Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network access regulating
Reexamination Certificate
2000-05-19
2004-04-06
Maung, Zarni (Department: 2154)
Electrical computers and digital processing systems: multicomput
Computer network managing
Computer network access regulating
C709S250000
Reexamination Certificate
active
06718385
ABSTRACT:
TECHNICAL FIELD
The present invention is generally directed to maintaining security in a computer network. More particularly, the invention is directed to a system that allows flow of information in one direction only: from a source network to a destination network, such as from a low-security network to a high-security network.
BACKGROUND OF THE INVENTION
Computers are often used to store sensitive information. Such information may include government-classified information and business-sensitive proprietary information. For example, government agencies construct and maintain networks of computers for storing and analyzing vast amounts of secret and top-secret classified data. Those government agencies attempt to maintain the security of their computer networks by electronically isolating those high-security networks from the rest of the world. The goal is to prevent both accidental and clandestine transfer of classified information from the high-security network to a non-secure or low-security network.
There are situations in which it is desirable for a computer connected to a high-security network to be able to access information that resides on a low-security network. For the computer on the high-security network to have such access to low-security information, the high-security network must be electronically connected to the low-security network. However, whenever a connection exists between a high-security network and a low-security network, a threat of the accidental or clandestine transfer of classified information to the low-security network also exists.
Therefore, there is a need for a system that connects a high-security network to a low-security network, that allows transfer of low-security information from the low-security network to the high-security network, and that prohibits transfer of high-security information from the high-security network to the low-security network.
SUMMARY OF THE INVENTION
The foregoing and other needs are met by a system for controlling movement of information between a source network and a destination network, where the information includes source network information on the source network and destination network information on the destination network. The system includes a low-side network interface for receiving from the source network a low-side request relating to the information. The system also includes a low-side processor for analyzing the low-side request to determine whether the low-side request is allowable. If the low-side request is a request to write source network information to the destination network, the low-side processor generates an acknowledgment in response, so that the requested information transfer may proceed. However, if the low-side request is a request to read destination network information from the destination network, the low-side processor denies the low-side request.
If the low-side request is a request to write source network information to the destination network, the low-side network interface receives the acknowledgment from the low-side processor, sends the acknowledgment to the source network, receives source network information from the source network in response to the acknowledgment, and sends the source network information to a low-side intermediate network interface.
The low-side intermediate network interface sends the source network information across an intermediate network to a high-side intermediate network interface. The high-side intermediate network interface receives the source network information, and sends the source network information to a high-side network interface. The high-side network interface receives the source network information, and sends the source network information to the destination network.
The system also includes a high-side processor that denies all information packets from the destination network received by the high-side network interface. In this manner, the high-side processor allows no information to flow from the destination network to the source network.
Thus, the invention provides a two-layered system that denies all requests to write or read destination network information, while allowing requests to write source network information. In this way, the invention prohibits the flow of destination network information from the destination network to the source network, while allowing source network information to flow to the destination network.
In another aspect, the invention provides a method for controlling movement of information between a source network and a destination network, where source network information resides on the source network and destination network information resides on the destination network. The method includes the steps of: (a) moving the source network information from the source network to a low-side processing system using a first information transfer protocol that precludes movement of destination network information from the low-side processing system to the source network; (b) moving the source network information from the low-side processing system to a high-side processing system across an intermediate network using a network transfer protocol that precludes movement of destination network information from the high-side processing system to the low-side processing system; and (c) moving the source network information from the high-side processing system to the destination network using a second information transfer protocol that precludes movement of destination network information from the destination network to the high-side processing system.
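The two-layer policy described in the summary and the three-step method above can be modelled as a small simulation: the low side acknowledges writes and refuses reads, the high side unconditionally drops anything arriving from the destination network, and only source-originated data ever reaches the destination. The code below is an added illustration written for this page, not the patent's or Galaxy Computer Services' own implementation; the class names, the "WRITE"/"READ" operation labels and the in-memory "intermediate network" are assumptions made for the example.

```python
"""Toy model of the one-way (low-to-high) information-flow system described
in the patent summary. Added illustration, not the patent's implementation;
class and message names are assumptions."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Request:
    op: str              # "WRITE" (source -> destination) or "READ" (destination -> source)
    payload: bytes = b""


@dataclass
class Packet:
    origin: str          # which network emitted it: "source" or "destination"
    data: bytes


@dataclass
class HighSideProcessor:
    """Second layer: forwards source data to the destination network and
    drops every packet that arrives from the destination network."""
    delivered_to_destination: List[bytes] = field(default_factory=list)
    dropped: List[Packet] = field(default_factory=list)

    def receive_from_intermediate(self, pkt: Packet) -> None:
        # Only traffic that entered through the low side reaches here, so it
        # is passed on to the destination network.
        self.delivered_to_destination.append(pkt.data)

    def receive_from_destination(self, pkt: Packet) -> None:
        # Unconditional deny: destination-network packets are never forwarded.
        self.dropped.append(pkt)


@dataclass
class LowSideProcessor:
    """First layer: acknowledges WRITE requests and denies everything else,
    in particular READ requests for destination-network information."""
    high_side: HighSideProcessor
    log: List[str] = field(default_factory=list)

    def handle(self, req: Request) -> str:
        if req.op == "WRITE":
            # Acknowledge, accept the source data and push it across the
            # (simulated) intermediate network toward the high side.
            self.log.append("ACK WRITE")
            self.high_side.receive_from_intermediate(Packet("source", req.payload))
            return "ACK"
        # Default deny: any request other than a write, including a read of
        # destination information, is refused at the first layer.
        self.log.append(f"DENY {req.op}")
        return "DENY"


def run_demo() -> dict:
    """Exercise the three cases: a write, a read, and a packet that the
    destination network tries to send back. Sample data is constructed."""
    high = HighSideProcessor()
    low = LowSideProcessor(high)
    write_result = low.handle(Request("WRITE", b"public weather report"))
    read_result = low.handle(Request("READ", b"classified file listing"))
    # The destination side attempts to emit data toward the source side.
    high.receive_from_destination(Packet("destination", b"top secret memo"))
    return {
        "write": write_result,
        "read": read_result,
        "delivered": list(high.delivered_to_destination),
        "dropped": [p.data for p in high.dropped],
        "log": list(low.log),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the two layers is defence in depth: even if the low-side check were bypassed, the high-side processor has no code path that forwards destination-originated packets, so the reverse direction is closed by construction rather than by a filter rule.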
REFERENCES:
patent: 5311593 (1994-05-01), Carmi
patent: 5550984 (1996-08-01), Gelb
patent: 5623601 (1997-04-01), Vu
patent: 5692124 (1997-11-01), Holden et al.
patent: 5826014 (1998-10-01), Coley et al.
patent: 5864683 (1999-01-01), Boebert et al.
patent: 5913024 (1999-06-01), Green et al.
patent: 5974547 (1999-10-01), Klimenko
patent: 6128298 (2000-10-01), Wootton et al.
patent: WO 95/33239 (1995-12-01), None
patent: WO 96/30840 (1996-10-01), None
patent: WO 99/26121 (1999-05-01), None
Dave Bailey, Using Layering to Improve System Security, Oct. 1995, pp. 1-9, Galaxy Computer Services, Inc., Santa Fe, NM 87501.
Dave Bailey and Lara Baker, Analysis of Low to High Data Flow, May 1996, pp. 1-17, Galaxy Computer Services, Inc., Santa Fe, NM 87501.
Dave Bailey and Lara Baker, Old Paradigms Revisited: Applying the Reference Monitor, Mar. 1997, pp. 1-7, Galaxy Computer Services, Inc., Santa Fe, NM 87501.
Galaxy Computer Services, Inc., Secure Diode Security Features User's Guide, Dec. 29, 1997, pp. 1-7, Galaxy Computer Services, Inc., Santa Fe, NM 87501.
Galaxy Computer Services, Inc., Secure Diode Security Strategy, Feb. 5, 1998, pp. 1-8, Galaxy Computer Services, Inc., Santa Fe, NM 87501.
Galaxy Computer Services, Inc., Secure Diode Trusted Facility Manual, Feb. 5, 1998, pp. 1-9, Galaxy Computer Services, Inc., Santa Fe, NM 87501.
Galaxy Computer Services, Inc., Information Diode Price List, Sep. 1998, cover page and pp. 1-3, Galaxy Computer Services, Inc., Santa Fe, NM 87501.
Galaxy Computer Services, Inc., Final ASDN Secure Diode Project, Maintenance Concept, Apr. 12, 1999, cover page/table of contents and pp. 1-8, A-1 thru E-2, Galaxy Computer Services, Inc., Santa Fe, NM 87501.
Galaxy Computer Services, Inc., Final ADSN Secure Diode Project, Bench Stock, Apr. 12, 1999, cover page/table of contents and pp. 1-7, A-1 thru E-10, Galaxy Computer Services, Inc., Santa Fe, NM 87501.
Secure Diode, Technical Manual, May 25, 1999.
Galaxy Computer Services, Inc., Information Diode, Executive Summary, (no date), cover page and pp. 1-2, Galaxy Computer Services, Inc., Santa Fe, NM 87501.
Bailey David J.
Baker Lara H.
Galaxy Computer Services, Inc.
Luedeka Neely & Graham P.C.
Maung Zarni