GB2503245A - Secure connection between computer networks using unidirectional links - Google Patents


Info

Publication number: GB2503245A
Authority: GB (United Kingdom)
Prior art keywords: network interface, data, network, machine, content checker
Prior art date:
Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: GB1210922.9A
Other versions: GB201210922D0 (en)
Inventor: Simon Robert Wiseman
Current Assignee: Everfox Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Deep Secure Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:

Events
    • Application filed by Deep Secure Ltd
    • Priority to GB1210922.9A (GB2503245A)
    • Publication of GB201210922D0
    • Priority to ES13735362.9T (ES2655675T3)
    • Priority to PCT/GB2013/051590 (WO2013190289A1)
    • Priority to EP13735362.9A (EP2865156B1)
    • Priority to US14/409,639 (US9413717B2)
    • Publication of GB2503245A
    • Legal status: Withdrawn (current)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0281 Proxies
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/12 Arrangements for detecting or preventing errors in the information received by using return channel
    • H04L1/16 Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Bioethics (AREA)
  • Technology Law (AREA)

Abstract

Apparatus for connecting two or more computer networks having two or more network interface machines 201, 202, 203 each arranged to be connected to a respective computer network with a bidirectional communications link 105, 106, 107 enabling the network interface machine to receive data from and transmit data to the respective computer network. The network interface machines are connected together with at least one content checker 210, 211 to enable data to be transmitted from one network interface machine to another, and arranged such that data transmitted from one network interface machine to another network interface machine must pass via a content checker. Each network interface machine is arranged to transmit flow control data to another network interface machine to regulate transmission of data between the two network interface machines. The network interface machines may be connected to the content checkers only by unidirectional communications links 219, 220. In further embodiments content checkers of differing characteristics may be used in series (Figure 3) or may be used in a ring-like formation (Figure 5). The content checking may be checking for confidential/sensitive information such as being passed between differing security level networks or checking for damaging/malicious content. The interface machines act as a proxy for their respective networks. The flow control information may include ACK/NACK type signalling, ready to receive indications or requests for further data transmission.

Description

Apparatus And Method For Connecting Computer Networks
Technical Field of the Invention
The present invention relates to an apparatus and method for connecting computer networks, and in particular for providing a secure connection between computer networks.
Background to the Invention
It is often necessary to control the flow of data into or out of a computer network in order to protect the network and data stored on the network. For example, where two connected networks store data with different security classifications it is desired to prevent data stored on the network with a higher security classification from being transferred to the network with a lower security classification. Whilst data from the network with the lower security classification may in principle be transferred to the network with the higher security classification, it may be desirable to ensure that data is not transferred which could affect the integrity of data stored on the network with the higher classification or otherwise harm that network.
One way to protect computer networks is the use of so called data diodes, as disclosed in US5703562. A data diode provides a unidirectional data connection, so that data can be restricted to flow only in to or out of a network. Whilst this is useful in protecting confidentiality or integrity of information stored by the network, preventing two way communication with the network causes problems.
One problem is that of controlling the flow of data through the data diode. The receiving part of the diode cannot inform the transmitting part of the optimal rate at which to send data, and it is not possible to automatically recover from transmission errors or failures of the receiving logic because the receiving logic cannot inform the sending logic of any problems.
Another problem is that a data diode necessarily has equipment either side of the unidirectional link it provides which requires management, in that it must be configured and will need to report activity for security monitoring purposes. However, if the equipment on each side of the link is connected to a management system, this provides a bypass of the unidirectional link that could introduce bidirectional communication between the two networks. The only way the unidirectional property can be retained is to use separate management systems for each side of the diode, which is expensive to provide and error prone in operation.
A related problem is that the management system itself is typically a sensitive system that requires protection from the data networks and communications equipment it is managing. The data diode being managed offers no protection for the management system, so further equipment is needed to do this. This additional equipment may include a data diode, in which case it too must be managed without introducing a bypass of the data diode. To avoid this recursion, it is usual for such equipment to be managed from several points with a resultant increase in the scale of management overheads.
In order to address problems caused by imposing unidirectional flow of data between networks, but retain network security, it has been proposed to connect two networks with two separate unidirectional data connections arranged to transmit data in opposite directions between the networks. Each connection comprises a content checker, arranged in series between a pair of data diodes which respectively limit the transmission of data into and out of the content checker. The function of the content checkers is to allow only acceptable data to be transmitted from one network to the other, and the security of the connection relies principally on the content checkers. The data diodes provide protection to the content checkers.
Whilst this arrangement allows for controlled bidirectional communication between nctworks it is still far from ideal. Although applications running on each network can communicate with each other, to do so they must coordinate to provide the required flow control and error recovery. For example a first application running on a computer on a first network may need to send data to a second application running on a computer on a second, connected, network. The first application can send data via a unidirectional link, but must then listen for an acknowledgement message sent from the second application via the second, opposed, unidirectional link before sending a further message. This approach is in contrast to standard computer network communications protocols which are arranged in a stack with flow control and error recovery typically implemented at multiple levels of the stack. As a result, applications need not concern themselves with flow control and error recovery as this is handled by the network stack.
Requiring applications to implement custom protocols for flow control and error recovery, at the application level, is burdensome and limits the usefulness of the approach.
Nor does this approach enable equipment either side of the data diodes to be managed by a single system without bypassing the data diodes and/or the content checkers.
Embodiments of the present invention have been made in consideration of these problems.
Summary of the Invention
According to an aspect of the present invention there is provided apparatus for connecting two or more computer networks, the apparatus comprising two or more network interface machines each arranged to be connected to a respective computer network with a bidirectional communications link enabling the network interface machine to receive data from and transmit data to the computer network, the network interface machines being connected together with at least one content checker, to enable data to be transmitted from one network interface machine to another, and arranged such that data transmitted from one network interface machine to another network interface machine must pass via a content checker, each network interface machine being arranged to transmit flow control data to another network interface machine thereby to regulate transmission of data between the two network interface machines.
Thus, control of the flow of data between the network interface machines can be managed by the network interface machines through the transmission of flow control data, which is also checked by the or each content checker, without using resources from connected networks or applications between which data is being transferred.
The or each content checker may pass data only if the data will not damage the integrity of, or availability of services offered by, its recipient. Alternatively or additionally, the or each content checker may not pass information which will cause a damaging revelation.
Another aspect of the invention provides a method of providing bidirectional communication between two or more computer networks using the apparatus, the method comprising the steps of:
connecting each network to a respective network interface machine with a bidirectional communications link; receiving data from one network at a first network interface machine; passing the received data to a second network interface machine via at least one content checker; delivering data received by the second network interface machine to another network to which it is connected via a bidirectional communications link; and passing flow control data between at least the first and second network interface machines via at least one content checker to regulate the transmission of data between the machines.
The network interface machines may be arranged to communicate with the respective computer networks using a bidirectional protocol stack.
Each network interface machine may be connected to a content checker by way of a unidirectional communications link enabling data to be transmitted from the network interface machine to the content checker, but not received by the network interface machine from the content checker. The unidirectional communications link may be formed by a transmitter comprised in each network interface machine, connected via a conduit to a receiver comprised in a content checker.
Each network interface machine may be connected to a different content checker by way of a unidirectional communications link enabling data to be transmitted from the content checker to the network interface machine, but not received by the content checker from the network interface machine. Two or more network interface machines may be connected to the same content checker by respective unidirectional links which enable data to be transmitted from the network interface machines to the content checker. A content checker may be connected to two or more network interface machines by respective unidirectional communications links which enable data to be transmitted from the content checker to a selected one, or both, of the connected network interface machines.
Three or more network interface machines and the same number of content checkers may be provided, the content checkers being connected to each other by way of unidirectional communications links in a ring formation, and each network interface machine being connected to one content checker with a unidirectional communications link enabling it to transmit data to the content checker, and to another content checker with a unidirectional communications link enabling it to receive data from the content checker. With this arrangement each content checker may be connected by respective oppositely configured unidirectional communications links to only two network interface machines.
Two or more differently configured content checkers may be connected in series by unidirectional communications links such that data received by the first content checker in the series must pass via each other content checker before onward transmission to another component.
The apparatus may comprise at least three network interface machines, one of which is designated as a management network interface machine and is configured to pass control and management information between a network to which it is connected via a bidirectional communications link, and each of the other network interface machines of the apparatus. Thus all network interface machines can communicate with a single management machine or network without compromising security.
The apparatus may be arranged such that at least one network interface machine can transmit data to any other network interface machine without that data passing through a third network interface machine.
Detailed Description of the Invention
In order that the invention may be more clearly understood embodiments thereof will now be described, by way of example only, with reference to the accompanying drawings, of which: Figure 1 is an overview of apparatus according to the invention; Figure 2 shows a first embodiment of connection apparatus; Figure 3 shows a second embodiment of connection apparatus; Figure 4 shows a third embodiment of connection apparatus; and Figure 5 shows a fourth embodiment of connection apparatus.
Referring to the drawings, figure 1 shows three computer networks, an external network 101, a protected network 102 and a management network 103, connected together by way of connection apparatus 104 according to the invention. Each network, 101, 102 and 103, is connected to the connection apparatus 104 by way of a respective, conventional bidirectional communications link 105, 106, 107 supporting a conventional computer network communication protocol employing a bidirectional protocol stack, such as TCP/IP over Ethernet or Frame Relay. Each bidirectional link allows data to be transferred in either direction between the networks it connects and the connection apparatus 104. It may comprise any suitable connection formed by one or more suitable conduits such as electrical cables or optic fibres, and could employ two conduits which serve to pass data in only one direction, arranged to pass data in respective opposite directions to establish a bidirectional link.
The connection apparatus allows only specified types of data to be transferred between the networks in order to protect integrity and/or confidentiality of data stored on the networks, or otherwise protect the networks. References to data being stored on a particular network encompass data stored on one or more computers or other apparatus comprised in the network.
Figure 2 shows one embodiment of connection apparatus 104 suitable for use in the arrangement illustrated in figure 1. Referring to figure 2, the apparatus comprises first, second and third network interface machines 201, 202, 203 for connection respectively to external 101, protected 102 and management 103 networks via bidirectional links 105, 106 and 107 enabling data to be transferred from each network to its associated network interface machine and vice versa.
Each network interface machine comprises a programmed computer comprising appropriate software and/or hardware to implement the bidirectional protocol stack for communicating with a computer network via a bidirectional communications link. Each network interface machine could comprise one or more interconnected components. In particular, each network interface machine could be built from standard general purpose computer equipment such as an Intel™ or Arm™ processor, and run a commodity operating system such as Microsoft™ Windows™ or Linux™. For establishing bidirectional communication with a computer network, the interface machines may comprise commodity computer networking devices such as Ethernet Network Interface Cards.
Application software running on these machines acts as a protocol proxy, terminating connections from client computers attached to a network to which the machines are connected, or making connections to server computers on the network. For email protocols, applications such as the sendmail message transfer software could be used as the proxy. For web applications a web server such as Apache™ could be used.
Each interface machine also comprises a transmitter 204, 205, 206 for transmitting data, and a receiver 207, 208, 209 for receiving data. Any suitable transmitters and receivers may be used, but they would typically be electrical or optical. Each network interface machine is arranged to transmit data received via the bidirectional communications link, and intended for onward transmission to another device, via its transmitter so as to form a unidirectional data link to the other device, along with flow control data relating to the transmission of data between the network interface machines.
This flow control data could comprise, for example, an acknowledgement that data has been received from another network interface machine, or an indication that the machine is ready to receive more data. Each network interface machine is also arranged to transmit data received by its receiver from another device (thus forming a unidirectional data link from that device), and intended for onward transmission, via the bidirectional communications link, and to transmit flow control data comprised in or relating to the received data via its transmitter, such as for example an acknowledgement of receipt of data, or a signal to request the transmission of further data.
Separate instances of the proxies run on each network interface machine and these communicate through additional software that exchanges data across the unidirectional links. The protocols used by this software could be based on standards such as Ethernet which naturally operate in a unidirectional fashion. The software could be written in any systems programming language such as C++.
The connection apparatus further comprises first and second content checker machines 210, 211. Each content checker machine may comprise a programmed computer. The content checkers may be constructed from general purpose computer hardware and commodity operating system, though this is likely to be installed in a minimal configuration to avoid introducing security vulnerabilities in unused software.
The protocol handling and content checking software can be written in C++.
Alternatively the content checker may be implemented using special purpose hardware such as that developed for implementing encryption units. These are typically a combination of dedicated external interfaces, processors and programmable logic components such as a suitably programmed Field Programmable Gate Array (FPGA).
The function of the content checking is then split up with its interfacing functionality implemented by logic surrounding the interfaces, its protocol handling functionality implemented in software running on the processors and its data validation function implemented in further processors or in logic within an FPGA component.
The first content checker 211 machine comprises two receivers 212, 213 and a single transmitter 214. The second content checker machine 211 comprises two transmitters 215, 216 and a single receiver 217.
The first content checker machine 210 is operative to receive data at either of its two receivers, to check the data and to transmit only appropriate data of the received data via its transmitter.
The second content checker machine 211 is operative to receive data at its receiver, to check the data, to separate management data from other data, and then to transmit only appropriate management data via one transmitter and only appropriate other data via the other transmitter.
Each transmitter of a network interface machine is connected via a suitable conduit 219, such as an electrical cable or optical fibre, to a respective receiver of a content checker machine, thereby forming a unidirectional communications link between connected network interface and content checker machines allowing only transmission of data from each network interface machine to a content checker machine. Each receiver of a network interface machine is connected via a suitable conduit 220 to the transmitter of the other content checker machine to that to which the transmitter of the network interface machine is connected, allowing only the transmission of data from that content checker machine to the connected network interface machine. Specifically, the transmitters of the first and third network interface machines are connected to the receivers of the first content checker machine and the transmitter of the second network interface machine is connected to the receiver of the second content checker machine. Likewise the receivers of the first and third network interface machines are connected to the transmitters of the second content checker machine and the receiver of the second network interface machine is connected to the transmitter of the first content checker machine.
The apparatus allows data to be passed between the three network interface machines, thereby allowing bidirectional communication between respective computer networks connected to the three network interface machines. Data passing between the network interface machines must always pass via a content checker which allows only appropriate data to pass and so serves to protect the networks from inappropriate data transfer, such as, for example, transmission of unwanted data such as a computer virus from the external network to the protected network and transmission of sensitive data from a protected network to an external network. The data communication links between the network interface machines and content checker machines are all unidirectional, with each network interface machine transmitting data to one content checker machine and receiving data from another. These unidirectional links serve to protect the content checker machines, and those machines to which they pass data, from external attack that might target vulnerabilities in the receiver such as buffer overflows.
In use, when data is to be transferred from an external network to a protected network it is received by the first network interface machine 201 which then transmits it, together with appropriate flow control data, to the second network interface machine 202, via the first content checker 210. The second network interface machine 202 sends relevant flow control data back in response to the first network interface machine 201 via the second content checker 211. Thus transmission of data received from the external network over the unidirectional path between the first and third network control machines is coordinated between the first and third network interface machines, overcoming the transmission problems with existing data diodes and without having to involve applications running on the networks in coordinating data transmission. Likewise, data can be transmitted from a protected network to the external network via the second content checker 211, with control data additionally passing from the first network interface machine 201 to the second network interface machine 202 via the first content checker machine 210.
The first and second network interface machines 201, 202 and content checker machines 210, 211 can also each transmit data to, and receive data from, the third network interface machine 203, and thereby exchange data with a management network.
Data to be transmitted to the third network interface machine 203 must be transmitted to that machine by the second content checker machine 211. Data from the first network interface 201 and first content checker machine 210 must pass to the second network interface machine 202 for transmission to the second content checker machine 211. Data to be received from the third network interface machine 203 is transmitted to the first content checker machine 210 from which it can, where desired, be passed on to the second network interface machine 202, from there to the second content checker machine 211 and from there to the first network interface machine 201.
Data sent to and received from a management network via the third network interface machine 202 may comprise information about the health of the source machine or details of the data it is handling. In addition, the first and second network interface machines 201, 202 can exchange data with the third network interface machine 203 relating to the flow of data between the network interface machines.
As all data sent to and received from a management network must pass through a content checker, a management network does not provide an unsafe connection between external and protected networks. Importantly, the third network interface machine 203 is connected to receive data directly from the second content checker 211 so that data received from a protected network by the second network interface machine can be transmitted to the third network management machine 203, and thence to a management network, without having to pass through the first network interface machine, which could be compromised owing to its connection to the external network.
The arrangement allows each machine to communicate with the other machines in order to effect bidirectional communication between an external network and a protected network, to provide logging information to, and to receive configuration commands from, a management network interface machine. The machines can also exchange messages relating to the flow control of their communication.
Thus the arrangement provides bidirectional communication between an external network and a protected network with the security advantages of using unidirectional links while being able to manage the inherent unreliability of unidirectional links and being able to operate and administer the equipment from a single point.
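The coordination described above (data one way, flow control back the other way, every message passing a content checker) can be made concrete with a small simulation. This is an added example, not code from the patent or from Deep Secure: the message shapes, the allow-list checker policy, the stop-and-wait scheme and the loss schedule are all constructed assumptions. It shows how a receiver-side acknowledgement returned over the opposite unidirectional link lets the sender recover from losses that a bare data diode could never report, while a malformed message injected on the data path is discarded by the checker and never reaches the protected side.

```python
"""Stop-and-wait transfer over two opposed unidirectional links, each guarded by a
content checker. Added example; message shapes, checker policy and loss schedule
are constructed for illustration and are not taken from the patent."""

# Strict message shapes: the checker passes a message only when it matches one of
# these exactly (assumed allow-list policy standing in for the page's content checker).
DATA_KEYS = {"kind", "seq", "payload"}
CTRL_KEYS = {"kind", "ack"}
MAX_PAYLOAD = 64


def content_check(msg):
    """Allow-list check: a well-formed DATA or CTRL message, nothing else."""
    if not isinstance(msg, dict):
        return False
    if msg.get("kind") == "DATA":
        return (set(msg) == DATA_KEYS
                and isinstance(msg["seq"], int) and msg["seq"] >= 0
                and isinstance(msg["payload"], bytes)
                and len(msg["payload"]) <= MAX_PAYLOAD
                and msg["payload"].isascii())
    if msg.get("kind") == "CTRL":
        return set(msg) == CTRL_KEYS and isinstance(msg["ack"], int) and msg["ack"] >= 0
    return False


class Conduit:
    """One-way link in series with a content checker. The transmitter can only push;
    nothing flows back, so a lost or rejected message is simply gone (no NAK exists)."""

    def __init__(self, checker, loss_schedule=()):
        self.checker = checker
        self.loss_schedule = set(loss_schedule)  # constructed (kind, number, attempt) drops
        self.attempts = {}
        self.queue = []
        self.rejected = []

    def send(self, msg):
        if not self.checker(msg):
            self.rejected.append(msg)  # discarded by the checker; sender is not told
            return
        number = msg["seq"] if msg["kind"] == "DATA" else msg["ack"]
        attempt = self.attempts.get((msg["kind"], number), 0)
        self.attempts[(msg["kind"], number)] = attempt + 1
        if (msg["kind"], number, attempt) in self.loss_schedule:
            return  # models the inherent unreliability of a unidirectional link
        self.queue.append(msg)

    def drain(self):
        out, self.queue = self.queue, []
        return out


class Receiver:
    """Receiving network interface machine: delivers in order, acknowledges over the
    return link, and re-acknowledges duplicates without re-delivering them."""

    def __init__(self):
        self.expected = 0
        self.delivered = []

    def process(self, data_link, ctrl_link):
        for msg in data_link.drain():
            if msg["seq"] == self.expected:
                self.delivered.append(msg["payload"])
                self.expected += 1
            if msg["seq"] < self.expected:
                ctrl_link.send({"kind": "CTRL", "ack": msg["seq"]})


def transfer(payloads, data_link, ctrl_link, max_retries=5):
    """Sending network interface machine: stop-and-wait with retransmission.
    Returns (payloads delivered in order, number of retransmissions)."""
    receiver = Receiver()
    retransmissions = 0
    for seq, payload in enumerate(payloads):
        for _ in range(max_retries + 1):
            data_link.send({"kind": "DATA", "seq": seq, "payload": payload})
            receiver.process(data_link, ctrl_link)
            if any(ctl["ack"] == seq for ctl in ctrl_link.drain()):
                break
            retransmissions += 1
        else:
            raise RuntimeError(f"seq {seq} never acknowledged")
    return receiver.delivered, retransmissions


def demo():
    """Constructed scenario: DATA 1 is lost on its first attempt, the acknowledgement
    for DATA 2 is lost on its first attempt, and one malformed message is injected."""
    data_link = Conduit(content_check, loss_schedule=[("DATA", 1, 0)])
    ctrl_link = Conduit(content_check, loss_schedule=[("CTRL", 2, 0)])
    delivered, retransmissions = transfer([b"alpha", b"beta", b"gamma"], data_link, ctrl_link)
    # A message that is not on the allow-list never reaches the protected side.
    data_link.send({"kind": "DATA", "seq": 3, "payload": "text", "extra": None})
    return delivered, retransmissions, len(data_link.rejected)
```

Because the checker validates both directions, the control path cannot be used to carry arbitrary content back towards the external side either: an acknowledgement is a single non-negative integer and nothing more.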
A variation on the arrangement shown in figure 2 is shown in figure 3, in which like numerals are used to identify like components. The arrangement illustrated in figure 3 differs from that of figure 2 by the addition of a third content checker machine 221 connected in series between the first content checker machine 210 and the second network interface machine 202. The third content checker machine 221 has a receiver 222 connected by a conduit 223 to the transmitter of the first content checker machine 210, and a transmitter 224 connected by a conduit 225 to the receiver 208 of the second network interface machine 202, so that unidirectional communication paths are established from the first content checker machine 210 to the third content checker machine 221 and from the third content checker machine to the second network interface machine 202.
Provision of the additional content checker machine in the path of data to the second network interface machine provides the protected network to which that machine is connected with an additional level of protection against receiving inappropriate data or external attack. Ideally, the first and third content checker machines are made to different designs, so as to avoid common modes of failure. The probability that both content checker means will allow inappropriate data to pass or be disabled by an attacker is greatly reduced as compared to a single machine.
In any embodiment a single content checker machine could be replaced by two or more content checker machines connected in series by a unidirectional data connection.
Figure 4 shows another variation on the arrangement shown in figure 2, again with like reference numerals being used to identify like components. The arrangement of figure 2 has been altered to enable two external networks to communicate with a protected network and a management network by providing the first content checker machine 210 with a third receiver 225, and the second content checker machine 211 with a third transmitter 226, enabling a fourth network interface machine 227, connected by a bidirectional link 228 to a second external network, to be connected to the first content checker 210 in the same fashion as, and in parallel to, the first network interface machine 201. Thus the fourth network interface machine 227 may communicate with the second and third interface machines 202, 203 in exactly the same way as the first network interface machine 201. Data can be transmitted between the two external networks by passing it via the second network interface machine, which, as it is connected to a protected network, can be trusted not to disclose or modify data inappropriately. In contrast, owing to the parallel connection, data may be transmitted between either of the external networks and the protected network without passing via a network connection machine which is connected to another external network. In this arrangement the second content checker machine 211 is arranged to selectively route information received for onward transmission to either one of, or both of, the first and fourth network connection machines 201, 227.
Figure 5 shows a further embodiment of network connection apparatus suitable for connecting mutually suspicious networks. In this arrangement, the same number of content checkers 501 as network interface machines 502 is employed. Each content checker has two receivers 504, 508 and two transmitters 503, 505. One transmitter 503 of each content checker is connected by a conduit to the receiver 504 of another content checker to form a ring around which data can pass in only one direction. The other transmitter 505 of each content checker is connected by a conduit to the receiver 506 of a network interface machine 502, and a transmitter 507 of that network interface machine is connected by a conduit to the receiver 508 of the next content checker in the ring, in the direction of data flow. Each network interface machine is connected to a network via a conventional bidirectional data link 509. In the illustrated example there are four network interface machines and four content checkers. One network interface machine may be connected to a management network and the others to mutually suspicious networks. A minimum of three network interface machines and content checkers can be connected in this way, and the arrangement can be scaled to include any greater number.
In this arrangement, in addition to all data passing between network interface machines passing via at least one content checker machine, data may pass from any one network interface machine to any other one network interface machine without passing via any other network interface machine.
Each content checker machine in this embodiment can selectively transmit data received to either or both of a network interface machine and the next content checker in the ring.
So, for example, data received from a network connected to the first network interface machine for transmission to the network connected to the third network interface machine will be transmitted to the first, second and third content checkers in turn, and from the third content checker to the third network interface machine. Flow control data may then be transmitted from the third network interface machine via the fourth content checker, and then back to the first network interface machine.
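The ring of figure 5 can be checked mechanically for the isolation property claimed above (any machine reaches any other through at least one content checker and through no other network interface machine). The following is an added example, not the patent's or Deep Secure's code; its numbering convention is an assumption chosen to match the worked example in the text: network interface machine k transmits into content checker k, content checker k delivers to network interface machine k, and the ring carries data from content checker k to content checker k+1, wrapping at n. It generalises the four-machine illustration to any ring size of three or more.

```python
"""Routing on the ring of content checkers described for figure 5. Added example;
the numbering convention (NIM k -> CC k -> CC k+1 -> ... -> NIM dst) is an assumption."""


def ring_path(n, src, dst):
    """Hop-by-hop path from NIM src to NIM dst through the ring (1-based numbering)."""
    if n < 3:
        raise ValueError("the ring needs at least three network interface machines")
    if not (1 <= src <= n and 1 <= dst <= n) or src == dst:
        raise ValueError("src and dst must be distinct machines in the ring")
    path = [f"NIM{src}"]
    k = src
    while True:
        path.append(f"CC{k}")
        if k == dst:
            break
        k = k % n + 1  # next content checker in the direction of data flow
    path.append(f"NIM{dst}")
    return path


def checker_decision(k, dst):
    """Selective routing at content checker k for data addressed to NIM dst:
    deliver to its own network interface machine, or forward round the ring."""
    return "to_nim" if k == dst else "to_ring"


def checkers_traversed(n, src, dst):
    """Closed form for the number of content checkers between NIM src and NIM dst."""
    return (dst - src) % n + 1


def deliver(n, src, dst, payload, check):
    """Walk the path applying the content check at every checker hop.
    Returns (delivered, hops_taken); a rejected payload stops at the first checker."""
    path = ring_path(n, src, dst)
    hops = [path[0]]
    for hop in path[1:]:
        hops.append(hop)
        if hop.startswith("CC") and not check(payload):
            return False, hops
    return True, hops


def isolation_holds(n):
    """The property stated in the description: every path between two distinct
    network interface machines passes at least one content checker and no other NIM."""
    for src in range(1, n + 1):
        for dst in range(1, n + 1):
            if src == dst:
                continue
            inner = ring_path(n, src, dst)[1:-1]
            if not inner or any(hop.startswith("NIM") for hop in inner):
                return False
            if len(inner) != checkers_traversed(n, src, dst):
                return False
    return True


# Constructed checker policy for deliver(): ASCII bytes of bounded size only.
def ascii_only(payload):
    return isinstance(payload, bytes) and len(payload) <= 64 and payload.isascii()
```

With the assumed numbering, the request from the first to the third machine traverses content checkers 1, 2 and 3, as in the text, and the reply from the third machine traverses checkers 3, 4 and 1 before reaching the first machine, so the fourth checker the text mentions is on that return path.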
The above embodiments are described by way of example only. Many variations are possible without departing from the scope of the invention as defined in the appended claims.

Claims (21)

  1. Apparatus for connecting two or more computer networks, the apparatus comprising two or more network interface machines each arranged to be connected to a respective computer network with a bidirectional communications link enabling the network interface machine to receive data from and transmit data to the computer network, the network interface machines being connected together with at least one content checker, to enable data to be transmitted from one network interface machine to another, and arranged such that data transmitted from one network interface machine to another network interface machine must pass via a content checker, each network interface machine being arranged to transmit flow control data to another network interface machine thereby to regulate transmission of data between the two network interface machines.
  2. Apparatus as claimed in claim 1 wherein the network interface machines are arranged to communicate with a computer network using a bidirectional protocol stack.
  3. Apparatus as claimed in either claim 1 or 2 wherein each network interface machine is connected to a content checker by way of a unidirectional communications link enabling data to be transmitted from the network interface machine to the content checker, but not received by the network interface machine from the content checker.
  4. Apparatus as claimed in claim 3 wherein the unidirectional communications link is formed by a transmitter comprised in each network interface machine, connected via a conduit to a receiver comprised in a content checker.
  5. Apparatus as claimed in claim 3 or 4 wherein each network interface machine is connected to a different content checker by way of a unidirectional communications link enabling data to be transmitted from the content checker to the network interface machine, but not received by the content checker from the network interface machine.
  6. Apparatus as claimed in any preceding claim wherein two or more network interface machines are connected to the same content checker by respective unidirectional links which enable data to be transmitted from the network interface machines to the content checker.
  7. Apparatus as claimed in any preceding claim wherein a content checker is connected to two or more network interface machines by respective unidirectional communications links which enable data to be transmitted from the content checker to a selected one, or both, of the connected network interface machines.
  8. Apparatus as claimed in any preceding claim having three or more network interface machines and the same or a greater number of content checkers, the content checkers being connected to each other by way of unidirectional communications links in a ring formation and each network interface machine being connected to one content checker with a unidirectional communications link enabling it to transmit data to the content checker, and to another content checker with a unidirectional communications link enabling it to receive data from the content checker.
  9. Apparatus as claimed in claim 8 wherein each content checker is connected by respective oppositely configured unidirectional communications links to no more than two network interface machines.
  10. Apparatus as claimed in any preceding claim wherein two or more differently configured content checkers are connected in series by two or more unidirectional communications links such that data received by the first content checker in the series must pass via each other content checker before onward transmission to another component.
  11. Apparatus as claimed in any preceding claim comprising at least three network interface machines, one of which is designated as a management network interface machine and is configured to pass control and management information between a network to which it is connected via a bidirectional communications link and each of the other network interface machines of the apparatus.
  12. Apparatus as claimed in any preceding claim arranged such that at least one network interface machine can transmit data to any other network interface machine without that data passing through any third network interface machine.
  13. A plurality of computer networks connected together by apparatus as claimed in any preceding claim, each network being connected to a respective network interface machine by a bidirectional communications link.
  14. A method of providing bidirectional communication between two or more computer networks, the method comprising the steps of: providing apparatus according to any of claims 1 to 12; connecting each network to a respective network interface machine with a bidirectional communications link; receiving data from one network at a first network interface machine; passing the received data to a second network interface machine via at least one content checker; delivering data received by the second network interface machine to a network to which it is connected via a bidirectional communications link; and passing flow control data between at least the first and second network interface machines via at least one content checker to regulate the transmission of data between the machines.
  15. A method as claimed in claim 14 wherein the data received and/or delivered via a bidirectional communications link is received and/or transmitted using a bidirectional protocol stack.
  16. A method as claimed in either claim 14 or 15 wherein the data passed between network interface machines is passed via at least one unidirectional communications link.
  17. A method as claimed in claim 16 wherein data passed between network interface machines is passed via a first unidirectional communications link to a content checker and via a second unidirectional communications link from the content checker to a receiving network connection machine.
  18. A method as claimed in any of claims 14 to 17 wherein the or each content checker passes data only if the data will not damage the integrity of, or availability of services offered by, its recipient.
  19. A method as claimed in any of claims 14 to 18 wherein the or each content checker will not pass information which will cause a damaging revelation.
  20. Apparatus substantially as herein described with reference to the accompanying drawings.
  21. A method of providing bidirectional communication between two or more computer networks substantially as herein described with reference to the accompanying drawings.
GB1210922.9A 2012-06-20 2012-06-20 Secure connection between computer networks using unidirectional links Withdrawn GB2503245A (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
GB1210922.9A GB2503245A (en) 2012-06-20 2012-06-20 Secure connection between computer networks using unidirectional links
ES13735362.9T ES2655675T3 (en) 2012-06-20 2013-06-19 Device and procedure for connecting computer networks
PCT/GB2013/051590 WO2013190289A1 (en) 2012-06-20 2013-06-19 Apparatus and method for connecting computer networks
EP13735362.9A EP2865156B1 (en) 2012-06-20 2013-06-19 Apparatus and method for connecting computer networks
US14/409,639 US9413717B2 (en) 2012-06-20 2013-06-19 Apparatus and method for connecting computer networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1210922.9A GB2503245A (en) 2012-06-20 2012-06-20 Secure connection between computer networks using unidirectional links

Publications (2)

Publication Number Publication Date
GB201210922D0 GB201210922D0 (en) 2012-08-01
GB2503245A true GB2503245A (en) 2013-12-25

Family

ID=46641211

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1210922.9A Withdrawn GB2503245A (en) 2012-06-20 2012-06-20 Secure connection between computer networks using unidirectional links

Country Status (1)

Country Link
GB (1) GB2503245A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015185926A1 (en) * 2014-06-06 2015-12-10 Bae Systems Plc Secured network bridge
FR3030806A1 (en) * 2014-12-17 2016-06-24 Thales Sa CONFIGURABLE ELECTRONIC DATA TRANSFER SYSTEM AND CONFIGURATION METHOD THEREOF
WO2016181119A1 (en) * 2015-05-11 2016-11-17 Xtera Communications, Inc Optical networking
DE102019208709A1 (en) * 2019-06-14 2020-12-17 Siemens Mobility GmbH Computer system and method for operating a computer system
US10998977B2 (en) 2015-11-20 2021-05-04 Neptune Subsea Ip Limited System and method of optical fiber communication

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0959586A2 (en) * 1998-05-18 1999-11-24 Spearhead Technologies Ltd. System and method for securing a computer communication network
US20020112181A1 (en) * 2000-12-12 2002-08-15 Smith Mark Elwin Multilevel secure network access system
EP1631914A2 (en) * 2003-05-19 2006-03-08 Network Security Technologies, Inc. Method and system for providing secure one-way transfer of data
EP1721234A1 (en) * 2004-03-01 2006-11-15 Qinetiq Limited Threat mitigation in computer networks
US7675867B1 (en) * 2006-04-19 2010-03-09 Owl Computing Technologies, Inc. One-way data transfer system with built-in data verification mechanism
EP2193470A1 (en) * 2007-08-24 2010-06-09 The Boeing Company Method and apparatus for simultaneous viewing of two isolated data sources
US20100290476A1 (en) * 2009-05-18 2010-11-18 Tresys Technology, Llc One-Way Router
US7992209B1 (en) * 2007-07-19 2011-08-02 Owl Computing Technologies, Inc. Bilateral communication using multiple one-way data links
WO2012012266A2 (en) * 2010-07-19 2012-01-26 Owl Computing Technologies. Inc. Secure acknowledgment device for one-way data transfer system

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2015270231B2 (en) * 2014-06-06 2018-04-19 Bae Systems Plc Secured network bridge
WO2015185926A1 (en) * 2014-06-06 2015-12-10 Bae Systems Plc Secured network bridge
US10218715B2 (en) 2014-06-06 2019-02-26 Bae Systems Plc Secured network bridge
FR3030806A1 (en) * 2014-12-17 2016-06-24 Thales Sa CONFIGURABLE ELECTRONIC DATA TRANSFER SYSTEM AND CONFIGURATION METHOD THEREOF
EP3040873A1 (en) * 2014-12-17 2016-07-06 Thales Configurable electronic system of transfer of data and associated configuration method
WO2016181119A1 (en) * 2015-05-11 2016-11-17 Xtera Communications, Inc Optical networking
CN107852242A (en) * 2015-05-11 2018-03-27 海王星海底Ip有限公司 Optical-fiber network
US10320484B2 (en) 2015-05-11 2019-06-11 Neptune Subsea Ip Limited Optical networking with support for unidirectional optical links
US10404374B1 (en) 2015-05-11 2019-09-03 Neptune Subsea Ip Limited Optical networking with support for unidirectional optical links
CN107852242B (en) * 2015-05-11 2020-08-04 海王星海底Ip有限公司 Optical network, optical network device and method for configuring optical network
US10998977B2 (en) 2015-11-20 2021-05-04 Neptune Subsea Ip Limited System and method of optical fiber communication
DE102019208709A1 (en) * 2019-06-14 2020-12-17 Siemens Mobility GmbH Computer system and method for operating a computer system
US11757781B2 (en) 2019-06-14 2023-09-12 Siemens Mobility GmbH Devices and methods for operating a computing system comprising a data relay

Also Published As

Publication number Publication date
GB201210922D0 (en) 2012-08-01

Similar Documents

Publication Publication Date Title
CA2951173C (en) Secured network bridge
AU2018389883B2 (en) Device and method for transmitting data between a first and a second network
GB2503245A (en) Secure connection between computer networks using unidirectional links
US10966004B2 (en) Hardware-enforced one-way information flow control device
US10998975B2 (en) Hardware-enforced one-way information flow control device
US9413717B2 (en) Apparatus and method for connecting computer networks
EP2767057B1 (en) Process installation network intrusion detection and prevention
US20130166677A1 (en) Role-based access control method and apparatus in distribution system
CN109660565A (en) A kind of isolation gap equipment and implementation method
CN103516458A (en) Communications apparatus, system and method with error mitigation
US11595410B2 (en) Fragmented cross-domain solution
KR20210131962A (en) System and method for supporting between heterogeneous networks communication using unidirectional communication
CN108134802A (en) A kind of system and method that data are encrypted or are decrypted
CN109005182A (en) A kind of computer network management system
CN115529148A (en) Message processing method, device, equipment, system and readable storage medium

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)