assigned a respective unique private IP address. The apparatus may comprise a network access control device arranged to receive communications between the private network and the public network via a plurality of separate communications ports thereof, and a memory apparatus.
The memory apparatus may form a part of the network access control apparatus (e.g. internal memory) or be a remote memory apparatus. The network access control device is arranged to use a public IP address of the private computer network in communications with the public computer network from a plurality of said client devices, wherein the public IP address is common to the plurality of client devices; and to use exclusively for each client device a different respective said communications port or group of said communications ports during the communications employing the public IP address between the respective client device and the public computer network thereby excluding the use of such respective communications port(s) by other said client devices employing the public IP address; and to record in said memory apparatus the identity of the respective communications port(s) retrievably in association with the identity of the respective client device.
Optionally, the public IP address may be so recorded.
The network access control apparatus is preferably arranged to use a said different respective group of communications ports wherein the communications ports of the group have consecutively ordered port identities ranging from a first port identity to a last port identity. The recording preferably comprises recording the first port identity and the last port identity thereby to identify all ports within the group without recording the identities of other ports within the group.
The network access control apparatus is preferably arranged to use a said different respective group of communications ports wherein each group comprises the same number of ports.
The network access control device may be arranged to use a plurality of different public IP addresses of the private computer network in communications with the public computer network from a plurality of said client devices. Each different public IP address may be common to a respective different plurality of client devices.
A non-limiting example of a preferred embodiment of the invention will now be described with reference to the accompanying drawings of which: Figure 1 shows schematically a client device connected in communication with the Internet via a network policy controller (NPC) device for controlling communication with the Internet; Figure 2 schematically illustrates the mapping of multiple private IP addresses to a common public IP address and the assigning of different ranges of ports of the NPC exclusively to respective private IP addresses; Figure 3 schematically illustrates the sequence and flow of communications between the client device, NPC device, authentication device and Internet of Figure 1.
Figure 4 schematically illustrates elements of the NPC apparatus of Figure 1; Figure 5 schematically shows a mapping table according to the invention.
In the drawings, like items are assigned like reference symbols for consistency.
Figure 1 illustrates a private network (1) of client computers (2, 3, etc.) and a network policy controller (NPC, item 4) device for controlling the access of the plurality of client devices (2, 3) of the private network to the Internet (6). The client devices form a part of a private network and each possesses a private IP address assigned to it either by the NPC or by a separate network control server (not shown) for use in communications between clients/nodes within that private network.
The NPC device is arranged to intercept outgoing communications traffic (items 7, 8; e.g. datagrams) from client devices of the private network which is intended for a destination within the Internet. All outgoing Internet traffic is directed through the NPC device before reaching the Internet, such that the NPC device serves as the Internet portal device of the private network.
For this purpose, the NPC is arranged to employ a public IP address (TCP/IP address) which serves as the public IP address of the NPC device and, therefore, of the private network it serves.
The NPC device is arranged to receive communications (7, 8, 9) between the private network and the Internet via a plurality of separate communications ports (5) thereof. It is arranged to use a public IP address of the private computer network (e.g. 85.234.129.100) in communications with the Internet from the plurality of client devices (2, 3). That public IP address is used in common by multiple of the plurality of client devices.
In particular, the NPC device is arranged to use exclusively for each client device a different respective group of communications ports (5) during the communications between the associated client device and the Internet, thereby excluding the use of those ports by other client devices of the private network. The NPC device includes a memory unit (item 24, Figure 4) within which the NPC device is arranged to record the identity of the respective communications ports (e.g. Ports no. 100 to no. 199) retrievably in association with the private IP address (e.g. 10.101.1.1) of the respective client device and the public IP address (e.g. 85.234.129.100) employed by the NPC device in communications between the Internet and that client device. The NPC further records the start time, end time, and the date on which the communications in question took place. A mapping table is recorded and maintained by the NPC device and a simple example is schematically shown in Figure 5.
The NPC device is arranged to implement the following method steps, illustrated sequentially in Figures 2 and 3:
Step 1: a first client device (3) having private network address (10.101.1.1) seeks access (10) to the Internet (6) via the NPC device (4). A second client device (2) having private network address (10.101.1.2) seeks access (11) to the Internet (6) via the NPC device (4) concurrently. Other client devices (10.101.1.3, etc.) may seek Internet access concurrently.
Step 2: the NPC device assigns (12) a common public IP address (85.234.129.100) of the private computer network for use in communications with the Internet by each of the first and second client devices.
Step 3: the NPC device assigns (12) exclusively to each client device a different respective group of communications ports of the NPC device (ports 100-199 for the first client; ports 200-299 for the second client; etc.) for Internet communications employing the same public IP address. This excludes the use of the assigned communications ports by other client devices employing the same public IP address.
Step 4: recording (13) in a mapping table (Figure 5) of the NPC device the port numbers of the respective communications ports retrievably in association with the private IP address of the respective client device and the public IP address it used. The time period and date of use are also recorded.
Step 5: commencing (14, 15) access to the Internet by the first and second client devices, through the NPC device.
If all private network client devices employ the same public IP address, then it is not necessary to record the public IP address within the mapping table. However, where the NPC device uses multiple different public IP addresses concurrently or sequentially, it is preferable to include the public IP addresses within the mapping table retrievably in association with the private IP addresses and assigned port numbers associated with the client devices which used those public IP addresses.
Figure 2 shows such use of multiple public IP addresses in which a first three client devices (private IP addresses: 10.101.1.1, 10.101.1.2 and 10.101.1.3) employ public IP address 85.234.129.100 and are assigned port numbers 100-199, 200-299 and 300-399 respectively, whereas a second three client devices (private IP addresses: 10.101.1.50, 10.101.1.51 and 10.101.1.52) employ a different public IP address 85.234.129.101 but are still assigned port numbers 100-199, 200-299 and 300-399 respectively. Though the same groups of port numbers are employed as between the first and second group of client devices, the communications of those devices are made uniquely distinguishable by use of the different public IP addresses which distinguish the two groups of client devices as well as their distinct private IP addresses.
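Steps 2 to 5 and the Figure 2 arrangement as a worked example in Python (added here; it is not code from the patent or from Global Reach). The 100-port block size, the port range up to 65534 and the addresses are taken from the description; the class and function names, and the use of a start/end time on each row, are this example's own assumptions. The lookup shows why the recorded time period matters: once a block is released and reassigned, (public IP, port) alone no longer identifies one client.

```python
"""Port-block mapping table of the kind the description assigns to the NPC.

Added example, not code from the patent or from Global Reach. Each client gets
an exclusive block of 100 consecutive ports on its group's public address; the
table stores only the first and last port of the block beside the private and
public addresses; the period of use is recorded so that an observed
(public IP, port) seen at a given time traces back to exactly one client.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 100     # ports per client group, as in the description
FIRST_PORT = 100     # lowest assignable port in the worked example
LAST_PORT = 65534    # highest port number the description mentions


@dataclass
class MappingRow:
    """One row of the Figure 5 table: block limits only, not every port."""
    public_ip: str
    first_port: int
    last_port: int
    private_ip: str
    start: int            # time the block was assigned (seconds, constructed)
    end: Optional[int]    # None while the block is still in use


class NetworkPolicyController:
    def __init__(self) -> None:
        self.table: List[MappingRow] = []
        # (public_ip, first_port) -> private_ip for blocks currently in use
        self._in_use: Dict[Tuple[str, int], str] = {}

    def _next_free_block(self, public_ip: str) -> Optional[int]:
        first = FIRST_PORT
        while first + BLOCK_SIZE - 1 <= LAST_PORT:
            if (public_ip, first) not in self._in_use:
                return first
            first += BLOCK_SIZE
        return None   # every block on this public address is taken

    def assign(self, private_ip: str, public_ip: str, now: int) -> MappingRow:
        """Steps 2-4: reserve the next free block on the group's public IP and record it."""
        first = self._next_free_block(public_ip)
        if first is None:
            # Without a free block the client cannot be given exclusive ports;
            # refusing is what keeps every row of the table unambiguous.
            raise RuntimeError(f"no free port block on {public_ip}")
        row = MappingRow(public_ip, first, first + BLOCK_SIZE - 1, private_ip, now, None)
        self.table.append(row)
        self._in_use[(public_ip, first)] = private_ip
        return row

    def release(self, private_ip: str, now: int) -> Optional[MappingRow]:
        """Close the client's open row with an end time and free its block for reuse."""
        for row in self.table:
            if row.private_ip == private_ip and row.end is None:
                row.end = now
                del self._in_use[(row.public_ip, row.first_port)]
                return row
        return None

    def lookup(self, public_ip: str, port: int, at: int) -> Optional[str]:
        """Back-track an observed source (public_ip, port) seen at time `at`.

        The time is essential: a released block is reassigned to another
        client, so (public_ip, port) alone is ambiguous across the table's history.
        """
        for row in self.table:
            if (row.public_ip == public_ip
                    and row.first_port <= port <= row.last_port
                    and row.start <= at
                    and (row.end is None or at < row.end)):
                return row.private_ip
        return None


def figure_2_example() -> NetworkPolicyController:
    """Rebuild the Figure 2 arrangement: two client groups on two public addresses."""
    npc = NetworkPolicyController()
    for private_ip in ("10.101.1.1", "10.101.1.2", "10.101.1.3"):
        npc.assign(private_ip, "85.234.129.100", now=0)
    for private_ip in ("10.101.1.50", "10.101.1.51", "10.101.1.52"):
        npc.assign(private_ip, "85.234.129.101", now=0)
    return npc


if __name__ == "__main__":
    npc = figure_2_example()
    for row in npc.table:
        print(f"{row.public_ip}  ports {row.first_port}-{row.last_port}  -> {row.private_ip}")
    # A packet from 85.234.129.101 source port 243 seen at time 10 traces to 10.101.1.51
    print(npc.lookup("85.234.129.101", 243, 10))
```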
Figure 4 illustrates the elements and functional units of the NPC device according to an embodiment of the invention. The NPC device (4) comprises an input/output (I/O) interface unit (25) for receiving and transmitting communications to and from the client devices of the private network.
The I/O unit is connected in communication to a control unit of the NPC device which in turn is connected in communication to a multitude of numbered Internet-facing input/output ports (20, 21, 22) arranged for receiving and transmitting communications to and from the Internet. The ports may number from port number one consecutively up to port number 65534. The NPC device includes a memory unit arranged to receive private IP addresses, public IP addresses, port numbers/ranges and times/dates of port usage as input from the control unit, and to generate, maintain and store the mapping table described above (e.g. Figure 5).
The control unit is arranged to implement Step 2 to Step 5, described above, in response to Step 1.
Using this technique, the invention may reduce the number of public addresses needed to operate the public service while still offering true accountability as to which client holds which internal IP address, based on the source port range.

Claims (10)

  1. A computer implemented method for controlling the access to a public computer network from a client device within a private computer network comprising client devices each assigned a respective unique private IP address and a network access control device for communications between the private network and the public network, the method comprising: using, by the network access control device, a public IP address of the private computer network in communications with the public computer network from a plurality of said client devices, wherein the public IP address is common to the plurality of client devices; using exclusively for each client device a different respective communications port or group of communications ports of the network access control device for said communications employing the public IP address between the respective client device and the public computer network thereby excluding the use of such respective communications port(s) by other said client devices employing the public IP address; and recording in a memory device the identity of the respective communications port(s) retrievably in association with the identity of the respective client device.
  2. The computer implemented method of any preceding claim including said using of a different respective group of communications ports of the network access control device wherein the communications ports of the group have consecutively ordered port identities ranging from a first port identity to a last port identity, and the recording comprises recording the first port identity and the last port identity thereby to identify all ports within the group without recording the identities of other ports within the group.
  3. The computer implemented method of any preceding claim including said using of a different respective group of communications ports of the network access control device wherein each group comprises the same number of ports.
  4. The computer implemented method of any preceding claim including using, by the network access control device, a plurality of different public IP addresses of the private computer network in communications with the public computer network from a plurality of said client devices, wherein each different public IP address is common to a respective different plurality of client devices.
  5. Apparatus for controlling the access to a public computer network from a client device within a private computer network comprising client devices each assigned a respective unique private IP address, comprising: a network access control device arranged to receive communications between the private network and the public network via a plurality of separate communications ports thereof; and a memory apparatus; wherein the network access control device is arranged: to use a public IP address of the private computer network in communications with the public computer network from a plurality of said client devices, wherein the public IP address is common to the plurality of client devices; and to use exclusively for each client device a different respective said communications port or group of said communications ports for said communications employing the public IP address between the respective client device and the public computer network thereby excluding the use of such respective communications port(s) by other said client devices employing the public IP address; and to record in said memory apparatus the identity of the respective communications port(s) retrievably in association with the identity of the respective client device.
  6. The apparatus of claim 5 in which the network access control apparatus is arranged to use a said different respective group of communications ports wherein the communications ports of the group have consecutively ordered port identities ranging from a first port identity to a last port identity, and the recording comprises recording the first port identity and the last port identity thereby to identify all ports within the group without recording the identities of other ports within the group.
  7. The apparatus of any of claims 5 and 6 in which the network access control apparatus is arranged to use a said different respective group of communications ports wherein each group comprises the same number of ports.
  8. The apparatus of any of claims 5 to 7 in which the network access control device is arranged to use a plurality of different public IP addresses of the private computer network in communications with the public computer network from a plurality of said client devices, wherein each different public IP address is common to a respective different plurality of client devices.
  9. Apparatus substantially as disclosed in any one embodiment hereinbefore with reference to the accompanying drawings.
  10. A method substantially as described hereinbefore with reference to the accompanying drawings.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1209930.5A GB2502780B (en) 2012-06-05 2012-06-05 Improvements in and relating to network communications

Publications (3)

Publication Number Publication Date
GB201209930D0 GB201209930D0 (en) 2012-07-18
GB2502780A true GB2502780A (en) 2013-12-11
GB2502780B GB2502780B (en) 2016-12-28

Family

ID=46582317

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1209930.5A Active GB2502780B (en) 2012-06-05 2012-06-05 Improvements in and relating to network communications

Country Status (1)

Country Link
GB (1) GB2502780B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230421478A1 (en) * 2022-06-28 2023-12-28 Zscaler, Inc. Egress Handling for Networks with Public Internet Protocol (IP) Address

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030093563A1 (en) * 2001-10-10 2003-05-15 Young Bruce Fitzgerald Method and system for implementing and managing a multimedia access network device
US20060013211A1 (en) * 2004-07-14 2006-01-19 Deerman James R Apparatus and method for mapping overlapping internet protocol addresses in layer two tunneling protocols
US20090316708A1 (en) * 2008-06-24 2009-12-24 Microsoft Corporation Techniques to manage a relay server and a network address translator
WO2012141998A1 (en) * 2011-04-11 2012-10-18 Alcatel Lucent Mapping private and public addresses


Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20180531 AND 20180606