1. Field of Invention
The present invention is generally directed to routing network traffic. More particularly, it is directed to transparently routing network traffic across networks in a unidirectional fashion.
2. Description of Related Art
Many standard network protocols, e.g., FTP, require bidirectional communication to function properly. Even unidirectional data transfers require bidirectional communication at the protocol level for these standard network protocols. However, various protected environments, such as power plants, secure government facilities, and Supervisory Control And Data Acquisition (SCADA) environments, for security and other reasons may need to pass outbound data while preventing and/or limiting inbound data. A similar need to control network traffic exists for networks communicating classified data. For example, there may be a need to allow lower classification data to pass from a user having a “confidential” clearance level to a user having a “secret” clearance level while at the same time preventing higher classification data from passing from a “secret” clearance level user to a “confidential” clearance level user.
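The one-way rule stated above (lower classification may flow to higher, never the reverse) can be expressed as a small enforcement check. The following is an added illustration, not text or code from the patent; the level names, host names and sample flows are constructed, and an unrecognized classification label is treated as a denied flow so the check fails closed.

```python
"""One-way classification flow check (added example, not from the patent).

Models the rule from the text: data may pass from a lower clearance level
to a higher one but never from a higher level to a lower one.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ordered classification lattice, lowest to highest. Labels are constructed
# for the example; "confidential" and "secret" are the two named in the text.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Flow:
    """A single requested transfer between two hosts at known levels."""
    src_host: str
    src_level: str
    dst_host: str
    dst_level: str
    protocol: str


def flow_allowed(src_level: str, dst_level: str) -> bool:
    """Return True only for low-to-high (or same-level) transfers.

    Any label not in the lattice is denied rather than guessed at, so a
    mislabelled or unlabelled endpoint cannot slip through.
    """
    if src_level not in LEVELS or dst_level not in LEVELS:
        return False
    return LEVELS[src_level] <= LEVELS[dst_level]


def filter_flows(flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Split flows into (allowed, denied) according to flow_allowed()."""
    allowed: List[Flow] = []
    denied: List[Flow] = []
    for f in flows:
        (allowed if flow_allowed(f.src_level, f.dst_level) else denied).append(f)
    return allowed, denied


def audit_line(f: Flow) -> str:
    """Format a denied flow for an audit log (one line per decision)."""
    return (f"DENY {f.protocol} {f.src_host}({f.src_level}) -> "
            f"{f.dst_host}({f.dst_level})")


# Constructed sample traffic: hosts and levels are invented for the example.
SAMPLE_FLOWS = [
    Flow("ws-01", "confidential", "srv-01", "secret", "FTP"),      # allowed
    Flow("srv-01", "secret", "ws-01", "confidential", "FTP"),      # denied
    Flow("ws-02", "secret", "srv-02", "secret", "SMTP"),           # allowed
    Flow("ws-03", "top_secret", "srv-01", "secret", "HTTP"),       # denied
    Flow("ws-04", "unknown_label", "srv-01", "secret", "HTTP"),    # denied
]


def denied_audit(flows: List[Flow]) -> List[str]:
    """Audit lines for every denied flow in the given list."""
    _, denied = filter_flows(flows)
    return [audit_line(f) for f in denied]


if __name__ == "__main__":
    ok, bad = filter_flows(SAMPLE_FLOWS)
    print(f"allowed={len(ok)} denied={len(bad)}")
    for line in denied_audit(SAMPLE_FLOWS):
        print(line)
```

Running the block prints two allowed and three denied flows, with one audit line per denial; the denied list is what a monitoring pipeline would alert on, since a high-to-low attempt is exactly the traffic such a network exists to stop.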
Conventional unidirectional networks, utilizing data diodes and data pumps, can enable one-way flow of data to provide some measure of security, but are expensive and cumbersome to deploy, manage, and use because of the overhead associated with implementing and managing such networks. For example, transferring data over a conventional data diode network requires custom developed servers and/or custom protocols to be developed to accompany the conventional data diode, the custom servers usually being placed on either side of the conventional data diode. Additional training for users is required to accommodate use of the custom servers interacting with the conventional data diodes, typically requiring manual user intervention on each side of the conventional data diode. Furthermore, data diodes do not provide network routing, and are therefore limited to point-to-point data transfer.
Data Pumps require development and use of custom wrappers for each protocol, and are limited to point-to-point communication (e.g., a custom system is required to be attached to each side of the data pump). Point-to-point unidirectional networks require custom client and server software. Consequently, new techniques are required for providing secure transparent unidirectional routing of network traffic using standard network protocols.