WO2001038991A1 - Methods and apparatus for providing secure multiple-network access at a single workstation - Google Patents


Info

Publication number
WO2001038991A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
subcomputer
assemblies
assembly
selectably
Application number
PCT/IL2000/000747
Other languages
French (fr)
Inventor
Alon Raz
Original Assignee
Net-Safe Communication Ltd.
Application filed by Net-Safe Communication Ltd.
Priority to AU12981/01A (AU1298101A)
Publication of WO2001038991A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/54 Store-and-forward switching systems
    • H04L 12/56 Packet switching systems
    • H04L 12/5691 Access to open networks; Ingress point selection, e.g. ISP selection
    • H04L 12/5692 Selection among different networks


Abstract

Apparatus and methods for providing secure multiple-network access at a single workstation are disclosed. The apparatus includes a subcomputer assembly platform (10), a plurality of subcomputer assemblies (12, 14, 16) assembled with the platform, each of which includes a central processing unit (CPU) (18) and a network adapter (20), a network connection (48), a local control unit (32) for selectably connecting any one of the subcomputer assemblies to the network connection via its network adapter (20) at any given time, and a network control unit (50) for selectably connecting a first of the subcomputer assemblies to a first network and a second of the subcomputer assemblies to a second network, where each of the subcomputer assemblies operates in data isolation from every other of the subcomputer assemblies.

Description

METHODS AND APPARATUS FOR PROVIDING SECURE MULTIPLE-NETWORK ACCESS AT A SINGLE WORKSTATION.
FIELD OF THE INVENTION
The present invention relates to network computing in general, and more particularly to methods and apparatus for providing secure multiple-network access at a single workstation.
BACKGROUND OF THE INVENTION
One of the main challenges today facing managers of private networks, such as Local Area Networks (LANs), is giving their authorized computer users access to both private networks and public networks, such as the Internet, while keeping confidential or restricted private network information from being copied to or otherwise accessed from the public network. Although technologies such as firewalls exist that prevent access to private networks by intruders, they are mainly intended to keep people out and do little to prevent private network users from transmitting confidential data. These technologies are also susceptible to break-ins by intruders who bypass the hardware and software security measures that organizations use to protect their data. The problem has become so acute that many organizations, especially military and governmental organizations and the companies that work with them, simply do not allow their users to access public networks from their facilities, or provide workstations and servers for public network access that are completely separate from those of the private network, usually placed in separate rooms with separate communication lines, and usually shared among several users. These separate private/public network access facilities are bothersome to use, requiring users who need to work on both private and public networks to physically move between workstations in order to do so.
SUMMARY OF THE INVENTION
The present invention seeks to provide methods and apparatus for providing secure multiple-network access at a single workstation that overcome the disadvantages of the prior art described hereinabove. A workstation is provided having multiple subcomputer assemblies, each subcomputer assembly having its own central processing unit (CPU), memory, hard disk or other non-volatile storage device, basic input/output system (BIOS), network adapter, and display adapter. The subcomputer assemblies share a single keyboard, monitor, mouse, I/O ports, and other peripheral devices, as well as the same network connection, via a local control unit (LCU) which determines which of the subcomputer assemblies has control of the workstation and its peripherals at any given time. Each subcomputer assembly runs independently of the others, and no facility is provided for data transfer between subcomputer assemblies. Given physically separate and thus data-isolated subcomputer assemblies, one or more assemblies may be dedicated to public network access while one or more other assemblies may be dedicated to private network access. This total separation between public and private network access within the context of a single workstation ensures that private network data is not copied to a public network, that intruders cannot access the private network via the public network, and that a computer user need not physically move between multiple workstations.
It is noted throughout the specification and claims that the term "data isolation" and variants thereof as used herein refers to the inability of a first CPU to transmit data to a second CPU and/or to store data directly to memory or other storage associated with a second CPU due to absence of a communication channel between the first CPU and the second CPU, its memory, or its storage.
There is thus provided in accordance with a preferred embodiment of the present invention apparatus for providing secure multiple-network access at a single workstation, the apparatus including a subcomputer assembly platform, a plurality of subcomputer assemblies assembled with the subcomputer assembly platform, where each of the subcomputer assemblies includes a central processing unit (CPU) and a network adapter, a network connection, a local control unit for selectably connecting any one of the subcomputer assemblies to the network connection via its network adapter at any given time, and a network control unit for selectably connecting a first of the subcomputer assemblies to a first network and a second of the subcomputer assemblies to a second network, where each of the subcomputer assemblies operates in data isolation from every other of the subcomputer assemblies.
Further in accordance with a preferred embodiment of the present invention the subcomputer assembly platform is operative to provide access to a plurality of peripheral devices, and any one of the subcomputer assemblies is operative to control any of the peripheral devices at any given time.
Still further in accordance with a preferred embodiment of the present invention the network control unit is operative to selectably connect the first subcomputer assembly to the first network at a first time and the second subcomputer assembly to the second network at a second time.
Additionally in accordance with a preferred embodiment of the present invention the first network is a private network and the second network is a public network. Moreover in accordance with a preferred embodiment of the present invention the private network is a Local Area Network (LAN).
Further in accordance with a preferred embodiment of the present invention the public network is the Internet. There is also provided in accordance with a preferred embodiment of the present invention apparatus for providing secure multiple-network access at a single workstation, the apparatus including a motherboard including a central processing unit (CPU), a memory, a storage device having a first operating system, and a network adapter, a subcomputer assembly assembled with the motherboard, where the subcomputer assembly includes a memory including a second operating system, and a boot control program operative to selectably boot the workstation from either of the first operating system and the second operating system and to disable the storage device when the workstation boots from the second operating system, a network connection, a local control unit for selectably connecting either of the motherboard and the subcomputer assembly to the network connection via the network adapter at any given time, and a network control unit for selectably connecting the motherboard to a first network and the subcomputer assembly to a second network, where the motherboard and the subcomputer assembly operate in data isolation from one another.
There is additionally provided in accordance with a preferred embodiment of the present invention, in a system including a subcomputer assembly platform, a plurality of subcomputer assemblies assembled with the subcomputer assembly platform, where each of the subcomputer assemblies includes a central processing unit (CPU) and a network adapter, a network connection, and a plurality of networks, a method for providing secure multiple-network access, the method including the steps of operating each of the subcomputer assemblies in data isolation from every other of the subcomputer assemblies, selectably connecting a first one of the subcomputer assemblies to the network connection via its network adapter, and selectably connecting the first subcomputer assembly to a first one of the plurality of networks.
Further in accordance with a preferred embodiment of the present invention the method further includes the steps of selectably disconnecting the first subcomputer assembly from the first network, selectably connecting a second one of the subcomputer assemblies to the network connection via its network adapter, and selectably connecting the second subcomputer assembly to a second one of the plurality of networks.
Still further in accordance with a preferred embodiment of the present invention the subcomputer assembly platform is operative to provide access to a plurality of peripheral devices, and the method further includes the step of providing the first subcomputer assembly with control of any of the peripheral devices.
Additionally in accordance with a preferred embodiment of the present invention the first one of the plurality of networks is a private network and the second one of the plurality of networks is a public network.
Moreover in accordance with a preferred embodiment of the present invention the private network is a Local Area Network (LAN).
Further in accordance with a preferred embodiment of the present invention the public network is the Internet.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be understood and appreciated more fully from the following detailed description taken in conjunction with the appended drawings, in which:
Fig. 1 is a simplified illustration of a system for providing secure multiple-network access at a single workstation, constructed and operative in accordance with a preferred embodiment of the present invention;
Fig. 2 is a simplified flowchart illustration of a method of operation of the system of Fig. 1, operative in accordance with a preferred embodiment of the present invention;
Fig. 3 is a simplified illustration of a system for providing secure multiple-network access at a single workstation, constructed and operative in accordance with another preferred embodiment of the present invention; and
Fig. 4 is a simplified flowchart illustration of a method of operation of the system of Fig. 3, operative in accordance with a preferred embodiment of the present invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
Reference is now made to Fig. 1, which is a simplified illustration of a system for providing secure multiple-network access at a single workstation, constructed and operative in accordance with a preferred embodiment of the present invention. In Fig. 1 a workstation 10 acts as a subcomputer assembly platform having several subcomputer assemblies (SAs) 12, 14, and 16 assembled therewith. Although only one workstation 10 is shown, it is appreciated that the present invention may include multiple workstations configured as described hereinbelow. Each of the SAs 12, 14, and 16 typically includes a central processing unit (CPU) 18, a network adapter 20, a BIOS chipset 22, a display adapter 24, a memory 26, a storage device 28, and a control port 30. SAs 12, 14, and 16 are connected via control port 30 to a local control unit (LCU) 32, which preferably comprises a controller 34, a data modulation transmit/receive unit (DMU) 36, and an I/O switching unit 38 which connects any of the SAs 12, 14, and 16 to any peripheral devices that are connected to the subcomputer assembly platform, such as a keyboard 40, a monitor 42, I/O ports 44, such as COM or LPT ports, a mouse 46, and a network connection 48. LCU 32 preferably selectably connects any one of subcomputer assemblies 12, 14, and 16 to network connection 48 via its network adapter 20 such that only one of subcomputer assemblies 12, 14, and 16 is connected to network connection 48 at any given time.
The term "network connection" as used herein refers to a single physical network path between an SA and a network, and not necessarily a single network connector or coupling. For example, although workstation 10 may be connected to a single RJ-45 jack housing 8-wire category 5 network cabling, only one SA may use all 8 wires at a given time, such as in 100BaseT full duplex networks. Alternatively, one SA may use 4 of the 8 wires at the same time that another SA uses the other 4 of the 8 wires, such as in 10BaseT half duplex networks.
A network control unit (NCU) 50 is preferably connected to workstation 10 via network connection 48. NCU 50 preferably includes a control unit 52 for controlling NCU 50, a data modulation transmit/receive unit (DMU) 54, a user rights database 56, and a switching bank 58 which connects NCU 50 to any of several network hubs/switches 60 or routers 64, which in turn are connected to one or more network servers 62 and 68, either directly, such as in a private network arrangement, as with hub 60 and server 62, or via a connection with a remote server, such as in a public network arrangement, as with router 64 and server 68 connected via a network 66, such as the Internet. Communication between LCU 32 and NCU 50 is provided by DMUs 36 and 54 respectively via network connection 48 by modulating/demodulating data transmissions between them using known techniques. NCU 50 may itself be controlled by a computer 70. Multiple NCUs may also be used to control large numbers of workstations configured as described herein, and may be daisy-chained and centrally controlled by computer 70 through access to any one of the NCUs.
Each of SAs 12, 14, and 16 preferably has its own operating system and network operation software and functions in data isolation from every other SA. Each SA additionally includes SA control software that the SA executes and through which a user at workstation 10 may interact with the SA and "move between" SAs by requesting that one SA or another be given exclusive control over workstation 10's peripheral devices and be connected to a public or private network via network connection 48. In order to achieve true data isolation, preferably only one SA in workstation 10 is in control of workstation 10's peripheral devices and network connection 48 at any given time.
Reference is now made to Fig. 2, which is a simplified flowchart illustration of a method of operation of the system of Fig. 1, operative in accordance with a preferred embodiment of the present invention. In the method of Fig. 2 the SAs in a workstation operate independently and in data isolation from other SAs, with one SA currently in control of the workstation's peripheral devices and the workstation's network connection (step 100). A user at the workstation instructs the control application running on the SA currently in control that he wishes to switch to another SA and connect to a network (step 110). The control application communicates this to the LCU, which places the desired SA in control of the workstation (step 120). The LCU then informs the NCU which network the user wishes to be connected to (step 130). The NCU then checks the user rights database to see if the requesting user and/or the SA being selected is authorized to connect to the requested network (step 140). If so, the NCU switching bank opens a connection between the hub/switch and network server and the selected SA (step 150). If the requesting user and/or the SA being selected is not authorized to connect to the requested network, the connection request is refused (step 160).
Reference is now made to Fig. 3, which is a simplified illustration of a system for providing secure multiple-network access at a single workstation, constructed and operative in accordance with another preferred embodiment of the present invention. The system of Fig. 3 is configured similarly to that of Fig. 1 except as is noted hereinbelow. Workstation 10 is preferably configured with a motherboard 72 having a memory 74, a CPU 76, a network adapter 78, and a storage device 80 including an operating system. An SA 82 is also provided having a non-volatile memory 84 including its own operating system.
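The Fig. 2 procedure (steps 100 to 160) can be read as a small access-control protocol: the LCU is the only party that hands a subcomputer assembly the peripherals and network connection 48, and the NCU is the policy decision point that consults user rights database 56 before switching bank 58 closes a path. The following Python model is an added example, not code from the patent or from Net-Safe Communication Ltd. The class and method names, the rule that both the requesting user and the selected SA must be authorized (the patent says "user and/or SA"), and the sample rights table are this example's assumptions. It shows the two properties the design depends on: at most one SA is switched through at any time, and a request that fails the rights check leaves the selected SA with no network path rather than falling back to whatever was connected before.

```python
"""Model of the Fig. 2 switching procedure (added example; the patent defines
no software interface, so every name here is an assumption)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Network(str, Enum):
    PRIVATE = "private"   # hub/switch 60 and server 62 in Fig. 1
    PUBLIC = "public"     # router 64, network 66 and server 68 in Fig. 1


class Refused(Exception):
    """Step 160: the NCU refuses the connection request."""


@dataclass
class RightsDb:
    """Model of user rights database 56 (assumed layout: two allow-lists).
    A request is allowed only if BOTH the user and the selected SA are
    permitted on the requested network; anything not listed is denied."""
    users: dict          # user name -> set of Network
    assemblies: dict     # SA name -> set of Network

    def allows(self, user: str, sa: str, network: Network) -> bool:
        return (network in self.users.get(user, set())
                and network in self.assemblies.get(sa, set()))


@dataclass
class Ncu:
    """Network control unit 50: control unit 52 plus switching bank 58."""
    rights: RightsDb
    switched: Optional[tuple] = None   # (sa, network) currently switched through
    log: list = field(default_factory=list)

    def connect(self, user: str, sa: str, network: Network) -> None:
        # Step 140: consult the rights database before touching the switching bank.
        if not self.rights.allows(user, sa, network):
            self.log.append(("refused", user, sa, network.value))
            raise Refused(f"{user}/{sa} not authorized for {network.value}")
        # Step 150: open the path between the selected SA and the hub/router.
        self.switched = (sa, network)
        self.log.append(("connected", user, sa, network.value))

    def disconnect(self) -> None:
        self.switched = None


@dataclass
class Lcu:
    """Local control unit 32: exactly one SA owns the peripherals and
    network connection 48 at any time (step 100)."""
    assemblies: frozenset
    ncu: Ncu
    in_control: str

    def switch(self, user: str, target: str, network: Network) -> str:
        """Steps 110-160: the user asks to move to `target` and reach `network`."""
        if target not in self.assemblies:
            raise ValueError(f"unknown SA {target!r}")
        # Drop the outgoing SA's network path first, so connection 48 is never
        # shared by two SAs, even transiently.
        self.ncu.disconnect()
        self.in_control = target                      # step 120
        self.ncu.connect(user, target, network)       # steps 130-150, or 160
        return target


def consistent(lcu: Lcu) -> bool:
    """Invariant: whatever is switched through the NCU is the SA in control."""
    return lcu.ncu.switched is None or lcu.ncu.switched[0] == lcu.in_control


def demo() -> dict:
    """Constructed scenario: SA 12 is the private-network assembly, SA 16 the
    public one; user 'alice' may use both networks, 'bob' only the public one."""
    rights = RightsDb(
        users={"alice": {Network.PRIVATE, Network.PUBLIC}, "bob": {Network.PUBLIC}},
        assemblies={"sa12": {Network.PRIVATE}, "sa16": {Network.PUBLIC}},
    )
    ncu = Ncu(rights)
    lcu = Lcu(frozenset({"sa12", "sa14", "sa16"}), ncu, in_control="sa12")

    lcu.switch("alice", "sa12", Network.PRIVATE)      # allowed
    lcu.switch("alice", "sa16", Network.PUBLIC)       # allowed
    refused = []
    for user, sa, net in [("alice", "sa16", Network.PRIVATE),   # public SA to private net
                          ("bob", "sa12", Network.PRIVATE),     # user lacks private rights
                          ("alice", "sa14", Network.PUBLIC)]:   # SA absent from rights db
        try:
            lcu.switch(user, sa, net)
        except Refused:
            refused.append((user, sa, net.value))
    return {"switched": ncu.switched, "in_control": lcu.in_control,
            "refused": refused, "consistent": consistent(lcu), "log": ncu.log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

After the three refused requests the switching bank is open (nothing is connected) while the last selected SA still holds the peripherals, which is exactly the state the patent describes for step 160: the user has moved to another SA, but no network path exists until a request passes the rights check.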
Reference is now made to Fig. 4, which is a simplified flowchart illustration of a method of operation of the system of Fig. 3, operative in accordance with a preferred embodiment of the present invention. In the method of Fig. 4 the workstation accesses SA 82 when booting and executes a control program stored on SA memory 84 (step 200). The control program asks the user whether he wishes to boot from the operating system on storage 80 or from the operating system on SA memory 84 (step 210). If the user chooses to boot from storage 80, the workstation boots normally and requests network access via the LCU and NCU as described hereinabove with reference to Fig. 2 (step 220). If the user chooses to boot from SA memory 84, the workstation boots from memory 84 and access to storage 80 is prevented, preferably through physical disconnection of storage 80 and/or power down of storage 80 (step 230). Operation thereafter of workstation 10 and SA 82 vis-a-vis the LCU and NCU is as described hereinabove with reference to Fig. 2, with the notable exception that both workstation 10 and SA 82 use the same network adapter 78 for network access.
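The Fig. 4 boot control program is what keeps the Fig. 3 variant honest: the second operating system on SA memory 84 is the public-network environment, and it is isolated from storage device 80 only from the moment storage 80 is cut off. The following Python model is an added example, not code from the patent. The class names, the ordering that disables storage 80 before the SA image is even read (so a failed SA boot leaves the disk off rather than on), and the multiple-storage-area memory 84 that the description also allows are this example's assumptions.

```python
"""Model of the Fig. 4 boot control program (added example; all names are
this example's own, the patent defines no software interface)."""
from dataclasses import dataclass, field


class StorageDisabled(Exception):
    """Any access to storage device 80 after it has been cut off."""


@dataclass
class StorageDevice80:
    """Motherboard storage 80, holding the first operating system."""
    image: str = "OS-1 on storage 80"
    connected: bool = True     # physical disconnection (step 230)
    powered: bool = True       # power down (step 230)

    def read(self) -> str:
        if not (self.connected and self.powered):
            raise StorageDisabled("storage 80 is disconnected and powered down")
        return self.image

    def disable(self) -> None:
        self.connected = False
        self.powered = False


@dataclass
class SaMemory84:
    """Non-volatile SA memory 84. The description allows one memory with
    several storage areas, each holding its own operating system."""
    areas: dict = field(default_factory=lambda: {
        "area0": "OS-2 on memory 84, area 0",
        "area1": "OS-3 on memory 84, area 1",
    })

    def read(self, area: str) -> str:
        return self.areas[area]


@dataclass
class BootControl:
    """Boot control program executed from SA memory 84 (steps 200-230)."""
    storage80: StorageDevice80
    memory84: SaMemory84
    booted: str = ""

    def choices(self) -> list:
        # Step 210: the menu offered to the user.
        return ["storage80"] + [f"memory84/{a}" for a in self.memory84.areas]

    def boot(self, choice: str) -> str:
        if choice == "storage80":
            # Step 220: normal boot; storage 80 stays available and network
            # access goes through the LCU/NCU exactly as in Fig. 2.
            self.booted = self.storage80.read()
            return self.booted
        if choice.startswith("memory84/"):
            area = choice.split("/", 1)[1]
            if area not in self.memory84.areas:
                raise ValueError(f"no such storage area {area!r}")
            # Step 230, ordered fail-closed: cut storage 80 off BEFORE the
            # second operating system is read or handed control, so a failure
            # in the SA boot path cannot leave the private disk reachable.
            self.storage80.disable()
            self.booted = self.memory84.read(area)
            return self.booted
        raise ValueError(f"unknown boot choice {choice!r}")


def storage80_reachable(bc: BootControl) -> bool:
    """Probe used after boot: can the running environment still see storage 80?"""
    try:
        bc.storage80.read()
        return True
    except StorageDisabled:
        return False


if __name__ == "__main__":
    bc = BootControl(StorageDevice80(), SaMemory84())
    print(bc.choices())
    print(bc.boot("memory84/area1"), "| storage 80 reachable:", storage80_reachable(bc))
```

The probe is the check a practitioner would actually run on such a workstation: boot the SA image, then confirm from inside it that the motherboard disk is not enumerable. Disabling in software alone would not satisfy the patent's "physical disconnection and/or power down", which is why the model tracks both flags rather than a single "hidden" bit.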
It is appreciated, with continuing reference to Figs. 3 and 4, that multiple SAs 82 may be assembled with workstation 10, with the boot control program asking the user which SA he wishes to boot from. Additionally or alternatively, one SA 82 may have multiple memories, each having its own operating system, in which case the user is asked which memory he wishes to boot from. Additionally or alternatively, SA 82 may have one memory with multiple storage areas within the memory, with each storage area storing its own operating system, in which case the user is asked which memory storage area he wishes to boot from. While the methods and apparatus disclosed herein may or may not have been described with reference to specific hardware or software, the methods and apparatus have been described in a manner sufficient to enable persons of ordinary skill in the art to readily adapt commercially available hardware and software as may be needed to reduce any of the embodiments of the present invention to practice without undue experimentation and using conventional techniques.
While the present invention has been described with reference to a few specific embodiments, the description is intended to be illustrative of the invention as a whole and is not to be construed as limiting the invention to the embodiments shown. It is appreciated that various modifications may occur to those skilled in the art that, while not specifically shown herein, are nevertheless within the true spirit and scope of the invention.

Claims

What is claimed is:
1. Apparatus for providing secure multiple-network access at a single workstation, said apparatus comprising a subcomputer assembly platform, a plurality of subcomputer assemblies assembled with said subcomputer assembly platform, wherein each of said subcomputer assemblies comprises a central processing unit (CPU) and a network adapter, a network connection, a local control unit for selectably connecting any one of said subcomputer assemblies to said network connection via its network adapter at any given time, and a network control unit for selectably connecting a first of said subcomputer assemblies to a first network and a second of said subcomputer assemblies to a second network, wherein each of said subcomputer assemblies operates in data isolation from every other of said subcomputer assemblies.
2. Apparatus according to claim 1 wherein said subcomputer assembly platform is operative to provide access to a plurality of peripheral devices, and wherein any one of said subcomputer assemblies is operative to control any of said peripheral devices at any given time.
3. Apparatus according to claim 1 wherein said network control unit is operative to selectably connect said first subcomputer assembly to said first network at a first time and said second subcomputer assembly to said second network at a second time.
4. Apparatus according to claim 1 wherein said first network is a private network and wherein said second network is a public network.
5. Apparatus according to claim 4 wherein said private network is a Local Area Network (LAN).
6. Apparatus according to claim 4 wherein said public network is the Internet.
7. Apparatus for providing secure multiple-network access at a single workstation, said apparatus comprising a motherboard comprising a central processing unit (CPU), a memory, a storage device having a first operating system, and a network adapter, a subcomputer assembly assembled with said motherboard, wherein said subcomputer assembly comprises a memory comprising a second operating system, and a boot control program operative to selectably boot said workstation from either of said first operating system and said second operating system and disable said storage device when said workstation boots from said second operating system, a network connection, a local control unit for selectably connecting either of said motherboard and said subcomputer assembly to said network connection via said network adapter at any given time, and a network control unit for selectably connecting said motherboard to a first network and said subcomputer assembly to a second network, wherein said motherboard and said subcomputer assembly operate in data isolation from one another.
8. In a system including a subcomputer assembly platform, a plurality of subcomputer assemblies assembled with said subcomputer assembly platform, wherein each of said subcomputer assemblies includes a central processing unit (CPU) and a network adapter, a network connection, and a plurality of networks, a method for providing secure multiple-network access, the method comprising the steps of operating each of said subcomputer assemblies in data isolation from every other of said subcomputer assemblies, selectably connecting a first one of said subcomputer assemblies to said network connection via its network adapter, and selectably connecting said first subcomputer assembly to a first one of said plurality of networks.
9. A method according to claim 8 and further comprising the steps of selectably disconnecting said first subcomputer assembly from said first network, selectably connecting a second one of said subcomputer assemblies to said network connection via its network adapter, and selectably connecting said second subcomputer assembly to a second one of said plurality of networks.
10. A method according to claim 8 wherein said subcomputer assembly platform is operative to provide access to a plurality of peripheral devices, and further comprising the step of providing said first subcomputer assembly with control of any of said peripheral devices.
11. A method according to claim 9 wherein said first one of said plurality of networks is a private network and wherein said second one of said plurality of networks is a public network.
12. A method according to claim 11 wherein said private network is a Local Area Network (LAN).
13. A method according to claim 11 wherein said public network is the Internet.
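The following Python model is an added worked example, not code from the patent or from Net-Safe Communication Ltd. It simulates the Fig. 4 boot choice (steps 210 to 230, where booting from SA memory 84 disables storage 80) and the LCU/NCU switching sequence of claims 7 to 9, and checks the two security properties the text relies on: only one assembly is ever on the single network connection, and each assembly only ever reaches the network the NCU assigned to it. Class and method names (`LocalControlUnit`, `NetworkControlUnit`, `Workstation.boot`, and so on) are this example's own assumptions, not names used by the patent.

```python
"""Model of the single-workstation multi-network access scheme (Fig. 4 boot
flow and the LCU/NCU switching of claims 7-9). Added example; not the
patent's own code. All class/method names are assumptions of this example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Network(Enum):
    PRIVATE = "LAN"       # claim 5: the private network is a LAN
    PUBLIC = "Internet"   # claim 6: the public network is the Internet


@dataclass
class SubcomputerAssembly:
    """One SA: own CPU and own network adapter; its memory is never shared."""
    name: str
    network: Network                              # network the NCU assigns
    memory: dict = field(default_factory=dict)    # per-assembly, isolated


class LocalControlUnit:
    """LCU: at most one assembly is on the single network connection."""

    def __init__(self):
        self.selected: Optional[SubcomputerAssembly] = None

    def select(self, assembly):
        # Selecting a new assembly replaces the previous one, so the
        # "any one ... at any given time" condition of claim 1 always holds.
        self.selected = assembly

    def disconnect(self):
        self.selected = None


class NetworkControlUnit:
    """NCU: routes the selected assembly's adapter only to its assigned network."""

    def __init__(self, lcu):
        self.lcu = lcu

    def active_path(self):
        sa = self.lcu.selected
        return None if sa is None else (sa.name, sa.network)


def run_switching_sequence():
    """Claims 8 and 9: SA1 on the private network, then the connection is
    handed to SA2 on the public network. Returns the path after each step."""
    lcu = LocalControlUnit()
    ncu = NetworkControlUnit(lcu)
    sa1 = SubcomputerAssembly("SA1", Network.PRIVATE)
    sa2 = SubcomputerAssembly("SA2", Network.PUBLIC)
    history = []
    lcu.select(sa1)                      # claim 8: first SA onto the connection
    history.append(ncu.active_path())
    lcu.disconnect()                     # claim 9: disconnect the first SA
    history.append(ncu.active_path())
    lcu.select(sa2)                      # claim 9: connect the second SA
    history.append(ncu.active_path())
    # Data isolation: what SA1 wrote while on the LAN is not visible to SA2.
    sa1.memory["secret"] = "lan-only"
    assert "secret" not in sa2.memory
    return history


def check_isolation(history):
    """True when each assembly only ever appears with the network the NCU
    assigned to it (a path is a single (name, network) pair or None)."""
    seen = {}
    for path in history:
        if path is None:
            continue
        name, net = path
        if seen.setdefault(name, net) is not net:
            return False
    return True


@dataclass
class Workstation:
    """Fig. 3 workstation: motherboard storage 80 with OS1, SA memory 84 with OS2."""
    storage_os: str = "OS1 (storage 80)"
    sa_memory_os: str = "OS2 (SA memory 84)"
    storage_enabled: bool = True
    booted_os: Optional[str] = None

    def boot(self, choice):
        """Fig. 4 steps 210-230; choice is 'storage' or 'sa'."""
        if choice == "storage":
            self.booted_os = self.storage_os      # step 220: normal boot
        elif choice == "sa":
            self.storage_enabled = False          # step 230: storage 80 cut off
            self.booted_os = self.sa_memory_os
        else:
            raise ValueError("unknown boot choice")
        return self

    def read_storage(self):
        """Any access to storage 80 after an SA boot must fail."""
        if not self.storage_enabled:
            raise PermissionError("storage 80 is disconnected/powered down")
        return self.storage_os


if __name__ == "__main__":
    print(run_switching_sequence())
    print(Workstation().boot("sa"))
```

The model makes the design choice explicit: the NCU never consults the user or the assembly for a destination network, it routes solely by the fixed assignment, so an assembly booted for the private LAN has no path to the Internet even when it is the one holding the connection.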

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU12981/01A AU1298101A (en) 1999-11-24 2000-11-15 Methods and apparatus for providing secure multiple-network access at a single workstation

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL13311699A IL133116A0 (en) 1999-11-24 1999-11-24 Method and apparatus for providing secure multiple-network access at a single workstation
IL133116 1999-11-24

Publications (1)

Publication Number Publication Date
WO2001038991A1 true WO2001038991A1 (en) 2001-05-31

Family

ID=11073526

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2000/000747 WO2001038991A1 (en) 1999-11-24 2000-11-15 Methods and apparatus for providing secure multiple-network access at a single workstation

Country Status (3)

Country Link
AU (1) AU1298101A (en)
IL (1) IL133116A0 (en)
WO (1) WO2001038991A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5550984A (en) * 1994-12-07 1996-08-27 Matsushita Electric Corporation Of America Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information
US5764918A (en) * 1995-01-23 1998-06-09 Poulter; Vernon C. Communications node for transmitting data files over telephone networks

Also Published As

Publication number Publication date
AU1298101A (en) 2001-06-04
IL133116A0 (en) 2001-03-19

Similar Documents

Publication Publication Date Title
US7444468B2 (en) Storage system and method using interface control devices of different types
US7178021B1 (en) Method and apparatus for using non-secure file servers for secure information storage
US7353353B2 (en) File security management
US8583876B2 (en) Logical unit security for clustered storage area networks
US7594018B2 (en) Methods and apparatus for providing access to persistent application sessions
US6268789B1 (en) Information security method and apparatus
EP1625524B1 (en) Distributed filesystem network security extension
US8682845B2 (en) Secure high performance multi-level security database systems and methods
JP4168052B2 (en) Management server
US20050216767A1 (en) Storage device
WO2006116931A1 (en) A method for guaranteeing the safety of the storage network data and the system thereof
US8281384B2 (en) Method of enabling access to data protected by firewall
US20030233510A1 (en) Storage resource integration layer interfaces
US20030212905A1 (en) Method, computer product and network to regulate software licensure authentication in a computer network environment
KR20010085886A (en) Method for Security Partitioning of a Computer System
WO2001038991A1 (en) Methods and apparatus for providing secure multiple-network access at a single workstation
US6799259B1 (en) Security system for data processing applications
US20030115329A1 (en) Stacked approach to service provider Architecture
Lin A firewall approach to personal knowledge system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase