Bilateral communication using multiple one-way data links

US 7,992,209 B1
Filed: 07/19/2007
Issued: 08/02/2011
Est. Priority Date: 07/19/2007
Status: Active Grant

First Claim

Patent Images

1. A bilateral data transfer system comprising:

a first node;

a second node;

a first one-way link for unidirectional transfer of first data from the first node to the second node; and

a second one-way link for unidirectional transfer of second data from the second node to the first nodewherein the first node comprises;

a processor;

a memory storing a first data sending application, a second data receiving application and a first session managing application;

and wherein the processor is configured to execute;

the first data sending application for sending the first data to the second node over the first one-way link;

the second data receiving application for receiving the second data from the second node over the second one-way link; and

the first session managing application for blocking the first data from the second data receiving application and for blocking the second data from the first data sending application, andwherein the second node comprises;

a processor;

a memory storing a first data receiving application, a second data sending application and a second session managing application;

wherein the processor is configured to execute;

the first data receiving application for receiving the first data from the first node over the first one-way link;

the second data sending application for sending the second data to the first node over the second one-way link; and

the second session managing application for blocking the first data from the second data sending application and for blocking the second data from the first data receiving application, so that the unidirectional transfer of the first data across the first one-way link and the unidirectional transfer of the second data across the second one-way link are independently administered by the bilateral data transfer systemwherein;

the first data comprises keyboard or mouse commands from a remote terminal client;

and the second data comprises graphical display data from a remote terminal server.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A bilateral data transfer system comprising a first node, a second node, a first one-way link for unidirectional transfer of first data from the first node to the second node, and a second one-way link for unidirectional transfer of second data from the second node to the first node, wherein the unidirectional transfer of the first data across the first one-way link and the unidirectional transfer of the second data across the second one-way link are independently administered by the bilateral data transfer system. Under such bilateral data transfer system, each of the one-way data links may be subject to separately administered security restrictions and data filtering processes. Hence, it enables secure bilateral communications across different network security domains.

114 Citations

View as Search Results

23 Claims

1. A bilateral data transfer system comprising:
- a first node;
  
  a second node;
  
  a first one-way link for unidirectional transfer of first data from the first node to the second node; and
  
  a second one-way link for unidirectional transfer of second data from the second node to the first nodewherein the first node comprises;
  
  a processor;
  
  a memory storing a first data sending application, a second data receiving application and a first session managing application;
  
  and wherein the processor is configured to execute;
  
  the first data sending application for sending the first data to the second node over the first one-way link;
  
  the second data receiving application for receiving the second data from the second node over the second one-way link; and
  
  the first session managing application for blocking the first data from the second data receiving application and for blocking the second data from the first data sending application, andwherein the second node comprises;
  
  a processor;
  
  a memory storing a first data receiving application, a second data sending application and a second session managing application;
  
  wherein the processor is configured to execute;
  
  the first data receiving application for receiving the first data from the first node over the first one-way link;
  
  the second data sending application for sending the second data to the first node over the second one-way link; and
  
  the second session managing application for blocking the first data from the second data sending application and for blocking the second data from the first data receiving application, so that the unidirectional transfer of the first data across the first one-way link and the unidirectional transfer of the second data across the second one-way link are independently administered by the bilateral data transfer systemwherein;
  
  the first data comprises keyboard or mouse commands from a remote terminal client;
  
  and the second data comprises graphical display data from a remote terminal server.
- View Dependent Claims (2, 3, 4, 5, 6, 14, 15, 16)
- - 2. The data transfer system of claim 1, further comprising:
    - a first data sending configuration file and a first data receiving configuration file for filtering and routing the first data, wherein the first data sending configuration file is accessible by the first data sending application and the first data receiving configuration file is accessible by the first data receiving application; and
      
      a second data sending configuration file and a second data receiving configuration file for filtering and routing the second data, wherein the second data sending configuration file is accessible by the second data sending application and the second data receiving configuration file is accessible by the second data receiving application.
  - 3. The data transfer system of claim 1, further comprising a remote terminal client connected to the first node and a remote terminal server connected to the second node.
  - 4. The data transfer system of claim 3, wherein:
    - the first session managing application is configured to route the first data from the remote terminal client only to the first data sending application and configured to route the second data from the second data receiving application only to the remote terminal client; and
      
      the second session managing application is configured to route the first data from the first data receiving application only to the remote terminal server and configured to route the second data from the remote terminal server only to the second data send application.
  - 5. The data transfer system of claim 4, wherein the first session managing application is configured to implement bilateral TCP communications with the remote terminal client, and the second session managing application is configured to implement bilateral TCP communications with the remote terminal server.
  - 6. The data transfer system of claim 1, wherein the first data sending and receiving applications and the second data sending and receiving applications are configured to respectively apply different security constraints to the unidirectional transfer of the first data over the first one-way link and the unidirectional transfer of the second data over the second one-way link.
  - 14. The data transfer system of claim 1, further comprising a first data routing configuration file associated with the first session managing application and a second data routing configuration file associated with the second session managing application.
  - 15. The data transfer system of claim 1, wherein:
    - the first node comprises a first software zone comprising the first data sending application, a second software zone comprising the second data receiving application, and a third software zone comprising the first session managing application; and
      
      the second node comprises a fourth software zone comprising the second data sending application, a fifth software zone comprising the first data receiving application, and a sixth software zone comprising the second session managing application,wherein each of the software zones is capable of separate administration.
  - 16. The data transfer system of claim 5, wherein the second session managing application is configured to control a connection between the second node and the remote terminal server so that the remote terminal server cannot initiate the connection.

7. A non-transitory machine readable medium having instructions stored on at least one of a first node and a second node, wherein the first node and the second node are interconnected by a first one-way link for unidirectional transfer of first data from the first node to the second node and a second one-way link for unidirectional transfer of second data from the second node to the first node, the instructions, when executed by the at least one of the first and the second nodes, causing the first and the second nodes to separately administer the unidirectional transfer of the first data from the first node to the second node via the first one-way link and the unidirectional transfer of the second data from the second node to the first node via the second one-way link, wherein the first data comprises keyboard or mouse commands from a remote terminal client connected to the first node and the second data comprises graphical display data from a remote terminal server connected to the second node.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The non-transitory machine readable medium of claim 7, wherein the step to separately administer by the first and the second nodes comprises the steps to:
    - filter and route the first data using a first data transfer configuration file; and
      
      filter and route the second data using a second data transfer configuration file.
  - 9. The non-transitory machine readable medium of claim 8, wherein:
    - the first data transfer configuration file comprises a first data sending configuration file in the first node and a first data receiving configuration file in the second node; and
      
      the second data transfer configuration file comprises a second data sending configuration file in the second node and a second data receiving configuration file in the first node.
  - 10. The non-transitory machine readable medium of claim 7, wherein the instructions, when executed by the at least one of the first and the second nodes, further cause:
    - the first node to further administer bilateral communications with a remote terminal client; and
      
      the second node to further administer bilateral communications with a remote terminal server.
  - 11. The non-transitory machine readable medium of claim 10, wherein the bilateral communications between the first node and the remote terminal client are TCP-based.
  - 12. The non-transitory machine readable medium of claim 10, wherein the bilateral communications between the second node and the remote terminal server are TCP-based.
  - 13. The non-transitory machine readable medium of claim 7, wherein the step to separately administer by the first and the second nodes comprises the step to apply different security constraints to the unidirectional transfer of the first data from the first node to the second node via the first one-way link and the unidirectional transfer of the second data from the second node to the first node via the second one-way link.

17. A non-transitory machine readable medium having instructions stored on at least one of a first node and a second node, wherein the first node and the second node are interconnected by a first one-way link for unidirectional transfer of first data from the first node to the second node and a second one-way link for unidirectional transfer of second data from the second node to the first node, the instructions, when executed by the first node, causing the first node to:
- execute a first data sending application to send the first data to the second node over the first one-way link;
  
  execute a second data receiving application to receive the second data from the second node over the second one-way link; and
  
  execute a first session managing application to block the first data from the second data receiving application and to block the second data from the first data sending application,further the instructions, when executed by the second node, causing the second node to;
  
  execute a first data receiving application to receive the first data from the first node over the first one-way link;
  
  execute a second data sending application to send the second data to the first node over the second one-way link; and
  
  execute a second session managing application to block the first data from the second data sending application and to block the second data from the first data receiving application, so that the unidirectional transfer of the first data across the first one-way link and the unidirectional transfer of the second data across the second one-way link are independently administered by the instructionswherein;
  
  the first data comprises keyboard or mouse commands from a remote terminal client connected to the first node; and
  
  the second data comprises graphical display data from a remote terminal server connected to the second node.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The non-transitory machine readable medium of claim 17, wherein:
    - the step to execute the first data sending application comprises the step to read a first data sending configuration file to route the first data;
      
      the step to execute the first data receiving application comprises the step to read a first data receiving configuration file to route the first data;
      
      the step to execute the second data sending application comprises the step to read a second data sending configuration file to route the second data; and
      
      the step to execute the second data receiving application comprises the step to read a second data receiving configuration file to route the second data.
  - 19. The non-transitory machine readable medium of claim 17, wherein:
    - the step to execute the first session managing application comprises the step to route the first data from a remote terminal client connected to the first node only to the first data sending application and the step to route the second data from the second data receiving application only to the remote terminal client; and
      
      the step to execute the second session managing application comprises the step to route the first data from the first data receiving application only to a remote terminal server connected to the second node and the step to route the second data from the remote terminal server only to the second data sending application.
  - 20. The non-transitory machine readable medium of claim 17, wherein:
    - the step to execute the first session managing application comprises the step to implement bilateral TCP communications between the first node and a remote terminal client; and
      
      the step to execute the second session managing application comprises the step to implement bilateral TCP communications between the second node and a remote terminal server.
  - 21. The non-transitory machine readable medium of claim 17, wherein:
    - the steps to execute the first data sending application and the first data receiving application comprise the step to apply a first security constraint to the unidirectional transfer of the first data over the first one-way link;
      
      the steps to execute the second data sending application and the second data receiving application comprise the step to apply a second security constraint to the unidirectional transfer of the second data over the second one-way link; and
      
      the first security constraint and the second security constraint are different.
  - 22. The non-transitory machine readable medium of claim 17, wherein:
    - the step to execute the first session managing application comprises the step to read a first data routing configuration file; and
      
      the step to execute the second session managing application comprises the step to read a second data routing configuration file.
  - 23. The non-transitory machine readable medium of claim 17, wherein:
    - the first node comprises a first software zone comprising the first data sending application, a second software zone comprising the second data receiving application, and a third software zone comprising the first session managing application;
      
      the second node comprises a fourth software zone comprising the second data sending application, a fifth software zone comprising the first data receiving application, and a sixth software zone comprising the second session managing application; and
      
      each of the software zones is capable of separate administration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OWL Cyber Defense Solutions LLC
Original Assignee
Owl Computing Technologies, Inc.
Inventors
Menoher, Jeffrey Charles, Hope, James, Mraz, Ronald
Primary Examiner(s)
Dinh; Minh
Assistant Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US11/879,968
Time in Patent Office

1,475 Days
Field of Search

713151-152
US Class Current

726/26
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/105   Multiple levels of security

H04L 67/00   Network arrangements or pro...

H04L 67/131   Protocols for games, networ...

H04L 67/34   involving the movement of s...

Bilateral communication using multiple one-way data links

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Bilateral communication using multiple one-way data links

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links