Protection of a computer or data network from undesired and unauthorized data disclosure has been a perennial concern in the field of computer and network security. For example, firewall and anti-spyware software have been developed to address security concerns for computers and networks connected to the Internet and to protect them from possible cyberattacks such as Trojan horse-type viruses or worms that may trigger undesired and unauthorized data disclosure by these computers and networks. However, for high security computer networks such as those used by government agencies and intelligence communities and certain commercial applications, the conventional network security devices such as firewalls may not provide sufficiently reliable protection from undesired data disclosure.
Alternative network security methods and devices have been devised to address the network security concern. For example, U.S. Pat. No. 5,703,562 to Nilsen (“the '562 patent”), the contents of which are hereby incorporated by reference in their entirety, provides an alternative way to address the network security concern. The '562 patent discloses a method of transferring data from an unsecured computer to a secured computer over a one-way optical data link comprising an optical transmitter on the sending side and an optical receiver on the receiving side. By providing such an inherently unidirectional data link to a computer/data network to be protected, one can eliminate any possibility of unintended data leakage out of the computer/data network over the same link.
One-way data transfer systems based on such one-way data links, including Dual Diode developed and marketed by Owl Computing Technologies, Inc., provide network security to data networks by isolating the networks from potential security breaches (i.e., undesired and unauthorized data flow out of the secure network) while still allowing them to import data from an external source in a controlled fashion. FIG. 1 schematically illustrates an example of one such Dual Diode one-way data transfer system. In the one-way data transfer system shown in FIG. 1, two computing platforms (or nodes) 1 and 2 (respectively, “the Send Node” and “the Receive Node”) are connected to the unsecured external network 4 (“the source network”) and the secure network 5 (“the destination network”), respectively. The Send Node is connected to the Receive Node by one-way data link 3, which may comprise, for example, a high-bandwidth optical fiber configured to operate as a unidirectional data gateway from the source network 4 to the secure destination network 5.
The one-way data transfer system described above may further comprise two specially configured Asynchronous Transfer Mode (ATM) network interface cards installed respectively in the Send Node and the Receive Node and respectively coupled to the ends of the high-bandwidth optical fiber. The interface card in the Send Node may be equipped only with components for phototransmission and the card in the Receive Node may be equipped only with components for photodetection, so that unidirectionality of data flow from the Send Node to the Receive Node across the optical fiber is physically enforced.
This configuration physically enforces one-way data transfer at both ends of the optical fiber connecting the Send Node to the Receive Node, thereby creating a truly unidirectional one-way data link between the source network 4 and the destination network 5 shown in FIG. 1. Unlike conventional firewalls, one-way data transfer systems such as Dual Diode based on a one-way data link are designed to transfer data or information only in one direction and it is physically impossible to transfer data or information of any kind in the reverse direction. No information or data of any kind, including handshaking protocols such as those used in TCP/IP, SCSI, USB, Serial/Parallel Ports, etc., can travel in the reverse direction from the Receive Node back to the Send Node across the one-way data link. Such physically imposed unidirectionality in data flow cannot be hacked by a programmer, as is often done with firewalls. Accordingly, the one-way data transfer system based on a one-way data link ensures that data residing on the isolated secure computer or network is maximally protected from any undesired and unauthorized disclosure.
There exist other types of one-way data links that are capable of enforcing unidirectional data flow. For example, IP (Internet Protocol) architecture using standard firewalls or routers can be specially configured in various ways to enforce unidirectional data flow between two network domains or nodes. One example of such a one-way data link is a specially configured IP architecture that uses standard firewalls to enforce unidirectional flow of UDP (User Datagram Protocol) data packets between two network security domains corresponding to the Send Node and the Receive Node. In that configuration, a Receive Node may be protected by a standard firewall which is designed to accept only UDP data packets and deny all other service requests. Furthermore, a pair of additional firewalls that are joined back to back and positioned between the Send Node and the Receive Node may form a network guard capable of enforcing unidirectional flow of UDP data packets from the Send Node to the Receive Node. Preferably, this network guard is administered separately.
The unidirectionality of data flow in such a configuration can be achieved as follows: The first firewall of the network guard, which interfaces with the Send Node (which may also be protected by its own standard firewall), is designed to accept only UDP data packets from the Send Node and deny all other service requests from the Send Node. The second firewall of the network guard, which interfaces with the firewall associated with the Receive Node, is designed to deny all incoming service requests or data flow from the Receive Node. In this manner, the specially configured IP architecture based on standard firewalls may permit only unidirectional flow of UDP data packets from the Send Node to the Receive Node and deny any data flow from the Receive Node to the Send Node.
While a one-way data link provides excellent protection for data residing in the secure network as described above, its use raises a dilemma concerning data verification capability which is critical in any data transfer system: In a one-way data transfer system based on a one-way data link, the Send Node cannot verify from the Receive Node the status and integrity of the data it sent to the Receive Node without giving up the unidirectionality of data flow and thereby compromising the security provided by use of one-way data links.
The conventional implementation of data verification schemes requires a way for the Receive Node to communicate to the Send Node information regarding the status and integrity of the data received by the Receive Node from the Send Node. However, since a one-way data link allows only unidirectional communications from the Send Node to the Receive Node, a one-way data transfer system based solely on a one-way data link between the Send Node and the Receive Node cannot implement the data verification schemes without giving up the unidirectionality of data flow in the system. The present invention seeks to resolve this dilemma for one-way data transfer systems based on a one-way data link by providing them with a built-in data verification mechanism without sacrificing the unidirectionality of data flow in the system.
The '562 patent addresses data verification for one-way data transfer systems based on a one-way data link by providing a “warning device” coupled to the secured computer that “emits” a “warning signal” when the secured computer detects an error in data transmission over the one-way data link. As an example, the '562 patent suggests the use of “a single long duration tone” as the warning signal for error detection. (The '562 patent, Col. 4, lines 20-29, and FIG. 1.) However, while the '562 patent discloses that parity or checksum calculations or other conventional error detection calculations may be performed to detect any errors introduced during the repeated data transfer, it does not disclose or suggest any means for transmitting the result of such error detection calculations by the Receive Node to the Send Node so that the Send Node can compare the results and deduce the status and integrity of the transferred data from the comparison. Accordingly, the warning device as described in the '562 patent is not capable of maximally utilizing modern data verification schemes such as advanced hash algorithms. The present invention seeks to provide a one-way data transfer system with a built-in data verification mechanism that is capable of maximally utilizing the power and benefits of modern data verification schemes without compromising the level of security afforded by the use of one-way data links.
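The verification dilemma described in the two preceding paragraphs, as an added example that is not part of the patent text or of any Owl product: a Send Node pushes frames to a Receive Node over a link that carries bytes in one direction only, the Receive Node computes a hash of what arrived, and a separate relay forwards that hash over a second one-way link back to the Send Node, which compares it with the hash it computed before sending. No link is ever read and written from the same side, so no bilateral channel exists. The frame layout (id, newline, payload), the report layout (id, colon, hex digest), SHA-256 as the hash, and the names `OneWayLink`, `SendNode`, `ReceiveNode`, `relay_reports` and `run_scenario` are all assumptions made for this example.

```python
from __future__ import annotations

import hashlib
from collections import deque


class OneWayLink:
    """Channel written at one end and read at the other; nothing flows back."""

    def __init__(self) -> None:
        self._queue: deque[bytes] = deque()

    def push(self, message: bytes) -> None:
        self._queue.append(message)

    def pop(self) -> bytes | None:
        return self._queue.popleft() if self._queue else None


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # computed independently at both ends


class SendNode:
    """Pushes frames over the data link; later compares relayed digests to its own."""

    def __init__(self, data_link: OneWayLink, report_link: OneWayLink) -> None:
        self.data_link = data_link      # Send Node -> Receive Node, write end
        self.report_link = report_link  # relay -> Send Node, read end only
        self.pending: dict[str, str] = {}  # transfer id -> expected digest

    def send(self, transfer_id: str, payload: bytes) -> None:
        self.pending[transfer_id] = digest(payload)
        self.data_link.push(transfer_id.encode() + b"\n" + payload)  # constructed frame: id, newline, payload

    def collect_results(self) -> dict[str, str]:
        """Drain relayed reports and give a verdict per transfer id."""
        results: dict[str, str] = {}
        while (report := self.report_link.pop()) is not None:
            transfer_id, _, received = report.decode().partition(":")
            expected = self.pending.pop(transfer_id, None)
            if expected is None:
                results[transfer_id] = "unknown"
            else:
                results[transfer_id] = "verified" if expected == received else "corrupted"
        return results


class ReceiveNode:
    """Stores payloads and emits only a per-transfer digest on its outbound link."""

    def __init__(self, data_link: OneWayLink, report_link: OneWayLink) -> None:
        self.data_link = data_link      # read end only
        self.report_link = report_link  # Receive Node -> relay, write end
        self.store: dict[str, bytes] = {}

    def receive_all(self) -> None:
        while (frame := self.data_link.pop()) is not None:
            header, _, payload = frame.partition(b"\n")
            self.store[header.decode()] = payload
            self.report_link.push(f"{header.decode()}:{digest(payload)}".encode())


def is_report(message: bytes) -> bool:
    """True only for "<id>:<64 hex chars>", the single message shape the relay forwards."""
    transfer_id, sep, value = message.decode(errors="replace").partition(":")
    return bool(sep and transfer_id and len(value) == 64
                and all(c in "0123456789abcdef" for c in value))


def relay_reports(in_link: OneWayLink, out_link: OneWayLink) -> int:
    """Hypothetical dedicated relay node: forwards well-formed digest reports only,
    so payload bytes can never ride the verification path back to the Send Node.
    Returns the number of messages it dropped."""
    dropped = 0
    while (message := in_link.pop()) is not None:
        if is_report(message):
            out_link.push(message)
        else:
            dropped += 1
    return dropped


def run_scenario(payloads: dict[str, bytes], corrupt_ids: frozenset[str] = frozenset()) -> dict[str, str]:
    """Send every payload, damage the listed ones in transit, return the Send Node's verdicts."""
    data_link, report_link, relay_link = OneWayLink(), OneWayLink(), OneWayLink()
    sender = SendNode(data_link, relay_link)
    receiver = ReceiveNode(data_link, report_link)
    for transfer_id, payload in payloads.items():
        sender.send(transfer_id, payload)
    for i, frame in enumerate(list(data_link._queue)):  # constructed fault: flip one payload bit
        header, _, payload = frame.partition(b"\n")
        if header.decode() in corrupt_ids and payload:
            data_link._queue[i] = header + b"\n" + bytes([payload[0] ^ 0x01]) + payload[1:]
    receiver.receive_all()
    relay_reports(report_link, relay_link)
    return sender.collect_results()
```

Calling `run_scenario({"f1": b"summary 0001", "f2": b"sensor log 0002"}, frozenset({"f2"}))` yields `verified` for `f1` and `corrupted` for `f2`: the Send Node learns the outcome of each transfer even though nothing it sent is ever echoed back. The relay's `is_report` filter is the point of the dedicated node: it accepts only a fixed-length digest, so the return path cannot be turned into a channel for the secure network's data.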
It is an object of the present invention to overcome the above described shortcomings in the data verification mechanisms of existing one-way data transfer systems based on a one-way data link.
It is another object of the present invention to provide a one-way data transfer system with a built-in data verification mechanism without allowing any bilateral communications between nodes within the system.
It is yet another object of the present invention to provide a one-way data transfer system with a built-in data verification mechanism wherein the nodes are interconnected with each other by a one-way data link.
It is yet another object of the present invention to provide a node that is designed specifically and solely for relaying data verification information from the Receive Node to the Send Node without compromising the level of security for the Receive Node.
It is yet another object of the present invention to provide a node that is designed solely to process and relay error detection calculations using modern data verification schemes.
It is yet another object of the present invention to provide a system of one-way data transfer sub-systems with a built-in data verification mechanism comprising a plurality of Send Nodes and Receive Nodes interconnected by one-way data links.
Other objects and advantages of the present invention will become apparent from the following description.