The present invention concerns a secure gateway affording bidirectional communication between two communication networks; a first high-security network and a second network with lower security.
FIG. 1 illustrates the general architecture of the system in which the invention is situated. The gateway referenced 1.1 connects a first network referenced 1.2 to a second network referenced 1.3. In the context of the invention, the two networks do not have the same security level. The term network is employed here to designate the communication network proper as well as the set of connected items of equipment that can communicate with one another. Security level means all the operating rules and constraints imposed on the network in order to ensure that only the expected data streams can pass over this network; that these streams pass between the expected items of equipment and that they are not liable to be captured by unauthorized equipment. When networks having different security levels communicate with each other, it is necessary to ensure that the high-security network cannot be corrupted by attacks coming from the low-security network. In some contexts requiring a high security level, this guarantee must be very strong, or even absolute. One example of such a context concerns avionics, where the data network connecting the control equipment of the aircraft must absolutely offer a very high security level especially during flight. It is however advantageous to connect this high-security network to a lower-security network in order, among other things, to recover data on the various parameters of the flight during maintenance. It is also advantageous to be able on a passenger network to provide real-time information on the flight during the latter.
Constructing monodirectional gateways between two networks having different security levels is known. In this case, the gateway allows the transfers of data from the high-security network to the low-security network. The monodirectional side can even be guaranteed at the physical level of the communication, for example by using the diode described in the patent application of the same applicant published under the publication number FR 2 862 399. This type of gateway guarantees that it will be impossible for an attack coming from the low-security network to compromise the high-security network.
To allow the functioning of certain applications, it is however necessary to transmit information coming from the low-security network to the high-security network. It may sometimes be a case of simple commands.
It is also advantageous to be able to have available flow control mechanisms during data transfers from the high-security level to the low-security level. Flow control requires being able to send back information to the source of the transfer and therefore from the low-security network to the high-security network. However, it is desirable for the security level to be maintained at a very high level. It is therefore necessary to guarantee control over the information going back from the low-security network to the high-security network. This control guarantees security of a very high level.
It is conventional to produce gateways by means of a firewall in this type of situation. These firewalls organize a filtering of the data circulating over the gateway. These filterings are done according to the communication protocols used and the port addresses and numbers involved in the communication. However, the security level afforded by such a firewall is not sufficient in some contexts where the need for security is particularly high. It is advantageous to be able to raise the security level of such a gateway in order to be able to guarantee a security level close to the security level afforded by a monodirectional gateway.