It is often necessary to control the flow of data into or out of a computer network in order to protect the network and data stored on the network. For example, where two connected networks store data with different security classifications it is desired to prevent data stored on the network with a higher security classification from being transferred to the network with a lower security classification. Whilst data from the network with the lower security classification may in principle be transferred to the network with the higher security classification, it may be desirable to ensure that data is not transferred which could affect the integrity of data stored on the network with the higher classification or otherwise harm that network.
One way to protect computer networks is the use of so-called data diodes, as disclosed in U.S. Pat. No. 5,703,562. A data diode provides a unidirectional data connection, so that data can be restricted to flow only into or out of a network. Whilst this is useful in protecting the confidentiality or integrity of information stored by the network, preventing two-way communication with the network causes problems.
One problem is that of controlling the flow of data through the data diode. The receiving part of the diode cannot inform the transmitting part of the optimal rate at which to send data, and it is not possible to automatically recover from transmission errors or failures of the receiving logic because the receiving logic cannot inform the sending logic of any problems.
Another problem is that a data diode necessarily has equipment on either side of the unidirectional link it provides, and that equipment requires management: it must be configured and will need to report activity for security monitoring purposes. However, if the equipment on each side of the link is connected to a management system, this provides a bypass of the unidirectional link that could introduce bidirectional communication between the two networks. The only way the unidirectional property can be retained is to use separate management systems for each side of the diode, which is expensive to provide and error-prone in operation.
A related problem is that the management system itself is typically a sensitive system that requires protection from the data networks and communications equipment it is managing. The data diode being managed offers no protection for the management system, so further equipment is needed to do this. This additional equipment may include a data diode, in which case it too must be managed without introducing a bypass of the data diode. To avoid this recursion, it is usual for such equipment to be managed from several points with a resultant increase in the scale of management overheads.
In order to address problems caused by imposing unidirectional flow of data between networks, but retain network security, it has been proposed to connect two networks with two separate unidirectional data connections arranged to transmit data in opposite directions between the networks. Each connection comprises a content checker, arranged in series between a pair of data diodes which respectively limit the transmission of data into and out of the content checker. The function of the content checkers is to allow only acceptable data to be transmitted from one network to the other, and the security of the connection relies principally on the content checkers. The data diodes provide protection to the content checkers.
Whilst this arrangement allows for controlled bidirectional communication between networks, it is still far from ideal. Although applications running on each network can communicate with each other, to do so they must coordinate to provide the required flow control and error recovery. For example, a first application running on a computer on a first network may need to send data to a second application running on a computer on a second, connected, network. The first application can send data via a unidirectional link, but must then listen for an acknowledgement message sent from the second application via the second, opposed, unidirectional link before sending a further message. This approach is in contrast to standard computer network communications protocols, which are arranged in a stack with flow control and error recovery typically implemented at multiple levels of the stack. As a result, applications need not concern themselves with flow control and error recovery, as this is handled by the network stack. Requiring applications to implement custom protocols for flow control and error recovery, at the application level, is burdensome and limits the usefulness of the approach.
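The following is an added illustration, not code from the patent or any product it describes: a constructed model of the two opposed links (each a content checker between two diodes) and the hand-built stop-and-wait exchange the paragraph above describes. The checker policies, frame format and retry limit are assumptions chosen for the example; they show the two burdens the text names, namely that the sender is never told why a frame was dropped and that the receiver must itself discard retransmissions after a lost acknowledgement.

```python
from collections import deque
from typing import Callable, List, Optional

class OneWayLink:
    """Constructed model of one link from the text: diode -> content checker -> diode."""
    def __init__(self, accept: Callable[[bytes], bool]) -> None:
        self.accept = accept
        self.queue = deque()      # what the checker passed to the far-side diode
        self.dropped: List[bytes] = []  # what it rejected; the sender never learns this

    def send(self, msg: bytes) -> None:
        (self.queue if self.accept(msg) else self.dropped).append(msg)

    def receive(self) -> Optional[bytes]:
        return self.queue.popleft() if self.queue else None

def allow_printable(msg: bytes) -> bool:
    """Assumed checker policy for the data direction: printable ASCII only."""
    return all(32 <= b < 127 for b in msg)

def allow_ack_only(msg: bytes) -> bool:
    """Assumed checker policy for the return direction: bare 'ACK|<seq>' frames only."""
    return msg.startswith(b"ACK|") and msg[4:].isdigit()

def receiver_step(data_link, ack_link, store, seen) -> None:
    """Second application: take one frame, store it once, ack its sequence number."""
    frame = data_link.receive()
    if frame is None:
        return
    seq, payload = frame.split(b"|", 1)
    if seq not in seen:   # a retransmit after a lost ack must not be stored twice
        seen.add(seq)
        store.append(payload)
    ack_link.send(b"ACK|" + seq)

def send_all(records, data_link, ack_link, max_tries: int = 3):
    """First application: stop-and-wait built by hand over the two opposed links.
    Returns (records the receiver stored, records the sender gave up on)."""
    store, seen, failed = [], set(), []
    for seq, rec in enumerate(records):
        frame = b"%d|%s" % (seq, rec)
        for _ in range(max_tries):
            data_link.send(frame)
            receiver_step(data_link, ack_link, store, seen)  # far side runs in lock-step
            if ack_link.receive() == b"ACK|%d" % seq:
                break
        else:
            failed.append(rec)  # no ack after max_tries: give up, still not told why
    return store, failed
```

Running `send_all([b"report A", b"bin\x00ary", b"report B"], OneWayLink(allow_printable), OneWayLink(allow_ack_only))` delivers the two text records and gives up on the binary one after three silent drops, which only the forward checker's own `dropped` list records.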
Nor does this approach enable the equipment on either side of the data diodes to be managed by a single system without bypassing the data diodes and/or the content checkers.
Embodiments of the present invention have been made in consideration of these problems.