WO2016189264A1 - Security gateway - Google Patents

Security gateway

Publication number: WO2016189264A1
Authority: WO, WIPO (PCT)
Prior art keywords: data, computer, security gateway, logic blocks, input
Application number: PCT/GB2015/051808
Other languages: French (fr)
Inventors: Robert Johnston, Timothy Porter HODGES, Peter Richard TUSON
Original assignee: Bae Systems Plc
Priority claimed from: GB1509046.7A (GB2538952A)
Application filed by: Bae Systems Plc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Definitions

  • the present invention relates to security gateways for controlling data flow between computers.
  • Data diodes have been used to provide information security when transferring data from secured networks to unsecured networks, and vice versa. Data diodes connected between different networks allow data to travel in only one direction between those two networks. For example, an unsecured network can receive data from the secured network via one or more data diodes, but the secured network cannot receive data from the unsecured network.
  • the present invention provides a security gateway for controlling data flow between a first computer and a second computer.
  • the security gateway comprises: a data input for receiving data from the first computer, a data output for sending data to the second computer, and one or more logic blocks arranged between the data input and the data output.
  • the one or more logic blocks are configured to allow the data to flow from the data input to the data output.
  • the one or more logic blocks are configured to prevent the data from flowing from the data output to the data input.
  • the one or more logic blocks may form a Field Programmable Gate
  • the security gateway may comprise a second input configured to receive delivery address information for the data.
  • the one or more logic blocks may be configured to, if the delivery address information for the data is the same as an address associated with the second computer, allow the data to flow from the data input to the data output.
  • the one or more logic blocks may be configured to, if the delivery address information for the data is different to the address associated with the second computer, prevent the data from flowing from the data input to the data output.
  • the security gateway may further comprise a first Message Transfer Agent located at the data input.
  • the first Message Transfer Agent may be configured to: receive the data from the first computer; using the received data, generate the delivery address information for the data; and send the generated delivery address information for the data to the one or more logic gates.
  • the security gateway may further comprise a switch having a first state and a second state, the first state being a state in which the switch allows the data to flow from the data input to the data output, the second state being a state in which the switch prevents the data from flowing from the data input to the data output.
  • the security gateway may further comprise a controller configured to compare the delivery address information for the data to the address associated with the second computer, and control the switch based on that comparison.
  • At least one of the switch and the controller may comprise one or more logic blocks.
  • the security gateway may further comprise a third input configured to receive information specifying an address associated with the second computer, and means for modifying a configuration of the one or more logic blocks based on the received information specifying the address associated with the second computer.
  • the security gateway may further comprise a second Message Transfer Agent located at the data output. The second Message Transfer Agent may be configured to: generate the information specifying an address associated with the second computer; and send the generated information specifying an address associated with the second computer to the means for modifying the configuration of the one or more logic blocks.
  • the security gateway may further comprise a first Message Transfer Agent located at the data input.
  • the first Message Transfer Agent may be configured to: receive the data in a first data format from the first computer; convert the received data into a second data format, the second data format being different to the first data format; and send the data in the second data format to the one or more logic gates.
  • the security gateway may further comprise a second Message Transfer Agent located at the data output.
  • the second Message Transfer Agent may be configured to: receive the data in a second data format from the one or more logic blocks; convert the received data into a first data format, the first data format being different to the second data format; and output, for use by the second computer, the data in the first data format.
  • the second data format may be a Serial Line data format.
  • the security gateway may further comprise: a counter configured to determine an amount of data traffic through the one or more logic blocks; and means for controlling a flow of data through the one or more logic blocks using the determined amount of data traffic.
  • the means for controlling a flow of data through the one or more logic blocks may be configured to, if the determined amount of data traffic is less than a threshold amount, allow the data to flow from the data input to the data output.
  • the means for controlling a flow of data through the one or more logic blocks may be configured to, if the determined amount of data traffic is greater than or equal to a threshold amount, prevent the data from flowing from the data input to the data output.
  • the present invention provides a system comprising a first computer, a second computer, and a security gateway connected between the first computer and the second computer.
  • the security gateway is in accordance with any of the above aspects.
  • the present invention provides a method for controlling data flow between a first computer and a second computer.
  • the method comprises: providing a data input for receiving data from the first computer; connecting the first computer to the data input; providing a data output for sending data to the second computer; connecting the second computer to the data output; arranging one or more logic blocks between the data input and the data output; causing data to flow through the one or more logic blocks from the data input to the data output; and preventing, by the one or more logic blocks, data from flowing from the data output to the data input.
  • Figure 1 is a schematic illustration (not to scale) showing a data communication system
  • Figure 2 is a schematic illustration (not to scale) showing a field programmable gate array
  • Figure 3 is a process flow chart showing certain steps of a process of transferring data through the data communication system
  • Figure 4 is a process flow chart showing certain steps of a process for programming the field programmable gate array
  • Figure 5 is a process flow chart showing certain steps of a process for transferring an email through the data communication system.
  • FIG. 1 is a schematic illustration (not to scale) showing an exemplary embodiment of a data communication system 100.
  • An embodiment of a method of transferring data through the data communication system 100 will be described in more detail later below with reference to Figures 3 to 5.
  • the data communication system 100 comprises a first user 102, a first computer 104, a first firewall 106, a first server computer 108 on which is running a first Message Transfer Agent (MTA) 110, a field programmable gate array (FPGA) 112, a second server computer 114 on which is running a second MTA 116, a second firewall 118, a second computer 120, and a second user 122.
  • MTA Message Transfer Agent
  • FPGA field programmable gate array
  • the first user 102 is a human operator of the first computer 104.
  • the first computer 104 is a secured computer that is connected to a secured network.
  • the first computer 104, and the secured network are isolated from all unsecured computers and unsecured communication networks, such as unsecured local area networks (LANs), unsecured wide area networks (WANs), and the Internet.
  • the first computer 104 may be any general purpose computer including, but not limited to, a desktop computer, a laptop computer, and a tablet computer.
  • the first computer 104 is capable of generating a communication signal, for example an electronic mail (email) message, for transmission to one or more other devices or other networks.
  • the first computer 104 is further capable of receiving communications from one or more other devices or other networks.
  • the first computer 104 is connected to the first firewall 106 by a first connection 124 such that data may be sent from the first computer 104 to the first firewall 106.
  • the first connection 124 is a wired connection.
  • the first firewall 106 is a network security system that controls data traffic coming from, and going to, the first computer 104.
  • the first firewall 106 controls this data traffic based on a predefined rule set.
  • the first firewall 106 provides a barrier between the secured first computer 104 and the downstream network that is assumed to be unsecured.
  • the first firewall 106 is a standalone hardware appliance. However, in other embodiments, the first firewall 106 is not a standalone appliance, for example, the first firewall 106 may be software running on a general purpose computer such as the first computer 104.
  • the first firewall 106 is connected to the first MTA 110 by a second connection 126 such that data may be sent from the first firewall 106 to the first MTA 110.
  • the second connection 126 is a wired connection.
  • the first MTA 110 is software that runs on the first server computer 108. As described in more detail later below with reference to Figures 3 to 5, the first MTA 110 is configured to transfer data, for example email messages, from one computer to another.
  • the first MTA 110 is connected to the FPGA 112 by a third connection 128 such that data may be sent from the first MTA 110 to the FPGA 112.
  • the third connection 128 is a wired connection.
  • the FPGA 112 is described in more detail later below with reference to Figure 2.
  • the FPGA 112 is a programmable integrated circuit.
  • the FPGA 112 comprises an array of programmable logic blocks.
  • the logic blocks of the FPGA 112 are connected together by reconfigurable interconnects. By reconfiguring these interconnects, how the logic blocks of the FPGA 112 are connected together may be changed, i.e. programmed. Hence the operation of the FPGA 112 may be reconfigured.
  • the FPGA 112 may include one or more different types of logic block. Examples of different types of logic block that may be included in the FPGA 112 include, but are not limited to, logic blocks configured to perform complex combinational functions, simple logic gates like AND and XOR, and memory elements such as simple flip-flops or more complete blocks of memory.
  • each logic block of the FPGA 112 is configured to permit data to flow through that logic block in only one direction.
  • Each logic block of the FPGA 1 12 comprises a data input and a data output, and does not include
  • the FPGA 112 permits only one-way or unidirectional data communication between the secured first computer 104 and the unsecured second computer 120.
  • the FPGA 112 permits the unsecured second computer 120 (and hence the unsecured network) to receive data from the secured first computer 104, and prohibits or prevents the transmission of data from the unsecured second computer 120 to the secured first computer 104 (and hence the secured network).
  • the FPGA 112 is connected to the second MTA 116 by a fourth connection 130 such that data may be sent from the FPGA 112 to the second MTA 116.
  • the fourth connection 130 is a wired connection.
  • the FPGA 112 is further connected to the second MTA 116 by a fifth connection 132 such that data may be sent from the second MTA 116 to the FPGA 112.
  • the fifth connection 132 is a wired connection.
  • the second MTA 116 is software that runs on the second server computer 114. As described in more detail later below with reference to Figures 3 to 5, the second MTA 116 is configured to transfer data, for example electronic mail messages, from one computer to another. The second MTA 116 is further configured to send data, for example an address of the second MTA 116, to the FPGA 112 via the fifth connection 132, as described in more detail later below with reference to Figures 3 to 5.
  • the second MTA 116 is connected to the second firewall 118 by a sixth connection 134 such that data may be sent from the second MTA 116 to the second firewall 118.
  • the sixth connection 134 is a wired connection.
  • the second firewall 118 is a network security system that controls data traffic coming from, and going to, the second computer 120.
  • the second firewall 118 controls this data traffic based on a predefined rule set.
  • the second firewall 118 provides a barrier between the second computer 120 and other networks not trusted by the second computer 120.
  • the second firewall 118 is a standalone hardware appliance.
  • in other embodiments, the second firewall 118 is not a standalone appliance, for example, the second firewall 118 may be software running on a general purpose computer such as the second computer 120.
  • the second firewall 118 is connected to the second computer 120 by a seventh connection 136 such that data may be sent from the second firewall 118 to the second computer 120.
  • the seventh connection 136 is a wired connection.
  • the second computer 120 is an unsecured computer that is connected to an unsecured communication network, such as an unsecured LAN, an unsecured WAN, and/or the Internet.
  • the second computer 120 may be any general purpose computer including, but not limited to, a desktop computer, a laptop computer, and a tablet computer.
  • the second computer 120 is capable of generating a communication signal, for example an electronic mail (email) message, for transmission to one or more other devices or other networks.
  • the second computer 120 is further capable of receiving communications from one or more other devices or other networks, for example, the second computer 120 is capable of receiving an email sent by the first computer 104.
  • the second user 122 is a human operator of the second computer 120.
  • FIG. 2 is a schematic illustration (not to scale) showing further details of the FPGA 112.
  • the FPGA 112 comprises a plurality of interconnected modules, namely a first register 200, a second register 202, a comparator 204, a shift register 206, a first decoder 208, a carriage return line feed (CRLF) decoder 210, a second decoder 212, a counter 214, and a switch 216.
  • Each of the modules 200-216 of the FPGA 112 comprises one or more logic blocks coupled together so as to provide the functionality of that module 200-216.
  • the logic blocks of the FPGA 112 are connected together by reconfigurable interconnects such that an operation of one or more of the modules 200-216, and/or the interoperation of the modules 200-216, may be reprogrammed.
  • the first register 200 is a memory or storage device configured to store received data.
  • the first register 200 is connected, via the fifth connection 132, to the second MTA 116 such that data, for example address information, sent from the second MTA 116 to the FPGA 112 is received by the first register 200.
  • the first register 200 is further connected to the comparator 204 such that data output by the first register 200 may be sent from the first register 200 to the comparator 204.
  • the second register 202 is a memory or storage device configured to store received data.
  • the second register 202 is connected, via the fifth connection 132, to the second MTA 116 such that data sent from the second MTA 116 to the FPGA 112 is received by the second register 202.
  • the second register 202 is further connected to the counter 214 such that the second register 202 defines a size of the counter 214.
  • the first and second registers 200, 202 may be defined using DIP (dual in-line package) switches.
  • the comparator 204 is configured to compare two or more inputs to each other, and perform an action based upon that comparison.
  • the comparator 204 is further connected to the shift register 206, the first decoder 208, and the CRLF decoder 210 such that the comparator 204 may receive, as inputs, data from each of the shift register 206, the first decoder 208, and the CRLF decoder 210.
  • the comparator 204 is further connected to the counter 214 and the switch 216 such that an output of the comparator 204 may be sent from the comparator 204 to the counter 214 and the switch 216.
  • the shift register 206 is configured to store data as a "bit array".
  • the shift register 206 shifts the bit array stored in it by one position as new data is received by the shift register 206. In particular, at each transition of a clock input, the shift register 206 shifts in data present at its input, and shifts out a last bit in the stored bit array.
  • the shift register 206 may comprise a plurality of flip-flops that share a common clock input. The flip-flops may be arranged as a chain.
  • the shift register 206 is connected, via the third connection 128, to the first MTA 110 such that data, for example an email communication, sent from the first MTA 110 to the FPGA 112 is received by the shift register 206.
  • the shift register 206 is further connected to the comparator 204, the first decoder 208, the CRLF decoder 210, and the second decoder 212 such that data output by the shift register 206 may be sent from the shift register 206 to the comparator 204, the first decoder 208, the CRLF decoder 210, and the second decoder 212.
  • the shift register 206 constructs a "word" for the comparator 204 and decoders 208-212.
  • the shift register 206 temporarily stores incoming serial data to facilitate operation of the comparator 204 and decoders 208-212.
  • the shift register 206 may be omitted.
  • the first decoder 208 is configured to decode data sent to the first decoder 208 from the shift register 206.
  • the first decoder 208 is configured to decode a first portion (e.g. a starting portion or "header") of an envelope that has been applied to digital content (e.g. an email message).
  • the first decoder 208 is further connected to the comparator 204 such that decoded data (for example, a delivery address for an email message that was encoded in the header of an envelope of that email message) may be sent from the first decoder 208 to the comparator 204.
  • the CRLF decoder 210 is configured to decode terminators included in the envelope.
  • the CRLF decoder 210 is connected to the comparator 204 such that an output from the CRLF decoder 210 may be sent from the CRLF decoder 210 to the comparator 204.
  • Alternative terminators may also be used.
  • the second decoder 212 is configured to decode data sent to the second decoder 212 from the shift register 206.
  • the second decoder 212 is configured to decode a second portion (e.g. an end portion or "footer") of an envelope that has been applied to digital content (e.g. an email message).
  • the second decoder 212 is further connected to the switch 216 such that decoded data may be sent from the second decoder 212 to the switch 216.
  • the counter 214 is connected, via the third connection 128, to the first MTA 110 such that data, for example an email communication, sent from the first MTA 110 to the FPGA 112 is received by the counter 214.
  • the counter 214 is further connected to the comparator 204, and the second register 202 such that the counter 214 may receive an input from the comparator 204, and the second register 202.
  • the counter 214 is configured to, using one or more of its received inputs, count an amount of data sent from the first computer 104 to the second computer 120. For example, for an email message sent from the first computer 104 to the second computer 120, the counter 214 may count the number of bits of information in that email message.
  • the counter 214 is further connected to the switch 216 such that the counter 214 may control the switch 216 depending upon its data count. For example, in some embodiments, the counter 214 may switch the switch 216 to operate in its "data blocking" mode (which is described in more detail later below) if the data count counted by the counter 214 equals or exceeds a predefined threshold value.
  • the programmability of the FPGA 112 tends to allow for the programming of the counter 214 to any desired threshold value. In some embodiments, operation of the counter 214 is disabled.
  • the switch 216 is connected, via the third connection 128, to the first MTA 110 such that data, for example an email communication, sent from the first MTA 110 to the FPGA 112 is received by the switch 216.
  • the switch 216 is further connected to the comparator 204, the counter 214, and the second decoder 212 such that the switch 216 may receive an input from the comparator 204, the counter 214, and the second decoder 212.
  • the switch 216 may be controlled by one or more of its received inputs.
  • the switch 216 may operate in one of two modes of operation, namely a first mode and a second mode.
  • the switch 216 may be switched from operating in its first mode of operation to operating in its second mode of operation, and vice versa.
  • Switching of the switch 216 may, for example, be controlled by the comparator 204.
  • In its first mode of operation, the switch 216 directs data received from the first MTA 110 (via the third connection 128) to the second MTA 116 (via the fourth connection 130).
  • the fourth connection 130 is at an output of the switch 216.
  • In its second mode of operation, the switch 216 prevents, i.e. blocks, the flow of data through it. In other words, when operating in its second mode, the switch 216 prevents data from being sent to the second MTA 116 via the fourth connection 130.
  • the second mode of operation of the switch 216 is its "data blocking" mode.
  • Apparatus (including the FPGA 112, the computers 104, 120, the server computers 108, 114, and the firewalls 106, 118) for implementing the above arrangement, and performing the method steps to be described later below, may be provided by configuring or adapting any suitable apparatus, for example one or more computers or other processing apparatus or processors, and/or providing additional modules.
  • the apparatus may comprise a computer, a network of computers, or one or more processors, for implementing instructions and using data, including instructions and data in the form of a computer program or plurality of computer programs stored in or on a machine readable storage medium such as computer memory, a computer disk, ROM, PROM etc., or any combination of these or other storage media.
  • Figure 3 is a process flow chart showing certain steps of a process of an embodiment of a method of transferring data through the data communication system 100.
  • the FPGA 112 is programmed to permit only one-way data transfer from the secured first computer 104 to the unsecured second computer 120, and to prevent data being transferred from the second computer 120 to the first computer 104.
  • The programming process performed at step s2 is described in more detail later below with reference to Figure 4.
  • At step s4, an email message is sent from the secured first computer 104 to the unsecured second computer 120 via the FPGA 112.
  • the email transfer process performed at step s4 is described in more detail later below with reference to Figure 5.
  • Figure 4 is a process flow chart showing certain steps of a process for programming the FPGA 112 to only allow one-way data transfer from the first computer 104 to the second computer 120, and to prevent data transfer in the opposite direction, as performed at step s2 of Figure 3.
  • the second MTA 116 sends a message to the FPGA 112 via the fifth connection 132.
  • This message includes an address of the second MTA 116.
  • the comparator 204 receives the message sent from the second MTA 116 via the fifth connection 132 and the first register 200.
  • the first register 200 may store variables received from the second MTA 116 e.g. until the variables are changed by the second MTA 116.
  • the comparator 204 may be programmed (or reprogrammed) by the received message sent by the second MTA 116.
  • the message sent by the second MTA 116 may reconfigure the interconnections of the logic blocks that form the comparator 204, thereby programming the comparator 204.
  • the message sent by the second MTA 116 may program the comparator 204 such that:
  • the comparator 204 controls the switch 216 to operate in its first mode
  • the comparator 204 controls the switch 216 to operate in its second mode.
  • the message sent by the second MTA 116 in effect provides comparison criteria against which the comparator 204 is to compare an email delivery address received from the first decoder.
  • the comparator 204 is configured to compare received email delivery address information with the address information specified in the message received from the second MTA 116 (i.e. the address of the second MTA 116).
  • the address of the second MTA 116 used to program the comparator 204 may be thought of as, and is hereinafter referred to as, the "programmed address" of the comparator 204.
  • step s12 the process of Figure 4 ends.
  • Figure 5 is a process flow chart showing certain steps of a process for transferring an email through the data communication system 100, as performed at step s4 of Figure 3.
  • the first user 102 composes an email using the first computer 104.
  • the first user 102 specifies the second computer 120 as the delivery address for the composed email, i.e. the address to which that email is to be delivered.
  • the first computer 104 sends the composed email to the first MTA 110 via the first connection 124, the first firewall 106, and the second connection 126.
  • the email is sent from the first computer 104 to the first MTA 1 10 in accordance with the Simple Mail Transfer Protocol (SMTP).
  • SMTP Simple Mail Transfer Protocol
  • the first MTA 110 applies an envelope to the received email so as to form a block of data which is hereinafter referred to as the "enveloped email".
  • the envelope comprises a header and a footer which are placed either side of the email message data.
  • the header comprises supplemental data that is positioned at the beginning of the enveloped email before the email message data.
  • the header specifies an address of the MTA that serves the computer to which the email message is to be delivered, i.e. the address of the second MTA 116.
  • the footer comprises supplemental data that is positioned at the end of the enveloped email after the email message data.
  • the first MTA 110 sends the enveloped email to the FPGA 112 via the third connection 128.
  • the enveloped email is sent from the first MTA 110 to the FPGA 112 as a Serial Line communication, i.e. via a serial port through which information transfers in or out one bit at a time.
  • the enveloped email is sent from the first MTA 110 to the FPGA 112 in accordance with the Serial Line Internet Protocol (SLIP).
  • the enveloped email is exchanged using parallel data.
  • the shift register 206 receives the enveloped email as a Serial Line communication and sends the enveloped email to the first decoder 208.
  • the first decoder 208 decodes the header of the envelope of the enveloped email to extract the address specified in that header.
  • the first decoder 208 extracts the address of the second MTA 116 from the enveloped email.
  • the envelope is removed by the FPGA 112 from the enveloped email to recover the email message data.
  • the first decoder 208 sends the extracted address to the comparator 204.
  • the comparator 204 receives the extracted address of the second MTA 116.
  • the comparator 204 determines whether or not the extracted address received from the first decoder 208 matches the programmed address of the comparator 204. In other words, the comparator compares the address information received from the first decoder 208 to the address information with which the comparator 204 was programmed at step s12, as described earlier above with reference to Figure 4.
  • If the comparator 204 determines that the address information received from the first decoder 208 is the same as the programmed address, the method proceeds to step s36.
  • Steps s42 and s44 of the process of Figure 5 will be described in more detail later below after a description of steps s36 to s40.
  • the comparator 204 controls the switch 216 to operate in the switch's first mode of operation.
  • the switch 216 directs the email message data (i.e. the email having the envelope removed) to the second MTA 116. The email is sent from the switch 216 to the second MTA 116 via the fourth connection 130.
  • the email is sent from the switch 216 to the second MTA 116 as a Serial Line communication.
  • the email is sent from the switch 216 to the second MTA 116 in accordance with the SLIP.
  • the enveloped email is exchanged using parallel data.
  • the second MTA 116 sends the email message to only the delivery address of that email.
  • the email message is only sent from the second MTA 116 to the second computer 120.
  • the email is sent from the second MTA 116 to the second computer 120 via the sixth connection 134, the second firewall 118, and the seventh connection 136.
  • the email is sent from the second MTA 116 to the second computer 120 in accordance with the SMTP.
  • the process of Figure 5 ends.
  • the comparator 204 determines that the address information received from the first decoder 208 is not the same as the programmed address
  • the comparator 204 controls the switch 216 to operate in the switch's second mode of operation.
  • the switch 216 prevents the email received from the first MTA 110 (via the third connection 128) from being sent to the second MTA 116. Thus, the email message is blocked by the FPGA 112.
  • At step s44, the process of Figure 5 ends.
  • the MTAs and the FPGA advantageously provide a unidirectional security gateway with assured addressing between the secured computer network and the unsecured network.
  • the unidirectional security gateway tends to allow data transfer in only a single direction, from the secured computer network to the unsecured network. Data travel from the unsecured network to the secured computer network tends to be prevented. Thus, the secured computer network tends to be secured against receiving unwanted or malicious data from the unsecured network.
  • a secured network may be protected from attack from unsecured public networks while publishing information to such unsecured networks.
  • the above described unidirectional security gateway tends to be physically smaller than conventional unidirectional networks. Furthermore, the above described unidirectional security gateway tends to be less costly (for example in terms of power consumption) to produce than conventional unidirectional networks.
  • the above described unidirectional security gateway tends to provide a communication protocol.
  • data output by the unidirectional security gateway has the same format as the input data. For example, an input Ethernet signal tends to be output by the above described unidirectional security gateway as an Ethernet signal.
  • a "protocol break" is provided by the above described unidirectional security gateway.
  • the format of the data is changed, and then changed back again, between the input and the output of the gateway.
  • input Ethernet data is transferred to Serial Line data and back again as it travels through the gateway. This advantageously tends to provide for improved data security compared to conventional unidirectional networks.
  • a "technology break" is provided by the above described unidirectional security gateway.
  • the FPGA of the above described gateway is a hardware appliance through which data flows. This advantageously tends to provide for improved data security compared to many conventional unidirectional networks.
  • the above described unidirectional security gateway is programmable. It tends to be possible to reprogram the FPGA to change the address of an MTA or unsecured network to which data is permitted to travel.
  • the above described unidirectional security gateway tends to provide for the delivery of addressed data to the designated address(es). Furthermore, the delivery of addressed data to another address, i.e. a non-designated address, tends to be prevented.
  • multiple unidirectional security gateways can be implemented, for example in parallel, to assure the delivery of addressed data to the designated address(es) to multiple unsecured networks.
  • data travels through the unidirectional security gateway in only one direction from the secured computer network to the unsecured network.
  • data travels through the unidirectional security gateway in only one direction from an unsecured computer or network of computers to a secured computer or network of computers.
  • secure data can be advantageously prevented from being distributed to an unsecure network, for example the Internet.
  • data travels through the unidirectional security gateway in only one direction from a secured computer or network of computers to a different or the same secured computer or network of computers.
  • data travels through the unidirectional security gateway in only one direction from an unsecured computer or network of computers to a different or the same unsecured computer or network of computers.
  • data travels from a single secured computer network to a single unsecured network.
  • data travels from multiple separate secured computers or networks of computers to a single unsecured computer or network of computers.
  • data travels from a single secured computer or network of computers to multiple separate unsecured computers or networks of computers.
  • data travels from multiple separate secured computers or networks of computers to multiple separate unsecured computers or networks of computers.
  • the comparator is programmed with a single "programmed address", and controls the switch based on a comparison of that programmed address with a delivery address of input data.
  • the switch has two modes of operation, namely the first mode in which data is permitted to flow to its single possible destination, and the second mode in which data travel is blocked.
  • the comparator may be programmed with multiple different "programmed addresses". The comparator may control the switch based on which of the multiple programmed addresses match a delivery address of input data.
  • the switch may have more than two modes of operation. For example, the switch may have a mode of operation in which data travel is blocked and, in addition, may have, for each possible destination to which the data may be delivered, a further mode in which data is permitted to flow to that destination and only that destination.
  • the switch may be switchable, for example by the comparator of the FPGA, between its modes of operation in similar fashion to that described above.
  • multiple comparators and/or multiple switches may be implemented.
  • a separate comparator and switch pair is provided for each of the multiple possible destinations to which the data travelling through the unidirectional security gateway may be delivered.
  • data travels in only a single direction from the first computer to the second computer.
  • a further unidirectional security gateway may be arranged to allow some data to travel in the opposite direction.
  • a first unidirectional security gateway may be arranged between the first and second computers and configured to allow for unidirectional data flow from the first computer to the second computer.
  • a second unidirectional security gateway may be arranged between the first and second computers and configured to allow for unidirectional data flow from the second computer to the first computer.
  • the second unidirectional security gateway may allow the second computer to send a receipt to the first computer in response to receiving data from the first computer.
  • the counter of a FPGA may be implemented to limit the amount of data sent between computers.
  • a counter in the second unidirectional security gateway may be implemented to limit the size of the response sent from the second computer to the first computer.
  • the counter may be configured to switch the associated switch to its "block" mode if the amount of data flowing through the second unidirectional security gateway exceeds a predefined threshold.
  • the first computer may be protected from receiving large amounts of data.
  • an email message is sent between the first and second computers.
  • a different type of data or communication is sent between the computers or networks of computers.
  • Such communications may include, for example, audio data, image data, video data, text data, and other data that can be communicated between computer devices or networks.
  • the data transferred through the unidirectional gateway may include any combination of binary bits.
  • the data is a single byte.
  • the data includes one or more files of information.
  • the data may contain encrypted information or unencrypted information.
  • the data may include parity bits, checksums, error detection codes, error correction codes, etc.

Abstract

Disclosed is a security gateway for controlling data flow between a first computer (104) and a second computer (120), the security gateway comprising: a data input for receiving data from the first computer (104); a data output for sending data to the second computer (120); and one or more logic blocks arranged between the data input and the data output. The one or more logic blocks are configured to allow the data to flow from the data input to the data output. The one or more logic blocks are configured to prevent the data from flowing from the data output to the data input.

Description

SECURITY GATEWAY
FIELD OF THE INVENTION
The present invention relates to security gateways for controlling data flow between computers.
BACKGROUND
In the field of communication technology, data is often communicated between different computer systems and/or devices that are connected to different communication networks.
When transferring data between different networks, it tends to be desirable that the transfer of data occurs in a secure manner.
Data diodes have been used to provide information security when transferring data from secured networks to unsecured networks, and vice versa. Data diodes connected between different networks allow data to travel in only one direction between those two networks. For example, an unsecured network can receive data from the secured network via one or more data diodes, but the secured network cannot receive data from the unsecured network.
SUMMARY OF THE INVENTION
In a first aspect, the present invention provides a security gateway for controlling data flow between a first computer and a second computer. The security gateway comprises: a data input for receiving data from the first computer, a data output for sending data to the second computer, and one or more logic blocks arranged between the data input and the data output. The one or more logic blocks are configured to allow the data to flow from the data input to the data output. The one or more logic blocks are configured to prevent the data from flowing from the data output to the data input.
The one or more logic blocks may form a Field Programmable Gate Array.
The security gateway may comprise a second input configured to receive delivery address information for the data. The one or more logic blocks may be configured to, if the delivery address information for the data is the same as an address associated with the second computer, allow the data to flow from the data input to the data output. The one or more logic blocks may be configured to, if the delivery address information for the data is different to the address associated with the second computer, prevent the data from flowing from the data input to the data output.
The security gateway may further comprise a first Message Transfer Agent located at the data input. The first Message Transfer Agent may be configured to: receive the data from the first computer; using the received data, generate the delivery address information for the data; and send the generated delivery address information for the data to the one or more logic gates.
The security gateway may further comprise a switch having a first state and a second state, the first state being a state in which the switch allows the data to flow from the data input to the data output, the second state being a state in which the switch prevents the data from flowing from the data input to the data output. The security gateway may further comprise a controller configured to compare the delivery address information for the data to the address associated with the second computer, and control the switch based on that comparison.
At least one of the switch and the controller may comprise one or more logic blocks.
The security gateway may further comprise a third input configured to receive information specifying an address associated with the second computer, and means for modifying a configuration of the one or more logic blocks based on the received information specifying the address associated with the second computer.
The security gateway may further comprise a second Message Transfer Agent located at the data output. The second Message Transfer Agent may be configured to: generate the information specifying an address associated with the second computer; and send the generated information specifying an address associated with the second computer to the means for modifying the configuration of the one or more logic blocks.
The security gateway may further comprise a first Message Transfer Agent located at the data input. The first Message Transfer Agent may be configured to: receive the data in a first data format from the first computer; convert the received data into a second data format, the second data format being different to the first data format; and send the data in the second data format to the one or more logic gates.
The security gateway may further comprise a second Message Transfer Agent located at the data output. The second Message Transfer Agent may be configured to: receive the data in a second data format from the one or more logic blocks; convert the received data into a first data format, the first data format being different to the second data format; and output, for use by the second computer, the data in the first data format.
The second data format may be a Serial Line data format.
The security gateway may further comprise: a counter configured to determine an amount of data traffic through the one or more logic blocks; and means for controlling a flow of data through the one or more logic blocks using the determined amount of data traffic. The means for controlling a flow of data through the one or more logic blocks may be configured to, if the determined amount of data traffic is less than a threshold amount, allow the data to flow from the data input to the data output. The means for controlling a flow of data through the one or more logic blocks may be configured to, if the determined amount of data traffic is greater than or equal to a threshold amount, prevent the data from flowing from the data input to the data output.
In a further aspect, the present invention provides a system comprising a first computer, a second computer, and a security gateway connected between the first computer and the second computer. The security gateway is in accordance with any of the above aspects.
In a further aspect, the present invention provides a method for controlling data flow between a first computer and a second computer. The method comprises: providing a data input for receiving data from the first computer; connecting the first computer to the data input; providing a data output for sending data to the second computer; connecting the second computer to the data output; arranging one or more logic blocks between the data input and the data output; causing data to flow through the one or more logic blocks from the data input to the data output; and preventing, by the one or more logic blocks, data from flowing from the data output to the data input.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a schematic illustration (not to scale) showing a data communication system;
Figure 2 is a schematic illustration (not to scale) showing a field programmable gate array;
Figure 3 is a process flow chart showing certain steps of a process of transferring data through the data communication system;
Figure 4 is a process flow chart showing certain steps of a process for programming the field programmable gate array; and
Figure 5 is a process flow chart showing certain steps of a process for transferring an email through the data communication system.
DETAILED DESCRIPTION
Figure 1 is a schematic illustration (not to scale) showing an exemplary embodiment of a data communication system 100. An embodiment of a method of transferring data through the data communication system 100 will be described in more detail later below with reference to Figures 3 to 5.
The data communication system 100 comprises a first user 102, a first computer 104, a first firewall 106, a first server computer 108 on which is running a first Message Transfer Agent (MTA) 110, a field programmable gate array (FPGA) 112, a second server computer 114 on which is running a second MTA 116, a second firewall 118, a second computer 120, and a second user 122.
The first user 102 is a human operator of the first computer 104.
The first computer 104 is a secured computer that is connected to a secured network. The first computer 104, and the secured network, are isolated from all unsecured computers and unsecured communication networks, such as unsecured local area networks (LANs), unsecured wide area networks (WANs), and the Internet. The first computer 104 may be any general purpose computer including, but not limited to, a desktop computer, a laptop computer, and a tablet computer. The first computer 104 is capable of generating a communication signal, for example an electronic mail (email) message, for transmission to one or more other devices or other networks. The first computer 104 is further capable of receiving communications from one or more other devices or other networks.
The first computer 104 is connected to the first firewall 106 by a first connection 124 such that data may be sent from the first computer 104 to the first firewall 106. The first connection 124 is a wired connection.
The first firewall 106 is a network security system that controls data traffic coming from, and going to, the first computer 104. The first firewall 106 controls this data traffic based on a predefined rule set. The first firewall 106 provides a barrier between the secured first computer 104 and the downstream network that is assumed to be unsecured.
In this embodiment, the first firewall 106 is a standalone hardware appliance. However, in other embodiments, the first firewall 106 is not a standalone appliance, for example, the first firewall 106 may be software running on a general purpose computer such as the first computer 104.
The first firewall 106 is connected to the first MTA 110 by a second connection 126 such that data may be sent from the first firewall 106 to the first MTA 110. The second connection 126 is a wired connection.
The first MTA 110 is software that runs on the first server computer 108. As described in more detail later below with reference to Figures 3 to 5, the first MTA 110 is configured to transfer data, for example email messages, from one computer to another.
The first MTA 110 is connected to the FPGA 112 by a third connection 128 such that data may be sent from the first MTA 110 to the FPGA 112. The third connection 128 is a wired connection.
The FPGA 112 is described in more detail later below with reference to Figure 2. The FPGA 112 is a programmable integrated circuit. The FPGA 112 comprises an array of programmable logic blocks. The logic blocks of the FPGA 112 are connected together by reconfigurable interconnects. By reconfiguring these interconnects, how the logic blocks of the FPGA 112 are connected together may be changed, i.e. programmed. Hence the operation of the FPGA 112 may be reconfigured. The FPGA 112 may include one or more different types of logic block. Examples of different types of logic block that may be included in the FPGA 112 include, but are not limited to, logic blocks configured to perform complex combinational functions, simple logic gates like AND and XOR, and memory elements such as simple flip-flops or more complete blocks of memory. In this embodiment, each logic block of the FPGA 112 is configured to permit data to flow through that logic block in only one direction. Each logic block of the FPGA 112 comprises a data input and a data output, and does not include a bidirectional port.
As described in more detail later below with reference to Figures 3 to 5, in this embodiment, the FPGA 112 permits only one-way or unidirectional data communication between the secured first computer 104 and the unsecured second computer 120. In particular, the FPGA 112 permits the unsecured second computer 120 (and hence the unsecured network) to receive data from the secured first computer 104, and prohibits or prevents the transmission of data from the unsecured second computer 120 to the secured first computer 104 (and hence the secured network).
The FPGA 112 is connected to the second MTA 116 by a fourth connection 130 such that data may be sent from the FPGA 112 to the second MTA 116. The fourth connection 130 is a wired connection.
The FPGA 112 is further connected to the second MTA 116 by a fifth connection 132 such that data may be sent from the second MTA 116 to the FPGA 112. The fifth connection 132 is a wired connection.
The second MTA 116 is software that runs on the second server computer 114. As described in more detail later below with reference to Figures 3 to 5, the second MTA 116 is configured to transfer data, for example electronic mail messages, from one computer to another. The second MTA 116 is further configured to send data, for example an address of the second MTA 116, to the FPGA 112 via the fifth connection 132, as described in more detail later below with reference to Figures 3 to 5.
The second MTA 116 is connected to the second firewall 118 by a sixth connection 134 such that data may be sent from the second MTA 116 to the second firewall 118. The sixth connection 134 is a wired connection.
The second firewall 118 is a network security system that controls data traffic coming from, and going to, the second computer 120. The second firewall 118 controls this data traffic based on a predefined rule set. The second firewall 118 provides a barrier between the second computer 120 and other networks not trusted by the second computer 120.
In this embodiment, the second firewall 118 is a standalone hardware appliance. However, in other embodiments, the second firewall 118 is not a standalone appliance, for example, the second firewall 118 may be software running on a general purpose computer such as the second computer 120.
The second firewall 118 is connected to the second computer 120 by a seventh connection 136 such that data may be sent from the second firewall 118 to the second computer 120. The seventh connection 136 is a wired connection.
The second computer 120 is an unsecured computer that is connected to an unsecured communication network, such as an unsecured LAN, an unsecured WAN, and/or the Internet. The second computer 120 may be any general purpose computer including, but not limited to, a desktop computer, a laptop computer, and a tablet computer. The second computer 120 is capable of generating a communication signal, for example an electronic mail (email) message, for transmission to one or more other devices or other networks. The second computer 120 is further capable of receiving communications from one or more other devices or other networks, for example, the second computer 120 is capable of receiving an email sent by the first computer 104.
The second user 122 is a human operator of the second computer 120.
Figure 2 is a schematic illustration (not to scale) showing further details of the FPGA 112.
In this embodiment, the FPGA 112 comprises a plurality of interconnected modules, namely a first register 200, a second register 202, a comparator 204, a shift register 206, a first decoder 208, a carriage return line feed (CRLF) decoder 210, a second decoder 212, a counter 214, and a switch 216.
Each of the modules 200-216 of the FPGA 112 comprises one or more logic blocks coupled together so as to provide the functionality of that module 200-216. The logic blocks of the FPGA 112 are connected together by reconfigurable interconnects such that an operation of one or more of the modules 200-216, and/or the interoperation of the modules 200-216, may be reprogrammed.
The first register 200 is a memory or storage device configured to store received data. The first register 200 is connected, via the fifth connection 132, to the second MTA 116 such that data, for example address information, sent from the second MTA 116 to the FPGA 112 is received by the first register 200. The first register 200 is further connected to the comparator 204 such that data output by the first register 200 may be sent from the first register 200 to the comparator 204.
The second register 202 is a memory or storage device configured to store received data. The second register 202 is connected, via the fifth connection 132, to the second MTA 116 such that data sent from the second MTA 116 to the FPGA 112 is received by the second register 202. The second register 202 is further connected to the counter 214 such that the second register 202 defines a size of the counter 214.
The first and second registers 200, 202 may be defined using DIP (dual in-line package) switches.
As described in more detail later below with reference to Figures 3 to 5, the comparator 204 is configured to compare two or more inputs to each other, and perform an action based upon that comparison. In addition to being connected to the first register 200, the comparator 204 is further connected to the shift register 206, the first decoder 208, and the CRLF decoder 210 such that the comparator 204 may receive, as inputs, data from each of the shift register 206, the first decoder 208, and the CRLF decoder 210. The comparator 204 is further connected to the counter 214 and the switch 216 such that an output of the comparator 204 may be sent from the comparator 204 to the counter 214 and the switch 216.
The shift register 206 is configured to store data as a "bit array". The shift register 206 shifts the bit array stored in it by one position as new data is received by the shift register 206. In particular, at each transition of a clock input, the shift register 206 shifts in data present at its input, and shifts out a last bit in the stored bit array. The shift register 206 may comprise a plurality of flip-flops that share a common clock input. The flip-flops may be arranged as a chain.
The shift register 206 is connected, via the third connection 128, to the first MTA 110 such that data, for example an email communication, sent from the first MTA 110 to the FPGA 112 is received by the shift register 206. The shift register 206 is further connected to the comparator 204, the first decoder 208, the CRLF decoder 210, and the second decoder 212 such that data output by the shift register 206 may be sent from the shift register 206 to the comparator 204, the first decoder 208, the CRLF decoder 210, and the second decoder 212.
The shift register 206 constructs a "word" for the comparator 204 and decoders 208-212. In this embodiment, the shift register 206 temporarily stores incoming serial data to facilitate operation of the comparator 204 and decoders 208-212. However, in some embodiments, for example in which there are incoming parallel data streams, the shift register 206 may be omitted.
The first decoder 208 is configured to decode data sent to the first decoder 208 from the shift register 206. In particular, in this embodiment, as described in more detail later below with reference to Figures 3 to 5, the first decoder 208 is configured to decode a first portion (e.g. a starting portion or "header") of an envelope that has been applied to digital content (e.g. an email message). The first decoder 208 is further connected to the comparator 204 such that decoded data (for example, a delivery address for an email message that was encoded in the header of an envelope of that email message) may be sent from the first decoder 208 to the comparator 204.
The CRLF decoder 210 is configured to decode terminators included in the envelope. The CRLF decoder 210 is connected to the comparator 204 such that an output from the CRLF decoder 210 may be sent from the CRLF decoder 210 to the comparator 204. Alternative terminators may also be used.
The second decoder 212 is configured to decode data sent to the second decoder 212 from the shift register 206. In particular, in this embodiment, the second decoder 212 is configured to decode a second portion (e.g. an end portion or "footer") of an envelope that has been applied to digital content (e.g. an email message). The second decoder 212 is further connected to the switch 216 such that decoded data may be sent from the second decoder 212 to the switch 216.
The counter 214 is connected, via the third connection 128, to the first MTA 110 such that data, for example an email communication, sent from the first MTA 110 to the FPGA 112 is received by the counter 214. The counter 214 is further connected to the comparator 204 and the second register 202 such that the counter 214 may receive an input from the comparator 204 and the second register 202.
In this embodiment, the counter 214 is configured to, using one or more of its received inputs, count an amount of data sent from the first computer 104 to the second computer 120. For example, for an email message sent from the first computer 104 to the second computer 120, the counter 214 may count the number of bits of information in that email message.
The counter 214 is further connected to the switch 216 such that the counter 214 may control the switch 216 depending upon its data count. For example, in some embodiments, the counter 214 may switch the switch 216 to operate in its "data blocking" mode (which is described in more detail later below) if the data count counted by the counter 214 equals or exceeds a predefined threshold value. Advantageously, the programmability of the FPGA 112 tends to allow for the programming of the counter 214 to any desired threshold value. In some embodiments, operation of the counter 214 is disabled.
The switch 216 is connected, via the third connection 128, to the first MTA 110 such that data, for example an email communication, sent from the first MTA 110 to the FPGA 112 is received by the switch 216. The switch 216 is further connected to the comparator 204, the counter 214, and the second decoder 212 such that the switch 216 may receive an input from the comparator 204, the counter 214, and the second decoder 212. The switch 216 may be controlled by one or more of its received inputs.
In this embodiment, the switch 216 may operate in one of two modes of operation, namely a first mode and a second mode. The switch 216 may be switched from operating in its first mode of operation to operating in its second mode of operation, and vice versa. Switching of the switch 216 may, for example, be controlled by the comparator 204.
In its first mode of operation, the switch 216 directs data received from the first MTA 110 (via the third connection 128) to the second MTA 116 (via the fourth connection 130). The fourth connection 130 is at an output of the switch 216.
In its second mode of operation, the switch 216 prevents, i.e. blocks, the flow of data through it. In other words, when operating in its second mode, the switch 216 prevents data from being sent to the second MTA 116 via the fourth connection 130. The second mode of operation of the switch 216 is its "data blocking" mode.
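The data path through the modules 200-216 described above, as an added behavioural model in Python (not code from the patent or from its applicant). The envelope layout (an `RCPT <address>` header line ended by CRLF and a `--END--` footer), the 64-byte header limit, the per-message counter reset, and all class and function names are assumptions made for illustration.

```python
from collections import deque

# Assumed envelope layout (the patent does not specify one):
#   b"RCPT <address>\r\n" + payload + b"\r\n--END--\r\n"
HEADER_TAG = b"RCPT "
CRLF = b"\r\n"
FOOTER = b"\r\n--END--\r\n"
MAX_HEADER = 64              # assumed width of the header capture logic, in bytes
BLOCK, PASS = "block", "pass"


class GatewayModel:
    """Byte-serial model of comparator 204, decoders 208-212, counter 214, switch 216."""

    def __init__(self, programmed_address, bit_limit=None):
        self.programmed_address = programmed_address  # held in first register 200
        self.bit_limit = bit_limit    # held in second register 202; None = counter disabled
        self._reset()

    def _reset(self):
        self.mode = BLOCK             # switch 216 fails closed between messages
        self.in_header = True
        self.header = bytearray()
        self.window = deque()         # shift register 206 used as a delay line
        self.bits = 0                 # counter 214 (assumed to restart per message)

    def clock_in(self, byte):
        """Shift one input byte in; return the bytes released on the output."""
        if self.in_header:
            self._decode_header(byte)
            return b""                # envelope bytes never reach the output
        self.window.append(byte)
        if bytes(self.window) == FOOTER:   # second decoder 212: end of message
            self._reset()
            return b""
        if len(self.window) < len(FOOTER):
            return b""                # delay line still filling
        released = self.window.popleft()
        if self.mode == PASS and self._count(8):
            return bytes([released])
        return b""

    def _decode_header(self, byte):
        self.header.append(byte)
        if self.header.endswith(CRLF):     # CRLF decoder 210: header terminator
            line = bytes(self.header[:-len(CRLF)])
            # first decoder 208: extract the delivery address from the header
            address = line[len(HEADER_TAG):] if line.startswith(HEADER_TAG) else None
            # comparator 204: exact match selects the first mode, anything else the second
            self.mode = PASS if address == self.programmed_address else BLOCK
            self.in_header = False
        elif len(self.header) >= MAX_HEADER:
            # No terminator within the capture width: treat as a mismatch.
            self.mode = BLOCK
            self.in_header = False

    def _count(self, bits):
        """Counter 214: block once the count equals or exceeds the threshold."""
        self.bits += bits
        if self.bit_limit is not None and self.bits >= self.bit_limit:
            self.mode = BLOCK
            return False
        return True


def envelope(address, payload):
    """Constructed sample input: wrap a payload the way the first MTA is assumed to."""
    return HEADER_TAG + address + CRLF + payload + FOOTER


def run(gateway, stream):
    """Clock a byte stream through the model and collect what reaches the output."""
    return b"".join(gateway.clock_in(b) for b in stream)
```

The model keeps the switch in its blocking mode until the comparator has seen a complete, matching header, so a truncated or malformed envelope releases nothing. It also assumes the sender never places the footer sequence inside a payload.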
Apparatus (including the FPGA 112, the computers 104, 120, the server computers 108, 114, and the firewalls 106, 118) for implementing the above arrangement, and performing the method steps to be described later below, may be provided by configuring or adapting any suitable apparatus, for example one or more computers or other processing apparatus or processors, and/or providing additional modules. The apparatus may comprise a computer, a network of computers, or one or more processors, for implementing instructions and using data, including instructions and data in the form of a computer program or plurality of computer programs stored in or on a machine readable storage medium such as computer memory, a computer disk, ROM, PROM etc., or any combination of these or other storage media.
Figure 3 is a process flow chart showing certain steps of a process of an embodiment of a method of transferring data through the data communication system 100.
At step s2, the FPGA 112 is programmed to permit only one-way data transfer from the secured first computer 104 to the unsecured second computer 120, and to prevent data being transferred from the second computer 120 to the first computer 104.
The programming process performed at step s2 is described in more detail later below with reference to Figure 4.
At step s4, an email message is sent from the secured first computer 104 to the unsecured second computer 120 via the FPGA 112. The email transfer process performed at step s4 is described in more detail later below with reference to Figure 5.
Thus, a method of transferring data through the data communication system 100 is provided.
Figure 4 is a process flow chart showing certain steps of a process for programming the FPGA 112 to only allow one-way data transfer from the first computer 104 to the second computer 120, and to prevent data transfer in the opposite direction, as performed at step s2 of Figure 3.
At step s8, the second MTA 116 sends a message to the FPGA 112 via the fifth connection 132. This message includes an address of the second MTA 116.
At step s10, the comparator 204 receives the message sent from the second MTA 116 via the fifth connection 132 and the first register 200. The first register 200 may store variables received from the second MTA 116, e.g. until the variables are changed by the second MTA 116.
At step s12, the comparator 204 may be programmed (or reprogrammed) by the received message sent by the second MTA 116.
In this embodiment, the message sent by the second MTA 116 may reconfigure the interconnections of the logic blocks that form the comparator 204, thereby programming the comparator 204.
The message sent by the second MTA 116 may program the comparator 204 such that:
- if the comparator 204 receives address information from the first decoder 208 that matches the address information specified in the received message from the second MTA 116 (i.e. the address of the second MTA 116), the comparator 204 controls the switch 216 to operate in its first mode; and
- if the comparator 204 receives address information from the first decoder 208 that does not match the address information specified in the received message from the second MTA 116 (i.e. the address of the second MTA 116), the comparator 204 controls the switch 216 to operate in its second mode.
The message sent by the second MTA 116 in effect provides comparison criteria against which the comparator 204 is to compare an email delivery address received from the first decoder.
In this embodiment, the comparator 204 is configured to compare received email delivery address information with the address information specified in the message received from the second MTA 116 (i.e. the address of the second MTA 116). The address of the second MTA 116 used to program the comparator 204 may be thought of as, and is hereinafter referred to as, the "programmed address" of the comparator 204.
After step s12, the process of Figure 4 ends.
Thus, a process for programming the FPGA 1 12 is provided.
Figure 5 is a process flow chart showing certain steps of a process for transferring an email through the data communication system 100, as performed at step s4 of Figure 3.
At step s20, the first user 102 composes an email using the first computer 104. In this embodiment, the first user 102 specifies the second computer 120 as the delivery address for the composed email, i.e. the address to which that email is to be delivered.
At step s22, the first computer 104 sends the composed email to the first MTA 110 via the first connection 214, the first firewall 106, and the second connection 126.
In this embodiment, the email is sent from the first computer 104 to the first MTA 110 in accordance with the Simple Mail Transfer Protocol (SMTP).
At step s24, the first MTA 110 applies an envelope to the received email so as to form a block of data which is hereinafter referred to as the "enveloped email".
In this embodiment, the envelope comprises a header and a footer which are placed either side of the email message data. The header comprises supplemental data that is positioned at the beginning of the enveloped email before the email message data. The header specifies an address of the MTA that serves the computer to which the email message is to be delivered, i.e. the address of the second MTA 116. The footer comprises supplemental data that is positioned at the end of the enveloped email after the email message data.
At step s26, the first MTA 110 sends the enveloped email to the FPGA 112 via the third connection 128.
In this embodiment, the enveloped email is sent from the first MTA 110 to the FPGA 112 as a Serial Line communication, i.e. via a serial port through which information transfers in or out one bit at a time. In some embodiments, the enveloped email is sent from the first MTA 114 to the FPGA 112 in accordance with the Serial Line Internet Protocol (SLIP). In some embodiments, the enveloped email is exchanged using parallel data.
At step s28, the shift register 206 receives the enveloped email as a Serial Line communication, and sends the enveloped email to the first decoder 208.
At step s30, the first decoder 208 decodes the header of the envelope of the enveloped email to extract the address specified in that header. Thus, in this embodiment, the first decoder 208 extracts the address of the second MTA 116 from the enveloped email.
The envelope is removed by the FPGA 112 from the enveloped email to recover the email message data.
At step s32, the first decoder 208 sends the extracted address to the comparator 204. Thus, the comparator 204 receives the extracted address of the second MTA 116.
At step s34, the comparator 204 determines whether or not the extracted address received from the first decoder 208 matches the programmed address of the comparator 204. In other words, the comparator compares the address information received from the first decoder 208 to the address information with which the comparator 204 was programmed at step s12, as described earlier above with reference to Figure 4.
If the comparator 204 determines that the address information received from the first decoder 208 is the same as the programmed address, the method proceeds to step s36.
However, if the comparator 204 determines that the address information received from the first decoder 208 is not the same as the programmed address, the method proceeds to step s42. Steps s42 and s44 of the process of Figure 5 will be described in more detail later below after a description of steps s36 to s40.
At step s36, responsive to determining that the address information received from the first decoder 208 is the same as the programmed address, the comparator 204 controls the switch 116 to operate in the switch's first mode of operation.
At step s38, as the switch 216 is operating in its first mode of operation, the switch 216 directs the email message data (i.e. the email having the envelope removed) to the second MTA 116. The email is sent from the switch 216 to the second MTA 116 via the fourth connection 130.
In this embodiment, the email is sent from the switch 216 to the second MTA 116 as a Serial Line communication. In some embodiments, the email is sent from the switch 216 to the second MTA 116 in accordance with the SLIP. In some embodiments, the enveloped email is exchanged using parallel data.
At step s40, the second MTA 116 sends the email message to only the delivery address of that email. Thus, in this embodiment, the email message is only sent from the second MTA 116 to the second computer 120. The email is sent from the second MTA 116 to the second computer 120 via the sixth connection 134, the second firewall 118, and the seventh connection 136.
In this embodiment, the email is sent from the second MTA 116 to the second computer 120 in accordance with the SMTP.
After step s40, the process of Figure 5 ends.
Returning now to the case where, at step s34, the comparator 204 determines that the address information received from the first decoder 208 is not the same as the programmed address, at step s42, responsive to determining that the address information received from the first decoder 208 is not the same as the programmed address, the comparator 204 controls the switch 116 to operate in the switch's second mode of operation.
At step s44, as the switch 216 is operating in its second mode of operation, the switch 216 prevents the email received from the first MTA 116 (via the third connection 128) from being sent to the second MTA 116. Thus, the email message is blocked by the FPGA 112.
After step s44, the process of Figure 5 ends.
Thus, a process for transferring an email through the data communication system 100 is provided.
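The comparator and switch behaviour of Figures 4 and 5, modelled in Python as an added example that is not part of the patent. The envelope byte layout (HEADER_MAGIC, one length byte, FOOTER), the block-until-programmed default, the fail-closed handling of malformed frames and the sample addresses are assumptions; the description states only that the header carries the destination MTA address and that a footer follows the message data.

```python
"""Behavioural model of the address-checked gateway (added illustration)."""
from enum import Enum

HEADER_MAGIC = b"ENV1"   # assumed header marker, not defined by the patent
FOOTER = b"END1"         # assumed footer marker, not defined by the patent


class SwitchMode(Enum):
    PASS = 1    # first mode: data flows to the output
    BLOCK = 2   # second mode: "data blocking"


def apply_envelope(dest_mta: str, email: bytes) -> bytes:
    """Step s24: the first MTA wraps the email in a header and a footer."""
    addr = dest_mta.encode("ascii")
    if not 0 < len(addr) < 256:
        raise ValueError("address must be 1..255 bytes")
    return HEADER_MAGIC + bytes([len(addr)]) + addr + email + FOOTER


def decode_envelope(frame: bytes):
    """Step s30: return (header address, bare email), or None if malformed."""
    n = len(HEADER_MAGIC)
    if len(frame) < n + 1 + len(FOOTER) or not frame.startswith(HEADER_MAGIC):
        return None
    if not frame.endswith(FOOTER):
        return None
    addr_len = frame[n]
    body_start = n + 1 + addr_len
    # The declared address must fit in front of the footer.
    if addr_len == 0 or body_start > len(frame) - len(FOOTER):
        return None
    return frame[n + 1:body_start], frame[body_start:len(frame) - len(FOOTER)]


class Gateway:
    """Comparator 204 plus switch 216 with a single programmed address."""

    def __init__(self):
        self.programmed_address = None     # set at step s12
        self.mode = SwitchMode.BLOCK       # assumption: block until programmed

    def program(self, mta_address: str) -> None:
        """Steps s8 to s12: the second MTA supplies the comparison criterion."""
        self.programmed_address = mta_address.encode("ascii")

    def transfer(self, frame: bytes):
        """Steps s28 to s44: return the bare email if passed, None if blocked."""
        decoded = decode_envelope(frame)
        if decoded is None or self.programmed_address is None:
            self.mode = SwitchMode.BLOCK   # assumption: malformed input fails closed
            return None
        addr, email = decoded
        # Step s34: exact byte match only; no prefix, wildcard or case folding.
        if addr == self.programmed_address:
            self.mode = SwitchMode.PASS    # step s36
            return email                   # step s38: envelope already removed
        self.mode = SwitchMode.BLOCK       # step s42
        return None                        # step s44


def demo():
    """Run three constructed frames through one programmed gateway."""
    gw = Gateway()
    gw.program("mta2.example")             # constructed address
    msg = b"Subject: status\r\n\r\nall nominal\r\n"
    ok = gw.transfer(apply_envelope("mta2.example", msg))
    wrong = gw.transfer(apply_envelope("mta9.example", msg))
    truncated = gw.transfer(apply_envelope("mta2.example", msg)[:-2])
    return ok, wrong, truncated, gw.mode


if __name__ == "__main__":
    print(demo())
```

The model has no method that carries data from output to input, which mirrors the one-way property the description attributes to the logic blocks.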
The MTAs and the FPGA advantageously provide a unidirectional security gateway with assured addressing between the secured computer network and the unsecured network. The unidirectional security gateway tends to allow data transfer in only a single direction and from the secured computer network to the unsecured network. Data travel from the unsecured computer network to the unsecured network tends to be prevented. Thus, the secured computer network tends to be secured against receiving unwanted or malicious data from the unsecured network. Thus, for example, a secured network may be protected from attack from unsecured public networks while publishing information to such unsecured networks.
Use of logic blocks in the FPGA of the unidirectional security gateway advantageously tends to assure unidirectional data flow, as the logic blocks of the FPGA do not include bidirectional ports.
Advantageously, the above described unidirectional security gateway tends to be physically smaller than conventional unidirectional networks. Furthermore, the above described unidirectional security gateway tends to be less costly (for example in terms of power consumption) to produce than conventional unidirectional networks. Advantageously, the above described unidirectional security gateway tends to provide a communication protocol. In particular, data output by the unidirectional security gateway has the same format as input data. For example, an input Ethernet signal tends to be output by the above described unidirectional security gateway as an Ethernet signal.
Advantageously, a "protocol break" is provided by the above described unidirectional security gateway. In particular, the format of the data is changed, and then changed back again, between the input and the output of the gateway. For example, input Ethernet data is transferred to Serial Line data and back again as it travels through the gateway. This advantageously tends to provide for improved data security compared to conventional unidirectional networks.
Advantageously, a "technology break" is provided by the above described unidirectional security gateway. The FPGA of the above described gateway is a hardware appliance through which data flows. This advantageously tends to provide for improved data security compared to many conventional unidirectional networks.
Advantageously, the above described unidirectional security gateway is programmable. It tends to be possible to reprogram the FPGA to change the address of an MTA or unsecured network to which data is permitted to travel. Advantageously, the above described unidirectional security gateway tends to provide for the delivery of addressed data to the designated address(es). Furthermore, the delivery of addressed data to another address, i.e. a non-designated address, tends to be prevented.
Advantageously, multiple unidirectional security gateways can be implemented, for example in parallel, to assure the delivery of addressed data to the designated address(es) to multiple unsecured networks.
It should be noted that certain of the process steps depicted in the flowcharts of Figures 3 to 5 and described above may be omitted or such process steps may be performed in differing order to that presented above and shown in Figures 3 to 5. Furthermore, although all the process steps have, for convenience and ease of understanding, been depicted as discrete temporally-sequential steps, nevertheless some of the process steps may in fact be performed simultaneously or at least overlapping to some extent temporally.
In the above embodiments, data travels through the unidirectional security gateway in only one direction from the secured computer network to the unsecured network. However, in other embodiments, data travels through the unidirectional security gateway in only one direction from an unsecured computer or network of computers to a secured computer or network of computers. Thus, secure data can be advantageously prevented from being distributed to an unsecure network, for example the Internet. In some embodiments, data travels through the unidirectional security gateway in only one direction from a secured computer or network of computers to a different or the same secured computer or network of computers. In some embodiments, data travels through the unidirectional security gateway in only one direction from an unsecured computer or network of computers to a different or the same unsecured computer or network of computers.
In the above embodiments, data travels from a single secured computer network to a single unsecured network. However, in other embodiments, there is a different number of secured computers or networks of computers and/or a different number of unsecured computers or networks of computers. For example, in some embodiments, data travels from multiple separate secured computers or networks of computers to a single unsecured computer or network of computers. In some embodiments, data travels from a single secured computer or network of computers to multiple separate unsecured computers or networks of computers. In some embodiments, data travels from multiple separate secured computers or networks of computers to multiple separate unsecured computers or networks of computers.
In the above embodiments, there is only a single possible destination to which the data may be delivered, namely the second computer. In the above embodiments, the comparator is programmed with a single "programmed address", and controls the switch based on a comparison of that programmed address with a delivery address of input data. In the above embodiments, the switch has two modes of operation, namely the first mode in which data is permitted to flow to its single possible destination, and the second mode in which data travel is blocked.
However, in other embodiments, there are multiple possible destinations to which the data travelling through the unidirectional security gateway may be delivered.
In some embodiments, the comparator may be programmed with multiple different "programmed addresses". The comparator may control the switch based on which of the multiple programmed addresses match a delivery address of input data. In some embodiments, the switch may have more than two modes of operation. For example, the switch may have a mode of operation in which data travel is blocked and, in addition, may have, for each possible destination to which the data may be delivered, a further mode in which data is permitted to flow to that destination and only that destination. The switch may be switchable, for example by the comparator of the FPGA, between its modes of operation in similar fashion to that described above.
In some embodiments, multiple comparators and/or multiple switches may be implemented. For example, in some embodiments, a separate comparator and switch pair is provided for each of the multiple possible destinations to which the data travelling through the unidirectional security gateway may be delivered.
In the above embodiments, data travels in only a single direction from the first computer to the second computer. However, in other embodiments, a further unidirectional security gateway may be arranged to allow some data to travel in the opposite direction.
For example, a first unidirectional security gateway may be arranged between the first and second computers and configured to allow for unidirectional data flow from the first computer to the second computer. A second unidirectional security gateway may be arranged between the first and second computers and configured to allow for unidirectional data flow from the second computer to the first computer. For example, the second unidirectional security gateway may allow the second computer to send a receipt to the first computer in response to receiving data from the first computer. In some embodiments, the counter of an FPGA may be implemented to limit the amount of data sent between computers. For example, a counter in the second unidirectional security gateway may be implemented to limit the size of the response sent from the second computer to the first computer. For example, the counter may be configured to switch the associated switch to its "block" mode if the amount of data flowing through the second unidirectional security gateway exceeds a predefined threshold. Thus, the first computer may be protected from receiving large amounts of data.
In the above embodiments, an email message is sent between the first and second computers. However, in other embodiments, a different type of data or communication is sent between the computers or networks of computers. Such communications may include, for example, audio data, image data, video data, text data, and other data that can be communicated between computer devices or networks. The data transferred through the unidirectional gateway may include any combination of binary bits. In some embodiments, the data is a single byte. In some embodiments, the data includes one or more files of information. The data may contain encrypted information or unencrypted information. The data may include parity bits, checksums, error detection codes, error correction codes, etc.

Claims

1. A security gateway for controlling data flow between a first computer (104) and a second computer (120), the security gateway comprising: a data input for receiving data from the first computer (104); a data output for sending data to the second computer (120); and one or more logic blocks arranged between the data input and the data output; wherein the one or more logic blocks are configured to allow the data to flow from the data input to the data output; and the one or more logic blocks are configured to prevent the data from flowing from the data output to the data input.
2. A security gateway according to claim 1, wherein the one or more logic blocks form a Field Programmable Gate Array (112).
3. A security gateway according to claim 1 or 2, wherein the security gateway comprises a second input configured to receive delivery address information for the data; and the one or more logic blocks are configured to: if the delivery address information for the data is the same as an address associated with the second computer (120), allow the data to flow from the data input to the data output; and if the delivery address information for the data is different to the address associated with the second computer (120), prevent the data from flowing from the data input to the data output.
4. A security gateway according to claim 3, wherein: the security gateway further comprises a first Message Transfer Agent (110) located at the data input; the first Message Transfer Agent (110) is configured to: receive the data from the first computer (104); using the received data, generate the delivery address information for the data; and send the generated delivery address information for the data to the one or more logic gates.
5. A security gateway according to claim 3 or 4, the security gateway further comprising: a switch (216) having a first state and a second state, the first state being a state in which the switch (216) allows the data to flow from the data input to the data output, the second state being a state in which the switch (216) prevents the data from flowing from the data input to the data output; and a controller (204) configured to compare the delivery address information for the data to the address associated with the second computer (120), and control the switch (216) based on that comparison.
6. A security gateway according to claim 5, wherein at least one of the switch (216) and the controller (214) comprises one or more logic blocks.
7. A security gateway according to any of claims 1 to 6, the security gateway further comprising: a third input configured to receive information specifying an address associated with the second computer (120); and means for modifying a configuration of the one or more logic blocks based on the received information specifying the address associated with the second computer (120).
8. A security gateway according to claim 7, wherein: the security gateway further comprises a second Message Transfer Agent (116) located at the data output; the second Message Transfer Agent (116) is configured to: generate the information specifying an address associated with the second computer (120); and send the generated information specifying an address associated with the second computer (120) to the means for modifying the configuration of the one or more logic blocks.
9. A security gateway according to any of claims 1 to 8, wherein: the security gateway further comprises a first Message Transfer Agent (110) located at the data input; and the first Message Transfer Agent (110) is configured to: receive the data in a first data format from the first computer (104); convert the received data into a second data format, the second data format being different to the first data format; and send the data in the second data format to the one or more logic gates.
10. A security gateway according to any of claims 1 to 9, wherein: the security gateway further comprises a second Message Transfer Agent (116) located at the data output; and the second Message Transfer Agent (116) is configured to: receive the data in a second data format from the one or more logic blocks; convert the received data into a first data format, the first data format being different to the second data format; and output, for use by the second computer (120), the data in the first data format.
11. A security gateway according to claim 9 or 10, wherein the second data format is a Serial Line data format.
12. A security gateway according to any of claims 1 to 11, the security gateway further comprising: a counter (214) configured to determine an amount of data traffic through the one or more logic blocks; and means for controlling a flow of data through the one or more logic blocks using the determined amount of data traffic.
13. A security gateway according to claim 12, wherein the means for controlling a flow of data through the one or more logic blocks is configured to: if the determined amount of data traffic is less than a threshold amount, allow the data to flow from the data input to the data output; and if the determined amount of data traffic is greater than or equal to a threshold amount, prevent the data from flowing from the data input to the data output.
14. A system comprising: a first computer (104); a second computer (120); and a security gateway connected between the first computer (104) and the second computer (120), the security gateway being in accordance with any of claims 1 to 13.
15. A method for controlling data flow between a first computer (104) and a second computer (120), the method comprising: providing a data input for receiving data from the first computer (104); connecting the first computer (104) to the data input; providing a data output for sending data to the second computer (120); connecting the second computer (120) to the data output; arranging one or more logic blocks between the data input and the data output; causing data to flow through the one or more logic blocks from the data input to the data output; and preventing, by the one or more logic blocks, data from flowing from the data output to the data input.
PCT/GB2015/051808 2015-05-27 2015-06-22 Security gateway WO2016189264A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB1509046.7A GB2538952A (en) 2015-05-27 2015-05-27 Security gateway
EP15275143.4 2015-05-27
GB1509046.7 2015-05-27
EP15275143 2015-05-27

Publications (1)

Publication Number Publication Date
WO2016189264A1 (en) 2016-12-01

Family

ID=53502707

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2015/051808 WO2016189264A1 (en) 2015-05-27 2015-06-22 Security gateway

Country Status (1)

Country Link
WO (1) WO2016189264A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1953954A2 (en) * 2007-01-30 2008-08-06 Harris Corporation Encryption/decryption device for secure communications between a protected network and an unprotected network and associated methods
WO2009047556A1 (en) * 2007-10-10 2009-04-16 Bae Systems Plc Data diode
US20100290476A1 (en) * 2009-05-18 2010-11-18 Tresys Technology, Llc One-Way Router
US20150012998A1 (en) * 2013-07-03 2015-01-08 Cisco Technology, Inc. Method and apparatus for ingress filtering

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10834057B1 (en) 2020-06-08 2020-11-10 Science Applications International Corporation Reliable data transfer protocol for unidirectional network segments
US11411926B2 (en) 2020-06-08 2022-08-09 Science Applications International Corporation Reliable data transfer protocol for unidirectional network segments
US11870756B2 (en) 2020-06-08 2024-01-09 Science Applications International Corporation Reliable data transfer protocol for unidirectional network segments

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15733871

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15733871

Country of ref document: EP

Kind code of ref document: A1