1. Technical Field
The present disclosure relates to systems and methods for the transmission and reception of data, and in particular to a system and method for transmitting data from a lower security domain to a higher security domain.
2. Description of the Related Art
The dissemination and processing of data is one of the key characteristics of the information age. Data can be categorized in a number of different ways, but one of the important data classifications involves how widely the data is permitted to be disseminated. For example, it has long been the case in military-related matters that data be classified as unclassified (for general dissemination), confidential (not generally disseminated, but no harm to national security if disseminated), secret (dissemination would harm national security), or top secret (dissemination would do grave harm to national security).
As shown in FIG. 1, only a small amount of the data needed by Department of Defense (DoD) decision makers is classified (e.g. not “unclassified”). However, most of the decision making is done in middle and higher security domains (e.g. Secret or Top Secret). The challenge then is to rapidly, reliably and with high assurance move the data from the security domains where it is created (in most cases unclassified) to the security domains where it is needed by the decision makers.
In the past, data was moved between security domains via “sneaker” net, in which the data was copied to some medium (i.e. paper, disk) and hand carried by a person between security domains. This was obviously slow and therefore, to no surprise, resulted in the data being somewhat obsolete when it got to where it was to be used, requiring the decision makers to make decisions with less than optimum data. It was not possible to have a common operation picture between the various security domains. It also resulted in excessive data of lower classifications having to be maintained or destroyed in the high classification domains.
While it is possible to share information between computers of different security levels, current systems for accomplishing this task are unacceptably slow. One of the reasons for the slow transfer of data is inherent to the security protocol of MLS systems. For security purposes, such systems typically enforce a one way data transfer (e.g. data is passed from the system at the lower security level to the system at the upper security level, but no data or information whatsoever is returned). Since no confirming data is provided, the sender does not know which packets were successfully transmitted and received, and multiple attempts to deliver the messages often result.
FIG. 2 illustrates another solution to this problem, as demonstrated in Coalition Warfighter Interoperability Demonstration (CWID) 2005. This system 200 comprises one or more computer system(s) providing an Internet access point 202 and a plurality of domains 204A-204C of different security classifications. Each domain may include a plurality of computers, communicating via a network such as a local area network (LAN). In the illustrated example, the domains 204A-204C include an unclassified domain 204A, a secret domain 204B which has a security classification or level above that of the unclassified domain 204A, and a top secret domain 204C that is characterized by a security classification or level above that of both the unclassified domain 204A and the secret domain 204B.
One or more data diode(s) 212, 214 are used to move large amounts of data segments from the lower classification domains to the higher domains. Data diodes 212, 214 are devices which provide data in one direction (here, from a lower classification domain to a higher classification domain) but do not provide any data whatsoever in the other direction (from higher classification domain to a lower classification domain). For example, data diode 212 moves data from an Internet access point 202 to the unclassified domain 204A and data diode 214 moves data from the Internet access point 202. However, data diode 212 does not permit the communication of data from the unclassified domain 204A to the Internet access point 202, nor does data diode 214 permit the communication of data from the top-secret domain 204C to the Internet Access Point 202.
The system 200 also includes a high assurance data guard/downgrader 210, which is coupled between domains 204 of different classification. When so configured, the data guard/downgrader 210 provides for bi-directional movement of smaller data segments between domains (e.g. unclassified domain 204A and the secret/top secret domains 204B and 204C).
While this system 200 facilitated the movement of data between security domains closer to near real time than sneaker net, it required one or more expensive data diodes 214, 216 for each pair of security domains to be interconnected (two in the example shown in FIG. 2), and each data diode 214, 216 must be manually tuned (i.e. slowed) on installation to minimize packet loss by the data diode 214, 216 during use. Because the data diode 214, 216 is a one way communication channel, it uses User Datagram Protocol (UDP)-like communications that are unreliable because the receiver of the data cannot communicate with the sender of the data. For this reason, if, unfortunately, a data packet was missed or dropped by the high (classification) side receiver, there is no way for it to notify the low (classification) side sender; thus the high side decision maker might be working with incomplete or erroneous data.
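The failure mode described above can be modelled in a few lines; the following is an added illustration, not part of the original disclosure or of the CWID 2005 system. The frame layout (sequence number, frame count, length, CRC-32), the function names and the sample message are all assumptions made for the sketch. It shows that a high side receiver can detect a gap locally but has no path to request a resend, so the low side sender can only repeat frames blindly.

```python
import struct
import zlib

# Constructed framing (an assumption): sequence number, total frames, payload length.
HEADER = struct.Struct("!IIH")
SAMPLE = b"track 42: lat 36.85 lon -76.29 hdg 270"  # constructed sample message

def frame(seq, total, payload):
    body = HEADER.pack(seq, total, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))

def low_side_send(message, chunk=8, repeats=1):
    """Split into frames; with no ACK channel the only lever is blind repetition."""
    parts = [message[i:i + chunk] for i in range(0, len(message), chunk)]
    return [frame(i, len(parts), p) for i, p in enumerate(parts) for _ in range(repeats)]

def diode(datagrams, dropped):
    """One-way link: forwards low to high, silently loses the datagrams whose
    positions are in `dropped`, and returns nothing to the sender."""
    return [d for i, d in enumerate(datagrams) if i not in dropped]

def high_side_receive(datagrams):
    """Return (message, missing). message is None if incomplete; both are None
    if nothing valid arrived, since the receiver cannot tell anything was sent."""
    got, total = {}, None
    for d in datagrams:
        if len(d) < HEADER.size + 4:
            continue
        body, (crc,) = d[:-4], struct.unpack("!I", d[-4:])
        if zlib.crc32(body) != crc:
            continue  # corrupted in transit: treated the same as a drop
        seq, tot, length = HEADER.unpack(body[:HEADER.size])
        if len(body) - HEADER.size != length:
            continue
        total = tot
        got.setdefault(seq, body[HEADER.size:])
    if total is None:
        return None, None
    missing = [s for s in range(total) if s not in got]
    if missing:
        return None, missing  # known gaps, but no path to request a resend
    return b"".join(got[s] for s in range(total)), []

if __name__ == "__main__":
    print(high_side_receive(diode(low_side_send(SAMPLE), {2})))
    print(high_side_receive(diode(low_side_send(SAMPLE, repeats=2), {4})))
```
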
What is needed is a system and method that reduce the cost of data sharing between security domains, while, at the same time, improving the reliability of data sharing in a Multi Level Secure (MLS)/Multiple Independent Levels of Security (MILS) environment. The system and method described herein satisfy this need.