A network boundary device

The network boundary device with three processors and contextual criteria ensures secure data transfer by verifying and abstracting information, addressing the vulnerability of existing devices to malicious data transmission.

WO2026133183A1 · PCT designated stage · Publication Date: 2026-06-25 · THE SECRETARY OF STATE FOR FOREIGN & COMMONWEALTH & DEV AFFAIRS

Patent Information

Authority / Receiving Office: WO · WO
Patent Type: Applications
Current Assignee / Owner: THE SECRETARY OF STATE FOR FOREIGN & COMMONWEALTH & DEV AFFAIRS
Filing Date: 2025-12-17
Publication Date: 2026-06-25

AI Technical Summary

Technical Problem

Existing network boundary devices fail to ensure secure and robust information transfer between networks of differing security levels by not verifying incoming messages against contextual criteria, making them susceptible to malicious data transmission.

Method used

A network boundary device with three processors (first, second, and inspection) that abstracts and inspects information using contextual criteria defined by the trusted network, ensuring that only expected and legitimate data is transmitted between trusted and lesser-trusted networks.

Benefits of technology

Enhances security by verifying incoming data against dynamic contextual criteria, reducing the risk of malicious data entry into trusted networks and ensuring outgoing data meets predefined criteria, thus providing a more secure and robust gateway.

✦ Generated by Eureka AI based on patent content.


Abstract

The present disclosure provides a method performed by a network boundary device to enable information transfer between a trusted network and a lesser-trusted network. The method comprises receiving, from the trusted network, first electronic information for transmission to the lesser-trusted network; transmitting, to the lesser-trusted network, the first electronic information; receiving, from the lesser-trusted network, second electronic information; determining, at the network boundary device, whether the second electronic information meets one or more contextual criteria; and if the second electronic information meets the one or more contextual criteria, transmitting the second electronic information to the trusted network.

Description

[0001] A NETWORK BOUNDARY DEVICE

[0002] FIELD OF THE DISCLOSURE

[0003] Embodiments of the present disclosure relate generally to network boundary devices. More specifically they relate to cross domain devices that enable the transfer of information between networks operating at different levels of security. For example, embodiments of the present disclosure may relate to devices for enabling the transfer of information from a network operating at a low level of security to a network operating at a high level of security.

[0004] BACKGROUND OF THE DISCLOSURE

[0005] The onset of hybrid working as common practice has drastically changed the way that businesses think about their IT systems and how best to keep them secure. Similarly, Internet connected industrial machinery, industrial control systems, and Internet of Things (IoT) systems have provided new attack vectors for those wishing to negatively impact businesses. A decade ago, most businesses could maintain a high level of security using "air gaps" between secure internal networks (i.e. private networks) and external networks, such as the Internet. Employees wishing to access the internal network would be required to physically attend a specific location and, therefore, the employer could rely on robust physical security measures to keep the internal network secure. However, with more employees working from home or other locations further afield, and with Internet access being a requirement for more industrial systems, enabling access to internal networks from off-site locations is of increasing importance.

[0006] Network boundary devices provide a means of enabling digital access to internal networks by acting as a security gateway that monitors and controls the flow of traffic into or out of the internal network. Where undesired traffic attempts to pass through the gateway, the gateway is enabled to block the traffic entirely. Thus, access to the internal network is securely maintained for approved traffic, while restricting access by malicious entities. Known network boundary devices typically restrict the flow of traffic to specific file types. In this manner, a network boundary device may only allow simple text files, such as JavaScript Object Notation (JSON) files, to pass through the device. Alternatively, or in addition, the network boundary device may restrict the content of messages forming the traffic. For example, the network boundary device may only allow messages to pass that contain time information or weather information. In this manner, the network boundary device can ensure that any messages entering the internal network cannot contain harmful data, such as malware, and that any messages leaving the internal network contain only data that has been approved for release.

[0007] SUMMARY OF THE DISCLOSURE

[0008] The present disclosure describes a method performed by a network boundary device to enable information transfer between a trusted network and a lesser-trusted network. The method comprises receiving, from the trusted network, first electronic information for transmission to the lesser-trusted network; transmitting, to the lesser-trusted network, the first electronic information; receiving, from the lesser-trusted network, second electronic information; determining, at the network boundary device, whether the second electronic information meets one or more contextual criteria; and if the second electronic information meets the one or more contextual criteria, transmitting the second electronic information to the trusted network.

[0009] As will be appreciated, the present disclosure provides several advantages over the prior art. For example, by ensuring that messages sent into the trusted (e.g. internal, or private) network are received in response to an outgoing message, the facilitator of the trusted network can rely on onsite physical security measures to guarantee that traffic flow is initiated by a trusted person with authorised access to the trusted network. Further, by verifying the incoming message from the lesser-trusted (e.g. external) network against one or more contextual criteria, the facilitator of the trusted network can confirm that, not only is the received traffic of an allowable type, but that it is an expected type to be received in the context of the outgoing message that initiated the traffic flow. In this manner, the network boundary device of the present disclosure provides a more secure and robust gateway than prior art devices.

[0010] The one or more contextual criteria may be defined with respect to the first electronic information.

[0011] The one or more contextual criteria may define one or more associations between the first electronic information and the second electronic information.

[0012] Receiving the first electronic information may comprise receiving the first electronic information at a first processor of the network boundary device and transmitting the first electronic information to an inspection processor of the network boundary device.

[0013] The method may further comprise abstracting the first electronic information prior to transmitting the first electronic information to the inspection processor.

[0014] The inspection processor may be configured to determine whether the first electronic information meets one or more transmission criteria and, if the one or more transmission criteria are met, forward the first electronic information to a second processor.

[0015] Transmitting the first electronic information may comprise transmitting the first electronic information by the second processor of the network boundary device to the lesser-trusted network.

[0016] Receiving the second electronic information may comprise receiving the second electronic information at the second processor of the network boundary device and transmitting the second electronic information to the inspection processor.

[0017] The method may further comprise abstracting the second electronic information prior to transmitting the second electronic information to the inspection processor.

[0018] Determining whether the second electronic information meets the one or more contextual criteria may be performed by the inspection processor and, if the one or more contextual criteria are met, the method further comprises approving the second electronic information for transmission to the trusted network.

[0019] The method may further comprise receiving contextual information, wherein the contextual information defines the one or more contextual criteria.

[0020] The method may further comprise receiving transmission information, wherein the transmission information defines the one or more transmission criteria.

[0021] The one or more contextual criteria may comprise one or more of: an expected information type; an expected time of receipt; an expected file size; an expected message format; a sequence of received electronic information; and a content of the electronic information.

[0022] Transmitting the second electronic information may comprise transmitting the second electronic information by the first processor.

[0023] The second electronic information may comprise a plurality of messages, and determining whether the second electronic information meets the one or more contextual criteria may comprise using the same contextual criteria for each of the plurality of messages that are part of the second electronic information.

[0024] The present disclosure also describes a network boundary device configured to enable information transfer between a trusted network and a lesser-trusted network, the network boundary device being configured to receive, from the trusted network, first electronic information for transmission to the lesser-trusted network; transmit, to the lesser-trusted network, the first electronic information; receive, from the lesser-trusted network, second electronic information; determine, at the network boundary device, whether the second electronic information meets one or more contextual criteria; and if the second electronic information meets the one or more contextual criteria, transmit the second electronic information to the trusted network.

[0025] The one or more contextual criteria may be defined with respect to the first electronic information. The one or more contextual criteria may define one or more associations between the first electronic information and the second electronic information.

[0026] The device may be configured to receive the first electronic information at a first processor of the network boundary device and transmit the first electronic information to an inspection processor of the network boundary device.

[0027] The device may be further configured to abstract the first electronic information prior to transmitting the first electronic information to the inspection processor.

[0028] The inspection processor may be configured to determine whether the first electronic information meets one or more transmission criteria and, if the one or more transmission criteria are met, forward the first electronic information to a second processor.

[0029] The device may be further configured to transmit the first electronic information to the lesser-trusted network using the second processor.

[0030] The device may be further configured to receive the second electronic information at the second processor of the network boundary device and transmit the second electronic information to the inspection processor.

[0031] The device may be further configured to abstract the second electronic information prior to transmitting the second electronic information to the inspection processor.

[0032] Determining whether the second electronic information meets the one or more contextual criteria may be performed by the inspection processor and, if the one or more contextual criteria are met, the inspection processor may be configured to approve the second electronic information for transmission to the trusted network.

[0033] The device may be further configured to receive contextual information, wherein the contextual information defines the one or more contextual criteria. The device may be configured to receive transmission information, wherein the transmission information defines the one or more transmission criteria.

[0034] The one or more contextual criteria may comprise one or more of: an expected information type; an expected time of receipt; an expected file size; an expected message format; a sequence of received electronic information; and a content of the electronic information.

[0035] Transmitting the second electronic information may comprise transmitting the second electronic information by the first processor.

[0036] The second electronic information may comprise a plurality of messages, and determining whether the second electronic information meets the one or more contextual criteria may comprise using the same contextual criteria for each of the plurality of messages that are part of the second electronic information.

[0037] The present disclosure also describes a trusted network comprising a network boundary device configured to enable information transfer between the trusted network and a lesser-trusted network wherein the network boundary device comprises one or more of the features described above.

[0038] Whilst the disclosure has been described above, it extends to any combination of the features set out above, or in the following description, drawings or claims. For example, any feature described in relation to any one aspect of the disclosure is understood to be disclosed also in relation to any other aspect of the disclosure.

[0039] BRIEF DESCRIPTION OF THE DRAWINGS

[0040] The present disclosure will now be described, by way of example only, and with reference to the accompanying drawings, in which:

[0041] FIGURE 1 shows a schematic drawing of a network boundary device according to the present disclosure;

FIGURE 2 shows a flow diagram detailing a method performed by a network boundary device according to the present disclosure;

[0042] FIGURE 3 shows a flow diagram detailing one step of the method shown in Figure 2; and

[0043] FIGURE 4 shows a flow diagram detailing further steps that may be introduced into the method shown in Figure 2.

[0044] DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

[0045] Network boundary devices, in the context of the present disclosure, refer to devices that sit on the boundary between two or more networks and facilitate the transfer of information between those networks using a set of configured rules. In this capacity, a network boundary device may be referred to by many different names, such as: cross domain device, cross domain solution, cross domain security device, cross domain guard device, network gateway, data diode, or others. In general, what is meant here by a network boundary device, is a device that enables the transmission and verification of information between two networks of differing levels of trust.

[0046] It is appreciated that "trust" is something that is personal and subjective. Different people or organisations will trust others to varying degrees and something that one entity considers trustworthy may be considered completely untrusted by another entity. In the context of this disclosure, a first network will be referred to as a "trusted network" and a second network will be referred to as a "lesser-trusted network". These terms are used for contextualising the first and second networks and are considered from the perspective of one who facilitates the first network and (typically) does not facilitate the second network. In this scenario, the facilitator of the first network has knowledge and / or control over the security of the first network and, therefore, can assign a higher level of trust to that network than the second network, over which they have no (or less) knowledge and / or control. It is to be understood that a facilitator of the second network may consider the second network to be the "trusted" network and the present disclosure could equally be used in such a scenario. However, for the sake of simplicity with respect to describing the present disclosure, one network should be considered to be "trusted", and the other network should be considered to be "lesser-trusted".

[0047] With reference to Figure 1, the network boundary device 100 of the present disclosure facilitates the transmission of information between the trusted (first) network 101 and the lesser-trusted (second) network 102. The trusted and lesser-trusted networks 101, 102 may be any type of computer network, such as a private network, a public network, or the Internet. In practice, it is expected that at least the trusted network 101 will be a private network, such as that of an organisation or individual, as these networks tend to be smaller, and the facilitators of private networks tend to be more security conscious. In some examples, the lesser-trusted network 102 may be a public network, such as a publicly accessible WiFi network, or the Internet. In other examples, the lesser-trusted network 102 may be another private network, possibly even facilitated by the same facilitator as the trusted network 101, but, for example, centred around a different physical location. As will be appreciated, there are several forms that the trusted network 101 and the lesser-trusted network 102 may take.

[0048] While the network boundary device 100 may be implemented by anyone, it is typical for such devices to be implemented by the facilitator of the trusted network 101 and, as such, the network boundary device 100 may even form a part of the trusted network 101. This is because trusted networks 101 are more likely to require stringent security protocols for information entering the trusted network 101 for the reasons outlined above and the network boundary device 100 will be part of the system in place for enforcing these protocols. For example, where the trusted network 101 belongs to a business, it may be important for that business to restrict the transmission of certain file types into the trusted network 101, so as to ensure that the trusted network 101 cannot be infected by, for example, malware. Moreover, in respect of the present disclosure, there are particular benefits achieved by the facilitator of the trusted network 101 when deploying the network boundary device 100, as will be discussed further below.

[0049] The network boundary device 100 comprises three processors: a first processor 103; a second processor 104; and an inspection processor 105. The first processor 103 is located on the 'trusted network side' of the network boundary device 100. That is to say, with respect to other components of the network boundary device 100 (such as the second processor 104 and the inspection processor 105), the first processor 103 is communicatively closer to the trusted network 101. In some embodiments of the disclosure, the first processor 103 is in direct communication with the trusted network 101. However, it may be that other components and / or devices are communicatively located between the first processor 103 and the trusted network 101, such as a network filter or further inspection-type devices.

[0050] Opposite to the first processor 103, the second processor 104 is located on the 'lesser-trusted network side' of the network boundary device 100. As will be understood from the context above, this is to say that the second processor 104 is located communicatively closer to the lesser-trusted network 102 than other components of the network boundary device 100 (such as the first processor 103 and the inspection processor 105). The second processor 104 may be directly or indirectly connected to the lesser-trusted network 102, in a similar manner as to the connections between the first processor 103 and the trusted network 101.

[0051] The inspection processor 105 is located communicatively between the first processor 103 and the second processor 104. In this manner, any communication (i.e. transmission of information or data) that is routed between the first and second processors 103, 104 will pass through the inspection processor 105. There is no direct means of communication between the first processor 103 and the second processor 104. All communication between the two processors 103, 104 passes through the inspection processor 105.

[0052] Therefore, any information that is transmitted from the trusted network 101 and to the lesser-trusted network 102 will pass, in order, through the first processor 103, the inspection processor 105, and the second processor 104 before entering the lesser-trusted network 102. Similarly, any information that is transmitted from the lesser-trusted network 102 and to the trusted network 101 will pass, in order, through the second processor 104, the inspection processor 105, and the first processor 103, before entering the trusted network 101. As shown in Figure 1, information may flow in either direction through the network boundary device 100. However, the information will generally flow in only one direction once it has entered the network boundary device 100. For example, information that enters the network boundary device 100 from the lesser-trusted network 102 at the second processor 104 will enter the inspection processor 105. Once the inspection processor 105 has performed its necessary functions (described in more detail below) the information will (if enabled) pass into the first processor 103. However, it should be noted that the information will not be transferred back into the second processor 104 after entering the inspection processor 105. That is to say, while the network boundary device 100 enables bidirectional dataflow, the dataflow is unidirectional once it has entered the network boundary device 100.

[0053] The first processor 103 is designed to receive information (i.e. data) from the trusted network 101 and prepare it for inspection by the inspection processor 105. In this manner, the first processor 103 comprises a data connection 106 with the trusted network 101, such as a Transmission Control Protocol / Internet Protocol (TCP / IP) connection. The first processor 103 also comprises a processing unit 107 (e.g. a central processing unit (CPU)), and memory 108 (e.g. random access memory (RAM) and / or read-only memory (ROM)), such that the first processor 103 is capable of receiving and implementing instructions for how to prepare information received from the trusted network 101 for inspection by the inspection processor 105 and how to prepare information received from the inspection processor 105 for transmission to the trusted network 101. The first processor 103 also has a data connection 109 to the inspection processor 105 to enable this transmission of information. Similar to the data connection 106 between the trusted network 101 and the first processor 103, the data connection 109 between the first processor 103 and the inspection processor 105 may be any kind of data connection, such as a TCP / IP connection, and the type of connection may be the same or different than the data connection 106 between the first processor 103 and the trusted network 101. With two separate connections being used for the first processor 103 to communicate with the trusted network 101 and the inspection processor 105 respectively, it is to be appreciated that the first processor 103 provides a break in the flow of data which improves the security of the network boundary device 100.

[0054] Preparing the information for inspection by the inspection processor 105 may take one of many forms. For example, it may comprise abstracting the information such that it is more easily interpreted by the inspection processor 105. Abstraction may entail removing extraneous information, such as headers, footers, metadata, or other information typically found in a data packet. Abstraction may also entail the translation of the relevant information from one form to another, such as into a different programming language or into a machine-readable or easily verifiable format. Abstraction may also result in a change of the number of messages that form the information (i.e. from 1 to N, or N to 1 messages). In short, abstracting the information can be employed to ensure that the inspection processor 105 does not need to be configured for a large amount of functionality. By abstracting information before it is received by the inspection processor 105, the inspection processor 105 may be simple in design. With a simpler design of inspection processor 105, it is easier to validate its code to ensure that it remains uncompromised and correctly implements the intended function.

[0055] Alternatively, preparing the information for inspection may simply entail forwarding it on to the inspection processor 105. This may be the case if, for example, the information is already of a format that is capable of inspection by the inspection processor 105.

[0056] The first processor 103 is further arranged to receive information from the inspection processor 105 and prepare it for transmission to the trusted network 101. The information received from the inspection processor 105 may be received using the same or different data connection 109 as is used to transmit information received from the trusted network 101. Preparing the information for transmission to the trusted network 101 can, in short, be viewed as an opposite step to that of the abstraction detailed above. In this manner, any processes performed to enable the inspection processor 105 to properly inspect the information need to be reversed, such that the trusted network 101 is able to appropriately read and route the information. In this manner, preparing the information for transmission to the trusted network 101 may entail a kind of "un-abstraction", such as adding in headers, footers, and metadata and / or translating the information to be readable by the trusted network 101. It is to be noted that the step of "unabstracting" the information does not require the information to be returned exactly to the same form as it was received. For example, preparing the information for transmission to the trusted network 101 may entail converting it into a different file type than was initially received by the network boundary device 100. To be specific, one example may be that the network boundary device 100 receives information in the form of a JPEG, which is converted (i.e. abstracted) into a BMP format for inspection and then converted (i.e. "un-abstracted") into a PNG format for onward transmission.

[0057] Similar to the first processor 103, the second processor 104 is designed to receive information from the lesser-trusted network 102 and prepare it for inspection by the inspection processor 105 and, vice-versa, receive information from the inspection processor 105 for transmission to the lesser-trusted network 102. With this in mind, the structure of, and processes performed by, the second processor 104 are largely the same as that of the first processor 103.

[0058] The second processor 104 comprises respective data connections 110, 111 for transmitting data between the second processor 104 and the lesser-trusted network 102 or the inspection processor 105. The second processor 104 also comprises one or more processing units 112 and memory 113 such that it is capable of receiving and implementing a set of processes for it to perform those functions described in the context of the present disclosure.

[0059] The primary process that may differ between the first processor 103 and the second processor 104 is that the first processor 103 may be further arranged to provide control data to the inspection processor 105. If implemented, it is likely that only the first processor 103 will have this capability (as opposed to the second processor 104) as the first processor 103, being located on the trusted network side of the network boundary device 100, is better placed to receive and implement adjustments to the functionality of the inspection processor 105.

[0060] However, other means of adjusting the functionality of the inspection processor 105 are possible and, therefore, it is not always necessary for the first processor 103 to structurally or functionally differ from the second processor 104. The functionality of the first processor 103 and the second processor 104 can be pre-configured, such that the correct procedure (abstraction, transmission etc.) is followed upon receipt of electronic information. Alternatively, or in addition, the configuration may be provided or updated by one of several means, such as directly interfacing with the relevant processor, or providing a new configuration from the trusted network 101.

[0061] The inspection processor 105 may be structurally similar to the first and second processors 103, 104, but is functionally quite different. The inspection processor 105 comprises a data connection 114 to the first processor 103 and a data connection 115 to the second processor 104. Similar to first and second processors 103, 104, the data connections 114, 115 may be any kind of data connection, such as a TCP / IP connection. The data connections 114, 115 may be of the same or a different type. It should be understood that each data connection 106, 109, 110, 111, 114, 115 of the processors 103, 104, 105 may respectively comprise one bidirectional connection or two unidirectional connections to enable the flow of data in both directions through the network boundary device 100.

[0062] The inspection processor 105 also comprises a processing unit 116 and a memory 117 for storing instructions for the processing unit 116. As mentioned above, the inspection processor 105 is arranged to receive information from the first and second processors 103, 104 for inspection. The inspection processor 105 is therefore arranged to perform a detailed inspection of the received information and to determine whether it meets the necessary criteria for transmission. If the criteria are met, the information is transmitted on to the next processor 103, 104 in accordance with the direction of the flow of data through the network boundary device 100. If one or more criteria are not met, the process is halted, and the information is destroyed or quarantined. The specific criteria used by the inspection processor 105 will depend on various factors. For example, the criteria may depend, at least partly, on which of the processors 103, 104 has sent the information to the inspection processor 105. Information received from the first processor 103, inferred to have originated from the trusted network 101, may be assumed to have certain characteristics that cannot be assumed of data originating from the lesser-trusted network 102. For example, information received from the first processor 103 may be assumed not to contain malware or other such code that would be detrimental to the trusted network 101. As it is unlikely that data leaving the trusted network 101 is harmful to the integrity of the trusted network 101, it may be that the inspection processor 105 inspects the information according to less stringent criteria than for information originating from the lesser-trusted network 102.

[0063] The criteria for inspecting the received information may also vary depending on the type of information. For example, certain file types may be basic in nature and, therefore, simple to inspect. In contrast, complex file types may enable more complex code to be contained within it and, therefore, require more detailed inspection to ensure that the file is safe for transmission. Moreover, as will be discussed further below, the present disclosure requires that information received from the lesser-trusted network 102 is inspected with respect to one or more contextual criteria. In this regard, the context in which the information is received from the lesser-trusted network 102 may also impact the criteria that are used to inspect the information. For example, if the trusted network 101 requests time information from the lesser-trusted network 102, the criteria used for inspecting the information may be simpler than if the trusted network 101 had requested a word- processed document.

[0064] In general, the criteria used by the inspection processor 105 for inspecting the information, i.e. inspection criteria, may comprise different types of criteria. For example, the inspection criteria may comprise criteria that set limitations on a file type, file size, or information contents. However, in the context of the present disclosure, for information received from the lesser-trusted network 102, the criteria will at least include contextual criteria. Contextual criteria are criteria that are context specific to a message / information sent by the trusted network 101. In other words, the contextual criteria are defined with respect to the initial request from the trusted network 101 (hereinafter referred to as the first electronic information). In this manner, the contextual criteria may define one or more associations between the first electronic information and a subsequent message received from the lesser-trusted network (hereinafter referred to as the second electronic information). For example, where the trusted network 101 has sent a request to the lesser-trusted network 102 for a JPEG file, the contextual criteria used by the inspection processor 105 ensure that the information from the lesser-trusted network 102 does indeed contain a JPEG file. In other words, the contextual criteria define an association between the first electronic information being a request for a JPEG file and that the second electronic information should therefore be a JPEG file. This is different from prior art network boundary devices, where a simple approval list may enable JPEG files to be received from the lesser-trusted network 102 without checking that the trusted network 101 actually requested such a file. By introducing contextual criteria into the inspection criteria for the inspection processor 105, it is more difficult to send malicious file types to the trusted network 101.

[0065] In another example, the contextual criteria may define a check of a time of receipt of a message from the lesser-trusted network 102 in the context of the time of transmission of a request from the trusted network 101. For example, should the lesser-trusted network 102 take too long to respond to a request from the trusted network 101, then the contextual criteria may not be met. In examples where the second electronic information comprises a plurality of messages, the check of the time of receipt may be with respect to a previous message forming part of the second electronic information. This may be useful where a heartbeat signal is expected periodically, such that the periodicity can be used as contextual criteria for checking each heartbeat signal is genuine. As such, the contextual criteria may additionally be defined with respect to earlier transmitted second electronic information, such as the time of receipt of an earlier message in a series of heartbeat signals.
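The periodicity check described in [0065] can be sketched as follows. This is an added illustration, not part of the patent disclosure; the class name, the tolerance parameter and the choice to halt the whole sequence after one failed check are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HeartbeatContext:
    """Contextual criteria for a heartbeat series started by one request.

    Hypothetical structure: the period and tolerance would be set by the
    trusted network when it sends the request (first electronic information).
    Timestamps are seconds from a monotonic clock.
    """
    period_s: float
    tolerance_s: float
    requested_at: float
    last_seen: Optional[float] = None
    halted: bool = False

    def accept(self, received_at: float) -> bool:
        """Return True if this heartbeat may be forwarded to the trusted side."""
        if self.halted:
            return False
        if self.last_seen is None:
            # First beat: judged against the time the request was transmitted.
            gap = received_at - self.requested_at
            ok = 0 <= gap <= self.period_s + self.tolerance_s
        else:
            # Later beats: judged against the previous message in the series,
            # so a beat that is too early is as suspicious as one too late.
            gap = received_at - self.last_seen
            ok = abs(gap - self.period_s) <= self.tolerance_s
        if not ok:
            self.halted = True  # assumption: one failure terminates the series
            return False
        self.last_seen = received_at
        return True

    def overdue(self, now: float) -> bool:
        """True if the next heartbeat should already have arrived."""
        reference = self.requested_at if self.last_seen is None else self.last_seen
        return now - reference > self.period_s + self.tolerance_s


def run_series(ctx: HeartbeatContext, arrivals: List[float]) -> List[bool]:
    """Apply the criteria to a list of arrival times and collect the verdicts."""
    return [ctx.accept(t) for t in arrivals]
```

Because each beat is compared with the previous one, an extra message injected between two genuine heartbeats fails the check even though its type and size would pass a static approval list.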

[0066] In yet another example, the contextual criteria may define that a certain file size is expected in response to a request from the trusted network 101. If the lesser-trusted network 102 responds to a request from the trusted network 101 with a file of the correct type, but of an anomalous size (e.g. too big, or too small), then the contextual criteria may not be met. Again, this is different from a simple predefined range of allowable file sizes, as is known in the prior art. The file size is reviewed in the context of the request from the trusted network 101 and, therefore, makes it more difficult for a malicious entity to introduce harmful data into a response from the lesser-trusted network 102. As will be appreciated from the above, the contextual criteria may overlap with other inspection criteria in that similar characteristics of the information received from the lesser-trusted network 102 may be inspected. However, where prior art inspection criteria may be static in nature, the contextual criteria are dynamic in response to the context of an initiating / request message from the trusted network 101. In this regard, the inspection criteria and the contextual criteria, for any given inspection, will likely have different acceptable values. The inspection criteria may be seen as setting a kind of base level of acceptability, with the contextual criteria setting a higher level of acceptability. In other words, the contextual criteria are determined based on the first electronic information.

[0067] As stated above, the contextual criteria are only necessarily applied for information / messages received from the lesser-trusted network 102. This is because the contextual criteria are applied in the context of a request from the trusted network 101. While it is plausible for the same or similar contextual criteria to be applied for information received from the trusted network 101 in response to a request from the lesser-trusted network 102, it is not essential in respect of the present disclosure.

[0068] While contextual criteria are not necessarily applied for information originating from the trusted network 101, it may be desirable to apply some kind of inspection criteria to minimise the chances of, for example, important information leaving the trusted network 101. Such inspection criteria applied to information leaving the trusted network 101 will herein be referred to as transmission criteria, and can have different acceptable values than the contextual criteria.

[0069] The specific inspection criteria (contextual criteria and / or transmission criteria) to be used by the inspection processor 105 may be provided to the inspection processor 105 in one of many ways. For example, as discussed above, the inspection criteria may be transmitted to the inspection processor 105, via the first processor 103, from the trusted network 101. The inspection criteria may then be stored in the memory 117 of the inspection processor 105.

[0070] In the alternative, the inspection criteria may be provided directly to the inspection processor 105, for example, via direct connection using a separate device or by the insertion of a physically removable memory. In this way, the inspection criteria may only be updated by physical access to the inspection processor 105 and, therefore, robust physical security measures can be used to ensure that the inspection criteria are not tampered with.

[0071] In any event, the specific inspection criteria to be used by the inspection processor 105 in a given instance can be preconfigured or indicated on a case-by-case basis by the trusted network 101. For example, where the first electronic information is a request for time information, the first processor 103 can provide an indication that the inspection processor 105 is to apply transmission criteria and (subsequently) contextual criteria that relates to time information. Alternatively, the inspection processor 105 can be preconfigured to detect that it has received a request for time information from the first processor 103, and then apply the relevant transmission criteria and (subsequently) the relevant contextual criteria when it receives the second electronic information.

[0072] With reference to Figure 2, there is described a method performed by a network boundary device 100 to enable information transfer between a trusted network 101 and a lesser-trusted network 102, according to an embodiment of the present disclosure. The method relates to a procedure in which the trusted network 101 requests some information from the lesser-trusted network 102. The lesser-trusted network 102 then provides some information in response to the request. The method of the present disclosure relates to the steps performed by the network boundary device 100 during this process.

[0073] In a first step, the network boundary device 100 receives S201, from the trusted network 101, first electronic information. As discussed above, the first electronic information (or simply "information") may take one of many forms, such as a complex message or a simple data packet. In different situations, different information types will be possible, and various information types are acceptable in the context of the present disclosure. Generally, though, the first electronic information is some form of information request, be that a direct request or an implicit request to be inferred from the first electronic information. A direct request may be, for example, an explicit request (e.g. message) for a time check. An implicit request may be, for example, some form of instruction (e.g. perform an action within the lesser-trusted network 102) with an expected response being confirmation that the action has taken place. The common theme being that some further (second) electronic information is expected to be received in response to transmission of the first electronic information.

[0074] In a second step, the network boundary device 100 transmits S202, to the lesser-trusted network 102, the first electronic information. As described above, and as will be described further with reference to Figure 3, the network boundary device 100 may perform one or more inspections of the first electronic information before transmission S202 to the lesser-trusted network 102. Alternatively, or in addition, transmitting S202 the first electronic information may further comprise storing some metadata related to the first electronic information to be used when determining the appropriate contextual criteria to be applied at a later stage of the method. In the present embodiment, however, the first electronic information is simply transmitted S202 directly to the lesser-trusted network 102 after receipt S201. With reference to Figure 1, this would entail the transmission of the first electronic information through the processors 103, 104, 105 to the data connection 110 of the second processor 104, for transmission to the lesser-trusted network 102.

[0075] In a third step, the network boundary device 100 receives S203, from the lesser-trusted network 102, second electronic information. As with the first electronic information, the second electronic information may take one of many forms, such as a complex message or a simple data packet, and the present disclosure should not be considered to be limited to any particular type of electronic information. It is expected, however, that the second electronic information will be some form of response to the first electronic information, and it is in this context that the network boundary device 100 will perform the next step.

[0076] In a fourth step, the network boundary device 100 determines S204 whether the second electronic information meets one or more contextual criteria. The one or more contextual criteria are defined with respect to the first electronic information. In other words, the contextual criteria define an association between the first electronic information and the second electronic information. For example, determining whether the one or more contextual criteria are met may comprise determining whether the second electronic information is an expected information type (e.g. data type, or file type) that corresponds to a request contained within the first electronic information. If the second electronic information is not of an appropriate information type, then the contextual criteria will not be met.

[0077] Alternatively, or in addition, determining whether the one or more contextual criteria are met may comprise determining whether the second electronic information was received within an expected time of receipt compared to the transmission of the first electronic information. For example, transmission of the first electronic information to the lesser-trusted network 102 may trigger the start of a timer which is checked against the contextual criteria upon receipt of the second electronic information. If, at the time of receipt of the second electronic information, the timer exceeds a threshold value for a predetermined response time, the contextual criteria will not be met. If, at the time of receipt of the second electronic information, the timer is below the predetermined threshold, that particular contextual criterion will be considered to have been met. More than a simple timer, the contextual criterion in this example may set a different timer depending on the first electronic information. For example, the timer may be repetitive if the first electronic information is a request for a heartbeat signal. Alternatively, if the first electronic information is a request to perform a function that may take a long time to perform within the lesser-trusted network 102, an appropriate length of timer may be set to accommodate this.

[0078] Additionally, or alternatively, determining whether the one or more contextual criteria are met may comprise determining whether the second electronic information is of an expected file size in the context of the first electronic information. If the second electronic information is of a size which is inappropriate in the context of the first electronic information, the contextual criteria may not be met. For example, if the first electronic information contains instructions to perform an action in the lesser-trusted network 102, the second electronic information would be expected only to contain a simple acknowledgement of failure or success to perform the action. If the second electronic information, in this context, is of a large file size (e.g. several gigabytes), then this contextual criterion may be considered not to have been met.

[0079] Additionally, or alternatively, determining whether the one or more contextual criteria are met may comprise determining whether the second electronic information is of an expected message format in the context of the first electronic information. For example, the first electronic information may include a request for a word-processed document comprising simple text only. If the second electronic information comprises a word-processed document with complex functions embedded within it, then the contextual criterion will not be met.

[0080] Additionally, or alternatively, determining whether the one or more contextual criteria are met may comprise determining whether the second electronic information is part of a sequence of received electronic information in the context of the first electronic information. For example, the first electronic information may comprise a request for a heartbeat signal from a device within the lesser-trusted network 102. The second electronic information may, therefore, comprise several pieces of electronic information that are received over time in response to one first electronic information. In the context of this example, the contextual criteria may also comprise comparing the present piece of second electronic information to previously received pieces. For example, the file type, file size, and time of receipt may be comparable to previous pieces of electronic information that were received in response to the first electronic information.

[0081] Additionally, or alternatively, determining whether the one or more contextual criteria are met may comprise determining whether the second electronic information has an expected content in the context of the first electronic information. For example, if the first electronic information contained a request for a time check, a contextual criterion will not be met if the second electronic information contains the value "25:03:98" or "450000", i.e. invalid time values.

[0082] In order to determine S204 whether the second electronic information meets the one or more contextual criteria, the network boundary device 100 moves the second electronic information into the inspection processor 105 for inspection. The contextual criteria are located within the memory 117 of the inspection processor 105 and used to appropriately analyse the second electronic information. As described earlier, and as will be described with reference to Figure 4, the second electronic information may be processed in some capacity before it is inspected by the inspection processor 105.

[0083] Depending on a result of the determination S204 as to whether the second electronic information meets the one or more contextual criteria, the network boundary device 100 will perform one of two actions.

[0084] If the second electronic information does not meet the one or more contextual criteria, the network boundary device 100 terminates S205 the transfer of information between the networks 101, 102. In this manner, the network boundary device 100 may delete the second electronic information or quarantine it within a memory, such as the memory 117 of the inspection processor 105. The network boundary device 100 can be configured to provide an indication to one or both networks 101, 102 that the procedure has been terminated.

[0085] If the second electronic information does meet the one or more contextual criteria (as well as any other inspection criteria that may be in place), the network boundary device 100 transmits S206 the second electronic information to the trusted network 101. If the second electronic information has been abstracted or otherwise processed for the determination S204 to take place, this may be undone (or reversed) before the second electronic information is transmitted to the trusted network 101. As mentioned above, the undoing of the abstraction does not necessarily require the second electronic information to be returned to the same form in which it was received at the network boundary device 100. Instead, the second electronic information may be converted into a further file format that is useful for its purpose within the trusted network 101. Undoing the abstraction (or "un-abstraction") simply means that the second electronic information is transformed from the format that makes it easily inspected by the inspection processor 105 into a format that is suitable for further transmission.
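The Figure 2 flow (metadata stored at S202, the determination at S204, then termination S205 or forwarding S206) can be sketched as follows. This is an added illustration, not part of the patent disclosure; the request kinds, limits, reason strings and the use of a request identifier to pair a response with its request are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical markers and patterns used by the content checks below.
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
_TIME_RE = re.compile(rb"([01]\d|2[0-3]):[0-5]\d:[0-5]\d")


def is_jpeg(body: bytes) -> bool:
    """Expected information type: JPEG start and end markers are present.
    A real inspector would parse the whole structure, not just the markers."""
    return body.startswith(JPEG_SOI) and body.endswith(JPEG_EOI)


def is_time_of_day(body: bytes) -> bool:
    """Expected content: a valid HH:MM:SS value, so b"25:03:98" fails."""
    return _TIME_RE.fullmatch(body) is not None


def is_ack(body: bytes) -> bool:
    """Expected content for an action request: a short success/failure reply."""
    return body in (b"OK", b"FAIL")


@dataclass(frozen=True)
class ContextualCriteria:
    """Limits that apply only to the response to one kind of request."""
    max_response_s: float
    min_size: int
    max_size: int
    content_ok: Callable[[bytes], bool]


# Constructed table: request kind -> criteria for the matching response.
CRITERIA_BY_REQUEST: Dict[str, ContextualCriteria] = {
    "GET_TIME": ContextualCriteria(2.0, 8, 8, is_time_of_day),
    "GET_JPEG": ContextualCriteria(30.0, 4, 5_000_000, is_jpeg),
    "DO_ACTION": ContextualCriteria(600.0, 2, 4, is_ack),
}


class InspectionProcessor:
    def __init__(self) -> None:
        # request_id -> (criteria, time the request was sent)
        self._pending: Dict[str, Tuple[ContextualCriteria, float]] = {}
        self.quarantine: List[Tuple[str, str, bytes]] = []

    def record_request(self, request_id: str, kind: str, sent_at: float) -> None:
        """S202: store metadata about the request; unknown kinds raise KeyError."""
        self._pending[request_id] = (CRITERIA_BY_REQUEST[kind], sent_at)

    def inspect_response(self, request_id: str, body: bytes,
                         received_at: float) -> Tuple[bool, str]:
        """S204: return (forward?, reason). A request is consumed by its first
        response, so a second or unsolicited response never matches."""
        entry = self._pending.pop(request_id, None)
        if entry is None:
            return self._reject(request_id, "unsolicited", body)
        criteria, sent_at = entry
        elapsed = received_at - sent_at
        if elapsed < 0 or elapsed > criteria.max_response_s:
            return self._reject(request_id, "late", body)
        if not criteria.min_size <= len(body) <= criteria.max_size:
            return self._reject(request_id, "size", body)
        if not criteria.content_ok(body):
            return self._reject(request_id, "content", body)
        return True, "ok"  # S206: release to the trusted side

    def _reject(self, request_id: str, reason: str,
                body: bytes) -> Tuple[bool, str]:
        """S205: terminate the transfer and quarantine the data for review."""
        self.quarantine.append((request_id, reason, body))
        return False, reason
```

The same JPEG bytes pass or fail depending on whether a JPEG was requested, which is the difference from a static approval list that the description draws in [0064].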

[0086] With reference to Figure 3, an embodiment is described in which the step of transmitting S202 the first electronic information includes further steps that occur immediately prior to the transmission S202. These steps are optional, but provide the additional benefit of ensuring that the information leaving the trusted network 101 is approved to do so.

[0087] The network boundary device 100 may optionally receive S301 transmission information comprising one or more transmission criteria. Similar to the contextual criteria for the second electronic information, the transmission criteria are used to aid in determining whether the first electronic information is suitable for transmission to the lesser-trusted network 102. In this regard, the transmission criteria provide limits or ranges on the characteristics of the first electronic information that are approved for leaving the trusted network 101. For example, the transmission criteria, similar to the contextual criteria, may provide an indication as to the types of files, file sizes, or message contents that are approved, i.e. an approved list of characteristics of the first electronic information. Alternatively, the transmission criteria may provide a list of prohibited characteristics of the first electronic information, such as restrictions on message formats or message sizes. The primary difference between the transmission criteria and the contextual criteria is that the contextual criteria are defined with respect to an earlier message (i.e. the first electronic information). As the first electronic information is likely to be the beginning of an interaction between the trusted network 101 and the lesser-trusted network 102, there is no earlier message to aid definition of the transmission criteria. Therefore, the transmission criteria are not defined in the same way as the contextual criteria, but provide more static criteria for what may be transmitted.

[0088] The reception S301 of the transmission information may occur by many different means. The network boundary device 100 may receive S301 the transmission information in the same manner as the first electronic information, e.g. from the trusted network 101. Alternatively, the network boundary device 100 may receive S301 the transmission information from a separate device that interfaces directly with the network boundary device 100. Alternatively, the network boundary device 100 may receive S301 the transmission information by introduction of some form of removable memory at the network boundary device 100. Within the network boundary device 100, any of these methods of receiving S301 the transmission information may occur within the first processor 103 or the inspection processor 105. It is to be understood, however, that the transmission information will, if not already located there, be transmitted internally to the inspection processor 105 in advance of its use.

[0089] Although Figure 3 depicts that the transmission information is received S301 at a particular point in the process, it is to be understood that this is not essential. The transmission information only needs to be acquired by the network boundary device 100 prior to determining S304 whether the transmission criteria have been met.

[0090] If required, the first electronic information is abstracted S302 (or otherwise processed) prior to transmission to the inspection processor 105 for inspection. As described above with reference to Figure 1, abstraction may entail removing extraneous information, such as headers, footers, metadata, or other information typically found in a data packet. Abstraction may also entail the translation of the relevant information from one form to another, such as into a different programming language or into a machine-readable or easily verifiable format. Of course, if the first electronic information is already in a format that is readable by the inspection processor 105, and there is no extraneous information to remove, then this step is not required to occur before the first electronic information is transmitted S303 from the first processor 103 to the inspection processor 105.

[0091] Whether or not the abstraction S302 occurs, the first electronic information, after being received at the first processor 103 of the network boundary device 100, is transmitted / transferred S303 from the first processor 103 to the inspection processor 105, via the relevant data connections 109, 114.

[0092] After receipt of the first electronic information, the inspection processor 105 determines whether the first electronic information meets the transmission criteria. This requires the inspection processor 105 to inspect the first electronic information in order to determine particular characteristics depending on the requirements set by the transmission criteria. For example, this may require the inspection processor 105 to determine a file type of a file forming part of the first electronic information. Alternatively, this may require the inspection processor to determine a total computational size of the first electronic information. If the first electronic information does not meet the transmission criteria, the procedure is terminated S305. Terminating S305 the procedure may entail halting any ongoing processes and deleting the first electronic information. Alternatively, the first electronic information may be stored in a memory for later review and analysis as to why the transmission criteria were not met. In any case, if the procedure is terminated S305, the first electronic information is not transmitted to the lesser-trusted network 102. More specifically, the first electronic information is not transmitted to the second processor 104 to be prepared for transmission to the lesser-trusted network 102. Where the process is halted, an indication or report may be sent to the trusted network 101.

[0093] If the first electronic information does meet the transmission criteria, the first electronic information is transmitted S306 to the second processor 104 for preparing it to be transmitted to the lesser-trusted network 102. Preparing the first electronic information can mean a variety of things. For example, it may require the reversal of any abstraction performed by the first processor 103. Alternatively, or additionally, it may require the introduction of routing information, headers, footers etc. It may also require the transformation of the first electronic information into a format that is ready for transmission according to the necessary protocols (i.e. not necessarily the same format as the format in which the first electronic information was received by the network boundary device 100). Alternatively, no preparation may be required other than to ensure that the first electronic information is sent via the data connection 110 of the second processor 104 to be transmitted to the lesser-trusted network 102. In general, with respect to the first electronic information, the purpose of the second processor 104 is to ensure that it is correctly transmitted to the lesser-trusted network 102 for effective routing to the intended destination.

[0094] With reference to Figure 4, there is described an embodiment of the present disclosure in which further optional steps are defined between the steps of receiving S203 the second electronic information and determining S204 whether the second electronic information meets the one or more contextual criteria, described earlier with reference to Figure 2. The steps of Figure 4 follow on directly from those described with respect to Figure 3 and may occur in combination with those steps or separately from them. After transmission S202 of the first electronic information to the lesser-trusted network 102, the network boundary device 100 is arranged to receive S203, from the lesser-trusted network 102, second electronic information. The second electronic information is received by the second processor 104, being on the lesser-trusted network side of the network boundary device 100. As discussed above with reference to Figure 2, the second electronic information may take any form of electronic information, but it is expected to be some form of response to the first electronic information (e.g. a requested file, or an acknowledgement message).

[0095] The network boundary device receives S401 contextual information defining, at least in part, the contextual criteria that are to be used in inspecting the second electronic information. Similar to the reception S301 of the transmission information, the specific point in time at which the contextual information is received is not important, except that it should occur before the contextual information is required for its purpose in aiding inspection of the second electronic information. Therefore, it should be understood that the point in the flow chart at which the contextual information is received S401 is for example only and may, in practice, occur at any time prior to determining S204 whether the second electronic information meets the contextual criteria.

[0096] Again, similar to the reception S301 of the transmission information, the manner in which the contextual information is received S401 may vary between embodiments of the disclosure. For example, the contextual information may be received by the network boundary device 100 from the trusted network 101. Alternatively, the contextual information may be provided to the network boundary device 100 from a separate device that interfaces directly with it. Alternatively, the network boundary device 100 may receive S401 the contextual information by means of some form of removable memory. Whichever way the contextual information is received S401 by the network boundary device 100, if it is not already located in the inspection processor 105, it is internally transferred to it, in order that the inspection processor 105 may determine S204 whether the contextual criteria are met. After receiving the second electronic information, the second processor 104 may be required to prepare it for inspection by the inspection processor 105, such as by abstracting S402 the second electronic information. As described above, this abstraction process may mean the removal of headers, footers, metadata etc., that are superfluous to the inspection process or potentially unreadable by the inspection processor 105. The abstraction may also entail the translation of the second electronic information into a format that is readable by the inspection processor 105. In short, the abstraction is a processing step in which the second electronic information is prepared for inspection. After the second processor 104 has performed the abstraction S402 (should it be required), the second processor 104 transmits S403 the second electronic information to the inspection processor 105.

[0097] As described with reference to Figure 2, the network boundary device 100 then determines whether the second electronic information meets the one or more contextual criteria. More specifically, the inspection processor 105 of the network boundary device 100 receives the second electronic information from the second processor 104 and recalls the contextual criteria from its memory 117. The specific contextual criteria to be recalled may be determined in one of many ways, for example, by automatic determination based on detection of the second electronic information or, in another example, by instruction (from the first processor 103 of the trusted network 101). The second electronic information is then inspected against the contextual criteria (among any other required criteria) to determine whether it meets the requirements for onward transmission. If the second electronic information does meet the contextual criteria, it is then forwarded onto the first processor 103 for preparing (e.g. un-abstracting, if necessary) and transmitting to the trusted network 101. Receipt of the second electronic information at the first processor 103 can be considered a deemed approval, by the inspection processor 105, of the transmission of the second electronic information to the trusted network 101. If the second electronic information does not meet one or more of the contextual criteria, the process is halted, and the second electronic information is not transmitted to the first processor 103. The second electronic information is then either destroyed or quarantined in the memory 117 of the inspection processor 105 for review. In either case, the halting of the process can be reported to the trusted network 101 and / or the lesser-trusted network 102.

[0098] The network boundary device 100, as detailed above, is therefore enabled to facilitate the transmission of information between two networks in such a manner that a trusted network 101 may be prevented from receiving potentially harmful information, and important information may be prevented from leaving the trusted network 101.

[0099] Embodiments described above, in particular with reference to Figure 1, state that all communication between the first processor 103 and the second processor 104 must pass through the inspection processor 105. It is to be understood that this is only one embodiment and not a requirement of the disclosure. In alternative embodiments, some electronic information may not be transmitted via the inspection processor 105.

[0100] For example, in an alternative embodiment, electronic information that passes through the network boundary device 100 may be split into parts, such that one part passes through the network boundary device 100 via the inspection processor 105 while the other part passes through the network boundary device 100 without passing through the inspection processor 105 (i.e. it is transmitted directly from the first processor 103 to the second processor 104). This may occur as part of the abstraction process, wherein metadata is transmitted separately to the remaining data forming the electronic information.

[0101] Additionally or alternatively, the electronic information may be copied. A first copy may be inspected by the inspection processor 105, in a similar process to that described above with respect to the Figures. A second copy may be transmitted directly between the processors 103, 104. Where the inspection criteria are deemed to be met by the inspection processor 105, the inspection processor 105 may, instead of transmitting the first copy of the electronic information on to the relevant processor 103, 104, transmit only a release authorisation that can be used by the relevant processor 103, 104 to approve transmission of the second copy of the electronic information. In this manner, the electronic information (be it the first or second electronic information) may only be transmitted once the release authorisation has been provided by the inspection processor 105. In this manner, no un-abstraction process is required to take place as the second copy of the electronic information is never abstracted.
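An added example, not taken from the patent, of the copy-and-release arrangement in paragraph [0101]. The patent does not say what form the release authorisation takes; this sketch assumes an HMAC over the digest of the inspected copy, so an authorisation cannot release a second copy that differs from the copy that was inspected. The key, class and function names are illustrative.

```python
import hashlib
import hmac

# Assumption: a key shared only by the inspection processor and the releasing processor.
KEY = b"constructed-demo-key"

def _tag(copy: bytes) -> bytes:
    digest = hashlib.sha256(copy).digest()
    return hmac.new(KEY, b"release" + digest, hashlib.sha256).digest()

def issue_release(inspected_copy: bytes, criteria_met: bool):
    """Inspection processor: emit an authorisation only when the criteria are met."""
    return _tag(inspected_copy) if criteria_met else None

class ReleasingProcessor:
    """Holds the second (direct-path) copy until a matching authorisation arrives."""

    def __init__(self):
        self.held = {}

    def hold(self, msg_id: str, copy: bytes) -> None:
        self.held[msg_id] = copy

    def release(self, msg_id: str, auth):
        copy = self.held.get(msg_id)
        if copy is None or auth is None:
            return None                       # nothing held, or inspection refused
        if not hmac.compare_digest(auth, _tag(copy)):
            return None                       # held copy is not the one inspected
        return self.held.pop(msg_id)          # single use: the copy leaves the hold

def demo():
    # Constructed payloads: the inspected copy and two direct-path copies.
    inspected = b'{"type":"status","body":"ok"}'
    auth = issue_release(inspected, criteria_met=True)
    rp = ReleasingProcessor()
    rp.hold("m1", inspected)
    rp.hold("m2", inspected + b" tampered")   # direct-path copy altered in transit
    return rp.release("m1", auth), rp.release("m2", auth), rp.release("m1", auth)
```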

[0102] Variations on the above examples of direct communication between the first processor 103 and the second processor 104 are possible. The examples are only to show that, in some embodiments, direct communication between the processors 103, 104 is possible.

[0103] While the embodiments above have been described as requiring abstraction and "un-abstraction" to be performed by the first and second processors 103, 104, in some embodiments, the electronic information received by the network boundary device 100 may already be in a format that is suitable for inspection by the inspection processor 105. In such embodiments, it is to be understood that the network boundary device 100 may not comprise a first processor 103 and / or a second processor 104. Instead, the network boundary device 100 may comprise only one processor, the inspection processor 105.

[0104] It is to be appreciated that although the transmission of information discussed herein is exemplarily considered to be by means of physical electrical connections, the communications between the networks 101, 102 and the network boundary device 100, or even within the network boundary device 100 itself, may alternatively be wireless in nature. For example, there may be a transmitter and a receiver arrangement, such that the information may be sent via Bluetooth®, RF signal, WiFi® or any other type of wireless transmission means.

[0105] The skilled person will also realise that steps of various above-described methods can be performed by programmed computers. Accordingly, the above-mentioned embodiments should be understood to cover storage devices containing machine-executable or computer-executable instructions to perform some or all of the steps of the above-described methods. The embodiments are also intended to cover computers programmed to perform the steps of the above-described methods.

[0106] The functionality of the elements shown in the Figures can be provided using either dedicated hardware and / or software. The expressions "processor", "processing means" and "processing module" can include, but are not limited to, any of digital signal processor (DSP) hardware, network processors, application specific integrated circuits (ASICs), CPUs, graphics processing units (GPUs), field programmable gate arrays (FPGAs), ROMs for storing software, RAMs, and nonvolatile storage. Similarly, where functionality has been described as being performed across multiple processors (for example, in the first processor 103, second processor 104, and inspection processor 105), it should be understood that this is for illustrative purposes only and that the same functionality may be performed within one processor or several more processors depending on the specific implementation of the disclosure. For example, the functionality of the first processor 103, the second processor 104, and the inspection processor 105 may be incorporated within a single processor. Such a single processor may require a level of isolation between each functional part within it that performs the functions of the processors described above, but this is readily achievable and, therefore, not discussed in detail here.

[0107] Features of the present disclosure are defined in the appended claims. While particular combinations of features have been presented in the claims, it will be appreciated that other combinations, such as those provided above, may be used.

Claims

1) A method performed by a network boundary device, to enable information transfer between a trusted network and a lesser-trusted network, wherein the method comprises:
Receiving, from the trusted network, first electronic information for transmission to the lesser-trusted network;
Transmitting, to the lesser-trusted network, the first electronic information;
Receiving, from the lesser-trusted network, second electronic information;
Determining, at the network boundary device, whether the second electronic information meets one or more contextual criteria; and
If the second electronic information meets the one or more contextual criteria, transmitting the second electronic information to the trusted network.

2) The method of claim 1, wherein the one or more contextual criteria are defined with respect to the first electronic information.

3) The method of claim 1 or 2, wherein the one or more contextual criteria define one or more associations between the first electronic information and the second electronic information.

4) The method of any preceding claim, wherein receiving the first electronic information comprises receiving the first electronic information at a first processor of the network boundary device and transmitting the first electronic information to an inspection processor of the network boundary device.

5) The method of claim 4, wherein the method further comprises abstracting the first electronic information prior to transmitting the first electronic information to the inspection processor.

6) The method of claim 4 or 5, wherein the inspection processor is configured to determine whether the first electronic information meets one or more transmission criteria and, if the one or more transmission criteria are met, forward the first electronic information to a second processor.

7) The method of any preceding claim, wherein transmitting the first electronic information comprises transmitting the first electronic information by the second processor of the network boundary device to the lesser-trusted network.

8) The method of any preceding claim, wherein receiving the second electronic information comprises receiving the second electronic information at the second processor of the network boundary device and transmitting the second electronic information to the inspection processor.

9) The method of claim 8, wherein the method further comprises abstracting the second electronic information prior to transmitting the second electronic information to the inspection processor.

10) The method of any preceding claim, wherein determining whether the second electronic information meets the one or more contextual criteria is performed by the inspection processor and, if the one or more contextual criteria are met, the method further comprises approving the second electronic information for transmission to the trusted network.

11) The method of any preceding claim, wherein the method further comprises:
Receiving contextual information, wherein the contextual information defines the one or more contextual criteria.

12) The method of any of claims 6 to 11, wherein the method further comprises:
Receiving transmission information, wherein the transmission information defines the one or more transmission criteria.

13) The method of any preceding claim, wherein the one or more contextual criteria comprise one or more of:
- An expected information type;
- An expected time of receipt;
- An expected file size;
- An expected message format;
- A sequence of received electronic information;
- A content of the electronic information.

14) The method of any preceding claim, wherein transmitting the second electronic information comprises transmitting the second electronic information by the first processor.

15) The method of any preceding claim, wherein the second electronic information comprises a plurality of messages, and wherein determining whether the second electronic information meets the one or more contextual criteria comprises using the same contextual criteria for each of the plurality of messages that are part of the second electronic information.

16) A network boundary device configured to enable information transfer between a trusted network and a lesser-trusted network, the network boundary device being configured to:
Receive, from the trusted network, first electronic information for transmission to the lesser-trusted network;
Transmit, to the lesser-trusted network, the first electronic information;
Receive, from the lesser-trusted network, second electronic information;
Determine at the network boundary device, whether the second electronic information meets one or more contextual criteria; and
If the second electronic information meets the one or more contextual criteria, transmit the second electronic information to the trusted network.

17) The device of claim 16, wherein the one or more contextual criteria are defined with respect to the first electronic information.

18) The device of claim 16 or 17, wherein the one or more contextual criteria define one or more associations between the first electronic information and the second electronic information.

19) The device of any of claims 16 to 18, wherein the device is configured to receive the first electronic information at a first processor of the network boundary device and transmit the first electronic information to an inspection processor of the network boundary device.

20) The device of claim 19, wherein the device is further configured to abstract the first electronic information prior to transmitting the first electronic information to the inspection processor.

21) The device of claim 19 or 20, wherein the inspection processor is configured to determine whether the first electronic information meets one or more transmission criteria and, if the one or more transmission criteria are met, forward the first electronic information to a second processor.

22) The device of any of claims 16 to 21, wherein the device is further configured to transmit the first electronic information to the lesser-trusted network using the second processor.

23) The device of any of claims 16 to 22, wherein the device is further configured to receive the second electronic information at the second processor of the network boundary device and transmit the second electronic information to the inspection processor.

24) The device of claim 23, wherein the device is further configured to abstract the second electronic information prior to transmitting the second electronic information to the inspection processor.

25) The device of any of claims 16 to 24, wherein determining whether the second electronic information meets the one or more contextual criteria is performed by the inspection processor and, if the one or more contextual criteria are met, the inspection processor is configured to approve the second electronic information for transmission to the trusted network.

26) The device of any of claims 16 to 25, wherein the device is further configured to receive contextual information, wherein the contextual information defines the one or more contextual criteria.

27) The device of any of claims 21 to 26, wherein the device is configured to receive transmission information, wherein the transmission information defines the one or more transmission criteria.

28) The device of any of claims 16 to 27, wherein the one or more contextual criteria comprise one or more of:
- An expected information type;
- An expected time of receipt;
- An expected file size;
- An expected message format;
- A sequence of received electronic information;
- A content of the electronic information.

29) The device of any of claims 16 to 28, wherein transmitting the second electronic information comprises transmitting the second electronic information by the first processor.

30) The device of any of claims 16 to 29, wherein the second electronic information comprises a plurality of messages, and wherein determining whether the second electronic information meets the one or more contextual criteria comprises using the same contextual criteria for each of the plurality of messages that are part of the second electronic information.

31) A trusted network comprising a network boundary device configured to enable information transfer between the trusted network and a lesser-trusted network in accordance with any of claims 16 to 30.