Secure unrestricted network for innovation

US 10,193,857 B2
Filed: 09/28/2015
Issued: 01/29/2019
Est. Priority Date: 06/30/2015
Status: Active Grant

First Claim

Patent Images

1. A dual network computing system comprising:

a workstation comprising;

a first computing system communicably coupled with a first data storage system within a first network, the first computing system is configured to access or transmit first network data;

a second computing system communicably coupled with a second data storage system within a second network, wherein the second network does not communicate outbound data to the first network;

a keyboard;

a video display;

a graphical user interface pointing device; and

a keyboard video, and graphical user interface pointing device (KVGUIPD) switch that is coupled to the first and second computing systems, the KVGUIPD switch selectively couples the keyboard, the video display, and the graphical user interface pointing device with either said first or said second computing systems, said KVGUIPD switch comprises a mechanical switch that enables coupling of the keyboard, the video display, and the graphical user interface pointing device with either the first or second computing systems while electrically isolating the first and second computing systems from each other;

a data transport server communicably coupled to the first data storage system and the second data storage system, the data transport server including a first network interface configured to receive first network data from the first data storage data system, wherein the first storage system further include a data or file synchronization system or program that automatically replicates the first network data selected for storage on the first data storage system to the data transport server when the first network data is selected for said storage to the first data storage system using the first computing system, wherein the data transport server further includes, and a second network interface configured to transmit data unidirectionally from the data transport server to the second data storage system, wherein the data transport server further includes a purging module, the purging module configured to scan for one or more predefined data elements from the first network data received from the first data storage system, the purging module is further configured to purge said one or more matching data elements from the first network data if detected, wherein the purging module outputs in remaining first network data elements, wherein the data transport server further comprises a second network interface configured to transmit the purging module outputs of remaining first network data elements unidirectionally from the data transport server; and

a first data link providing unidirectional data communication from the data transport server'"'"'s second network interface to the second data storage system, wherein the second network interface and the first data link is implemented using a physical and logical one-way interface/data transport link with the second storage system;

the data transport server includes logic that overrides a purging function of the purging module when the data transport server verifies at least one authentication factor associated with one or more of the first plurality of data to determine whether the one or more of the first plurality of data originated from a trusted source; and

wherein the one or more of the first plurality of data include a binary data file and the at least one authentication factor includes a digital signature associated with at least one of the binary data file;

a second data blocking device communicably coupled to an encryption device, wherein the second data blocking device is configured to block first network data not selected for storage in the first data storage system via the first computing system from entering the second network comprising a closed network portion of the dual network computing system, and the second data routing device is communicably coupled to the encryption device, wherein the encryption device encrypts data transmitted by the second data routing device;

wherein the encryption device and the second data blocking device are configured to enable encrypted isolation between first network data not selected for storage in the first data storage system via the first computing system that is external to the second network'"'"'s closed network portion and data internal to the closed network portion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates to a system and method for transporting data within a dual network computing system including a first workstation communicably coupled to a first storage device, and a second workstation communicably coupled to a second storage device, wherein the first storage device cannot be accessed by the second workstation, and the second storage device cannot be accessed by the first workstation. The system and method further includes a data transport server communicably coupled to the first storage device and the second storage device, wherein the data transport server is configured to be in unidirectional communication with the first storage device and in unidirectional communication with the second storage device, the data transport server being configured to purge one or more data elements from data accessed from the first storage device and transport remaining data elements to the second storage device, and the second workstation is configured to access the remaining data elements from the second storage device.

45 Citations

17 Claims

1. A dual network computing system comprising:
- a workstation comprising;
  
  a first computing system communicably coupled with a first data storage system within a first network, the first computing system is configured to access or transmit first network data;
  
  a second computing system communicably coupled with a second data storage system within a second network, wherein the second network does not communicate outbound data to the first network;
  
  a keyboard;
  
  a video display;
  
  a graphical user interface pointing device; and
  
  a keyboard video, and graphical user interface pointing device (KVGUIPD) switch that is coupled to the first and second computing systems, the KVGUIPD switch selectively couples the keyboard, the video display, and the graphical user interface pointing device with either said first or said second computing systems, said KVGUIPD switch comprises a mechanical switch that enables coupling of the keyboard, the video display, and the graphical user interface pointing device with either the first or second computing systems while electrically isolating the first and second computing systems from each other;
  
  a data transport server communicably coupled to the first data storage system and the second data storage system, the data transport server including a first network interface configured to receive first network data from the first data storage data system, wherein the first storage system further include a data or file synchronization system or program that automatically replicates the first network data selected for storage on the first data storage system to the data transport server when the first network data is selected for said storage to the first data storage system using the first computing system, wherein the data transport server further includes, and a second network interface configured to transmit data unidirectionally from the data transport server to the second data storage system, wherein the data transport server further includes a purging module, the purging module configured to scan for one or more predefined data elements from the first network data received from the first data storage system, the purging module is further configured to purge said one or more matching data elements from the first network data if detected, wherein the purging module outputs in remaining first network data elements, wherein the data transport server further comprises a second network interface configured to transmit the purging module outputs of remaining first network data elements unidirectionally from the data transport server; and
  
  a first data link providing unidirectional data communication from the data transport server'"'"'s second network interface to the second data storage system, wherein the second network interface and the first data link is implemented using a physical and logical one-way interface/data transport link with the second storage system;
  
  the data transport server includes logic that overrides a purging function of the purging module when the data transport server verifies at least one authentication factor associated with one or more of the first plurality of data to determine whether the one or more of the first plurality of data originated from a trusted source; and
  
  wherein the one or more of the first plurality of data include a binary data file and the at least one authentication factor includes a digital signature associated with at least one of the binary data file;
  
  a second data blocking device communicably coupled to an encryption device, wherein the second data blocking device is configured to block first network data not selected for storage in the first data storage system via the first computing system from entering the second network comprising a closed network portion of the dual network computing system, and the second data routing device is communicably coupled to the encryption device, wherein the encryption device encrypts data transmitted by the second data routing device;
  
  wherein the encryption device and the second data blocking device are configured to enable encrypted isolation between first network data not selected for storage in the first data storage system via the first computing system that is external to the second network'"'"'s closed network portion and data internal to the closed network portion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The dual network computing system of claim 1, wherein the purging module is configured to produce the remaining first network data by purge actions by removing:
    - the one or more data elements that comprise executable file or program; and
      
      removing the one or more data elements that comprise data elements that are configured to at least one of
      
           1) degrade functionality of the dual network computing system,
      
           2) cause unauthorized access to the dual network computing system, or
      
           3) exfiltrate data from the dual network computing system.
  - 3. The dual network computing system of claim 2, wherein the purging module is configured to purge by:
    - removing the one or more data elements that comprise data file types including at least one of EXE file type, APP file type, INS file type, IPA file type, PIF file type, RUN file type, VB file type, VBS file type, VBE file type, WS file type or WSF file type.
  - 4. The dual network computing system of claim 1, further including a first data routing device communicably coupled to the first computing system and communicably coupled to the first data storage system, wherein the first data routing device enables data communication between the first computing system and the first data storage system.
  - 5. The dual network computing system of claim 4, further including a first data blocking device communicably coupled to the first data routing device, wherein the first data blocking device is configured to block data from entering an open network portion.
  - 6. The dual network computing system of claim 1, further including a second data routing device communicably coupled to the second computing system and communicably coupled to the second data storage system, wherein the second data routing device enables data communication between the second computing system and the second data storage data system.
  - 7. The dual network computing system of claim 1, wherein the second network'"'"'s closed network portion further includes a control server having a plurality of nodes, wherein each node is configured to host at least one of a plurality of virtual computing environments.
  - 8. The dual network computing system of claim 7, wherein the second computing system includes at least one of an operating system partition and a data partition, and the operating system partition is configured to host at least one of a plurality of operating systems.
  - 9. The dual network computing system of claim 8, further including a plurality of interconnected second computing systems wherein each second computing systems each respectively includes an operating system partition configured to host at least one of a plurality of operating systems and the control server is configured to distribute updates to the operating systems resident on each of the plurality of interconnected second computing systems.
  - 10. The dual network computing system of claim 1, wherein the first computing system is in data communication with the first data storage system, such that data accessed by the first computing system may be stored in the first data storage system.
  - 11. The dual network computing system of claim 1, wherein the data transport server includes logic that overrides a purging function of the purging module when the data transport server verifies at least one authentication factor associated with one or more data files comprising the first network data selected for storage on the first data storage system from the first computing system to determine whether the one or more data files originated from a trusted source and therefore will not be purged or removed from the first network data by the purging module.

12. A method of operating a dual network computing system comprising the steps of:
- providing a workstation comprising;
  
  a first computing system communicably coupled with a first data storage system within first network, the first computing system is configured to access or transmit first network data;
  
  a second computing system communicably coupled with a second data storage system within a second network, wherein the second network does not communicate outbound data to the first network;
  
  a keyboard;
  
  a video display;
  
  a graphical user interface pointing device; and
  
  a keyboard video, and graphical user interface pointing device (KVGUIPD) switch that is coupled to the first and second computing systems, the KVGUIPD switch selectively couples the keyboard, the video display, and the graphical user interface pointing device with either said first or said second computing systems, said KVGUIPD switch comprises a mechanical switch that enables coupling of the keyboard, the video display, and the graphical user interface pointing device with either the first or second computing systems while electrically isolating the first and second computing systems from each other from each other;
  
  providing a data transport server communicably coupled to the first data storage system and the second data storage system, the data transport server including a first network interface configured to receive first network data from the first data storage data system, wherein the first storage system further include a data or file synchronization system or program that automatically replicates the first network data selected for storage on the first data storage system to the data transport server when the first network data is selected for said storage to the first data storage system using the first computing system, wherein the data transport server further includes a second network interface configured to transmit data unidirectionally from the data transport server to the second data storage system, wherein the data transport server further includes a purging module, the purging module configured to scan for one or more predefined data elements from the first network data received from the first data storage system, the purging module is further configured to purge said one or more matching data elements from the first network data if detected, wherein the purging module outputs remaining first network data elements, wherein the data transport server further comprises a second network interface configured to transmit the purging module outputs of remaining first network data elements unidirectionally from the data transport server;
  
  providing a first data link providing unidirectional data communication from the data transport server'"'"'s second network interface to the second data storage system, wherein the second network interface and the first data link is implemented using a physical and logical one-way interface/data transport link with the second storage system;
  
  providing, by the first computing system, a first plurality of data comprising the first network data to the first data storage data system device from a source within the first network comprising an open network section;
  
  scanning, by the purging module, the first plurality of data communicated from the first storage device to the data transport server;
  
  following the scanning step, identifying, by the purging module, one or more said one or more first data elements to be purged from the first plurality of data provided to the first data storage system;
  
  following the identifying step, purging, by the purging module, the one or more identified one or more first data elements wherein purging includes isolating remaining one or more second data elements from the identified one or more first data elements to create said remaining first network data elements;
  
  the data transport server includes logic that overrides a purging function of the purging module when the data transport server verifies at least one authentication factor associated with one or more of the first plurality of data to determine whether the one or more of the first plurality of data originated from a trusted source; and
  
  wherein the one or more of the first plurality of data include a binary data file and the at least one authentication factor includes a digital signature associated with at least one of the binary data file;
  
  transporting, by the data transport server, said remaining first network data elements remaining one or more second data elements from the data transport server to the second data storage system wherein said transporting is accomplished by way of the first data link; and
  
  a second data blocking device communicably coupled to an encryption device, wherein the second data blocking device is configured to block first network data not selected for storage in the first data storage system via the first computing system from entering the second network comprising a closed network portion of the dual network computing system, and the second data routing device is communicably coupled to the encryption device, wherein the encryption device encrypts data transmitted by the second data routing device;
  
  wherein the encryption device and the second data blocking device are configured to enable encrypted isolation between first network data not selected for storage in the first data storage system via the first computing system that is external to the second network'"'"'s closed network portion and data internal to the closed network portion;
  
  accessing, by the second computing system coupled to the second network defining a closed network, the remaining first network data elements transported to the second data storage system.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, further including a step of encrypting the first plurality of data after providing the first plurality of data to the first data storage system, wherein encrypting is accomplished by way of an encryption module within the data transport server.
  - 14. The method of claim 12, wherein the steps of scanning, identifying and purging the one or more data elements occurs automatically by the purging module after the first plurality of data is provided to the second data storage system.
  - 15. The method of claim 14, wherein the step of purging the data includes at least one of:
    - removing the one or more of the one or more first data elements that are executable data elements; and
      
      removing the one or more data elements that are configured to at least one of
      
           1) degrade functionality of the second network portion of the dual network computing system,
      
           2) cause unauthorized access to the second network portion of the dual network computing system, or
      
           3) exfiltrate data from the second network portion of the dual network computing system.
  - 16. The method of claim 15, further including the steps of providing, by the first computing system, one or more of the first plurality of data to the first data storage system, and verifying, by the data transport server, at least one authentication factor associated with the one or more of the first plurality of data to determine whether the one or more of the first plurality of data originated from a trusted source.
  - 17. The method of claim 16, wherein the data transport server automatically deletes the one or more of the first plurality of data provided by the first computing system when the data transport server determines that the one or more of the first plurality of data did not originate from a trusted source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
the united states of america as represented by the secretary of the navy
Original Assignee
the united states of america as represented by the secretary of the navy
Inventors
Griffith, John B.
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US14/868,241
Publication Number

US 20170004318A1
Time in Patent Office

1,219 Days
Field of Search

713153
US Class Current
CPC Class Codes

G06F 21/85   interconnection devices, e....

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/105   Multiple levels of security

H04L 63/18   using different networks or...

Secure unrestricted network for innovation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Secure unrestricted network for innovation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links