One-way router
First Claim
1. A system for routing network traffic, comprising:
- a receiver configured to receive and process network traffic from one or more network traffic sources, the receiver comprising one or more transport destination synthesizers configured to selectively generate one or more synthetic destination transport responses;
- one or more application destination synthesizers configured to receive the network traffic from the receiver and selectively transmit to the receiver one or more synthetic destination application responses, the receiver being configured to transmit the one or more synthetic destination application responses to the one or more network traffic sources;
- one or more data diodes, each of which is coupled to a corresponding one of the one or more application destination synthesizers and configured to selectively provide one-way passage of the network traffic from the corresponding one of the one or more application destination synthesizers;
- one or more application source synthesizers corresponding to the one or more application destination synthesizers, each of the one or more application source synthesizers coupled to a corresponding one of the one or more data diodes and configured to receive the network traffic from the one or more data diodes; and
- a sender configured to receive the network traffic from the one or more application source synthesizers, the sender comprising one or more transport source synthesizers configured to selectively generate one or more synthetic source transport responses,
wherein the sender is further configured to (i) transmit the one or more synthetic source transport responses to the one or more network traffic destinations, (ii) receive one or more destination responses from the corresponding one or more network traffic destinations, and (iii) transmit the one or more destination responses to the one or more application source synthesizers,
wherein the one or more application source synthesizers are further configured to selectively generate and transmit, to the sender, one or more synthetic source application responses, and
wherein the sender is further configured to transmit, to the corresponding one or more network traffic destinations, the network traffic and the one or more synthetic source application responses from the one or more application source synthesizers.
Abstract
A one-way router combines the benefits of a network diode and a router, and so can route data between networks of differing confidentiality and/or integrity levels in a secure, one-way fashion. Routing is transparent to standard network applications: the router synthesizes the responses that standard network protocols expect, providing many-to-many network connections while preventing bidirectional data flow. A separate network stack is provided for each connected network, and the stacks are separated from each other by data diodes that enforce one-way data flow. The one-way router can be implemented in hardware or software, and its architecture can be tailored to the required levels of assurance, performance, reliability, and cost.
Claims (20 total; the three independent claims are shown)
1. (Independent claim; full text given under First Claim above.) Dependent claims: 2 through 13, and 15.
14. A method of routing network traffic, comprising:
- generating, at a first component, a synthetic destination transport response based on network traffic received from a network traffic source;
- generating, at the first component, a synthetic destination application response based on the network traffic;
- sending, from the first component, the synthetic destination application response to the network traffic source;
- generating, at a second component, a synthetic source transport response based on the network traffic received via the first component using a coupling that allows only one-way communication from the first component;
- sending, from the second component, the generated synthetic source transport response to a network traffic destination;
- receiving, at the second component, a destination response from the network traffic destination;
- generating, at the second component, a synthetic source application response based on the received destination response; and
- sending, from the second component, the generated synthetic source application response to the network traffic destination.
Dependent claims: 16 through 19.
20. A non-transitory computer-readable medium having stored thereon computer-executable instructions that, if executed by a computing device, cause the computing device to perform a method for routing network traffic, comprising:
- generating, at a first component, a synthetic destination transport response based on network traffic received from a network traffic source;
- generating, at the first component, a synthetic destination application response based on the network traffic;
- sending, from the first component, the synthetic destination application response to the network traffic source;
- generating, at a second component, a synthetic source transport response based on the network traffic received via the first component using a coupling that only allows one-way communication from the first component;
- sending, from the second component, the generated synthetic source transport response to a network traffic destination;
- receiving, at the second component, a destination response from the network traffic destination;
- generating, at the second component, a synthetic source application response based on the received destination response; and
- sending, from the second component, the generated synthetic source application response to the network traffic destination.
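The receive / diode / send pipeline that the abstract describes and that claims 14 and 20 recite, as an added simulation; this is not code from the patent or from any product implementing it. The toy protocol (SYN / SYN-ACK standing in for the transport handshake, DATA / ACK standing in for an application exchange), the class and function names, the source id "src-1" and the sample records are all this example's own constructions. The receiver-side stack terminates the source's session with synthetic responses and pushes payloads into a write-only diode handle; the sender-side stack pulls from a read-only handle, re-originates each record as a client of the destination, and consumes the destination's replies locally, so there is no path by which anything from the destination side reaches the source side.

```python
"""Simulation of a one-way router: two independent protocol endpoints joined by a
data diode, each synthesizing the other side's responses. Constructed example;
SYN/SYN-ACK and DATA/ACK stand in for real transport and application protocols."""
from collections import deque


class DiodeViolation(Exception):
    """Raised on any attempt to move data against the diode's direction."""


def make_diode():
    """Return a (write-only inlet, read-only outlet) pair over one queue, so the
    receiver-side stack can only push and the sender-side stack can only pull."""
    queue = deque()
    return _Inlet(queue), _Outlet(queue)


class _Inlet:
    def __init__(self, queue):
        self._queue = queue

    def push(self, item):
        self._queue.append(item)

    def pull(self):
        raise DiodeViolation("receiver side cannot read from the diode")


class _Outlet:
    def __init__(self, queue):
        self._queue = queue

    def pull(self):
        return self._queue.popleft() if self._queue else None

    def push(self, item):
        raise DiodeViolation("sender side cannot write into the diode")


class Receiver:
    """Source-facing stack. Its transport synthesizer answers SYN with SYN-ACK and
    its application synthesizer answers each in-order DATA with ACK, then hands
    the payload to the diode. No state here ever comes from the destination."""

    def __init__(self, inlet):
        self.inlet = inlet
        self.next_seq = {}  # source id -> next expected sequence number

    def handle(self, source, msg):
        if msg[0] == "SYN":
            self.next_seq[source] = 0
            return ("SYN-ACK",)  # synthetic destination transport response
        if msg[0] == "DATA" and self.next_seq.get(source) == msg[1]:
            _, seq, payload = msg
            self.next_seq[source] = seq + 1
            self.inlet.push((source, seq, payload))
            return ("ACK", seq)  # synthetic destination application response
        return ("RST",)  # unknown session or out-of-order data: not forwarded


class Sender:
    """Destination-facing stack. Re-originates each forwarded record as a client:
    sends SYN (synthetic source transport response) and DATA, and consumes the
    destination's replies locally. They are logged for audit, never fed back."""

    def __init__(self, outlet, destination):
        self.outlet = outlet
        self.destination = destination
        self.connected = set()
        self.audit = []  # (source, destination reply) pairs, sender side only

    def pump(self):
        """Drain the diode and replay to the destination; return records accepted."""
        accepted = 0
        while (item := self.outlet.pull()) is not None:
            source, seq, payload = item
            if source not in self.connected:
                reply = self.destination.handle(source, ("SYN",))
                self.audit.append((source, reply))
                if reply != ("SYN-ACK",):
                    continue  # destination refused; the source will never know
                self.connected.add(source)
            reply = self.destination.handle(source, ("DATA", seq, payload))
            self.audit.append((source, reply))
            accepted += reply == ("ACK", seq)
        return accepted


class Destination:
    """Stand-in for the real destination host, optionally failing after N records."""

    def __init__(self, capacity=None):
        self.stored = []
        self.capacity = capacity

    def handle(self, source, msg):
        if msg[0] == "SYN":
            return ("SYN-ACK",)
        if msg[0] == "DATA":
            if self.capacity is not None and len(self.stored) >= self.capacity:
                return ("ERR", "storage full")
            self.stored.append(msg[2])
            return ("ACK", msg[1])
        return ("RST",)


def route(records, capacity=None):
    """Push records from one source through the router; return what each side saw."""
    inlet, outlet = make_diode()
    destination = Destination(capacity)
    receiver = Receiver(inlet)
    sender = Sender(outlet, destination)
    source_view = [receiver.handle("src-1", ("SYN",))]
    for seq, record in enumerate(records):
        source_view.append(receiver.handle("src-1", ("DATA", seq, record)))
    accepted = sender.pump()
    return source_view, destination.stored, accepted, sender.audit
```

Running `route(["r0", "r1", "r2"], capacity=2)` shows the property and its cost in one go: the source receives SYN-ACK and three ACKs, the destination stores only two records, and the "storage full" error appears solely in the sender-side audit log. Because the source's acknowledgements are synthesized before the data crosses the diode, a delivery failure on the far side is invisible to the source by design; this is why one-way transfer deployments pair the diode with monitoring on the sender side and with application-level redundancy or retransmission from the source, rather than relying on the acknowledgements the source sees.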
Specification