CN-118451697-B - Cloud-based cross-domain system-virtual data diode

Abstract

In some aspects, a Network Interface Card (NIC) may receive, at a first node of the network interface card associated with a disconnected network, a message intended for the disconnected network and sent using a first communication protocol. The network interface card may send the message from the first node to a second node of the network interface card using a second communication protocol, the second communication protocol configured for unidirectional communication. The network interface card may receive the message at the second node. The network interface card may send the message from the second node to a destination node of the disconnected network using a third communication protocol. Many other aspects are described.

Inventors

  • E - G - Adaoge pull
  • GAHLESEN JOHN M.

Assignees

  • Oracle International Corporation

Dates

Publication Date
2026-05-05
Application Date
2022-11-16
Priority Date
2021-11-23

Claims (20)

  1. A computer-implemented method, comprising: receiving, at a first processing node of a network interface card associated with a virtual network, a message intended for the virtual network and sent using a bi-directional communication protocol, the network interface card comprising a network virtualization device configured to implement the virtual network running over a physical network; converting, at the first processing node, the message from the bi-directional communication protocol to a uni-directional communication protocol; transmitting the message from the first processing node to a second processing node of the network interface card using the uni-directional communication protocol; receiving the message at the second processing node; and sending the message from the second processing node to a destination resource of the virtual network.
  2. The method of claim 1, wherein the uni-directional communication protocol is User Datagram Protocol (UDP).
  3. The method of claim 1, wherein the network interface card comprises an intelligent network interface card (smart NIC).
  4. The method of claim 1, wherein the virtual network comprises a virtual cloud network.
  5. The method of claim 1, wherein the virtual network is configured not to connect to a public network.
  6. The method of claim 1, wherein the message, after leaving the second processing node, passes through a filter chain before reaching the destination resource.
  7. The method of claim 1, wherein the connection between the first processing node and the second processing node is established using a networking cable.
  8. The method of claim 7, wherein the connection established using the networking cable does not include a diode.
  9. The method of claim 1, wherein the message is received at the first processing node from a first source, and wherein converting the message from the bi-directional communication protocol to the uni-directional communication protocol is performed based on the message being received from the first source; the method further comprising: receiving, at the first processing node, a second message intended for the virtual network and sent using the bi-directional communication protocol, wherein the second message is received at the first processing node from a second source different from the first source; transmitting the second message from the first processing node to the second processing node using the bi-directional communication protocol, based on the second message being received from the second source; receiving the second message at the second processing node; and sending the second message from the second processing node to a second destination resource of the virtual network.
  10. The method of claim 9, wherein the first source is a first streaming data source and the second source is a second streaming data source.
  11. The method of claim 1, wherein converting the message from the bi-directional communication protocol to the uni-directional communication protocol comprises configuring the bi-directional communication protocol for uni-directional communication.
  12. The method of claim 1, wherein the message is a streaming message, wherein converting the message from the bi-directional communication protocol to the uni-directional communication protocol comprises repackaging the message into a format defined by the uni-directional communication protocol, and wherein sending the message from the second processing node to the destination resource comprises forwarding the message from the second processing node to the destination resource as originating from the second processing node.
  13. The method of claim 12, wherein receiving the message at the first processing node comprises intercepting the streaming message at the first processing node, the first processing node acting as a destination node.
  14. The method of claim 13, wherein receiving the message at the first processing node comprises intercepting the streaming message at the first processing node, wherein the streaming message comprises a plurality of message packets, and storing the plurality of message packets at the first processing node.
  15. The method of claim 14, wherein the destination resource is located within the protected network, and wherein forwarding the message from the second processing node to the destination resource as originating from the second processing node comprises transmitting the plurality of message packets from the second processing node to the destination resource using a network protocol employed in the protected network.
  16. The method of claim 14, wherein the uni-directional communication protocol is a connectionless protocol.
  17. A non-transitory computer-readable storage medium storing a set of instructions that, when executed by one or more processors of a computing device, cause the computing device to perform operations comprising: receiving, at a first processing node of a network interface card associated with a virtual network, a message intended for the virtual network and sent using a bi-directional communication protocol, the network interface card comprising a network virtualization device configured to implement the virtual network running over a physical network; converting, at the first processing node, the message from the bi-directional communication protocol to a uni-directional communication protocol; transmitting the message from the first processing node to a second processing node of the network interface card using the uni-directional communication protocol; receiving the message at the second processing node; and sending the message from the second processing node to a destination resource of the virtual network.
  18. The non-transitory computer-readable storage medium of claim 17, wherein the uni-directional communication protocol is User Datagram Protocol (UDP).
  19. The non-transitory computer-readable storage medium of claim 17, wherein the network interface card comprises an intelligent network interface card (smart NIC).
  20. The non-transitory computer-readable storage medium of claim 17, wherein the virtual network comprises a virtual cloud network.

Description

Cloud-based cross-domain system-virtual data diode

Cross Reference to Related Applications

The present application claims priority from U.S. non-provisional application Ser. No. 17/534,187 entitled "CLOUD BASED CROSSDOMAIN SYSTEM-VIRTUAL DATA DIODE", filed in November 2021, Attorney Docket No. 088325-1259513 (296100US); U.S. non-provisional application Ser. No. 17/534,194 entitled "CLOUD BASED CROSSDOMAIN SYSTEM-CDSaaS", filed in November 2021, Attorney Docket No. 088325-1259518 (296110US); and U.S. non-provisional application Ser. No. 17/534,196 entitled "CLOUD BASED CROSS DOMAIN SYSTEM-CDS WITH DISAGGREGATED PARTS", filed in November 2021, Attorney Docket No. 0825-1260117 (296120US), the disclosures of which are incorporated herein by reference in their entirety for all purposes.

Technical Field

The present disclosure relates to network security, and in particular to cross-domain solutions.

Background

Hardware-implemented cross-domain solutions exist for controlling and examining data entering a private network. However, such techniques are difficult to maintain and operate.

Disclosure of Invention

Techniques are provided for a software-implemented, cloud-based cross-domain system that allows secure unidirectional traffic into a private network without requiring specialized hardware. In an embodiment, a system of one or more computers may be configured to perform particular operations or actions by installing software, firmware, hardware, or a combination thereof on the system that in operation causes the system to perform the actions. One or more computer programs may be configured to perform particular operations or actions by comprising instructions that, when executed by a data processing apparatus, cause the apparatus to perform the actions.

One general aspect includes a computer-implemented method. The method includes receiving, at a first node of a Network Interface Card (NIC) associated with a disconnected network, a message or data intended for the disconnected network and sent using a first communication protocol. The method further includes transmitting the message or data from the first node to a second node of the network interface card using a second communication protocol, the second communication protocol configured for unidirectional communication. The method further includes receiving the message or data at the second node. The method further includes transmitting the message or data from the second node to a destination node of the disconnected network using a third communication protocol. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the method.

In one general aspect, the second communication protocol is User Datagram Protocol (UDP). In one general aspect, the network interface card includes an intelligent network interface card (smart NIC). The smart NIC may process a message or data arriving on one of its interfaces and forward it to the other interface. The processing may be performed by software and/or hardware that analyzes or converts the incoming message according to rules configured on the smart NIC. In one general aspect, the disconnected network comprises a virtual cloud network. In one general aspect, the disconnected network is not connected to the internet. In one general aspect, after leaving the second node, the message passes through a filter chain before reaching the destination node. In one general aspect, the connection between the first node and the second node is established using a networking link (e.g., an Ethernet cable).

In one general aspect, the connection established using the network link is itself capable of two-way communication; the unidirectional property is enforced by the protocol conversion at the first node rather than by the physical link.

One general aspect includes a computer program product tangibly embodied in one or more non-transitory machine-readable media comprising instructions configured to cause one or more data processors to perform operations comprising receiving, at a first node of a Network Interface Card (NIC) associated with a disconnected network, a message intended for the disconnected network and sent using a first communication protocol. The operations also include transmitting the message from the first node to a second node of the network interface card using a second communication protocol, the second communication protocol configured for unidirectional communication. The operations also include receiving the message at the second node. The operations further include sending the message from the second node to a destination node of the disconnected network using a third communication protocol. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the m
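The hop described in claims 1 and 12 to 16 and in the description above (intercept the bi-directional stream at the first node, repackage it into connectionless datagrams, reassemble at the second node, pass the result through the filter chain of claim 6), as an added example in Python. This is not Oracle's code and not the smart NIC firmware; the datagram header layout, the CRC check, the filters and every function name here are assumptions chosen for illustration. The `deliver` helper runs the whole hop in memory so the example works offline; in a deployment `repackage` would feed a UDP socket's `sendto` on the first node and `Reassembler.accept` would consume `recvfrom` on the second.

```python
"""Model of a software data diode: TCP-style stream in, UDP-style datagrams
across the one-way hop, filter chain on the protected side.

Assumed format (not from the patent): each datagram carries stream id,
sequence number, datagram count and a CRC-32 of its chunk.  Nothing in the
header lets the second node request a retransmission: the only flow is
first node -> second node.
"""
import struct
import zlib
from typing import Callable, Iterable, Optional

HEADER = struct.Struct("!IIII")  # stream_id, seq, total, crc32(chunk)


def repackage(stream_id: int, stream: bytes, max_payload: int = 1400) -> list:
    """First node: the intercepted stream, already stored in full (claim 14),
    is split into self-describing datagrams for the uni-directional hop."""
    chunks = [stream[i:i + max_payload]
              for i in range(0, len(stream), max_payload)] or [b""]
    total = len(chunks)
    return [HEADER.pack(stream_id, seq, total, zlib.crc32(chunk)) + chunk
            for seq, chunk in enumerate(chunks)]


class Reassembler:
    """Second node: rebuilds streams from datagrams that may arrive out of
    order.  A corrupt or missing datagram is simply lost; with no back channel
    the node cannot ask for it again, so the stream never completes."""

    def __init__(self) -> None:
        self._pending: dict = {}  # stream_id -> {seq: chunk}

    def accept(self, datagram: bytes) -> Optional[bytes]:
        """Return the complete stream when its last datagram lands, else None."""
        if len(datagram) < HEADER.size:
            return None
        stream_id, seq, total, crc = HEADER.unpack_from(datagram)
        chunk = datagram[HEADER.size:]
        if seq >= total or zlib.crc32(chunk) != crc:
            return None  # malformed or corrupted: drop silently
        bucket = self._pending.setdefault(stream_id, {})
        bucket[seq] = chunk
        if len(bucket) < total:
            return None
        del self._pending[stream_id]
        return b"".join(bucket[i] for i in range(total))


# Filter chain (claim 6): a filter returns the (possibly rewritten) message,
# or None to block it.  The chain runs on the protected side, after the hop.
Filter = Callable[[bytes], Optional[bytes]]


def max_size(limit: int) -> Filter:
    """Reject messages larger than `limit` bytes."""
    return lambda msg: msg if len(msg) <= limit else None


def printable_ascii_only(msg: bytes) -> Optional[bytes]:
    """Reject anything that is not printable ASCII plus CR/LF/TAB."""
    return msg if all(32 <= b < 127 or b in b"\r\n\t" for b in msg) else None


def normalize_newlines(msg: bytes) -> Optional[bytes]:
    """Example of a rewriting filter: CRLF -> LF."""
    return msg.replace(b"\r\n", b"\n")


def apply_filter_chain(message: bytes, filters: Iterable[Filter]) -> Optional[bytes]:
    for f in filters:
        message = f(message)
        if message is None:
            return None
    return message


def deliver(stream_id: int, stream: bytes, filters: Iterable[Filter],
            drop: frozenset = frozenset(), max_payload: int = 1400) -> Optional[bytes]:
    """Whole hop in memory.  Returns what the destination resource receives
    from the second node, or None if the stream never completes or is blocked.
    `drop` holds sequence numbers lost on the one-way link; datagrams are fed
    in reverse to show that arrival order does not matter."""
    second_node = Reassembler()
    rebuilt = None
    for seq, datagram in reversed(list(enumerate(repackage(stream_id, stream, max_payload)))):
        if seq in drop:
            continue
        out = second_node.accept(datagram)
        if out is not None:
            rebuilt = out
    if rebuilt is None:
        return None
    return apply_filter_chain(rebuilt, filters)


if __name__ == "__main__":
    chain = [max_size(64 * 1024), printable_ascii_only, normalize_newlines]
    print(deliver(1, b"temp=21.5\r\nhumidity=40\r\n", chain))       # delivered
    print(deliver(2, b"\x00\x01binary", chain))                      # blocked
    print(deliver(3, b"x" * 4000, chain, drop=frozenset({1})))       # lost: None
```

Two points the example makes concrete. First, the page says the link between the two nodes is an ordinary two-way-capable cable with no diode (claim 8), so the "nothing flows back" property rests entirely on the second node never transmitting toward the first and on the NIC rules that enforce that; a hardware diode gives that guarantee physically, this design gives it in software, and the dropped-datagram case shows the price of having no return path. Second, claim 9 lets messages from a second source cross the hop with the bi-directional protocol intact, so the source classification performed at the first node is itself a security-critical decision and deserves the same scrutiny as the filter chain.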