Current network security solutions consist of a single host, with the host's
network interfaces connected to the protected and external networks at the same
time. This design ensures security by restricting traffic flow to a single
point, where it can be examined and acted on by a set of rules. However, this
design also has a flaw and a single point of failure: the vulnerabilities in
the security device itself. An adversary would have unhindered access to
protected networks if a vulnerability in the security device led to its
compromise. To prevent this possibility, high-security networks are completely
isolated from external networks by prohibiting any network connection,
constituting a so-called air gap between them. But data transfer needs do arise
between external networks and high-security networks, and with current
technology this problem has no solution without human intervention. In this
thesis, we propose a set of mechanisms that allows near-real-time data transfers
between high-security networks and external networks without requiring any
human intervention. The design consists of two hosts connected via a shared
storage, transferring only application-layer data between networks. This
prevents attacks targeting the network stacks of the security device's OS, and
confines a compromised security device to the network it is already connected
to. In case of a compromise, the amount of possible unwanted traffic to and
from the high-security network is vastly reduced.
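The two-host, shared-storage design described in the abstract, as an added illustration that is not the thesis's own code: the external-side and internal-side roles are simulated as two functions that share nothing but a directory, and the internal side enforces a whitelist, size limit and checksum before accepting any item. File names, manifest fields and policy values are assumptions of this example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

MAX_BYTES = 64 * 1024                               # assumed policy: size limit
ALLOWED_TYPES = {"text/plain", "application/json"}  # assumed policy: type whitelist


def external_side_submit(shared: Path, content_type: str, payload: bytes) -> str:
    """External-network host: place one application-layer payload on the shared
    storage. Only payload bytes and a small manifest are written; no socket is
    opened towards the other host. Staged under .tmp, then atomically renamed."""
    digest = hashlib.sha256(payload).hexdigest()
    manifest = {"type": content_type, "size": len(payload), "sha256": digest}
    for name, data in ((f"{digest}.payload", payload),
                       (f"{digest}.manifest", json.dumps(manifest).encode())):
        tmp = shared / (name + ".tmp")
        tmp.write_bytes(data)
        os.replace(tmp, shared / name)       # payload lands before its manifest
    return digest


def internal_side_collect(shared: Path) -> list:
    """High-security host: poll the shared storage and accept an item only if the
    manifest parses, the type is whitelisted, the size is within policy and the
    SHA-256 matches manifest and file name. Everything else is dropped."""
    accepted = []
    for manifest_path in sorted(shared.glob("*.manifest")):
        payload_path = manifest_path.with_suffix(".payload")
        try:
            item = json.loads(manifest_path.read_text())
            data = payload_path.read_bytes()
            ok = (item["type"] in ALLOWED_TYPES
                  and item["size"] == len(data) <= MAX_BYTES
                  and item["sha256"] == manifest_path.stem
                  == hashlib.sha256(data).hexdigest())
        except (OSError, ValueError, KeyError, TypeError):
            ok = False                       # malformed or tampered: reject
        if ok:
            accepted.append(data)
        for p in (manifest_path, payload_path):   # consume, accepted or not
            p.unlink(missing_ok=True)
    return accepted


def demo(shared: Path = None) -> list:
    """Constructed run: one policy-conforming item and one disallowed type."""
    shared = shared or Path(tempfile.mkdtemp())
    external_side_submit(shared, "application/json", b'{"report": "ok"}')
    external_side_submit(shared, "application/x-executable", b"MZ\x90\x00")
    return internal_side_collect(shared)
```

Because the internal side only ever reads files, a compromised external-side host can offer data but cannot reach a socket on the high-security network, which is the confinement property the abstract claims.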
Identifier | oai:union.ndltd.org:METU/oai:etd.lib.metu.edu.tr:http://etd.lib.metu.edu.tr/upload/12611436/index.pdf |
Date | 01 December 2009 |
Creators | Karadag, Gokdeniz |
Contributors | Ozgit, Attila |
Publisher | METU |
Source Sets | Middle East Technical Univ. |
Language | English |
Detected Language | English |
Type | M.S. Thesis |
Format | text/pdf |
Rights | To liberate the content for public access |