Abstract: A method is disclosed for mixed enclave operation of a computer network with users employing a multi-level network security interface and users without any network security interface. Either the network security user selects or the network security interface automatically selects whether communications are permissible with other unsecured users. Where a mixed enclave operation is selected, the network security user identifies when communications are being undertaken with another secured user or a non-secured user. Communications with a non-secured user at a lower security level entail securing the data residing with the secured user from transmission back to the non-secured user.

Abstract: A method is disclosed for mixed enclave operation of a computer network with users employing a multi-level network security interface and users without any network security interface. Either the network security user selects or the network security interface automatically selects whether communications are permissible with other unsecured users. Where a mixed enclave operation is selected, the network security user identifies when communications are being undertaken with another secured user or a non-secured user. Communications with a non-secured user at a lower security level entail securing the data residing with the secured user from transmission back to the non-secured user.

Abstract: A multi-level network security system is disclosed for a computer host device coupled to at least one computer network. The system including a secure network interface Unit (SNIU) contained within a communications stack of the computer device that operates at a user layer communications protocol. The SNIU communicates with other like SNIU devices on the network by establishing an association, thereby creating a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within the global security perimeter. The SNIU includes a host/network interface for receiving messages sent between the computer device and network. The interface operative to convert the received messages to and from a format utilized by the network. A message parser for determining whether the association already exists with another SNIU device.

Abstract: A method is disclosed for mixed enclave operation of a computer network with users employing a multi-level network security interface and users without any network security interface. Either the network security user selects or the network security interface automatically selects whether communications are permissible with other unsecured users. Where a mixed enclave operation is selected, the network security user identifies when communications are being undertaken with another secured user or a non-secured user. Communications with a non-secured user at a lower security level entail securing the data residing with the secured user from transmission back to the non-secured user.

Abstract: A multi-level network security system is disclosed for a computer host device coupled to at least one computer network. The system including a secure network interface Unit (SNIU) contained within a communications stack of the computer device that operates at a user layer communications protocol. The SNIU communicates with other like SNIU devices on the network by establishing an association, thereby creating a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within the global security perimeter. The SNIU includes a host/network interface for receiving messages sent between the computer device and network. The interface operative to convert the received messages to and from a format utilized by the network. A message parser for determining whether the association already exists with another SNIU device.

Abstract: A method is disclosed for mixed enclave operation of a computer network with users employing a multi-level network security interface and users without any network security interface. Either the network security user selects or the network security interface automatically selects whether communications are permissible with other unsecured users. Where a mixed enclave operation is selected, the network security user identifies when communications are being undertaken with another secured user or a non-secured user. Communications with a non-secured user at a lower security level entail securing the data residing with the secured user from transmission back to the non-secured user.

Abstract: A method is disclosed for establishing trusted communications with associations for communications between users on an Internet Protocol based computer network. The method entails the first user's SNIU determining the Internet Protocol (IP) address of a second user's SNIU on the computer network through the use of custom and ICMP Echo Request and Reply messages. The user's SNIUs exchange security related information needed to complete the establishment of a trusted association. The trusted association is maintained during all communications between the first user and the second user.

Abstract: A secured network interface unit (SNIU) for providing multi-level security on a network having a plurality of secured and unsecured users including: network interface means for communicating on the network; identifying the source and destination of a message intercepted on the network; determining the security levels of each of the plurality of users; a trusted computing base for determining whether the message, if transmitted to the destination user, will violate security parameters; and, cryptographically encrypting messages sent to, and decrypting messages received from another SNIU affiliated with the destination user.

Abstract: A method is disclosed for establishing trusted communications with associations for communications between users on an Internet Protocol based computer network. The method entails the first user determining the Internet Protocol (IP) address of a second user on the computer network through the use of Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP). The first user then determining the accessability of the second user on the computer network. The users exchange security related information needed to complete the establishment of a trusted association. The trusted association is maintained during all communications between the first user and the second user.

Abstract: A multi-level network security system is disclosed for a computer host device coupled to at least one computer network. The system including a secure network interface Unit (SNIU) contained within a communications stack of the computer device that operates at a user layer communications protocol. The SNIU communicates with other like SNIU devices on the network by establishing an association, thereby creating a global security perimeter for end-to-end communications and wherein the network may be individually secure or non-secure without compromising security of communications within the global security perimeter. The SNIU includes a host/network interface for receiving messages sent between the computer device and network. The interface operative to convert the received messages to and from a format utilized by the network. A message parser for determining whether the association already exists with another SNIU device.

Abstract: A method is disclosed for mixed enclave operation of a computer network with users employing a multi-level network security interface and users without any network security interface. Either the network security user selects or the network security interface automatically selects whether communications are permissible with other unsecured users. Where a mixed enclave operation is selected, the network security user identifies when communications are being undertaken with another secured user or a non-secured user. Communications with a non-secured user at a lower security level entail securing the data residing with the secured user from transmission back to the non-secured user.

Abstract: A multi-level security device is disclosed for providing security between a user and at least one computer network, wherein the user is selected from the group consisting of a host computer and at least a second network. A secure network interface Unit (SNIU) that operates at a user layer communications protocol, which communicates with other like SNIU devices by establishing an association at a session layer of a communication stack in order to create a global security perimeter for end-to-end communications. The SNIU includes a host/network interface for receiving messages sent between the user and the at least one network, which is operative to convert the received messages to and from a format utilized by the at least one network. A message parser for determining whether the association already exists with another SNIU device. A session manager coupled to the interface for identifying and verifying the user requesting access to the network.

Abstract: A method is disclosed for limited write downs of data from higher security classification users to lower security classification users across computer networks, while preserving the security of classified data at the higher security classification user from covert transmission via acknowledgment messages from the higher user to the lower user. The intended acknowledgment message is released to the lower user when it matches the user content of a predicted acknowledgment message. In TCP/IP interface applications, the acknowledgment messages are IP based data transfer protocols acknowledging the transfer of data from the lower side to the higher side. With IP datagram transfers, deterministic portions are predicted and non-deterministic portions are identified. Where the number of non-deterministic bits exceed a predetermined rate, the acknowledgment message is discarded.