Secure communication channel mechanisms for isolated networks


Thesis type: Master's

Institution: Orta Doğu Teknik Üniversitesi (Middle East Technical University), Enformatik Enstitüsü (Graduate School of Informatics), Siber Güvenlik Anabilim Dalı (Department of Cyber Security), Turkey

Approval date: 2009

Student: GÖKDENİZ KARADAĞ

Advisor: ATTİLA ÖZGİT

Abstract:

Current network security solutions consist of a single host whose network interfaces are connected to the protected and external networks at the same time. This design ensures security by restricting traffic flow to a single point, where it can be examined and acted on by a set of rules. However, the design also has a flaw and a single point of failure: vulnerabilities in the security device itself. An adversary would have unhindered access to the protected networks if a vulnerability in the security device leads to its compromise. To prevent this possibility, high-security networks are completely isolated from external networks by prohibiting any network connection, constituting a so-called air gap in between. But data transfer needs do arise between external networks and high-security networks, and with current technology this problem has no solution without human intervention. In this thesis, we propose a set of mechanisms that allows near-real-time data transfers between the high-security network and external networks without requiring any human intervention. The design consists of two hosts connected via a shared storage, transferring only application-layer data between the networks. This prevents attacks targeting the network stack of the security device's OS and confines a compromised security device to the network it is already connected to. In case of a compromise, the amount of possible unwanted traffic to and from the high-security network is vastly reduced.
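As an added illustration that is not part of the thesis: a minimal Python sketch of the shared-storage handoff described above, where the external-side host writes only an application-layer record and the high-security-side host accepts nothing that does not fit a strict, pre-agreed envelope. The shared storage is modelled as a directory, and the envelope format (fields seq, type, body; a type allow-list; a size limit) is an assumption of this example, not a specification from the thesis.

```python
import json
import os
import pathlib
import tempfile
from typing import Optional

ALLOWED_TYPES = {"report", "alert"}   # assumed application-level allow-list
MAX_BYTES = 4096                      # assumed upper bound per record


def publish(shared: pathlib.Path, seq: int, record: dict) -> pathlib.Path:
    """External-side host: serialize only application-layer fields, write atomically."""
    payload = json.dumps({"seq": seq, "type": record["type"], "body": record["body"]}).encode()
    tmp = shared / f".{seq:08d}.tmp"          # not matched by the consumer's glob
    final = shared / f"{seq:08d}.msg"
    tmp.write_bytes(payload)
    os.replace(tmp, final)                    # consumer never sees a half-written file
    return final


def validate(raw: bytes) -> Optional[dict]:
    """High-security-side check: exact field set, allowed type, bounded size, else reject."""
    if len(raw) > MAX_BYTES:
        return None
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict) or set(msg) != {"seq", "type", "body"}:
        return None
    if not isinstance(msg["seq"], int) or msg["type"] not in ALLOWED_TYPES:
        return None
    if not isinstance(msg["body"], str):
        return None
    return msg


def consume(shared: pathlib.Path, expected_seq: int):
    """High-security-side host: drain files in order; accept only valid, in-sequence records."""
    accepted, rejected = [], []
    for path in sorted(shared.glob("*.msg")):
        msg = validate(path.read_bytes())
        path.unlink()                         # every file is removed, accepted or not
        if msg is None or msg["seq"] != expected_seq:
            rejected.append(path.name)
            continue
        accepted.append(msg)
        expected_seq += 1
    return accepted, rejected, expected_seq


def run_demo():
    """Constructed scenario: two good records and one planted binary blob in the shared store."""
    shared = pathlib.Path(tempfile.mkdtemp())
    publish(shared, 0, {"type": "report", "body": "ok"})
    publish(shared, 1, {"type": "alert", "body": "disk full"})
    (shared / "00000002.msg").write_bytes(b"\x7fELF\x00\x01")   # not application-layer data
    accepted, rejected, next_seq = consume(shared, 0)
    return [m["body"] for m in accepted], rejected, next_seq, list(shared.glob("*.msg"))
```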