MULTI-LEVEL SECURITY SYSTEMS
First Claim
1. A computer-implemented method of providing multi-level security systems, comprising steps of:
defining, for each of a plurality of different security classifications to be used by a first multi-level security (“MLS”) system when sending outbound packets to a second MLS system, a unique source address; and
for each of the outbound packets sent from the first MLS system to the second MLS system, performing steps of:
determining, by the first MLS system, a particular one of the security classifications that applies to the outbound packet;
locating, by the first MLS system, the unique source address defined for the determined particular one;
replacing, by the first MLS system, a source address in a packet header of the outbound packet with the located unique source address, thereby conveying the security classification that applies to the outbound packet through the source address in the packet header; and
sending, by the first MLS system responsive to the replacing step, the outbound packet to the second MLS system.
Abstract
Techniques are disclosed for improving multi-level security (“MLS”) in computing systems. Communication between MLS systems in the prior art requires explicitly tagging each packet with its security classification. The packet tags comprise variable-length bit patterns inserted into packet headers. This results in a number of drawbacks, including increased path length and code complexity, as well as reduced interoperability. An MLS system according to the present invention simulates a cluster or collection of single-level security systems, and thereby avoids packet tagging. For each security classification used by an MLS system, a distinct source address is defined. This source address is used for outbound packets having that security classification, such that the packet's source address implicitly identifies the packet's security classification.
27 Citations
21 Claims
1. A computer-implemented method of providing multi-level security systems (independent method claim; full text as set out under First Claim above). Dependent claims: 2, 3, 4, 5, 6.
7-11. (canceled)
12. A system for providing multi-level security systems, comprising:
a unique source address defined for each of a plurality of different security classifications to be used by a first multi-level security (“MLS”) system when sending outbound packets to a second MLS system; and
means for processing each of the outbound packets sent from the first MLS system to the second MLS system, further comprising:
means for determining, by the first MLS system, a particular one of the security classifications that applies to the outbound packet;
means for locating, by the first MLS system, the unique source address defined for the determined particular one;
means for replacing, by the first MLS system, a source address in a packet header of the outbound packet with the located unique source address, thereby conveying the security classification that applies to the outbound packet through the source address in the packet header; and
means for sending, by the first MLS system responsive to operation of the means for replacing, the outbound packet to the second MLS system. Dependent claims: 13, 14.
15-16. (canceled)
17. A computer program product for providing multi-level security systems, the computer program product embodied on one or more computer-usable storage media and comprising computer-usable program code for:
defining, for each of a plurality of different security classifications to be used by a first multi-level security (“MLS”) system when sending outbound packets to a second MLS system, a unique source address; and
processing each of the outbound packets sent from the first MLS system to the second MLS system, further comprising:
determining, by the first MLS system, a particular one of the security classifications that applies to the outbound packet;
locating, by the first MLS system, the unique source address defined for the determined particular one;
replacing, by the first MLS system, a source address in a packet header of the outbound packet with the located unique source address, thereby conveying the security classification that applies to the outbound packet through the source address in the packet header; and
sending, by the first MLS system responsive to the replacing, the outbound packet to the second MLS system. Dependent claims: 18, 19, 20.
21-23. (canceled)
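The following is an added illustrative model of the scheme described in the abstract and in claims 1, 12 and 17; it is not code from the patent or its assignee. The classification names, the 192.0.2.x addresses (RFC 5737 documentation range) and the minimal IPv4 header are constructed for the example; the receiving side rejects any source address that is not one of the defined classification addresses rather than guessing a level.

```python
"""Model of per-classification source addressing between two MLS systems (illustrative)."""
import struct
import ipaddress

# Constructed table: one distinct source address per security classification (claim 1, "defining").
SOURCE_BY_CLASSIFICATION = {
    "UNCLASSIFIED": "192.0.2.10",
    "CONFIDENTIAL": "192.0.2.11",
    "SECRET": "192.0.2.12",
}
# Inverse table used by the second MLS system to recover the classification from the address.
CLASSIFICATION_BY_SOURCE = {v: k for k, v in SOURCE_BY_CLASSIFICATION.items()}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header (0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header without options; checksum filled in at offset 10."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def label_outbound(packet: bytes, classification: str) -> bytes:
    """First MLS system: determine/locate the address for the classification and replace the
    header's source address with it (claim 1 "replacing"), then recompute the header checksum."""
    src = SOURCE_BY_CLASSIFICATION[classification]  # KeyError if no address is defined for it
    hdr = packet[:10] + b"\x00\x00" + packet[12:20]  # zero the checksum field before recomputing
    hdr = hdr[:12] + ipaddress.IPv4Address(src).packed + hdr[16:]  # source address at bytes 12..15
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]


def classify_inbound(packet: bytes) -> str:
    """Second MLS system: the classification is implied solely by the source address.
    Unknown source addresses are rejected instead of being mapped to a default level."""
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    if src not in CLASSIFICATION_BY_SOURCE:
        raise ValueError(f"source {src} is not a defined MLS classification address")
    return CLASSIFICATION_BY_SOURCE[src]
```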
Specification