SINGLE COMPUTER-BASED VIRTUAL CROSS-DOMAIN SOLUTIONS
Abstract
Three embodiments of one-way cross-domain systems for transferring information from a client in a first security domain to a server in a second separate security domain are disclosed. In addition, three embodiments of bilateral cross-domain systems for transferring first information from a client in a first security domain to a server in a second separate security domain and second information from the server in the second separate security domain to the client in the first security domain are also disclosed. Each of the one-way and bilateral cross-domain systems is based upon a single computer server which employs a number of virtual machines to implement send and receive servers. The single computer server also implements one (for the one-way cross-domain systems) or two (for the bilateral cross-domain systems) virtual one-way data links in either virtual machines or within the hypervisor portion of the operating system.
20 Claims
1. A one-way cross-domain system for transferring information from a client in a first security domain to a server in a second separate security domain, comprising:
a server computer configured to run a first virtual machine and a second virtual machine, the first virtual machine completely separate from the second virtual machine;
a first network interface card installed in the server computer for coupling to the client in the first security domain;
a second network interface card installed in the server computer for coupling to the server in the second separate security domain;
a one-way transmit card installed in the server computer, the one-way transmit card having an external output;
a one-way receive card installed in the server computer, the one-way receive card having an external input;
an external communications link having a first end coupled only to the external output of the one-way transmit card and a second end coupled only to the external input of the one-way receive card;
wherein the one-way transmit card is configured to only communicate with the one-way receive card via the external communications link;
wherein the first virtual machine is configured to only communicate with the first network interface card and the one-way transmit card, the first virtual machine configured to receive information from the client via the first network interface card and to forward the received information to the one-way transmit card;
wherein the second virtual machine is configured to only communicate with the one-way receive card and the second network interface card, the second virtual machine configured to receive the information forwarded from the first virtual machine via the one-way transmit card, the external communications link, and the one-way receive card and to forward the received information to the server in the second separate security domain via the second network interface card; and
wherein the client is only communicatively coupled to the server via the first network interface card, the first virtual machine, the transmit card, the external communications link, the receive card, the second virtual machine and the second network interface card.
Dependent claims: 2, 3

4. A one-way cross-domain system for transferring information from a client in a first security domain to a server in a second separate security domain, comprising:
a server computer configured to run a first virtual machine, a second virtual machine, and a third virtual machine, each of the virtual machines completely separate from each other virtual machine;
a first network interface card installed in the server computer for coupling to the client in the first security domain;
a second network interface card installed in the server computer for coupling to the server in the second separate security domain;
wherein the first virtual machine is configured to only communicate with the first network interface card and the second virtual machine, the first virtual machine configured to receive information from the client via the first network interface card and to forward the received information to the second virtual machine;
wherein the second virtual machine is configured to only communicate with the first virtual machine and the third virtual machine, the second virtual machine configured to receive information from the first virtual machine and to forward the received information to the third virtual machine, the second virtual machine configured to be unable to receive any information from the third virtual machine and to be unable to send any information to the first virtual machine;
wherein the third virtual machine is configured to only communicate with the second virtual machine and the second network interface card, the third virtual machine configured to receive the information forwarded from the first virtual machine via the second virtual machine and to forward the received information to the server in the second separate security domain via the second network interface card; and
wherein the client is only communicatively coupled to the server via the first network interface card, the first virtual machine, the second virtual machine, the third virtual machine and the second network interface card.
Dependent claims: 5, 6

7. A one-way cross-domain system for transferring information from a client in a first security domain to a server in a second separate security domain, comprising:
a server computer configured to run a first virtual machine and a second virtual machine, the first virtual machine completely separate from the second virtual machine, the first virtual machine and the second virtual machine controlled by a hypervisor, the server computer also configured to provide a hypervisor-based one-way link having an input and an output, the hypervisor-based one-way link configured to transfer information received at the input to the output and to be incapable of transferring any information from the output to the input;
a first network interface card installed in the server computer for coupling to the client in the first security domain;
a second network interface card installed in the server computer for coupling to the server in the second separate security domain;
wherein the first virtual machine is configured to only communicate with the first network interface card and the input of the hypervisor-based one-way link, the first virtual machine configured to receive information from the client via the first network interface card and to forward the received information to the input of the hypervisor-based one-way link;
wherein the second virtual machine is configured to only communicate with the output of the hypervisor-based one-way link and the second network interface card, the second virtual machine configured to receive the information forwarded from the first virtual machine via the hypervisor-based one-way link and to forward the received information to the server in the second separate security domain via the second network interface card; and
wherein the client is only communicatively coupled to the server via the first network interface card, the first virtual machine, the hypervisor-based one-way link, the second virtual machine and the second network interface card.
Dependent claims: 8, 9

10. A bilateral cross-domain system for transferring first information from a client in a first security domain to a server in a second separate security domain and second information from the server in the second separate security domain to the client in the first security domain, comprising:
a server computer configured to run a first virtual machine, a second virtual machine, a third virtual machine and a fourth virtual machine, each of the virtual machines completely separate from each of the other virtual machines;
a first network interface card installed in the server computer for coupling to the client in the first security domain;
a second network interface card installed in the server computer for coupling to the server in the second separate security domain;
a first one-way transmit card installed in the server computer, the first one-way transmit card having an external output;
a first one-way receive card installed in the server computer, the first one-way receive card having an external input;
a first external communications link having a first end coupled only to the external output of the first one-way transmit card and a second end coupled only to the external input of the first one-way receive card;
a second one-way transmit card installed in the server computer, the second one-way transmit card having an external output;
a second one-way receive card installed in the server computer, the second one-way receive card having an external input;
a second external communications link having a first end coupled only to the external output of the second one-way transmit card and a second end coupled only to the external input of the second one-way receive card;
wherein the first one-way transmit card is configured to only communicate with the first one-way receive card via the first external communications link;
wherein the second one-way transmit card is configured to only communicate with the second one-way receive card via the second external communications link;
wherein the first virtual machine is configured to only communicate with the first network interface card, the second one-way receive card and the second virtual machine, the first virtual machine configured to receive the first information from the client via the first network interface card and to forward the received first information to the second virtual machine, the first virtual machine configured to receive the second information from the second one-way receive card via the second external communications link and the second one-way transmit card and to forward the received second information to the client via the first network interface card;
wherein the second virtual machine is configured to only communicate with the first virtual machine and the first one-way transmit card, the second virtual machine configured to receive the first information forwarded from the first virtual machine and to forward the received first information to the first one-way transmit card;
wherein the third virtual machine is configured to only communicate with the first one-way receive card and the fourth virtual machine, the third virtual machine configured to receive the first information from the first one-way receive card via the first external communications link and the first one-way transmit card and to forward the received first information to the fourth virtual machine; and
wherein the fourth virtual machine is configured to only communicate with the third virtual machine, the second one-way transmit card and the second network interface card, the fourth virtual machine configured to receive the first information forwarded from the third virtual machine and to forward the received first information to the server in the second separate security domain via the second network interface card, the fourth virtual machine configured to receive the second information from the server in the second separate security domain via the second network interface card and to forward the received second information to the second one-way transmit card.
Dependent claims: 11, 12

13. A bilateral cross-domain system for transferring first information from a client in a first security domain to a server in a second separate security domain and second information from the server in the second separate security domain to the client in the first security domain, comprising:
a server computer configured to run a first virtual machine, a second virtual machine, a third virtual machine, a fourth virtual machine, a fifth virtual machine and a sixth virtual machine, each of the virtual machines completely separate from each of the other virtual machines;
a first network interface card installed in the server computer for coupling to the client in the first security domain;
a second network interface card installed in the server computer for coupling to the server in the second separate security domain;
wherein the first virtual machine is configured to only communicate with the first network interface card, the second virtual machine and the fourth virtual machine, the first virtual machine configured to receive the first information from the client via the first network interface card and to forward the received first information to the fourth virtual machine, the first virtual machine configured to receive the second information from the second virtual machine and to forward the received second information to the client in the first security domain via the first network interface card;
wherein the second virtual machine is configured to only communicate with the first virtual machine and the third virtual machine, the second virtual machine configured to receive the second information from the third virtual machine and to forward the received second information to the first virtual machine, the second virtual machine configured to be unable to receive any information from the first virtual machine and to be unable to send any information to the third virtual machine;
wherein the third virtual machine is configured to only communicate with the second virtual machine, the second network interface card and the sixth virtual machine, the third virtual machine configured to receive the first information forwarded from the first virtual machine via the fourth virtual machine, the fifth virtual machine and the sixth virtual machine and to forward the received first information to the server in the second separate security domain via the second network interface card, the third virtual machine configured to receive the second information from the server in the second separate security domain via the second network interface card and to forward the received second information to the second virtual machine;
wherein the fourth virtual machine is configured to only communicate with the first virtual machine and the fifth virtual machine, the fourth virtual machine configured to receive the first information forwarded from the first virtual machine and to forward the received first information to the fifth virtual machine;
wherein the fifth virtual machine is configured to only communicate with the fourth virtual machine and the sixth virtual machine, the fifth virtual machine configured to receive the first information from the first virtual machine and to forward the received first information to the sixth virtual machine, the fifth virtual machine configured to be unable to receive any information from the sixth virtual machine and to be unable to send any information to the fourth virtual machine; and
wherein the sixth virtual machine is configured to only communicate with the fifth virtual machine and the third virtual machine, the sixth virtual machine configured to receive the first information from the fifth virtual machine and to forward the received first information to the third virtual machine.
Dependent claims: 14, 15, 17

18. A bilateral cross-domain system for transferring first information from a client in a first security domain to a server in a second separate security domain and second information from the server in the second separate security domain to the client in the first security domain, comprising:
a server computer configured to run four virtual machines, each of the virtual machines completely separate from each other virtual machine, each of the virtual machines controlled by a hypervisor, the server computer also configured to provide a first hypervisor-based one-way link having an input and an output and a second hypervisor-based one-way link having an input and an output, each of the hypervisor-based one-way links configured to transfer information received at the input to the output and to be incapable of transferring any information from the output to the input;
a first network interface card installed in the server computer for coupling to the client in the first security domain;
a second network interface card installed in the server computer for coupling to the server in the second separate security domain;
wherein the first virtual machine is configured to only communicate with the first network interface card, the third virtual machine and the output of the first hypervisor-based one-way link, the first virtual machine configured to receive the first information from the client via the first network interface card and to forward the received first information to the third virtual machine, the first virtual machine configured to receive the second information from the output of the first hypervisor-based one-way link and to forward the received second information to the client via the first network interface card;
wherein the second virtual machine is configured to only communicate with the input of the first hypervisor-based one-way link, the fourth virtual machine and the second network interface card, the second virtual machine configured to receive the first information forwarded from the first virtual machine via the fourth virtual machine, the second hypervisor-based one-way link and the third virtual machine and to forward the received first information to the server in the second separate security domain via the second network interface card, the second virtual machine configured to receive the second information from the server via the second one-way network interface card and to forward the received second information to the input of the first hypervisor-based one-way link;
wherein the third virtual machine is configured to only communicate with the first virtual machine and the input of the second hypervisor-based one-way link, the third virtual machine configured to receive the first information from the first virtual machine and to forward the received first information to the input of the second hypervisor-based one-way link; and
wherein the fourth virtual machine is configured to only communicate with the output of the second hypervisor-based one-way link and the second virtual machine, the fourth virtual machine configured to receive the first information from the output of the second hypervisor-based one-way link and to forward the received first information to the second virtual machine.
Dependent claims: 19, 20
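Every independent claim above reduces to one information-flow property: the client's domain and the server's domain are joined only through the one-way element(s), and only in the permitted direction. The Python model below is an added example, not text from the patent or code from any product it covers. Each claim element becomes a graph node (the names nic1, vm1, tx_card and so on are labels chosen here), ordinary links become bidirectional edges, and each one-way element (transmit card, external link and receive card; a middle VM that is "unable to send" back; a hypervisor-based one-way link) becomes a single directed edge. Reachability then checks the claimed property for claims 1, 4 and 10, and a constructed misconfiguration (a VM wired to both NICs) shows what a failed check looks like; claims 7, 13 and 18 map onto the same model in the same way.

```python
"""Information-flow model of the claimed cross-domain topologies (added example)."""
from collections import defaultdict, deque

BIDIR = True      # ordinary link: information may move either way
ONE_WAY = False   # one-way element: information moves src -> dst only


def build_graph(edges):
    """Adjacency sets from (src, dst, bidirectional) triples."""
    graph = defaultdict(set)
    for src, dst, bidirectional in edges:
        graph[src].add(dst)
        graph[dst]  # make sure nodes that only receive still exist
        if bidirectional:
            graph[dst].add(src)
    return graph


def reachable(graph, start):
    """Every node that information starting at `start` can ever reach."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def without(edges, diode):
    """Copy of `edges` with the directed edge `diode` = (src, dst) removed."""
    return [e for e in edges if (e[0], e[1]) != diode]


def audit_one_way(edges, low="client", high="server"):
    """Properties a one-way system (claims 1, 4, 7) must satisfy."""
    graph = build_graph(edges)
    bidir_only = build_graph([e for e in edges if e[2]])
    return {
        "low_reaches_high": high in reachable(graph, low),
        "high_reaches_low": low in reachable(graph, high),
        # With every one-way element removed the two domains must be disconnected.
        "diodes_are_only_bridge": high not in reachable(bidir_only, low),
    }


def audit_bilateral(edges, fwd_diode, ret_diode, low="client", high="server"):
    """Properties a bilateral system (claims 10, 13, 18) must satisfy."""
    graph = build_graph(edges)
    bidir_only = build_graph([e for e in edges if e[2]])
    return {
        "low_reaches_high": high in reachable(graph, low),
        "high_reaches_low": low in reachable(graph, high),
        # Each direction depends on its own one-way link: cut it and that flow stops.
        "forward_needs_fwd_diode": high not in reachable(build_graph(without(edges, fwd_diode)), low),
        "return_needs_ret_diode": low not in reachable(build_graph(without(edges, ret_diode)), high),
        "diodes_are_only_bridge": high not in reachable(bidir_only, low),
    }


# Claim 1: two VMs, a transmit card and a receive card joined by the external link.
CLAIM_1 = [
    ("client", "nic1", BIDIR), ("nic1", "vm1", BIDIR),
    ("vm1", "tx_card", BIDIR),        # VM1 drives the card; modelled two-way to be conservative
    ("tx_card", "rx_card", ONE_WAY),  # the external communications link
    ("rx_card", "vm2", BIDIR), ("vm2", "nic2", BIDIR), ("nic2", "server", BIDIR),
]

# Claim 4: three VMs; the middle VM cannot send to VM1 or receive from VM3.
CLAIM_4 = [
    ("client", "nic1", BIDIR), ("nic1", "vm1", BIDIR),
    ("vm1", "vm2", ONE_WAY), ("vm2", "vm3", ONE_WAY),
    ("vm3", "nic2", BIDIR), ("nic2", "server", BIDIR),
]

# Claim 10: four VMs and two transmit/receive card pairs, one per direction.
CLAIM_10 = [
    ("client", "nic1", BIDIR), ("nic1", "vm1", BIDIR), ("vm1", "vm2", BIDIR),
    ("vm2", "tx1", BIDIR), ("tx1", "rx1", ONE_WAY), ("rx1", "vm3", BIDIR),   # low -> high
    ("vm3", "vm4", BIDIR), ("vm4", "nic2", BIDIR), ("nic2", "server", BIDIR),
    ("vm4", "tx2", BIDIR), ("tx2", "rx2", ONE_WAY), ("rx2", "vm1", BIDIR),   # high -> low
]

# Constructed misconfiguration for contrast: VM1 is also given the high-side NIC.
MISCONFIGURED = CLAIM_1 + [("vm1", "nic2", BIDIR)]

if __name__ == "__main__":
    for name, result in [("claim 1", audit_one_way(CLAIM_1)),
                         ("claim 4", audit_one_way(CLAIM_4)),
                         ("claim 10", audit_bilateral(CLAIM_10, ("tx1", "rx1"), ("tx2", "rx2"))),
                         ("misconfigured", audit_one_way(MISCONFIGURED))]:
        print(name, result)
```

The model checks only the wiring the claims specify. It says nothing about how strongly the hypervisor and the shared hardware of the single server actually keep the virtual machines "completely separate", which is what the claims lean on; that has to be assured separately, by reviewing the VM-to-device assignments and, where the embodiment allows it, by relying on the physically one-way transmit and receive cards rather than on a software link.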
Specification