One-Way Router

US 20100290476A1
Filed: 05/18/2009
Published: 11/18/2010
Est. Priority Date: 05/18/2009
Status: Active Grant

First Claim

Patent Images

1. A method for routing network traffic using a one-way router, comprising:

receiving network traffic from one or more network traffic sources;

establishing one or more source sessions with the one or more network traffic sources;

selectively transmitting one or more synthetic destination application responses to the one or more network traffic sources via the one or more source sessions;

transmitting the network traffic through one or more one-way data diodes each corresponding to the one or more source sessions;

establishing one or more destination sessions with one or more network traffic destinations, the one or more destination sessions each isolated from the one or more source sessions by a corresponding one of the one or more one-way data diodes;

transmitting network traffic from the one or more one-way data diodes to the one or more network traffic destinations via the one or more destination sessions;

receiving one or more destination responses from the one or more network traffic destinations responsive to the network traffic; and

selectively transmitting one or more synthetic source application responses to the one or more network traffic destinations.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A one-way router combines benefits of a network diode and router, and thus can route data between networks of varying confidentiality and/or integrity in a secure, one-way fashion. Secure routing is provided transparently so that the router is compatible with standard network applications by synthesizing responses for standard network protocols to provide many-to-many network connections while preventing bidirectional data flow. Separate network stacks are provided for each connected network, and the network stacks are separated from each other by data diodes that enforce one-way data flow. The one-way router can be implemented in hardware or software, and provides architectural flexibility to customize levels of assurance, performance, reliability, and cost.

Citations

20 Claims

1. A method for routing network traffic using a one-way router, comprising:
- receiving network traffic from one or more network traffic sources;
  
  establishing one or more source sessions with the one or more network traffic sources;
  
  selectively transmitting one or more synthetic destination application responses to the one or more network traffic sources via the one or more source sessions;
  
  transmitting the network traffic through one or more one-way data diodes each corresponding to the one or more source sessions;
  
  establishing one or more destination sessions with one or more network traffic destinations, the one or more destination sessions each isolated from the one or more source sessions by a corresponding one of the one or more one-way data diodes;
  
  transmitting network traffic from the one or more one-way data diodes to the one or more network traffic destinations via the one or more destination sessions;
  
  receiving one or more destination responses from the one or more network traffic destinations responsive to the network traffic; and
  
  selectively transmitting one or more synthetic source application responses to the one or more network traffic destinations.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein establishing one or more source sessions comprises selectively transmitting, to the one or more network traffic sources, one or more synthetic destination transport responses responsive to the network traffic and formatted as though originating from the one or more network traffic destinations.
  - 3. The method of claim 1, wherein the one or more synthetic destination application responses are formatted as though originating from the one or more network traffic destinations.
  - 4. The method of claim 1, wherein establishing one or more destination sessions comprises selectively transmitting, to the one or more network traffic destinations, one or more synthetic source transport responses formatted as though originating from one or more network traffic sources.
  - 5. The method of claim 1, wherein the one or more synthetic source application responses are responsive to the one or more destination responses and formatted as though originating from the one or more network traffic sources.
  - 6. The method of claim 1, wherein selectively transmitting the one or more synthetic destination application responses and the one or more synthetic source application responses comprises synthesizing simulated responses for standard protocols used by the one or more network traffic sources and destinations while preventing bi-directional data flow through the one-way router between the one or more network traffic sources and destinations.

7. A system for routing network traffic, comprising:
- a receiver configured to receive and process network traffic from one or more network traffic sources, the receiver comprising one or more transport destination synthesizers configured to selectively generate one or more synthetic destination transport responses;
  
  one or more application destination synthesizers configured to receive the network traffic from the receiver and selectively transmit to the receiver one or more synthetic destination application responses, the receiver being configured to transmit the one or more synthetic destination application responses to the one or more network traffic sources;
  
  one or more data diodes, each of which is coupled to a corresponding one of the one or more application destination synthesizers and configured to selectively provide one-way passage of the network traffic from the corresponding one of the one or more application destination synthesizers;
  
  one or more application source synthesizers corresponding to the one or more application destination synthesizers, each of the one or more application source synthesizers coupled to a corresponding one of the one or more data diodes and configured to receive the network traffic from the one or more data diodes; and
  
  a sender configured to receive the network traffic from the one or more application source synthesizers, the sender comprising one or more transport source synthesizers configured to selectively generate one or more synthetic source transport responses,wherein the sender is further configured to (i) transmit the one or more synthetic source transport responses to the one or more network traffic destinations, (ii) receive one or more destination responses from the corresponding one or more network traffic destinations, and (iii) transmit the one or more destination responses to the one or more application source synthesizers,wherein the one or more application source synthesizers are further configured to selectively generate and transmit, to the sender, one or more synthetic source application responses, andwherein the sender is further configured to transmit, to the corresponding one or more network traffic destinations, the network traffic and the one or more synthetic source application responses from the one or more application source synthesizers.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 8. The system of claim 7, wherein the one or more synthetic destination transport responses are responsive to a transport-layer of the network traffic and formatted as though originating from the one or more network traffic destinations to establish one or more source sessions with the one or more network traffic sources.
  - 9. The system of claim 7, wherein the one or more synthetic destination application responses are responsive to an application-layer of the network traffic and formatted as though originating from the one or more network traffic destinations.
  - 10. The system of claim 7, wherein the one or more synthetic source transport responses are responsive to a transport-layer of the network traffic and formatted as though originating from one or more network traffic sources to establish one or more destination sessions with the one or more network traffic destinations.
  - 11. The system of claim 7, wherein the one or more synthetic source application responses are responsive to an application-layer of the one or more destination responses and formatted as though originating from the one or more network traffic sources.
  - 12. The system of claim 7, wherein the receiver and the one or more application destination synthesizers comprise a receiver network stack, and the sender and the one or more application source synthesizers comprise a sender network stack.
  - 13. The system of claim 12, wherein the receiver network stack further comprises a receiver TCP/IP stack and the sender network stack further comprises a sender TCP/IP stack.
  - 14. The system of claim 12, further comprising one or more additional network stacks, configured to interface with one or more additional networks, and corresponding to at least one of (i) the receiver network stack and (ii) the sender network stack.
  - 15. The system of claim 7, wherein the one or more synthetic destination transport responses and the one or more synthetic source transport responses are responsive to a network-layer of the network traffic.
  - 16. The system of claim 7, wherein the system is configured to appear transparent to the one or more network traffic sources and the one or more network traffic destinations.
  - 17. The system of claim 16, wherein the system is configured to appear transparent from network to application layers in a TCP/IP stack.
  - 18. The system of claim 7, wherein the one or more data diodes are implemented using at least one of (i) one or more software diodes and (ii) one or more hardware diodes.
  - 19. The system of claim 7, wherein the system is configured to allow support of chat traffic and streaming of multimedia network traffic.

20. A tangible computer-readable medium having stored thereon, computer-executable instructions that, if executed by a computing device, cause the computing device to perform a method for routing network traffic using a one-way router, comprising:
- receiving network traffic from one or more network traffic sources;
  
  selectively transmitting one or more synthetic destination transport responses and one or more synthetic destination application responses to the one or more network traffic sources, responsive to the network traffic;
  
  selectively transmitting one or more synthetic source transport responses to one or more network traffic destinations;
  
  transmitting the network traffic through one or more one-way data diodes to the one or more network traffic destinations;
  
  receiving one or more destination responses from the one or more network traffic destinations responsive to the network traffic; and
  
  selectively transmitting one or more synthetic source application responses to the one or more network traffic destinations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OWL Cyber Defense Solutions LLC
Original Assignee
Tresys Technology LLC (OWL Cyber Defense Solutions LLC)
Inventors
Sellers, Charles D., Brindle, Joshua J.

Granted Patent

US 8,068,504 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 63/0209   Architectural arrangements,...

H04L 63/08   for authentication of entit...

One-Way Router

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

One-Way Router

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links