IPC classification information
Country / type | United States (US) patent, granted
International Patent Classification (IPC 7th edition) |
Application number | US-0739093 (2008-10-21)
Registration number | US-8397286 (2013-03-12)
Priority information | FR-07/07428 (2007-10-23)
International application number | PCT/EP2008/064211 (2008-10-21)
§371/§102 date | 2010-07-30
International publication number | WO2009/053361 (2009-04-30)
Inventors / address | Declety, Benjamin; Haury, Christian
Applicant / address |
Agent / address |
Citation information | Cited by: 4; Patents cited: 17

Abstract
A bidirectional gateway with enhanced security level between a high-security communication network and a low-security communication network. The return pathway from the low-security network to the high-security network comprises a low-speed link. The physical layer of the low-speed link differs from the physical layers involved in the high-security network and the low-security network. The low-speed link having a linking layer according to a protocol differing from the protocols used on the linking layers used on the high-security network and the low-security network. The linking layer of the low-speed link has an authentication protocol to guarantee the data's origin.
Representative claims
1. A bidirectional gateway with enhanced security level (2.1) for interconnecting a first network having a first security level and at least one second network having a second security level that is lower than the security level of the first network, said device (2,1) comprising: a. a first interface (2,11) intended to receive data from and transmit data toward said first network and a second interface (2,12) intended to receive data from and transmit data toward said second network; b. a routing module (2,3) connected to the first interface (2,11), to a first monodirectional pathway (2,4; 2,6), referred to as the downlink pathway, and to a second monodirectional pathway (2,5; 2,7), referred to as the return-link pathway, and provided to route, on the one hand, all data on the first interface (2,11) to the first monodirectional pathway (2,4; 2,6) and, on the other hand, data from the second monodirectional pathway (2,5; 2,7) to the first interface (2,11); c. an adaptation module (2,8) connected to the second interface (2,12), to said first monodirectional pathway (2,4; 2,6) and to said second monodirectional pathway (2,5; 2,7) and provided to route, on the one hand, all data on the second interface (2,12) to the second monodirectional pathway (2,4; 2,6) and, on the other hand, data from the first monodirectional pathway (2,5; 2,7) to the second interface (2,11), said first monodirectional pathway (2,4; 2,6) including means for performing a first processing and said second monodirectional pathway (2,5; 2,7) including means for performing a second processing different from the first processing.
2. The gateway of claim 1, wherein said first monodirectional pathway includes means (2.6) for guaranteeing, at the physical level, the monodirectional feature of the downlink pathway.
3. The gateway of claim 1, wherein said second monodirectional pathway includes means (2.10) for reducing the data rate so that the data rate on at least a portion of the return pathway is reduced compared with the data rate on said second interface (2,12), thus forming a link referred to as a low data rate link.
4. The gateway of claim 3, wherein said low data rate link is a serial link.
5. The gateway of claim 1, wherein said second monodirectional pathway includes a firewall (2.7) for filtering the data passing over the return pathway.
6. The gateway of claim 1, wherein said adaptation module (2.8) includes means for formatting the data routed to the second monodirectional pathway so that the communication protocol of said formatted data is different from the communication protocols used on the second interface (2,12), and said second monodirectional pathway includes means (2.5) for reconstituting the original data from the formatted data.
7. The gateway of claim 6, wherein said means for formatting the data transmitted to the return pathway are upstream of the low data rate link and said means (2.5) for reconstituting the original data are downstream of the low data rate link.
8. The gateway of claim 6, wherein said communication protocol different from the communication protocols used for communication on the second interface (2,12) is a data packet transport protocol, each data packet comprising a label (3.1) identifying the type of data transported, said second monodirectional pathway including a firewall (2,7) intended to filter said packets according to a list of authorised labels.
9. The gateway of claim 8, wherein said communication protocol provides a maximum transmission rate for each label, and said firewall (2.7) comprises means for measuring the effective transmission rate of each packet and for rejecting a packet in case its effective transmission rate exceeds the maximum transmission rate corresponding to its label.
10. The gateway of claim 9, wherein the list of authorised labels depends on the operating mode of the device among several operating modes.
11. The gateway of claim 1, wherein all the data transmitted over the return pathway are cryptographically enciphered by an asymmetric-key mechanism, and the second monodirectional pathway includes cryptography means (2.5) for deciphering the data transmitted.
12. The gateway of claim 1, wherein all the data transmitted over the return pathway are cryptographically signed by an asymmetric-key mechanism, and the second monodirectional pathway includes cryptography means (2.5) for verifying the identity of the data source.
13. The gateway of claim 12, wherein the data transmissions over the first and second monodirectional pathways are packet transmissions, and wherein said first monodirectional pathway includes path control means (2,4), a. said path control means (2,4) being intended to prepare, for each packet to be transmitted from the first network to the second network, a signed packet referred to as the Ok packet and a signed packet referred to as the Ko packet, and to conjointly transmit said data packet along with both Ok and Ko packets; b. said adaptation module (2,8) further being intended to test the transmission over the first monodirectional pathway and, if the transmission has been judged to be correct, to transmit said Ok packet on the return pathway, whereas, if the transmission has been judged to be incorrect, to transmit the Ko packet on the return pathway.
14. The gateway of claim 13, wherein said first path control means (2,4) are intended to periodically transmit over the downlink pathway a signed packet referred to as a NOP packet in the event of non-reception on the return pathway of either an Ok packet or a Ko packet during a given time, and said adaptation module is intended to transmit on the return pathway any NOP packet received from the downlink pathway.
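The Ok/Ko acknowledgement of claims 13 and 14, as an added illustrative model that is not part of the patent: the high side pre-signs both possible answers and sends them down with each data packet, so the low side can only choose which of the two to echo and cannot author return data of its own. HMAC stands in for the asymmetric signature of claim 12; the key, packet layout, sequence numbers and payloads are constructed for this example.

```python
# Added illustrative model of the Ok/Ko scheme in claims 13-14 (not the
# patent's own code). The high side pre-signs an Ok and a Ko packet for each
# data packet and sends all three down the one-way link; the low side can only
# echo one of them back, so the return path carries no low-side-authored data.
# HMAC stands in for the asymmetric signature of claim 12; the key, packet
# layout and payloads are constructed for this example.
import hmac
import hashlib

KEY = b"constructed-demo-key"   # held by the high side only
SIG_LEN = 32                    # SHA-256 digest length


def sign(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).digest()


class HighSide:
    """Path control means (2,4): issues pre-signed Ok/Ko, verifies returns."""

    def __init__(self):
        self.pending = {}                        # seq -> {ok_pkt, ko_pkt}
        self.confirmed, self.failed, self.rejected = [], [], []

    def send(self, seq: int, payload: bytes):
        ok = b"OK:%d" % seq
        ko = b"KO:%d" % seq
        ok_pkt, ko_pkt = ok + sign(ok), ko + sign(ko)
        self.pending[seq] = {ok_pkt, ko_pkt}
        return payload, ok_pkt, ko_pkt          # conjointly transmitted downlink

    def receive_return(self, pkt: bytes) -> str:
        body, sig = pkt[:-SIG_LEN], pkt[-SIG_LEN:]
        if not hmac.compare_digest(sign(body), sig):
            self.rejected.append(pkt)            # forged, altered or unsigned
            return "rejected"
        kind, seq = body.split(b":")             # only our own signed bodies get here
        seq = int(seq)
        if pkt not in self.pending.get(seq, ()):
            self.rejected.append(pkt)            # replay or unknown sequence
            return "rejected"
        del self.pending[seq]                    # each Ok/Ko is usable once
        (self.confirmed if kind == b"OK" else self.failed).append(seq)
        return kind.decode().lower()             # "ok" or "ko"


def low_side_ack(payload: bytes, ok_pkt: bytes, ko_pkt: bytes,
                 expected_len: int) -> bytes:
    """Adaptation module (2,8): checks the downlink transfer, echoes Ok or Ko."""
    return ok_pkt if len(payload) == expected_len else ko_pkt
```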