Multi-level security network system
First Claim
1. A security device for connecting a host computer from a host bus to a network accessible to other host computers, the security device comprising a local bus, a network interface connecting said local bus to the network, and a two-port memory device connecting said local bus to the host bus including a first port coupled to said host bus, a second port coupled to said local bus, and a RAM connected between said first and second ports, said RAM storing information provided over said host bus in a host bus memory space and storing information provided over said local bus in a local bus memory space wherein information to be transferred from the host bus to the local bus is written to said host bus memory space and then transferred out of host bus memory space into local bus memory space in advance of security processing, said transferred information being invisible to said host bus, said security device further comprising a central processing unit connected with said local bus, said central processing unit having associated firmware, and a security device local RAM, said central processing unit transferring information out of said local bus memory space of said two-port memory device into said security device local RAM in accordance with a predetermined security policy.
19 Assignments
0 Petitions
Accused Products
Abstract
A network prevents unauthorized users from gaining access to confidential information. The network has various workstations and servers connected by a common medium and through a router to the Internet. The network has two major components, a Network Security Center (NSC) and security network interface cards or devices. The NSC is an administrative workstation through which the network security officer manages the network as a whole as well as the individual security devices. The security devices are interposed, between each of workstation, including the NSC, and the common medium and operate at a network layer (layer 3) of the protocol hierarchy. The network allows trusted users to access outside information, including the Internet, while stopping outside attackers at their point of entry. At the same time, the network limits an unauthorized insider to information defined in their particular security profile. The user may select which virtual network to access at any given time. The result is trusted access to multiple secure Virtual Private Networks (VPN), all from a single desktop machine.
564 Citations
22 Claims
- 1. A security device for connecting a host computer from a host bus to a network accessible to other host computers, the security device comprising a local bus, a network interface connecting said local bus to the network, and a two-port memory device connecting said local bus to the host bus including a first port coupled to said host bus, a second port coupled to said local bus, and a RAM connected between said first and second ports, said RAM storing information provided over said host bus in a host bus memory space and storing information provided over said local bus in a local bus memory space wherein information to be transferred from the host bus to the local bus is written to said host bus memory space and then transferred out of host bus memory space into local bus memory space in advance of security processing, said transferred information being invisible to said host bus, said security device further comprising a central processing unit connected with said local bus, said central processing unit having associated firmware, and a security device local RAM, said central processing unit transferring information out of said local bus memory space of said two-port memory device into said security device local RAM in accordance with a predetermined security policy.
- 7. A security device for connecting a host computer from a host bus to a computer-accessible network, the security device comprising a local bus, a network interface for connecting said local bus to the computer network, and a communication separation unit for connection between said local bus and said host bus, said communication separation unit including a first port coupled to said host bus, a second port coupled to said local bus, and a signal storage device interconnecting said first and second ports, said signal storage device storing signals provided over said host bus in a host bus memory space and over said local bus in a local bus memory space, wherein said signals are switchable between said host bus memory space and said local bus memory space with said switched signals from said host bus memory space being invisible to said host bus after being switched to said local bus memory space, said communication separation unit preventing pass-through of signals between said host bus and said computer-accessible network without transitory storage in said signal storage device, said security device further comprising security device processing means and a local RAM, said security device processing means for transferring signals between said local bus memory space of said signal storage device and said local RAM.
-
17. A security device for a multi-level secure network implementing security at a network layer (layer 3) of protocol hierarchy having a plurality of host computers accessible to users and connected to a computer network medium, said security device connectable between at least one host computer bus and the network medium, wherein said security device comprises a local bus, a network interface for connecting said local bus to the computer network medium, and a communication separation means for connection between said local bus and said host bus and for preventing direct pass-through of signals between said host bus and said local bus, said communication separation means including a memory device for storing information provided over said host bus in a memory space, and means for switching said information from said memory space to said local bus while making said switched information inaccessible to said host bus.
-
19. A security device for a multi-level secure network implementing security at a network layer (layer 3) of protocol hierarchy having a plurality of host computers accessible to users and connected to a computer network medium, said security device connectable between at least one host computer bus and the network medium, said security device comprising
a local bus, a local RAM, and a local processor; -
a network interface for connecting said local bus to the computer network medium and including a network processing means for transferring information between said local RAM and said network medium;
a communication separation means for connection between said local bus and said host bus and for preventing direct pass-through of information between said host bus and said local bus and for preventing direct access between said host bus and components within said security device, said communication separation means including a memory device for storing information provided over said host bus in a memory space, a first port interconnecting said host bus and said memory device, and a second port interconnecting said local bus and said memory device, said information transferrable from said memory space to said local bus while making the transferred information inaccessible to said host bus;
wherein said local processor processes information to be transferred between said host bus and said network medium in accordance with a predetermined security policy to determine whether communication between a host computer and the network medium is authorized, said local processor including means for accessing host bus information from said memory space of said communication separation means, processing said host bus information in accordance with said security policy, transferring the processed host bus information to said local RAM for access by said network processing means, accessing network medium information placed in said local RAM by said network processing means, processing said network medium information in accordance with said security policy, and transferring the processed network medium information to said communication separation means for access by said host bus. - View Dependent Claims (20, 21, 22)
-
Specification
-
- Resources
-
Current AssigneeAPI Cryptek, Inc. (API Technologies Corporation)
-
Original AssigneeCryptek Incorporated (API Technologies Corporation)
-
InventorsWilliams, Timothy C.
-
Primary Examiner(s)Decady, Albert
-
Assistant Examiner(s)KABAKOFF, STEPHEN ERIC
-
Application NumberUS09/129,879Time in Patent Office1,167 DaysField of Search713/151, 713/153, 713/154, 713/200-202, 713/192, 711/213-215, 710/52, 710/129, 709/213-215, 235/375-386, 235/435, 235/487US Class Current726/3CPC Class CodesH04L 63/0218 Distributed architectures, ...H04L 63/0272 Virtual private networksH04L 63/0428 wherein the data content is...H04L 63/105 Multiple levels of securityH04L 63/164 at the network layerH04L 63/20 for managing network securi...H04L 69/12 Protocol engines
