JP2002533792A - Method and system for protecting the operation of a trusted internal network - Google Patents

Abstract

SUMMARY The present invention is a secure gateway system (10) located between an external unreliable computing environment (16) and an internal reliable computing environment (12). The internal computing environment converts messages received from the external environment into simplified messages, and converts the simplified messages into messages suitable for use in the internal environment. This transformation creates a simplified message, including the removal of the external environment transfer protocol and the reduction of the content of the message left after the removal of that protocol to a simplified representation of that content. The simplified representation is then converted to an internal message by converting it to a representation appropriate for the internal environment, including it in an application running in the internal environment, adding an internal environment protocol, and including a transport protocol. Simplified representations exist for some, but not necessarily all, types of content received from the external environment, thereby limiting the content passed from the external environment to the internal environment.

Description

DETAILED DESCRIPTION OF THE INVENTION

BACKGROUND OF THE INVENTION The present invention relates to a method and system for preventing unauthorized access to computers and networks, and ensuring security of applications running on computers and networks. More particularly, the invention is directed to providing protection to trusted internal networks from intentional or inadvertent introduction of external attacks and bugs or viruses. Much work has been done within the scope of computer and network security. The problem addressed the network context. And they vary widely in their solution, type, scope and severity. Some of the primary existing solutions, such as firewalls, are described below. Despite great efforts dedicated to these publications; however, many problems remain that are not solved by existing solutions. For example, a web server or application server running on a secure network internally is often connected to an external network such as the Internet. In a sense, it limits external uncertain network access to assets in the internal environment. Protecting this internal secure environment from outside, which is intentional or inadvertent due to firewalls. It is plain that TCP / IP packets can enter their environment based on their TCP / IP format. Selecting does not take into account the possibility that the weaknesses of the strategy are in the software that runs on it, trusting the environment. Analyzing the transport protocol format, since most firewalls operate at the network layer, they cannot defend applications and middleware that start on that network. For example, a server may have a bug in its operating system. Alternatively, the protocol stack may have features that invite harmful interference. In addition, special applications by servers to coordinate the outside world can be heritage applications. Or something that isn't a well designed for operation in a plainly opposing online environment. This one application can create the rest of its operation in its protected and vulnerable environment. A currently created protection measure available for blocking such outside of interference and assuring operational goals falling short of its goals both theoretically and practically. These conventional measurements, as described briefly below; they are dual-homed firewalls and basins, filtered, cured operating systems.
Includes system. Access server. Dual-homed firewalls perform network address translation and filtering on network level, data packets to TCP / IP packets. These networks translate the base address of the server, the addresses created, made available by the internal network as its domain, and incoming data packets inside the address to the organization's internal network. To specify the system. Data
Packets only, it receives internal addresses that have passed checks by the packet filter's access control list (ACL). For example, an ACL can enable File Transfer Protocol (FTP) traffic to the path only; if it is put into certain parts of a secure environment. An application level proxy operation or bastion is a type of firewall that separates external client applications that can be conflicting from internal server operation. While simulating client-side application to independent servers, this operational separation is achieved by proxies that simulate server-side application to independent clients. Applicable data
Data is passed in two simulated proxies for half an hour. Context filtering; related to storing a table of data associated with the incoming packet and authorized only for the session; the data for these packets is consistent with the session criteria for that data. If you have. The hardened operating system enhances the application server for development and for bugs that affect the operating system. For example, the separation of clients and servers within a bastion server can be enhanced by disabling the routing of incoming messages due to their natural protocol. This is the external TC
"IP over IP" encapsulation, which sends TCP / IP packets as payload data on P / IP wrappers, prevents operating system development. Removing the TCP / IP wrapper keeps potentially harmful TCP / IP packets complete. Disabling all TCP / IP shipping is due to its natural TCP / IP
Guarantee that some messages have been forwarded in a format different from the IP format. The barricade-built operating system is hardened by stripping everything away. One severely limited,
A set of functions; as a result, the processor responds to the incoming message as a demon, as discussed in US Pat. No. 5,778,174. The access server is used to enhance the application level security within the network by performing access control filtering tasks on the fixed machine in addition to the access control at the network level. . The bastion server acts at a higher level, the application level of the open system interconnection model as a proxy for internal servers. These proxy servers screen the data payload of incoming packets according to rules specific to each application. Format given a law bar,
These combinations from being passed through syntax or proxies.
However, these laws can hide useful data from internal systems. These proxies are regarded as bottlenecks, as they use the proxies intermittently, which creates an incentive to use a "crop" strategy. Filtration leveling application; having increased volume and variety of data streams, regarded as a security building that is not easily rated to the meeting. Many conventional solutions, one of the weaknesses that provide an application level of filtration, identify the safe data expected by a "positively" protected system that they do not. That is it. The filtration rules they use are usually guided by the information that is to be excluded by themselves. Such laws are limited by history. And to recreate any prior attempts at development or attack. Such past experience patchwork cannot guarantee security. This is evident from the numerous monthly reports of new security breaches affecting today's main applications, operating systems and network control package usage. Each time a new function is added to the internal system, a new opportunity for unauthorized access is added. For example, if a bank reveals customer home banking access, it creates an opening with a firewall that provides a TCP / IP filter and an authorizing proxy to the bank's private network (VPN). If the design of the bequest accounting software, formerly still used by bank employees, allows for administrative correction of the report. Reports are vulnerable to hackers despite firewalls and private nets. In another embodiment. If the publisher adds "guest account" access to the list of previews to the features of the server, the list of books available in full text to authorized employees and customer accounts is Can be vulnerable to hacking. These are examples of how newly emerging, application-specific network security issues are inadvertently added, one at a time to the system. Addressing them one at a time (although) is self-destructing due to incremental changes in the design of network security. As a general and practical substance, conventional and incremental solutions are often useless, so attacks and mining attempts that frequently follow the bypass, they also directly affect the application, sometimes rotate, and attack , Safe operation itself. The practical reason for such ominous success is an inherent danger to the size and complexity of the security software used. Complexity and scale are unavoidable when security operations are implemented programmatically by standard, multi-purpose building software components. In addition, it is statistically certain that large composite software packages contain bugs, and careless bugs are more difficult to detect due to the full size of the software code listings that have been created and reproduced more. These are simply predictable products of human and coding errors, such as design errors. Attackers; having an expert who looks good on finding and developing these bugs to their advantage. However, since such an attack requires code, it violates the standard rules for verifying software, once the software is verified,
It is not more robust in operation. Also, it is not very vulnerable to direct attacks. Others have thereby conserved resources in an attempt to develop. Unfortunately, at present, formal verification of software design and execution is applicable to small chunks of software. Thus, the assay is not effectively available for large composite software packages that may need it most. There is a need for a method and system for a trusted computing environment that better protects against attacks from external computing environments.

SUMMARY OF THE INVENTION It is a collection of the present invention that solves the problems scattered in relation to existing security and integrity systems. It effectively shields the internal environment from data potentially harmful to the internal environment,
5 is another example of an invention for restricting communication between an external uncertain environment and an internal secure environment. It is another example of the present invention for implementing a user to specify a set of simplified displays of content data that is implemented to pass from an external computing environment to an internal computing environment. . Also, to protect any arbitrary capacity data other than specific data for passing through the internal environment by converting all allowable data into a simplified representation. These and other aspects of the invention are achieved by a secure gateway system between an externally uncertain computing environment and an internally reliable computing environment. It converts messages received from the external environment into simplified messages. The internal environment then converts the simplified message into an appropriate message. Transformation; involves removing the external environment transport protocol and reducing the volume of messages left after removing the protocol into a simplified representation of the volume to create a simplified message. Simplified expressions should be included in applications that start in the internal environment,
It is converted to an internal message by converting the simplified representation to a representation appropriate for the internal environment. Also, the addition of an internal environment protocol, including the applied protocol to thc, transformed the message. A simplified representation exists for some. Restricting accordingly the content that can pass from the outside to the internal environment, not necessarily all types of content that can be received from the outside environment. The security gateway system protects the computer. Network or sub-network or application confidentiality or behavior from computer resources, intrusions that develop operating systems into faulty files, computer security policy violations such as flood buffers, and from attacks Running application programs and bugs that endanger Gateway systems are robust, complete, effective, and elegant solutions to the problem of protecting secure network security and integrity, computers and applications running on them. In addition, the gateway system has a configuration that improves the robustness of the system and the protection provided to the trusted environment, and helps a simpler assay. In a preferred embodiment of the invention, the security gateway system includes a separately controlled complementary computer processing element that isolates the secure environment from the uncertain environment. These complementary, separately controlled processing elements are sometimes referred to hereafter as internal and external "robots" with external robots connected to uncertain environments and internal robots connected to solid environments. Is done. The external robot reduces the total data received from the external computing environment to simplified shapes that are harmless to the internal environment. The internal robot also converts data received from the internal environment for transfer to the external robot, converting the thc to data suitable for transmission on the external environment.
In the same way. In the first special implementation, the robot is implemented on two independent computers. In a second special implementation, the security gateway is linked to both internal and external environments, such as a network containing terminals accessible to five unauthorized persons or simply less secure resources on the same computer. Residing on a single computer. In this implementation, the gateway system may include a monitor program for creating a protected virtual machine on a single processor. And
Ensures the separation of the assets of the two robots and their operational independence. The robot can be two independent computer steps running in a single CPU alternating time slice. Instead, one of these steps is performed by an add-in CPU processor. The robot process separates the internal and external environment from each other, resulting in a single
The computer itself separates the secure environment from the uncertain environment. The robots pass messages to each other on a dedicated communication link by means of a transport protocol to the security unit. Since the communication link connects the two robots, the transfer protocol can be simplified, with metadata about the content of the simplified message such as the length and number of data items; Having any routing information. The message format, and the format of the message's payload or content, are translated and re-translated by the translator and also by the interpreter for internal application protocols specific to the application protocol of the message received by the security system . When one robot receives the message, it converts the message by a special internal application protocol relay and a special internal transport protocol relay, respectively. The second robot translates the data from each internal protocol as elastic data with the original application or transfer protocol, respectively, and translates the secure environmental safety policy. Temporary data is thus removed by this methodology. Also, because the security gateway system transmits elastic data, if the external robot is compromised, the data can be transmitted and received in a non-standard protocol format; Cannot pass harmful commands to In practice, the acceptance test confirms elastic data. In particular implementations, acceptance testing is an access control test, where data must be elastic with a list of valid users, and the actions that are licensed for those users. In another particular implementation, context-sensitive acceptance tests are used to provide privileged access to graphical or audio devices. Internal robots can be relatively simple because the internal robot receives secure input. Since it is relatively simple, it can be formally identified with relative simplicity.
Since the reliability of this internal robot is critical to the security of a secure environment, the confidence level for a secure environment is very high. In addition, the gateway system transmits elastic data across the communication link between the robots. Also, the data is transmitted and received in a non-standard technical protocol format that is not implemented outside the secure gateway. Uniform; if the external robot is compromised, it cannot pass harmful commands to the internal robot. As a result, the formal test of the internal robot serves as a formal test of the gateway system as a whole. A conceptually sound depiction of the internal computing environment is any depiction applicable to a particular computer source, such as a disk drive, memory-space or add-in card. Alternatively, expanded; to include the entire computer or network. Similarly, an uncertain external environment can be considered to be not necessarily part of a secure environment, or to encompass everything that continues to be of interest, such as a range of problems such as the Internet. Protecting, for example, the company's internal network as its secure environment; information from any confidential breach or attack incident, with networks operated by vendors and suppliers accessing company inventory data. Includes protecting it until exchange. Dial in from a remote location or through an Internet connection, at a company employee, etc. However, the LAN itself device or U.S. S. A laptop computer or hand-held device, such as a palm pilot manufactured by Robotics, which is supposed to be temporarily connected to a LAN or can be responsible for security leaks, The source of an attack on the environment.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In these drawings, similar ones are assigned like reference numerals. The system and method of the preferred embodiment of the present invention will now be described with reference to the drawings. Referring to FIG. 1 a, the network security gateway 10 is between an internal computing environment 12 and an external computing environment 16. In the implementation shown in FIG. 1a, the internal computing environment includes a network server 13 which may belong to a network subnet. Also sensitive system server 14. External environment 16 can be any environment external to the web, system servers 13, 14, typically including the Internet. The gateway 10 is connected to the internal system server 14 by a bus 20b and a communication bus 20a to the network server 13. And to the external environment by the bus 22. Conventional network interface cards can implement these buses as Ethernet connections, such as Ethernet PCI cards. Alternatively, V. It can be implemented as a serial connection with 35 interfaces. Other connection methods known to those skilled in the art. The buses 20a, 20b and 22 can use the same or different types of connections. Security gateway 10; referred to herein as a robot connected by a dedicated fixed communication bus 28, contains two separate and distinct processing elements 24,26.
The internal robot 24 is connected to the web server 13 and the system server 14 by a bus 20b (20a). The external robot 26 is connected to the Internet or another external environment 16 by the bus 22. As described in greater detail below, each robot communicates via its own protocol, referred to as a clear-to-internal protocol or CIP, from its respective environment to simplified messages. The message can be translated or reduced, transmitting the CIP message to the other robot on the internal robot bus 28 via the internal robot transfer protocol or IRP and the received from the other robot into a fixed message for each environment Translate such CIP messages. In one implementation, the security gateway 10 connects to the organization's internal network in the following manner.
Connected to the network. The apply proxy is connected by a bus 20a to the internal system server 14. Also a web proxy 4s connected by a bus 20b to a web subnet where: a web server 13 exists. As will be appreciated by those skilled in the art, it is possible to have multiple web subnets with dedicated interfaces. Or having multiple web servers in the same subnet; similarly, it is possible for a device to serve each dedicated interface to multiple internal environments. Also multiple servers or applications in the same internal area. The implementation described a single internal environment with respect to the service of FIG. 1a, with a single server traveling a single application. Also a single web server on a single web subnet for simplicity reasons and ease of implementation. However, the principles of replication and expansion of gateway system 10 are system design parameters understood by those skilled in the art. For example. FIG. 1b illustrates an alternative configuration for the internal environment 12a. As shown in FIG. 1b, the LAN server 13a is connected to the internal robot 24 by a plurality of interfaces 20a, 20b, 20c. SQL server 14 with LAN server 13a service communication of many internal application servers 14a-14f, with its own additional server security process 11
a, and that it includes financial institution server 14b, which provides access control and other security measures. 3 interface 20a. 20b and 20c providing for various communication protocols to be used, including 120a for issuing SQL commands to SQL database server 14a, CGI in HTML data 120b for transmitting e-mail and web communication protocols including calls and 120c for high security, a financial communication protocol specific to thc financial institution server 14b. A corresponding composite interface 22a-22c can be provided between the external robots 26. The external environment 16 for receipt communicates with various communication protocols. There can be a separate processing module for each message protocol. Alternatively, this combination may be streamlined to provide a single module for a "gateway" transfer protocol implemented with a secure gateway.
One for the "middleware" protocol that bypasses the server, perhaps one for the encryption protocol and one for the application protocol. The streamlined alternative takes away system overhead caused by double filtering of HTTP protocol messages. It occurs with no apparent safety flaws or leaks, and less than that of the linear appendix while still blocking tapping. On the other hand, "powerful" machines with advanced operating system behavior and features, such as the Sun SPARC station, are needed to move it in addition to its overall cost for end users It is said. The advantage of standard sizing is the economics of being able to selectively implement additional protocols by approaching and adding individual modules specific to the task. Internal communication connects the respective robots 24, 26 according to a serial bus, parallel bus or universal serial bus standard, sending 28 by bus. In accordance with the present invention, a SCSI bus and an internal bus 28 linking the two robots, which may be fiber optics. Network interface link or wireless link; the robot must operate on a larger distance, shared memory protected by a VMM. Or the same kind. Together, these three elements 24, 26, 28 implement the protection provided for the internal environment 12 protected by the network security gateway 10. Robot 24. 26 are two separate and independent logical steps that perform the procedures defined by each security gateway software package. The robots 24, 26 can be mounted on two separate or single processors that operate one or both of the robots 24, 26 in a protected mode. In some implementations, each software package is installed on two or more respective separate CPUs for simplicity and off-the-shelf component availability. In this approach, each robot moves on a single independent computer processor with non-shared resources, which is delegated to (eg, disk space, memory addresses, network adapters, various peripherals). Also the same kind. The shared resource in this approach is the communication bus 28. Multiple configurations can be used to implement this approach. One such configuration is different independent computers (PCs) connected by a communication bus, such as a serial line. SCSI line, and the like, with each PC equipped with an internal network or another network adapter to coordinate the rest of the external world. Alternatively, one robot program can travel on a computer (PC) and on the other with additional cards, which can be dedicated cards or devices. Alternatively, a reference card (such as an additional card with a telephone number of 80x86) (which is installed on one slot of a PC equipped with this slot as communication bus 28)
Is done). Both PCs and additional cards; having additional network adapters for internal networking or the rest of the external environment for coordination. The two robot programs can run on different independent processors, implemented on standard (such as dual phone number 80x86 processor cards) or dedicated additional cards. These two processors are SCSI
It is connected by a communication bus such as a line, a Kitano Gui bus, a PCI bus and the like. Each robot has a separate network for linking the internal environment 12 or the external environment 16.
Includes adapter. This additional card is installed in a standard or dedicated network communication device, such as a router, bridge, or communication server. Also the same kind. In another implementation, the two robots 24, 26 are implemented on a single CPU by a protected mode, such as the VM86 mode, provided by VMM and Pentium® technology. For example, a single CP running Windows NT (WINNT) operating system
At U each robot or external robot 26 Protected mode under the supervision of a monitor program or "mediator" to prevent each robot from affecting the other's operation and the rest of the CPU's environment
Operated by The monitor program further implements a communication channel 28 therebetween with shared memory resources and a special API for each protected mode to negotiate the communication of data between them. The two software robots 24, 26 are separated by a CPU under the control of a VMM program. In a sense, each robot transfers certain assets of a computer (such as disk space, memory address ranges, peripherals such as floppy disks or tape drives) that are not shared with the other robot. Is done. Also, the separation policy is enforced by the VMM program. Only one resource Communication bus 28 Shared by two robots 24,26. Also, a dedicated memory address space can implement this bus 28. VMMs and robots running in their personal environment can run on dedicated computers. They can be moved on non-dedicated computers. Certain modifications to the standard OS (Windows) may be necessary to move in a protected mode. A VMM program that controls all events at the CPU level. A hardware interrupt mechanism imposes two virtual processing elements on a single CPU machine.

The structure and operation of the inside and outside robots The inside and outside robots 26, 24 are now described in more detail in FIGS. 2a and 2b. Referring to FIG. 2a, external robot 26; contains a channel manager 54a for wrapping outgoing CIP messages to internal robot 24 in an internal robot protocol or IRP and removing the IRP from incoming messages. The external robot contains a network proxy 4e that wraps the massage in TCP / IP or another transport protocol for the external environment 16. These protocols, mayinclude TCP / IP, UDP, SPX /
IPX, HTTP, SNA, NCP, CORBA, RMI, RPC or communications move protocol. CIP is specific to the application protocol used, such as SMTP, POP3, SQL, CGI. Also application specific protocols such as those for banking. Protected environment 12 uses secure hypertext translation protocol (S-HTTP) over TCP / IP, TCP / IP (or similarly secure scheme SSL) and structured query language (SQL) So you can as well as professional financial communication protocols and application protocols. The robot may need a complementary set of each of the three CIP protocol stacks. External robot; routing manager 4b for routing format messages of CIP or application between various elements of external robot 26
It contains. A routing manager 4b for reducing messages received from the external environment 16 to the CIP according to the procedure described below from the applied format.
The safety gateway 1 under the guidance of the protocol manager 4c and the routing manager 4b connected to
Communication layer security (CLS) routine 4d that provides decryption and authentication services for O. The first routing manager 4b forwards the apply message to the chlorine procedure 4d. The message is then validated and decrypted from the message to the protocol manager.
4c is transferred. The protocol manager 4c reduces the natural application protocols it receives from environments that are not particularly trusted for the respective CIP format for that natural protocol. The channel manager 4a in the external robot 26 moves the CIP fixed data onto the internal robot communication bus 28. As seen in FIG. 2 b, the internal robot 24 has a configuration similar to the external robot 26. It contains a channel manager 2a that is similar to the channel manager 4a of the internal robot 24 and therefore of the external robot 26. Routing manager 2b Protocol manager 2c Also many proxies depending on the configuration of the internal environment. Given the internal environment illustrated in FIG. 1a. Proxy: Include the application proxy 2e and the network proxy 2f. The data received by the channel manager 2a of the internal robot 24 is translated by the protocol manager under the guidance of the routing manager 2b, which is later retranslated from the CIP format into the respective native application protocol. 2c. The re-translated result is sent to the corresponding web server 13 by the data stream sent to the gateway 10 by the application proxy 2e and the bus 20a or by the bus 20b to the web proxy 2f. Web Proxy 2f
To the internal environment 12. And it was led to the protected system server 14 again. As long as the similarity function is provided, these various tasks are said to be performed in the separation module in this implementation; however, they cooperate in producing the described results. , These tasks can be grouped or assigned to different modules, attached to each other, or elsewhere. For example, a security function (as performed by the chlorine module 4d) is possibly assigned to internal and external robots to provide security for cryptographic variables stored in it (keys and signatures) Can be. Communication between the external and internal robots is on a dedicated internal robot bus 28,
Performed by a dedicated simple internal robotic protocol or IRP by itself. The data is translated into security gateway operation by the security protocol specific to the received data and the internal application protocol. A secure environment application is a simple mail transfer protocol (SMTP) (file transfer protocol (FTP) and fixed) where a robot can be configured to authorize data flow according to the selected communication transfer protocol (CTP) Electronic transfer (
Like set) protocol). Preferably, the CIP assigned to the communication is unique during CTP use. Flow sequence corruption enabled by messy operating system calls or looping would be trapped and logged. For example, in a file transfer protocol (FTP), a get command is not recognized by a pass command unless preceded by a successful login sequence containing a user command. Violation of the required flow order results in an alarm to terminate the logging and FTP session. Because each repeater and interpreter pair is a special trans-form derivative of the protocol for the incoming message and the type of data flow enabled by the security administrator, the gateway 10 has a data flow request. To strengthen. For example, when issued by an external SMTP user, the "MAIL FROM"
Command If it is accompanied by a "HELO" command, the external server is "MAIL FROM"
An ART corresponding to the command is sent. FIGS. 3a and 3b show the data flow implemented by the device shown in FIGS. 1, 2a and 2b. At the beginning 40 of the process, a timestamp is logged by the external robot 26 with overview and communication packets received from the external environment 16 as shown in FIG.
Step 50 with the function of data security protection such as decryption into plain data
. Delivery is initiated by a synchronous API module in a secure gateway on a "temporary write" medium (such as a CDW). The material handling process includes sparse recording of program state changes, time stamp messages,
S, system error, access and flow breach attempts, the rule fires on each packet. In general, error and debug entries are maintained with greater detail than message and state entries. Each service module has all administrator actions, user login / logout, database errors, simplified network
Automatically acquired periodically to maintain a full audit trail of protocol management traps or alarms. A database of known intrusion patterns is provided. Also, habitual use patterns of groups in a secure environment are monitored. Further, the administrator is notified of the case branching from the pattern. For security, the timber is accessed locally through internally trusted ends. However, the external timber is not compatible with the internal CIP corresponding to the external timber natural protocol.
It is securely copied to internal records by the protocol and then interpreted into a different article format for use by internal entries to prevent counterfeiting. Alternatively, external wood can be written to a separation system to reduce the overhead imposed on the robot inside by the logistics process. "Dual channel manager structure" where: dedicated channels for recording messages and additional channels within each robot
There is a manager, may have been used. The software for handling the fleet can use an implementation ACE package or other commercial product. The inner and outer lumber are recorded asynchronously by the logger daemon so that the logging items can be written without waiting in vulnerable queues during thread lockout or busy I / O conditions. Immediately go to the written record. Asynchronous wrappers can implement this through comprehensive OS logging, such as UNIX's Syslogd & Error and MEventLogger for abuse. An ODBC standard file structure for program 5 states and messages related to business processing information. Oven Database Conference (ODBC) logger; with some asynchronous attitude options, they are not directly applicable. Therefore, it cannot reproduce a realistic alternative.

[0005] Then, in step 60, the plain data is edited to reduce it to clear data and translated into a CIP format, after which the CIP format is translated into the internal robot 24.
Is sent over the internal communication bus 28 of the security D gateway. In step 70, the internal robot 24 retranslates. Probably remodeling. From the CIP format, the data falls back to a format specific to the application being issued, possibly introducing some editing changes. In step 90; if the data belongs to a web session (HTTP), it is sent first up to 5, web server 12. The web server 12 can initiate an apply request, transport, respond to data internet source, received web server, its network secure gateway. By the rear, meanwhile, step 100
As noted in, the data goes to its destination. If, on the other hand. The data does not belong to a web session, such as data transmitted directly to the application server, the internal robots can easily communicate with the application proxy 2e and on the bus 20a to the internal environment 14 Send the data. Completing the security, which comprises step 100, a gateway security assurance process to step 104. Referring more clearly to FIG. 3b, TCP / IP packets or other basic units of data relating to the appropriate communication protocol for the available
2, if accepted by the secure gateway proxy 4e corresponding to the protocol, it is logged in by the external robot in step 51.
It records the S-number of the packet, which reproduces the completed transport phase for the packet, and the operational status code. However, detailed timber is not maintained because the robot is being barricaded. In step 52, after the secure gateway proxy 4e, the TCP
Removing the supplied encapsulation for transmission of the thc data to the secure gateway by / IP or by some other transport protocol, step 5
3 sends the data to the routing manager 4b which forwards it to the thc communication layer secure (chlorine) module. In step 54, the CLS module decrypts the SSL format, if such encryption is present in the message and interface (or other security scheme S-HTTP), and verifies the identity of the sender.
Mediates the information required by the "structure"; if such authentication is required, thereby providing the routing manager 4b with plain application format data. Public encryption key infrastructure, preferably for decryption. Edit the applied data to clear data, and in step 61
The routing manager 4b, which translates to the P format,
Sends simple application format data to the manager 4c. The protocol manager 4c moves the CIP data to the routing manager 4b in step 62. The routing manager 4b sends the CIP data onto the channel manager 4a to a step 63 for encapsulating the CIP data with the IRP, the transmission of this IRP, the communication bus 28 inside the step 64. This CIP format data is transmitted to the robot 24 inside the. The IRP transport protocol is based on CI originating from different natural applications and transport protocols.
P data can be encapsulated. CIP format data was encapsulated according to the internal IRP transport protocol. Received from the internal communication bus 28 by the channel manager 2a of step 71. The channel manager 2a removes the IRP encapsulation and sends the CIP format data to the protocol manager 2c in step 73 (step 72).
The CIP format data is sent to the routing manager 2b. It is the protocol manager 2c in the robot 24 inside. It eventually translates the CIP format data back into its natural adaptation format, which modifies the data, again with the data, thus performing the external robot 26 from the communication received by the external bus. The plain application format data decrypted by the network security gateway 10 on the internal communication bus 20a provides the clear data in the natural application format supplied to the trusted environment 14. Cannot be similar to Certain additional acceptance tests can be applied to the data at this point to verify the validity of the data, such as tests that have led to the approval of special actions by special users for access control. Providence is created in the context of the present invention to implement for third party integration and system flexibility processing modules to enhance adaptability. Both, the modules referred to below as "plug-in" for internal and external robots, can be called at various locations in the process flow of the equipment. An example of a useful plug-in is access control as described immediately below.
The IP was interpreted at the protocol element level as described subsequently with respect to FIGS. If such an access control plug-in is provided, the protocol manager controls access control by editing its rules. The protocol manager activates access control by sending it four query parameters: actors, actions, resources and properties. Context-sensitive tests can be used to identify multiple messages received from the same source for more than three hours. Access control plug-ins can use secure gates to make such context-sensitive measurements.
Must have read access to the transaction log maintained by wayway 10. For this reason, intrusion detection can use an access control interface to logs. The access control logic (ACL) can be extracted from the monitoring network activity or by extracting rules from the network administrator's response to packets analyzed under the administrator's control. The concept of automatic or guided, semi-automatic recognition of flows, access rules, access lists and valid / invalid data is intended for supply in addition to the device itself. A utility that intercepts all traffic between fixed servers analyzes this traffic and produces a list of users and their implemented activities. And other appropriate parameters (time and date of action), which are intended to provide the utility of retrieving access information from the server itself, which is a window / NT server (registration) or UN1X station (/ etc / pas)
swd). The ACL data is imported into the gateway 10 partially off-time (initial setting). Also partially online (updated). The implemented security standards may include the RADTUS and TACACS RAS standards. TSS mainframe standard or modern alternative: Nickel, NT domain. At step 74, if it passes all such tests, the protocol manager 2c sends the applied format data to the routing manager 2b, which determines its destination. If the data is to be sent directly to the application, it goes to step 101. If the application format is HTTP, the data is sent to the web server. The routing manager 2b sends the application format to the web proxy 2f in step 91 to re-encapsulate it as a TCPIIP packet.・ Send data. Alternatively, all other suitable transfer protocols are to be used by the web server and stack with the protocol. In step 92, the web proxy 2f finally transfers the re-encapsulated data to the bus 20b. In step 93, the web server 12 processes the data. It is expected that web server 12 will translate the data into some applicable format before transferring it to the device. For example, if the user invokes a CGI script on the web server 12 with a CGI request encapsulated in the HTTP transfer protocol, the CGI will also script translate the request into an applicable format SQL or banking. The web server 12 transmits the application format to the network security gateway 10 at the back (SQL query (banking command)); before sending the application data to the routing manager 2b. The web proxy 2f receives it and removes the TCP / IP encapsulation of the thc application data in step 94.
In step 101, the routing manager 2b sends the application format data to the application proxy 2e. The application proxy 2e re-encapsulates all the protocols that were used for the transmission of data to the application data TCP / IP or network security gateway iodine O.

In step 102, the data is sent to the application server 14 in the internal environment 12, where a security assurance process according to the present invention for the data (end to step 104). The back-up process performed by the gateway 10 to process and transmit outgoing data from the internal domain 12 to the external domain 16 includes continued references to the elements identified in FIG. 4a and 4b. Is now described with respect to the flowchart. 1a, 2a and 2b. Referring to FIG. 4a, processing of outgoing data by gateway 10 begins at step 110. In step 120, the internal robot 24 receives application data from the internal system 12. The destination of the data is determined in step 130: If it originates from an indirect session (which is a session associated with a gateway such as web server 13), -The gate is the gateway (
Relayed to a web server; if the data originated from a direct session (a user client communicating directly with the internal system server 14), processing of the data proceeds directly to step 150. . At step 140 of the web server 13 step, the data is stored in web format (H
Web pages to be indicated (such as HTML-pages on the TTP protocol)
While being translated and reconstructed by the thirteen servers, it is also sent to the gateway 100 for processing at this stage and execution proceeds to step 150. In step 150, the data is reduced to a CIP format with some alterations with some filtering related to the nature of the information, such as an article with a "secret" title, such as an article with a "secret" title. Passing from is not feasible. Thereafter, the data is transmitted to the external robot 26 on the communication bus 28. The external robot reassembles the rear CIP format data into the applied format with some changes to the data, step 160. It proceeds by encrypting it or performing some data-related communication security tasks such as attaching it with authentication data. And finally. Secure data is stored in external area 5, process, step 170 to complete step 180
Sent to A more detailed representation of the process was shown in FIG. 4b. Beginning at step 110, application data arrives from the internal system 12 to the application proxy 2e, step 121. In step 122, the apply proxy 2e removes the TCPIIP encapsulation (or which protocol is used to coordinate the network of the internal system) and sends the data to the routing manager 2b (these are the Inside). The routing manager 2b determines the destination of the data, step 130, according to its relation to the session. If the data belongs directly to the session, which one is there? The session routing manager that the client communicates directly with the internal system 14 proceeds directly to step 151. If, on the other hand. The data belongs to an indirect session in which the client cooperates with a gateway such as the network server 13. And relays, information between internal systems, and routing manager 2b
Sends data to the web proxy 2f, step 141. The web proxy 2f encapsulates the data in TCP / IP (or the protocol is used to coordinate 13 web servers or other gateways used). Web server 13 sends it to step 142, web server 1
3 processes the data, typically in response to previous queries, sent by the device O from the web server 13 to the thc internal system 14. It then reproduces it in a web format (typically, the HTML data is fully encapsulated in TCP / IP and "paginated" over the HTTP protocol. Step 143, the web proxy 2f removes the TCP / IP (or other protocol for communication with the web server) encapsulation, step 144. Then, to the routing manager 2b The manager 2b routing to step 151 sends the application data to the protocol manager.
Send 2c. The protocol manager processes the data, step 152. This step may involve performing multiple tests or modifications to protect the internal system 12 and implement security policies practiced by the internal domain. For example, it can reject forward documents or pages, depending on the information they carry. Alternatively, it can remove or hide some information. Or, all based on its capacity. The protocol manager translates the data into CIP, which can be a different coding scheme than that of the incoming direction. At the end of step 152, the CIP data is sent to the routing manager 2b. The manager 2b that routes to step 153 is the channel manager 2
Send data to a. In step 154, the channel manager 2a establishes a CI with an IRP protocol for bus communication.
Encapsulates P data. Then, the data on the communication bus 28 is transmitted to the external robot 26. At step 161 the data arrives at 28 on the communication bus external robot 26; it is processed by the external robot channel manager 4a, step 162. The channel manager 4a removes the IRP encapsulation and routes the CIP data to the manager 4b. In step 163, the routing manager 4b sends data to the protocol manager 4c of the external robot. The protocol manager 4c translates the data from the CIP format into an application format, step 164 with some modifications to the data. The data is sent to the routing manager 4b. In step 171, the routing manager 4b applies to the CLS module 4d which performs a plurality of communication security loads such as encryption to data according to the used security model (SSL) and attached authentication information. Send data and step 172. The chlorine module 4d sends secure data to the routing manager 4b.
The routing manager 4b is a network proxy, stage 173
Finally, send the data to; apply or fix the data, encapsulated in TCP / IP (or whatever protocol, for communication with the client in external area 16). Then, it was sent to the external area 16 by the NIC, step 174. The flow of information from the internal area 12 to the external area 16 is thus completed, step 18
0. Protocol Manager Structure and Operation The core of the robot operation is the protocol manager, labeled 2c and 4c, respectively, in FIGS. 2b and 2a. The protocol manager provides transitions between various application formats to be used by the application protocol. Authorized and implemented by the secure gateway 10 and respective CIP protocols in the CIP format used internally by the secure gateway 10. protocol·
The managers 2c and 4c can perform various other tasks related to the data thc capacity such as access control. As shown in FIG. 5, protocol managers 2b and 4b; respective input queues 210
, 410. Also output columns 250, 450, multiple similarity processing elements between them and the usual two things. The internal input queue 210 comes from the routing managers 2b and 4b, which hold the data and are in a natively adapted protocol format. Data from the routing manager at The internal output string 250 is the CI after translation from the native application format to CIP.
Data in the routing manager 2b or 4b in the P application format
Fix the tread. Further, the external output sequence 450 holds data translated from the CIP. Then, the process goes to the routing manager 2b (4b in the natural application format 50). The work between the input and output queues of each protocol 2 manager c, 4c, session managers 220, 420, which is the session handler 23
A workload balance is provided for their respective sets of 0,430. Each session handler that processes a single session body 240, 440 at a time.
The session handlers 230, 430 determine; the incoming data belongs to which "session" and if no such session is active, the handler will start one.
Each set of session objects 240, 440; they consist of an overall session processor. Each element in the respective set of session records, session objects 240, 440, obtained by combining the data currently received by the protocol managers 2c, 4c and from the thc body container 300 of the protocol managers 2c, 4c, respectively. Process each session. Each communication stream considered by the security gateway as a multiplex rather than a contacting packet. However, the two sessions are usually combined into a single element.

[0007] A "twin session", that is, whenever two sessions connected to the same circuit of information flow, ie, the session handle incoming data and the other handle, outgoing data. Thc concatenation requires that both sessions be synchronized in server state and overall circuit context. Similarly the structure is provided for the internal robot (more precisely). thc Internal robot session object to be able to synchronize external robot session objects; Internal robot session object is an external robot master as child device to maintain security and their roles do. Each session body 240, 440 can write data to the body container 300. The chain order prescribed by which is described below to determine the applicable protocol for processing the data received by the session body in the format prescribed by that protocol. As such, the session objects 240, 440 consult the protocol element table (PET) 310. The session objects each write the output of their respective translation and editing process to a respective one of the output columns 250, 450. Shared Storage Element of Protocol Manager The container 300 and PET 310 hold information that is more global or less temporary in nature than that held in columns 210, 250, 410, 450. The information in the body container 300 is either global to the entire security gateway 10. Or overall, for each user; or for each session. Or session wide, it is global to the entire session, as opposed local information for a single protocol layer or information for a single packet. For example, the username entry in body container 300 is global for all transmitted communications between the user and the server. On the other hand, what protocol elements should be used to reduce or modify PET 310 data, and that it be used to enforce the rules chosen by a particular session body. Overall. One block diagram of the session object is shown in FIG. The session bodies 240, 440 encountered in the thc data in the session-use various protocol elements 70 for processing different protocols. The session bodies 240, 440 consult the PET 310 to determine which protocol, then the element 710 to use. Retrieve information from the protocol element 710 deposits information and from the body container 300.
that's finished. Session bodies 240, 440, call packers / unpackers 720 corresponding to those same protocols streamline the necessary information deposited on body container 300 into a chain of bytes to be output by session bodies 240, 440. In order to select the protocol element 710. The flow of data 2c and 4c into the security gateway 10 in the application 15 format through the protocol manager is shown in FIG.
The data arrives at step 500 in its natural format. Then, 2c and 4c are read from columns 210 by the protocol manager; it contains data coming from the routing managers 2b, 4b. The applied format data is passed to the session manager 220 at step 510.
Moved to At step 520, the session manager 220 locates an available session handler 230. Then, the data buffer is sent to the session handler. In step 530, the session handler 230 currently scans the session, sends the data to the corresponding session body 240 for live, or "oven" processing to determine which sessionthe data belongs. If the data does not belong to one of the oven sessions, the session handler 230 starts a new session body 240 and sends the data, all this. Consisting of: Step 530. The session body 240 begins by storing the data buffer in the body container (or) 300, step 540. The session body 240 may reduce it to clear data in CIP format at step 550 and obtain the identity of the next protocol element 710 that may be used to process the data by PET. Examine 310. If other protocol elements are needed to process the data, the data is passed on to the next j protocol element 710 for processing in step 560, the protocol that element 710 is the data from the buffer. , Or 300, or if the process is complete, deposit the processed result in step 570 there.
If the data has been fully processed by protocol element 710, currently processing it to step 580. The session body repeats step 550 to check if more protocol elements are needed for data. Should be noted, the data provided in the stored buffer, or the end data of the 300, before the protocol is satisfied, is assumed to be incomplete in step 580. Incomplete Data Protocol element 710 and session bodies 240 and 440 cannot complete their respective tasks. Therefore, another buffer is read from the input channel, continuous stage 510. The session body also waits until data for this session has been sent to it by the session manager. If no further protocol elements are needed for step 560, session body 240; it uses a packer 720 corresponding to the protocol element to be used by the session body to wrap data from the buffer, Alternatively, at step 590, 300 into the serial stream of bytes.
This CIP-formatted stream of bytes is transferred to a manager that routes to the output train 250 tread. At this point, the processing cycle is complete, step 600. See figure. The process of converting capacity data from 8 CIP to the applicable format is described and starts at step 700. Protocol managers 2c and 4c read the data from input queue 410 and send the data to session manager, step 710 420. Next session manager 420 sends the data buffer up to one of the available session handlers, steps 720 430. The available session handler checks whether the data belongs to an existing session or whether a new session needs to be created. The session handler sends the data to the appropriate session body, steps 730 440. Session body 440; it uses various unpackers 720 to unpack the CIP information contained in the data and stores the individual data items at its or 300, step 740. The session body 440 examines the PET 310 and information at step 750,
300. for the identity of the next protocol element that is good to process the thc data that is or is now in the body container 300. Ii "there is such a protocol element 710, stage 760. Control passes to it. Also, the protocol element 710 is the OR, the data in step 770 300
The applicable layer data is modified from the data. In step 780, the protocol element 710 determines; whether the operation is complete. At that point, container implementation resumes at step 750 with the determination of the next protocol element. Otherwise, implementation proceeds first; more data is awaited, step 710
. If all protocol elements have been ejected, step 760. The modified data (they are deposited on the body container 310) is sent to the "row to routing on application" 450. Also, the process cycle is 790 complete. Sample PET 310 is shown in FIG. As seen in the retraction PET 310 indicates which protocol element is selected at a point, such as invoking a process (if a TCP / IP protocol element is used). And then. PET 310 indicates which rules and circumstances are required to cause use of a given protocol element. As described above, the session handler consults PET 310 to determine which protocol element is to be used at a given stage in the conversion process. CIP and IRP Protocols According to the present invention, the security gateway's internal CIP and IRP protocols
Data transfer, exchanging the native protocol of messages on the link between the robots, is implemented for a specific data capacity within a given protocol. For example, if a message according to a particular application protocol is disassembled by an external robot, the CIP repeater of the external robot for that protocol can encode, the image information that provides the application rose. Likewise

The internal robot repeater can implement CIP coding for user mouse and keyboard input corresponding to those graphics. In this example, no command code is passed. Defining an acceptable sub-set of the functional set of a given protocol to be implemented to pass through the syntax and trusted environment, CIP
As well as defining that expression. Occurs at different times in the robotic process and is performed in multiple separation stages. First, the user identifies the protocol or set of protocol properties that are implemented to pass into the trusted environment. This can be suitably done in a fourth generation language (4GL) referred to as a protocol definition language ("pedal") that processes string literals. Then, instead of "C" as the target language, a binary virtual machine language (VML) is supplied. The selected command code can be passed by being explicitly or implicitly coded by the transponder. For example, a banknote observation application can be fixed according to the invention by generating a corresponding CIP protocol according to the standard rules for use by messages, natural protocols, and for the entry of a network administrator in a secure environment. Choosing from a natural protocol capacity that you consider safe for attacks that can use banknote observation applications as vehicles, a trusted environment. For the sake of simplicity, assume that the following commands and flow chains are predetermined by the banknote observation protocol: l The "login" command has as its arguments "username" (8 characters, exactly) and "password" (8 characters, Exactly); then 2) the user can choose to issue one of three commands: print, view or LOGOUT to either observe the bill on the screen To produce banknote output Or discontinue each application. However, the response to the print or view command was complete. The system is ready to receive new commands. In contrast, after receiving a LOGOUT command, the system resets to its original state, so subsequently responding to a login command. Corresponding CI for elastic command chains in banknote viewer's natural application protocol
The P protocol format is as follows: 1) username + password (the first 8 bytes are the ASCII code u
16-byte unknown structured string that reproduces (reproduces 8 characters of "samename") The last 8 bytes reproduce the password in ASCII code pair, which is the first in this format. 2) 1, the known, limited, set of strings, 3 commands: identified by O for LOGOUT, print, 1 and 2 for view and 3rd 25 cents; 3) command PRTNT ( -0 or -3) and view (-1) can be by other command identifiers. Since. 4) The command LOGOUT ends any chain. After a 16-character initial valid string is received, the interpreter corresponds to one of two methods: coded as "2", and whenever a CIP interpreter receives a LOGOUT command, the interpreter is in its initial state. And wait for the next one 6-byte sequence. When a print (-0 or -3) or a view (l) appears instead The interpreter corresponds to any of the three command codes. A valid interpretation with three commands, as every sequence of bits must have, creates one of the extra bit combinations by 25 cents. Note that any command is selected to be reproduced in this example by this combination as interpretation is required for multiple combinations. Print command. Note that the login command is valid. "Quantitative" string. Therefore, it is not explicitly coded by the CIP protocol. A supplementary interpreter on the other robot can implicitly pass through the login and re-insert,
When the 16 character strings are received, the interpreter cannot process commands other than login, so the login is not processed under another environment. Therefore, it does not make sense to explicitly provide a command identifier value for a login or other such "quantitative string". The numbers, except for the date, have a logically related "healthy range" for compatibility checking. Only a single date format is implemented from any given or interpreter provided to the CIP repeater. Similarly, unknown and non-systematic strings are supplied with a "health check" value that states the expected length limit for the string. String elements are mapped to a continuous range of characters. Thus, this CIP code step is performed at the level of application of the data suspect class, since the corruption of the thc repeater operation creates a chain of valid commands (though insignificant) that does not damage internal areas. Remove the message at the same time and check the integrity of the internal robot. IRP is a simplified transport protocol adapted for point-to-point communication links, such as between internal and external robots. Since the communication is point-to-point, not routing the information is necessary for the transport protocol. In one implementation, IRP; consists of a header to CIP data with 12 bytes, with 4 remaining bytes being made available for stockpiling use: 1st byte is invalid The second byte; contains the packet S, that is; Stationary variables are used for tracks and increments, numbers from O to 127 assigned packet S; and the third and fourth bytes contain the length of the data in the CIP message. Formal test For a security software product to complete its role, it should be entirely secure, that is. The product must be certified to show that it meets its specifications. Unique combination of technology algorithms / technologies and decoupling two robots with a single link between them to ensure the overall security by checking the accuracy of only the strongly described specific building, internal robot only It allows one to prove the gateway. This is so, because with the use of the reduction method as described herein, anything has sent the communication bus up; as explained above, its interpretation is meaningless data.
Have a valid interpretation by the internal robot, assuming that it is possible but is confirmed. Furthermore, by separating security tasks into internal and external robots, keeping internal robots as simple as possible, the "heavy" task of analyzing the protocols performed by all, external robots and bus drivers Simpler point-to-point internal robot protocols like IRP to simplify, create, verify internal robots, and achieve practical goals. Formally confirm, assuming, that the internal robot and it is a top down approach, first, the robot module (PM, R
M, CM, App-proxy, and network proxy) have the desired characteristics (t
Appropriate interpretation of output from the hc network proxy and input to the CM according to the CM applied by the application proxy, specificationsprovision by the internal application owner
(ded) is proved and confirmed. The characteristics of each module can be manifested in the output it produces in the various output channels available, even as storage areas in the shared memory (-). Or as an I / O port for some connects to peripherals / devices. The assumption of the input it receives is in the precondition format. This allows a full module test with I / O channels by individual module test. Extracting unnecessary information, a specification language such as CSP or its derivatives can describe such a system. And be proven by devices like Spin and FDR2. Thus, the identification of the internal robot is the identification of each module to its output channel characteristics, assuming the accuracy of its input channel. Then, one can move back to proving each is an individual module by breaking it down into its sub-modules. The process of lysis repeats to the level of "atomic" code portion function and treatment; lysis is no longer applicable. However, these code parts are usually small and can be proved by the e "direct" method. These methods can include manual discussions, Theorem Tester (NQTHM, ACL2, PV) and Model Checker (SPT)
N, stages) as well as mechanized methods. He described the invention with particular reference to the presently preferred embodiment, which is apparent to one of ordinary skill in the art; variations and modifications are possible within the spirits and scope of the invention. For example, these implementations; having a local and trusted inter-environmental invention, and one external, untrusted environment, which may be as a storage device intermediary between mutually dangerous environments .

[Brief description of the drawings]

FIG. 1a is a block diagram of a gateway system between internal and external computing environments of one preferred embodiment of the present invention.

FIG. 1b shows a gateway between internal computing environments to be connected to the Internet according to the present invention.
FIG. 3 is a block diagram illustrating an alternative building for a tway system.

FIG. 2a is a block diagram of the external robot shown in FIG. 1a.

FIG. 2b is a block diagram of the internal robot shown in FIG. 1b.

FIG. 3a is a flowchart illustrating a process of processing input data performed by the apparatus of FIG. 1 according to one embodiment of the present invention;

FIG. 3b is a flowchart illustrating the process shown in FIG. 3 in more detail with reference to the elements of the block diagram shown in FIGS. 2a and 2b.

FIG. 4a is a flow chart illustrating a process for processing transmitted data performed by the apparatus of FIG. 1a according to one embodiment of the present invention;

FIG. 4b is a flowchart illustrating the process shown in FIG. 4 in more detail with reference to the elements of the block diagrams shown in FIGS. 2a and 2b.

FIG. 5 is a flow diagram of the protocol manager module shown in FIGS. 2a and 2b.

FIG. 6 is a block diagram of an object container and session sub-module for the device shown in FIG.

FIG. 7 is a flow diagram illustrating a process for converting data from an application protocol to a simplified internal protocol according to one embodiment of the present invention.

FIG. 8 illustrates a simplified internal protocol to application application according to one embodiment of the present invention.
FIG. 4 is a flowchart showing a process of converting data into a protocol.

FIG. 9 is an example of a protocol entry table shown in the apparatus of FIG. 5;

──────────────────────────────────────────────────続 き Continuation of front page (81) Designated country EP (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE ), OA (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG), AP (GH, GM, KE, LS, MW, SD, SZ, UG, ZW), EA (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, CA, CH, CN, CU, CZ, DE, DK, EE, ES, FI, GB, GE, GH, GM, HR, HU, ID, IS, JP, KE, KG, KP, KR , KZ, LC, LK, LR, LS, LT, LU, LV, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TR, TT, UA, UG, UZ, VN, YU, ZW. CA16 5B076 FD08 5B089 GA31 HB18 KF04 5K030 GA15 HA08 HD03 HD06 LD20

Claims (24)

[Claims] 1. A system for achieving limited communication between an external computing environment and an internal computing environment. A system comprising: a first processing element for receiving an external message from an external environment; an external message; One or more external environment protocols for converting an external message into a simplified message by mapping all or a portion of the external message capacity to a simplified representation of the capacity according to a simplex-1ed protocol Contains the volume reproduced in. A simplified protocol definition in which a simplified representation for a certain capacity that can be contained in a message is reproduced in one or more external environment protocols and for the transmission of a simplified message; one or more internal environment protocols Receiving the simplified message transmitted by the first processing element for transforming the simplified message into an internal message by mapping the simplified expression of the capacity to the internal representation of the capacity according to A second processing element for transmitting internal messages to the application starting in the internal computing environment; and a communication channel between the first and second processing elements for moving simplified messages. 2. The system of claim 1, wherein: the second processing element can receive internal messages from the application starting in the internal computing environment. An internal message; it transforms the internal message into a simplified message by mapping all or part of the second capacity to a simplified representation of the second capacity according to a simplified protocol. It contains a second volume that has been reproduced with internal protocols. And transmitting the simplified message to the second processing element of thc over the communication channel. 3. The system of claim 2, wherein: the first processing element externally maps the simplified representation of the second capacity to an external environment representation of the second capacity according to an external environment protocol. The simplified message can be received from a second processing element that converts the simplified message into a message. Transmission of external messages to the external computing environment. 4. The system of claim 3, wherein: each of the first and second processing elements;
It consists of a channel manager to be ansrmted, to encapsulate the simplified message, and to remove the communication channel transport protocol from the received simplified message. 5. The system of claim 4, wherein: encapsulating the simplified message with a communication channel transport protocol; from adding headers to the simplified message without routing information. Become. 6. The system of claim 3, wherein: each of the first and second processing elements; each comprising a protocol manager for converting simplified messages to external or internal messages. And for converting external or internal messages to simplified messages respectively. 7. The system of claim 6, wherein: a protocol manager; consisting of a number of protocol elements. Reproduced in one of many external or internal environment representations, with each protocol element mapping capacity or simplified re presentation reproduced in simplified representation in one of many external or internal environment representations Mapped capacity. 8. The system of claim 7, wherein: a given message comprising a thc protocol manager; a protocol element table for selecting one of a number of protocol elements for capacity mapping. 9. The system of claim 1, wherein: a first processing element; comprising a first CPU and a second processing element; a second CPU.
Consists of 10. The system of claim 10, wherein: the first and second processing elements reside on a single CPU. It is then separated by a fixed shared program running on the CPU. 11. The system of claim 1, wherein: a communication channel moves messages between the first and second processing elements. 12. The system of claim 1, wherein the user defines a subset of the total capacity that can be contained in a message reproduced in an external environment protocol, such as in a simplified representation in the simplified protocol. It consists of an average value to achieve. 13. The system of claim 12, wherein: The simplified protocol defines a simplified representation for a subset of the total capacity that can be contained in a message reproduced in an external environment protocol. A subset of excluded capacity that can harm the internal computing environment. 14. A method for achieving limited communication between an external computing environment and an internal computing environment, comprising: receiving an external message from the external computing environment. Message comprising one or more of: Capacity reproduced in multiple external environment protocols; reducing received external messages to simplified messages by mapping all or part of the external message capacity to a simplified representation of capacity according to the simplified protocol The simplified protocol definition has simplified the representation for a certain capacity that can be contained in a message reproduced in one or more external environment protocols; the mapping of the simplified representation of the capacity in thc Converting a simplified message to another message can be done according to one or more internal environment protocols. Simplified messages to an internal environment representation capacity; also moving the application message to the application that initiated internally computing environment. 15. The method of claim 14, wherein: reducing the external message to accept, external message, and simplified message converts the simplified message to internal message. Performed in one processing element and the thc stage, moving internal messages to the application, performed in a second processing element. The method comprises: transmitting a simplified message from a first processing element to a second processing element on a communication channel. 16. The method of claim 15, comprising encapsulating the simplified message with a communication channel transport protocol prior to transmitting the simplified message. Eliminating the communication channel transport protocol from existing messages simplified the message to applicable messages. 17. The method of claim 14 wherein: receiving an internal message from an application starting in an internal computing environment; an internal message; it is an application reproduced in one or more internal environment protocols. Containing capacity; reducing received internal messages to simplified messages consisting of: all or part of the applicable capacity; converting simplified messages to external messages; and external computing environment To transmit external messages to 18. The method of claim 17, wherein: reducing received internal messages for simplified messages; all or part of the applied capacity in a simplified representation of the applied capacity according to a simplified protocol. . 19. The method of claim 18, wherein: converting the simplified message to an external message; containing the simplified message in an external environment representation of the applied capacity according to one of a number of external environment protocols. And mapping the applied application capacity. 20. The method of claim 19, comprising: converting a simplified message to an external message; encapsulating the mapped capacity in one or more transport communication protocols for the external computing environment. . 21. The method of claim 14, wherein: The first part of the external message capacity is not defined by a simplified representation in a simplified protocol. And. So: The step of reducing incoming external messages to thc simplified the message; consisting of mapping the second part of the external message capacity to a simplified representation. 22. A system for providing limited communication between an internal computing environment and an external computing environment. A system comprising: a first process for receiving an application message from an application starting in an internal computing environment. One for transforming the applied message into a simplified message by mapping all or part of the applied capacity to a simplified representation of the applied capacity, according to a simplified protocol; Contains application volumes reproduced with multiple internal environmental protocols. The simplified protocol definition has simplified the expression for certain capacities that can be contained in messages reproduced in the applicable protocol. And for transmission of simplified messages; messages simplified to external messages by mapping a simplified representation of the applied capacity to a second capacity external environment representation according to one or more external environment protocols A second processing element for receiving the simplified message from the first processing element and transmitting the external message to the external computing environment; and a first for moving the simplified message, Communication channel between the second processing elements. 23. A method for implementing limited communication between an internal computing environment and an external computing environment comprising: receiving an apply message from an application starting in an internal compute environment; an apply message; Containing the applied capacity reproduced in the internal environment protocol of; reducing the received applied message to a simplified message consisting of: a simplified representation of the applied capacity according to the simplified protocol All or part of the applied capacity by mapping all or part of the applied capacity A simplified protocol definition is a representation for a certain capacity that can be contained in a message reproduced in one or more internal environment protocols. In messages that have been simplified to an external environment representation of capacity according to one or more external environment protocols. It converts the simplified messages to an external message by mapping a simplified representation of the use capacity; and deforming the external message to the external computing environment. 24. A method for enabling a formal test of a system. A system comprising: a first processing element and a second processing element connected by a communication bus; An untrusted computing environment connected to the computing environment and a second processing element. Providing a simplified communication protocol between the first and second processing elements comprising: data for moving messages between the first and second processing elements. Also formally identifying only the second processing element.