| 摘要 |
A device to establish a two-way communications channel between at least a first network N1 and a second network N2 with a lower level of security than N1 is disclosed. The device includes an encryption module (302), a decryption module (303), a first routing module (301), a second routing module (305) and a filtering module (304). The first routing module (301) guides the data packets originating from the first network N1 either to the encryption module (302) or to the filtering module (304). The second routing module (305) guides the data packets originating from the second network N2 either to the decryption module (303) or to the filtering module (304). The device implements the step of defining one or more types of data authorized to be transmitted from N1 to N2. For a datum transmitted from N1 to N2: if the datum is of a type authorized to be transmitted between N1 and N2, routing the datum to a first filtering step or else routing the datum to an encryption step. If the datum is routed to the first filtering step: saving the context associated with this datum and applying one or more analysis filters to the datum to prevent the creation of a hidden communications channel. For a datum transmitted from N2 to N1: if the datum is of a type authorized to be transmitted between N 1 and N2, routing the datum to a second filtering step or else routing the datum to a decryption step. If the datum is routed to the second filtering step: comparing the context of the datum with the context saved in the first filtering step and blocking the datum if the contexts are inconsistent or else applying one or more analysis filters to the datum. A method for protecting a two-way communications channel between at least a network N1 and a network N2 with a lower level of security than N1 is also disclosed.
|
