Systems and methods for utilizing uni-directional inter-host communication in an air gap environment

US 9,306,906 B2
Filed: 03/25/2014
Issued: 04/05/2016
Est. Priority Date: 03/25/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating a request message, with a trusted network entity executing trusted code on a first network layer, the request message to target a non-trusted network entity executing non-trusted code, on a second network layer;

transmitting the request message from the trusted network entity to the non-trusted network entity through at least a policy enforcement entity, wherein the policy enforcement entity applies one or more network traffic rules to enforce a unidirectional flow of traffic from the first network layer to the second network layer;

generating a response check message with the trusted network entity, the response check message to determine whether response information is available on the non-trusted network entity in response to the request message; and

transmitting the response check message from the trusted network entity to the non-trusted network entity through at least the policy enforcement entity, the response check message to determine whether the response information is stored in a conceptual mailbox on the non-trusted network entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request message is generated with a trusted network entity executing trusted code on a first network layer. The request message to target a non-trusted network entity executing non-trusted code on a second network layer. The request message is transmitted from the trusted network entity to the non-trusted network entity through at least a policy enforcement entity. The policy enforcement entity applies one or more network traffic rules to enforce a unidirectional flow of traffic from the first network layer to the second network layer. A response check message is generated with the trusted network entity. The response check message to determine whether response information is available on the non-trusted network entity in response to the request message. The response check message is transmitted from the trusted network entity to the non-trusted network entity through at least the policy enforcement entity. The response check message to determine whether the response information is stored in a conceptual mailbox on the non-trusted network entity.

124 Citations

14 Claims

1. A method comprising:
- generating a request message, with a trusted network entity executing trusted code on a first network layer, the request message to target a non-trusted network entity executing non-trusted code, on a second network layer;
  
  transmitting the request message from the trusted network entity to the non-trusted network entity through at least a policy enforcement entity, wherein the policy enforcement entity applies one or more network traffic rules to enforce a unidirectional flow of traffic from the first network layer to the second network layer;
  
  generating a response check message with the trusted network entity, the response check message to determine whether response information is available on the non-trusted network entity in response to the request message; and
  
  transmitting the response check message from the trusted network entity to the non-trusted network entity through at least the policy enforcement entity, the response check message to determine whether the response information is stored in a conceptual mailbox on the non-trusted network entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the trusted network entity comprises a management server.
  - 3. The method of claim 2 wherein the non-trusted network entity comprises a compute layer server.
  - 4. The method of claim 1 wherein the trusted network entity is part of a first virtual private network (VPN), the non-trusted network entity is part of a second VPN, and the firewall is configured to communicate with both the first VPN and the second VPN.
  - 5. The method of claim 1 wherein the trusted network entity is part of a first virtual local area network (VLAN), the non-trusted network entity is part of a second VLAN, and the firewall is configured to communicate with both the first VLAN and the second VLAN.
  - 6. The method of claim 1 wherein the trusted network entity is a management server within an on demand services environment and the non-trusted network entity is a content server within the on demand services environment.
  - 7. The method of claim 6 wherein the on demand services environment comprises a multi-tenant database environment.

8. A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, is configurable to:
- generate a request message, with a trusted network entity executing trusted code on a first network layer, the request message to target a non-trusted network entity executing non-trusted code, on a second network layer;
  
  transmit the request message from the trusted network entity to the non-trusted network entity through at least a policy enforcement entity, wherein the policy enforcement entity applies one or more network traffic rules to enforce a unidirectional flow of traffic from the first network layer to the second network layer;
  
  generate a response check message with the trusted network entity, the response check message to determine whether response information is available on the non-trusted network entity in response to the request message; and
  
  transmit the response check message from the trusted network entity to the non-trusted network entity through at least the policy enforcement entity, the response check message to determine whether the response information is stored in a conceptual mailbox on the non-trusted network entity.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8 wherein the trusted network entity comprises a management server.
  - 10. The non-transitory computer-readable medium of claim 9 wherein the non-trusted network entity comprises a compute layer server.
  - 11. The non-transitory computer-readable medium of claim 8 wherein the trusted network entity is part of a first virtual private network (VPN), the non-trusted network entity is part of a second VPN, and the firewall is configured to communicate with both the first VPN and the second VPN.
  - 12. The non-transitory computer-readable medium of claim 8 wherein the trusted network entity is part of a first virtual local area network (VLAN), the non-trusted network entity is part of a second VLAN, and the firewall is configured to communicate with both the first VLAN and the second VLAN.
  - 13. The non-transitory computer-readable medium of claim 8 wherein the trusted network entity is a management server within an on demand services environment and the non-trusted network entity is a content server within the on demand services environment.
  - 14. The non-transitory computer-readable medium of claim 13 wherein the on demand services environment comprises a multi-tenant database environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Fry, Benjamin, Kral, Timothy, Chen, Simon, Falko, Andrey
Primary Examiner(s)
Gee, Jason K

Application Number

US14/225,164
Publication Number

US 20140289792A1
Time in Patent Office

742 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Systems and methods for utilizing uni-directional inter-host communication in an air gap environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

124 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for utilizing uni-directional inter-host communication in an air gap environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

124 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links