CN110557378A - network boundary security isolation and information one-way transmission system and transmission method - Google Patents


Info

Publication number: CN110557378A
Authority: CN (China)
Prior art keywords: service, network, file, information, transmission
Legal status: Pending (status as listed by Google; not a legal conclusion)
Application number: CN201910714956.0A
Other languages: Chinese (zh)
Inventors: 李红卫, 周盛, 张银利, 吕小兵, 徐驰, 孙黎, 杨如峰
Current assignee: Xian Aircraft Industry Group Co Ltd
Original assignee: Xian Aircraft Industry Group Co Ltd
Events: application filed by Xian Aircraft Industry Group Co Ltd; priority to CN201910714956.0A; publication of CN110557378A

Classifications

    • H04L63/0209 Network security; separating internal from external traffic (e.g. firewalls); architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0281 Network security; separating internal from external traffic (e.g. firewalls); proxies
    • H04L63/20 Network security; managing network security; network security policies in general
    • H04L67/02 Network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/26 Network arrangements, protocols or services independent of the application payload; special purpose or proprietary protocols or architectures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A network boundary security isolation and information one-way transmission system and transmission method are provided. A first network boundary application proxy module is placed between the service system client of the first network and the security isolation and one-way import module; the client talks to the proxy over SOAP, and the proxy talks to the import module over an internal private protocol. A second network boundary application proxy module is placed between the security isolation and one-way import module and the service system server of the second network; again the service side uses SOAP and the link to the import module uses the internal private protocol. The invention keeps file-level transfer, so the physical characteristics of the security isolation and one-way import device are unchanged, and adds a network-layer receiving and processing stage at each end of the device. This gives transparent docking at the front end and seamless parsing of service data at the back end: the original service system is connected directly, the service flow is not interrupted, and data is carried safely and reliably with no change in user experience, all on top of standardized network security isolation and one-way import technology. The method suits scenarios where data must move safely and reliably, in one direction and independently of any particular service, between networks of different types and different security levels.

Description

Network boundary security isolation and information one-way transmission system and transmission method
Technical Field
The invention relates to network technology, in particular to a network boundary security isolation and information one-way transmission system and transmission method.
Background
With the rapid spread of information technology, business systems have become an important support for enterprise development. Enterprises build large numbers of business systems both inside and outside the organisation, and build several physically isolated networks according to the purpose and security level of the information they carry. As information fusion, big data and similar technologies are applied, data exchange between service systems holding business secrets, and even state secrets, becomes ever more frequent. How to keep information secure while it is transferred, and in particular how to secure data exchange between the same or different service systems across networks of different types and security levels, is a new information-security requirement for enterprises.
To meet these requirements, conventional schemes either ferry data manually or simply add a security isolation and one-way import device. Both satisfy the physical-isolation requirement, but neither is real-time, and in particular neither supports real-time data transfer between service systems. Chinese patent publication "Unidirectional network data transmission device" (CN204993438U) uses a one-way optical configuration to make transfer between networks irreversible; Chinese patent publication "A computer network isolation system" (CN205068408U) places a computer between the two networks as an intermediate data area and switches its network cards so that the two networks remain physically isolated and data confidentiality and safety are preserved.
Both of these approaches exchange data between two networks with network security isolation and one-way import technology, but they concentrate on the internal mechanism or product structure of the isolation device. They do guarantee one-way, feedback-free transfer, yet they cannot work together with a service system to deliver seamless, uninterrupted information transfer. The problems are: (1) the isolation and one-way import technology exchanges data as files, which breaks the original network transport between service systems and cannot connect to a service system's data interface; (2) accidental data loss requires human intervention, is not detected promptly, and resuming an interrupted transfer is difficult; (3) the service systems at the two ends of the one-way link cannot tell whether the data is complete or how its parts relate; (4) once the sending end has handed over the data it cannot tell whether the transfer succeeded; (5) the benefit of the information system, and the continuity and consistency of the business process, are seriously impaired.
In summary, the above schemes cannot provide real-time, secure data transfer between service systems. What is needed is a transparent, uninterrupted transfer method for services in a one-way isolated exchange environment, one that raises the exchange efficiency between the two physically isolated networks and solves the data loss and integrity damage that physically isolated transfer causes.
Disclosure of Invention
The invention aims to provide a network boundary security isolation and information one-way transmission system and a transmission method.
A network boundary security isolation and information one-way transmission system comprises a first network and a second network; files and parameter information flow from the first network to the second network in one direction only. The service system client of the first network is connected to the service system server of the second network through a security isolation and one-way import module, which consists of an outer-end server and an inner-end server; by default the first network is the outer end and the second network the inner end. The system is characterized in that a first network boundary application proxy module is placed between the first network's service system client and the security isolation and one-way import module, exchanging data with the client over SOAP. This module comprises a service proxy and an outer-end client: the service proxy interfaces with the first network's service system client, and the outer-end client connects to the outer-end server of the import module over an internal private protocol. Likewise, a second network boundary application proxy module is placed between the import module and the second network's service system server, exchanging data with the server over SOAP. It comprises an inner-end client and a service requester: the service requester interfaces with the second network's service system server, and the inner-end client connects to the inner-end server of the import module, again over the internal private protocol.
The first proxy module and the import module, and the second proxy module and the import module, are connected by one-way optical fibre. The service proxy, outer-end client, inner-end client and service requester are each an independently packaged hardware-and-software appliance running a customized Linux operating system, so that the transfer cannot be monitored, stolen or tampered with by an external intruder.
The first network's service system client converts the file to be transmitted to Base64 and combines that encoding, the file's MD5 digest (the page calls it a signature) and the parameter information into an XML service file in the standard format defined by the service proxy's WSDL file and XML XSD file.
The WebService published by the service proxy is based on XML SOAP. A WSDL file is defined for the service; it describes the service that the second network's service system server provides to the first network's service system client, and the address and port of the service proxy. An XSD file is built at the same time; it defines the standard format and constraints of the service's XML service file, and the service proxy validates every XML service file from the first network against those constraints. If a file is to be transferred it is described inside the XML service file, carries an MD5 digest, and has its content Base64-encoded. The service proxy supports building and registering several WSDL and XSD files, so that several different service systems in the second network can offer services.
The application also provides a network boundary security isolation and information one-way transmission method using this system. The first network sends the XML service file to the service proxy; the service proxy passes the validated XML service file to the outer-end client; the outer-end client converts the XML service file into binary form, opens a connection to the outer-end server of the security isolation and one-way import module and sends the file over the internal private protocol. The import module moves the transcoded service file from the outer-end server to the inner-end server with an optical one-way technique and no feedback path; the inner-end server receives it, connects to the inner-end client of the second network and forwards it over the internal private protocol. The inner-end client decodes the file back into an XML service file and forwards it to the service requester of the second network; the service requester calls the WebService published by the second network's service system server, wraps the restored service file in a SOAP request body of the specified format, and sends it to that server. The server validates the XML service file against the WSDL and XSD files agreed with the first network's service proxy, then locates the MD5 digest in the file and checks the data's integrity against it, and once that check passes restores the original transmitted file from its Base64 encoding.
The benefits of this application are: 1) On top of a conventional standardized Web service interface, the invention uses WSDL and XSD to secure the network service interface, which effectively stops external systems, and files outside the agreed specification, from being pushed to the other network through the system. 2) The first proxy module and the import module, and the second proxy module and the import module, are joined by one-way optical fibre with IP-address and MAC-address binding and no network equipment in between, which further hardens the service path; the result is layered security checks at the service, network and physical layers and one-way transfer of data between the two networks, while the service keeps running with automatic, transparent transfer. 3) The physical characteristics of the network security isolation and one-way import device are unchanged and file-level transfer is retained; a network-layer receiving and processing stage at each end of the device gives transparent docking at the front end and seamless parsing at the back end, so the service system connects directly and the process transfers data reliably and without interruption, on the basis of standardized network security isolation and information one-way import technology.
4) The invention is a one-way data transfer method between two networks of different security levels, and suits scenarios requiring safe, reliable one-way transfer and transparent docking of service systems between networks of different types and different security levels.
The present application is described in further detail below with reference to the accompanying drawings of embodiments.
Drawings
FIG. 1 is a schematic diagram of a network boundary security isolation and information one-way transmission system according to the present invention
Detailed Description
Referring to the drawing, the network boundary security isolation and information one-way transmission system comprises a first network and a second network, and transfers files and parameter information from the first network to the second in one direction only. The service system client of the first network is connected to the service system server of the second network through a security isolation and one-way import module and the network boundary application proxy modules. The import module comprises an outer-end server and an inner-end server; by default the first network is the outer end and the second network the inner end.
A first network boundary application proxy module is placed between the first network's service system client and the import module and exchanges data with the client over SOAP. It comprises a service proxy and an outer-end client: the service proxy interfaces with the first network's service system client, the outer-end client connects to the outer-end server of the import module, and that link uses the internal private protocol.
A second network boundary application proxy module is placed between the import module and the second network's service system server and exchanges data with the server over SOAP. It comprises an inner-end client and a service requester: the service requester interfaces with the second network's service system server, the inner-end client connects to the inner-end server of the import module, and that link also uses the internal private protocol.
In this safe and reliable network boundary security isolation and information one-way transmission system, the first network's service system client is connected to the first network boundary application proxy module and exchanges data with it over SOAP;
the second network's service system server is connected to the second network boundary application proxy module and exchanges data with it over SOAP;
the first network boundary application proxy module comprises a service proxy and an outer-end client;
the second network boundary application proxy module comprises an inner-end client and a service requester;
the service proxy connects to the first network's service system interface, and the service requester connects to the second network's service system interface;
the security isolation and one-way import module comprises an outer-end server and an inner-end server;
the outer-end server connects to the outer-end client, the inner-end server connects to the inner-end client, and both of these links are specified to use the internal private protocol;
the outer-end server is connected to the inner-end server through an optical one-way mechanism;
the first proxy module and the import module, and the second proxy module and the import module, are connected by one-way optical fibre with no network equipment between them; the service proxy, outer-end client, inner-end client and service requester are each an independently packaged hardware-and-software appliance running a customized Linux operating system, so that the transfer cannot be monitored, stolen or tampered with by an external intruder.
Furthermore, the service proxy interfaces with the service system in the first network and, acting on behalf of the second network's service system server, publishes a standard WebService to the first network's service system;
the standard WebService published by the service proxy uses the XML-based SOAP protocol and defines a WSDL file for the service, which describes the service that the second network's service system provides to the first network's service system, and the address and port of the service proxy;
Furthermore, the service proxy specifies the format of the XML service file that the first network's service system sends;
the service proxy defines the standard format and constraints of the first network's XML service file in a pre-built XML XSD file, and checks the format of every XML service file from the first network against those constraints. If the XML service file contains a file to transfer, the service file must describe that file and carry its MD5 digest, and the file content must be Base64-encoded. The MD5 digest lets the receiver confirm that the transferred data is intact, and Base64 encoding solves the problem of carrying a binary file over HTTP. Note that MD5 here is an unkeyed digest: it detects accidental corruption in transit, but it does not authenticate the sender, since whoever can change the content can recompute the digest; the page's word "signature" should be read as "checksum";
Furthermore, the service proxy passes the validated XML service file to the outer-end client, which parses and identifies it;
the outer-end client converts the service file into binary form, opens a connection to the outer-end server and sends the service file over the internal private protocol;
the outer-end server forwards the transcoded service file to the inner-end server with an optical one-way technique, with no feedback path;
the inner-end server receives the transcoded service file, opens a connection to the inner-end client and sends the file over the internal private protocol;
Furthermore, the inner-end client decodes the service file back from its transcoded form;
the service requester calls the service of the second network's service system server, repackages the restored service file into an XML service file of the specified format, forms a SOAP request and sends it to the server;
the second network's service system server validates the XML service file from the service requester against the constraints of the WSDL and XSD files, then checks whether the file contains a transferred file and its MD5 digest; if it does, it Base64-decodes the transferred file and verifies the MD5 digest;
after verification the server obtains the real request parameters and the transferred file, and processes the request;
Finally, the second network's service system server returns the processing result to the application system in the first network by the same transmission method over a second, oppositely directed device.
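The packaging, two-stage proxy validation and receiver-side restoration described above (and summarised in the method under Disclosure of Invention) can be made concrete in a small Python model. This is an added example written for this page, not code from the patent or its assignee: the patent does not publish its WSDL or XSD, so the SOAP operation name TransferFile, the service namespace urn:example:boundary-proxy, the ServiceFile/Params/File element layout, the size cap and the sample payload are all assumptions. The XSD constraints are written out by hand because the Python standard library has no XSD validator; a real service proxy would load the agreed XSD into a schema validator instead.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Namespaces, operation names and limits are hypothetical; the page does not publish its WSDL or XSD.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:boundary-proxy"
WSDL_OPERATIONS = {"TransferFile"}          # operations the hypothetical WSDL defines
MAX_FILE_BYTES = 64 * 1024 * 1024           # hypothetical size cap, as an XSD maxLength would impose
MD5_HEX = re.compile(r"[0-9a-f]{32}")


def build_service_file(name: str, data: bytes, params: dict) -> str:
    """First-network client: MD5 the raw file, Base64 its content, emit the XML service file."""
    root = ET.Element("ServiceFile")
    p = ET.SubElement(root, "Params")
    for key, value in params.items():
        ET.SubElement(p, "Param", name=key).text = value
    f = ET.SubElement(root, "File", name=name, md5=hashlib.md5(data).hexdigest())
    ET.SubElement(f, "Content").text = base64.b64encode(data).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def wrap_soap(service_xml: str, operation: str = "TransferFile") -> bytes:
    """First-network client: wrap the service file in the SOAP request the WSDL describes."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    op.append(ET.fromstring(service_xml))
    return ET.tostring(env)


def check_wsdl(soap_bytes: bytes):
    """Stage 1 at the service proxy: a well-formed SOAP envelope invoking a published operation."""
    try:
        env = ET.fromstring(soap_bytes)
    except ET.ParseError as exc:
        return None, f"not well-formed XML: {exc}"
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        return None, "not a SOAP envelope"
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return None, "SOAP Body must carry exactly one operation"
    ns, _, local = body[0].tag[1:].partition("}")
    if ns != SVC_NS or local not in WSDL_OPERATIONS:
        return None, f"operation {local!r} is not defined in the WSDL"
    return body[0], None


def check_xsd(op):
    """Stage 2: hand-written equivalents of the XSD constraints; returns a reason or None."""
    if len(op) != 1 or op[0].tag != "ServiceFile":
        return "operation must carry exactly one ServiceFile"
    sf = op[0]
    for child in sf:
        if child.tag not in {"Params", "File"}:
            return f"unexpected element {child.tag!r}"
    files = sf.findall("File")
    if len(files) > 1:
        return "at most one File per service file"
    for f in files:
        name, md5, content = f.get("name"), f.get("md5"), f.findtext("Content")
        if not name or "/" in name or "\\" in name or name in (".", ".."):
            return "File name must be a bare file name"
        if md5 is None or not MD5_HEX.fullmatch(md5):
            return "md5 must be 32 lowercase hex digits"
        if content is None:
            return "File must carry Content"
        try:
            raw = base64.b64decode(content, validate=True)
        except ValueError:               # binascii.Error is a ValueError subclass
            return "Content is not valid Base64"
        if len(raw) > MAX_FILE_BYTES:
            return "file exceeds the size cap"
    return None


def proxy_validate(soap_bytes: bytes):
    """Service proxy: WSDL check, then XSD check; returns (ServiceFile element, None) or (None, reason)."""
    op, reason = check_wsdl(soap_bytes)
    if op is None:
        return None, "WSDL check failed: " + reason
    reason = check_xsd(op)
    if reason is not None:
        return None, "XSD check failed: " + reason
    return op[0], None


def restore_file(sf):
    """Second-network server: Base64-decode and verify MD5; returns (result, None) or (None, reason)."""
    params = {p.get("name"): p.text or "" for p in sf.iterfind("Params/Param")}
    f = sf.find("File")
    if f is None:
        return {"name": None, "data": None, "params": params}, None
    raw = base64.b64decode(f.findtext("Content"), validate=True)
    if hashlib.md5(raw).hexdigest() != f.get("md5"):
        return None, "MD5 mismatch: file corrupted or altered in transit"
    return {"name": f.get("name"), "data": raw, "params": params}, None


if __name__ == "__main__":
    sample = b"drawing revision 7"   # constructed sample payload
    request = wrap_soap(build_service_file("part.dxf", sample, {"project": "X"}))
    sf, reason = proxy_validate(request)
    print(reason or restore_file(sf))
```

The order of the two proxy stages matters: the WSDL stage rejects anything that is not one of the published operations before the payload is even looked at, and the XSD stage rejects service files that are structurally wrong (a path instead of a bare file name, a malformed digest, non-Base64 content) before the binary is extracted for the one-way link. The MD5 comparison is deliberately left to the receiving server, as in the patent, because it is the only party that ever sees the decoded bytes.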
The first network's service system client computes the MD5 digest of the file to be transmitted, converts the file content to Base64, and builds and issues a SOAP-based XML service file request according to the WSDL file and the XML XSD standard format and constraints defined by the first network's service proxy.
The WebService published by the service proxy is based on XML SOAP and defines a WSDL file for the service, describing the service offered by the second network's service system server to the first network's service system client and the address and port of the service proxy. An XSD file is built at the same time to define the standard format of the first network's XML service file and to check the format of each file the first network sends; if a file is to be transferred, the XML service file must carry its MD5 digest and the file content must be Base64-encoded.
The second network service system publishes a service to the first network service system and generates a WSDL file describing that service; the WSDL file specifies the service, the service agent end address and the port used to access the service end of the second network service system, and at the same time prevents other external systems from accessing the service end of the second network service system;
The first network service system and the second network service system agree on an XSD file specific to the service, carrying a structural description and constraint requirements and usable for verification, so that service files outside the specification cannot be output from the first network service system;
The WSDL file and the XSD file are configured respectively on the service agent end of the first network boundary application agent module and on the service interface of the second network service system;
The first network service system obtains the WSDL service description and the XSD file published on the first network boundary application agent module, generates client framework code from the WSDL namespace and the XSD file, and develops its service process on that framework code;
Using the framework code, the first network service system client packages the service file to be transmitted into an XML service file that passes XSD format verification; the transmission file inside the XML service file is required to carry an MD5 signature and to be encoded in Base64 format;
The first network service system client encapsulates the XML service file according to the WSDL service description file to form an external XML file conforming to the WSDL service request, and transmits the external XML file to the first network boundary application agent module over the SOAP protocol;
The service agent end in the first network boundary application agent module processes the SOAP request from the first network service system client, parses the external XML file and verifies its compliance against the preset WSDL file; if the request does not conform to the definition, the request is rejected and service request failure information is fed back to the first network service system client;
After WSDL verification passes, the service agent end parses the XML service file and performs forced format verification against the preset XSD file; if the XML file format does not conform to the definition, the request is refused and verification failure information is fed back to the first network service system client;
When the request from the first network service system client passes XSD verification, the external client end parses the XML service file, extracts the real service file from it and converts that file into binary format, packages it using the preset internal private protocol, and transmits it over a one-way optical fiber to the external terminal server of the security isolation and information one-way import module;
After receiving the service file, the external terminal server passes it to the internal terminal server using the optical one-way technique, giving automatic one-way, feedback-free transmission of the service file; inside the internal terminal server the service file undergoes virus scanning and keyword filtering, is then packaged using the preset internal private protocol, and is sent over a one-way optical fiber to the internal client in the second network boundary application agent module;
The internal client receives and parses the service data encapsulated in the internal private protocol and decodes it back into the service file;
The service request end in the second network boundary application agent module re-encapsulates the decoded service file into the original SOAP request body and sends it to the second network service system server end;
The second network service system server end parses the external XML file from the service request end according to the preset WSDL file and checks it; if the request does not conform to the definition, the request is rejected and service request failure information is fed back to the service request end and to the first network service system client, where feeding information back to the first network service system client is the reverse operation of this system and method;
After WSDL verification passes, the second network service system server end parses the XML service file in the service request and performs forced format verification against the preset XSD file; if the XML file format does not conform to the definition, reception is refused and verification failure information is fed back to the service request end and to the first network service system client, where feeding information back to the first network service system client is the reverse operation of this system and method.
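The steps above describe a file wrapped as an XML service file (Base64 content plus MD5 digest plus parameters), checked against an agreed schema on the sending side, filtered on the internal side, and checked again, integrity-verified and decoded on the receiving side. The following is an added example written for this page, not code from the patent or its applicant, showing those checks end to end with the Python standard library only. The element names, the structural checks that stand in for the agreed XSD (the real schema is not on the page), the blocked-keyword list and the sample file are all assumptions made for the example; the example also carries the XML service file itself across the stages rather than the binary form and internal private protocol the page mentions without specifying.

```python
# Added example, not the patent's code: build, verify and restore the XML
# service file described above, using the standard library only. Element
# names, the checks standing in for the agreed XSD, and the keyword list
# are assumptions made for this example.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Assumed XSD-equivalent constraints: the real schema agreed between the two
# networks is not on the page, so these checks stand in for it.
ALLOWED_ELEMENTS = {"serviceFile", "parameters", "param",
                    "transmissionFile", "md5", "content"}
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
BLOCKED_KEYWORDS = (b"SECRET",)   # constructed stand-in for the keyword filter

# Constructed sample input.
SAMPLE_PAYLOAD = b"drawing-rev-B.pdf contents (constructed sample)"
SAMPLE_PARAMS = {"sourceSystem": "PLM", "docId": "constructed-0001"}


def build_service_file(payload: bytes, params: dict) -> bytes:
    """First-network client: Base64-encode the file, compute its MD5 digest
    (the page's "MD5 signature") and wrap both, with the parameters, in the
    agreed XML structure."""
    root = ET.Element("serviceFile")
    p = ET.SubElement(root, "parameters")
    for name, value in params.items():
        ET.SubElement(p, "param", name=name).text = value
    tf = ET.SubElement(root, "transmissionFile")
    ET.SubElement(tf, "md5").text = hashlib.md5(payload).hexdigest()
    ET.SubElement(tf, "content").text = base64.b64encode(payload).decode("ascii")
    return ET.tostring(root, encoding="utf-8")


def validate_structure(xml_bytes: bytes) -> ET.Element:
    """Service agent end: forced format verification standing in for the XSD
    check; anything outside the agreed format raises ValueError."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter():
        if el.tag not in ALLOWED_ELEMENTS:
            raise ValueError(f"unexpected element <{el.tag}>")
    if root.tag != "serviceFile" or root.find("transmissionFile") is None:
        raise ValueError("missing transmissionFile")
    digest = root.findtext("transmissionFile/md5") or ""
    content = root.findtext("transmissionFile/content") or ""
    if not MD5_HEX.match(digest):
        raise ValueError("md5 is not a 32-hex-digit digest")
    if not BASE64_RE.match(content) or len(content) % 4:
        raise ValueError("content is not Base64")
    return root


def keyword_filter(data: bytes) -> None:
    """Internal terminal server: keyword filtering before forwarding (the
    virus scan the page also mentions is out of scope here)."""
    for kw in BLOCKED_KEYWORDS:
        if kw in data:
            raise ValueError(f"blocked keyword {kw!r}")


def restore_original(xml_bytes: bytes) -> tuple:
    """Second-network server end: re-verify the format, check MD5 integrity,
    then Base64-decode back to the original transmission file."""
    root = validate_structure(xml_bytes)
    content = base64.b64decode(root.findtext("transmissionFile/content"), validate=True)
    if hashlib.md5(content).hexdigest() != root.findtext("transmissionFile/md5"):
        raise ValueError("MD5 integrity check failed")
    params = {e.get("name"): e.text for e in root.iter("param")}
    return content, params


def one_way_transfer(xml_bytes: bytes) -> str:
    """Run the stages in the order the method gives them and report the
    outcome as text, so a rejection at any stage is visible."""
    try:
        root = validate_structure(xml_bytes)                       # first-network agent
        payload = base64.b64decode(root.findtext("transmissionFile/content"), validate=True)
        keyword_filter(payload)                                    # internal terminal server
        content, params = restore_original(xml_bytes)              # second-network server
        return f"accepted {len(content)} bytes, params={params}"
    except (ValueError, ET.ParseError) as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Good file, payload altered after digesting, an element outside the
    schema, and a blocked keyword: only the first is accepted."""
    good = build_service_file(SAMPLE_PAYLOAD, SAMPLE_PARAMS)
    altered = ET.fromstring(good)
    altered.find("transmissionFile/content").text = base64.b64encode(b"replaced").decode("ascii")
    extra = ET.fromstring(good)
    ET.SubElement(extra, "extraElement").text = "not in the agreed XSD"
    return {
        "good": one_way_transfer(good),
        "altered": one_way_transfer(ET.tostring(altered)),
        "extra": one_way_transfer(ET.tostring(extra)),
        "blocked": one_way_transfer(build_service_file(b"SECRET data", SAMPLE_PARAMS)),
    }
```

Running demo() accepts the well-formed file and rejects the other three cases at the stage the method places each check: the element outside the schema fails the service agent end's forced format verification before anything crosses the boundary, the blocked keyword fails on the internal terminal server, and the content altered after the digest was computed fails the MD5 integrity check at the second-network server end. Note what the MD5 check does and does not give: it detects corruption of the content relative to the digest carried in the same file, but anyone able to rewrite the content can also rewrite the digest, so the scheme's protection against modified files rests on the one-way channel and the schema verification on both sides, not on the digest alone.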

Claims (5)

1. A network boundary security isolation and information one-way transmission system comprising a first network and a second network, wherein file and parameter information of the first network is transmitted one way to the second network, a service system client of the first network is connected to a service system server of the second network through a security isolation and information one-way import module, the security isolation and information one-way import module comprises an external terminal server and an internal terminal server, the first network is by default the external terminal and the second network the internal terminal; characterized in that a first network boundary application proxy module is arranged between the first network service system client and the security isolation and information one-way import module and performs data transmission over the SOAP protocol, the first network boundary application proxy module comprises a service proxy end and an external client end, the service proxy end interfaces with the first network service system client, the external client end is connected to the external terminal server of the security isolation and information one-way import module, and the transmission protocol is an internal private protocol; a second network boundary application agent module is arranged between the security isolation and information one-way import module and the second network service system server and performs data transmission over the SOAP protocol, the second network boundary application agent module comprises an internal client and a service request end, the service request end interfaces with the second network service system server, the internal client is connected to the internal terminal server of the security isolation and information one-way import module, and the transmission protocol is likewise an internal private protocol.
2. The network boundary security isolation and information one-way transmission system according to claim 1, wherein the first network boundary application agent module and the security isolation and information one-way import module, and the second network boundary application agent module and the security isolation and information one-way import module, are all connected by one-way optical fibers, and the service agent end, the external client end, the internal client and the service request end are all devices packaged independently as integrated software and hardware and running a Linux operating system, so that the transmitted information cannot be monitored, stolen or tampered with through external intrusion.
3. The network boundary security isolation and information one-way transmission system according to claim 1 or 2, wherein the first network service system client converts the file to be transmitted into Base64 encoding, and the Base64 encoding, the MD5 signature and the parameter information of the file together form the standard XML service file format defined by the WSDL file and the XML XSD file defined by the first network service agent end.
4. The network boundary security isolation and information one-way transmission system according to claim 1 or 2, characterized in that the WebService published by the service agent end is XML-based SOAP and defines a service-specific WSDL file describing the service provided by the second network service system server end to the first network service system client, the service agent end address and the port; at the same time an XSD file is constructed that defines the standard format and constraint requirements of the XML service file of that service, and the service agent end verifies the XML service file transmitted by the first network against those constraint requirements; if a transmission file is included, it must be described within the XML service file and carry the MD5 signature of the transmission file, with the file content encoded in Base64 format; and the service agent end supports the construction and registration of multiple WSDL files and XSD files, so that multiple different service systems can obtain services from the second network.
5. A network boundary security isolation and information one-way transmission method, characterized in that, using the network boundary security isolation and information one-way transmission system as claimed in claim 1, the first network sends an XML service file to the service agent end; the service agent end passes the verified XML service file to the external client end; the external client end converts the XML service file into binary form, establishes a connection with the external terminal server of the security isolation and information one-way import module, and transmits the file to that server over the internal private protocol; the security isolation and information one-way import module moves the transcoded service file from the external terminal server to the internal terminal server using an optical one-way technique with no feedback path; the internal terminal server receives the transcoded service file, establishes a connection with the internal client of the second network, and transmits the file to that client over the internal private protocol; the internal client decodes the service file back into an XML service file and forwards it to the service request end of the second network; the service request end calls the WebService published by the service system server end of the second network, re-encapsulates the restored service file into a SOAP request body in the specified format, and transmits the XML service file to the service system server end of the second network; and the service system server end of the second network verifies the XML service file sent by the service request end against the WSDL file and the XSD file agreed with the service agent end of the first network, after that verification identifies the MD5 signature in the XML service file and performs an MD5 data integrity check, and once the check passes decodes the Base64-encoded content of the XML service file back into the original transmission file.
CN201910714956.0A 2019-08-02 2019-08-02 network boundary security isolation and information one-way transmission system and transmission method Pending CN110557378A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910714956.0A CN110557378A (en) 2019-08-02 2019-08-02 network boundary security isolation and information one-way transmission system and transmission method


Publications (1)

Publication Number Publication Date
CN110557378A true CN110557378A (en) 2019-12-10

Family

ID=68736983

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910714956.0A Pending CN110557378A (en) 2019-08-02 2019-08-02 network boundary security isolation and information one-way transmission system and transmission method

Country Status (1)

Country Link
CN (1) CN110557378A (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442524A (en) * 2008-12-23 2009-05-27 成都市科陆洲电子有限公司 Method for data communication with national electric network marketing system server
CN102970378A (en) * 2012-12-13 2013-03-13 中国电子科技集团公司第十五研究所 Binary data optimized transmission system
CN202906969U (en) * 2012-09-25 2013-04-24 上海辰锐信息科技公司 Boundary safety transmission equipment based on unidirectional light technology and a communication system employing the equipment
CN103491072A (en) * 2013-09-06 2014-01-01 北京信息控制研究所 Boundary access control method based on double one-way separation gatekeepers
CN104767752A (en) * 2015-04-07 2015-07-08 西安汇景倬元信息技术有限公司 Distributed network isolating system and method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
宋卫平 (Song Weiping): "Design and Implementation of an Internal/External Network Interaction Platform under the Dual-Network Isolation Environment of Sichuan Electric Power Company" (四川省电力公司双网隔离环境下内外网交互平台的设计与实现), China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110912940A (en) * 2019-12-25 2020-03-24 普世(南京)智能科技有限公司 Isolated network transparent service access method and system based on double unidirectional switching equipment
CN111600927A (en) * 2020-04-03 2020-08-28 浙江工业大学 Method for service adaptive calling under complex network environment
CN111600927B (en) * 2020-04-03 2022-12-20 浙江工业大学 Method for service adaptive calling under complex network environment
CN112436998A (en) * 2020-11-12 2021-03-02 北京天融信网络安全技术有限公司 Data transmission method and electronic equipment
CN112597497A (en) * 2020-12-25 2021-04-02 军工保密资格审查认证中心 Safety data exchange device and method based on multi-channel independent interaction
CN112866206A (en) * 2020-12-31 2021-05-28 北京天融信网络安全技术有限公司 Unidirectional data transmission method and device
CN114826760A (en) * 2022-05-12 2022-07-29 深圳铸泰科技有限公司 Network security analysis method based on boundary theory
CN114826760B (en) * 2022-05-12 2023-08-15 深圳铸泰科技有限公司 Network security analysis method based on boundary theory
CN114938368A (en) * 2022-06-13 2022-08-23 深圳市星火电子工程公司 Network boundary safety access method
CN116319733A (en) * 2022-09-09 2023-06-23 中央军委政治工作部军事人力资源保障中心 Cross-network service switching system and method

Similar Documents

Publication Publication Date Title
CN110557378A (en) network boundary security isolation and information one-way transmission system and transmission method
US6665674B1 (en) Framework for open directory operation extensibility
US9491201B2 (en) Highly scalable architecture for application network appliances
US8239520B2 (en) Network service operational status monitoring
US6216173B1 (en) Method and apparatus for content processing and routing
CN101953224B (en) Message processing engine with a virtual network interface
EP1364511B1 (en) A digital television application protocol for interactive television
US9459936B2 (en) Enterprise client-server system and methods of providing web application support through distributed emulation of websocket communications
KR100456634B1 (en) Alert transmission apparatus and method for policy-based intrusion detection & response
EP2842052B1 (en) File transfer using xml
CN110912940A (en) Isolated network transparent service access method and system based on double unidirectional switching equipment
CN105681462A (en) Cluster system based on message router, and data communication transfer method
WO2010127531A1 (en) Apparatus, web service component and method based on web service
CN112492017A (en) Websocket connection method and system based on token authentication
CN103002049A (en) Network transmission system of large quantities of data
CN113747375A (en) One-key acquisition system and method for third-party application user sensitive information in 5G message
CN114157537A (en) System and method for realizing multi-source heterogeneous data access by general equipment gateway
KR102441752B1 (en) System and method for supporting between heterogeneous networks communication using unidirectional communication
WO2007143903A1 (en) A system and method for realizing message service
CN111708515B (en) Data processing method based on distributed shared micro-module and salary file integrating system
WO2010060312A1 (en) Method and system for implementing web application and external device network connection
KR100309561B1 (en) Security devices and methods in the corridor of web and information providers and their recording media
Guan et al. Research and Design of Secure Data Exchange Model Based on the Interactivity Environment of Energy Internet
US11895078B2 (en) System for communicating among end-user devices having different message channel formats and associated methods
KR100562148B1 (en) Method for transmitting enormous message in internet edi system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20191210
