by jandrewrogers 399 days ago
Such a thing exists though usually not called “military-grade” per se. It is more similar to a data diode [0] than a classic firewall but has significant differences from either.

Data streams are converted into a sequence of objects that are required to have and satisfy certain formally verifiable properties as a pre-condition of forwarding. Any data or objects that cannot satisfy formal analysis requirements are dropped. Forwarding policies are only applied to objects that meet the prerequisite of being rigorously analyzable.

This behavior is bidirectional. It applies equally to data egress to mitigate internal threats and accidental data leakage. The internal mechanics can be pretty complicated and they necessarily operate on a store-and-forward basis. The data objects may be “laundered” by the firewall, what you send may not be exactly what the other side receives.

To make this work, the wire protocol, data representation, etc must be designed specifically to allow this kind of rigorous analysis and work well within these constraints. It usually won’t work on a random web stream and the data representation often sacrifices efficiency of storage for efficiency of verification and analysis at runtime.

In reality, virtually no one uses this type of tech outside of defense and intelligence because it won’t let almost any of the standard web stack slop through.

[0] https://en.wikipedia.org/wiki/Unidirectional_network
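A simplified model of the verify-then-forward behaviour described in the comment above, added here as an example (not the commenter's code or any real product): the JSON-lines wire format, the fixed schema, the egress policy and the canonical re-serialization are all constructed assumptions.

```python
"""Toy store-and-forward gateway: parse, verify, apply policy, re-serialize."""
import json

# Constructed schema every object must satisfy before it may be forwarded.
# Assumption: the wire protocol is designed so validity is fully decidable
# from the bytes alone (field name -> (exact type, allowed domain or None)).
SCHEMA = {
    "kind": (str, {"telemetry", "status"}),
    "seq": (int, range(0, 2**32)),
    "value": (float, None),
}

def parse_object(raw: bytes):
    """Decode one record into typed fields, or None if it cannot be rigorously analyzed."""
    try:
        obj = json.loads(raw.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None                      # not parseable: drop, never forward
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        return None                      # unknown or missing fields: drop
    for name, (typ, domain) in SCHEMA.items():
        v = obj[name]
        # exact type check (so True is not accepted as an int) plus domain check
        if type(v) is not typ or (domain is not None and v not in domain):
            return None
    return obj

def policy_allows(obj, direction: str) -> bool:
    """Forwarding policy, applied only to objects that passed parse_object."""
    if direction == "egress":
        return obj["kind"] == "status"   # constructed rule: only status may leave
    return True

def canonical(obj) -> bytes:
    """Re-serialize ("launder"): receiver gets only validated fields, fixed order, no whitespace."""
    return json.dumps({k: obj[k] for k in SCHEMA}, separators=(",", ":")).encode("ascii")

def filter_stream(records, direction: str):
    """Store-and-forward over a whole batch; returns (forwarded_bytes, dropped_count)."""
    out, dropped = [], 0
    for raw in records:
        obj = parse_object(raw)
        if obj is None or not policy_allows(obj, direction):
            dropped += 1
            continue
        out.append(canonical(obj))
    return out, dropped
```

Note that the second record below is forwarded with different bytes than were sent (key order and whitespace normalized), which is the "laundering" the comment refers to.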

1 comment

Ah, yes, that's true. I had actually forgotten about this type of thing (did study infosec at uni).