Abstract: A one-way router combines benefits of a network diode and router, and thus can route data between networks of varying confidentiality and/or integrity in a secure, one-way fashion. Secure routing is provided transparently so that the router is compatible with standard network applications by synthesizing responses for standard network protocols to provide many-to-many network connections while preventing bidirectional data flow. Separate network stacks are provided for each connected network, and the network stacks are separated from each other by data diodes that enforce one-way data flow. The one-way router can be implemented in hardware or software, and provides architectural flexibility to customize levels of assurance, performance, reliability, and cost.

Abstract: A system, method, and apparatus that efficiently and stringently analyze messages are provided. A message's properties are encoded into a bitwise representation of fixed length, which is compared to a binary representation of each rule from a release policy to determine if the rule is satisfied. This process is efficient and allows near real time comparisons and decisions.

Abstract: A one-way router combines benefits of a network diode and router, and thus can route data between networks of varying confidentiality and/or integrity in a secure, one-way fashion. Secure routing is provided transparently so that the router is compatible with standard network applications by synthesizing responses for standard network protocols to provide many-to-many network connections while preventing bidirectional data flow. Separate network stacks are provided for each connected network, and the network stacks are separated from each other by data diodes that enforce one-way data flow. The one-way router can be implemented in hardware or software, and provides architectural flexibility to customize levels of assurance, performance, reliability, and cost.

Abstract: Provided are systems and methods for applying access controls to separate and contain virtual machines in a flexible, configurable manner. Access can be granted or removed to a variety of system resources—including network cards, shared folders, and external devices. Operations, such as cut and paste, between the virtual machines can be restricted or allowed. Virtual machines are run in containers. This allows more than one virtual machine to share the same access profile. Containers can be configured to allow a user to instantiate a virtual machine at run time. This allows the user to dynamically define which virtual machines run in various containers. An administrator determines which containers (if any) allow dynamic instantiation, and specifies the list of virtual machines the user can choose from. A container, and/or virtual machines within the container, can be restricted to particular users.