Title of invention DESTINATION ADDRESS REWRITING TO BLOCK PEER-TO-PEER COMMUNICATIONS
Abstract Systems and methods for protecting a network including providing a mapping between internal addresses as seen by devices of the protected network and external addresses; providing devices with a mapped address for a destination in response to a lookup request; rewriting, at a gateway, destination addresses of packets exiting the protected network based on the mapping; and rewriting, at the destination-network gateway, source addresses of packets entering the protected network based on the mapping. Embodiments include a gateway coupled to a protected network, an external network, and a name server. The name server is configured, in response to a hostname lookup request, to provide a network device with the internal address, and the gateway with a mapping including the internal address, the addresses of the device, and the hostname. The gateway is configured to rewrite destination addresses of outbound packets, and source addresses of inbound packets, based on the mapping.
Publication number US2015358279(A1) Publication date 2015.12.10
Application number US201313828427 Filing date 2013.03.14
Applicant Raytheon BBN Technologies Corp. Inventors Ellard Daniel Joseph; Jackson Alden Warren; Jones Christine Elaine; Karlin Josh Forrest; Manfredi Victoria Ursula; Mankins David Patrick; Strayer William Timothy
Classification H04L29/06; H04L29/08; H04L12/58 Main classification H04L29/06
Patent agency Agent
Principal claim 1. A method for protecting a network comprising: receiving, at a name server, a domain lookup request for a destination outside the network from a device in the network; generating an internal address for the destination in response to the request; storing the internal address and an actual address of the destination as a mapping in a data store; providing the internal address to the device in response to the lookup request; replacing, at a network gateway based on the mapping, a destination address of an outbound packet having the internal address with the actual address of the destination; and replacing, at the network gateway based on the mapping, a source address of an inbound packet entering the protected network with the internal address; wherein, the internal address is different than the actual address of the destination.
Address US
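
The method of the abstract and claim 1, modelled as an added example (not code from the patent or the applicant): a name server issues an internal address per lookup, and the gateway rewrites outbound destinations and inbound sources from the shared mapping. The class names, the 10.200.0.0/24 pool, the sample addresses, and the choice to drop packets that have no mapping or use a mapping issued to another device are assumptions made for illustration.

```python
import ipaddress

class NameServer:
    """Answers lookups with a generated internal address and stores the mapping."""
    def __init__(self, pool, actual_records, store):
        self.free = iter(ipaddress.ip_network(pool).hosts())  # assumed internal pool
        self.actual_records = actual_records  # constructed hostname -> actual address
        self.store = store                    # data store shared with the gateway

    def lookup(self, device, hostname):
        internal = str(next(self.free))
        self.store[internal] = {"actual": self.actual_records[hostname],
                                "device": device, "hostname": hostname}
        return internal                       # the device never sees the actual address

class Gateway:
    def __init__(self, store):
        self.store = store

    def outbound(self, pkt):
        m = self.store.get(pkt["dst"])
        # Assumption: no mapping, or a mapping issued to another device, means drop.
        if m is None or m["device"] != pkt["src"]:
            return None
        return {**pkt, "dst": m["actual"]}    # internal destination -> actual address

    def inbound(self, pkt):
        for internal, m in self.store.items():
            if m["actual"] == pkt["src"] and m["device"] == pkt["dst"]:
                return {**pkt, "src": internal}  # actual source -> internal address
        return None                           # assumption: unmapped source is dropped

def run_demo():
    store = {}
    ns = NameServer("10.200.0.0/24", {"www.example.org": "203.0.113.10"}, store)
    gw = Gateway(store)
    dev = "192.168.1.5"                       # constructed device address
    internal = ns.lookup(dev, "www.example.org")
    out = gw.outbound({"src": dev, "dst": internal, "data": "GET /"})
    back = gw.inbound({"src": "203.0.113.10", "dst": dev, "data": "200 OK"})
    # A peer address learned out of band was never issued by the name server.
    p2p = gw.outbound({"src": dev, "dst": "198.51.100.77", "data": "handshake"})
    return internal, out, back, p2p

if __name__ == "__main__":
    print(run_demo())
```
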