CN104363231B - A kind of network security isolation and information switching method and system based on half-duplex channel - Google Patents

Publication number: CN104363231B
Application number: CN201410652474.4A
Authority: CN (China)
Other versions: CN104363231A
Language: Chinese (zh)
Inventors: 杜飞, 迟悦
Assignee (original and current): BEIJING RUICHI XINAN TECHNOLOGY Co Ltd
Legal status: Active (granted)
Prior-art keywords: data, module, network, arp, address

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0236 Filtering policies; filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L61/106 Mapping addresses of different types across networks, e.g. mapping telephone numbers to data network addresses
    • H04L61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • H04L67/565 Provisioning of proxy services; conversion or adaptation of application format or content
    • H04L45/745 Address processing for routing; address table lookup; address filtering
    • H04L47/23 Flow control; congestion control; bit dropping
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a network security isolation and information exchange method and system based on a half-duplex channel, in the field of computer network security. The network security isolation and information exchange system comprises a data acquisition module, a protocol restoration module, a data audit module, an information unloading and encapsulation module, and a data sending module; each module may be implemented in hardware or in software. The method comprises the steps of data acquisition, protocol restoration, data audit, information unloading and encapsulation, and data sending. The invention transmits data over a half-duplex channel and, by means of a special packet-processing method, audits and unloads the transmitted data; when a fault occurs, physical isolation is formed. The method and system of the present invention can significantly raise data throughput, effectively protect data security between different networks, prevent intrusion and control by unauthorized users, and reduce the cost of the system.

Description

Network security isolation and information exchange method and system based on a half-duplex channel
Technical field
The present invention relates to the field of computer network security and, more precisely, to a network security isolation and information exchange method and system.
Background technology
Informatization is the main trend in the development of science, technology and society worldwide. National economies and societies depend ever more on information and information systems, the application of information and communication technology has penetrated every aspect of production and daily life, and network communication has become the basic tool for exchange between institutions and between individuals. While enjoying the convenience of the network we also suffer from malicious code, hacker attacks and information leakage. Information exchange between different networks must, on the one hand, satisfy the requirement of sharing information between those networks and solve the problem of information islands; on the other hand, it must prevent the core classified network from being attacked from outside and prevent information leakage while the information system is opened up. From the standpoint of network security, network security isolation and information exchange technology is a technology that realizes efficient and controlled secure data interaction while guaranteeing that the critical network remains securely isolated from other networks. In this context, network security isolation and information exchange has great application value. The traditional implementations are as follows:
(1) The "2+1" system architecture, consisting of "inner terminal" + "exchange isolation matrix" + "outer terminal". The isolation part is designed as a duplex dual-channel physical isolation baffle plate built around an ASIC chip. The whole architecture fully emulates the manual process of securely copying data by disk (the sneaker-net security architecture). The inner and outer terminals have independent storage and arithmetic units and independent buses, and are the endpoints of the intranet and extranet network protocols respectively. All application-layer data passing through is stripped out of the TCP/IP protocol of the intranet and extranet, and the stripped data is transferred between the inner and outer terminals through a data migration control unit. Because security is guaranteed by the physical isolation baffle plate, not only is the efficiency of data access reduced, but most network application protocols are poorly supported.
(2) The three-machine system architecture, consisting of "inner terminal" + "arbitration machine" + "outer terminal", where the inner and outer terminals are the endpoints of the intranet and extranet network protocols respectively. All application-layer information passing through is stripped out of the intranet and extranet network protocols and reduced to application-layer information, which is then sent to the arbitration system over dedicated hardware and a private communication protocol. The arbitration machine filters and inspects the received application-layer information, controls the information content propagated between the networks, and can at the same time detect and remove malicious code such as viruses. After inspecting the information content, the arbitration system issues the data confirmed to be safe to the other side (inner or outer terminal), where it is finally restored to an ordinary network protocol packet format. In a sense, for the legitimate exchange requests of authorized users the three-machine system is "transparent": it provides a security guarantee while offering the user smooth service. However, the overall cost of the three-machine architecture is high, and its throughput suffers from the complexity of the architecture.
Summary of the invention
Aiming at the low data-access efficiency and high architecture cost of the traditional network security isolation and information exchange technologies, the present invention proposes a network security isolation and information exchange method and system based on a half-duplex channel.
The invention discloses a network security isolation and information exchange method based on a half-duplex channel, in which data is sent from A-net to B-net. The specific steps are:
Step 1: Data acquisition. Collect data frames of A-net from a specified network interface and process each frame as follows:
Step 1.1: If the frame is an ARP broadcast frame and the address it queries is the MAC address of this network card, forward the ARP broadcast frame through the one-way data channel to the reverse data sending module; otherwise discard the ARP broadcast frame.
Step 1.2: If the frame is an ARP reply frame and it answers a query issued by this network card's MAC address, forward the ARP reply frame through the one-way data channel to the reverse data sending module; otherwise discard the ARP reply frame.
Step 1.3: If the frame is an Ethernet frame carrying the IP protocol, send it to Step 2 over the half-duplex channel.
Step 2: Protocol restoration. Restore the upper-layer protocols of the IP packet carried in the Ethernet frame and parse the upper-layer application protocol over TCP or UDP, specifically:
Step 2.1: If the protocol of the IP packet is TCP, perform protocol restoration on the TCP packet; once the upper-layer application protocol has been identified, forward the restored TCP packet one-way to Step 3.
Step 2.2: If the protocol of the IP packet is UDP, perform protocol restoration on the UDP packet; once the upper-layer application protocol has been identified, forward the restored UDP packet one-way to Step 3.
Step 2.3: If the protocol field of the IP packet is anything other than TCP or UDP, discard the packet.
Step 3: Data audit. Filter and inspect the packets entering this step according to the audit configuration rules; packets that satisfy the audit configuration rules are forwarded to Step 4, and packets that do not satisfy them are discarded.
Step 4: Information unloading and encapsulation. Extract the payload part of the packet and, according to the encapsulation configuration rules, reassemble it into a new packet, specifically:
Step 4.1: If the packet carries payload, the one-way transmission truncates the packet and extracts the payload; according to the mapped address and port in the encapsulation configuration rules, the payload is re-encapsulated into a new packet, which is transmitted one-way to Step 5.
Step 4.2: If the packet carries no payload, then according to the mapped address and port in the encapsulation configuration rules, the packet is either transmitted one-way directly to Step 5 or passed to Step 5 after specific fields have been modified. The specific fields include, but are not limited to, the source IP and source port.
Step 5: Data sending. For the one-way data transmission from A-net to B-net, the data flow sent one-way to B-net is the forward direction and the data flow sent one-way to A-net is the reverse direction; let X denote A or B. The data sending module handles the received ARP broadcast frames, ARP reply frames and IP packets as follows:
Step 5.1: For an ARP broadcast frame, construct an ARP reply frame from the IP and MAC address in the address configuration rule table and send it to X-net.
Step 5.2: For an ARP reply frame, add its <IP, MAC> address pair to the ARP mapping table.
Step 5.3: For an IP packet sent by Step 4, check whether the address forwarding table (AFT) holds the MAC address of the destination IP; if so, construct a data frame and send it directly to X-net, otherwise go to Step 5.4.
Step 5.4: Look up the matching entry in the routing table; if none is found, configure a route and look up again. If an entry is found, obtain the IP address of the next-hop router and look up the router's MAC address in the ARP mapping table by its IP address; if it is not found, construct an ARP broadcast frame to query the router's MAC address, temporarily cache the IP packet, and wait for the reverse data acquisition module to forward back the ARP reply frame carrying the router's MAC address. Once the router's MAC address is obtained, construct the data frame, send it to X-net and update the address forwarding table.
Step 6: Repeat Steps 1 to 5 until the data has been completely sent.
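The forward path of Steps 1 to 4, as an added example that is not part of the patent: the frame classifier of Step 1 (ARP frames that concern this network card go to the reverse sender, IPv4 frames go on, everything else is dropped), the TCP/UDP restoration of Step 2 with a small signature-and-port heuristic standing in for the patent's application-protocol identification, a five-tuple white list for the audit of Step 3, and the payload re-encapsulation of Step 4 with a source address/port mapping that hides A-net. The MAC and IP addresses, the audit rules, the mapping table and the sample frames are all constructed for the example, and the checksum handling is the example's own choice, not something the patent specifies.

```python
"""Added example, not the patent's code: forward-path steps 1-4 (frame classification,
protocol restoration, five-tuple audit, payload unload and re-encapsulation).
Every address, rule and sample frame below is constructed."""
import ipaddress
import socket
import struct

ETH_ARP, ETH_IP = 0x0806, 0x0800
OUR_MAC = bytes.fromhex("020000000a01")     # assumption: the gateway's A-side NIC
OUR_IP = socket.inet_aton("10.1.0.254")     # assumption: its address as seen from A-net
A_HOST_MAC = bytes.fromhex("020000000a05")  # constructed A-net host

def classify_frame(frame):
    """Step 1: ARP that concerns this NIC -> reverse sender; IPv4 -> forward; else drop."""
    etype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if etype == ETH_ARP:
        op, target_mac, target_ip = struct.unpack("!H", body[6:8])[0], body[18:24], body[24:28]
        if (op == 1 and target_ip == OUR_IP) or (op == 2 and target_mac == OUR_MAC):
            return "reverse", frame          # request for our MAC, or reply to our own request
        return "drop", "arp-not-for-this-nic"
    return ("forward", body) if etype == ETH_IP else ("drop", "unsupported-ethertype")

def restore_protocol(pkt):
    """Step 2: parse IPv4, keep TCP (6) and UDP (17) only, identify the application."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto not in (6, 17):
        return None                          # step 2.3: other IP protocols are dropped
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr_len = (l4[12] >> 4) * 4 if proto == 6 else 8
    payload = l4[hdr_len:]                   # signature first, then port: a stand-in heuristic
    app = "http" if payload[:4] in (b"GET ", b"POST", b"HEAD", b"HTTP") else {53: "dns"}.get(dport, "unknown")
    return {"proto": "tcp" if proto == 6 else "udp", "src": socket.inet_ntoa(pkt[12:16]),
            "sport": sport, "dst": socket.inet_ntoa(pkt[16:20]), "dport": dport,
            "app": app, "l4hdr": l4[:hdr_len], "payload": payload}

# Step 3: constructed white list; a rule is a five-tuple (CIDR allowed, '*' = any) plus application.
AUDIT_RULES = [
    {"proto": "tcp", "src": "10.1.0.0/16", "dst": "10.2.0.10", "sport": "*", "dport": 80, "app": "http"},
    {"proto": "udp", "src": "10.1.0.0/16", "dst": "10.2.0.53", "sport": "*", "dport": 53, "app": "dns"},
]

def audit(flow):
    def ok(key, want):
        if key in ("src", "dst") and want != "*":
            return ipaddress.ip_address(flow[key]) in ipaddress.ip_network(want)
        return want == "*" or flow[key] == want
    return any(all(ok(k, v) for k, v in rule.items()) for rule in AUDIT_RULES)

# Step 4: constructed mapping of A-net (source IP, port) to what B-net may see; the default hides the rest.
ENCAP_MAP = {("10.1.0.5", 40000): ("192.0.2.1", 5000)}
ENCAP_DEFAULT_IP = "192.0.2.254"

def checksum(data):  # RFC 1071 ones-complement checksum
    data = data + b"\0" if len(data) % 2 else data
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def unload_and_encapsulate(flow):
    """Step 4: keep the payload, rebuild IPv4 + L4 headers with the mapped source."""
    src, sport = ENCAP_MAP.get((flow["src"], flow["sport"]), (ENCAP_DEFAULT_IP, flow["sport"]))
    proto, cs_off = (6, 16) if flow["proto"] == "tcp" else (17, 6)
    l4 = bytearray(flow["l4hdr"]) + flow["payload"]
    struct.pack_into("!HH", l4, 0, sport, flow["dport"])
    struct.pack_into("!H", l4, cs_off, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(flow["dst"]) + struct.pack("!BBH", 0, proto, len(l4))
    struct.pack_into("!H", l4, cs_off, checksum(pseudo + bytes(l4)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                               socket.inet_aton(src), socket.inet_aton(flow["dst"])))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    return bytes(ip) + bytes(l4)

def forward_path(frame):
    """Steps 1-4 on one A-net frame: ('send', packet), ('reverse', frame) or ('drop', why)."""
    kind, data = classify_frame(frame)
    if kind != "forward":
        return kind, data
    flow = restore_protocol(data)
    if flow is None:
        return "drop", "not-tcp-or-udp"
    return ("send", unload_and_encapsulate(flow)) if audit(flow) else ("drop", "audit-reject")

def make_frame(proto, src_ip, sport, dst_ip, dport, payload):
    """Constructed sample input: Ethernet/IPv4/{TCP,UDP} frame from an A-net host."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                               socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    return OUR_MAC + A_HOST_MAC + struct.pack("!H", ETH_IP) + bytes(ip) + l4

def make_arp_request(sender_ip, target_ip):
    """Constructed sample input: ARP who-has target_ip, broadcast by an A-net host."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1, A_HOST_MAC,
                      socket.inet_aton(sender_ip), bytes(6), socket.inet_aton(target_ip))
    return b"\xff" * 6 + A_HOST_MAC + struct.pack("!H", ETH_ARP) + arp
```

forward_path(make_frame(6, "10.1.0.5", 40000, "10.2.0.10", 80, b"GET / HTTP/1.1\r\n\r\n")) returns ('send', packet) whose source is 192.0.2.1:5000 and whose IPv4 and TCP checksums verify to zero with checksum(); the same host to port 443 is rejected by the audit, and an ARP request for 10.1.0.254 is routed to the reverse sender. Note that identifying the application by payload prefix is only a heuristic: a flow that passes the five-tuple check can carry arbitrary bytes after a plausible first line, so a real audit step needs genuine protocol parsing (the patent mentions machine-learned protocol feature strings) rather than a prefix match.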
The invention correspondingly also discloses a network security isolation and information exchange system based on a half-duplex channel, comprising a data acquisition module, a protocol restoration module, a data audit module, an information unloading and encapsulation module and a data sending module. The system transmits data one-way from A-net to B-net, or the reverse. The following description takes the case of one-way transmission from A-net to B-net.
The data acquisition module collects data frames of A-net from a specified network interface and classifies them as follows: (1) if the frame is an ARP broadcast frame that queries the MAC address of this network card, forward it through the one-way data channel to the reverse data sending module, otherwise discard it; the reverse data sending module is the module that sends data to A-net; (2) if the frame is an ARP reply frame that answers a query issued by this network card's MAC address, forward it through the one-way data channel to the reverse data sending module, otherwise discard it; (3) if the frame is an Ethernet frame carrying the IP protocol, send it over the half-duplex channel to the protocol restoration module; (4) if the frame is none of an ARP broadcast frame, an ARP reply frame or an IP Ethernet frame, discard it.
The protocol restoration module restores the upper-layer protocols of the IP packet in the Ethernet frame, parses the upper-layer application protocol over TCP or UDP, and forwards the restored TCP or UDP packets one-way to the data audit module. If the protocol of the IP packet is TCP, the TCP packet undergoes protocol restoration and, once the upper-layer application protocol has been identified, the restored data stream is forwarded one-way to the data audit module; if the protocol is UDP, the UDP packet undergoes protocol restoration and, once the upper-layer application protocol has been identified, the restored data stream is forwarded one-way to the data audit module. If the protocol of the IP packet is neither TCP nor UDP but some other protocol field, the packet is discarded.
The data audit module filters and inspects packets according to the audit configuration rules, forwards packets that satisfy the rules to the information unloading and encapsulation module, and discards packets that do not. The audit configuration rules include, but are not limited to, a white list, any combination of the five-tuple, and protocol feature strings obtained by machine learning.
The information unloading and encapsulation module processes the received packets as follows: if the packet carries payload, the one-way transmission truncates the packet and extracts the payload, which is re-encapsulated into a new packet according to the encapsulation configuration rules and transmitted one-way to the data sending module; if the packet carries no payload, then according to the encapsulation configuration rules it is either transmitted one-way directly to the data sending module or passed on after specific fields have been modified. The specific fields include, but are not limited to, the source IP and source port. The encapsulation configuration rules record the mapping of addresses and ports, translating the source IP address and source port into different addresses and ports so that the packets A-net sends to B-net hide the topology of A-net.
For the one-way data transmission from A-net to B-net, the forward data sending module sends data one-way to B-net and the reverse data sending module sends data one-way to A-net; let X denote A or B. The data sending module handles the received ARP broadcast frames, ARP reply frames and IP packets as follows: (1) for an ARP broadcast frame, construct an ARP reply frame from the IP and MAC address in the address configuration rule table and send it to X-net; the address configuration rule table records the IP and MAC address of the data acquisition module. (2) For an ARP reply frame, add its <IP, MAC> address pair to the ARP mapping table. (3) For an IP packet, check whether the address forwarding table holds the MAC address of the destination IP; if so, construct a data frame and send it directly to X-net; otherwise look up the matching entry in the routing table, obtain the IP address of the next-hop router, and look up the router's MAC address in the ARP mapping table by its IP address; if it is not found, construct an ARP broadcast frame to query the router's MAC address and temporarily cache the IP packet, waiting for the ARP reply frame to be forwarded back with the router's MAC address; once the router's MAC address is obtained, construct the data frame, send it to X-net and update the address forwarding table. The address forwarding table is a mapping table of IP to MAC addresses.
The invention discloses a network security isolation and information exchange method and system based on a half-duplex channel which, compared with the published methods, has the following advantages:
(1) High performance: each module of the network security isolation and information exchange system transmits data over a half-duplex channel, which can significantly raise data throughput compared with the traditional "2+1 system architecture" and "three-machine system".
(2) Security: the modules of the network security isolation and information exchange system are connected by half-duplex channels, and a special packet-processing method audits and unloads the transmitted data; when a fault occurs, physical isolation is formed, which effectively protects data security between different networks and prevents intrusion and control by unauthorized users.
(3) Low cost: the network security isolation and information exchange system can use a general-purpose hardware platform and an operating system with a security kernel, which significantly reduces the cost of the system.
Brief description of the drawings
Fig. 1 is a flow chart of the steps of the network security isolation and information exchange method of the present invention;
Fig. 2 is a deployment diagram of the network security isolation and information exchange system of the present invention;
Fig. 3 is a structural diagram of the network security isolation and information exchange system of the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 shows the flow of the steps of the network security isolation and information exchange method based on a half-duplex channel. Data is sent from A-net to B-net; after the system has been initialized and the relevant configuration information has been read, the specific implementation steps are as follows:
Step 1: Data acquisition. Collect data frames of A-net from a specified network interface and process them by frame type, specifically:
Step 1.1: If the frame is an ARP broadcast frame that queries the MAC address of this network card, forward it through the one-way data channel to the reverse data sending module; otherwise discard it. Here the reverse data sending module builds the corresponding ARP reply frame and sends it to A-net. For the one-way data transmission from A-net to B-net, the data flow sent one-way to B-net is the forward direction and the data flow sent one-way to A-net is the reverse direction.
Step 1.2: If the frame is an ARP reply frame that answers a query issued by this network card's MAC address, forward it through the one-way data channel to the reverse data sending module; otherwise discard it.
Step 1.3: If the frame is an Ethernet frame carrying the IP protocol, send it over the half-duplex channel to the protocol restoration Step 2.
If the frame is none of an ARP broadcast frame, an ARP reply frame or an IP Ethernet frame, discard it, continue collecting, and process subsequent frames according to Steps 1.1 to 1.3 above.
The security isolation and information exchange device of this embodiment collects data frames from the specified network interface with a special packet-processing method. The method is: at the data link layer, judge whether the frame is ARP and verify whether its content concerns this network card; if so, change the forwarding path of the ARP frame so that it is sent in the reverse direction, otherwise discard the frame; if the frame is an Ethernet IP frame, forward it directly to the protocol restoration step, otherwise discard it. This special packet-processing method improves on existing packet-processing methods and has the following properties: a) to improve processing performance, no kernel copy is made; b) to improve security, the traditional TCP/IP protocol stack is not traversed.
Step 2: Protocol restoration. Restore the upper-layer protocols of the IP packet carried in the Ethernet frame and parse the upper-layer application protocol over TCP or UDP, specifically:
Step 2.1: If the protocol of the IP packet is TCP, perform protocol restoration on the TCP packet; once the upper-layer application protocol has been identified, forward the restored data stream one-way to Step 3.
Step 2.2: If the protocol of the IP packet is UDP, perform protocol restoration on the UDP packet; once the upper-layer application protocol has been identified, forward the restored data stream one-way to Step 3.
Step 2.3: If the protocol field of the IP packet is any other protocol, discard the packet.
In this step, protocol restoration is considered complete once the upper-layer application protocol has been parsed; the packets of the whole data stream do not need to be buffered.
Step 3: Data audit. Filter and inspect the packets entering this step according to the audit configuration rules; packets that satisfy the audit configuration rules are forwarded to Step 4, and packets that do not satisfy them are discarded.
In this step, the audit configuration rules include, but are not limited to, 1) a white list; 2) any combination of the five-tuple, where the five-tuple is {source IP, destination IP, source port, destination port, protocol}; 3) protocol feature strings obtained by machine learning.
Step 4: Information unloading and encapsulation. Extract the payload part of the packet and, according to the encapsulation configuration rules, reassemble it into a new packet, specifically:
Step 4.1: If the packet carries payload, the one-way transmission truncates the packet and extracts the payload; according to the mapped address and port in the encapsulation configuration rules, the payload is re-encapsulated into a new packet, which is transmitted one-way to Step 5.
Step 4.2: If the packet carries no payload, then according to the mapped address and port in the encapsulation configuration rules, the packet is either transmitted one-way directly to Step 5 or passed to Step 5 after specific fields have been modified. The specific fields include, but are not limited to, the source IP and source port.
In this step, data extraction operates directly on the raw packet without a memory copy, and the mapping rule in the encapsulation configuration truncates the one-way data transfer. The encapsulation configuration rules record the mapping of addresses and ports, translating the source IP address and source port into different addresses and ports so that the packets A-net sends to B-net hide the topology of A-net.
Step 5: Data sending. The data sending module handles the received ARP broadcast frames, ARP reply frames and IP packets as follows:
Step 5.1: For an ARP broadcast frame: the forward data sending module answers an ARP broadcast frame forwarded from the reverse data acquisition module by constructing an ARP reply frame from the IP and MAC address in the address configuration rule table and sending it to B-net; an ARP broadcast frame collected by the forward data acquisition module in Step 1.1 is answered by the reverse data sending module, which constructs the corresponding ARP reply frame from the IP and MAC address in the address configuration rule table and sends it to A-net.
Step 5.2: For an ARP reply frame, add its <IP, MAC> address pair to the ARP mapping table.
Step 5.3: For an IP packet sent by Step 4, check whether the address forwarding table holds the MAC address of the destination IP; if so, construct a data frame and send it directly to B-net, otherwise go to Step 5.4.
Step 5.4: Look up the matching entry in the routing table; if none is found, configure a route and look up again. If an entry is found, obtain the IP address of the next-hop router and look up the router's MAC address in the ARP mapping table by its IP address; if it is not found, construct an ARP broadcast frame to query the router's MAC address, temporarily cache the IP packet, and wait for the reverse data acquisition module to forward back the ARP reply frame, which is handed to Step 5.2 to obtain the router's MAC address. If the MAC address is found, construct the data frame, send it to B-net and update the address forwarding table. The address forwarding table holds the mapping of destination IP address to destination MAC address and sets a life cycle for each <IP, MAC> mapping; mappings that time out are deleted from the table. The address forwarding table (AFT), routing table and ARP mapping table are updated by adaptive learning, and the data for this must be supplied by the reverse data acquisition module.
The address forwarding table AFT, routing table and ARP mapping table used in this step may be implemented in dedicated hardware or in software. The AFT holds the mapping of destination IP address to destination MAC address; the life cycle of each <destination IP, destination MAC> pair is set according to the network environment, and a mapping that times out is deleted.
Step 6: Repeat Steps 1 to 5 until the information exchange is complete.
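The data-sending step (Step 5, as set out in the summary of the invention and again in this embodiment), as an added example that is not part of the patent: a forward sender that keeps the address forwarding table with a life cycle per <IP, MAC> entry, a routing table with longest-prefix match, an ARP mapping table filled from replies handed back by the reverse data acquisition module, and a cache of packets parked until the next hop's MAC address is known; plus the ARP reply construction from the address configuration rule table that Step 5.1 uses on both the forward and the reverse side. The MACs, addresses, routes, life cycle, the injectable clock and the sample packets are constructed for the example.

```python
"""Added example, not the patent's code: step 5 (data sending) of the forward sender
with its address forwarding table (AFT, entries with a life cycle), routing table and ARP
mapping table, a cache for packets parked until the reverse collector hands back the
ARP reply, and the ARP reply built from the address configuration rule table.
All MACs, addresses, routes and timings are constructed."""
import ipaddress
import socket
import struct
import time

ETH_ARP, ETH_IP = 0x0806, 0x0800

def arp_frame(op, src_mac, src_ip, dst_mac, dst_ip):
    """Ethernet + ARP frame; op 1 = request (broadcast), op 2 = reply (unicast)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, op, src_mac, socket.inet_aton(src_ip),
                      dst_mac if op == 2 else bytes(6), socket.inet_aton(dst_ip))
    return (dst_mac if op == 2 else b"\xff" * 6) + src_mac + struct.pack("!H", ETH_ARP) + arp

def ip_packet(src_ip, dst_ip, payload=b""):
    """Constructed sample input: bare IPv4 header (checksum not needed here) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + payload

def arp_reply_for(request_frame, address_config):
    """Step 5.1: answer an ARP request from the IP -> MAC address configuration table, else None."""
    body = request_frame[14:]
    target_ip = socket.inet_ntoa(body[24:28])
    mac = address_config.get(target_ip)
    return None if mac is None else arp_frame(2, mac, target_ip, body[8:14], socket.inet_ntoa(body[14:18]))

class ForwardSender:
    def __init__(self, our_mac, our_ip, routes, aft_ttl=300.0, clock=time.monotonic):
        self.our_mac, self.our_ip = our_mac, our_ip
        self.routes = [(ipaddress.ip_network(n), gw) for n, gw in routes]  # gw None = on-link
        self.aft = {}        # destination IP -> (MAC, expiry): the address forwarding table
        self.arp_map = {}    # IP -> MAC learned from replies (step 5.2)
        self.pending = {}    # next-hop IP -> packets parked until its MAC is known
        self.aft_ttl, self.clock, self.wire = aft_ttl, clock, []   # wire: frames put on X-net

    def aft_lookup(self, dst_ip):
        mac, expiry = self.aft.get(dst_ip, (None, 0))
        if mac and expiry > self.clock():
            return mac
        self.aft.pop(dst_ip, None)          # a mapping whose life cycle has expired is deleted
        return None

    def _next_hop(self, dst_ip):
        """Longest-prefix match; returns the router IP, the host itself when on-link, or None."""
        addr, best = ipaddress.ip_address(dst_ip), None
        for net, gw in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return None if best is None else (best[1] or dst_ip)

    def _emit(self, dst_ip, mac, packet):
        self.aft[dst_ip] = (mac, self.clock() + self.aft_ttl)   # update the AFT while sending
        self.wire.append(mac + self.our_mac + struct.pack("!H", ETH_IP) + packet)
        return "sent"

    def send_ip(self, packet):
        """Steps 5.3/5.4: AFT hit -> send; else route, consult the ARP map, or ARP and park."""
        dst_ip = socket.inet_ntoa(packet[16:20])
        mac = self.aft_lookup(dst_ip)
        if mac:
            return self._emit(dst_ip, mac, packet)
        hop = self._next_hop(dst_ip)
        if hop is None:
            return "no-route"                # patent: configure a route, then look up again
        if hop in self.arp_map:
            return self._emit(dst_ip, self.arp_map[hop], packet)
        if hop not in self.pending:          # one request per unresolved next hop
            self.wire.append(arp_frame(1, self.our_mac, self.our_ip, bytes(6), hop))
        self.pending.setdefault(hop, []).append((dst_ip, packet))
        return "pending-arp"

    def on_arp_reply(self, frame):
        """Step 5.2: record <IP, MAC> from a reply the reverse collector handed back, flush parked packets."""
        body = frame[14:]
        mac, ip = body[8:14], socket.inet_ntoa(body[14:18])
        self.arp_map[ip] = mac
        parked = self.pending.pop(ip, [])
        for dst_ip, packet in parked:
            self._emit(dst_ip, mac, packet)
        return len(parked)
```

In the patent the sender never resolves addresses over a bidirectional link: its ARP request goes out on X-net, and the reply only reaches on_arp_reply after the opposite-direction acquisition module has forwarded it through the other one-way channel, so packets parked in pending wait for that round trip. Two things a production version needs that this model omits are a bound on the pending cache (otherwise unresolvable destinations consume memory) and a retransmit timer for the ARP request.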
The network security isolation and information exchange system based on a half-duplex channel disclosed by the invention has a reliable, high-rate inter-network information exchange capability and is mainly deployed between two or more networks that cannot be directly interconnected but need to share information. The modules of the system are independent of one another, and each module can be implemented in hardware, in software, or in a combination of software and hardware.
Connecting the network security isolation and information exchange system: the system is connected at a network egress switch or router, at the gateway module of the switch or router; the deployment is shown in Fig. 2 (a) and (b), and the connection is a one-way optical fibre link. In Fig. 2 (a) the system is connected between the A-net switch and the B-net switch; in Fig. 2 (b) it is connected between the A-net switch and the B-net egress router.
The network security isolation and information exchange system of the present invention mainly comprises the following modules: data acquisition module, protocol restoration module, data audit module, information unloading and encapsulation module and data sending module. These modules transmit data one-way from A-net to B-net, or one-way from B-net to A-net, and are connected one-way along the direction of data flow. Fig. 3 is a structural diagram of the system; the function of each module is explained below with reference to Fig. 3.
Network security is isolated carries out system initialization first before application with Information Exchange System, system initialization refer to from The configuration information of system is read in configuration management file.Data acquisition module IP address of the configuration information of system including system, Audit configuration rule, package arrangements rule, address configuration rule list, addresses forwarding table AFT, routing table and ARP mapping list.Match somebody with somebody After confidence breath is loaded successfully, system monitors the data to be received such as network interface card.
The information such as addresses forwarding table AFT, routing table, ARP mapping list can realize by special hardware, can also be by soft Part is realized.Addresses forwarding table AFT includes the mapping of purpose IP address and target MAC (Media Access Control) address, and its interior map entry< IP, MAC>Life cycle set according to network environment, time-out will delete the mapping relations.Addresses forwarding table AFT design is carried The high efficiency of data forwarding.
Situation about being netted below based on data from A nets one-way transmission to B is illustrated.
Data acquisition module:A network data messages are gathered from specified network interface.The message of collection is classified as follows Processing:(1) if data message is ARP broadcast frames, and the MAC Address of this network interface card of inquiry, then the ARP broadcast frames are passed through into list Reverse data transmission blocks are forwarded to data channel, the ARP broadcast frames are otherwise abandoned;Described reverse data send mould Block refers to netting data into the data transmission blocks sent to A, with data from A nets to the in opposite direction of B net one-way transmissions, reverse IP in the configuration rule table of address and MAC Address construction arp reply frame are sent to A nets by data transmission blocks;(2) if Data message is arp reply frame, and answers the inquiry of this MAC Address of Network Card, then the arp reply frame is passed through into one-way data passage Reverse data transmission blocks are forwarded to, the arp reply frame is otherwise abandoned;(3) if data message is the Ethernet of IP agreement Frame, then be sent to protocol assembly module by the ethernet frame by half-duplex channel;(4) it is any described in (1)~(3) to being not belonging to Data message, abandon the data message.
Protocol assembly module:IP packets in ethernet frame are carried out to the reduction of upper-layer protocol, TCP and UDP is parsed Upper layer application protocol.The TCP of reduction or UDP message bag are unidirectionally forwarded to Data Audit module.If the association of IP packets When discussing as TCP, TCP data bag is subjected to protocol assembly, when identifying upper layer application protocol, the data flow of reduction unidirectionally turned It is dealt into Data Audit module;If the agreement of IP packets is UDP, UDP message bag is subjected to protocol assembly, on identifying During layer application protocol, the data flow of reduction is unidirectionally forwarded to Data Audit module;If IP packets are other protocol fields When, abandon the packet.
Data Audit module:Packet is filtered and examined, according to audit configuration rule, by legal data Forward a packet to information unloading and package module;Otherwise, the packet is abandoned.Audit configuration rule include but is not limited to white list, Protocol characteristic string that any combination of five-tuple, machine learning are obtained etc..Described five-tuple includes source IP, purpose IP, source Mouth, destination interface and agreement.
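The protocol recovery and data audit stages above, as an added example that is not part of the patent or of the assignee's product. It assumes a per-packet view (no TCP stream reassembly, which the patent leaves unspecified), constructs its own sample packets, and uses made-up audit rules (the whitelist, the two five-tuple rules and the HTTP method strings standing in for "feature strings obtained by machine learning"); the packet builders leave the IP checksum at zero because recovery does not verify it.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass
class Flow:
    tuple5: FiveTuple
    payload: bytes  # application-layer data handed to the audit module


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def recover(ip_packet: bytes) -> Optional[Flow]:
    """Protocol recovery: peel the IPv4 header and the TCP or UDP header off an IP packet.
    Returns None for anything the module does not restore (non-IPv4, ICMP, GRE, ...),
    which the module discards."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    proto = ip_packet[9]
    src, dst = _ip(ip_packet[12:16]), _ip(ip_packet[16:20])
    l4 = ip_packet[ihl:total_len]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        return Flow(FiveTuple(src, dst, sport, dport, "tcp"), l4[data_off:])
    if proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        return Flow(FiveTuple(src, dst, sport, dport, "udp"), l4[8:ulen])
    return None


# Audit configuration rules (constructed for this example; a deployment would load them
# from the configuration management file).
WHITELIST = {"10.1.0.5", "10.1.0.6"}          # network A hosts allowed to send across
FIVE_TUPLE_RULES = [                           # any combination of five-tuple fields
    {"proto": "tcp", "dst_port": 80},
    {"proto": "udp", "dst_port": 53},
]
FEATURE_STRINGS = {                            # protocol feature strings per transport
    "tcp": [b"GET ", b"POST ", b"HEAD "],
    "udp": [],                                 # empty list: no feature check for UDP
}


def audit(flow: Flow) -> bool:
    """Data audit: True only if the flow passes whitelist, five-tuple and feature-string rules."""
    t = flow.tuple5
    if t.src_ip not in WHITELIST:
        return False
    if not any(all(getattr(t, k) == v for k, v in rule.items()) for rule in FIVE_TUPLE_RULES):
        return False
    feats = FEATURE_STRINGS[t.proto]
    return not feats or any(flow.payload.startswith(f) for f in feats)


# Builders for constructed sample packets (IP header checksum left zero).
def build_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return hdr + l4


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # 20-byte header: data offset 5, PSH|ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def pipeline(ip_packet: bytes) -> Optional[Flow]:
    """Protocol recovery followed by audit; None means the packet was dropped at one stage."""
    flow = recover(ip_packet)
    return flow if flow is not None and audit(flow) else None
```

The audit deliberately matches on the recovered five-tuple and payload rather than on raw header bytes, so a packet that fails recovery (wrong IP version, truncated transport header, non-TCP/UDP protocol) can never reach the rule evaluation.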
Information unloading and encapsulation module: extracts the payload part of the packet and reassembles it into a new packet according to the encapsulation configuration rules. The rules record address and port mappings: the source IP address and source port are translated into different addresses and ports so that the local network is opaque to the peer network; packets sent from network A to network B thus hide the topology of network A from network B. The address and port mappings recorded in the rules are reversible pairs; the mapping both hides the topology of network A from network B and realises the one-way transmission and isolation of packets. If the packet carries payload, the one-way transmission of the original packet stops here: the payload is extracted, encapsulated into a new packet using the mapped address and port from the encapsulation configuration rules, and the new packet is forwarded one way to the data transmission module. If the packet carries no payload, it is forwarded one way to the data transmission module either directly or after specific fields have been modified according to the mapped address and port. The specific fields include, but are not limited to, the source IP and source port.
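The reversible address-and-port mapping and the rebuild of a packet from nothing but its payload, as an added example that is not code from the patent. It covers the UDP case only (a TCP flow would additionally need the sender to run its own TCP connection toward network B, which the patent does not describe), and the rule table and addresses in it are constructed; the name `EncapsulationRules` and the `(ip, port)` endpoint representation are this example's own.

```python
import struct
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


class EncapsulationRules:
    """Encapsulation configuration rules: a one-to-one, hence reversible, mapping of the
    (source IP, source port) of network A hosts onto the addresses shown to network B."""

    def __init__(self, mapping: Dict[Endpoint, Endpoint]):
        self.a_to_b = dict(mapping)
        self.b_to_a = {v: k for k, v in mapping.items()}
        if len(self.b_to_a) != len(self.a_to_b):
            raise ValueError("mapping must be one-to-one to be reversible")

    def map_to_b(self, a_endpoint: Endpoint) -> Optional[Endpoint]:
        return self.a_to_b.get(a_endpoint)

    def map_to_a(self, b_endpoint: Endpoint) -> Optional[Endpoint]:
        return self.b_to_a.get(b_endpoint)


def _inet(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header (checksum field zeroed);
    over a header that already carries a correct checksum it evaluates to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src: Endpoint, dst: Endpoint, payload: bytes) -> bytes:
    """Build a fresh IPv4/UDP packet; nothing but the payload comes from the original."""
    udp = struct.pack("!HHHH", src[1], dst[1], 8 + len(payload), 0) + payload  # UDP checksum is optional over IPv4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                      _inet(src[0]), _inet(dst[0]))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def encapsulate(rules: EncapsulationRules, src: Endpoint, dst: Endpoint,
                payload: bytes) -> Optional[bytes]:
    """Information unloading and encapsulation for a UDP flow that passed audit.
    src/dst are the endpoints recovered from the original packet. The original packet
    stops here: only its payload is carried into the new one, whose source is the mapped
    address and port. None means no rule exists for this source and the data is dropped."""
    mapped = rules.map_to_b(src)
    if mapped is None:
        return None
    return build_udp_packet(mapped, dst, payload)


def unpack_udp(packet: bytes) -> Tuple[Endpoint, Endpoint, bytes]:
    """Read (src, dst, payload) back out of a packet built above."""
    ihl = (packet[0] & 0x0F) * 4
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return (src, sport), (dst, dport), packet[ihl + 8:ihl + ulen]
```

Building the outgoing packet from scratch, rather than rewriting fields in place, is what makes the topology hiding robust: TTL, IP ID, options and any other header bytes of the network A host never reach network B, and the one-to-one check in the constructor guarantees that the reverse engine can map a reply back to exactly one internal endpoint.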
For one-way data transmission from network A to network B, the forward data transmission module sends data one way into network B and the reverse data transmission module sends data one way into network A. For transmission from network B to network A, the forward data transmission module sends data one way into network A and the reverse data transmission module sends data one way into network B. The function of the data transmission module is described below for the forward module of the A-to-B data flow.
Data transmission module: builds data frames from packets according to the address forwarding table (AFT) and sends them over the half-duplex channel into network B. It receives three kinds of data: ARP request frames, ARP reply frames and IP packets. For an ARP request, it constructs an ARP reply from the IP and MAC address in the address configuration rule table and sends it into network B. For an ARP reply, it adds the <IP, MAC> pair from the reply to the ARP mapping table. For an ordinary IP packet delivered by the information unloading and encapsulation module, it checks whether the AFT holds the MAC address of the destination IP: if so, it constructs the data frame and sends it straight into network B; otherwise it looks up the matching entry in the routing table. If no routing entry is found, a route has to be configured. If one is found, it obtains the IP address of the next-hop router and looks up that router's MAC address in the ARP mapping table; if the address is not there, it constructs an ARP request asking for the router's MAC address, caches the pending IP packet, and waits for the ARP reply forwarded back to deliver the router's MAC address. Once the router's MAC address is known, the data frame is constructed and sent into network B and the AFT is updated, i.e. the newly learnt mapping from destination IP to MAC address is added to the table.
The address configuration rule table records the IP address and MAC address of the upper-end network interface card, that is, of the data acquisition module, for use when constructing ARP replies: when the data transmission module receives an ARP request it builds the ARP reply from the data acquisition module's IP and MAC recorded in the table, answering on behalf of the upper-end NIC. The routing table yields the IP address of the forwarding router, and the ARP mapping table yields the MAC address corresponding to a known IP address.
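The data transmission module's three cases (proxy ARP reply, ARP table learning, and the AFT / routing table / ARP mapping table decision with packet caching and entry expiry), as an added example that is not the patent's own code. Assumptions of this example: the routing table is a list of (prefix, next hop) pairs where a next hop of None marks a directly attached network, so the module ARPs for the destination itself; the AFT lifetime is a single module-wide TTL and expired entries are removed lazily on lookup; addresses, MACs and the class name `DataTransmissionModule` are constructed for illustration; the injectable `clock` exists so the expiry behaviour can be exercised without waiting.

```python
import ipaddress
import struct
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def _inet(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def eth_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def arp_body(oper: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    return struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, oper) + sha + _inet(spa) + tha + _inet(tpa)


class DataTransmissionModule:
    """Forward data transmission module of one engine: turns IP packets into Ethernet frames
    using the AFT, routing table and ARP mapping table, and speaks ARP for the proxied NIC."""

    def __init__(self, proxy_ip: str, proxy_mac: bytes,
                 routes: List[Tuple[str, Optional[str]]], aft_ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        # address configuration rule table: the IP/MAC this module answers ARP for
        self.proxy_ip, self.proxy_mac = proxy_ip, proxy_mac
        # routing table, longest prefix first so the first match wins
        self.routes = sorted(((ipaddress.ip_network(p), nh) for p, nh in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.aft: Dict[str, Tuple[bytes, float]] = {}          # dst IP -> (MAC, expiry)
        self.arp_table: Dict[str, bytes] = {}                  # ARP mapping table: IP -> MAC
        self.pending: Dict[str, List[bytes]] = defaultdict(list)  # next hop -> cached packets
        self.aft_ttl, self.clock = aft_ttl, clock

    def on_arp_request(self, sha: bytes, spa: str, tpa: str) -> Optional[bytes]:
        """ARP request relayed from the acquisition module: reply on behalf of the proxied NIC."""
        if tpa != self.proxy_ip:
            return None
        return eth_frame(sha, self.proxy_mac, ETHERTYPE_ARP,
                         arp_body(ARP_REPLY, self.proxy_mac, self.proxy_ip, sha, spa))

    def on_arp_reply(self, sha: bytes, spa: str) -> List[bytes]:
        """ARP reply relayed back: learn <IP, MAC> and release packets waiting on that hop."""
        self.arp_table[spa] = sha
        return [self._emit(pkt, sha) for pkt in self.pending.pop(spa, [])]

    def send_ip(self, ip_packet: bytes) -> List[bytes]:
        """Frames to put on the wire: the data frame, an ARP request, or nothing while the
        packet is cached waiting for the next hop's MAC address."""
        dst = _ip(ip_packet[16:20])
        entry = self.aft.get(dst)
        if entry is not None and entry[1] > self.clock():
            return [eth_frame(entry[0], self.proxy_mac, ETHERTYPE_IP, ip_packet)]
        self.aft.pop(dst, None)                        # absent or timed out: delete it
        next_hop = self._lookup_route(dst)
        if next_hop is None:
            raise LookupError(f"no route to {dst}: a route must be configured")
        mac = self.arp_table.get(next_hop)
        if mac is not None:
            return [self._emit(ip_packet, mac)]
        self.pending[next_hop].append(ip_packet)       # cache until the ARP reply comes back
        if len(self.pending[next_hop]) > 1:
            return []                                  # a query for this hop is already out
        return [eth_frame(BROADCAST, self.proxy_mac, ETHERTYPE_ARP,
                          arp_body(ARP_REQUEST, self.proxy_mac, self.proxy_ip, ZERO_MAC, next_hop))]

    def _lookup_route(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self.routes:
            if addr in net:
                return dst if next_hop is None else next_hop
        return None

    def _emit(self, ip_packet: bytes, mac: bytes) -> bytes:
        # update the AFT with the newly learnt destination -> MAC mapping and its lifetime
        self.aft[_ip(ip_packet[16:20])] = (mac, self.clock() + self.aft_ttl)
        return eth_frame(mac, self.proxy_mac, ETHERTYPE_IP, ip_packet)
```

Two details matter operationally. Only the first packet queued for a next hop triggers an ARP request, so a burst toward an unknown router cannot turn into an ARP storm on network B; and the AFT is consulted before the routing table, so a renewed entry after expiry costs one routing lookup and no ARP exchange as long as the ARP mapping table still knows the hop.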
Because the modules inside the network security isolation and information exchange system are connected one way along the direction of data flow, as shown in Fig. 3, the modules are connected as follows. The upper engine, which controls the data flow from network A to network B, is engine I; the lower engine, which controls the data flow from network B to network A, is engine II. Engine I and engine II each have a transmit/receive port at the network A end and at the network B end. Data acquisition module I of engine I, at the network A end, is connected one way to data transmission module II of engine II at the network A end; data acquisition module II of engine II, at the network B end, is connected one way to data transmission module I of engine I at the network B end. Data transmission module II is thus the reverse data transmission module of the A-to-B one-way transmission, and data transmission module I is the reverse data transmission module of the B-to-A one-way transmission. Each engine contains one data acquisition module, one data transmission module, one protocol recovery module, one data audit module and one information unloading and encapsulation module. Engine I: the input port at the network A end connects to data acquisition module I; the output of data acquisition module I connects one way to protocol recovery module I; the output of protocol recovery module I connects one way to data audit module I; the output of data audit module I connects one way to information unloading and encapsulation module I; the output of information unloading and encapsulation module I connects one way to data transmission module I; and the output of data transmission module I connects one way to the output port at the network B end.
Engine II: the input port at the network B end connects to data acquisition module II, and the modules of engine II along the B-to-A data flow are connected in the same structure as the modules of engine I along the A-to-B data flow; in the figure the two engines are distinguished by the numerals I and II appended to the module names.
Data frames are collected from the specified network interface by a special packet processing method. At the data link layer it determines whether a frame is ARP and, if so, whether its content concerns this network interface card; if it does, the forwarding path of the ARP frame is changed and the frame is sent to the reverse data transmission module, otherwise the frame is discarded. If the frame is an Ethernet IP frame it is forwarded directly to the protocol recovery module; if it is neither, it is discarded. This method is an improvement on existing packet processing: to raise performance it avoids the kernel copy, and to improve security it does not pass through the conventional TCP/IP protocol stack.
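The link-layer classification performed by the data acquisition module, described in the module list above and again in this paragraph, as an added example that is not code from the patent. It works on raw Ethernet frames as a kernel-bypass capture path would deliver them, so nothing here goes through a TCP/IP stack; the acquisition interface's own IP and MAC, the sample hosts and the helper builders are constructed. One assumption goes slightly beyond the text: an ARP reply is treated as "answering this NIC's query" only when both its target protocol address and target hardware address are this interface's, which keeps replies meant for other hosts on the same segment out of the reverse sender's ARP mapping table.

```python
import struct
from enum import Enum

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


class Path(Enum):
    """Where the acquisition module hands a collected frame."""
    REVERSE_SENDER = "reverse data transmission module"
    PROTOCOL_RECOVERY = "protocol recovery module"
    DROP = "discard"


def classify_frame(frame: bytes, nic_ip: bytes, nic_mac: bytes) -> Path:
    """Link-layer classification of one raw Ethernet frame collected on the network A interface.
    nic_ip (4 bytes) and nic_mac (6 bytes) identify that interface."""
    if len(frame) < 14:
        return Path.DROP
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IP:
        return Path.PROTOCOL_RECOVERY            # IP over Ethernet: on to protocol recovery
    if ethertype != ETHERTYPE_ARP or len(frame) < 42:
        return Path.DROP                         # IPv6, VLAN-tagged, LLDP, runts: not forwarded
    arp = frame[14:42]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IP, 6, 4):
        return Path.DROP                         # only Ethernet/IPv4 ARP is understood
    tha, tpa = arp[18:24], arp[24:28]
    if oper == ARP_REQUEST and tpa == nic_ip:
        return Path.REVERSE_SENDER               # "who has our IP": answered on our behalf
    if oper == ARP_REPLY and tpa == nic_ip and tha == nic_mac:
        return Path.REVERSE_SENDER               # answer to a query the sender issued as us
    return Path.DROP                             # ARP traffic about other hosts


def build_arp_frame(oper: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Constructed sample input: an Ethernet/IPv4 ARP frame (requests are broadcast)."""
    dst = b"\xff" * 6 if oper == ARP_REQUEST else tha
    return (dst + sha + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, oper) + sha + spa + tha + tpa)


def build_ip_frame(dst_mac: bytes, src_mac: bytes, ip_packet: bytes) -> bytes:
    """Constructed sample input: an Ethernet frame carrying an IP packet."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + ip_packet
```

The classifier never inspects anything above the Ethernet and ARP headers, which is the point of the patent's capture path: the only frames that can influence the reverse sender are ARP frames addressed to this interface, and everything else either goes to protocol recovery as opaque IP or is dropped at the first byte it cannot account for.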

Claims (7)

1. A network security isolation and information exchange system based on a half-duplex channel, for transmitting data one way from network A to network B, characterised in that the network security isolation and information exchange system comprises a data acquisition module, a protocol recovery module, a data audit module, an information unloading and encapsulation module and a data transmission module;
the data acquisition module collects network A data packets from a specified network interface and classifies each packet: (1) if the packet is an ARP request frame asking for the MAC address of this network interface card, the ARP request is forwarded over the one-way data channel to the reverse data transmission module, otherwise the ARP request is discarded; (2) if the packet is an ARP reply frame answering a query for this network interface card's MAC address, the ARP reply is forwarded over the one-way data channel to the reverse data transmission module, otherwise the ARP reply is discarded; (3) if the packet is an Ethernet frame carrying IP, the frame is sent over the half-duplex channel to the protocol recovery module; (4) if the packet is none of an ARP request frame, an ARP reply frame or an Ethernet frame carrying IP, the packet is discarded;
the protocol recovery module restores the upper-layer protocols of the IP packet in the Ethernet frame; when the protocol of the IP packet is TCP or UDP, the protocol recovery module parses the application protocol above TCP or UDP and forwards the restored TCP or UDP packet one way to the data audit module; when the protocol of the IP packet is neither TCP nor UDP, the packet is discarded;
the data audit module filters and audits packets according to the audit configuration rules and forwards packets that pass to the information unloading and encapsulation module;
the information unloading and encapsulation module processes each received packet as follows: if the packet carries payload, the payload is extracted and re-encapsulated into a new packet according to the encapsulation configuration rules, and the new packet is forwarded one way to the data transmission module; if the packet carries no payload, it is forwarded one way to the data transmission module either directly or after specific fields of the packet have been modified according to the encapsulation configuration rules;
for one-way data transmission from network A to network B, the forward data transmission module sends data one way into network B and the reverse data transmission module sends data one way into network A; let X denote A or B;
the data transmission module processes the ARP request frames, ARP reply frames and IP packets it receives as follows: (1) for an ARP request frame, it constructs an ARP reply from the IP and MAC address in the address configuration rule table and sends it into network X, the address configuration rule table recording the IP and MAC address of the data acquisition module; (2) for an ARP reply frame, it adds the <IP, MAC> pair from the reply to the ARP mapping table; (3) for an IP packet, it checks whether the address forwarding table holds the MAC address of the destination IP; if so, it constructs the data frame and sends it straight into network X; otherwise it looks up the matching routing entry in the routing table, obtains the IP address of the next-hop router, and looks up the corresponding MAC address in the ARP mapping table by that IP address; if it is not found, it constructs an ARP request asking for the router's MAC address and waits for the ARP reply forwarded back to deliver it; once the router's MAC address is known it constructs the data frame, sends it into network X and updates the address forwarding table, the address forwarding table being the table of mappings from IP to MAC address;
when the network security isolation and information exchange system exchanges data between network A and network B, let the upper engine controlling the A-to-B data flow be engine I and the lower engine controlling the B-to-A data flow be engine II; engine I and engine II each have a transmit/receive port at the network A end and at the network B end; each engine contains five functional modules: one data acquisition module, one protocol recovery module, one data audit module, one information unloading and encapsulation module and one data transmission module; the data acquisition module of engine I at the network A end is connected one way to the data transmission module of engine II at the network A end, and the data acquisition module of engine II at the network B end is connected one way to the data transmission module of engine I at the network B end; in each engine, the input at the corresponding network end connects to the data acquisition module, the output of the data acquisition module connects one way to the protocol recovery module, the output of the protocol recovery module connects one way to the data audit module, the output of the data audit module connects one way to the information unloading and encapsulation module, the output of the information unloading and encapsulation module connects one way to the data transmission module, and the output of the data transmission module connects one way to the output port at the corresponding network end.
2. The network security isolation and information exchange system based on a half-duplex channel according to claim 1, characterised in that the audit configuration rules used by the data audit module comprise: 1) a whitelist; 2) any combination of the five-tuple {source IP, destination IP, source port, destination port, protocol}; 3) protocol feature strings obtained by machine learning.
3. The network security isolation and information exchange system based on a half-duplex channel according to claim 1, characterised in that the encapsulation configuration rules record mappings of addresses and ports, translating the source IP address and source port into a different address and port, so that packets sent from network A to network B hide the topology of network A.
4. A network security isolation and information exchange method based on a half-duplex channel, characterised in that data are exchanged between network A and network B; let the upper engine controlling the A-to-B data flow be engine I and the lower engine controlling the B-to-A data flow be engine II; engine I and engine II each have a transmit/receive port at the network A end and at the network B end; each engine contains five functional modules: one data acquisition module, one protocol recovery module, one data audit module, one information unloading and encapsulation module and one data transmission module; the data acquisition module of engine I at the network A end is connected one way to the data transmission module of engine II at the network A end, and the data acquisition module of engine II at the network B end is connected one way to the data transmission module of engine I at the network B end; in each engine, the input at the corresponding network end connects to the data acquisition module, the output of the data acquisition module connects one way to the protocol recovery module, the output of the protocol recovery module connects one way to the data audit module, the output of the data audit module connects one way to the information unloading and encapsulation module, the output of the information unloading and encapsulation module connects one way to the data transmission module, and the output of the data transmission module connects one way to the output port at the corresponding network end;
data are sent one way from network A to network B in the following steps:
Step 1: data acquisition: collect network A data packets from the specified network interface and process each packet as follows:
Step 1.1: if the packet is an ARP request frame asking for the MAC address of this network interface card, forward the ARP request over the one-way data channel to the reverse data transmission module; otherwise discard the ARP request;
Step 1.2: if the packet is an ARP reply frame answering a query for this network interface card's MAC address, forward the ARP reply over the one-way data channel to the reverse data transmission module; otherwise discard the ARP reply;
Step 1.3: if the packet is an Ethernet frame carrying IP, send the frame over the half-duplex channel to step 2 for processing;
Step 2: protocol recovery: restore the upper-layer protocols of the IP packet in the Ethernet frame and parse the application protocol above TCP or UDP, specifically:
Step 2.1: if the protocol of the IP packet is TCP, perform protocol recovery on the TCP packet and, once the application-layer protocol is identified, forward the restored TCP packet one way to step 3;
Step 2.2: if the protocol of the IP packet is UDP, perform protocol recovery on the UDP packet and, once the application-layer protocol is identified, forward the restored UDP packet one way to step 3;
Step 2.3: if the protocol of the IP packet is neither TCP nor UDP, discard the packet;
Step 3: data audit: filter and audit the packets entering this step according to the audit configuration rules; forward packets that comply to step 4 and discard packets that do not;
Step 4: information unloading and encapsulation, specifically:
Step 4.1: if the packet carries payload, extract the payload, re-encapsulate it into a new packet using the mapped address and port from the encapsulation configuration rules, and forward the new packet one way to step 5;
Step 4.2: if the packet carries no payload, forward it one way to step 5 either directly or after modifying specific fields of the packet according to the mapped address and port from the encapsulation configuration rules;
Step 5: data sending: for one-way data transmission from network A to network B, the data flow sent one way into network B is the forward flow and the data flow sent one way into network A is the reverse flow; let X denote A or B; the data transmission module processes the ARP request frames, ARP reply frames and IP packets it receives as follows:
Step 5.1: for an ARP request frame, construct an ARP reply from the IP and MAC address in the address configuration rule table and send it into network X;
Step 5.2: for an ARP reply frame, add the <IP, MAC> pair from the reply to the ARP mapping table;
Step 5.3: for an IP packet, check whether the address forwarding table holds the MAC address of the destination IP; if so, construct the data frame and send it straight into network X, otherwise go to step 5.4;
Step 5.4: look up the matching routing entry in the routing table; if none is found, configure the route and look up again; if one is found, obtain the IP address of the next-hop router and look up the corresponding MAC address in the ARP mapping table by that IP address; if it is not found, construct an ARP request asking for the router's MAC address, cache the IP packet, and wait for the ARP reply forwarded back by the reverse data acquisition module to deliver the router's MAC address; once the router's MAC address is known, construct the data frame, send it into network X and update the address forwarding table;
Step 6: repeat steps 1 to 5 until all data have been sent.
5. The network security isolation and information exchange method based on a half-duplex channel according to claim 4, characterised in that the audit configuration rules of step 3 comprise: 1) a whitelist; 2) any combination of the five-tuple {source IP, destination IP, source port, destination port, protocol}; 3) protocol feature strings obtained by machine learning.
6. The network security isolation and information exchange method based on a half-duplex channel according to claim 4, characterised in that the encapsulation configuration rules of step 4 record mappings of addresses and ports, translating the source IP address and source port into a different address and port, so that packets sent from network A to network B hide the topology of network A.
7. The network security isolation and information exchange method based on a half-duplex channel according to claim 4, characterised in that the address forwarding table of step 5 holds the mapping from destination IP address to destination MAC address, a lifetime is set for each <IP, MAC> mapping, and mappings whose lifetime has expired are deleted from the address forwarding table.
Application CN201410652474.4A, priority date 2014-11-17, filing date 2014-11-17: A kind of network security isolation and information switching method and system based on half-duplex channel. Granted as CN104363231B (en); legal status: Active.

Publications (2)

Publication Number: Publication Date
CN104363231A (en): 2015-02-18
CN104363231B (en): 2017-09-19
