Deployment of virtual machines in Lock-Keeper

As a remarkable realization of the simple idea "Physical Separation", the Lock-Keeper technology has been proven to be a practical approach to provide high-level security for a sensitive internal network by completely separating it with the less secure external network. The data exchange between the two separated networks is accomplished by the Lock-Keeper Secure Data Exchange software which is occupied by three PC-based Lock-Keeper components: INNER, OUTER and GATE. The SDE's application modules on INNER and OUTER provide specific network services to the external world through normal network connections and organize the network traffic into Lock-Keeper-mode units which can be transferred through the Lock-Keeper by its SDE's basic data exchange modules on INNER, OUTER and GATE. There is an extra data scanning module located on GATE to check the passing data contents. In this paper, a new implementation of the SDE software will be proposed based on the Virtual Machine technology. Application modules on INNER and OUTER are respectively replaced by some Virtual Machines. According to different requirements of corresponding applications, different configurations and resource assignments can be employed by these Virtual Machines. Such special-purpose Virtual Machines and their underlying host can be isolated from one another by the natural property of the Virtual Machine technology so that both the host and each single application can be easily restored in the case of destruction. In addition, a content scanning VM will be built on GATE to support offline scanning, configuration, updating and other useful extension.