US20210209280A1 - Secure one-way network gateway - Google Patents

Secure one-way network gateway Download PDF

Info

Publication number
US20210209280A1
US20210209280A1 US17/212,610 US202117212610A US2021209280A1 US 20210209280 A1 US20210209280 A1 US 20210209280A1 US 202117212610 A US202117212610 A US 202117212610A US 2021209280 A1 US2021209280 A1 US 2021209280A1
Authority
US
United States
Prior art keywords
data
secure
network gateway
field
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
US17/212,610
Inventor
Steven Staubly
Michael T. Tsao
Brian Kane
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Owl Cyber Defense Solutions LLC
Original Assignee
Owl Cyber Defense Solutions LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Owl Cyber Defense Solutions LLC filed Critical Owl Cyber Defense Solutions LLC
Priority to US17/212,610 priority Critical patent/US20210209280A1/en
Assigned to OWL CYBER DEFENSE SOLUTIONS, LLC reassignment OWL CYBER DEFENSE SOLUTIONS, LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: KANE, BRIAN, STAUBLY, STEVEN, TSAO, MICHAEL T.
Publication of US20210209280A1 publication Critical patent/US20210209280A1/en
Assigned to OWL CYBER DEFENSE SOLUTIONS, LLC reassignment OWL CYBER DEFENSE SOLUTIONS, LLC MERGER AND CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: OWL CYBER DEFENSE SOLUTIONS, LLC, TRESYS TECHNOLOGY, LLC
Assigned to BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT reassignment BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT NOTICE OF GRANT OF SECURITY INTEREST IN PATENTS Assignors: OWL CYBER DEFENSE SOLUTIONS, LLC
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00Computer-aided design [CAD]
    • G06F30/30Circuit design
    • G06F30/34Circuit design for reconfigurable circuits, e.g. field programmable gate arrays [FPGA] or programmable logic devices [PLD]
    • G06F30/347Physical level, e.g. placement or routing
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/04Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/04Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0423Input/output
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/66Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0803Configuration setting
    • H04L41/0813Configuration setting characterised by the conditions triggering a change of settings
    • H04L41/082Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/028Capturing of monitoring data by filtering
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/25Pc structure of the system
    • G05B2219/25252Microprocessor

Definitions

  • This disclosure relates to a secure one-way network gateway, and more particularly to a secure one-way network gateway providing data filtering and implemented using one or more field-programmable gate arrays.
  • Such environments may include a highly secure network used to communicate confidential or secret information, and one or more less secure networks that do not process confidential or secret information.
  • Such highly secure networks may have strict limitations on the type of data that can be imported thereto or exported therefrom.
  • the data within a highly secure network may be subject to differing security requirements.
  • a one-way network gateway is used to transfer data from a highly secure network (the source network) to a less secure network (the destination network), or vice versa.
  • a one-way network gateway is preferably hardware-based in order to ensure that data may only pass from the source network to the destination network and to prevent data or any signal whatsoever from passing from the destination network to the source network.
  • the one-way network gateway may receive information at the input via a particular protocol, e.g., User Datagram Protocol (UDP).
  • UDP User Datagram Protocol
  • the one-way network gateway may include a filter that filters the files or other data received at the input to prevent any malware or other harmful files from passing to the destination network and/or to ensure that only approved files received at the input on the source network are passed to the output on the destination network.
  • a typical one-way network gateway includes a source-side server coupled to a destination-side server only via a hardware-enforced one-way link.
  • the hardware-enforced one-way link may comprise a fiber optic link, with the fiber coupled only to a transmitter in the source side server at a first end thereof and to a receiver in the destination-side server at a second end thereof.
  • This one-way link architecture ensures that nothing can be transferred from the destination-side server to the source-side server because there is no data path at all in the reverse direction.
  • One drawback of this type of one-way network gateway is that two servers are required, which can be costly.
  • Field configurable devices such as field programmable gate arrays (FPGAs) may be substituted for servers in a one-way network gateway to provide a less expensive solution.
  • FPGAs are typically configured using data that is supplied to the FPGA device after the FPGA device is installed in a system. For example, the configuration data is typically loaded into the FPGA device from an external memory each time the system is powered on. Because the processing performed by each FPGA device may need to be updated from time to time (e.g., to update filter parameters), external access is required to each such external memory. However, this external access path must be kept completely isolated from the data path to ensure that there is on ability to gain access to any data passing from the source network to the destination network and to ensure that there is no ability to insert malware of any type into the data path via this external access path.
  • FIG. 1 is a block diagram of a first embodiment of a secure one-way network gateway according to the present disclosure.
  • FIG. 2 is a block diagram of a second embodiment of a secure one-way network gateway according to the present disclosure
  • Gateway 100 transmits data from a source network coupled to an input (RJ45 interface 110 ) to a destination network coupled to an output (RJ45 interface 112 ) while preventing any information whatsoever from passing from the destination network to the source network.
  • Gateway 100 may be powered via a separate USB power interface 160 .
  • a first RJ45 interface 110 is provided as an input for connection to source network (not shown).
  • a PHY (physical interface) circuit 120 is coupled to receive input data from RJ45 interface 110 .
  • PHY circuit 120 implements the physical layer functions of the OSI model and acts as the input side network interface for gateway 100 .
  • PHY circuit 120 is preferably chosen to provide a one Gigabyte Ethernet interface for communication via UDP packets.
  • a field-programmable device 130 forms a data flow path from an input coupled to first PHY circuit 120 to an output coupled to a second PHY circuit 122 .
  • FPGA 130 is coupled to receive data from the output of PHY circuit 120 .
  • FPGA 130 is a single-chip solution having red black separation capability, as is known in the art.
  • FPGA 130 has two portions, source side portion 131 and destination side portion 132 separated by a boundary 133 .
  • FPGA 130 is configured to implement a one-way link 135 that allows source side portion 131 to pass data to destination side portion 132 , but prevents destination side portion 132 from passing any data whatsoever to source side portion.
  • Source side portion 131 is configured to receive data on an input from PHY circuit 120 , implement a filter on such data (optionally), and to pass the filtered data via the one-way link 135 to the destination side portion 132 .
  • Destination side portion 132 is configured to receive data via the one-way link 135 and to forward the received data on an output to PHY circuit 122 .
  • PHY circuit 122 receives data from the output of FPGA 130 and formats it for transmission via a destination side network coupled to RJ45 interface 112 .
  • an FPGA is typically configured using data loaded into the FPGA device from memory each time the gateway is powered on.
  • an external memory is provided to store the FPGA configuration data and in others the FPGA may include an internal memory that stores the FPGA configuration data.
  • a separate processor 140 preferably an ARM processor
  • Management interface 150 provides an external link which allows the FPGA configuration data to be updated. This is required, for example, to update the filter parameters used by the filter implemented in source side portion 131 of FPGA 130 .
  • ARM processor 140 may include an internal memory 141 for storing the FPGA configuration data in cases where the FPGA 130 does not include such an internal memory.
  • a user can connect an external computer to management interface 150 via a conventional (e.g., USB) protocol and transmit an updated FPGA configuration data set to ARM processor 140 for storage in the internal memory 141 of the ARM processor 140 .
  • a conventional (e.g., USB) protocol can connect an external computer to management interface 150 via a conventional (e.g., USB) protocol and transmit an updated FPGA configuration data set to ARM processor 140 for storage in the internal memory 141 of the ARM processor 140 .
  • the updated FPGA configuration data set is stored in the internal memory 141 of the ARM processor 140 , it will be loaded into FPGA 130 upon the next power cycle of gateway 100 .
  • FPGA 130 When FPGA 130 includes an internal memory 136 for storing the FPGA configuration data set, ARM processor 140 is configured to receive the updated FPGA configuration set from an external computer via management interface 150 and to forward it for storage in the internal memory 136 of FPGA 130 . In a similar manner, FPGA 130 will be updated based on the updated FPGA configuration set upon the next power cycle of gateway 100 .
  • Management interface 150 is separate from the input RJ45 interface 110 and the output RJ45 interface 112 and can only communicate to ARM processor 140 . In this manner, the management interface 150 is completely isolated from the data path formed by FPGA 130 after configuration, ensuring that no malware of any sort can be inserted into the data flow path of FPGA 130 via management interface 150 and that there can be no ability to access any data within the data flow path of FPGA 130 via management interface 150 .
  • a gateway 200 for providing a secure one-way network gateway shown in FIG. 2
  • two separate FPGAs 230 and 232 are provided, instead of a single FPGA providing red black separation as in the first embodiment.
  • Gateway 200 transmits data from a source network coupled to an input (RJ45 interface 110 ) to a destination network coupled to an output (RJ45 interface 112 ) while preventing any information whatsoever from passing from the destination network to the source network.
  • FPGA 230 provides the functionality provided by source side portion 131 in FIG. 1 .
  • FPGA 230 receives data on an input from PHY circuit 120 , implements a filter on such data (optionally), and passes the filtered data to an input of FPGA 232 via a one-way link 235 .
  • One-way link 235 can be any known type of link that creates a hardware-enforced one-way data path, e.g., an optical isolator.
  • FPGA 232 provides the functionality provided by destination side portion 132 in FIG. 1 .
  • FPGA 232 receives data via the one-way link 235 and forward the received data on an output to PHY circuit 122 .
  • processor 240 (preferably an ARM processor) operates in a similar manner as ARM processor 140 in FIG. 1 , but is required to manage two separate sets of FPGA configuration data, one for FPGA 230 and another for FPGA 232 .
  • ARM processor 240 may include an internal memory 241 for storing the two sets of FPGA configuration data in cases where FPGA 230 and 232 do not include such an internal memory.
  • a user can connect an external computer to management interface 150 via a conventional (e.g., USB) protocol and transmit updated FPGA configuration data sets to ARM processor 140 for storage in the internal memory 241 of the ARM processor 140 .
  • a conventional (e.g., USB) protocol can connect an external computer to management interface 150 via a conventional (e.g., USB) protocol and transmit updated FPGA configuration data sets to ARM processor 140 for storage in the internal memory 241 of the ARM processor 140 .
  • FPGA 230 and FPGA 232 each includes an internal memory 231 , 233 for storing the associated FPGA configuration data set
  • ARM processor 240 is configured to receive updated FPGA configuration sets from an external computer via management interface 150 and to forward each updated configuration data set for storage in the internal memory 231 , 233 of the appropriate one of FPGA 230 and FPGA 232 .
  • FPGA 230 and FPGA 232 will be updated based on the associated updated FPGA configuration set upon the next power cycle of gateway 200 .
  • gateway 200 provides a secure one-way network gateway in which the management interface 150 is completely isolated from the data flow path formed by FPGA 230 , one-way link 235 , and FPGA 232 after configuration, ensuring that no malware of any sort can be inserted into that data flow path via management interface 150 and that there can be no ability to access any data within that data flow path via management interface 150 .

Abstract

A secure one-way network gateway for transmitting data from a source network to a destination network is disclosed. An input circuit is for coupling to a source network and an output circuit is for coupling to an output network. A memory stores configuration data. Either a single field-programmable device or a pair of field-programmable devices coupled via a one-way link are inserted between the input circuit and the output circuit. The configuration data is loaded into the device(s) to program the device(s) to pass data from the input circuit to the output circuit, to optionally filter the data, and to prevent any data from passing from the output circuit to the input circuit. A processor is coupled to only the memory and a separate management interface. The processor receives updated configuration data via the management interface and replaces the configuration data in the memory with the updated configuration memory.

Description

    FIELD
  • This disclosure relates to a secure one-way network gateway, and more particularly to a secure one-way network gateway providing data filtering and implemented using one or more field-programmable gate arrays.
    • BACKGROUND
  • Many organizations have processing and communication environments which include different networks subject to differing levels of security. Such environments may include a highly secure network used to communicate confidential or secret information, and one or more less secure networks that do not process confidential or secret information. Such highly secure networks may have strict limitations on the type of data that can be imported thereto or exported therefrom. In addition, the data within a highly secure network may be subject to differing security requirements.
  • In some cases, a one-way network gateway is used to transfer data from a highly secure network (the source network) to a less secure network (the destination network), or vice versa. A one-way network gateway is preferably hardware-based in order to ensure that data may only pass from the source network to the destination network and to prevent data or any signal whatsoever from passing from the destination network to the source network. The one-way network gateway may receive information at the input via a particular protocol, e.g., User Datagram Protocol (UDP). The one-way network gateway may include a filter that filters the files or other data received at the input to prevent any malware or other harmful files from passing to the destination network and/or to ensure that only approved files received at the input on the source network are passed to the output on the destination network. A typical one-way network gateway includes a source-side server coupled to a destination-side server only via a hardware-enforced one-way link. The hardware-enforced one-way link may comprise a fiber optic link, with the fiber coupled only to a transmitter in the source side server at a first end thereof and to a receiver in the destination-side server at a second end thereof. This one-way link architecture ensures that nothing can be transferred from the destination-side server to the source-side server because there is no data path at all in the reverse direction. One drawback of this type of one-way network gateway is that two servers are required, which can be costly.
  • Field configurable devices, such as field programmable gate arrays (FPGAs), may be substituted for servers in a one-way network gateway to provide a less expensive solution. However, FPGAs are typically configured using data that is supplied to the FPGA device after the FPGA device is installed in a system. For example, the configuration data is typically loaded into the FPGA device from an external memory each time the system is powered on. Because the processing performed by each FPGA device may need to be updated from time to time (e.g., to update filter parameters), external access is required to each such external memory. However, this external access path must be kept completely isolated from the data path to ensure that there is on ability to gain access to any data passing from the source network to the destination network and to ensure that there is no ability to insert malware of any type into the data path via this external access path.
  • Accordingly, there is a need for a secure one-way network gateway based on field-programmable devices which isolates the data path from the external access path.
  • The features, functions, and advantages of the present disclosure can be achieved independently in various embodiments of the present disclosure or may be combined in yet other embodiments in which further details can be seen with reference to the following description and drawings.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The following detailed description, given by way of example and not intended to limit the present disclosure solely thereto, will best be understood in conjunction with the accompanying drawings in which:
  • FIG. 1 is a block diagram of a first embodiment of a secure one-way network gateway according to the present disclosure; and
  • FIG. 2 is a block diagram of a second embodiment of a secure one-way network gateway according to the present disclosure
    •  DETAILED DESCRIPTION
  • In the present disclosure, like reference numbers refer to like elements throughout the drawings, which illustrate various exemplary embodiments of the present disclosure.
  • Referring now to FIG. 1, a first embodiment of a secure one-way network gateway 100 is shown. Gateway 100 transmits data from a source network coupled to an input (RJ45 interface 110) to a destination network coupled to an output (RJ45 interface 112) while preventing any information whatsoever from passing from the destination network to the source network. Gateway 100 may be powered via a separate USB power interface 160. A first RJ45 interface 110 is provided as an input for connection to source network (not shown). A PHY (physical interface) circuit 120 is coupled to receive input data from RJ45 interface 110. PHY circuit 120 implements the physical layer functions of the OSI model and acts as the input side network interface for gateway 100. PHY circuit 120 is preferably chosen to provide a one Gigabyte Ethernet interface for communication via UDP packets.
  • A field-programmable device 130, preferably a FPGA, forms a data flow path from an input coupled to first PHY circuit 120 to an output coupled to a second PHY circuit 122. FPGA 130 is coupled to receive data from the output of PHY circuit 120. FPGA 130 is a single-chip solution having red black separation capability, as is known in the art. FPGA 130 has two portions, source side portion 131 and destination side portion 132 separated by a boundary 133. FPGA 130 is configured to implement a one-way link 135 that allows source side portion 131 to pass data to destination side portion 132, but prevents destination side portion 132 from passing any data whatsoever to source side portion. Source side portion 131 is configured to receive data on an input from PHY circuit 120, implement a filter on such data (optionally), and to pass the filtered data via the one-way link 135 to the destination side portion 132. Destination side portion 132 is configured to receive data via the one-way link 135 and to forward the received data on an output to PHY circuit 122. PHY circuit 122 receives data from the output of FPGA 130 and formats it for transmission via a destination side network coupled to RJ45 interface 112.
  • As explained above, an FPGA is typically configured using data loaded into the FPGA device from memory each time the gateway is powered on. As known in the art, in some designs an external memory is provided to store the FPGA configuration data and in others the FPGA may include an internal memory that stores the FPGA configuration data. In gateway 100, a separate processor 140 (preferably an ARM processor) is provided as a buffer between management interface 150 and FPGA 130. Management interface 150 provides an external link which allows the FPGA configuration data to be updated. This is required, for example, to update the filter parameters used by the filter implemented in source side portion 131 of FPGA 130.
  • ARM processor 140 may include an internal memory 141 for storing the FPGA configuration data in cases where the FPGA 130 does not include such an internal memory. In this case, a user can connect an external computer to management interface 150 via a conventional (e.g., USB) protocol and transmit an updated FPGA configuration data set to ARM processor 140 for storage in the internal memory 141 of the ARM processor 140. Once the updated FPGA configuration data set is stored in the internal memory 141 of the ARM processor 140, it will be loaded into FPGA 130 upon the next power cycle of gateway 100.
  • When FPGA 130 includes an internal memory 136 for storing the FPGA configuration data set, ARM processor 140 is configured to receive the updated FPGA configuration set from an external computer via management interface 150 and to forward it for storage in the internal memory 136 of FPGA 130. In a similar manner, FPGA 130 will be updated based on the updated FPGA configuration set upon the next power cycle of gateway 100.
  • Two connections are shown between ARM processor 140 and FPGA 130 in order to demonstrate that FPGA 130 has two distinct portions (source side portion 131 and destination side portion 132) as discussed above. Management interface 150 is separate from the input RJ45 interface 110 and the output RJ45 interface 112 and can only communicate to ARM processor 140. In this manner, the management interface 150 is completely isolated from the data path formed by FPGA 130 after configuration, ensuring that no malware of any sort can be inserted into the data flow path of FPGA 130 via management interface 150 and that there can be no ability to access any data within the data flow path of FPGA 130 via management interface 150.
  • In a second embodiment of a gateway 200 for providing a secure one-way network gateway shown in FIG. 2, two separate FPGAs 230 and 232 are provided, instead of a single FPGA providing red black separation as in the first embodiment. Gateway 200 transmits data from a source network coupled to an input (RJ45 interface 110) to a destination network coupled to an output (RJ45 interface 112) while preventing any information whatsoever from passing from the destination network to the source network. FPGA 230 provides the functionality provided by source side portion 131 in FIG. 1. FPGA 230 receives data on an input from PHY circuit 120, implements a filter on such data (optionally), and passes the filtered data to an input of FPGA 232 via a one-way link 235. One-way link 235 can be any known type of link that creates a hardware-enforced one-way data path, e.g., an optical isolator. FPGA 232 provides the functionality provided by destination side portion 132 in FIG. 1. FPGA 232 receives data via the one-way link 235 and forward the received data on an output to PHY circuit 122.
  • In the FIG. 2 embodiment, processor 240 (preferably an ARM processor) operates in a similar manner as ARM processor 140 in FIG. 1, but is required to manage two separate sets of FPGA configuration data, one for FPGA 230 and another for FPGA 232. In particular, ARM processor 240 may include an internal memory 241 for storing the two sets of FPGA configuration data in cases where FPGA 230 and 232 do not include such an internal memory. In this case, a user can connect an external computer to management interface 150 via a conventional (e.g., USB) protocol and transmit updated FPGA configuration data sets to ARM processor 140 for storage in the internal memory 241 of the ARM processor 140. Once the updated FPGA configuration data sets are stored in the internal memory 241 of the ARM processor 140, each such data set will be loaded into the appropriate one of FPGA 230 and FPGA 232 upon the next power cycle of gateway 200.
  • When FPGA 230 and FPGA 232 each includes an internal memory 231, 233 for storing the associated FPGA configuration data set, ARM processor 240 is configured to receive updated FPGA configuration sets from an external computer via management interface 150 and to forward each updated configuration data set for storage in the internal memory 231, 233 of the appropriate one of FPGA 230 and FPGA 232. In a similar manner, FPGA 230 and FPGA 232 will be updated based on the associated updated FPGA configuration set upon the next power cycle of gateway 200.
  • As with the first embodiment, gateway 200 provides a secure one-way network gateway in which the management interface 150 is completely isolated from the data flow path formed by FPGA 230, one-way link 235, and FPGA 232 after configuration, ensuring that no malware of any sort can be inserted into that data flow path via management interface 150 and that there can be no ability to access any data within that data flow path via management interface 150.
  • Although the present invention has been particularly shown and described with reference to the preferred embodiments and various aspects thereof, it will be appreciated by those of ordinary skill in the art that various changes and modifications may be made without departing from the spirit and scope of the invention. It is intended that the appended claims be interpreted as including the embodiments described herein, the alternatives mentioned above, and all equivalents thereto.

Claims (10)

What is claimed is:
1. A secure one-way network gateway for transmitting data from a source network to a destination network, comprising:
an input circuit for coupling to the source network;
an output circuit for coupling to an output network;
a memory for storing configuration data;
a field-programmable device coupled between the input circuit and the output circuit, the field-programmable device configured to load the configuration data from the memory, the configuration data for programming the field-programmable device to pass data from the input circuit to the output circuit and to prevent any data from passing from the output circuit to the input circuit; and
a processor coupled to only the memory and a separate management interface, the processor configured to receive updated configuration data via the management interface and to replace the configuration data in the memory with the updated configuration memory.
2. The secure one-way network gateway of claim 1, wherein the field-programmable device is a field programmable gate array.
3. The secure one-way network gateway of claim 1, wherein the input circuit is a physical interface circuit.
4. The secure one-way network gateway of claim 1, wherein the output circuit is a physical interface circuit.
5. The secure one-way network gateway of claim 1, wherein the configuration data for the field-programmable device programs the field-programmable device to filter the data based on filter parameters before passing the filtered data to the output circuit.
6. The secure one-way network gateway of claim 5, wherein the updated configuration data includes updated filter parameters.
7. The secure one-way network gateway of claim 1, wherein the configuration data for the field-programmable device programs the field-programmable device to have a first portion and a second portion, the first portion coupled to the input circuit and the second portion coupled to the output circuit, the first portion capable of passing data to the second portion but not to receive data from the second portion, the second portion capable of receiving data from the second portion but not to pass data to the first portion.
8. The secure one-way network gateway of claim 1, wherein the memory is within the field-programmable device.
9. The secure one-way network gateway of claim 1, wherein the memory is within the processor.
10. The secure one-way network gateway of claim 1, wherein the processor is an Advanced RISC (Reduced Instruction Set Computer) Machine (ARM) processor.
US17/212,610 2019-04-23 2021-03-25 Secure one-way network gateway Pending US20210209280A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/212,610 US20210209280A1 (en) 2019-04-23 2021-03-25 Secure one-way network gateway

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201962837321P 2019-04-23 2019-04-23
US16/854,131 US10990737B2 (en) 2019-04-23 2020-04-21 Secure one-way network gateway
US17/212,610 US20210209280A1 (en) 2019-04-23 2021-03-25 Secure one-way network gateway

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US16/854,131 Continuation US10990737B2 (en) 2019-04-23 2020-04-21 Secure one-way network gateway

Publications (1)

Publication Number Publication Date
US20210209280A1 true US20210209280A1 (en) 2021-07-08

Family

ID=72917228

Family Applications (2)

Application Number Title Priority Date Filing Date
US16/854,131 Active US10990737B2 (en) 2019-04-23 2020-04-21 Secure one-way network gateway
US17/212,610 Pending US20210209280A1 (en) 2019-04-23 2021-03-25 Secure one-way network gateway

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US16/854,131 Active US10990737B2 (en) 2019-04-23 2020-04-21 Secure one-way network gateway

Country Status (1)

Country Link
US (2) US10990737B2 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10938913B2 (en) 2015-04-09 2021-03-02 Web Sensing, Llc Hardware turnstile
US10990737B2 (en) * 2019-04-23 2021-04-27 Owl Cyber Defense Solutions, Llc Secure one-way network gateway
US11575652B2 (en) 2020-12-18 2023-02-07 BlackBear (Taiwan) Industrial Networking Security Ltd. Communication system and communication method for one-way transmission
US11496233B2 (en) 2020-12-23 2022-11-08 BlackBear (Taiwan) Industrial Networking Security Ltd. Communication system and communication method for one-way transmission
US11477048B2 (en) 2021-01-15 2022-10-18 BlackBear (Taiwan) Industrial Networking Security Ltd. Communication method for one-way transmission based on VLAN ID and switch device using the same
CN112953947A (en) * 2021-02-24 2021-06-11 上海企翔智能科技有限公司 One-way data transparent transmission method of single-chip microcomputer security gateway
US11611409B2 (en) 2021-06-14 2023-03-21 BlackBear (Taiwan) Industrial Networking Security Ltd. Communication system and communication method for reporting compromised state in one-way transmission

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7562162B2 (en) * 2007-04-25 2009-07-14 At&T Intellectual Property I, L.P. Systems and methods for distributed computing utilizing a smart memory apparatus
US20130152206A1 (en) * 2011-12-07 2013-06-13 Owl Computing Technologies, Inc. Method and apparatus for preventing unauthorized access to information stored in a non-volatile memory
US8516580B2 (en) * 2011-04-27 2013-08-20 Owl Computing Technologies, Inc. Method and system for processing a file to identify unexpected file types
US20140207939A1 (en) * 2013-01-23 2014-07-24 Owl Computing Technologies, Inc. System and method for enabling the capture and securing of dynamically selected digital information
US20140304371A1 (en) * 2013-04-04 2014-10-09 Owl Computing Technologies, Inc. Secure one-way interface for a network device
US9088558B2 (en) * 2013-08-21 2015-07-21 Owl Computing Technologies, Inc. Secure one-way interface for OPC data transfer
US20200019375A1 (en) * 2018-07-13 2020-01-16 Achronix Semiconductor Corporation Efficient fpga multipliers
US20200028511A1 (en) * 2018-07-20 2020-01-23 Xilinx, Inc. Hierarchical partial reconfiguration for programmable integrated circuits
US10990737B2 (en) * 2019-04-23 2021-04-27 Owl Cyber Defense Solutions, Llc Secure one-way network gateway
US11144652B1 (en) * 2019-12-19 2021-10-12 Xilinx, Inc. Secure update of programmable integrated circuits in data center computing environments

Family Cites Families (50)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5703562A (en) 1996-11-20 1997-12-30 Sandia Corporation Method for transferring data from an unsecured computer to a secured computer
US20030204422A1 (en) * 2002-04-30 2003-10-30 Hans-Linhard Reich Systems and methods for facilitating fulfillment of regulatory requirements
US7394288B1 (en) * 2004-12-13 2008-07-01 Massachusetts Institute Of Technology Transferring data in a parallel processing environment
US7694331B2 (en) 2005-04-01 2010-04-06 Nokia Corporation Phone with secure element and critical data
US20060293057A1 (en) 2005-06-24 2006-12-28 Mazerski Thomas M System and method for secure web-based mobile phone parental controls
US8255108B2 (en) * 2005-08-31 2012-08-28 Spx Corporation Dynamic file system creation for scan tools
US7675867B1 (en) 2006-04-19 2010-03-09 Owl Computing Technologies, Inc. One-way data transfer system with built-in data verification mechanism
US8068415B2 (en) 2007-04-18 2011-11-29 Owl Computing Technologies, Inc. Secure one-way data transfer using communication interface circuitry
US8352450B1 (en) 2007-04-19 2013-01-08 Owl Computing Technologies, Inc. Database update through a one-way data link
US8139581B1 (en) 2007-04-19 2012-03-20 Owl Computing Technologies, Inc. Concurrent data transfer involving two or more transport layer protocols over a single one-way data link
US7941526B1 (en) 2007-04-19 2011-05-10 Owl Computing Technologies, Inc. Transmission of syslog messages over a one-way data link
US7992209B1 (en) 2007-07-19 2011-08-02 Owl Computing Technologies, Inc. Bilateral communication using multiple one-way data links
US9305189B2 (en) 2009-04-14 2016-04-05 Owl Computing Technologies, Inc. Ruggedized, compact and integrated one-way controlled interface to enforce confidentiality of a secure enclave
US8068504B2 (en) * 2009-05-18 2011-11-29 Tresys Technology, Llc One-way router
WO2012012266A2 (en) 2010-07-19 2012-01-26 Owl Computing Technologies. Inc. Secure acknowledgment device for one-way data transfer system
US8270963B1 (en) 2010-10-01 2012-09-18 Viasat, Inc. Cross domain notification
US9113499B2 (en) 2010-10-01 2015-08-18 Viasat, Inc. Multiple domain smartphone
US8204480B1 (en) 2010-10-01 2012-06-19 Viasat, Inc. Method and apparatus for secured access
US9081520B2 (en) 2010-12-22 2015-07-14 Owl Computing Technologies, Inc. Remote print file transfer and spooling application for use with a one-way data link
US20120304290A1 (en) 2011-02-28 2012-11-29 Mcphail Lon Daniel Cyber isolation, defense, and management of a inter-/intra- enterprise network
TWI430684B (en) 2011-10-18 2014-03-11 Quanta Comp Inc Combinatorial mobile hotspot device and network service provision method, network access device and wireless service power supply device thereof
US9678921B2 (en) 2012-03-21 2017-06-13 Owl Computing Technologies, Llc Method and apparatus for data transfer reconciliation
US9736121B2 (en) 2012-07-16 2017-08-15 Owl Cyber Defense Solutions, Llc File manifest filter for unidirectional transfer of files
US9503501B2 (en) 2012-09-17 2016-11-22 Salesforce.Com, Inc. Cross domain in-browser proxy
US9065878B2 (en) 2012-09-27 2015-06-23 Owl Computing Technologies, Inc. System and method for providing a remote virtual screen view
WO2014058993A2 (en) 2012-10-12 2014-04-17 Becton, Dickinson And Company Case with embedded electronics to provide interface between glucose sensor and smartphone
US8938795B2 (en) 2012-11-19 2015-01-20 Owl Computing Technologies, Inc. System for real-time cross-domain system packet filtering
US8887276B2 (en) 2012-11-21 2014-11-11 Owl Computing Technologies, Inc. System for providing a secure video display
US8997202B2 (en) 2012-12-06 2015-03-31 Owl Computing Technologies, Inc. System for secure transfer of information from an industrial control system network
US8776254B1 (en) * 2013-01-23 2014-07-08 Owl Computing Technologies, Inc. System and method for the secure unidirectional transfer of software and software updates
US9712543B2 (en) 2013-01-23 2017-07-18 Owl Cyber Defense Solutions, LLP System for remotely monitoring status information of devices connected to a network
US9306953B2 (en) 2013-02-19 2016-04-05 Owl Computing Technologies, Inc. System and method for secure unidirectional transfer of commands to control equipment
US9094401B2 (en) 2013-02-19 2015-07-28 Owl Computing Technologies, Inc. Secure front-end interface
US9286225B2 (en) * 2013-03-15 2016-03-15 Saratoga Speed, Inc. Flash-based storage system including reconfigurable circuitry
US8898227B1 (en) 2013-05-10 2014-11-25 Owl Computing Technologies, Inc. NFS storage via multiple one-way data links
US9380023B2 (en) 2013-05-13 2016-06-28 Owl Computing Technologies, Inc. Enterprise cross-domain solution having configurable data filters
US9380064B2 (en) 2013-07-12 2016-06-28 Owl Computing Technologies, Inc. System and method for improving the resiliency of websites and web services
US9641499B2 (en) 2013-07-12 2017-05-02 Owl Computing Technologies, Llc One-way interface for PI to PI data transfer
CN104348777B (en) 2013-07-24 2019-04-09 腾讯科技(深圳)有限公司 The access control method and system of a kind of mobile terminal to third-party server
KR101502860B1 (en) 2013-09-04 2015-03-17 대영이앤비 주식회사 Ice maker
US9680794B2 (en) 2013-09-04 2017-06-13 Owl Computing Technologies, Llc Secure one-way interface for archestra data transfer
CN104519386B (en) * 2013-09-27 2018-03-27 思科技术公司 Media request is realized by one-way set-top box
US9436825B2 (en) 2014-03-25 2016-09-06 Owl Computing Technologies, Inc. System and method for integrity assurance of partial data
US9311329B2 (en) 2014-06-05 2016-04-12 Owl Computing Technologies, Inc. System and method for modular and continuous data assurance
US9575987B2 (en) 2014-06-23 2017-02-21 Owl Computing Technologies, Inc. System and method for providing assured database updates via a one-way data link
FR3026207B1 (en) 2014-09-22 2018-08-17 Prove & Run SECURE DISPLAY TERMINAL
US9880869B2 (en) 2015-01-13 2018-01-30 Owl Cyber Defense Solutions, Llc Single computer-based virtual cross-domain solutions
US9853918B2 (en) 2015-03-24 2017-12-26 Owl Cyber Defense Solutions, Llc One-way network interface
US10171422B2 (en) 2016-04-14 2019-01-01 Owl Cyber Defense Solutions, Llc Dynamically configurable packet filter
FR3051578B1 (en) 2016-05-19 2018-05-25 Continental Automotive France NEAR FIELD COMMUNICATION DEVICE HAVING TWO NFC ZONES

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7562162B2 (en) * 2007-04-25 2009-07-14 At&T Intellectual Property I, L.P. Systems and methods for distributed computing utilizing a smart memory apparatus
US8516580B2 (en) * 2011-04-27 2013-08-20 Owl Computing Technologies, Inc. Method and system for processing a file to identify unexpected file types
US20130152206A1 (en) * 2011-12-07 2013-06-13 Owl Computing Technologies, Inc. Method and apparatus for preventing unauthorized access to information stored in a non-volatile memory
US8646094B2 (en) * 2011-12-07 2014-02-04 Owl Computing Technologies, Inc. Method and apparatus for preventing unauthorized access to information stored in a non-volatile memory
US20140207939A1 (en) * 2013-01-23 2014-07-24 Owl Computing Technologies, Inc. System and method for enabling the capture and securing of dynamically selected digital information
US20140304371A1 (en) * 2013-04-04 2014-10-09 Owl Computing Technologies, Inc. Secure one-way interface for a network device
US9088558B2 (en) * 2013-08-21 2015-07-21 Owl Computing Technologies, Inc. Secure one-way interface for OPC data transfer
US20200019375A1 (en) * 2018-07-13 2020-01-16 Achronix Semiconductor Corporation Efficient fpga multipliers
US20200028511A1 (en) * 2018-07-20 2020-01-23 Xilinx, Inc. Hierarchical partial reconfiguration for programmable integrated circuits
US10990737B2 (en) * 2019-04-23 2021-04-27 Owl Cyber Defense Solutions, Llc Secure one-way network gateway
US11144652B1 (en) * 2019-12-19 2021-10-12 Xilinx, Inc. Secure update of programmable integrated circuits in data center computing environments

Also Published As

Publication number Publication date
US20200342153A1 (en) 2020-10-29
US10990737B2 (en) 2021-04-27

Similar Documents

Publication Publication Date Title
US10990737B2 (en) Secure one-way network gateway
US7948921B1 (en) Automatic network optimization
US7792046B2 (en) Ethernet switch-based network monitoring system and methods
US9088558B2 (en) Secure one-way interface for OPC data transfer
US10966004B2 (en) Hardware-enforced one-way information flow control device
US11212219B1 (en) In-band telemetry packet size optimization
US20160094369A1 (en) Unidirectional Relay Device
US10998975B2 (en) Hardware-enforced one-way information flow control device
US10110715B2 (en) Providing efficient routing of an operations, administration and maintenance (OAM) frame received at a port of an ethernet switch
ES2918423T3 (en) Procedure and provision for the non-reactive transmission of data between networks
CN103209191A (en) Method for realizing physical partition of internal and external networks
US11853813B2 (en) Cloud based cross domain system—CDS with disaggregated parts
EP3433980A1 (en) Communication network
CA3122556A1 (en) Communication method for one-way transmission based on vlan id and switch device using the same
EP3180705B1 (en) End point secured network
EP3298745B1 (en) Small form-factor pluggable module
US20060047784A1 (en) Method, apparatus and system for remotely and dynamically configuring network elements in a network
US20210400125A1 (en) Online application layer processing of network layer timestamps
FR3053863A1 (en) ONBOARD COMMUNICATION NETWORK OF A VEHICLE
EP3675441A1 (en) Switch for an avionics communication system and avionics communication system comprising such a switch
JP7193760B2 (en) Communication device and communication method
FR3034272A1 (en) COMMUNICATION NETWORK AND COMMUNICATION NODE OF A COMMUNICATION NETWORK
US20100306326A1 (en) Method for transmitting application messages between computor networks

Legal Events

Date Code Title Description
AS Assignment

Owner name: OWL CYBER DEFENSE SOLUTIONS, LLC, CONNECTICUT

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:STAUBLY, STEVEN;TSAO, MICHAEL T.;KANE, BRIAN;SIGNING DATES FROM 20210323 TO 20210325;REEL/FRAME:055721/0373

STPP Information on status: patent application and granting procedure in general

Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

AS Assignment

Owner name: OWL CYBER DEFENSE SOLUTIONS, LLC, MARYLAND

Free format text: MERGER AND CHANGE OF NAME;ASSIGNORS:OWL CYBER DEFENSE SOLUTIONS, LLC;TRESYS TECHNOLOGY, LLC;REEL/FRAME:060978/0964

Effective date: 20200723

AS Assignment

Owner name: BANK OF AMERICA, N.A., AS ADMINISTRATIVE AGENT, NORTH CAROLINA

Free format text: NOTICE OF GRANT OF SECURITY INTEREST IN PATENTS;ASSIGNOR:OWL CYBER DEFENSE SOLUTIONS, LLC;REEL/FRAME:063489/0047

Effective date: 20201228

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER