Protection of a computer or data network from undesired and unauthorized data disclosure, interception or alteration has been a perennial concern in the field of computer and network security. For example, firewall and anti-spyware software have been developed to address security concerns for computers and networks connected to the Internet and to protect them from possible cyberattacks such as Trojan horse-type viruses or worms that may trigger undesired and unauthorized data disclosure by these computers and networks. However, for high security computer networks such as those used by government agencies and intelligence communities and certain commercial applications, conventional network security devices such as firewalls may not provide sufficiently reliable protection from undesired data disclosure.
Alternative network security methods and devices have been devised to address the network security concern. For example, U.S. Pat. No. 5,703,562 to Nilsen (“the '562 patent”), the contents of which are hereby incorporated by reference in its entirety, provides an alternative way to address the network security concern. The '562 patent discloses a method of transferring data from an unsecured computer to a secured computer over a one-way optical data link comprising an optical transmitter on the sending side and an optical receiver on the receiving side. By providing such an inherently unidirectional data link to a computer/data network to be protected, one can eliminate any possibility of unintended data leakage out of the computer/data network over the same link.
One-way data transfer systems based on such one-way data links provide network security to data networks by isolating the networks from potential security breaches (i.e., undesired and unauthorized data flow out of the secure network) while still allowing them to import data from the external source in a controlled fashion. FIG. 1 schematically illustrates an example of one such one-way data transfer system. In the one-way data transfer system shown in FIG. 1, two computing platforms (or nodes) 1 and 2 (respectively, “the Send Node” and “the Receive Node”) are connected to the unsecured external network 4 (“the source network”) and the secure network 5 (“the destination network”), respectively. The Send Node is connected to the Receive Node by a one-way optical data link 3, which may comprise, for example, a high-bandwidth optical fiber. This one-way optical data link 3 may be configured to operate as a unidirectional data gateway from the source network 4 to the secure destination network 5 by having its ends connected to an optical transmitter on the Send Node and to an optical receiver on the Receive Node.
This configuration physically enforces one-way data transfer at both ends of the optical fiber connecting the Send Node to the Receive Node, thereby creating a truly unidirectional one-way data link between the source network 4 and the destination network 5 shown in FIG. 1. Unlike the conventional firewalls, one-way data transfer systems based on a one-way optical data link are designed to transfer data or information only in one direction and it is physically impossible to transfer data or information of any kind in the reverse direction. No information or data of any kind, including handshaking protocols such as those used in transfer protocols such as TCP/IP, SCSI, USB, Serial/Parallel Ports, etc., can travel in the reverse direction from the Receive Node back to the Send Node across the one-way data link. Such physically imposed unidirectionality in data flow cannot be hacked by a programmer, as is often done with firewalls. Accordingly, the one-way data transfer system based on a one-way optical data link ensures that data residing on the isolated secure computer or network is maximally protected from any undesired and unauthorized disclosure.
Typically, the computing platforms connected to a data network are personal computers or workstations. To implement a one-way data transfer system such as those discussed above, to achieve and maintain the unidirectionality of data flow over a one-way optical data link, the personal computer at the Send Node must be configured so that only the optical transmitter coupled to the Send Node interfaces one end of the one-way optical data link and, on the other hand, the personal computer at the Receive Node must be configured so that only the optical receiver coupled to the Receive Node interfaces the other end of the one-way optical data link.
However, constructing special purpose, “send-only” or “receive-only” computers with optical emitters or detectors permanently installed and hardwired therein may not be the most efficient and flexible way to construct and operate a one-way data transfer system. Such a system would require, for example, that one has to designate in advance which computers are going to be used permanently or semi-permanently as the Send Node and which ones as the Receiving Node. Once so configured, it would be difficult to upgrade or re-configure the computer host system without replacing the Send Node or the Receive Node. In other words, one does not have the desired flexibility in configuring and upgrading the integrated system with the special-purpose send-only and receive-only computers. Network administrators and users often need flexibility and may want to speedily configure any network computers with readily available off-the-shelf components, without having to order and wait for the special purpose Send-Only or Receive-Only computers.
It is an object of the present invention to overcome the above described and other shortcomings in permanent installation of optical transmitter/receivers in a Send/Receive Node by providing a more efficient and flexible interface means between a data link and computers for a Send Node and a Receive Node in a secure one-way data transfer system.
It is yet another object of the present invention to provide a secure one-way data transfer system based on an interface means between a data link and computing platforms for a Send Node and a Receive Node that is easy to install and configure.
It is yet another object of the present invention to provide a secure one-way data transfer system based on an interface means between a data link and computing platforms for a Send Node and a Receive Node that allows the computing platforms to easily switch the Send/Receive functionality.
It is yet another object of the present invention to provide a secure one-way data transfer system based on an interface means between a data link and computing platforms for a Send Node and a Receive Node that is portable.
It is yet another object of the present invention to provide an interface means between a data link and computers for a Send Node and a Receive Node that is compatible with various standard data formats.
It is yet another object of the present invention to provide an interface means between a data link and computers for a Send Node and a Receive Node that is compatible with multiple computer operating systems and computing platform types.
It is yet another object of the present invention to provide an interface means between a data link and computers for a Send Node and a Receive Node that can be constructed using commercial off-the-shelf components that are easily configurable.
It is yet another object of the present invention to provide a means for easily identifying the Send or Receive-Only functionality of the interface means between a data link and computers for a Send Node and a Receive Node for a secure one-way data transfer system.
It is yet another object of the present invention to provide specially configured network interface circuitry for a Send Node and a Receive Node, respectively, that is to be coupled to the ends of a data link to enforce unidirectionality of data flow across the data link.
It is yet another object of the present invention to provide a secure one-way data transfer system based on specially configured network interface cards for connecting between a data link and computing platforms for a Send Node and a Receive Node.
It is yet another object of the present invention to provide a specially configured network interface circuitry for enforcing unidirectionality of data flow across a data link that is respectively coupled to computers for a Send Node and a Receive Node using standard interface connections.
It is yet another object of the present invention to provide a specially configured network interface circuits for enforcing unidirectionality of data flow across a data link that is respectively coupled to computers for a Send Node and a Receive Node based on PCI interface.
It is yet another object of the present invention to provide specially configured network interface circuits for enforcing unidirectionality of data flow across a data link that are respectively coupled to computers for a Send Node and a Receive Node based on a USB connection.
It is yet another object of the present invention to provide an interface means between an optical fiber, and computers for a Send Node and a Receive Node that enforces unidirectional data flow across the optical fiber data link.
It is yet another object of the present invention to provide an interface means between a shielded twisted pair copper wire communication cable, and computers for a Send Node and a Receive Node that enforces unidirectional data flow across the STP copper wire communication cable.
Other objects and advantages of the present invention will become apparent from the following description.