1461188663-cd0d6118-19b2-4681-8be9-7f8ec0400088

1. A storage system that is accessed from a host device, comprising:
a storage device comprising a plurality of logical volumes;
a storage device control section that controls said storage device;
an interface section that receives a snapshot acquisition instruction and snapshot utilization instruction from said host device;
and a snapshot processing device that executes processing for acquisition and utilization of snapshots in accordance with said snapshot acquisition instruction and said snapshot utilization instruction received by said interface section;
wherein said snapshot processing device, in response to said snapshot acquisition instruction, selects a logical volume that is capable of use as a snapshot target from said plurality of logical volumes, instructs said storage device control section to acquire a snapshot of the logical volume of the snapshot source, designated in said snapshot acquisition instruction for the selected logical volume, and holds generation information that associates the generation number specified in said snapshot acquisition instruction with the address of said selected logical volume, and in response to said snapshot utilization instruction, specifies a logical volume where the snapshot corresponding to the generation number specified in said snapshot utilization instruction is held, by referring to said generation information, and allocates an address accessible by said host device to said specified logical volume.
2. The storage system according to claim 1 wherein the address accessible by said host device that is allocated to said specified logical volume is a logical volume address that is registered beforehand in said host device.
3. The storage system according to claim 1 wherein, when the address accessible by said host device is allocated to said specified logical volume, said snapshot processing device adds information indicating the fact that the address accessible by said host device has been allocated to said specified logical volume to said generation information.
4. The storage system according to claim 1 wherein the snapshot acquisition instruction further includes designation of the logical volume of the snapshot target and
said snapshot processing device, in response to said snapshot acquisition instruction, if the snapshot target logical volume designated in said snapshot acquisition instruction is already used, selects an unused logical volume from said plurality of logical volumes and gives an instruction to said storage device control section to acquire a snapshot of the snapshot source logical volume designated in said snapshot acquisition instruction for the selected logical volume.
5. The storage system according to claim 1 wherein said snapshot utilization instruction further includes designation of the logical volume of the snapshot target and
said snapshot processing device, in response to said snapshot utilization instruction, if a snapshot of the generation number specified in said snapshot utilization instruction has not been acquired by the snapshot target logical volume specified in said snapshot utilization instruction, allocates the logical volume address of said specified snapshot target to the logical volume where the snapshot of said designated generation number is held, by referring to said generation information, and gives notification to said host device of the fact that a snapshot of said specified generation number has become available for use.
6. A storage system that is accessed from a host device, comprising:
a storage means comprising a plurality of logical volumes;
a storage means control means that controls said storage means;
an interface means that receives a snapshot acquisition instruction and snapshot utilization instruction from said host device; and
snapshot processing means that executes processing for acquiring and utilizing snapshots in accordance with said snapshot acquisition instruction and said snapshot utilization instruction received by said interface means;
wherein said snapshot processing means, in response to said snapshot acquisition instruction, if the snapshot target logical volume designated in said snapshot acquisition instruction is already used, selects an unused logical volume from said plurality of logical volumes; gives an instruction to said storage device control means to acquire a snapshot of the logical volume of the snapshot source designated in said snapshot acquisition instruction for the selected logical volume, and holds generation information associating the generation number specified in said snapshot acquisition instruction with the address of said selected logical volume; and
in response to said snapshot utilization instruction, specifies a logical volume where a snapshot corresponding to the generation number specified in said snapshot utilization instruction is held, by referring to said generation information, and allocates an address accessible by said host device to said specified logical volume.
7. A method of acquiring and utilizing snapshots in a storage system that is accessed from a host device, comprising a storage device comprising a plurality of logical volumes, the method comprising the steps of:
selecting, when a snapshot acquisition instruction is received from said host device, an unused logical volume from said plurality of logical volumes if the snapshot target logical volume designated in said snapshot acquisition instruction is already used;
acquiring a snapshot of the snapshot source volume designated in said snapshot acquisition instruction for the selected logical volume;
holding generation information associating the generation number specified in said snapshot acquisition instruction with the address of said selected logical volume; and
specifying, when a snapshot utilization instruction is received from said host device, a logical volume where a snapshot corresponding to the generation number specified in said snapshot utilization instruction is held, by referring to said generation information; and
allocating an address accessible by said host device to said specified logical volume.
8. A storage system that is accessed from a host device, comprising:
a storage device comprising a plurality of logical volumes;
a storage device control section that controls said storage device;
an interface section that receives a snapshot acquisition instruction, snapshot utilization instruction and generation information acquisition instruction from said host device; and
a snapshot processing device comprising a generation information storage section that stores generation information indicating the snapshot acquisition status for each generation and that executes processing in accordance with said snapshot acquisition instruction, said snapshot utilization instruction and generation information acquisition instruction received by said interface section; and wherein
said snapshot processing device, in response to said snapshot acquisition instruction, selects one logical volume from said plurality of logical volumes; gives instruction to acquire a snapshot of the logical volume of the snapshot source designated in said snapshot acquisition instruction for the selected logical volume and, specifies a generation number by referring to said generation information storage section and associates this specified generation number with the address of said selected logical volume and stores these in the generation information storage section;
in response to said generation information acquisition instruction, acquires the information stored in the generation information storage section and gives an instruction to said interface section to send the information to said host device;
and, in response to said snapshot utilization instruction, specifies the logical volume where a snapshot has been acquired corresponding to the generation number specified in said snapshot utilization instruction by referring to said generation information storage section and allocates an address accessible by said host device to said specified logical volume.
9. A storage system that is accessed from a host device, comprising:
storage means comprising a plurality of logical volumes;
storage means control means that controls said storage means;
interface means that receives a snapshot acquisition instruction, snapshot utilization instruction and generation information acquisition instruction from said host device; and
snapshot processing means comprising generation information storage means that stores generation information indicating the snapshot acquisition status for each generation and that executes processing in accordance with said snapshot acquisition instruction, said snapshot utilization instruction and generation information acquisition instruction received by said interface means; and wherein
said snapshot processing means, in response to said snapshot acquisition instruction, selects one logical volume from said plurality of logical volumes; gives an instruction to acquire a snapshot of the logical volume of the snapshot source designated in said snapshot acquisition instruction for the selected logical volume and, specifies a generation number by referring to said generation information storage means, and associates this specified generation number with the address of said selected logical volume and stores these in said generation information storage means;
in response to said generation information acquisition instruction, acquires the information stored in said generation information storage means and gives an instruction to said interface means to send the information to said host device;
and, in response to said snapshot utilization instruction, specifies the logical volume where a snapshot has been acquired corresponding to the generation number specified in said snapshot utilization instruction by referring to said generation information storage means, and allocates an address accessible by said host device to said specified logical volume.
10. A method of acquiring and utilizing snapshots in a storage system that is accessed from a host device, comprising a storage device comprising a plurality of logical volumes and a generation information storage device that stores generation information indicating for each generation the snapshot acquisition status, the method comprising the steps of:
selecting a logical volume from said plurality of logical volumes when a snapshot acquisition instruction is received from said host device;
giving an instruction in respect of the selected logical volume for the acquisition of a snapshot of the snapshot source logical volume designated in said snapshot acquisition instruction;
specifying a generation number by referring to said generation information storage section, and associating the specified generation number with the address of said selected logical volume and storing these in said generation information storage device;
acquiring and sending to the host device the information stored in said generation information storage section when said generation information acquisition instruction is received from said host device;
specifying a logical volume where a snapshot has been acquired corresponding to the generation number specified in said snapshot utilization instruction by referring to said generation information storage section when said snapshot utilization instruction is received from said host device; and
allocating an address accessible by said host device to said specified logical volume.

The claims below are in addition to those above.
All references to claim(s) which appear below refer to the numbering after this sentence.

1. A method of controlling steering of a vehicle through setting wheel angles of a plurality of modular electronic corner assemblies (eModules), the method comprising:
receiving a driving mode selected from a mode selection menu;
determining, in a master controller, a position of a steering input device;
determining, in the master controller, a velocity of the vehicle when the determined position of the steering input device is near center;
transmitting a drive mode request corresponding to the driving mode to a plurality of steering controllers when the steering wheel is near center and the velocity of the vehicle is below a maximum velocity;
determining, in the master controller, a required steering angle of each of the plurality of eModules as a function of the determined position of the steering input device, the determined velocity of the vehicle, and the driving mode; setting each of the eModules to an angle of 0 degrees and recording the angle setting of each of the eModules to a memory in the master controller, when the determined position of the steering input device is near 0 degrees; and
setting the eModules to the respective determined steering angles.
2. A method, as set forth in claim 1, wherein the plurality of eModules are a left front (LF) eModule, a right front (RF) eModule, a left rear (LR) eModule, and a right rear (RR) eModule.
3. A method, as set forth in claim 2, wherein determining, in the master controller, a required steering angle is further defined as:
calculating a steering angle when the determined position of the steering input device is not near 0 degrees;
setting an instantaneous center of rotation (ICR) to be along a centerline of rear wheels of the LR eModule and the RR eModule;
setting each of the LR and RR eModules to an angle;
calculating a coordinate position of the ICR as a function of the calculated steering angle;
calculating angles of the LF eModule and RF eModule;
calculating a wheel angle of the LF eModule and the RF eModule; and
recording the wheel angle of the LF eModule and the RF eModule to the memory in the master controller.
4. A method, as set forth in claim 3, wherein setting each of the LR and RR eModules to an angle is further defined as setting each of the LR and RR eModules to an angle of 0 degrees when the drive mode request is a two-wheel steer (2WS) drive mode request.
5. A method, as set forth in claim 3, further comprising:
calculating a caster wheel offset for the LF eModule and the RF eModule; and
calculating wheel angle offsets for the LF eModule and the RF eModule to align a center of each of the respective wheels to the ICR;
wherein calculating a wheel angle of the LF eModule and the RF eModule is further defined as calculating a wheel angle of the LF eModule and the RF eModule as a function of the alignment of the center of each of the respective wheels to the ICR.
6. A method, as set forth in claim 3, wherein receiving a driving mode selected from the mode selection menu is further defined as receiving a four wheel steer (4WS) drive mode request from the mode selection menu when the vehicle is operating in a 2WS drive mode; and
wherein setting the LR and RR eModules to an angle is further defined as:
setting the LR and RR eModules to an angle of 0 degrees when the velocity of the vehicle is greater than a maximum velocity;
setting the LR and RR eModules to a desired angle when the velocity of the vehicle is no greater than a minimum velocity; and
transitioning the angle of the LR and RR eModules linearly from the angle of 0 degrees to the desired angle when the velocity of the vehicle is greater than the minimum velocity and no greater than the maximum velocity.
7. A method, as set forth in claim 2, wherein determining, in the master controller, a required steering angle is further defined as:
calculating an ICR lateral line offset as a function of the determined velocity of the vehicle when the drive mode request is the 4WS drive mode;
calculating a steering angle when the determined position of the steering input device is not near 0 degrees;
calculating a coordinate position of the ICR as a function of the calculated steering angle;
calculating angles of the LF eModule, the RF eModule, the LR eModule, and the RR eModule;
calculating a wheel angle of the LF eModule, the RF eModule, the LR eModule, and the RR eModule; and
recording the wheel angle of the LF eModule, the RF eModule, the LR eModule, and the RR eModule to the memory in the master controller.
8. A method, as set forth in claim 7, further comprising:
calculating a caster wheel offset for the LF eModule, the RF eModule, the LR eModule, and the RR eModule; and
calculating wheel angle offsets for the LF eModule, the RF eModule, the LR eModule, and the RR eModule to align a center of each of the respective wheels to the ICR;
wherein calculating a wheel angle of the LF eModule, the RF eModule, the LR eModule, and the RR eModule is further defined as calculating a wheel angle of the LF eModule, the RF eModule, the LR eModule, and the RR eModule as a function of the alignment of the center of each of the respective wheels to the ICR.
9. A method, as set forth in claim 7, further comprising:
wherein the calculated ICR lateral line is configured to intersect a center of the vehicle when the determined velocity of the vehicle is no greater than a minimum velocity;
wherein the calculated ICR lateral line is configured to intersect the center of the wheels of each of the LR eModule and RR eModule when the determined velocity of the vehicle is greater than a maximum velocity; and
wherein the calculated ICR lateral line is configured to transition linearly between center of the vehicle and the center of the wheels of each of the LR eModule and the RR eModule when the determined vehicle as a function of the linear transition between the determined velocity of the vehicle of between greater than the minimum velocity and no greater than the maximum velocity.
10. A method, as set forth in claim 2, wherein determining, in the master controller, a required steering angle is further defined as:
calculating a directional vector as a function of the determined position of the steering input device;
determining a normalized yaw angle of a joystick input device about a Z-axis;
calculating a steering angle when the determined normalized yaw angle of the joystick is less than a minimum angle or greater than a maximum angle;
calculating a steering radius from the center of the vehicle;
calculating a coordinate position of the ICR as a function of the calculated steering radius and directional vector;
calculating angles of the LF eModule, the RF eModule, the LR eModule, and the RR eModule;
calculating a wheel angle of the LF eModule, the RF eModule, the LR eModule, and the RR eModule; and
recording the wheel angle of the LF eModule, the RF eModule, the LR eModule, and the RR eModule to the memory in the master controller.
11. A method, as set forth in claim 10, further comprising:
calculating a caster wheel offset for the LF eModule, the RF eModule, the LR eModule, and the RR eModule; and
calculating wheel angle offsets for the LF eModule, the RF eModule, the LR eModule, and the RR eModule to align a center of each of the respective wheels to the ICR;
wherein calculating a wheel angle of the LF eModule, the RF eModule, the LR eModule, and the RR eModule is further defined as calculating a wheel angle of the LF eModule, the RF eModule, the LR eModule, and the RR eModule as a function of the alignment of the center of each of the respective wheels to the ICR.
12. A method, as set forth in claim 1, further comprising:
determining, in the master controller, a required steering angle of each of the plurality of eModules when the vehicle is determined to not be in motion and a park mode is selected as the driving mode; and
setting the eModules to an angle such that the vehicle does not move when pushed in any direction.
13. A method of controlling steering of a vehicle through setting wheel angles of a plurality of modular electronic corner assemblies (eModules), the method comprising:
activating a mode selection menu;
receiving a driving mode selected from the mode selection menu;
determining, by a master controller, the position of a steering input device;
determining, by the master controller, a velocity of the vehicle; transmitting a drive mode request corresponding to the driving mode to a plurality of steering controllers when the steering wheel is near center and the velocity of the vehicle is below a maximum velocity;
determining the wheel angle for each of the plurality of eModules as a function of the driving mode, the position of the steering input device, and the determined velocity of the vehicle; setting each of the eModules to an angle of 0 degrees and recording the angle setting of each of the eModules to a memory in the master controller, when the determined position of the steering input device is near 0 degrees; and
transmitting the determined wheel angle for each of the plurality of eModules to a respective steering controller.
14. A method, as set forth in claim 13, further comprising:
determining, with at least one location device, a spot defined between objects adjacent the vehicle;
wherein determining the wheel angle is further defined as determining the wheel angle for each of the plurality of eModules as a function of the driving mode, the position of the steering input device, the determined velocity of the vehicle, and the spot defined between objects adjacent the vehicle.

1461188652-c8efc953-caf4-48a3-ac5b-411bb38bfcaf

1. An earth-boring tool, comprising:
a body comprising a face;
a plurality of cutting elements positioned over the face of the body; and
an impact material positioned on at least one portion of the body and exhibiting a lower abrasion resistance than the body, wherein the impact material has a relative exposure greater than at least one cutting element that is located along a substantially similar rotational path as the impact material.
2. The earth-boring tool of claim 1, wherein the impact material is positioned on at least one of a shoulder region and a gage region of the body.
3. The earth-boring tool of claim 1, wherein the impact material comprises bronze.
4. The earth-boring tool of claim 3, wherein the impact material comprises a copper alloy comprising aluminum or silicon.
5. The earth-boring tool of claim 1, wherein the impact material is configured as a cutting structure.
6. The earth-boring tool of claim 1, further comprising at least one discrete cutter, in addition to the plurality of cutting elements, positioned on the body.
7. The earth-boring tool of claim 6, wherein the at least one discrete cutter has a greater relative exposure than at least some cutting elements of the plurality of cutting elements that is located along a substantially similar rotational path as the at least one discrete cutter.
8. The earth-boring tool of claim 7, wherein the impact material positioned on at least one portion of the body is positioned proximate the at least one discrete cutter along a substantially similar rotational path as the at least one discrete cutter and has a greater relative exposure than the exposure of the at least one discrete cutter.
9. The earth-boring tool of claim 1, further comprising a hardfacing material positioned between the impact material and at least a portion of the body underlying the impact material, the hardfacing material exhibiting a higher abrasion resistance than the impact material.
10. The earth-boring tool of claim 1, wherein the impact material has a relative exposure greater than at least some cutting elements of the plurality of cutting elements.
11. A method of drilling material of a casing disposed in a subterranean formation, comprising:
directing a rotating earth-boring tool toward an inner surface of a casing, the earth-boring tool comprising an impact material positioned on at least one portion of a body of the earth-boring tool, the impact material having a lower abrasion resistance than the body and a relative exposure greater than a relative exposure of a plurality of cutting elements disposed on the body and located along a substantially similar rotational path as the impact material;
during rotation, engaging the inner surface of the casing with at least the impact material positioned on the at least one portion of the body; and
wearing away the impact material responsive to engagement thereof with the inner surface of the casing as the earth-boring tool cuts into the inner surface of the casing.
12. The method of claim 11, wherein directing the rotating earth-boring tool toward the inner surface of the casing comprises employing a whipstock to direct the rotating earth-boring tool toward the inner surface of the casing.
13. The method of claim 11, wherein engaging the inner surface of the casing with the impact material comprises engaging the inner surface of the casing with the impact material positioned on a shoulder region of the body.
14. The method of claim 11, wherein wearing away the impact material as the earth-boring tool cuts into the surface of the casing comprises wearing away the impact material to expose at least one of another cutting structure and the plurality of cutting elements.
15. The method of claim 14, wherein wearing away the impact material to expose at least one of another cutting structure and the plurality of cutting elements comprises wearing away the impact material to expose the at least one of another cutting structure and the plurality of cutting elements when the earth-boring tool has cut about 5 inches (12.7 cm) into the casing.
16. The method of claim 11, further comprising continuing to drill into the subterranean formation outside of the casing.
17. A method of drilling material of a casing disposed in a subterranean formation, comprising:
directing a rotating earth-boring tool toward an inner surface of a casing, the earth-boring tool comprising an impact material positioned on at least one portion of a body of the earth-boring tool, the impact material having a lower abrasion resistance than the body and a relative exposure at least substantially equal to a relative exposure of a plurality of cutting elements disposed on the body;
during rotation, engaging the inner surface of the casing with at least the impact material positioned on the at least one portion of the body; and
wearing away the impact material responsive to engagement thereof with the inner surface of the casing as the earth-boring tool cuts into the inner surface of the casing to expose at least one of another cutting structure and the plurality of cutting elements when the earth-boring tool establishes a cutting pattern in the casing.
18. The method of claim 17, wherein directing the rotating earth-boring tool toward the inner surface of the casing comprises employing a whipstock to direct the rotating earth-boring tool toward the inner surface of the casing.
19. The method of claim 17, wherein engaging the inner surface of the casing with the impact material comprises engaging the inner surface of the casing with the impact material positioned on a shoulder region of the body.
20. The method of claim 17, wherein wearing away the impact material to expose at least one of another cutting structure and the plurality of cutting elements when the earth-boring tool establishes the cutting pattern in the casing comprises wearing away the impact material to expose the at least one of another cutting structure and the plurality of cutting elements when the earth-boring tool has cut about 5 inches (12.7 cm) into the casing.
21. The method of claim 17, further comprising continuing to drill into the subterranean formation outside of the casing.

The claims below are in addition to those above.
All references to claim(s) which appear below refer to the numbering after this sentence.

1. A system for communicating over a network having a plurality of secured users utilizing multi-level network security devices and a plurality of unsecured users employing no network security devices, said system comprising:
an interface unit configured to send a message from a first user;
a first multi-level network security device configured to:
intercept said message from the first user; and
discard said message if said message violates security parameters associated with said interface unit,
wherein in a first mode, the first multi-level network security device is configured to send said message to a second user, and
wherein in a second mode, the first multi-level network security device comprises an encryptor configured to encrypt said message and send said encrypted message to a second multi-level network security device, and wherein in said second mode the second multi-level network security device comprises a decryptor configured to decrypt the message and send said decrypted message from said second multi-level network security device to a third user selected from said plurality of secured users.
2. The system of claim 1, further comprising a third multi-level network security device configured to intercept said encrypted message, validate a signature of said first multi-level network security interface, and send said encrypted message from said third multi-level network security interface to said second multi-level network security interface.
3. The system of claim 1, wherein each multi-level network security device is configured to use association establishment messages for authenticating other multi-level network security interfaces.
4. The system of claim 1, wherein each multi-level network security device is configured to use association establishment messages for exchanging security parameters between said multi-level network security interfaces.
5. A system for mixed enclave communications over a network having both secured and unsecured users, the system comprising:
a network security device configured to permit communication over the network between one of said secured users and one of said unsecured users, and further configured to dynamically determine whether a user initiating communication is one of said secured users or one of said unsecured users; and
a control module operationally coupled to said network security device, the control module being configured to control passage of information between said one of said secured users and said one of said unsecured users to secure information residing with said one of said secured users against transfer to said one of said unsecured users when not permissible, wherein the network security device is configured to use association establishment messages sent over the network for said secured users in authenticating each other, and wherein the network security device is configured to use association establishment messages for the secured users exchanging security parameters.
6. The system of claim 5, wherein the network security device is configured to examine Internet Protocol (IP) addresses for identifying the secured and unsecured users.
7. The system of claim 5, wherein the network security device comprises an encryptor configured to encrypt information residing with one of the secured users.
8. An apparatus for providing multi-level security in a computer network having a plurality of users and at least one relatively secure portion relative to at least one relatively unsecure portion of the network, the apparatus comprising:
a network security device configured to intercept a message transmitted between said at least one secure and said at least one unsecure portions of said network, and further configured to determine whether transmission of said intercepted message violates network security parameters;
an encryptor configured to encrypt said intercepted message if said intercepted message:
originates from a first secure portion of said network,
is destined for a second secure portion of said network, and
wherein said computer network is configured so that said intercepted message traverses an unsecure portion of said network to reach said second secure portion of said network; and

if said network security device determines that said intercepted message violates said network security parameters:
in a first mode, the network security device is configured to transmit said intercepted message; and,
in a second mode, the network security device is configured to transmit said encrypted intercepted message.
9. The apparatus of claim 8, wherein the network security device is further configured to select the types of messages that are permissible.
10. The apparatus of claim 8, wherein the network security device is further configured to examine Internet Protocol (IP) addresses for identifying the source and destination of said message.
11. The apparatus of claim 10, wherein the network security device is further configured to use association establishment messages for allowing those users which reside in said at least one secure portion of said network to authenticate other users residing in other secure portions of said network.
12. The apparatus of claim 11, wherein said association establishment messages comprise security parameters.
13. The apparatus of claim 11, further comprising a host configured to utilize a message intended to evoke a response from a destination user selected from said plurality of users and intended to receive said message to determine whether said destination user resides in the same portion of the network as a source user selected from said plurality which sent said message.
14. The apparatus of claim 13, wherein said message intended to evoke a response from said destination user comprises a message which evokes a response only if said destination user and source user reside in the same portion of said network.
15. The apparatus of claim 8, further comprising a waiting queue configured to queue passage of information.
16. The apparatus of claim 8, wherein the network security device is configured to create an entry in an association table indicative of the source of a received message.
17. The apparatus of claim 16, wherein the network security device is configured to compare the message destination’s security level to that of the source of said intercepted message, so as to determine if said intercepted message may proceed.
18. The apparatus of claim 17, wherein the network security device is configured to release said intercepted message if the message destination’s security level is higher than that of the source.
19. The apparatus of claim 17, wherein the network security device is configured to communicate the message between the message source and destination if the message destination’s security level is equivalent to that of the source.
20. The apparatus of claim 17, wherein the network security device is configured to prohibit release of said message when the message destination’s security level is lower than that of the source unless said message is predicted.
21. An apparatus for communicating over a network having a plurality of secured users utilizing multi-level network security devices and a plurality of unsecured users, the apparatus comprising:
a first network security device configured to control the transmission of a message from a first user to a second user, wherein
in the event that either (a) the first user is a secured user and the second user is an unsecured user, or (b) the first user is an unsecured user and the second user is a secured user, the first network security device is configured to intercept a message sent by the first user, determine whether transmission of said message breaches network security parameters, and transmit said message to said second user if transmission of said message does not breach network security parameters, and
in the event that both the first and second users are secured users, the first network security device is configured to
intercept the message sent by the first user,
determine whether transmission of said message breaches network security parameters,
encrypt said message,
transmit said encrypted message to a second network security device utilized by said second user if transmission of said message does not breach network security parameters, and
the second network security device is configured to decrypt said encrypted message and transmit said decrypted message to the second user.
22. The apparatus of claim 21, wherein the first network security device is configured to compare the message destination’s security level to that of the source of said intercepted message.
23. The apparatus of claim 22, wherein:
when the message destination’s security level is higher than that of the source, the intercepted message is permissible to be released;
when the message destination’s security level is equivalent to that of the source, information transfers between the source and destination; and,
when the message destination’s security level is lower than that of the source, the intercepted message is not permissible to be released, unless said message is predicted.
24. The apparatus of claim 20, wherein said message is predicted if another message is first received by the source from the destination.
25. The apparatus of claim 20, wherein said message is predicted if said message responds to another message from the destination.
26. An apparatus for communicating over a network having a plurality of secured users utilizing multi-level network security devices and a plurality of unsecured users, the apparatus comprising:
a multi-level network security device configured to:
intercept a message from a source to a destination;
determine a first security parameter associated with the source;
determine a second security parameter associated with the destination, wherein the device is configured to send association establishment messages over the network to determine at least one of the first or second security parameters;
identify a security policy based on the first and second security parameter;
determine whether said message complies with said security policy; and
transmit said message to the destination if said message complies with said security policy.
27. The system of claim 26, wherein the system further comprises an encryptor configured to encrypt said message if so specified by said security policy.
28. The system of claim 26, wherein the first security parameter identifies the source as one of a secured or unsecured user.
29. The system of claim 26, wherein the second security parameter identifies the destination as a secured or unsecured user.
30. The system of claim 26, wherein at least one of the first or second security parameters identifies a classification level of data.
31. The system of claim 26, wherein the multi-level network security device is configured to inhibit covert channel use.
32. The system of claim 31, wherein the multi-level network security device is configured to limit the rate of data transfer between a secure source and an insecure destination to a covert channel rate.
33. The system of claim 26, wherein the multi-level network security device is configured to inhibit denial of service attacks.
34. The system of claim 26, wherein the multi-level network security device is configured to inhibit denial of service attacks.
35. A method for mixed enclave communications over a network including both secured and unsecured users, said method comprising:
permitting communications over the network between one of said secured users and one of said unsecured users;
discovering dynamically using messages sent over the network by said secured user whether a user initiating communications is one of said secured users or one of said unsecured users;
controlling passage of information between said one of said secured users and said one of said unsecured users for securing given information residing with said one of said secured users against transference to said one of said unsecured users when not permissible; and
inhibiting covert channel use.
36. The method of claim 35, wherein inhibiting covert channel use comprises limiting the rate of data transfer between a secure source and an insecure destination to a covert channel rate.
37. The method of claim 35, wherein permitting communication comprises permitting Internet Protocol communications.
38. The method of claim 37, wherein inhibiting covert channel use comprises detecting dialog sequence errors.
39. The method of claim 35, wherein discovering includes using Internet Protocol (IP) addresses for identifying the secured and unsecured users.
40. The method of claim 35, wherein discovering includes using association establishment messages for said secured users authenticating each other.
41. The method of claim 35, wherein discovering includes using association establishment messages for the secured users exchanging security parameters.
42. The method of claim 35, wherein for communications between one of the secured users and one of the unsecured users, the secured user employs a waiting queue to influence passage of information.
43. The method of claim 35, wherein controlling passage of information comprises:
determining when one of the secured users receives initial information from one of the unsecured users that is not already established; and
creating an entry in an association table indicative of at least the unsecured user’s IP address and association type.
44. The method of claim 43, wherein controlling passage of information comprises further comparing a security level of the one of the secured users to that of the unsecured user for determining if information to the unsecured user can be allowed to proceed.