System and method for multi-level security on a network

US 7,607,011 B1
Filed: 07/16/2004
Issued: 10/20/2009
Est. Priority Date: 07/16/2004
Status: Active Grant

First Claim

Patent Images

1. A method of communicating information in a system having multi-level security requirements, the method comprising:

receiving a packet having unencrypted data at an Ethernet switch, the packet comprising a header portion and a data portion;

transmitting the packet to a node from the Ethernet switch based on a media access control address and data received by the Ethernet switch;

routing the packet to a host from the node based on an Internet Protocol Address in the packet, the host including a number of virtual hosts, each virtual host having a unique Internet Protocol Address, a protected address space, an application in an application partition and a protocol stack;

processing the packet at the host such that data from the packet is maintained in the protected address space associated with the virtual host;

adding an application partition to a multi-cast group based on a node table; and

wherein the data portion comprises at least one of a low level security data and a high level data;

wherein the virtual hosts are separated by an operating system kernel;

wherein the node comprises an Ethernet node, the Ethernet node comprises a verified high assurance processor;

wherein the verified high assurance processor is configured to comply with the multi-level security requirements of the system by controlling the transmission of the unencrypted data to a predetermined virtual host;

wherein data from the application in the application partition is unreadable by another application in a different application partition;

wherein the verified high assurance processor is further configured to conduct a control check on the received packet using the node table, the node table including a source verification table;

wherein the verified high assurance processor uses the source verification table to ensure the source of the packet matches an expected remote Internet Protocol Address; and

wherein the verified high assurance processor uses the node table to perform a configuration check on the system components using a trusted application and to dynamically reconfigure information flow in the system components in the event of component damage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of communicating information in a system having multi-level security requirements includes receiving a packet having unencrypted data, routing the packet to a host, and processing the packet at the host such that data from the packet is maintained in the protected address space associated with the host. The host includes a number of virtual hosts, each having a unique internet protocol (IP) address, a protected address space, and a protocol stack.

65 Citations

View as Search Results

13 Claims

1. A method of communicating information in a system having multi-level security requirements, the method comprising:
- receiving a packet having unencrypted data at an Ethernet switch, the packet comprising a header portion and a data portion;
  
  transmitting the packet to a node from the Ethernet switch based on a media access control address and data received by the Ethernet switch;
  
  routing the packet to a host from the node based on an Internet Protocol Address in the packet, the host including a number of virtual hosts, each virtual host having a unique Internet Protocol Address, a protected address space, an application in an application partition and a protocol stack;
  
  processing the packet at the host such that data from the packet is maintained in the protected address space associated with the virtual host;
  
  adding an application partition to a multi-cast group based on a node table; and
  
  wherein the data portion comprises at least one of a low level security data and a high level data;
  
  wherein the virtual hosts are separated by an operating system kernel;
  
  wherein the node comprises an Ethernet node, the Ethernet node comprises a verified high assurance processor;
  
  wherein the verified high assurance processor is configured to comply with the multi-level security requirements of the system by controlling the transmission of the unencrypted data to a predetermined virtual host;
  
  wherein data from the application in the application partition is unreadable by another application in a different application partition;
  
  wherein the verified high assurance processor is further configured to conduct a control check on the received packet using the node table, the node table including a source verification table;
  
  wherein the verified high assurance processor uses the source verification table to ensure the source of the packet matches an expected remote Internet Protocol Address; and
  
  wherein the verified high assurance processor uses the node table to perform a configuration check on the system components using a trusted application and to dynamically reconfigure information flow in the system components in the event of component damage.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the verified high assurance processor comprises an Internet Protocol router software.
  - 3. The method of claim 1, wherein the protocol stack is a TCP/UDP-IP protocol stack.
  - 4. The method of claim 1, wherein processing the packet at the host comprises processing the packet using the protocol stack at one of the virtual hosts.

5. A system for communicating information having multi-level security requirements, the system comprising:
- a node configured to receive a packet having unencrypted data from an Ethernet switch, the packet comprising a header portion and a data portion, the node further configured to route the packet to a host in a network based on an Internet Protocol Address in the packet, the host including a number of software applications, separate and protected address spaces, and protocol stacks;
  
  an operating system kernel, the operating system kernel including a number of virtual hosts, wherein the number of virtual hosts are operable to process the packet using the protocol stack at the virtual host and process data in the protected address space associated with the virtual host;
  
  wherein the node is configured to add an application partition to a multi-cast group based on a node table;
  
  wherein the data portion comprises at least one of a low level security data and a high level security data;
  
  wherein the virtual hosts are separated by the operating system kernel;
  
  wherein the node comprises an Ethernet node, the Ethernet node comprises a verified high assurance processor;
  
  wherein the verified high assurance processor is configured to comply with the multi-level security requirements of the system by controlling the transmission of the unencrypted data to a predetermined virtual host;
  
  wherein the verified high assurance processor is further configured to conduct a control check on the received packet using the node table, the node table including a source verification table;
  
  wherein the verified high assurance processor uses the source verification table to ensure the source of the packet matches an expected remote Internet Protocol Address; and
  
  wherein the verified high assurance processor uses the node table to perform a configuration check on the system components using a trusted application and to dynamically reconfigure information flow in the system components in the event of a component damage.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The system of claim 5, wherein the verified high assurance processor comprises an Internet Protocol router software.
  - 7. The system of claim 5, wherein the virtual host includes a unique Internet Protocol Address.
  - 8. The system of claim 5, wherein the number of virtual hosts have a number of Internet Protocol Addresses associated therewith.
  - 9. The system of claim 5, further comprising a high assurance switch configured to receive the packet from a network and route the packet to the node based on information in the packet.

10. A system for communicating information having multi-level security requirements, the system comprising:
- means for receiving a packet having unencrypted data at a host from a node based on an Internet Protocol Address in the packet, the packet comprising a header portion and a data portion, the host including a number of software applications, a protected address space, and a protocol stack;
  
  means for processing the packet at the host such that data from the packet is maintained in the protected address space associated with the host;
  
  means for adding an application partition to a multi-cast group based on a node table; and
  
  wherein the data portion comprises at least one of a low level security data and a high level security data;
  
  wherein virtual hosts are separated by an operating system kernel, the virtual hosts comprising applications in application partitions;
  
  wherein the means for receiving the packet having unencrypted data comprises an Ethernet node, the Ethernet node comprises a verified high assurance processor;
  
  wherein the verified high assurance processor is configured to comply with the multi-level security requirements of the system by controlling the transmission of the unencrypted data to a predetermined virtual host;
  
  wherein data from an application in a virtual host is unreadable by another application in a different application partition;
  
  wherein the verified high assurance processor is further configured to conduct a control check on the received packet using the node table, the node table including a source verification table;
  
  wherein the verified high assurance processor uses the source verification table to ensure the source of the packet matches an expected remote Internet Protocol Address; and
  
  wherein the verified high assurance processor uses the node table to perform a configuration check on the system components using a trusted application and to dynamically reconfigure information flow in the system components in the event of a component damage.
- View Dependent Claims (11, 12, 13)
- - 11. The system of claim 10, further comprising means for routing the packet to the host.
  - 12. The system of claim 10, wherein the means for processing establishes a socket connection including a number of application partitions.
  - 13. The system of claim 12, wherein the protected address space prevents data in one application partition from being read from another application partition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Original Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Inventors
Shelton, Greg L., Johnson, Tony L.
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
GERGISO, TECHANE

Application Number

US10/893,288
Time in Patent Office

1,922 Days
Field of Search

713/166, 709/238, 718/1
US Class Current

713/166
CPC Class Codes

H04L 63/101 Access control lists [ACL]

H04L 63/105 Multiple levels of security

System and method for multi-level security on a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

65 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for multi-level security on a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links