CN112671719A - Network security isolation method and device based on data stripping and construction method thereof - Google Patents


Info

Publication number
CN112671719A
Authority
CN
China
Legal status
Pending
Application number
CN202011421085.2A
Other languages
Chinese (zh)
Inventor
卢立生
邓昊
尹朋
张俊岭
张云鹏
武传奇
刘波
牛爱梅
杨勇
宋天航
Current Assignee
Shandong Luneng Software Technology Co Ltd
Original Assignee
Shandong Luneng Software Technology Co Ltd
Priority date
2020-12-08
Filing date
2020-12-08
Publication date
2021-04-16

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a network security isolation method and device based on data stripping and a construction method thereof, wherein the method comprises the following steps: authenticating the identity of the external network side database server in an IP or MAC address binding mode; collecting data in an external network database, and carrying out format check and virus killing on data contents; packaging the sterilized data into a format file with a special file format required by isolation, encrypting the file and sending the encrypted file to the isolation equipment; and decrypting the file with the special format, converting the format, and loading the file into a target database of the intranet terminal. The invention realizes the technology of information network safety isolation and data stripping under the specific application environment, and is used for isolating the network boundary and protecting the authenticity, integrity and reliability of the internal and external network data.

Description

Network security isolation method and device based on data stripping and construction method thereof
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network security isolation method and device based on data stripping and a construction method thereof.
Background
In recent years, with the advance of informatization and the adoption of the internet across industries, data security has become increasingly prominent in network applications that span different business environments and security domains. In the power system, the security and protection of user data are a major concern: information flows from the user terminal zone, through intermediate networks, up to the power application master station, and must satisfy the regulatory principle of 'security partitioning, dedicated networks, horizontal isolation and vertical authentication'. There is therefore an urgent need to address the risks at network boundaries and in transmission channels by technical means, to ensure the normal operation of the master station system, and to prevent related information, instructions and parameters from being tampered with, forged, replayed or illegally issued.
Existing isolation equipment suffers from low throughput, an inability to integrate diverse service scenarios effectively, a high failure rate and low communication efficiency, and carries security risks such as data theft by unauthorized third parties, penetration of the power intranet, and illegal deployment of and access by unauthorized equipment.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a network security isolation method and device based on data stripping and a construction method thereof, so as to solve the technical problems.
In a first aspect, the present invention provides a network security isolation method based on data stripping, including:
authenticating the identity of the external network side database server in an IP or MAC address binding mode;
collecting data in an external network database, and carrying out format check and virus killing on data contents;
packaging the sterilized data into a format file with a special file format required by isolation, encrypting the file and sending the encrypted file to the isolation equipment;
and decrypting the file with the special format, converting the format, and loading the file into a target database of the intranet terminal.
Further, the method further comprises: and recording the whole data exchange process to form an audit record.
Further, the format checking and virus killing of the data content includes:
carrying out format check on the data content, and filtering data which do not conform to the security policy;
and invoking an antivirus engine to perform virus searching and killing on the large field contents of the character large object and the binary large object in the data.
Further, the method further comprises: and formulating policy rules during data acquisition, format check and format conversion.
In a second aspect, the present invention provides a network security isolation apparatus based on data stripping, comprising an isolation external host, an isolation internal host and an isolation interaction assembly, wherein the isolation external host and the isolation internal host are connected through the isolation interaction assembly; the isolation interaction assembly splits and recombines data and provides the transmission channel for data interaction between the isolation internal and external hosts.
Further, the isolation external host comprises an identity authentication unit, a data acquisition unit, a format filtering unit, a virus killing unit, an encryption unit and a file sending unit.
Further, the isolation internal host comprises a file receiving unit, a decryption unit, a format conversion unit, a data loading unit and a process recording unit.
In a third aspect, the present invention provides a method for building a network security isolation device based on data stripping, including:
determining a power system platform network topology architecture, determining service requirements and technologies used, and determining a specific deployment position of an isolation device;
the isolation device is deployed at the network boundary of the internal and external power networks to complete the connection and installation of the internal and external hosts of the equipment and the platform server of the power system;
and through a configuration interface of the isolation device, IP and port rule configuration and user filtering are realized, and data isolation and ferrying of an internal network and an external network of the power system platform are realized.
The beneficial effects of the invention are as follows.
The invention provides a network security isolation method and device based on data stripping, and a construction method thereof, which realize information network security isolation and data stripping in a specific application environment. They are used to isolate the network boundary and to protect the authenticity, integrity and reliability of internal and external network data, and, through the splitting and recombination of data by the isolation interaction assembly, provide a secure, efficient and reliable transmission channel for data interaction between the internal and external network systems of the power grid, thereby ensuring network information security and efficient, stable data transmission between the power intranet and extranet.
In addition, the invention has reliable design principle, simple structure and very wide application prospect.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present invention, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
FIG. 1 is a schematic flow diagram of a method of one embodiment of the invention.
Fig. 2 is a schematic block diagram of an apparatus of one embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiment of the present invention will be clearly and completely described below with reference to the drawings in the embodiment of the present invention, and it is obvious that the described embodiment is only a part of the embodiment of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
FIG. 1 is a schematic flow diagram of a method of one embodiment of the invention. The execution subject in fig. 1 may be a network security isolation device based on data stripping.
As shown in fig. 1, the method includes:
step 110, authenticating the identity of the external network side database server in an IP or MAC address binding mode;
step 120, collecting data in an external network database, and performing format check and virus killing on data contents;
step 130, packaging the sterilized data into a format file with a special file format required by isolation, encrypting the file and sending the encrypted file to the isolation equipment;
and step 140, the file with the special format is ferried, decrypted, subjected to format conversion and loaded into a target database of the intranet terminal.
Optionally, as an embodiment of the present invention, the method further includes: and recording the whole data exchange process to form an audit record.
Optionally, as an embodiment of the present invention, the performing format checking and virus killing on the data content includes:
carrying out format check on the data content, and filtering data which do not conform to the security policy;
and invoking an antivirus engine to perform virus searching and killing on the large field contents of the character large object and the binary large object in the data.
Optionally, as an embodiment of the present invention, the method further includes: and formulating policy rules during data acquisition, format check and format conversion.
In order to facilitate understanding of the present invention, the network security isolation method based on data stripping provided by the present invention is further described below with reference to the principle of the network security isolation method based on data stripping of the present invention and the process of stripping data from the database in the embodiment.
Specifically, the network security isolation method based on data stripping includes:
1. The isolation device external host first authenticates the identity of the Data Acquisition Object (DAO), verifying whether the extranet-side database server is legitimate by IP or MAC address binding.
2. The isolation device external host collects data from the extranet database according to the configured policy rules.
3. The isolation device external host checks the format of the data content against the configured security policy and filters out data that does not conform to it.
4. The isolation device external host invokes a built-in antivirus engine to scan and disinfect large-field contents such as Character Large Objects (CLOB) and Binary Large Objects (BLOB), preventing viruses and trojans from crossing the boundary.
5. The isolation device external host packages the collected data into an OUTDATA format file, OUTDATA being the special file format of the isolation device.
6. The isolation device external host encrypts the OUTDATA format file.
7. The isolation device external host sends the encrypted OUTDATA file to the isolation interaction component.
8. The isolation device internal host obtains the OUTDATA format file from the ferry.
9. The isolation device internal host decrypts the OUTDATA format file.
10. The isolation device internal host converts the OUTDATA format file according to the configured policy rules.
11. The isolation device internal host loads the converted data into the intranet-side target database.
12. The isolation device internal host records the whole data exchange process to form audit records, facilitating later maintenance by staff.
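The twelve steps above as an added Python model, written here for illustration and not taken from the patent: the extranet-side host authenticates the source by IP/MAC binding, filters rows against a column policy, scans the large-object field, packages the survivors into a container and encrypts it; the intranet-side host verifies and decrypts the file, checks the container header, converts the rows and loads them into an in-memory SQLite target, with every step written to an audit log. The column schema, the `OUTDATA1` header, the malware marker, the addresses and the HMAC-based encrypt-then-MAC construction are all assumptions, since the patent discloses neither the OUTDATA layout, the policy rules nor the cipher.

```python
import hashlib, hmac, json, re, secrets, sqlite3, struct

BOUND_SERVERS = {("10.0.1.20", "00:11:22:33:44:55")}   # step 1 bindings (constructed values)
# Step 3 column policy: assumed schema, since the patent leaves the rules to configuration.
COLUMN_POLICY = {"meter_id": re.compile(r"M\d{6}"), "reading_kwh": re.compile(r"\d+(\.\d+)?")}
LARGE_FIELD = "report_blob"                          # the BLOB column scanned in step 4
MALWARE_MARKER = b"<<CONSTRUCTED-MALWARE-MARKER>>"    # stand-in for an antivirus signature
MAGIC = b"OUTDATA1"                                   # assumed header; the real OUTDATA layout is unpublished
AUDIT = []                                            # step 12: the process record

def audit(event, **fields):
    AUDIT.append({"event": event, **fields})

def authenticate(ip, mac):
    ok = (ip, mac.lower()) in BOUND_SERVERS
    audit("auth", ip=ip, mac=mac, ok=ok)
    return ok

def filter_rows(rows):
    """Steps 3-4: keep rows that match the policy and whose large field scans clean."""
    kept = []
    for r in rows:
        if not all(c in r and COLUMN_POLICY[c].fullmatch(str(r[c])) for c in COLUMN_POLICY):
            audit("format_reject", meter_id=r.get("meter_id"))
        elif MALWARE_MARKER in r.get(LARGE_FIELD, b""):   # where the built-in AV engine would run
            audit("virus_reject", meter_id=r["meter_id"])
        else:
            kept.append(r)
    return kept

def _keys(master):  # derive separate encryption and MAC keys from one shared key (HMAC as KDF)
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode: a stdlib-only PRF stream
    blocks = (hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def package_and_encrypt(rows, master):
    """Steps 5-7: build the container, then encrypt-then-MAC it for the ferry."""
    body = json.dumps([{**r, LARGE_FIELD: r.get(LARGE_FIELD, b"").hex()} for r in rows]).encode()
    plain = MAGIC + struct.pack(">I", len(body)) + body
    k_enc, k_mac = _keys(master)
    nonce = secrets.token_bytes(16)
    cipher = _xor(plain, _keystream(k_enc, nonce, len(plain)))
    tag = hmac.new(k_mac, nonce + cipher, hashlib.sha256).digest()
    audit("send", rows=len(rows), size=len(cipher))
    return nonce + cipher + tag

def receive_and_load(packet, master, conn):
    """Steps 8-11: verify the tag, decrypt, check the header, convert and load into the target DB."""
    k_enc, k_mac = _keys(master)
    nonce, cipher, tag = packet[:16], packet[16:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + cipher, hashlib.sha256).digest()):
        audit("mac_fail")
        raise ValueError("authentication tag mismatch: file rejected before decryption")
    plain = _xor(cipher, _keystream(k_enc, nonce, len(cipher)))
    if plain[:8] != MAGIC:
        raise ValueError("not an OUTDATA container")
    (n,) = struct.unpack(">I", plain[8:12])
    rows = json.loads(plain[12:12 + n])
    conn.execute("CREATE TABLE IF NOT EXISTS readings(meter_id TEXT, reading_kwh REAL, report_blob BLOB)")
    conn.executemany("INSERT INTO readings VALUES (?, ?, ?)",
                     [(r["meter_id"], float(r["reading_kwh"]), bytes.fromhex(r[LARGE_FIELD])) for r in rows])
    audit("load", rows=len(rows))
    return len(rows)

def run_demo():
    """End-to-end run over constructed rows: one clean, one malformed, one carrying the marker."""
    rows = [{"meter_id": "M000123", "reading_kwh": "42.5", "report_blob": b"ok"},
            {"meter_id": "bad-id", "reading_kwh": "1", "report_blob": b"ok"},
            {"meter_id": "M000124", "reading_kwh": "7", "report_blob": b"x" + MALWARE_MARKER}]
    master = secrets.token_bytes(32)                  # shared key; provisioned out of band in practice
    if not authenticate("10.0.1.20", "00:11:22:33:44:55"):
        return None
    packet = package_and_encrypt(filter_rows(rows), master)
    conn = sqlite3.connect(":memory:")
    loaded = receive_and_load(packet, master, conn)
    stored = [m for (m,) in conn.execute("SELECT meter_id FROM readings")]
    return loaded, stored, [a["event"] for a in AUDIT]
```

In a deployment the HMAC-CTR stand-in would be replaced by a vetted AEAD such as AES-GCM, and the audit list would be persisted where the internal host's process recording unit keeps its records.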
As shown in fig. 2, the apparatus includes:
an isolation external host, an isolation internal host and an isolation interaction assembly, wherein the isolation external host and the isolation internal host are connected through the isolation interaction assembly; the isolation interaction assembly splits and recombines data and provides the transmission channel for data interaction between the isolation internal and external hosts; the isolation external host comprises an identity authentication unit, a data acquisition unit, a format filtering unit, a virus killing unit, an encryption unit and a file sending unit; the isolation internal host comprises a file receiving unit, a decryption unit, a format conversion unit, a data loading unit and a process recording unit.
The embodiment of the application also provides a method for building the network security isolation device based on data stripping, which comprises the following steps:
determining a power system platform network topology architecture, determining service requirements and technologies used, and determining a specific deployment position of an isolation device;
the isolation device is deployed at the network boundary of the internal and external power networks to complete the connection and installation of the internal and external hosts of the equipment and the platform server of the power system;
and through a configuration interface of the isolation device, IP and port rule configuration and user filtering are realized, and data isolation and ferrying of an internal network and an external network of the power system platform are realized.
For example, the port rule configuration sets unused ports to a peripheral-disabled state, which effectively addresses data leakage through terminal peripherals; for USB ports, the USB port of the intranet terminal is set to read-only, so that a storage medium used on the extranet can only copy data into the intranet and cannot copy data out of the intranet terminal.
The same and similar parts in the various embodiments in this specification may be referred to each other. Especially, for the terminal embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant points can be referred to the description in the method embodiment.
In the embodiments provided by the present invention, it should be understood that the disclosed system, apparatus and method can be implemented in other ways. For example, the system embodiments described above are merely illustrative: the division into units is only one logical functional division, and other divisions may be used in practice; a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, systems or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
Although the present invention has been described in detail with reference to the drawings and in connection with the preferred embodiments, it is not limited thereto. Those skilled in the art can make various equivalent modifications or substitutions to the embodiments of the present invention without departing from its spirit and scope, and such modifications or substitutions, which any person skilled in the art could readily conceive within the technical scope of the present invention, fall within its protection scope. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A network security isolation method based on data stripping is characterized by comprising the following steps:
authenticating the identity of the external network side database server in an IP or MAC address binding mode;
collecting data in an external network database, and carrying out format check and virus killing on data contents;
packaging the sterilized data into a format file with a special file format required by isolation, encrypting the file and sending the encrypted file to the isolation equipment;
and decrypting the file with the special format, converting the format, and loading the file into a target database of the intranet terminal.
2. The method for network security isolation based on data stripping as claimed in claim 1, wherein the method further comprises: and recording the whole data exchange process to form an audit record.
3. The method for network security isolation based on data stripping as claimed in claim 1, wherein the performing format check and virus killing on the data content comprises:
carrying out format check on the data content, and filtering data which do not conform to the security policy;
and invoking an antivirus engine to perform virus searching and killing on the large field contents of the character large object and the binary large object in the data.
4. The method for network security isolation based on data stripping as claimed in claim 1, wherein the method further comprises: and formulating policy rules during data acquisition, format check and format conversion.
5. A network security isolation device based on data stripping, characterized by comprising: an isolation external host, an isolation internal host and an isolation interaction assembly, wherein the isolation external host and the isolation internal host are connected through the isolation interaction assembly; the isolation interaction assembly splits and recombines data and provides the transmission channel for data interaction between the isolation internal and external hosts.
6. The network security isolation device based on data stripping as claimed in claim 5, wherein the isolation external host comprises: an identity authentication unit, a data acquisition unit, a format filtering unit, a virus killing unit, an encryption unit and a file sending unit.
7. The network security isolation device based on data stripping as claimed in claim 5, wherein the isolation internal host comprises: a file receiving unit, a decryption unit, a format conversion unit, a data loading unit and a process recording unit.
8. A method for building a network security isolation device based on data stripping is characterized by comprising the following steps:
determining a power system platform network topology architecture, determining service requirements and technologies used, and determining a specific deployment position of an isolation device;
the isolation device is deployed at the network boundary of the internal and external power networks to complete the connection and installation of the internal and external hosts of the equipment and the platform server of the power system;
and through a configuration interface of the isolation device, IP and port rule configuration and user filtering are realized, and data isolation and ferrying of an internal network and an external network of the power system platform are realized.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011421085.2A CN112671719A (en) 2020-12-08 2020-12-08 Network security isolation method and device based on data stripping and construction method thereof


Publications (1)

Publication Number Publication Date
CN112671719A true CN112671719A (en) 2021-04-16

Family

ID=75401470




Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726574A (en) * 2022-02-28 2022-07-08 新华三信息安全技术有限公司 Safety isolation protection system and safety isolation protection method
CN115001804A (en) * 2022-05-30 2022-09-02 广东电网有限责任公司 Bypass access control system, method and storage medium for field station
CN115001804B (en) * 2022-05-30 2023-11-10 广东电网有限责任公司 Bypass access control system, method and storage medium applied to field station


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20210416)