System and method for multi-level security on a network
First Claim
1. A method of communicating information in a system having multi-level security requirements, the method comprising:
receiving a packet having unencrypted data at an Ethernet switch, the packet comprising a header portion and a data portion;
transmitting the packet to a node from the Ethernet switch based on a media access control address and data received by the Ethernet switch;
routing the packet to a host from the node based on an Internet Protocol Address in the packet, the host including a number of virtual hosts, each virtual host having a unique Internet Protocol Address, a protected address space, an application in an application partition and a protocol stack;
processing the packet at the host such that data from the packet is maintained in the protected address space associated with the virtual host;
adding an application partition to a multi-cast group based on a node table; and
wherein the data portion comprises at least one of a low level security data and a high level data;
wherein the virtual hosts are separated by an operating system kernel;
wherein the node comprises an Ethernet node, the Ethernet node comprises a verified high assurance processor;
wherein the verified high assurance processor is configured to comply with the multi-level security requirements of the system by controlling the transmission of the unencrypted data to a predetermined virtual host;
wherein data from the application in the application partition is unreadable by another application in a different application partition;
wherein the verified high assurance processor is further configured to conduct a control check on the received packet using the node table, the node table including a source verification table;
wherein the verified high assurance processor uses the source verification table to ensure the source of the packet matches an expected remote Internet Protocol Address; and
wherein the verified high assurance processor uses the node table to perform a configuration check on the system components using a trusted application and to dynamically reconfigure information flow in the system components in the event of component damage.
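The control check and node-table lookups recited in claim 1, sketched as an added example (not code from the patent or its assignee). The `VirtualHost` record, the `NODE_TABLE` contents, the addresses and the function names are all assumptions, and a Python list stands in for each protected address space.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VirtualHost:
    """One entry of the (hypothetical) node table."""
    partition: str
    level: str                    # "low" or "high"
    expected_remote: frozenset    # source verification table for this host
    allowed_groups: frozenset     # multicast groups this partition may join
    inbox: list = field(default_factory=list)  # stands in for the protected address space
    groups: set = field(default_factory=set)

# Constructed sample node table, keyed by each virtual host's unique IP address.
NODE_TABLE = {
    ipaddress.ip_address("10.0.1.10"): VirtualHost(
        "nav_low", "low", frozenset({ipaddress.ip_address("10.0.9.5")}),
        frozenset({ipaddress.ip_address("239.1.1.1")})),
    ipaddress.ip_address("10.0.1.20"): VirtualHost(
        "msn_high", "high", frozenset({ipaddress.ip_address("10.0.9.7")}),
        frozenset()),
}

def control_check(src, dst, payload, table=NODE_TABLE):
    """Deliver payload to exactly one virtual host or drop it.
    Returns the receiving partition name, or None when the packet is dropped."""
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return None               # malformed address: fail closed
    vhost = table.get(dst_ip)
    if vhost is None:
        return None               # no virtual host owns this address
    if src_ip not in vhost.expected_remote:
        return None               # source is not the expected remote IP address
    vhost.inbox.append(payload)   # data stays in this host's own buffer
    return vhost.partition

def join_group(dst, group, table=NODE_TABLE):
    """Add a partition to a multicast group only if the node table permits it."""
    vhost = table.get(ipaddress.ip_address(dst))
    group_ip = ipaddress.ip_address(group)
    if vhost is None or not group_ip.is_multicast or group_ip not in vhost.allowed_groups:
        return False
    vhost.groups.add(group_ip)
    return True
```
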
Abstract
A method of communicating information in a system having multi-level security requirements includes receiving a packet having unencrypted data, routing the packet to a host, and processing the packet at the host such that data from the packet is maintained in the protected address space associated with the host. The host includes a number of virtual hosts, each having a unique internet protocol (IP) address, a protected address space, and a protocol stack.
13 Claims
5. A system for communicating information having multi-level security requirements, the system comprising:
a node configured to receive a packet having unencrypted data from an Ethernet switch, the packet comprising a header portion and a data portion, the node further configured to route the packet to a host in a network based on an Internet Protocol Address in the packet, the host including a number of software applications, separate and protected address spaces, and protocol stacks;
an operating system kernel, the operating system kernel including a number of virtual hosts, wherein the number of virtual hosts are operable to process the packet using the protocol stack at the virtual host and process data in the protected address space associated with the virtual host;
wherein the node is configured to add an application partition to a multi-cast group based on a node table;
wherein the data portion comprises at least one of a low level security data and a high level security data;
wherein the virtual hosts are separated by the operating system kernel;
wherein the node comprises an Ethernet node, the Ethernet node comprises a verified high assurance processor;
wherein the verified high assurance processor is configured to comply with the multi-level security requirements of the system by controlling the transmission of the unencrypted data to a predetermined virtual host;
wherein the verified high assurance processor is further configured to conduct a control check on the received packet using the node table, the node table including a source verification table;
wherein the verified high assurance processor uses the source verification table to ensure the source of the packet matches an expected remote Internet Protocol Address; and
wherein the verified high assurance processor uses the node table to perform a configuration check on the system components using a trusted application and to dynamically reconfigure information flow in the system components in the event of a component damage.
10. A system for communicating information having multi-level security requirements, the system comprising:
means for receiving a packet having unencrypted data at a host from a node based on an Internet Protocol Address in the packet, the packet comprising a header portion and a data portion, the host including a number of software applications, a protected address space, and a protocol stack;
means for processing the packet at the host such that data from the packet is maintained in the protected address space associated with the host;
means for adding an application partition to a multi-cast group based on a node table; and
wherein the data portion comprises at least one of a low level security data and a high level security data;
wherein virtual hosts are separated by an operating system kernel, the virtual hosts comprising applications in application partitions;
wherein the means for receiving the packet having unencrypted data comprises an Ethernet node, the Ethernet node comprises a verified high assurance processor;
wherein the verified high assurance processor is configured to comply with the multi-level security requirements of the system by controlling the transmission of the unencrypted data to a predetermined virtual host;
wherein data from an application in a virtual host is unreadable by another application in a different application partition;
wherein the verified high assurance processor is further configured to conduct a control check on the received packet using the node table, the node table including a source verification table;
wherein the verified high assurance processor uses the source verification table to ensure the source of the packet matches an expected remote Internet Protocol Address; and
wherein the verified high assurance processor uses the node table to perform a configuration check on the system components using a trusted application and to dynamically reconfigure information flow in the system components in the event of a component damage.
Specification