The present invention is generally directed to maintaining security in a computer network. More particularly, the invention is directed to a system that allows the flow of information in one direction only: from a source network to a destination network, such as from a low-security network to a high-security network.
Computers are often used to store sensitive information. Such information may include government-classified information and business-sensitive proprietary information. For example, government agencies construct and maintain networks of computers for storing and analyzing vast amounts of secret and top-secret classified data. Those government agencies attempt to maintain the security of their computer networks by electronically isolating those high-security networks from the rest of the world. The goal is to prevent both accidental and clandestine transfer of classified information from the high-security network to a non-secure or low-security network.
There are situations in which it is desirable for a computer connected to a high-security network to be able to access information that resides on a low-security network. For the computer on the high-security network to have such access to low-security information, the high-security network must be electronically connected to the low-security network. However, whenever a connection exists between a high-security network and a low-security network, a threat of the accidental or clandestine transfer of classified information to the low-security network also exists.
Therefore, there is a need for a system that connects a high-security network to a low-security network, that allows transfer of low-security information from the low-security network to the high-security network, and that prohibits transfer of high-security information from the high-security network to the low-security network.
The foregoing and other needs are met by a system for controlling movement of information between a source network and a destination network, where the information includes source network information on the source network and destination network information on the destination network. The system includes a low-side network interface for receiving from the source network a low-side request relating to the information. The system also includes a low-side processor for analyzing the low-side request to determine whether the low-side request is allowable. If the low-side request is a request to write source network information to the destination network, the low-side processor generates an acknowledgement in response, so that the requested information transfer may proceed. However, if the low-side request is a request to read destination network information from the destination network, the low-side processor denies the low-side request.
If the low-side request is a request to write source network information to the destination network, the low-side network interface receives the acknowledgement from the low-side processor, sends the acknowledgement to the source network, receives source network information from the source network in response to the acknowledgement, and sends the source network information to a low-side intermediate network interface.
The low-side intermediate network interface sends the source network information across an intermediate network to a high-side intermediate network interface. The high-side intermediate network interface receives the source network information, and sends the source network information to a high-side network interface. The high-side network interface receives the source network information, and sends the source network information to the destination network.
The system also includes a high-side processor that denies all information packets from the destination network received by the high-side network interface. In this manner, the high-side processor allows no information to flow from the destination network to the source network.
Thus, the invention provides a two-layered system that denies all requests to write or read destination network information, while allowing requests to write source network information. In this way, the invention prohibits the flow of destination network information from the destination network to the source network, while allowing source network information to flow to the destination network.
In another aspect, the invention provides a method for controlling movement of information between a source network and a destination network, where source network information resides on the source network and destination network information resides on the destination network. The method includes the steps of: (a) moving the source network information from the source network to a low-side processing system using a first information transfer protocol that precludes movement of destination network information from the low-side processing system to the source network; (b) moving the source network information from the low-side processing system to a high-side processing system across an intermediate network using a network transfer protocol that precludes movement of destination network information from the high-side processing system to the low-side processing system; and (c) moving the source network information from the high-side processing system to the destination network using a second information transfer protocol that precludes movement of destination network information from the destination network to the high-side processing system.
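As an added illustration (not the patent's own code), the following Python simulation models the three-stage flow described above: a low-side processor that acknowledges write requests and denies read requests, a one-way intermediate link that only carries data from low side to high side, and a high-side processor that forwards received data to the destination and drops every packet arriving from it. All class and function names (Request, OneWayLink, LowSide, HighSide, simulate) are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    kind: str            # "write" (source data to destination) or "read" (destination data)
    payload: bytes = b""


@dataclass
class OneWayLink:
    """Intermediate network: the low side can only send, the high side can only receive."""
    queue: list = field(default_factory=list)

    def send(self, data: bytes) -> None:
        self.queue.append(data)

    def receive(self) -> list:
        out, self.queue = self.queue, []
        return out


@dataclass
class LowSide:
    """Low-side network interface plus processor: ack writes, deny reads, forward acked data."""
    link: OneWayLink
    pending: bool = False

    def handle(self, req: Request) -> str:
        if req.kind == "write":
            self.pending = True          # ack goes back to the source network
            return "ack"
        return "deny"                    # a read of destination data is never allowed

    def receive_data(self, payload: bytes) -> bool:
        if not self.pending:             # data is only accepted after an ack was issued
            return False
        self.pending = False
        self.link.send(payload)          # hand off to the low-side intermediate interface
        return True


@dataclass
class HighSide:
    """High-side interfaces plus processor: forward to destination, drop anything from it."""
    link: OneWayLink
    destination: list = field(default_factory=list)
    dropped: int = 0

    def pump(self) -> int:
        data = self.link.receive()
        self.destination.extend(data)
        return len(data)

    def from_destination(self, packet: bytes) -> bool:
        self.dropped += 1                # every packet from the destination network is denied
        return False


def simulate(requests):
    """Push (kind, payload) pairs through the gateway; return verdicts and what arrived."""
    link = OneWayLink()
    low, high = LowSide(link), HighSide(link)
    verdicts = []
    for kind, payload in requests:
        verdict = low.handle(Request(kind, payload))
        if verdict == "ack":
            low.receive_data(payload)    # source sends data only in response to the ack
        verdicts.append(verdict)
    high.pump()
    return verdicts, high.destination
```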