Re: [ISN] New Defence Computer Keeps Hackers Out and Secret (fwd)

[Steve Bellovin <smb () research att com>]

In message <3.0.5.32.19981019090959.0099f100 () cchest mitretek org>, Rick Murphy 
writes:
> At 01:39 PM 10/16/98 +0400, ark () eltex ru wrote:
> > what the hell is that thing if _not_ firewall??
> > Does anybody know?
>
> It's not a firewall; it's a unidirectional data transfer device.
> It's intended to be put between classified and unclassified networks
> so that information can flow up toward the classified network but
> nothing can leak back down. 
>
> Vision Abell have built an x-windows proxy capability using this box.
> Writing proxies is difficult because you can't get any feeback
> (acknowledgements, for example) from the classified side back to the
> unclassified side because you have a write-only link. Your proxy has
> to mimic the behavior of the classified side and can't tell if the
> classified side is even listening.

Right.  It's important to understand the threat model that that sort
of device is intended to counter:  an enemy program (possibly a
Trojan horse) that is reading classified files on the inside, and
attempting to export them via surreptitious means, such as modulating
ACK timings, etc.