A PACKET FORWARDING APPARATUS
FIELD OF THE INVENTION
The present invention relates to a packet forwarding apparatus, a routing process executed by the apparatus, a process for generating a routing table for use by the apparatus, and a routing table for use by the apparatus.
BACKGROUND
Local area networks requiring access to an insecure network such as the Internet are usually protected from the insecure network by a firewall. As shown in Figure 1, a firewall 102 is a device that is placed between two networks 104, 106, and restricts access from one network to the other, in particular from an insecure, typically public, network 104 to a relatively secure, typically private, network 106. Network traffic from the insecure network 104 is typically directed to the firewall 102 by a router 107.
In many cases, it is desired to provide network services such as email, web, domain name, and file serving services to the insecure network 104. These services can be provided by respective network servers in the private local area network 106, such as a web server 108, a public file server 109, and an email server 110. In such cases, the firewall 102 between these network servers 108 to 110 and the insecure network 104 protects them from certain forms of attack. However, various forms of network traffic are allowed past the firewall 102 in order for the network servers 108 to 110 to provide the appropriate services to the insecure network 104. Although this intermediate level of security is necessary to provide access to these servers 108 to 112, the private network 106 typically includes additional systems such as a private file server 112, other servers 111, and desktop computer systems 114 that should be isolated from the insecure network 104 as much as possible in order to provide an appropriate degree of security. Consequently, a second firewall device 202 can be used to provide a higher level of security to the private network 106, and
the network servers 108 to 110 are provided in an intermediate network segment 204 between the two firewalls 102, 202, as shown in Figure 2. The intermediate network segment 204 can provide services to both the insecure network 104 and the private network 106, and is therefore also referred to as the service provision network 204. In this configuration, the first firewall 102 provides an intermediate level of security to allow the necessary network access to the public servers 108 to 110 in the intermediate service provision network 204, and the second firewall 202 provides a higher level of security to the private network 106, protecting the private file server 112, the desktop systems 114, and the other servers 111 from attacks originating in the insecure network 104 or indeed the public servers 108 to 110 themselves, should any of these be successfully attacked.
Moreover, the firewalls 102, 202 themselves may be vulnerable to attack from the insecure network 104, the public servers 108 to 110, or even the private network 106, compromising the security of the private network 106 and the network systems 111, 112, 114 on the private network 106.
A further difficulty of such an arrangement arises from the challenge of correctly configuring and managing each firewall device. The need to maintain the two separate firewalls 102, 202 increases the likelihood of configuration errors which could compromise the security of the private network 106.
It is desired to provide a packet forwarding apparatus, a routing process, a process for generating a routing table, and a routing table that alleviate one or more difficulties of the prior art, or at least provide a useful alternative.
SUMMARY OF THE INVENTION
In accordance with the present invention, there is provided a packet forwarding apparatus, including at least two autonomous packet forwarding components having respective external interfaces for connection to respective external networks, and respective internal interfaces for connection to a network internal to said apparatus and interconnecting said at
least two packet forwarding components, the internal interfaces being addressable only by link layer addresses or addresses in a subnet of a loopback network.
The present invention also provides a packet forwarding apparatus, including at least two packet forwarding components having respective external interfaces for connection to respective external networks, and respective internal interfaces for interconnecting said at least two packet forwarding components, said internal interfaces being addressable only internally to said apparatus.
The present invention also provides a routing process, including: receiving a data packet including a destination address; determining an address of a network corresponding to said destination address; and determining a link layer address of a next-hop node corresponding to the address of said network, said next-hop node only being assigned a link layer address.
The present invention also provides a routing table for use in selecting a next-hop node for a received network packet, each entry of said routing table including an address of a destination network and a link layer address of a next-hop node for said destination network.
The present invention also provides a process for generating a routing table, including: generating, at a network component having a first network interface and a second network interface, said first network interface having a network layer address and a link layer address, and said second network interface having only a link layer address, an announcement message including a network layer address of a network connected to said first network interface, and said link layer address of said second network interface.
BRIEF DESCRIPTION OF THE DRAWINGS
Preferred embodiments of the present invention are hereinafter described, by way of example only, with reference to the accompanying drawings, wherein:
Figure 1 is a block diagram of a first prior art network configuration having a firewall connected between an insecure communications network and a private communications network;
Figure 2 is a block diagram of a second prior art network configuration having two firewalls connected between the insecure communications network and a private communications network, and providing an intermediate network for providing services to the other networks;
Figure 3 is a block diagram of a preferred embodiment of a packet forwarding apparatus connected between three communications networks;
Figure 4 is a block diagram of a network interface module (NIM) of the packet forwarding apparatus; Figure 5 is a schematic diagram illustrating network packet flows in one configuration of the packet forwarding apparatus having four NIMs;
Figure 6 is a schematic diagram of an alternative embodiment of a packet forwarding apparatus;
Figure 7 is a schematic diagram of a NIM of yet a further alternative embodiment of a packet forwarding apparatus;
Figure 8 is a block diagram of the packet forwarding apparatus connected between an insecure network, a private network, and a service provision network; and
Figure 9 is a flow diagram of a routing process executed by the packet forwarding apparatus.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
As shown in Figure 3, a packet forwarding apparatus 300 includes three network interface modules (NIMs) 302, 304, 306, interconnected by an interconnect 308. The network modules 302, 304, 306 are connected to respective communications networks 310, 312, 314. Alternatively, if there is no requirement for attaching the third network 314, the third NIM 306 can be omitted if desired.
As shown in Figure 4, each of the NIMs 302 to 306 includes a network interface connection (NIC) 402 for connection to a network 402 external to the packet forwarding apparatus 300, and an interconnect connection interface (ICI) 404 for connection to the interconnect 308. A packet processor 406 processes network packets received from one of the interfaces 402, 404, and forwards packets to the other interface, as described below. In order to enhance security, the ICIs 404 of the NIMs 302 to 306 are not addressable from outside the packet forwarding apparatus 300, as described below. A storage device 408 is used to store log files containing statistics and other data derived from the traffic received by the NIM. A configuration manager 410 on each NIM 302 to 306 provides a single user interface that allows a user to configure and manage the entire packet forwarding apparatus 300, including all of the NIMs 302 to 306.
Each of the NIMs 302 to 306 operates as an autonomous packet forwarding device, executing packet forwarding and routing processes independently of the other NIMs, and configured and administered as an independent entity. As described below, each NIM discovers the presence of the other NIMs in the packet forwarding apparatus 300 by way of communication across the interconnect 308 using discovery processes analogous to those used by standard networked computer systems to discover peers on a network. The advantage of this distributed processing arrangement is that any compromise or failure of any one NIM does not necessarily impact the other NIMs, which would not be the case if the NIMs were operating in a centralised environment; as part of a single operating system environment, for example.
In the described embodiments, the interconnect 308 is Ethernet. However, it will be apparent that the interconnect 308 can be any one of a variety of alternative networks, including an optical network using optical fibres, for example, with appropriate substitution of the ICI 404. It will also be apparent that the interconnect 308 can include an intelligent device capable of switching network traffic between the NIMs 302 to 306, or a hub. In the case of an Ethernet network, an otherwise standard Ethernet switch or hub can be used, modified as described below. Each of the NIMs 302 to 306 is assigned only one IP address: that for its external network port or NIC 402. The ICI 404 used for communication between the NIMs 302 to 306 is not assigned an IP address, as described below.
Modern communications networks transmit packets of information using a layered structure of protocols to separate the technical aspects of communication embodied in the lowest protocol layers from the higher layers used by applications and high level transport protocols. For example, networks based on the Internet Protocol (IP) use an Internet layer as a third layer over two lower protocol layers. The lowest layer is a physical or hardware layer and the second layer is a link or medium access control (MAC) layer for communication over a shared network link. In an Ethernet link, a source node transmits link layer frames including a unique link layer (i.e., layer 2), MAC, or hardware address to address a particular to a destination node on the shared link. A link layer frame begins with a 14-byte frame header, followed by a 46-1500-byte data payload, followed by a 4-byte cyclic redundancy check (CRC). The frame header comprises 6-byte link layer destination and source addresses and a 2-byte type field that identifies the protocol type of the data payload. A type of 0x0800 identifies an IP protocol payload. In the case of IP, the payload includes an IP datagram, including an IP header providing the Internet layer (i.e., layer 3) IP addresses of the source and destination nodes.
A node on a local area or wide area network can generally send an IP packet to any other node on the network by sending IP packets with a destination address set to the IP address assigned to the desired node. Unless the destination node shares the same network segment as the sending or source node, the IP packets are sent in a series of hops between nodes
topologically located between the source and destination nodes. Each network segment connecting two nodes has its own network address, and each node maintains a routing table that associates the IP addresses of nodes on the same network segment with addresses of network segments accessible through those nodes, and the respective network masks for those network segments.
For example, Table 1 represents a prior art routing table having two interfaces connected to external networks. A first interface has been assigned an IP address of 10.0.0.1 and is connected to a network with an IP address of 10.0.0.0. A second interface has been assigned an IP address of 10.0.0.254 and is the default gateway to other networks (i.e., if no other match is found), as indicated by the 'default gateway' network address and network mask value of 0.0.0.0.
Table 1
When a node receives an IP datagram destined for a node on another network segment, the node that received the IP datagram determines the next hop node using its routing table. The destination IP address of the datagram is combined with a network mask (e.g., 255.255.255.0) from the routing table using a bitwise AND operation to determine a corresponding network segment address. If the resulting network address matches the network address in the routing table (e.g., 10.0.0.0), then the corresponding next hop address provides the IP address of the next hop node (or gateway) for the packet. The corresponding layer 2 or MAC address of the next hop node is determined using the current node's address resolution protocol (ARP) or hardware address table, as shown in Table 2, which provides a mapping between IP addresses and link layer addresses for nodes on the same network segment. The ARP table is maintained by receiving ARP
replies from nodes on the same network segment. Consequently, the link layer addresses of nodes on a network segment are only known to nodes on that segment, and it is only possible to communicate with a node on another segment using a layer 3 address, such as an IP address in the case of an IP network.
Table 2
Prior art systems such as the firewall system shown in Figure 2 use standard Ethernet/IP to communicate between the firewalls 102, 202. Accordingly, IP addresses are assigned to the internal interfaces of the firewalls 102, 202, which are therefore potentially vulnerable to attack from the insecure and private networks 104, 106.
In contrast, each ICI 04 of the packet forwarding apparatus 300 is not assigned any address other than a link layer address. Consequently, the ICIs 404 are not addressable from outside the packet forwarding apparatus 300. That is, a network packet cannot be addressed from outside the packet forwarding apparatus 300 in such a way that any of the ICIs 404 is the packet's addressee or final destination, as the ICIs 404 do not have a network layer address, and link layer addressing only applies to each individual physical connection between two systems - i.e. it is not possible to target ICIs 404 via their link layer address from outside of system 300.
The ICIs 404 are therefore protected from direct attacks from the insecure network 104 and/or the private network 106 because any IP datagram originating from outside the packet forwarding apparatus 300 and received by the ICI 404 of one of the NIMs 302 to 306 is passed on to the output processing of ICI 402, where it will be either forwarded or dropped.
In a first preferred embodiment, each NIM is a standard computer system, such as an Intel™-based server with two standard Ethernet ports and executing a Unix™ operating system. However, the packet forwarding apparatus 300 could alternatively be a blade server that has one external network port for a network cable and another port on the backplane that joins all the blades together, where each NIM is a single blade. The packet processing and routing processes are implemented as software modules stored in nonvolatile storage (e.g., magnetic disk) associated with the packet forwarding apparatus 300. However, it will be apparent that at least parts of the packet processes can be alternatively implemented by dedicated hardware components, such as application-specific integrated circuits (ASICs), as described below.
Because IP addresses are not assigned to the ICIs 404, the networking software of each NIM (and any switches or hubs included in the interconnect 308) is modified from the standard arrangement so that the routing process matches a destination IP address in an IP datagram with the link layer address of the appropriate NIM directly, without requiring an IP address or an ARP table. Thus the routing table used by the packet forwarding apparatus 300 to deliver packets from one NIM to another NIM includes only a hardware or MAC layer address for each ICI, as shown in Table 3.
Table 3
The packet forwarding apparatus 300 executes a routing process, as shown in Figure 9. At steps 902 and 904, a network packet is received and its destination network layer (IP) address determined. The first entry in the routing table is then selected at step 906. If the result of a bitwise AND operation on the packet's destination address and the network
mask ('netmask') in the selected entry is not equal to the network layer (IP) address of that entry (step 908), then the process loops back to select the next routing table entry at step 906. If, however, the result does match, then the link (MAC) layer address in the selected entry is selected at step 910. This address is the link layer address of the ICI 404 of the NIM whose NIC 402 is connected to the network whose network layer (IP) address matched the result of the bitwise AND operation. The selected link layer address is then included in an Ethernet frame that is generated from the packet at step 912, and at step 914 the frame is then transmitted on the interconnect 308 for receipt by the NIM. If no match is found, then the link layer address of the default route NIM is selected at step 918. The default route is indicated by a routing table entry including a network address that is 0.0.0.0.
In addition to forwarding IP datagrams received from external networks, the NEVIs 302 to 306 communicate using a management protocol to send and receive management information. For example, each of the NIMs 302 to 306 uses this protocol to announce routing information on a periodic basis. Each announcement contains a list of all the destination network addresses the NIM provides connectivity for, providing they all fit within the transmitted frame. If the complete list of announcements does not fit in a single frame, then one or more further, continuation frames are sent containing the remaining data. Receipt of this routing announcement from a particular NIM indicates that that NIM is active and "alive". If no such announcement is seen in a period of time that is longer than the configured interval for announcing such information, then the other NIMs consider the last received announcement to be stale and it is discarded. The configuration of any applications (e.g., email, DNS, proxying, etc) on the NIMs 302 to 306 is also performed using the internal NIM protocol.
For communication across Ethernet, two new protocol type codes are used so that the packets cannot be confused with ordinary IP traffic: one for control messages (Ether--,ntroi) and one for data (IP) messages (Etherdata) • The control messages form two groups: those related to the configuration of the packet forwarding apparatus 300, and those related to obtaining other types of information from a NIM (statistics, etc.) and their
management. It will be apparent that an IP datagram forwarded over the interconnect 308 from an external network is never treated in a manner that allows it to be processed as control data. Various methods are undertaken in the software to prevent access to the network by any applications in a manner that would allow them to send messages from one NIM to another NIM, as, for example, a hacker might attempt to do in order to subvert/break into/bypass another NIM if the hacker gained control over one of them. For example, the operating system kernel of each NIM is modified to prevent low-level access to the network, so that Ethernet frames cannot be generated and sent directly by a user process, and packet sniffing applications cannot be executed in user space, with other various security mechanisms used to prevent ad-hoc access to the Interconnect network between the NIMs. Access to the network is restricted to sending and receiving TCP, UDP, and ICMP packets.
For example, the control protocol provides a default route announcement from the first NIM 302 for an IPv4 network is as follows: Ethercontrol (Network Advertisement
(Network o.o.o.o/o, MAC 02:00:00:01:01:35)). similarly, the second NIM 304 might announce Ethercontroi (Network Advertisement (Network 10 . 0 . 0 .0 /8 , MAC
04:01 :51 :F3:00:03 ) ) , providing the IP address of the private network 106. Each NIM uses the information it learns from other NIMs to build its own routing table. The routing table comprises entries that include a network address (used as the lookup key), a network mask, and the next hop address. The next hop address is either a layer 2 or 3 network address, depending on whether layer 3 loopback addresses are being used by the NIMs 302 to 306 for internal communication. In the above example, the routing table of the first NIM 302 would then include an entry associating the link layer address of the second NIM 304 with the network address 10.0.0.0/8. The first NIM 302 would be used for the default route.
As a further example, in order to start a TCP connection from a host of the second network 312 to a web server in the first network 310, the following messages are typical of those that would be exchanged between the first NIM 302 and the second NIM 304: The second NIM 304: Etherdata(IP(l 0.43.1.6,203.15.66.3)TCP(SYN,DPORT=80))
The first NIM 302: Etherdata(IP(203.15.66.3,10.43.1.6)TCP(SYN-ACK,SPORT=80))
Further packets in this TCP session are exchanged in a similar manner.
The packets carrying announcements from each NIM 302, 304, 306 have the following structure:
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 +—+—+—+—+—+—+—+—+—+—+—+—+—+—+—+—+ I mac address | mac address | type | len | +—+—+—+—+—+—+—+—+—+—+—+—+—+—+—+—+ I cmd I num. | mac address | ip address |
As an example of the exchange between NIMs, the "type" field is set to 0x7878, the "len" (length) field is set to the length of the data following the "type" field (16), the "cmd" field is set to a value that other NIMs understand to mean "add an ip-address/mac address pair to the routing table"(say, 1) and the "num" field provides the number of mac-address/ip- address pairs (in this example, 1).
For added security, the NIMs 302 to 306 can be configured with a shared secret that is used, along with the contents of the data being sent in each control message, to generate a hash value using a one-way hashing function such as MD5 or SHA-1 appended to the control message. NIMs receiving such messages use the hash value to determine that the message has been correctly sent and received, protecting against generic communication errors and fraudulent messages. To further improve security, public key cryptography can be used, whereby each of the NIMs 302 to 306 has the public keys for all the other NIMs and uses its private key to encrypt messages sent to the other NIMs individually, rather than broadcasting.
From a management perspective, although the NIMs 302 to 306 in the packet forwarding apparatus 300 operate independently of each other as autonomous entities, the configuration manager modules 410 of the NIMs 302 to 306 allow them to be managed
collectively as part of the entire system 300 rather than as separate entities. The packet forwarding apparatus 300 thus appears as a single piece of hardware so far as management is concerned by virtue of data exchange between the NIMs 302, 304, 306. However, it is also possible to interact with each at an individual level if desired by establishing a command session from a master NIM to another NIM.
A typical manner in which the apparatus 300 is administered is to select a NIM, such as the first NIM 302, as the primary component or master NIM through which to interact with the apparatus 300 when initialising the apparatus 300 for use. Thereafter, further management activity by an administrator is undertaken through the first NIM 302 with the other NIMs 304, 306, acting as slave devices and being configured by the first NIM 302 through the exchange of control messages over the interconnect 308. Configuration commands provided to the master NIM are used by the master NIM to generate and send slave configuration messages to one or more of the slave NIMs.
This arrangement also makes the packet forwarding apparatus 300 more robust, because if the master NIM detects that one or more of the slave NIMs has failed or is acting suspiciously, the master NIM can attempt to disable those NIMs, and can effectively eliminate them from packet forwarding and routing processes by removing the routing table entries for those NIMs from the master NIMs routing table, and instructing any other slave NIMs to do the same. The master NIM can then generate an alert message to alert an administrator to the status of the disabled NIMs. Upon receiving such an alert, the administrator can then investigate the problem further. If additional NIMs are added to the packet forwarding apparatus 300, the administrator can disconnect the network from the NICs of the disabled NIMs, and connect them to the NICs of any spare NIMs. Alternatively, the master NIM can be configured to automatically select the spare NIMs and configure them to perform the functions of the disabled NIMs, and inform the administrator that the appropriate network cables can be disconnected from the disabled NIMs and connected to the newly configured NIMs.
In an alternative embodiment, two or more layer 3 loopback network addresses are used for the internal interconnection interfaces between two NIMs, rather than using link layer communications. Host addresses 127.0.0.x are reserved for loopback interfaces, with network 127,x.x.x being regarded as a loopback network. A loopback interface is a virtual network interface that loops back to the source node. A packet sent to a loopback interface is never sent out on a physical network, but is simply looped back to the network input queue on the same host. A node's loopback interface is therefore not addressable from outside the node itself, because loopback addresses cannot be used on a physical network. In this embodiment, the loopback network 127.x.x.x is subnetted to allow addresses within it to be used as addresses in the interconnect 308, and the ICI 404 on each of the NIMs 302 to 306 is assigned an IP address in that subnet. As an example, the netmask of the loopback interface for each NIM 302 to 306 would become 255.255.255.0 - its IP address is 127.0.0.1 — as would that for each ICI 404. However, an ICI 404 has an IP address in a different subnet, such as 127.0.1.0/24, of 127.0.1.1. Other NIMs have different addresses on the same subnet (e.g., 127.0.1.2, 127.0.1.3, and so on, as required).
In this embodiment, the ICIs 404 are not addressable from the insecure network 104 or the private network 106 for a number of reasons. Consider an IP packet with a destination address in the standard loopback network (i.e., 127.x.x.x). When sent from a remote node of the insecure network 104, such a packet will not match any entry in the routing tables of that node or any intermediate nodes, and will therefore be continually forwarded on the default route of each node. This assumes that the packet address does not match an address assigned to the loopback interface of any node, in which case the packet would not be forwarded because it would be handled locally. Thus the packet is unlikely to ever reach the packet forwarding apparatus 300. Also, because the destination address is an illegal address for an IP packet outside a host, the packet will be dropped or filtered by a node, as described in RFC 1122.
Moreover, even if a hacker compromised a host on the same external network segment as a NIM and sent an IP packet with a destination address of 127.0.1.x, corresponding to an address assigned to an ICI 404 on the interconnect 308, the packet will not be forwarded
on the interconnect 308 because each NIM is configured to drop packets with addresses of 127.x.x.x received at the NIM's external NIC 402. The same applies if the packet originated from the private network 106, the packet was not dropped, and the default route included the packet forwarding apparatus 300.
This embodiment provides much of the same functionality as the preferred embodiment based on link layer addresses, but at the expense of providing an attackable point if an attacker should compromise a NIM because it would then be possible to target applications that use TCP/IP on other NIMs.
In addition to the above, the packet processor 406 of each NIM 302, 304, 306 can optionally execute standard packet filtering and/or proxy processing processes on network packets received from one of the interfaces 402, 404. Thus each of the NIMs 302 to 306 can optionally perform security validation on all packets received and transmitted, and any packets that are not dropped are forwarded to the other interface. This allows the packet forwarding apparatus 300 to define a protected zone 802, including a server network 804 for providing network services to an insecure network 806 connected to the first NIM 302 and a private network 808 connected to the second NIM 304. The third NIM 306 provides a path to publicly accessible servers in the server network 804, including the web server 108, the public file server 109, and the email server 110.
The physical construction of the interconnect 308 can, through its wiring, be a part of the embodiment of the security policy. For example, in a network with separate transmit and receive connections, the transmit pin(s) from ICI 404 on each of the first and second NIMs 302 and 304 can be connected only to the receive pin(s) of the third NIM 306, and the transmit pin(s) of the third NIM 306 can be connected to the receive pin(s) of the first and second NIMs 302 and 304, making it impossible for data to be transmitted from the first NIM 302 to the second NIM 304 directly.
Furthermore, the storage device 408 in each NIM 302, 304, 306 can also allow each NIM 302, 304, 306 to perform more complex roles, such as acting as an email gateway or cache.
Alternatively, if there is no requirement for attaching an additional network such as the server network 312, the third NIM 306 can again be omitted if desired. However, additional NIMs, such as the third NIM 306, can also be used to provide additional security by configuring other NIMs, such as the first NIM 302 and/or the third NIM 304, to pass traffic through all three NIMs 302 to 306 for packet filtering, as described below. Each of the NIMs 302 to 306 can also provide VPN (Virtual Private Network) or other gateway functionality, such as providing DNS (Domain Name System), mail filtering, etc, if desired. A packet passing through the packet forwarding apparatus 300 passes through the security policies of at least two of the NIMs 302 to 306 before exiting the system 300.
The packet forwarding apparatus 300 can be provided with additional NIMs to control packet flows through the system 300 in a variety of ways. For example, Figure 5 shows a packet forwarding apparatus 500 with a fourth NIM 502 in addition to the three NIMs 302 to 306 shown in Figure 3. The packet forwarding apparatus 500 is configured to direct packets flowing through the packet forwarding apparatus 500 to pass through three NIMs (i.e., 302, 304, and either 502 or 306, depending on the packet direction); there is no direct connectivity between the insecure network 104 and the private network 106. In addition, although the web server 108, public file server 109, and email server 110 can be accessed from both the insecure network 104 and the private network 106, they cannot be accessed from the other network 504 connected to the fourth NIM 502.
Although each of the NIMs 302 to 306 of the packet forwarding apparatus 300 has been described above as being based on a standard computer system with two network interfaces, it is preferable that the entire packet forwarding apparatus be provided in a single housing or chassis containing all of the NIMs 302 to 306 and the interconnect 308. This can be achieved by installing the major components of each computer system in a single chassis and sharing a single power supply.
In a further alternative embodiment, NIMs are provided as components on one or more removable cards for placement in a single computer system, whereby the NIMs communicate over a bus of the computer system rather than over a network. However, as
in the embodiments described above, the NIMs still operate autonomously, and in particular, operate independently of the operating system of the host computer system; the NIMs do not use any part of the host computer system for RAM, CPU or storage. For example, NIMs can be provided on a single removable card 602 for installation in a computer system, as shown in Figure 6. In this embodiment, the PCI card 602 includes a first NIM 604 connected to the insecure network 104 through a first NIC 606, and a second NIM 608 connected to the private network 106 through a second NIC 610. A third NIM 612 provides access to a protected zone. Each NIM 604, 608, 612 includes random access memory (RAM) 614, a microprocessor 616, and a non-volatile storage device 618 such as flash memory. The NIMs 604, 608, 612 are interconnected by an interconnect 620 on the card 602. The card's PCI bus connection 622 provides the external interface to the third NIM 612. The computer providing the interface can also provide network services from the protected zone. It will be apparent that any number of NIMs can be provided on a single card, subject to physical space limitations.
In yet a further embodiment, one or more NIMs are provided as a single hardware component, such as an ASIC. For example, Figure 7 shows a schematic diagram of a single chip NIM 700 including a network interface com ection (NIC) 702, a CPU 704, random access memory 706, non-volatile storage 708, and an interconnect connection interface 710.
In yet another further embodiment, each NIM can be provided in its own virtual machine executed by a single host computer. The virtual machines could be provided by software products such as VMWare, available from http ://www. vm ware . com . Each VMWare instance provides one NIM. VMWare's networking services can be used to provide the interconnect required for internal communication between NIMs.
Although embodiments of the invention have been described above in terms of IP version 4 network protocols and addresses, it will be apparent that other network protocols and addresses (including IP version 6) can alternatively be used.
Furthermore, although embodiments of the invention have been described as being connected between one or more communications networks, it will be apparent that one or more of the NIMs can be alternatively connected to a corresponding single system, host or node.
Many modifications will be apparent to those skilled in the art without departing from the scope of the present invention as herein described with reference to the accompanying drawings.