FIELD OF THE DISCLOSURE The disclosure relates generally to local area networking, and more particularly to a system, device, method and software for providing a visitor access to a public network.
BACKGROUND Most enterprises do not allow visitors to access their private local area networks (LANs) due to security concerns, which creates difficult work environments when visitors need to access the Internet or remote access accounts via public networks. The primary reason enterprise network managers limit access is to protect their network, servers, systems, etc. from direct or indirect malignant attacks. As such, a visitor's productivity can be significantly affected if the visitor cannot access the Internet while visiting an enterprise. For example, consultants may not be able to efficiently advise their clients without having access to a public network while they are working with clients.
Currently, some conventional solutions are available, including creating visitor accounts that provide a visitor public network access while significantly limiting access to the private LAN. Though effective, this usually requires client and server synchronized software to provide access and management of user names, passwords, access levels, etc. Such arrangements may be functional but leave a network vulnerable to outside attacks when a user accesses a public network, and require continuous management and monitoring of network accounts. As such, there is a need for enterprises to provide visitors access to a public network from within their local area network without compromising the security of their own network or having to maintain user accounts, passwords, custom software, etc.
SUMMARY OF THE INVENTION According to one aspect of the invention, a virtual visitor enabled local area network includes a visitor access point operable to provide a visitor access to a public network while connected to a local area network (LAN). The visitor access point is operable to protect the LAN using a virtual visitor network established between the visitor access point and a virtual visitor network gateway.
According to another aspect of the invention, a device for providing visitor access to a public network via a private local area network is provided. The device includes a visitor access port operable to enable a visitor to access a public network from within a private local area network (LAN) while protecting the private LAN from the visitor. The device further includes a communication interface operably coupled to the visitor access port and the private LAN and the communication interface is operable to communicate information between the visitor access port and a selective location within the private LAN.
According to a further aspect of the invention, a network enabled gateway operable to provide a visitor access to a public network from within a private local area network (LAN) is disclosed. The gateway includes a public network access interface operable to communicate processed virtual visitor network data packets to a public network that originate from within a private local area network (LAN). The gateway further includes a virtual network processor operable to process public network access data packets to provide virtual visitor network data packets for communication within the private LAN to provide a visitor access to the public network.
BRIEF DESCRIPTION OF THE DRAWINGS Other advantages, features and characteristics of the invention, as well as methods, operation and functions of related elements of structure, and the combinations of parts and economies of manufacture, will become apparent upon consideration of the following description and claims with reference to the accompanying drawings, all of which form a part of the specification, wherein like reference numerals designate corresponding parts in the various figures, and wherein:
FIG. 1 illustrates a functional block diagram of a local area network incorporating a visitor access point according to one embodiment of the invention;
FIG. 2 illustrates a functional block diagram of a virtual visitor network (VVN) operable to provide a visitor access to a public network via a private local area network according to one embodiment of the invention;
FIG. 3A illustrates a functional block diagram of a virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention;
FIG. 3B illustrates a functional block diagram of a wireless enabled virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention;
FIG. 4 illustrates a functional block diagram of a virtual visitor network gateway according to one embodiment of the invention;
FIG. 5 illustrates a flow diagram of a method for processing data packets using a virtual visitor network module according to one embodiment of the invention;
FIG. 6 illustrates a functional block diagram for encapsulating visitor data packets within a private local area network according to one embodiment of the invention;
FIG. 7 illustrates a functional block diagram of network traffic within a private local area network having an access point for a visitor and an employee according to one embodiment of the invention;
FIG. 8 illustrates a functional block diagram of a network for providing visitors and employees access to a public network using a wireless local area network according to one embodiment of the invention;
FIG. 9 illustrates a functional block diagram of a network employing wire line and wireless virtual visitor access points incorporated within an Ethernet based private local area network according to one embodiment of the invention;
FIG. 10 illustrates a flow diagram of a method for processing data packets using a virtual visitor network gateway according to one embodiment of the invention;
FIG. 11 illustrates a functional block diagram of an enterprise network incorporating a virtual visitor network employing a wireless private local area network according to one embodiment of the invention;
FIG. 12 illustrates a functional block diagram of a virtual network gateway operable to provide a virtual private network in the public network and a virtual visitor network within a private local area network according to one embodiment of the invention;
FIG. 13 illustrates a functional block diagram of a virtual network server for use in association with providing a visitor access to a public network from within a virtual private network enabled private local area network according to one embodiment of the invention;
FIG. 14 illustrates a functional block diagram of a virtual visitor network incorporated within a multi-protocol label switching enabled local area network according to one embodiment of the invention; and
FIG. 15 illustrates a functional block diagram of a single point virtual visitor network module operable to provide a visitor access to a public network from within a private local area network according to one embodiment of the invention.
DETAILED DESCRIPTION OF THE INVENTION FIG. 1 illustrates a functional block diagram of a local area network incorporating a visitor access point according to one embodiment of the invention. A local area network (LAN) 102 includes at least one visitor access point 101 provided within local area network (LAN) 102 and operable to allow a user to access a public network 103 such as the Internet. Local area network 102 may include any type of network including, but not limited to, an Ethernet, ring network, token ring network, star network, bus network, asynchronous network, and the like.
Visitor access point 101 allows for a visitor that would normally not have access to LAN 102 to access public network 103 when connected to LAN 102. For example, a visitor may couple a computer system (not expressly shown) to visitor access point 101 and may require accessing public network 103. Visitor access point 101 advantageously allows for protection of LAN 102 while a user accesses public network 103 through encapsulating data packets communicated via visitor access point 101 and LAN 102. In this manner, other network locations or nodes within LAN 102 (not expressly shown) may be isolated from inquiries, data requests, snooping, malignant attacks, etc. initiated by a visitor or other agent when a visitor connects to the LAN via visitor access point 101.
FIG. 2 illustrates a functional block diagram of a virtual visitor network (VVN) operable to provide a visitor access to a public network via a private local area network according to one embodiment of the invention. A private local area network, illustrated generally at 200, includes a visitor (visitor's computer) 201 communicatively coupled to private LAN 200 via a virtual visitor network (VVN) module 202 operable to allow a visitor to access a public network 206 via virtual visitor network (VVN) gateway 208. A virtual visitor network (VVN) 207 includes a virtual network provided within private LAN 200, which facilitates visitor 201 accessing public network 206. Private LAN 200 further includes one or more employee 209 LAN access point(s) 203 providing a user, such as an employee or guest having sufficient access rights, access to private LAN 200, and one or more private LAN node(s) 204 coupling one or more types of network devices such as servers, printers, fax machines, copiers, data storage devices, or any other type of equipment or device that may be coupled to a local area network. The public network gateway 205 may include a router, a firewall, and/or a network address translator (NAT) to process traffic between the private LAN 200 and the public network 206. VVN 207 confines packets communicated between visitor 201 and public network 206 to VVN 207. VVN gateway 208 typically does not handle traffic communicated between public network 206 and an employee 209. In one embodiment, private local area network node(s) 204 may include other user or employee systems that may be accessed or networked together. For example, a user coupled to private LAN 200 via a valid user LAN access point 203 may access another user's system via a private LAN node 204.
During operation, visitor 201 may access public network 206 through connecting to a VVN module 202. VVN module 202 detects that visitor 201 is attempting to access the network and initiates a process to isolate visitor 201 from private LAN 200 while allowing visitor 201 to access only public network 206. For example, VVN module 202 processes data packets initiated by a visitor's computer system 201 coupled to VVN module 202 such that other locations within private LAN 200 ignore any unauthorized data or access requests to one or more locations within private LAN 200. VVN gateway 208 identifies data packets communicated by VVN module 202 and, as data packets are communicated by VVN module 202, VVN gateway 208 receives the data packets and processes the data packets prior to communicating the data packets to public network 206. For example, VVN gateway 208 modifies header information within the data packets to include a source address of VVN gateway 208. As data packets are received from public network 206 in response to data packets communicated by VVN gateway 208, VVN gateway 208 processes the data packet to provide a destination or IP address of VVN module 202 and communicates the data packet to VVN module 202 using private LAN 200. As such, each packet is processed to encapsulate or isolate all other network locations within private LAN 200 from the data requested by visitor 201, and that data is communicated only to visitor 201. This allows visitor 201 to access a public network 206, such as the Internet, from within a private local area network without compromising the security of the private local area network or having to manage or create visitor/user access accounts with limited access to network locations within the local area network. In one embodiment, VVN gateway 208 and the public network gateway 205 may be integrated into a single server or system operable to provide access to public network 206.
In another embodiment, VVN module 202 may be used to allow an employee to access public network 206 via VVN gateway 208. In this manner, an employee that may not be able to access a private LAN node(s) 204 or an employee LAN access point(s) 203 may access only public network 206 via virtual visitor network 207 when connected to VVN module 202.
FIG. 3A illustrates a functional block diagram of a virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention. A virtual visitor network module (VVN), illustrated generally as VVN module 300, includes a network interface 306 operable to couple VVN module 300 to a private LAN 307 such as an Ethernet network via a wire line connection such as through copper connections, cable or coaxial based connections, fiber optic connections, etc. VVN module 300 includes a network address translator (NAT) 305 operable to resolve addresses contained within data packets and a DHCP server 303 operable to assign dynamic IP addresses to visitor computers (not expressly shown). A router 302 and network switch 301 provide for routing of information to various wire line visitor access points 308 for one or more visitors connecting to private LAN 307. Router 302 enables connection or coupling of two or more networks and functions as a sorter and interpreter as it resolves addresses and passes data streams or packets to a proper destination. Network switch 301 may include a switch (e.g., Ethernet switch) operable to provide dedicated bandwidth or a hub operable to provide shared bandwidth to visitor access points 308. If network switch 301 includes a hub, visitor access points 308 only share bandwidth between access points without sharing bandwidth with other non-visitor access points that may be connected to network switch 301. Though network interface 306 is illustrated as a single access point operable to provide access to private LAN 307, it should be understood that VVN module 300 may be configured to accommodate more than one network address within private LAN 307. VVN module 300 further includes a virtual visitor network (VVN) processor 304 operable to process data packets communicated by one or more systems coupled to visitor access points 308 and desiring access to a public network, such as the Internet, via private LAN 307.
During operation, VVN module 300 dynamically assigns a network IP address when a visitor connects to visitor access points 308 and performs a network address translation using NAT 305 when data is communicated using the assigned IP addresses. VVN processor 304 processes data communicated between private LAN 307 and visitor access point(s) 308 to add and remove data packet header information for data packets and provide a unique network IP address that identifies a visitor when connected to one of visitor access point(s) 308. VVN processor 304 encapsulates data communicated via visitor access points 308 through isolating data packets to select or specific network addresses within private LAN 307. For example, VVN processor 304 may provide a network destination address for only a network gateway (not expressly shown) provided within or in association with private LAN 307 that allows for access to a public network. In this manner, no other locations or network addresses within private LAN 307 may be accessed by a computer system connected to one of visitor access point(s) 308. As incoming data packets are communicated from private LAN 307 and received by network interface 306, network address translator 305 translates the address information for the data packets and VVN processor 304 verifies header information and detects whether data packets having IP addresses for a visitor coupled to one of visitor access point(s) 308 have been received. If a visitor's data packet has been received, VVN processor 304 restores the information, and router 302 and network switch 301 process and communicate the data packet to the appropriate visitor connected to a visitor access point 308.
In one embodiment, VVN module 300 may allow a visitor to use a network printer (not expressly shown) accessible by VVN module 300. For example, a network printer may be coupled directly to VVN module 300, and VVN module 300 may include a print server (not expressly shown) and a network printer connected to VVN module 300 via, for example, one of visitor access point(s) 308. In another embodiment, a network printer may be accessed by a visitor coupled to one of visitor access point(s) 308 via private LAN 307. For example, VVN module 300 may include a print server having network IP addresses for one or more network printers and may allow for access to a printer internal to private LAN 307 without using a print server (not expressly shown) located within private LAN 307. In this manner, visitor originated data may be selectively communicated to a specific destination or IP address within private LAN 307 without jeopardizing network security, allowing a visitor to print a document.
FIG. 3B illustrates a functional block diagram of a wireless enabled virtual visitor access module for providing a user access to a public network via a private local area network according to one embodiment of the invention. A wireless virtual visitor network module, illustrated generally as wireless VVN module 310, includes a wireless network interface 316 operable to couple wireless VVN module 310 to a private LAN 317 such as an Ethernet network via a wireless connection operable to communicate using a wireless communication protocol such as an 802.11-enabled wireless communication protocol including, but not limited to, 802.11a, g, or b. Other types of wireless communication such as infrared laser communication, mobile or cellular wireless communication, near field communication and the like may also be employed.
Wireless VVN module 310 includes a network address translator (NAT) 315 operable to translate addresses contained within data packets and a DHCP server 313 operable to assign dynamic IP addresses to visitor computers wirelessly coupled to wireless VVN module 310 via wireless visitor access point(s) 318. A router 312 and wireless hub transceiver 311 provide for routing of information to and from wireless visitor computers connected via wireless visitor access point(s) 318 and further connected to private LAN 317. Though illustrated as a single access point to private LAN 317, it should be understood that wireless VVN module 310 may be configured to accommodate more than one network address within private LAN 317. Wireless VVN module 310 further includes a virtual visitor network (VVN) processor 314 operable to process data packets communicated from one or more systems coupled to wireless visitor access point(s) 318 and a VVN server (not expressly shown) and desiring access to a public network, such as the Internet, via private LAN 317.
During operation, a user may access private LAN 317 using a wireless-enabled computer system operable to connect to wireless visitor access point(s) 318. For example, wireless VVN module 310 may be placed proximal to a conference room, visitor center, etc. which may be frequently used by visitors. VVN module 310 being wirelessly coupled to private LAN 317 allows for flexible placement of VVN module 310 in various locations such that VVN module 310 may be operational without a user having to physically access wireless VVN module 310. However, in other embodiments, wireless VVN module 310 may include one or more wire line connection ports or visitor access points allowing a user to connect directly to wireless VVN module 310.
Wireless VVN module 310 further allows visitors the flexibility of being untethered from wireless VVN module 310. A visitor may access wireless VVN module 310 through performing a search on available wireless networks and, upon identifying a wireless signal or wireless visitor access point 318 communicated by wireless hub transceiver 311, a user may elect to connect to wireless VVN module 310 to access private LAN 317.
FIG. 4 illustrates a functional block diagram of a virtual visitor network gateway according to one embodiment of the invention. A virtual visitor network (VVN) gateway, illustrated generally at 400, includes a network interface 401 such as an Ethernet module operable to connect to a private LAN 407, and a public network interface 406 operable to communicate with a public network 403 such as the Internet. VVN gateway 400 further includes a VVN processor 404, a router 402 and a network address translator (NAT) 405. VVN processor 404 is operably associated with one or more virtual visitor network modules having virtual visitor network processors to process data packets communicated by a virtual visitor network provided within private LAN 407. NAT 405 is used to bridge multiple VVN modules using a relatively small number of IP addresses in public network 403. Router 402 routes data packets in a public network 403 such as the Internet.
During operation, VVN gateway 400 provides a visitor access to a public network 403 via a private LAN 407 and manages communication of data between private LAN 407 and public network 403. As data packets are communicated from a VVN module located within private LAN 407, VVN gateway 400 receives data packets via LAN network interface 401 and translates data packets to determine if the data packets were communicated from a VVN module. If a data packet was communicated from a VVN module, VVN processor 404 converts the data packets into a standard IP data packet having standard IP protocols. VVN processor 404 maintains a network address for the VVN module and, when requested data packets are received from public network 403 via public network interface 406, VVN processor 404 identifies the VVN module and converts the public data packets so as to encapsulate the data packets and communicate the data packets to only the VVN module. In this manner, a visitor accessing private LAN 407 may access public network 403 through VVN gateway 400.
FIG. 5 illustrates a flow diagram of a method of processing data packets using a virtual visitor network module according to one embodiment of the invention. The method may be employed within a program of instructions embodied within a computer readable medium, a memory device, encoded logic, or other devices, modules or systems operable to use a portion or all of the method illustrated in FIG. 5.
The method begins generally when a virtual visitor module, such as VVN module 202 illustrated in FIG. 2, VVN module 300 illustrated in FIG. 3A, VVN module 310 illustrated in FIG. 3B, or any other type of module operable to provide a virtual visitor network for enabling a visitor's computer system to access a public network from within a private LAN, is connected to the private LAN. Data packets may be received from a visitor computer system (step 500) or from a VVN gateway (step 514). At step 500, a visitor computer transmits a data packet having an IP header and data to the VVN module. The VVN module receives the visitor's data packet (step 500) and processes the IP header of the data packet (step 501), replacing the source address with the VVN module address assigned by a network server. For example, if a visitor's IP address is ‘192.16.1.1’ and the VVN module address is ‘20.1.10.1’, the VVN module's address would be provided instead of the visitor's IP address within the IP header.
Upon processing the IP header at step 501, the visitor's data packet including the IP header and the data may be processed according to a VVN protocol (step 502). For example, a VVN protocol may include scrambling the information or data, or applying a security protocol, to make the data contained within the data packet meaningless to other network nodes, hosts, locations, etc. within a private network. At step 503, the VVN module then encapsulates the visitor's packet by adding a VVN header to indicate the method used in processing the visitor's packet and then adds a VVN IP header to indicate the VVN gateway address to direct the packets to the VVN gateway. Packets are then communicated to the VVN gateway (step 504).
At step 514, when a data packet is received from the VVN gateway and is to be processed by a VVN module, the VVN module removes the VVN IP header and VVN header from the data packet (step 513) and processes the data packet according to information specified in the VVN header (step 512). For example, a data packet may be processed using a VVN protocol and may include de-scrambling the information or data, or applying a security protocol to restore data packets processed by the VVN gateway. The IP header is then processed by replacing the destination address with the visitor's IP address (step 511), and the data packet is communicated to the visitor computer (step 510).
FIG. 6 illustrates a functional block diagram for encapsulating visitor data packets within a private local area network according to one embodiment of the invention. A public network accessible by a private local area network (LAN) incorporating a virtual visitor network (VVN) is generally illustrated at 600 and includes a visitor's computer or visitor 601 having an Internet Protocol (IP) address of “192.168.1.10”, which is coupled to a virtual visitor network (VVN) module 602 having an IP address of “10.2.1.20” and a virtual visitor network (VVN) gateway 603 having an IP address of “10.2.1.15” within a private local area network (LAN) 604. VVN gateway 603 also has a public IP address such as 69.84.100.1. IP addresses within the private LAN 604 are assigned internally and may not be visible from the public network 605. A website 606 having a public IP address of “69.104.84.226” may be accessed using a public network 605 such as the Internet coupled to VVN gateway 603. A visitor IP data packet 611 is communicated between visitor 601 and VVN module 602 as illustrated at “A”. Similarly, a VVN data packet 614 is communicated between VVN module 602 and VVN gateway 603 as illustrated at “B”. An IP data packet 619 is communicated between VVN gateway 603 and website 606 as illustrated at “C”.
During operation, a visitor may access a public network 605 via a private LAN 604 through coupling a computer system at 601 having an IP address of “192.168.1.10” to VVN module 602. A visitor data packet 611 communicated at “A” from visitor 601 contains a source (Src) address=192.168.1.10 identifying the assigned IP address of the visitor's computer system and a destination (Dst) address=69.104.84.226 identifying web site 606 requested by the visitor. VVN module 602 detects a connection (either wireless or wire line) and translates the source IP address of visitor data packet 611 to include a new IP address, such as VVN module 602's IP address of “10.2.1.20”. For example, VVN module 602 includes a network address translator and VVN processor (not expressly shown) that changes, converts, or appends visitor data packet 611's IP header 612 to include a VVN IP header 615 having a source (Src) IP address of “10.2.1.20” and a destination (Dst) address of “10.2.1.15”. IP header 617 is modified to include a source (Src) IP address of “10.2.1.20” and a destination (Dst) address of “69.104.84.226”. Said another way, source data for visitor data packets are replaced with an IP address of a valid VVN module such as VVN module 602 (e.g. “10.2.1.20”) and destination data for visitor data packets are replaced with an IP address of VVN gateway 603 (e.g. “10.2.1.15”). In this manner, visitor data packets are confined between VVN gateway 603 and VVN module 602, employing a VVN protocol that isolates visitor data packets 611 when communicated within private LAN 604 while retaining original source and destination information for visitor 601.
An exemplary VVN data packet 614 may be formed by processing the visitor data packet 611 to include a VVN protocol having a VVN header 616 and a VVN IP header 615. One or more values may be provided within VVN header 616 to indicate a method or type of modification used to process visitor data packets 611. For example, a simple rearrangement of bits or data encryption methods may be used for processing visitor data packets 611 originating from visitor 601. When VVN gateway 603 receives VVN packet 614, it removes VVN IP header 615 and processes VVN packet 614 based on information stored within VVN header 616. For example, a decryption or other bit deciphering process may be used to restore the data packets to determine destination data to create IP data packet 619.
In one embodiment, VVN gateway 603 may include more than one IP address for use in communicating data packets. For example, VVN gateway 603 may include an IP address for internal routing within private LAN 604 (e.g. “10.2.1.15”) and an IP address for communicating data via public network 605 (e.g. “69.84.100.1”). As illustrated above, VVN gateway 603 rewrites VVN data packet 614 to include an IP header having VVN gateway 603's own IP address, resulting in IP data packet 619. When IP data packets are returned from website 606, VVN gateway 603 and VVN module 602 use stored information maintained by VVN gateway 603 and VVN module 602 in association with a NAT to send a reply or return data packets to visitor 601. IP data packets 619 returned from website 606 are modified in a reverse sequence to return data to visitor 601.
In one embodiment, a visitor data packet 611 may be processed by VVN module 602 to include only a VVN IP header 615 without including any additional information within VVN header 616. In this manner, no additional processing, other than removing the VVN IP header, will be required. In another embodiment, VVN header 616 may not be provided as a part of visitor data packet 611 and as such no additional processing would be required when visitor data packet 611 is communicated to VVN gateway 603 or returned to VVN module 602.
In one embodiment, processing visitor data packets 611 using a VVN protocol provided by VVN module 602 and VVN gateway 603 renders the visitor data packets 611 useless when communicated to an unintended device within private LAN 604. For example, VVN gateway 603 and VVN module 602 may be the only devices within private LAN 604 having knowledge of the VVN protocol used, and other devices or systems connected to private LAN 604 may not be able to restore VVN packets 614. As such, devices or systems within private LAN 604 may discard or ignore VVN packets 614 when received. In this manner, visitor data packets 611 that originate from a visitor's system are communicated by visitor 601 and processed by VVN module 602 to generate VVN packets 614 which cannot cause security concerns within private LAN 604. Similarly, IP data packets 619 that are returned from public network 605 are processed by VVN gateway 603 to produce VVN packets 614 that can only be consumed by VVN module 602 provided within private LAN 604.
In one embodiment, a security protocol such as IPsec or secure socket layer (SSL) may be used in combination with a VVN protocol. For example, a secure socket layer (SSL) protocol may be used prior to or after processing data packets based on a VVN protocol provided by VVN module 602 and/or VVN gateway 603. Through providing a security protocol or SSL between VVN module 602 and VVN gateway 603, VVN packets 614 are confined to within an SSL-enabled channel established between VVN gateway 603 and VVN module 602.
In another embodiment, VVN gateway 603 and VVN module 602 may use either dynamic IP addresses or static IP addresses. For example, a DHCP server (not expressly shown) provided as a part of private LAN 604 may assign a dynamic address to VVN gateway 603 and/or VVN module 602. A DHCP server works in association with a client computer and enables individual computers on a network to obtain their configurations from the DHCP server. DHCP allows a network administrator to supervise and distribute IP addresses from a central server (not expressly shown) that automatically sends a new IP address when a computer is connected to private LAN 604. For example, when VVN module 602 is initialized, VVN module 602 registers with VVN gateway 603, and VVN module 602 and VVN gateway 603 both agree on one or more processing methods or protocols for processing VVN packets 614 to be communicated within private LAN 604.
FIG. 7 illustrates a functional block diagram of network traffic within a private local area network having an access point for a visitor and an employee according to one embodiment of the invention. A wireless network access point (AP) illustrated generally at 701 includes an embedded virtual visitor network (VVN) module 702 having a DHCP server 703, a network address translator (NAT) 704, a router 706 and a VVN processor 705. Communication with a visitor's or employee's computer system is provided using a wireless transceiver 708 operable to communicate using an 802.11-based protocol. Other wireless transceivers and protocols may also be used. Ethernet interface 707 provides communication to/from a private LAN (not expressly shown).
During use, network traffic 711 includes both VVN packets 709 and employee packets 710 communicated through embedded VVN module 702. For example, a user may select from one or more Service Set Identifiers (SSIDs) transmitted by wireless transceiver 708 of wireless access point 701. In one form, an employee network SSID may be broadcast by wireless transceiver 708, and an employee may enter a valid password to access an employee network within the private LAN (not expressly shown). Similarly, wireless transceiver 708 may broadcast a visitor SSID allowing a visitor to connect to wireless access point 701. VVN module 702, having NAT 704 and router 706, may then determine the source of a data packet received by wireless transceiver 708 (employee or visitor) from the SSID to which the user connected, and process it accordingly. For example, all data packets communicated over the visitor SSID are processed by VVN processor 705 to create VVN packets 709 that may be communicated within network traffic 711 of the private LAN. The dotted lines in FIG. 7 indicate data packets originating from a visitor, which are processed by VVN module 702 and provided within network traffic 711 via Ethernet interface 707. Data packets originating from the employee SSID are illustrated as employee packets 710, shown as a solid line traversing VVN module 702 via wireless transceiver 708 and Ethernet interface 707 and included within network traffic 711. Employee packets 710 traverse wireless access point 701 without being processed by VVN processor 705 into VVN packets 709.
FIG. 8 illustrates a functional block diagram of a network for providing visitors and employees access to a public network using a wireless local area network according to one embodiment of the invention. A private local area network employing a wireless access point, illustrated generally at 800, includes a wireless access point 803 having an embedded virtual visitor network module and operable to communicatively couple one or more visitor systems 801 and/or employee systems 802 to a private local area network (LAN) 805. Private LAN 805 further includes a network printer 808, a server 809 and other types of network nodes. A firewall and network address translator (NAT) 807 is coupled to private LAN 805 and provides access to a public network 810 such as the Internet. Virtual visitor network (VVN) gateway 806 works in association with wireless access point 803 to provide a virtual visitor network (VVN) 804.
During use, visitors may connect computers via wireless access point 803, which may be an 802.11-enabled wireless access point employing Service Set Identifiers (SSIDs). An SSID is a network name of up to 32 bytes that identifies a wireless network offered by an access point such as wireless access point 803. In one embodiment, wireless access point 803 may use two or more SSIDs to distinguish visitors from employees, valid users, etc. For example, one SSID may be labeled “VisitorNet” to allow visitors to connect to the wireless access point. Similarly, another SSID may be labeled “EmployeeNet” to enable employees to connect to wireless access point 803.
When connecting to wireless access point 803 for the first time, a visitor selects the SSID labeled “VisitorNet” to access wireless access point 803. An employee may be required to enter a secret key, such as a Wired Equivalent Privacy (WEP) key, to access the “EmployeeNet” provided by wireless access point 803. Other security features for either visitors or employees may also be employed, and the “EmployeeNet” usually requires additional validation of a system before it is allowed to connect to wireless access point 803 as an employee. In this manner, if a visitor tries to access the “EmployeeNet”, wireless access point 803 will deny access if the visitor does not have valid credentials. In one embodiment, a media access control (MAC) address of an employee's system may be used to allow a user to access wireless access point 803. For example, wireless access point 803 may resolve the MAC address of a computer system attempting to connect to “EmployeeNet” and determine whether it is a valid MAC address for an employee. If an invalid MAC address attempting to access “EmployeeNet” is identified (e.g., a visitor), wireless access point 803 will deny access. Note that WEP has since been shown to be cryptographically broken and is superseded by WPA2/WPA3, and that MAC addresses are trivially spoofable, so neither check is a strong control on its own; the confinement of visitor traffic to the VVN is what keeps visitors off the private LAN.
FIG. 9 illustrates a functional block diagram of a network employing wire-line and wireless virtual visitor access points incorporated within an Ethernet-based private local area network according to one embodiment of the invention. A network, illustrated generally at 900, includes an Ethernet-based private local area network 904 connecting several network nodes, including a first workstation 910, a second workstation 911, and a third workstation 909, which may be desktop computing systems, laptop computing systems, or any other type of system that may be connected to an Ethernet-based network. Network printer 906, server 907 and other types of network nodes are also connected and accessible via private LAN 904. Network 900 further includes a firewall and virtual private network gateway 903. Server 907 may be a Domain Name Server (DNS), DHCP server, enterprise server, network storage or data server, or any other type of server.
Private LAN 904 further includes a virtual visitor network switch 913, configured as a switch and connectable to virtual visitor network (VVN) gateway 902, operable to establish a first virtual visitor network (VVN) 905 within private LAN 904, and a virtual visitor network hub 914, configured as a hub and connectable to VVN gateway 902, operable to establish a second virtual visitor network (VVN) 912. Either a network hub or a network switch may be employed: a hub shares its bandwidth among all connected users, whereas a switch provides full bandwidth to each individual user coupled to private LAN 904. For example, virtual visitor network switch 913 and/or virtual visitor network hub 914 may be configured to support various data rates such as 10 Mbit/s, 100 Mbit/s, 1 Gbit/s, etc.
Virtual visitor network switch 913 allows for wire-line access by a first visitor computer system 906 and a second visitor computer system 907. A visitor printer 908 is also coupled to virtual visitor network switch 913 and allows first visitor computer system 906 and second visitor computer system 907 to print documents without having to access private LAN 904. Virtual visitor network switch 913 may include logic to provide a print server; other embodiments may instead use a network node such as a print server located within private LAN 904. For example, virtual visitor network switch 913 may establish a VVN between VVN module 913 and network printer 906.
Network 900 further allows visitors to access private LAN 904 using virtual visitor network hub 914, operable to provide a wireless-enabled network such as an 802.11-based network to connect a first wireless-enabled visitor computer system 916 and a second wireless-enabled visitor computer system 915. Virtual visitor network hub 914 is provided in association with VVN gateway 902 and provides visitors wireless access to private LAN 904 through second virtual visitor network 912.
During operation, first VVN 905 and second VVN 912 protect the enterprise network or private LAN 904 from visitors by confining packets from a visitor's computer system and directing them to a public network 901 through first VVN 905 and second VVN 912. A visitor may connect a computer to virtual visitor network switch 913 or virtual visitor network hub 914 to access the Internet or public network 901. First VVN 905 and second VVN 912 establish virtual tunnels between VVN gateway 902 and VVN switch 913 and VVN hub 914, respectively. VVN gateway 902 may have a direct connection to public network 901 (e.g., the Internet) or an indirect connection through a security device such as VPN/firewall 903 as shown in FIG. 9. In one embodiment, VVN gateway 902 may be provided as an integral part of VPN/firewall 903, a NAT, etc.
First VVN 905 and second VVN 912 provide several advantages over conventional networks and allow for a simplified visitor access networking solution without having to add an additional private network for visitors to an enterprise network, which would require Information Technology (IT) managers to manage visitor access within an existing enterprise network. For example, network managers are not required to assign special network outlets or dedicate network ports in a switch, router, wall outlet, etc. to visitors. Such configurations do not guarantee protection of an enterprise network from hacking by visitors. Additionally, network outlets are not easily movable and would need to be verified to ensure that no visitor is accessing the enterprise network directly.
Additionally, VVN switch 913 and/or VVN hub 914 may be provided in various colors, such as bright yellow, red, etc., to be visually identifiable as visitor devices. In one embodiment, VVN switch 913 and/or VVN hub 914 may be provided as a modular device that may be connected to any network outlet within private LAN 904. For example, IT managers can give a visitor a modular device incorporating VVN switch 913, and the visitor can simply plug VVN switch 913 into any available network outlet within private LAN 904, allowing VVN switch 913 to be moved as needed to various rooms, offices, conference rooms, etc. having network connections or ports for private LAN 904. In this manner, when a visitor connects a computer, such as first visitor computer system 906, to modular VVN switch 913, VVN gateway 902 identifies VVN switch 913 and monitors and controls VVN switch 913 while it is connected to a network outlet of private LAN 904. VVN switch 913 and VVN gateway 902 thereby confine a visitor's packets (not expressly shown) and prevent visitors from accessing other locations, devices, nodes, etc. within private LAN 904.
FIG. 10 illustrates a flow diagram of a method for processing data packets using a virtual visitor network gateway according to one embodiment of the invention. The method may be employed within a program of instructions embodied in a computer-readable medium, a memory device, encoded logic, or other devices, modules or systems operable to use a portion or all of the method illustrated in FIG. 10. The method may be employed by VVN gateway 208 illustrated in FIG. 2, VVN gateway 400 illustrated in FIG. 4, VNS 1300 illustrated in FIG. 13, or any other system operable to employ the method illustrated in FIG. 10.
Data packets may be received from within a private LAN (step 1100) or from a public network (step 1114). At step 1100, a data packet is received from a VVN module located within a private LAN, and the VVN IP header and VVN header of the data packet are removed (step 1101). The VVN packet is processed (step 1102) using the specification provided within the VVN header. This processing restores the same data packet originally communicated by the visitor system and processed by the VVN module (not expressly shown). The IP header is then processed (step 1103) by replacing the source IP address (i.e., the VVN module's IP address) with the VVN gateway's IP address. The data packet is then communicated to its public network destination address (step 1104).
At step 1114, a data packet is received by the VVN gateway from a public network source, and the data packet is processed (step 1113) by modifying the IP header, replacing the destination address (i.e., the VVN gateway's address) with the VVN module's address. The IP header and data received from the public network source are then processed (step 1112), which may include adding a security feature or scrambling the data contents of the packet. At step 1111, a VVN header is added to indicate the processing method used at step 1112, and a VVN IP header with the VVN module's address as destination is also added. Upon adding the VVN header and VVN IP header, the data packet is communicated to the VVN module (step 1110).
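The two FIG. 10 paths, together with the SSID-based split at the access point of FIG. 7, as an added worked example in Python; this is not code from the page or from the patent's own implementation. It models a VVN packet as a VVN IP header, a four-byte VVN header (method, reserved, length) and the processed inner IPv4 packet. All addresses, the use of IP protocol number 253 for the tunnel, and the XOR "processing method" are constructed assumptions; XOR stands in for whatever method the module and gateway agree on at registration and gives no confidentiality by itself, which is why the text layers SSL or IPsec on top.

```python
import struct

# Toy model of the VVN packet flow of FIG. 7 and FIG. 10. Addresses, the protocol
# number and the XOR "processing method" are assumptions made for this example.
VISITOR_IP = "192.168.50.10"   # visitor system behind the VVN module
VVN_MODULE_IP = "10.0.0.20"    # VVN module's address on the private LAN
VVN_GATEWAY_IP = "10.0.0.1"    # VVN gateway's address on the private LAN
PUBLIC_IP = "203.0.113.5"      # server on the public network
PROTO_VVN = 253                # IANA experimental IP protocol number, used for the VVN tunnel
PROTO_TCP = 6
METHOD_XOR = 1                 # method id agreed at module registration; XOR is reversible
XOR_KEY = 0x5A                 # but gives no confidentiality, hence the SSL/IPsec layer above

def ip_checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum; evaluates to 0 over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header without options, then the payload."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject a truncated or corrupted header."""
    if len(pkt) < 20 or ip_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    _, _, total_len, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(s), dotted(d), proto, pkt[20:total_len]

def process(data: bytes, method: int) -> bytes:
    """Apply the processing method named in the VVN header (XOR is its own inverse)."""
    if method != METHOD_XOR:
        raise ValueError("unknown VVN processing method %d" % method)
    return bytes(b ^ XOR_KEY for b in data)

def wrap(inner: bytes, src: str, dst: str) -> bytes:
    """Process the inner packet, then prepend the VVN header (method, reserved, length)
    and a VVN IP header carrying the tunnel endpoints."""
    body = process(inner, METHOD_XOR)
    return ipv4_packet(src, dst, PROTO_VVN, struct.pack("!BBH", METHOD_XOR, 0, len(body)) + body)

def is_vvn_packet(pkt: bytes, src: str, dst: str) -> bool:
    """True only for a VVN packet between the expected tunnel endpoints."""
    osrc, odst, proto, _ = parse_ipv4(pkt)
    return proto == PROTO_VVN and (osrc, odst) == (src, dst)

def unwrap(pkt: bytes, src: str, dst: str):
    """Strip VVN IP header and VVN header, undo the processing, return the parsed inner packet."""
    if not is_vvn_packet(pkt, src, dst):
        raise ValueError("not a VVN packet between the expected endpoints")
    payload = parse_ipv4(pkt)[3]
    method, _, length = struct.unpack("!BBH", payload[:4])
    return parse_ipv4(process(payload[4:4 + length], method))

def module_process(pkt: bytes, ssid: str) -> bytes:
    """Access point (FIG. 7): employee SSID bypasses the VVN processor; visitor SSID is wrapped."""
    if ssid == "EmployeeNet":
        return pkt
    if ssid != "VisitorNet":
        raise ValueError("unknown SSID %r" % ssid)
    _, dst, proto, data = parse_ipv4(pkt)
    inner = ipv4_packet(VVN_MODULE_IP, dst, proto, data)           # NAT 704
    return wrap(inner, VVN_MODULE_IP, VVN_GATEWAY_IP)               # VVN processor 705

def gateway_to_public(vvn_pkt: bytes) -> bytes:
    """Gateway, LAN side (FIG. 10 steps 1100-1104)."""
    _, dst, proto, data = unwrap(vvn_pkt, VVN_MODULE_IP, VVN_GATEWAY_IP)   # steps 1101, 1102
    return ipv4_packet(VVN_GATEWAY_IP, dst, proto, data)                  # step 1103

def gateway_to_module(public_pkt: bytes) -> bytes:
    """Gateway, public side (FIG. 10 steps 1114-1110)."""
    src, dst, proto, data = parse_ipv4(public_pkt)
    if dst != VVN_GATEWAY_IP:
        raise ValueError("reply is not addressed to the gateway")
    inner = ipv4_packet(src, VVN_MODULE_IP, proto, data)           # step 1113
    return wrap(inner, VVN_GATEWAY_IP, VVN_MODULE_IP)               # steps 1112, 1111

def module_to_visitor(vvn_pkt: bytes) -> bytes:
    """Return path at the module: unwrap and map back to the single visitor behind NAT 704."""
    src, _, proto, data = unwrap(vvn_pkt, VVN_GATEWAY_IP, VVN_MODULE_IP)
    return ipv4_packet(src, VISITOR_IP, proto, data)

def round_trip(request: bytes, reply: bytes):
    """Drive a request and its reply through module and gateway; return the parsed
    packet as seen on the private LAN, on the public network and by the visitor."""
    req = ipv4_packet(VISITOR_IP, PUBLIC_IP, PROTO_TCP, request)
    on_lan = module_process(req, "VisitorNet")
    on_public = gateway_to_public(on_lan)
    rep = ipv4_packet(PUBLIC_IP, VVN_GATEWAY_IP, PROTO_TCP, reply)
    at_visitor = module_to_visitor(gateway_to_module(rep))
    return parse_ipv4(on_lan), parse_ipv4(on_public), parse_ipv4(at_visitor)
```

round_trip() drives one request and its reply through the module and the gateway and returns the packet as parsed on the private LAN, on the public network and at the visitor. The only addresses that ever appear on the private LAN are the module's and the gateway's, and the visitor's payload appears there only in processed form; a packet that is not a VVN packet between those two endpoints is rejected by unwrap(), which is the check a gateway needs so that an arbitrary LAN host cannot inject traffic into the visitor path.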
FIG. 11 illustrates a functional block diagram of an enterprise network incorporating a virtual visitor network employing a wireless private local area network according to one embodiment of the invention. An enterprise network, illustrated generally at 1100, may be coupled to a public network 1115 such as the Internet through a LAN gateway 1102 employing a firewall and/or virtual private network. Enterprise network 1100 further includes a virtual visitor network (VVN) gateway 1103 coupled to LAN gateway 1102 and provided in association with a wireless virtual visitor network (VVN) switch 1105 and a wireless virtual visitor network (VVN) hub 1110 operable to provide one or more visitors access to public network 1115. For example, first visitor computer system 1108 and second visitor computer system 1109 may be connected to wireless VVN switch 1105 using wire-line connections. Additionally, third visitor computer system 1111 and fourth visitor computer system 1112 may be wirelessly connected to wireless VVN hub 1110.
During operation, wireless access point 1104 communicates with each 802.11b-enabled device to provide access to private LAN 1101 via wireless communications. For example, first computer system 1106 and second computer system 1107 may be employee systems and may include embedded 802.11b communication devices operable to communicate with wireless access point 1104 provided as part of private LAN 1101. Wireless VVN hub 1110 does not require physical ports for visitors and may easily support many visitors relative to wireless VVN switch 1105, which offers visitors only wire-line connectivity. Wireless VVN switch 1105 and wireless VVN hub 1110 may be wirelessly connected to private LAN 1101 via wireless access point 1104. Private LAN 1101 may be an Ethernet-based network; however, other communication media and protocols, such as fiber, ATM, and the like, may also be employed. Private LAN 1101 further connects an enterprise server 1114, network printer 1113 and other network nodes providing users access to data storage, applications, etc.
Wireless devices illustrated in FIG. 11 may be provided as wireless local area network devices or systems that operate using an 802.11x wireless standard, where x = a, b or g. Additionally, wireless VVN switch 1105 may be provided as a client-based hub communicating as an 802.11b-enabled station coupled to wireless access point 1104. As such, wireless access point 1104 need not contain a VVN module to communicate data packets within a virtual visitor network. For example, a VVN may be established between wireless VVN switch 1105 and VVN gateway 1103, or between wireless VVN hub 1110 and VVN gateway 1103, respectively. Wireless VVN hub 1110 and wireless VVN switch 1105 are wirelessly coupled to wireless access point 1104 and may be configured to communicate using different channels to avoid interference and/or conflicts. For example, a wireless private LAN 1117 may be provided via wireless access point 1104 by enabling channel one (1) to allow first employee computer system 1106, second valid computer system 1107, wireless VVN switch 1105 and wireless VVN hub 1110 to connect to wireless private LAN 1117. If a visitor attempts to access wireless access point 1104 within private wireless LAN 1117 directly on channel one (1), wireless access point 1104 will reject the visitor as not being a registered or valid user. Additionally, while wireless VVN hub 1110 is accessing wireless access point 1104 via channel 1, wireless VVN hub 1110 uses a different channel, e.g., channel 6, to communicate with visitor computers 1111 and 1112 (channels 1 and 6 do not overlap in the 2.4 GHz band). Channel separation reduces interference only; it is not an access control, since any station can tune to any channel, so the rejection of unregistered visitors at wireless access point 1104 still has to rest on authentication.
Enterprise network 1100 may also employ various types, configurations, and/or combinations of VVN hubs. For example, enterprise network 1100 may employ a wire-line-only connection to private LAN 1101 for visitors, as illustrated in FIG. 3. Additionally, enterprise network 1100 may employ a wire-line connection to private LAN 1101 together with a wireless connection for visitors, as illustrated in FIG. 9. Other embodiments may provide a wireless connection to private LAN 1101 and a wire-line connection for visitors, as illustrated by wireless VVN switch 1105. Enterprise network 1100 may also employ a wireless connection for both visitors and valid users or employees, as illustrated in FIG. 8. As such, various combinations and levels of wireless and wire-line access to public network 1115 via private LAN 1101 may be provided within enterprise network 1100 while ensuring network integrity, security, and efficient access.
In one embodiment, VVN modules may be communicatively coupled, allowing visitor systems to communicate with each other. For example, VVN gateway 1103 may manage users connected to wireless VVN hub 1110 and/or wireless VVN switch 1105 and may allow multiple users to access each other's systems. In this manner, multiple visitors from the same company may communicate within enterprise network 1100, providing a private visitor LAN between visitors while their traffic still never leaves the VVN.
FIG. 12 illustrates a functional block diagram of a virtual network gateway operable to provide a virtual private network and a virtual visitor network within a private local area network according to one embodiment of the invention. An enterprise network, illustrated generally at 1200, allows users to access a private LAN 1202 both from a public network 1203 and from within private LAN 1202. Enterprise network 1200 includes a virtual private network (VPN) client 1213 operable to be coupled to a VPN server 1204, which may be provided internal or external to a virtual network server (VNS) 1201. Enterprise network 1200 further includes a virtual visitor network (VVN) module 1206 operably connected to a virtual visitor network (VVN) gateway 1205, which may be provided internal or external to VNS 1201. Private LAN 1202 further includes a local area network based on Ethernet 1208 operable to connect multiple nodes such as a first LAN node 1209 and a second LAN node 1210. VVN module 1206 may also be connected to private LAN 1202 via Ethernet 1208.
During operation, enterprise network 1200 may protect employees accessing private LAN 1202 from VPN client 1213 via public network 1203. VPN server 1204 serves as a gateway located between private LAN 1202 and public network 1203. A virtual communication tunnel, or VPN tunnel 1215, is created using encryption to exchange data packets between VPN client 1213 and VPN server 1204. By establishing VPN tunnel 1215, network attacks originating from public network 1203 are mitigated, and VPN data packets may be communicated securely within private LAN 1202. Enterprise network 1200 further includes a VVN tunnel 1216, established between VVN gateway 1205 and VVN module 1206, created to protect private LAN 1202 from network attacks that may originate inside VVN tunnel 1216. VVN data packets are confined to VVN tunnel 1216; attacks originating within VVN tunnel 1216 are therefore confined to VVN gateway 1205 and VVN module 1206 and cannot escape VVN tunnel 1216. VPN tunnel 1215 and VVN tunnel 1216 are virtual networks that do not exist as physical entities in the physical network. Note the symmetry: the VPN protects the LAN from the outside by admitting trusted remote users, whereas the VVN protects the LAN from the inside by keeping untrusted local users contained.
FIG. 13 illustrates a functional block diagram of a virtual network server for use in association with providing a visitor access to a public network from within a virtual private network enabled private local area network according to one embodiment of the invention. A virtual network server (VNS) is illustrated generally at 1300 and includes several modules and components, including a network address translator 1305, a router 1302, and a firewall 1301. VNS 1300 further includes a virtual private network (VPN) server 1303 and a virtual visitor network (VVN) gateway 1304. VPN server 1303 and VVN gateway 1304 provide access between private local area network (LAN) 1308 and a public network 1307 and may be used within an enterprise network (not expressly shown). In some embodiments, VNS 1300 may include only VVN gateway 1304 and/or VPN server 1303; in other embodiments VNS 1300 may include each functional module or component illustrated. In some embodiments, other forms of protection may also be provided, including a DHCP server, intrusion detection modules, servers or software provided as part of, or in association with, VNS 1300.
VNS 1300 is a comprehensive security device that provides support services for a business: it protects private LAN 1308 from intruders on public network 1307, manages privacy within private LAN 1308, and protects private LAN 1308 while allowing visitors and authorized users to access public network 1307 from within the same network environment. During operation, a visitor may access private LAN 1308 via a visitor access point within private LAN 1308. Network address translator 1305 and router 1302 resolve network traffic communicated from private LAN 1308, determine header information, and route traffic based on the header and other information provided. For example, a data packet may include destination or source address information communicated from a virtual visitor network module or hub (not expressly shown); it may be resolved by NAT 1305 and provided to VVN gateway 1304 for processing. VVN gateway 1304 may extract the destination or website being requested within public network 1307 and any other processing information, and use that processing information to restore the data packet before forwarding it to public network 1307, thereby allowing a visitor to access a public network from within private LAN 1308. When data packets are returned from public network 1307, VNS 1300 determines which computer system requested the data (i.e., employee, visitor, etc.) and processes the data packets if required.
In some embodiments, VVN gateway 1304 or VNS 1300 may include a VVN management application (not expressly shown) for managing or monitoring the visitor network(s) provided within private LAN 1308. For example, a VVN management application may be used to change, alter, or configure a virtual visitor network; add and delete VVN features; modify access rights for a VVN; create a VVN status report; create a VVN public access report; manage VVN modules; manage software versions; etc. For example, a VVN management application may keep track of usage within a VVN, monitor for intrusions, provide alarm notifications when suspicious activity is detected, communicate software upgrades to VVN modules, etc. The VVN management function may be an integral part of VNS 1300 or may be provided as part of a network server within private LAN 1308.
FIG. 14 illustrates a functional block diagram of a virtual visitor network incorporated within a multi-protocol label switching enabled local area network according to one embodiment of the invention. A Multi-Protocol Label Switching (MPLS) enabled LAN, illustrated generally at 1400, includes a virtual visitor network (VVN) module 1404 which may be used to connect a first visitor computer system 1405, a second visitor computer system 1406, and/or a third computer system 1407 to an enterprise network employing a private LAN. VVN module 1404 is connected to a virtual visitor network (VVN) gateway 1402 using MPLS-enabled LAN 1400. The MPLS communication protocol confines data packets to the path between VVN gateway 1402 and VVN module 1404. MPLS is an Internet Engineering Task Force (IETF) standard that uses label switching to forward data packets through MPLS-enabled network 1400. A label is a small identifier inserted into a data packet at an ingress router, second label edge router (LER2) 1408, and removed at an egress router, first label edge router (LER1) 1410. A first label switching router (LSR1) 1409, a second label switching router (LSR2) 1411, and a third label switching router (LSR3) 1403 communicate data packets between second label edge router (LER2) 1408 and first label edge router (LER1) 1410. An LSR is a router within an MPLS network that participates in establishing Label Switched Paths (LSPs) using label switching. An LER is a device that operates at the edge of the network being accessed and interfaces with the MPLS network. LERs support multiple ports and forward network traffic through an MPLS-enabled network after LSPs are established. LERs assign and remove labels as data packets enter or exit an MPLS network.
During operation, as data packets transit MPLS-enabled network 1400, label tables, or a Label Information Base (LIB), are consulted by each component: LER2 1408, LER1 1410, LSR1 1409, LSR2 1411, and LSR3 1403. For each packet, the inbound reference maintained in the LIB is looked up, and an outbound interface, communication path or label-switched path (LSP), and outbound label are determined. An LSP is defined by the sequence of labels that identifies each node or LSR along a communication or transmission path from a source to a destination. An LSP is established either before data packets are transmitted or upon detection of a certain flow of data.
VVN module 1404 may be connected to LER2 1408, and VVN gateway 1402 may be connected to LER1 1410. LER2 1408 may establish an LSP for VVN module 1404 to send data packets to VVN gateway 1402. Similarly, LER1 1410 may set up an LSP for VVN gateway 1402 to send data packets to VVN module 1404. As such, the LSP for sending data packets from VVN module 1404 to VVN gateway 1402 may differ from the LSP for sending data packets from VVN gateway 1402 to VVN module 1404. In this manner, all data packets coming from VVN module 1404 are routed to VVN gateway 1402 within the MPLS network, and all data packets from VVN gateway 1402 are directed to VVN module 1404 via MPLS-enabled private LAN 1400. MPLS-enabled private LAN 1400 thus escorts visitor data packets, ensuring that they reach only the intended destination regardless of the destination address a visitor places in the IP header.
In some embodiments, LER1 1410 may be incorporated within or provided as part of VVN gateway 1402. Similarly, LER2 1408 may be incorporated within or provided as part of VVN module 1404. In this manner, VVN module 1404 and VVN gateway 1402 may themselves establish an LSP for data packets. For example, when data packets are delivered from VVN module 1404 to VVN gateway 1402, VVN module 1404 may generate labels for the data packets, maintained within an LIB, and VVN gateway 1402 may remove the labels when the data packets are received. Likewise, when data packets are communicated from VVN gateway 1402 to VVN module 1404, VVN gateway 1402 may create labels within an LIB and VVN module 1404 may remove them. In this manner, one or more portions of an MPLS network may be provided as part of a virtual visitor network to allow a visitor to access a public network from within a private network without compromising the security of an enterprise network.
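The label-switched escort described above for FIG. 14, as an added example in Python; this is not code from the page or from the patent's own implementation. Node names follow FIG. 14; the port names, label values and the rule that the ingress LER binds a packet to an LSP by the edge port it arrives on are assumptions made for the example. The two LSPs take different paths, as the text allows, and the inner IP destination never influences forwarding, so a visitor packet addressed to a host on the private LAN still lands at the gateway, and a labeled packet with no LIB entry is dropped rather than routed by its IP header.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Node names follow FIG. 14 (LER2 1408 at the module, LER1 1410 at the gateway,
# LSR1 1409, LSR2 1411, LSR3 1403). Port names, label values and the binding
# policy are constructed for this example and are not taken from the page.


@dataclass
class Packet:
    src: str
    dst: str                                           # inner IP destination; LSRs never look at it
    labels: List[int] = field(default_factory=list)    # label stack, top of stack last
    path: List[str] = field(default_factory=list)      # nodes traversed, for inspection


class LabelNode:
    """An LSR or LER. lib maps (in_port, in_label) -> (out_port, out_label), where
    out_label None means pop at the egress. fec binds unlabeled packets to an LSP by
    the edge port they arrive on, so the inner destination never chooses the path."""

    def __init__(self, name: str):
        self.name = name
        self.lib: Dict[Tuple[str, int], Tuple[str, Optional[int]]] = {}
        self.fec: Dict[str, Tuple[str, int]] = {}
        self.links: Dict[str, Tuple["LabelNode", str]] = {}   # out_port -> (neighbour, its in_port)

    def forward(self, in_port: str, pkt: Packet) -> Tuple[str, Packet]:
        """Push, swap or pop, then hand the packet on; returns (delivery point, packet)."""
        pkt.path.append(self.name)
        if pkt.labels:                                        # core: switch on the top label
            entry = self.lib.get((in_port, pkt.labels[-1]))
            if entry is None:
                return "dropped:" + self.name, pkt            # no LSP for this label: discard
            out_port, out_label = entry
            pkt.labels.pop()
            if out_label is not None:
                pkt.labels.append(out_label)                  # swap (None = pop at egress LER)
        else:                                                 # ingress LER: push per FEC
            entry = self.fec.get(in_port)
            if entry is None:
                return "dropped:" + self.name, pkt            # unlabeled packet on a core port
            out_port, out_label = entry
            pkt.labels.append(out_label)
        if out_port not in self.links:                        # edge port: deliver locally
            return self.name + ":" + out_port, pkt
        neighbour, their_port = self.links[out_port]
        return neighbour.forward(their_port, pkt)


def build_mpls_lan() -> Dict[str, LabelNode]:
    """Wire FIG. 14 and install one LSP per direction, on different paths."""
    nodes = {n: LabelNode(n) for n in ("LER2", "LSR1", "LSR2", "LSR3", "LER1")}

    def link(a: str, pa: str, b: str, pb: str) -> None:       # bidirectional link
        nodes[a].links[pa] = (nodes[b], pb)
        nodes[b].links[pb] = (nodes[a], pa)

    link("LER2", "p1", "LSR1", "p0")
    link("LSR1", "p1", "LSR2", "p0")
    link("LSR2", "p1", "LER1", "p0")
    link("LER1", "p2", "LSR3", "p0")
    link("LSR3", "p1", "LER2", "p2")
    # LSP module -> gateway: LER2 pushes 100, LSR1 100->200, LSR2 200->300, LER1 pops
    nodes["LER2"].fec["module"] = ("p1", 100)
    nodes["LSR1"].lib[("p0", 100)] = ("p1", 200)
    nodes["LSR2"].lib[("p0", 200)] = ("p1", 300)
    nodes["LER1"].lib[("p0", 300)] = ("gateway", None)
    # LSP gateway -> module, a different path: LER1 pushes 400, LSR3 400->500, LER2 pops
    nodes["LER1"].fec["gateway"] = ("p2", 400)
    nodes["LSR3"].lib[("p0", 400)] = ("p1", 500)
    nodes["LER2"].lib[("p2", 500)] = ("module", None)
    return nodes


def send(nodes: Dict[str, LabelNode], ingress: str, port: str, src: str, dst: str):
    """Inject an unlabeled IP packet at an edge port; return (delivery point, path, labels)."""
    where, pkt = nodes[ingress].forward(port, Packet(src, dst))
    return where, pkt.path, pkt.labels
```

send(net, "LER2", "module", ...) follows the module-to-gateway LSP through LSR1 and LSR2 and is delivered at the gateway port of LER1 with an empty label stack; send(net, "LER1", "gateway", ...) takes the reverse LSP through LSR3. The binding is by ingress port, not by IP destination, which is the property that lets the LAN "escort" visitor packets: the only way a visitor packet can reach a private-LAN host is for the gateway to forward it there, so the gateway's policy, not the visitor's IP header, decides.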
FIG. 15 illustrates a functional block diagram of a single-port virtual visitor network module operable to provide a visitor access to a public network from within a private local area network according to one embodiment of the invention. A private local area network (LAN), illustrated generally at 1500, includes a local area network Ethernet access point 1501 operable to provide access to a visitor computer 1503 using a single-port VVN module 1502 operable to be coupled to LAN Ethernet 1501. Single-port VVN module 1502 may be implemented to allow a single individual to access private LAN 1500 and may be provided as a standalone module or as an accessory provided as part of, or incorporated within, visitor computer 1503. For example, as a standalone module or device, VVN module 1502 may use an AC adapter for power, and single-port VVN module 1502 may include only two communication ports (not expressly shown): one port connects to LAN Ethernet 1501 and the second connects to visitor computer 1503. As such, only a single user may connect to the single-port VVN module and access LAN Ethernet 1501.
During use, information or data packets communicated from visitor computer 1503 may be processed to ensure that a virtual visitor network is maintained within LAN Ethernet 1501. Single-port VVN module 1502 may be well suited for use within a hotel room or a multi-residence community, where single-port VVN module 1502 may be installed as a permanent device within a specific room.
In another embodiment, single-port VVN module 1502 may be a Universal Serial Bus (USB) enabled device that is powered by visitor computer 1503 when plugged into a USB port of visitor computer 1503. For example, a visitor may plug USB-enabled single-port VVN module 1502 into a USB port of visitor computer 1503. A network cable, such as an RJ-45 cable provided in association with, or integrated as part of, USB-enabled single-port VVN module 1502, may be connected to a wall outlet of LAN Ethernet 1501. In this manner, single-port VVN module 1502 may communicate with a VVN server (not expressly shown) without tethering users to a multi-port VVN module, thereby allowing visitors mobility within an enterprise premises and enabling visitors to use any LAN outlet within private LAN 1500.
Note that although an embodiment of the invention has been shown and described in detail herein, along with certain variants thereof, many other varied embodiments that incorporate the teachings of the invention may be easily constructed by those skilled in the art. Benefits, other advantages, and solutions to problems have been described above with regard to specific embodiments. However, the benefits, advantages, solutions to problems, and any element(s) that may cause any benefit, advantage, or solution to occur or become more pronounced are not to be construed as a critical, required, or essential feature or element of any or all the claims. Accordingly, the invention is not intended to be limited to the specific form set forth herein, but on the contrary, it is intended to cover such alternatives, modifications, and equivalents, as can be reasonably included within the spirit and scope of the invention.