Multi-level security systems
First Claim
1. A computer-implemented method of providing multi-level security systems, comprising:
defining, for each of a plurality of security classifications to be used by a multi-level security (“MLS”) system when sending outbound packets to at least one communication partner system, a unique source address; and
for each of the outbound packets sent from the MLS system, using the unique source address defined for a particular one of the security classifications which is associated with the outbound packet as a source address in the outbound packet, thereby conveying the security classification of each of the outbound packets through the source address used in the outbound packet, further comprising:
determining the security classification associated with the outbound packet;
determining the unique source address defined for the determined security classification;
replacing a source address field of a packet header of the outbound packet with the determined unique source address; and
forwarding the outbound packet for transmission to one of the at least one communication partner system.
Abstract
Techniques are disclosed for multi-level security (“MLS”) in computing systems. Communication between MLS systems in the prior art requires explicitly tagging each packet with its security classification. The packet tags comprise variable-length bit patterns inserted into packet headers. This results in a number of drawbacks, including increased path length and code complexity, as well as reduced interoperability. An MLS system according to the present invention simulates a cluster or collection of single-level security systems, and thereby avoids packet tagging. For each security classification used by an MLS system, a distinct source address is defined. This source address is used for outbound packets having that security classification, such that the packet's source address implicitly identifies the packet's security classification.
13 Citations
15 Claims
1. A computer-implemented method of providing multi-level security systems, comprising:
defining, for each of a plurality of security classifications to be used by a multi-level security (“MLS”) system when sending outbound packets to at least one communication partner system, a unique source address; and
for each of the outbound packets sent from the MLS system, using the unique source address defined for a particular one of the security classifications which is associated with the outbound packet as a source address in the outbound packet, thereby conveying the security classification of each of the outbound packets through the source address used in the outbound packet, further comprising:
determining the security classification associated with the outbound packet;
determining the unique source address defined for the determined security classification;
replacing a source address field of a packet header of the outbound packet with the determined unique source address; and
forwarding the outbound packet for transmission to one of the at least one communication partner system.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A computer program product for providing multi-level security systems, the computer program product embodied on one or more computer-usable storage media and comprising:
computer-usable program code for defining, for each of a plurality of different security classifications to be used by a multi-level security (“MLS”) system when sending outbound packets to at least one communication partner system, a unique source address; and
computer-usable program code for using, for each of the outbound packets sent from the MLS system, the unique source address defined for a particular one of the security classifications which is associated with the outbound packet as a source address value in a source address field of a packet header for the outbound packet, thereby conveying the security classification of each of the outbound packets through the source address value in the packet header, further comprising computer-usable program code for:
determining the security classification associated with the outbound packet;
determining the unique source address defined for the determined security classification;
replacing a source address field of a packet header of the outbound packet with the determined unique source address; and
forwarding the outbound packet for transmission to one of the at least one communication partner system.
Dependent claims: 12, 13, 14.

15. A computer-implemented method of communicating security classifications, comprising:
defining, for a multi-level security (“MLS”) system that supports user sessions with a communication partner, the supported user sessions having a plurality of different security classifications, a unique source address to represent each unique one of the security classifications, wherein each of the unique source addresses is associated with the MLS system; and
using the defined unique source addresses in outbound packets sent from the MLS system to the communication partner, further comprising:
selecting, for each outbound packet to be sent from the MLS system to the communication partner, the unique source address defined to represent the security classification of the outbound packet;
replacing a source address field of the outbound packet with the selected unique source address; and
sending the outbound packet to the communication partner, wherein the communication partner is adapted for associating the selected unique source address with the security classification of the packet.
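The following is an added illustration of the mechanism recited in claims 1 and 15, written for this page and not taken from the patent or any product implementing it. It models the sender side (look up the source address bound to the packet's classification, overwrite the IPv4 source address field, recompute the header checksum) and the partner side (map the source address back to a classification, refusing any address that has no binding). The classification names, the 192.0.2.x and 198.51.100.x addresses, and the packets are constructed for the example; the IPv4 header layout and checksum are the standard ones.

```python
"""Added example (not the patent's own code): one IPv4 source address per
security classification, used as an implicit label on outbound packets.
All addresses and classification names below are constructed values."""
import struct
from ipaddress import IPv4Address

# Constructed binding of classification -> unique source address (claim 1, "defining").
CLASS_TO_SRC = {
    "unclassified": IPv4Address("192.0.2.10"),
    "confidential": IPv4Address("192.0.2.11"),
    "secret": IPv4Address("192.0.2.12"),
}
# Reverse map used by the communication partner (claim 15, "adapted for associating").
SRC_TO_CLASS = {addr: cls for cls, addr in CLASS_TO_SRC.items()}
assert len(SRC_TO_CLASS) == len(CLASS_TO_SRC), "each classification needs a distinct address"

# Plain 20-byte IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Returns 0 for a header
    whose existing checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: IPv4Address, dst: IPv4Address, payload: bytes, proto: int = 17) -> bytes:
    """Build a minimal IPv4 packet (no options) with a valid header checksum."""
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), 0, 0, 64, proto, 0,
                        src.packed, dst.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def classify_outbound(packet: bytes, classification: str) -> bytes:
    """MLS sender: replace the source address field with the address bound to
    the packet's classification and fix up the checksum (claim 1 steps)."""
    src = CLASS_TO_SRC[classification]      # KeyError: no address defined for this classification
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[12:16] = src.packed                  # bytes 12..15 hold the source address
    hdr[10:12] = b"\x00\x00"                 # zero the checksum field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def classify_inbound(packet: bytes) -> str:
    """Communication partner: recover the classification from the source address.
    A corrupted header or an unbound source address is rejected, never defaulted."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    if ipv4_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = IPv4Address(hdr[12:16])
    if src not in SRC_TO_CLASS:
        raise ValueError(f"no security classification bound to source {src}")
    return SRC_TO_CLASS[src]


def demo() -> tuple:
    """Round-trip a constructed packet through both sides; returns
    (source address written on the wire, classification recovered by the partner)."""
    pkt = build_ipv4(IPv4Address("10.0.0.1"), IPv4Address("198.51.100.5"), b"session data")
    wire = classify_outbound(pkt, "secret")
    return str(IPv4Address(wire[12:16])), classify_inbound(wire)


if __name__ == "__main__":
    print(demo())
```

The partner-side check matters in practice: because the classification is carried only by the source address, a packet from an address outside the defined set has no classification and must be dropped rather than mapped to a default level. Note that the example rewrites only the IPv4 header; a transport-layer checksum that covers the pseudo-header (TCP, UDP) would also need to be recomputed after the source address changes.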
Specification