Patent Grant
10356226
The present invention relates generally to digital communications and control, and particularly to systems and methods for secure communications.
In a computer network handling sensitive data or physical processes, portions of the network may be connected by one-way links. The term “one-way link” is used in the context of the present patent application and in the claims to refer to a communication link that is physically configured to carry signals in one direction and to be incapable of carrying signals in the opposite direction. One-way links may be implemented, for example, using Waterfall® systems, which are manufactured by Waterfall Security Solutions, Ltd. (Rosh HaAyin, Israel). The Waterfall system provides a physical one-way connection based on fiberoptic communication, using an underlying proprietary transfer protocol. When a transmitting computer is connected by a Waterfall system (or other one-way link) to a receiving computer, the receiving computer can receive data from the transmitting computer but has no physical means of sending any return communications to the transmitting computer.
One-way links may be used to prevent data either from entering or leaving a protected facility. For example, confidential data that must not be accessed from external sites may be stored on a computer that is configured to receive data over a one-way link and has no physical outgoing link over which data might be transmitted to an external site. On the other hand, in some applications, the operator of the protected facility may be prepared to allow data to exit the facility freely via a one-way link, while preventing data from entering the facility in order to thwart hackers and cyber-terrorists. Unlike conventional firewalls, one-way links permit information to leave a protected facility without risk to the safety or availability of the network in the facility due to attacks originating on an external network. In practice, however, there is sometimes a need to transmit at least small amounts of information from an external network back into the protected facility.
U.S. Patent Application Publication 2014/0068712, whose disclosure is incorporated herein by reference, describes apparatus and methods for automatically controlling inputs to a protected destination. In a disclosed embodiment, communication apparatus includes a one-way, hardware-actuated data relay, which includes a first hardware interface configured to receive a command from a communications network and a second hardware interface configured to convey the received command to a protected destination when the relay is actuated. A decoder includes a third hardware interface configured to receive a digital signature for the command from the communications network and hardware decoding logic coupled to verify the digital signature and to actuate the relay upon verifying the digital signature, whereby the command is conveyed via the second hardware interface to the protected destination.
U.S. Patent Application Publication 2016/0112384, which is assigned to the assignee of the present patent application and whose disclosure is incorporated herein by reference, describes a method for communication that includes receiving in a secure installation via a network from a remote user terminal an input comprising a stream of symbols that has been encrypted using a preselected encryption key. The encrypted stream of symbols is decoded in the secure installation using a decryption key corresponding to the preselected encryption key, to produce a clear stream of symbols. A computer program running on a processor in the secure installation is used in processing the symbols in the clear stream and generating a graphical output in a predefined display format in response to processing the symbols. The graphical output is outputted from the secure installation to the network in an unencrypted format for display on the remote user terminal.
Embodiments of the present invention that are described hereinbelow provide apparatus and methods for secure communication with a protected installation.
There is therefore provided, in accordance with an embodiment of the invention, a system for communication, which includes a station, including first and second interfaces configured to be connected to a packet data network and to have different, respective first and second network addresses, and a terminal, including third and fourth interfaces configured to be connected to the packet data network and to have different, respective third and fourth network addresses. The station is configured to transmit first data to the terminal over a first path through the packet data network directed from the first interface to the third network address, while the terminal is configured to transmit second data to the station over a second path through the packet data network directed from the fourth interface to the second network address. First and second Transmission Control Protocol (TCP) proxies are deployed respectively in the station and in the terminal, and are configured to emulate a TCP connection between the station and the terminal by transmitting TCP frames from the station to the terminal only over the first path and from the terminal to the station only over the second path.
In some embodiments, the station includes a first outgoing one-way link connected between the first TCP proxy and the first interface and a first incoming one-way link connected between the second interface and the first TCP proxy. In a disclosed embodiment, the terminal includes a second outgoing one-way link connected between the second TCP proxy and the fourth interface and a second incoming one-way link connected between the third interface and the second TCP proxy.
Additionally or alternatively, the station includes first and second switches, which are coupled between the outgoing and incoming one-way links and the first TCP proxy and are configured to connect the first TCP proxy to the packet data network via the outgoing and incoming one-way links only when the emulated TCP connection is in use. Typically, the station includes a host computer, which is configured to transmit and receive data packets to and from the packet data network via the outgoing and incoming one-way links, respectively, and which is coupled to the first TCP proxy so as to transmit and receive data over the emulated TCP connection. The first and second switches are configured to isolate the first TCP proxy when the emulated TCP connection is not in use and to convey incoming data packets from the incoming one-way link to the host computer and convey outgoing data packets from the computer to the outgoing one-way link, bypassing the first TCP proxy. In a disclosed embodiment, the station includes a hardware security module (HSM), which is coupled to control actuation of the switches.
Further additionally or alternatively, the terminal includes a secure protocol support module, including a hardware security module (HSM) on which the second TCP proxy runs. In some embodiments, actuation of the HSM to emulate the TCP connection is conditioned on presentation of a hardware credential to the HSM.
In some embodiments, the secure protocol support module includes a first switch, which is coupled between the third interface and the HSM, and a second switch, which coupled between the fourth interface and the HSM, and wherein the first and second switches are configured to connect the HSM to the packet data network via the third and fourth interfaces only when the emulated TCP connection is in use. In a disclosed embodiment, the terminal includes a host processor, which is configured to receive and transmit data packets from and to the packet data network via the third and fourth interfaces, respectively, and which is coupled to the HSM so as to transmit and receive data over the emulated TCP connection. The first and second switches are configured to isolate the second TCP proxy when the emulated TCP connection is not in use and to convey incoming data packets from the third interface to the host processor and convey outgoing data packets from the host processor to the fourth interface, bypassing the HSM.
There is also provided, in accordance with an embodiment of the invention, a method for communication, which includes connecting a station to a packet data network through first and second interfaces having different, respective first and second network addresses, and connecting a terminal to the packet data network through third and fourth interfaces having different, respective third and fourth network addresses. A Transmission Control Protocol (TCP) connection between the station and the terminal is emulated by transmitting first TCP frames from a first TCP proxy deployed in the station to a second TCP proxy deployed in the terminal only over a first path through the packet data network directed from the first interface to the third network address, and transmitting second TCP frames from the second TCP proxy in the terminal to the first TCP proxy in the station only over a second path through the packet data network directed from the fourth interface to the second network address.
The present invention will be more fully understood from the following detailed description of the embodiments thereof, taken together with the drawings in which:
As noted earlier, at outgoing one-way link from a protected facility is an effective means for allowing information to leave a protected facility without risk to the safety or availability of the network in the facility due to attacks originating on an external network. In practice, however, there is sometimes a need to transmit at least small amounts of information from an external network back into the protected facility, such as commands, software updates or configuration changes to remote unattended sites or manufacturing facilities. There are a number of risks associated with such communications. One risk is that if malware has somehow been introduced into the protected network (possibly by insider collaboration), communications back into the protected network could be used to trigger an attack. Another risk is that an attacker might gain remote control capabilities over a system within the protected network or might use the communications channel into the facility to cause unsafe or unreliable conditions in the protected network, by means of a buffer overflow attack, for instance.
The above-mentioned U.S. Patent Application Publication 2014/0068712 describes a possible solution to these problems, by permitting a controlled flow of small amounts of information into a protected network. The flow is automatically controlled so that software-based attacks on protected equipment become difficult or impossible to carry out, even if parts of the command and communications system themselves become compromised. In contrast to conventional firewalls, the control is carried out by hardware logic, rather than software. Consequently, remote attackers are unable to change the operating configuration of the protection logic or to cause it to perform any function other than those initially programmed by the logic designer. In the disclosed embodiments, the hardware logic is configured to control the format and content of commands that can be sent to a protected destination. The hardware logic may also authenticate these commands to ensure they were produced by an authorized transmitter. As a result, by compromising an authorized transmitter, an attacker may, at worst, be able to send an incorrect command to the destination, but will not be able to gain control over the protected facility.
U.S. Patent Application Publication 2016/0112384, also cited above, takes this model a step farther to provide secure remote desktop functionality, while maintaining a high level of security against unauthorized access. These embodiments use hardware components to separate the input from a remote user terminal to the secure installation from the graphical display output that is provided by the installation, and thus avoid creating a closed communication loop that could be exploited by a malicious party. The input to the secure installation comprises a stream of symbols that has been encrypted by the remote user terminal using a preselected encryption key. A decoder in the secure installation converts the encrypted input back into a clear stream of symbols, using a corresponding decryption key. Thus, the remote desktop functionality of the secure installation can be accessed only by a client device that is in possession of the proper encryption key. For enhanced security, the encrypted symbol stream may be generated using a hardware-based encoder in a secure input device of the remote user terminal.
The sorts of remote control functionality that are described in the above publications rely on the human operator of the user terminal to “close the loop” between the information received by the terminal from the protected facility and the input transmitted from the terminal back to the facility. The input stream to the protected facility is transmitted from one port of the user terminal to a corresponding port of the protected facility via a given network path, while the display output typically traverses a different network path between a different pair of ports. (The separation of the ports is enforced at the protected facility, and the paths are determined independently by routers in the network between the terminal and the protected facility, such as Internet Protocol [IP] routers.) This segregation of the two communication directions alleviates many of the security risks that would otherwise be involved in bidirectional interaction with the protected facility, since it prevents the establishment of process-to-process protocol connections, such as Transmission Control Protocol (TCP) sockets, that are generally required for client/server and peer-to-peer interactions.
In some cases, however, an actual bidirectional protocol connection is required between the protected facility and a remote terminal or other computer. Such a connection may be needed, for example, in order to update software running at the protected facility, both during the update and afterwards, to enable verification of proper operation, particularly when the facility is in a remote location without skilled personnel (or possibly without any personnel) on site. A bidirectional connection can also be needed in emergency situations, so that headquarters can exert full, direct, and unrestricted control of the site for operational and safety reasons.
Embodiments of the present invention that are described herein enable the creation of a bidirectional protocol connection over a pair of separate, unidirectional legs through a network, while maintaining a high level of hardware-based protection against malicious exploitation of the connection. These embodiments are based on a TCP proxy, which is capable of opening and maintaining a TCP connection with a remote peer while receiving incoming TCP packets from the peer on an input port with a given Internet Protocol (IP) address and transmitting outgoing TCP packets to the remote peer via an output port with a different IP address. The TCP proxy emulates the operation of TCP over a conventional, bidirectional IP port, so that software applications running on a host processor at either end of the TCP connection can transmit and receive communications via the TCP proxy as though it was a conventional TCP software stack.
Such TCP proxies can be installed at one or both ends of the TCP link, for example, both in a protected facility and in a remote user terminal that communicates with the facility. For enhanced security, the TCP proxy can be installed and run within attack-resistant hardware modules, such as a hardware security module (HSM). As an additional or alternative security measure, the TCP proxy receives the incoming packets from the input port via an incoming one-way link and transmits the outgoing packets to the output port via a separate, outgoing one-way link.
In an example embodiment that is described further hereinbelow, one such TCP proxy is installed in a protected, secure facility, and the other in a remote user terminal. In normal operation of this system, as explained above, the secure facility transmits data to the user terminal over one unidirectional path through a network, while the user terminal transmits instructions to the secure facility over a separate unidirectional path, with segregation enforced by one-way links in both the secure facility and the user terminal. During such normal operation, the TCP proxies are isolated from the one-way links, and hence from the network, by hardware-enforced switching circuits.
For example, connection of the TCP proxies to the network may be subject to actuation by a hardware security model (HSM) at the user terminal, which may be either the same HSM in which the TCP proxy itself runs or a separate HSM that is provided for this purpose. As a result, the TCP connection to the secure facility will be available only when physically actuated by a user of the terminal with the required cryptographic hardware credentials, and the connection is not exposed at any other time to exploitation by attackers elsewhere on the network. When the HSM is not activated, the TCP proxy code itself is encrypted and inaccessible from the network, and thus cannot be exploited to open the bidirectional connection between the user terminal and the secure facility in the absence of authorized personnel with the necessary cryptographic credentials.
Although the pictured example relates, by way of illustration, to an electric power utility, the principles of the present invention are not limited to this particular operating context. Rather, the apparatus and methods that are described below may be applied to utilities of other types (such as gas or water utilities, for instance), as well as in industrial environments and substantially any other application in which tight control is to be exercised over data and commands that may be input to a protected installation. Station 22 is just one example of such an installation. Certain embodiments of the present invention are described hereinbelow, for the sake of clarity and without limitation, with respect to the elements of system 20, but the principles of these embodiments and the techniques that they incorporate may similarly be applied in other operating environments in which an installation is to be protected from undesired data input and unauthorized access.
Station 22 is typically designed as a closed, secure facility, protected physically against unauthorized entry. A host computer 41 in station 22 inputs commands to the switches on network 40 and monitors the operation of the switches and other components of the station. Typically, network 40 comprises multiple sensors and actuators, which are distributed throughout station 22 and report via a secure internal network to host computer 41. Computer 41 outputs information, possibly including a graphical display output, via a one-way link 34 to an output interface 38. Output interface 38 is connected to network 26, which conveys the output information to terminal 24. One-way link 34 connects a secure zone 28, containing the protected components of station 22, to a buffer zone 30, which is accessible to network 26. Although output interface 38 typically comprises a conventional, bidirectional network port, one-way link 34 prevents any sort of access to secure zone 28 via output interface 38.
One-way link 34 conveys output information from station 22 to network 26 but is physically incapable of conveying input data from the network to the station. For this latter purpose, station 22 comprises a secure input 36, which typically has an input interface coupled to network 26 and another interface to the protected elements of the station. In this example, secure input 36 receives and decodes a stream of symbols (typically encrypted symbols) transmitted by terminal 24 over network 26, and conveys the decoded symbols over a one-way link 32 to host computer 41. Details of the structure and operation of secure input 36 are described further, for example, in the above mentioned U.S. Patent Application Publication 2016/01123844. Host computer 41 particularly and secure zone 28 in general receive no inputs from network 26 other than via input 36 and one-way link 32, which are typically contained in station 22 and are thus themselves protected from physical and electrical tampering.
Terminal 24 receives data output by station 22 through output 38 via an output path 42 through network 26, and inputs data, such as commands and/or queries, to station 22 via a separate input path 44 to input 36. As noted earlier, input 36 and output 38 typically comprise separate and independent ports to network 26, with their own, different network addresses, such as IP addresses. Paths 42 and 44 are thus established separately by routers (not shown) in network 26. Terminal 24 is similarly configured with separate input and output interfaces, as is shown and described hereinbelow with reference to
When it is necessary to transmit connection-oriented traffic to and from computer 41 in station 22, a TCP proxy 46 in the station is actuated. Typically, TCP proxy 46 comprises a processor, which is separate from computer 41 and has suitable interfaces and software to carry out the functions that are described herein. In normal operation of station 22, switches 48 and 50, typically hardware-actuated data switches, isolate TCP proxy 46 from network 26, so that all inputs from one-way link 32 to host computer 41 and other elements of internal control network 40, as well as outputs from computer 41 and network 40 to one-way link 34, bypass the TCP proxy.
When a TCP connection with remote terminal 24 is invoked, however, switches 48 and 50 are actuated to connect one-way links 32 and 34 to and from TCP proxy 46, which can then begin TCP emulation. Typically, TCP proxy 46 runs on a hardware security module (HSM) 47 installed in secure zone 28, to prevent tampering and attacks. Additionally or alternatively, TCP proxy 46 and/or switches 48 and 50 comprise other authentication components and software, such as a trusted platform module (TPM). The use of such secure hardware ensures that the switches are actuated and a TCP connection can be set up with terminal 24 only after the user of the terminal has been properly authenticated.
HSM 47 (and similarly an HSM used for the TCP proxy in terminal 24, as described below) typically comprises a software-driven processor, such as a central processing unit (CPU), with a memory and suitable communication interfaces for receiving and transmitting TCP data frames from and to switches 48 and 50. For these purposes, HSM 47 can comprise a commercially-available hardware subsystem, such as the IBM PCIe Cryptographic Coprocessor, which is a tamper-responding, programmable, cryptographic PCIe® card, containing a CPU, encryption hardware, RAM, persistent memory, a hardware random number generator, clock, infrastructure firmware, and software. The software running in the CPU is customized, in the present embodiment, to include the TCP proxy stack and interface. Thus, as noted earlier, the proxy code itself is actually never actually accessible from network 26. The code is held in the HSM memory in encrypted form and is activated and decrypted, to run on the HSM CPU, only after proper authentication. Because the code runs only internally within the secure execution environment of HSM 47, even when TCP proxy 46 is activated, it is not possible to copy the code to use it from another computer on the network.
Secure input device 62, such as a keyboard, mouse, or other user-operated element, receives inputs from an operator of terminal 24 and encodes these inputs as an encrypted symbol stream using a preselected encryption key. One-way link 66 conveys the encrypted output from device 62 to an output interface 68 of terminal 24.
Output interface 68 transmits the encrypted symbol stream from input device 62 via input path 44 over network 26 to input 36, which decodes the symbols and thus provides a corresponding clear symbol stream to host computer 41. Output interface 68 may, for example, establish a secure connection (such as a Transport Layer Security [TLS] encrypted connection, as is known in the art) with input 36 over network 26. This sort of conventional data security measure adds a further layer of protection to the operation of the other security measures described herein. This connection, however, which is set up between the IP addresses of output interface 68 and input 36, carries only the information that is output from terminal 24 via one-way link 66 (and possibly acknowledgment packets from input 36), while one-way links 66 and 32 prevent any meaningful data from reaching terminal 24 via the connection.
Typically, although not necessarily, input device 62 encrypts the operator inputs using hardware logic and holds the encryption key in a memory (not shown) that is inaccessible to the user of terminal 24. This key may similarly be inaccessible to a host processor 72 that is used in running software-based functions of the terminal. For the purpose of these software-based functions (including applications running over TCP connections to station 22), input device 62 may have an additional, non-encrypted mode of operation. Alternatively, one or more additional input devices (not shown) may be connected to terminal 24, or if terminal 24 is configured to send input to station 22 only over a secure TCP connection, input device 62 may be replaced by an ordinary, non-encrypting input device.
In parallel to the operation of input path 44 that is described above, an input interface 54 of terminal 24 receives data output generated by station 22 and transmitted over output path 42 through network 26 via output 38. Input interface 54 conveys the data via one-way link 56 to display 60, which presents the data in alphanumeric and/or graphical form. For these purposes, input interface 54 typically comprises a network interface controller (NIC), coupled to transmit and receive packets to and from network 26, along with a suitable communication controller for transmitting data over one-way link 56 and a suitable buffer memory and logic circuits (hardware or software-driven) connecting them. These functions may be carried out, for example, by a Waterfall unidirectional gateway.
As noted earlier, in normal operation of terminal 24, input path 44 from output interface 68 of terminal 24 to station 22 and output path 42 from station 22 to display 60 are separate and independent, without any electronic interaction between these paths within terminal 24. Input interface 54 may establish an additional secure connection (such as a TLS connection) with output 38 over network 26, which is separate from the connection between output interface 68 and input 36. The only actual connection that normally exists between input and output paths 44 and 42 is the cognitive connection made by the operator of terminal 24.
As explained above, however, the operator of terminal 24 may occasionally need to interact with computer 41 in station 22 using a connection-based client/server or peer-to-peer application. For this purpose, terminal 24 comprises a secure protocol support module 52 with a TCP proxy 70, which interacts with TCP proxy 46 in station 22 when actuated. As on the station side, TCP proxy 70 comprises a processor, which is separate from host processor 72 and has suitable interfaces and software to carry out the functions that are described herein. Module 52, including TCP proxy 70 and switches 58 and 64, is typically implemented as a secure, tamper-proof hardware unit, which is hardened against unauthorized use and disassembly. TCP proxy 70 may be connected to and communicate with host processor 72 via a suitable bus, such as a PCIe bus.
Within module 52, at least TCP proxy 70 runs on an HSM 74, similar to HSM 47 that was described above. Actuation of HSM 74 is conditioned, for example on insertion by the user of a suitable key 76, such as a smartcard or SIM, or presentation of other hardware credentials, possibly accompanied by other security measures, such as password and/or biometric authentication of the user. For further enhanced security, HSM 74 can require the user to present a further key to activate the TCP proxy software, in addition to the key used to activate the HSM.
Key 76 typically holds one or more private cryptographic keys. These keys are used by HSM 74 to send activation commands to HSM 47, and cause HSMs 47 and 74 to activate the proxy code (including decryption of the stored code using the key) and run the code within the secure execution facility of the HSMs.
In normal operation of terminal 24, when HSM 74 is not actuated, switches 58 and 64 isolate TCP proxy 70 from network 26, so that all input from one-way link 56 and output to one-way link 66 bypass the TCP proxy. When HSM 74 is actuated and a TCP connection is invoked, however, switches 58 and 64 operate to connect one-way links 56 and 66 to and from TCP proxy 70, which can then begin TCP emulation. For this purpose, TCP proxy 70 also instructs switches 48 and 50 in station 22 to connect TCP proxy 46 to input 36 and output 38, as described above. Typically, the instruction to switches 48 and 50 is accompanied by cryptographic credentials, which are provided by HSM 74, for example, which enable the controller responsible in station 22 to authenticate the instruction before actuating the switches.
Alternatively, HSM 74 may be solely responsible for data security in terminal 24. In this case, switches 58 and 64 may be actuated manually by the operator of terminal 24, or they may be eliminated entirely. (Switches 48 and 50 in station 22, however, still provide a useful added measure of security.) Additionally or alternatively, one-way links 56 and 66 in terminal 24 may be replaced by one or more ordinary duplex connections, while maintaining the use of one-way links 32 and 34 to protect station 22 from unauthorized access.
In any case, once HSMs 47 and 74 have been activated, as described above, TCP proxies 70 and 46 then communicate with one another in order to initiate and set up TCP socket emulation. The interaction between the TCP proxies is similar to that between conventional TCP endpoints, except that in the present case, TCP frames are transmitted from TCP proxy 70 to TCP proxy 46 over input path 44 and from TCP proxy 46 to TCP proxy 70 over output path 42. As explained earlier, the endpoints of input path 44 have different IP addresses from the endpoints of output path 42. Once the emulated TCP connection is set up and running, TCP proxies 46 and 70 notify the respective hosts 41 and 72 that the connection is available, so that the desired application can run.
Typically, all communication between TCP proxies 46 and 70 is signed by keys. Thus, when key 76 is removed, system 20 defaults to a “no proxy” state, in which HSMs 47 and 74 are inaccessible, and switches connecting the TCP proxies to network 26 are locked. Additionally or alternatively, TCP proxies 46 and 70 regularly exchange authorization messages, and shut down if an authorization message does not arrive when expected.
The elements of station 22 and terminal 24 are shown in the figures and described above in terms of separate functional blocks solely for the sake of convenience and conceptual clarity. In practical implementations, two or more of these blocks may be combined in a single circuit element or, additionally or alternatively, certain blocks may be broken down into separate sub-blocks and circuits. All such embodiments are considered to be within the scope of the present invention.
It will thus be appreciated that the embodiments described above are cited by way of example, and that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes both combinations and subcombinations of the various features described hereinabove, as well as variations and modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not disclosed in the prior art.
This application claims the benefit of U.S. Provisional Patent Application 62/295,074, filed Feb. 14, 2016, which is incorporated herein by reference
| Number | Name | Date | Kind |
|---|---|---|---|
| 4163289 | Schmidt | Jul 1979 | A |
| 4213177 | Schmidt | Jul 1980 | A |
| 4214302 | Schmidt | Jul 1980 | A |
| 4375665 | Schmidt | Mar 1983 | A |
| 4964046 | Mehrgardt et al. | Oct 1990 | A |
| 4985919 | Naruse et al. | Jan 1991 | A |
| 4987595 | Marino, Jr. et al. | Jan 1991 | A |
| 5140681 | Uchiyama et al. | Aug 1992 | A |
| 5163138 | Thirumalai | Nov 1992 | A |
| 5185877 | Bissett et al. | Feb 1993 | A |
| 5289478 | Barlow et al. | Feb 1994 | A |
| 5388212 | Grube et al. | Feb 1995 | A |
| 5530758 | Marino, Jr. et al. | Jun 1996 | A |
| 5548646 | Aziz et al. | Aug 1996 | A |
| 5677952 | Blakley et al. | Oct 1997 | A |
| 5703562 | Nilsen | Dec 1997 | A |
| 5732278 | Furber et al. | Mar 1998 | A |
| 5748871 | Dulac et al. | May 1998 | A |
| 5815577 | Clark | Sep 1998 | A |
| 5822435 | Boebert et al. | Oct 1998 | A |
| 5825879 | Davis | Oct 1998 | A |
| 5829046 | Tzelnic et al. | Oct 1998 | A |
| 5835726 | Shwed et al. | Nov 1998 | A |
| 5940507 | Cane et al. | Aug 1999 | A |
| 5946399 | Kitaj et al. | Aug 1999 | A |
| 5995628 | Kitaj et al. | Nov 1999 | A |
| 6023570 | Tang et al. | Feb 2000 | A |
| 6049611 | Tatebayashi et al. | Apr 2000 | A |
| 6134661 | Topp | Oct 2000 | A |
| 6167459 | Beardsley et al. | Dec 2000 | A |
| 6170023 | Beardsley et al. | Jan 2001 | B1 |
| 6185638 | Beardsley et al. | Feb 2001 | B1 |
| 6202095 | Beardsley et al. | Mar 2001 | B1 |
| 6226749 | Carloganu et al. | May 2001 | B1 |
| 6239810 | Van Hook et al. | May 2001 | B1 |
| 6240514 | Inoue et al. | May 2001 | B1 |
| 6289377 | Lalwaney et al. | Sep 2001 | B1 |
| 6311272 | Gressel | Oct 2001 | B1 |
| 6317831 | King | Nov 2001 | B1 |
| 6442607 | Korn et al. | Aug 2002 | B1 |
| 6467009 | Winegarden et al. | Oct 2002 | B1 |
| 6470449 | Blandford | Oct 2002 | B1 |
| 6574640 | Stahl | Jun 2003 | B1 |
| 6601126 | Zaidi et al. | Jun 2003 | B1 |
| 6601170 | Wallace, Jr. | Jul 2003 | B1 |
| 6615244 | Singhal | Sep 2003 | B1 |
| 6643701 | Aziz et al. | Nov 2003 | B1 |
| 6738388 | Stevenson et al. | May 2004 | B1 |
| 6738742 | Badt et al. | May 2004 | B2 |
| 6758404 | Ladyansky | Jul 2004 | B2 |
| 6862663 | Bateman | Mar 2005 | B1 |
| 6915369 | Dao et al. | Jul 2005 | B1 |
| 6915435 | Merriam | Jul 2005 | B1 |
| 6931549 | Ananda | Aug 2005 | B1 |
| 6957330 | Hughes | Oct 2005 | B1 |
| 6963817 | Ito et al. | Nov 2005 | B2 |
| 6966001 | Obara et al. | Nov 2005 | B2 |
| 6970183 | Monroe | Nov 2005 | B1 |
| 6986061 | Kunzinger | Jan 2006 | B1 |
| 7031322 | Matsuo | Apr 2006 | B1 |
| 7062587 | Zaidi et al. | Jun 2006 | B2 |
| 7069437 | Williams | Jun 2006 | B2 |
| 7100048 | Czajkowski et al. | Aug 2006 | B1 |
| 7171566 | Durrant | Jan 2007 | B2 |
| 7200693 | Jeddeloh | Apr 2007 | B2 |
| 7234158 | Guo et al. | Jun 2007 | B1 |
| 7254663 | Bartley et al. | Aug 2007 | B2 |
| 7260833 | Schaeffer | Aug 2007 | B1 |
| 7324515 | Chapman | Jan 2008 | B1 |
| 7366894 | Kallimuthu et al. | Apr 2008 | B1 |
| 7509141 | Koenck et al. | Mar 2009 | B1 |
| 7523856 | Block et al. | Apr 2009 | B2 |
| 7581097 | Catherman et al. | Aug 2009 | B2 |
| 7649452 | Zilberstein et al. | Jan 2010 | B2 |
| 7660959 | Asher et al. | Feb 2010 | B2 |
| 7675867 | Mraz et al. | Mar 2010 | B1 |
| 7685436 | Davis et al. | Mar 2010 | B2 |
| 7698470 | Ruckerbauer et al. | Apr 2010 | B2 |
| 7716467 | Deffet et al. | May 2010 | B1 |
| 7761529 | Choubal et al. | Jul 2010 | B2 |
| 7761704 | Ho et al. | Jul 2010 | B2 |
| 7792300 | Caronni | Sep 2010 | B1 |
| 7814316 | Hughes et al. | Oct 2010 | B1 |
| 7815548 | Barre et al. | Oct 2010 | B2 |
| 7845011 | Hirai | Nov 2010 | B2 |
| 7849330 | Osaki | Dec 2010 | B2 |
| 7941828 | Jauer | May 2011 | B2 |
| 7992209 | Menoher et al. | Aug 2011 | B1 |
| 8041832 | Hughes et al. | Oct 2011 | B2 |
| 8046443 | Parker et al. | Oct 2011 | B2 |
| 8223205 | Frenkel et al. | Jul 2012 | B2 |
| 8756436 | Frenkel et al. | Jun 2014 | B2 |
| 8793302 | Frenkel et al. | Jul 2014 | B2 |
| 9116857 | Frenkel | Aug 2015 | B2 |
| 9130768 | Moncaster | Sep 2015 | B2 |
| 9268957 | Frenkel | Feb 2016 | B2 |
| 9305189 | Mraz | Apr 2016 | B2 |
| 9369446 | Frenkel | Jun 2016 | B2 |
| 9419975 | Frenkel | Aug 2016 | B2 |
| 9519616 | Frenkel | Dec 2016 | B2 |
| 9584521 | Frenkel | Feb 2017 | B2 |
| 9635037 | Frenkel | Apr 2017 | B2 |
| 9736121 | Mraz | Aug 2017 | B2 |
| 9762536 | Frenkel | Sep 2017 | B2 |
| 9847972 | Frenkel | Dec 2017 | B2 |
| 10063517 | Frenkel | Aug 2018 | B2 |
| 20010033332 | Kato et al. | Oct 2001 | A1 |
| 20020064282 | Loukianov et al. | May 2002 | A1 |
| 20020065775 | Monaghan | May 2002 | A1 |
| 20020077990 | Ryan, Jr. | Jun 2002 | A1 |
| 20020083120 | Soltis | Jun 2002 | A1 |
| 20020112181 | Smith | Aug 2002 | A1 |
| 20020174010 | Rice | Nov 2002 | A1 |
| 20020186839 | Parker | Dec 2002 | A1 |
| 20020188862 | Trethewey et al. | Dec 2002 | A1 |
| 20020191866 | Tanabe | Dec 2002 | A1 |
| 20020199181 | Allen | Dec 2002 | A1 |
| 20030005295 | Girard | Jan 2003 | A1 |
| 20030037247 | Obara et al. | Feb 2003 | A1 |
| 20030039354 | Kimble et al. | Feb 2003 | A1 |
| 20030061505 | Sperry et al. | Mar 2003 | A1 |
| 20030114204 | Allen et al. | Jun 2003 | A1 |
| 20030140090 | Rezvani et al. | Jul 2003 | A1 |
| 20030140239 | Kuroiwa et al. | Jul 2003 | A1 |
| 20030159029 | Brown et al. | Aug 2003 | A1 |
| 20030188102 | Nagasoe et al. | Oct 2003 | A1 |
| 20030212845 | Court et al. | Nov 2003 | A1 |
| 20030217262 | Kawai et al. | Nov 2003 | A1 |
| 20040022107 | Zaidi et al. | Feb 2004 | A1 |
| 20040024710 | Fernando et al. | Feb 2004 | A1 |
| 20040070620 | Fujisawa | Apr 2004 | A1 |
| 20040071311 | Choi et al. | Apr 2004 | A1 |
| 20040080615 | Klein et al. | Apr 2004 | A1 |
| 20040125077 | Ashton | Jul 2004 | A1 |
| 20040175123 | Lim et al. | Sep 2004 | A1 |
| 20040181679 | Dettinger et al. | Sep 2004 | A1 |
| 20040198494 | Nguyen et al. | Oct 2004 | A1 |
| 20040217890 | Woodward et al. | Nov 2004 | A1 |
| 20040247308 | Kawade | Dec 2004 | A1 |
| 20040250096 | Cheung et al. | Dec 2004 | A1 |
| 20050015624 | Ginter et al. | Jan 2005 | A1 |
| 20050033990 | Harvey et al. | Feb 2005 | A1 |
| 20050057774 | Maruyama | Mar 2005 | A1 |
| 20050066186 | Gentle et al. | Mar 2005 | A1 |
| 20050071632 | Pauker et al. | Mar 2005 | A1 |
| 20050085964 | Knapp et al. | Apr 2005 | A1 |
| 20050091487 | Cross et al. | Apr 2005 | A1 |
| 20050108524 | Witchey | May 2005 | A1 |
| 20050119967 | Ishiguro et al. | Jun 2005 | A1 |
| 20050120214 | Yeates et al. | Jun 2005 | A1 |
| 20050120251 | Fukumori et al. | Jun 2005 | A1 |
| 20050138369 | Lebovitz et al. | Jun 2005 | A1 |
| 20050165939 | Nikunen et al. | Jul 2005 | A1 |
| 20050216648 | Jeddeloh | Sep 2005 | A1 |
| 20050264415 | Katz | Dec 2005 | A1 |
| 20050270840 | Kudelski | Dec 2005 | A1 |
| 20060047887 | Jeddeloh | Mar 2006 | A1 |
| 20060085354 | Hirai | Apr 2006 | A1 |
| 20060085534 | Ralston et al. | Apr 2006 | A1 |
| 20060064550 | Katsuragi et al. | May 2006 | A1 |
| 20060095629 | Gower et al. | May 2006 | A1 |
| 20060136724 | Takeshima et al. | Jun 2006 | A1 |
| 20060155939 | Nagasoe et al. | Jul 2006 | A1 |
| 20060161791 | Bennett | Jul 2006 | A1 |
| 20060165347 | Mita | Jul 2006 | A1 |
| 20060173787 | Weber et al. | Aug 2006 | A1 |
| 20060179208 | Jeddeloh | Aug 2006 | A1 |
| 20060195704 | Cochran et al. | Aug 2006 | A1 |
| 20060220903 | Zigdon et al. | Oct 2006 | A1 |
| 20060224848 | Matulik et al. | Oct 2006 | A1 |
| 20060242423 | Kussmaul | Oct 2006 | A1 |
| 20060248582 | Panjwani et al. | Nov 2006 | A1 |
| 20060259431 | Poisner | Nov 2006 | A1 |
| 20060271617 | Hughes et al. | Nov 2006 | A1 |
| 20060288010 | Chen et al. | Dec 2006 | A1 |
| 20060294295 | Fukuzo | Dec 2006 | A1 |
| 20070028027 | Janzen et al. | Feb 2007 | A1 |
| 20070028134 | Gammel et al. | Feb 2007 | A1 |
| 20070043769 | Kasahara et al. | Feb 2007 | A1 |
| 20070055814 | Jeddeloh | Mar 2007 | A1 |
| 20070094430 | Speier et al. | Apr 2007 | A1 |
| 20070063866 | Webb | May 2007 | A1 |
| 20070112863 | Niwata et al. | May 2007 | A1 |
| 20070150752 | Kudelski | Jun 2007 | A1 |
| 20070174362 | Pham et al. | Jul 2007 | A1 |
| 20070180263 | Delgrosso et al. | Aug 2007 | A1 |
| 20070180493 | Croft et al. | Aug 2007 | A1 |
| 20070203970 | Nguyen | Aug 2007 | A1 |
| 20070204140 | Shade | Aug 2007 | A1 |
| 20070258595 | Choy | Nov 2007 | A1 |
| 20070283297 | Hein et al. | Dec 2007 | A1 |
| 20080005325 | Wynn et al. | Jan 2008 | A1 |
| 20080059379 | Ramaci et al. | Mar 2008 | A1 |
| 20080065837 | Toyonaga et al. | Mar 2008 | A1 |
| 20080066192 | Greco et al. | Mar 2008 | A1 |
| 20080082835 | Asher et al. | Apr 2008 | A1 |
| 20080120511 | Naguib | May 2008 | A1 |
| 20080144821 | Armstrong | Jun 2008 | A1 |
| 20080155273 | Conti | Jun 2008 | A1 |
| 20080209216 | Kelly et al. | Aug 2008 | A1 |
| 20080244743 | Largman et al. | Oct 2008 | A1 |
| 20080263672 | Chen et al. | Oct 2008 | A1 |
| 20080288790 | Wilson | Nov 2008 | A1 |
| 20090019325 | Miyamoto et al. | Jan 2009 | A1 |
| 20090319773 | Frenkel et al. | Dec 2009 | A1 |
| 20090328183 | Frenkel et al. | Dec 2009 | A1 |
| 20100275039 | Frenkel et al. | Oct 2010 | A1 |
| 20100278339 | Frenkel et al. | Nov 2010 | A1 |
| 20100324380 | Perkins et al. | Dec 2010 | A1 |
| 20110026523 | Charzinksi | Feb 2011 | A1 |
| 20110107023 | McCallister et al. | May 2011 | A1 |
| 20110202772 | Frenkel et al. | Aug 2011 | A1 |
| 20110213990 | Poisner | Sep 2011 | A1 |
| 20110276699 | Pedersen | Nov 2011 | A1 |
| 20120198225 | Gadouche et al. | Aug 2012 | A1 |
| 20130024700 | Peterson et al. | Jan 2013 | A1 |
| 20130179685 | Weinstein et al. | Jul 2013 | A1 |
| 20140020109 | Mraz | Jan 2014 | A1 |
| 20140040679 | Shimizu et al. | Feb 2014 | A1 |
| 20140068712 | Frenkel et al. | Mar 2014 | A1 |
| 20140122965 | Zeng et al. | May 2014 | A1 |
| 20140282215 | Grubbs et al. | Sep 2014 | A1 |
| 20140317753 | Frenkel | Oct 2014 | A1 |
| 20150135264 | Amiga | May 2015 | A1 |
| 20170201379 | Frenkel | Jul 2017 | A1 |
| Number | Date | Country |
|---|---|---|
| 1632833 | Mar 2006 | EP |
| 2267986 | Dec 1993 | GB |
| 2371125 | Jul 2002 | GB |
| 9526085 | Sep 1995 | WO |
| 0110079 | Feb 2001 | WO |
| 0163879 | Aug 2001 | WO |
| WO-2008001344 | Jan 2008 | WO |
| 2008072234 | Jun 2008 | WO |
| WO-2008087640 | Jul 2008 | WO |
| WO-2009053990 | Apr 2009 | WO |
| 2010049839 | May 2010 | WO |
| Entry |
|---|
| IBM Technical Disclosure Bulletin, Separate Write/Read Logical Paths to Optimize Library Network File System Data Rates, vol. 37, No. 09, pp. 1-3, Sep. 1994. |
| Innominate Security Technologies, “Press Release: Innominate joins Industrial Defender Enabled Partner Program”, Germany, 2 pages, Apr. 14, 2008 (http://www.innominate.com/content/view/288/120/lang,en/). |
| Frenkel, L., “Unidirectional Information Transfer”, Web issue, 1 page, Jun. 2005. |
| Dierks, T., “The TLS Protocol”, version 1.0, RFC 2246, Networking Group of IETF, 71 pages, Jan. 1999. |
| Waterfall Security Solutions Ltd., “Waterfall One Way Link Technology”, 1 page, year 2008 ( http://www.waterfall-solutions.com/home/Waterfall.sub.--Technology.a- spx). |
| Msisac, “Cyber Security Procurement Language for Control Systems”, version 1.8, revision 3, 120 pages, Feb. 2008 (http://www.msisac.org/scada/documents/4march08scadaprocure.pdf). |
| Axis Communications, “Axis Network Cameras”, 8 pages, year 2008 (http://www.axis.com/products/video/camera/index.htm). |
| Check Point Software Technologies Ltd., “Extended Unified Threat Management capabilities with new multi-layer messaging security deliver best all-inclusive security solution”, USA, 3 pages, Nov. 18, 2008 (http://www.checkpoint.com/press/2008/utm-1-edge-upgrade-111808.html). |
| Einey, D., “Waterfall IP Surveillance Enabler”, 14 pages, Jul. 2007. |
| U.S. Appl. No. 15/806,375 office action dated Mar. 22, 2018. |
| U.S. Appl. No. 15/458,044 office action dated May 23, 2018. |
| Number | Date | Country | |
|---|---|---|---|
| 20170237834 A1 | Aug 2017 | US |
| Number | Date | Country | |
|---|---|---|---|
| 62295074 | Feb 2016 | US |
