CN100471107C - Data one-way transmission system based on one-way isolated hardware channel - Google Patents


Publication number: CN100471107C
Authority: CN
Grant status: Grant
Prior art keywords: way, isolated, transmission, channel, system
Application number: CN 03124977
Other languages: Chinese (zh)
Other versions: CN1601955A (en)
Inventor: 甘杰夫, 伟 郭
Original Assignee: 北京国保金泰信息安全技术有限公司

Abstract

A data one-way transmission system based on a one-way isolated hardware channel comprises two data exchange cards, which physically isolate an internal network from an external network. Each data exchange card contains two independent one-way data transmission paths, so that the two computers exchanging data remain physically isolated from each other while a transfer is in progress. The system can also be applied to data transmission between an internal network and an external network that must be physically isolated.

Description

Data one-way transmission system based on a one-way isolated hardware channel

Technical field

The present invention relates to a data transmission system that controls the direction in which data flows from a source data store to a destination data store. More specifically, it relates to a data transmission system, also called a secure isolation and exchange system, that transmits data one way between computers, between networks, or between a computer and a network while keeping the two sides informationally isolated: it prevents any direct connection between the computers or networks and controls the direction in which data flows between them.

Background

The convenience and speed of networks have greatly improved our working efficiency, but their openness exposes network security to serious threats. The security threats a network currently faces fall broadly into two kinds: threats to network data and threats to network equipment. They may arise from many sources, both from outside the enterprise and from insiders. The most significant of these are malicious attacks and intrusions by outsiders and insiders, which are the largest obstacle to the healthy development of e-commerce, government online projects and the like.

To keep sensitive information from being stolen, tampered with or copied, technologies such as protection software, identity authentication systems and firewalls have been vigorously developed and deployed. However, all of these information security measures address only the security of upper-layer application software and of the network; they cannot properly protect the very assets an information security system is meant to guard, for example the data and files stored in a computer, and in particular they cannot effectively prevent the large volume of computer crime committed from inside.

The relevant state authorities stipulate that computer information systems involving state secrets must not be connected, directly or indirectly, to the Internet or other public information networks, and must be physically isolated.

"Physical isolation" means that the internal network must not be connected, directly or indirectly, to a public network. The purpose of physical security is to protect hardware such as routers, workstations and network servers, together with their communication links, against natural disasters, deliberate damage and wiretapping attacks; only when the internal network and the public network are physically isolated can the internal information network be truly protected against hacker attacks from the Internet. In addition, physical isolation draws a clear security boundary around a government or enterprise intranet, which makes the network more controllable and easier to administer internally.

Physical isolation technology refers to techniques by which the internal information network is not connected to an external information network such as the Internet, that is, it is physically disconnected. This approach essentially rules out external attacks and internal leaks caused by network interconnection. Network security vendors have accordingly introduced a range of network devices and solutions whose goal is physical isolation.

Since its introduction, physical isolation technology has matured through three stages of development, each of which produced a representative product or solution.

First-generation physical isolation mainly used a dual-machine, dual-network approach: two computers were deployed, one connected to the internal network and one to the external network. Its drawbacks are higher investment cost and greater office space. Using two machines is also inconvenient, the network configuration is complex and hard to maintain, and any problem severely affects departments with demanding efficiency requirements.

Second-generation products use dual-hard-disk isolation card technology: an extra hard disk and an isolation card are added to a computer or other information device to achieve physical isolation. The two hard disks serve the internal and external networks respectively. When the user boots into the external network the internal-network disk is switched off, and when booting into the internal network the external-network disk is switched off. This approach requires the user to add a hard disk to the existing machine, which is wasteful for well-equipped machines that already have a large disk, and the frequent powering on and off tends to damage the original disk.

Neither of these two generations is convenient for users. Users often have to go through cumbersome switching to work on both networks, and cannot copy files between the two working areas. After extensive experimentation and verification, third-generation network security isolation products were developed.

Third-generation products are based on a single-hard-disk isolation card: the computer's single hard disk is divided at the physical layer into a public partition and a secure partition, and two operating systems are installed, so that the internal and external networks are securely separated. Because the isolation is not enforced at the lowest level of the system, the disk head, this approach cannot achieve information isolation at the fundamental hardware layer and therefore cannot, in the strict sense, satisfy the information isolation requirements of the State Secrecy Bureau.

All three generations of physical isolation products and solutions are currently deployed in internal networks, but each has shortcomings. For example, there is a gap between their ease of use and efficiency and the demands of practical use. In terms of ease of use, current isolation technology requires frequent user operations that are time-consuming and involve a great deal of manual intervention; in terms of efficiency, current isolation technology is extremely inefficient.

Accordingly, a system is needed that provides good isolation while reducing cost and exchanging data efficiently.

Summary of the invention

The object of the present invention is to provide a data one-way transmission system based on a one-way isolated hardware channel that achieves data isolation at the hardware link layer and offers near-real-time data transmission, so that data exchange and the user's work are not disrupted.

According to a first aspect of the present invention, a data one-way transmission system based on a one-way isolated hardware channel is provided, comprising: at least one data providing part, for providing data; at least one data receiving part, for receiving the data provided by the at least one data providing part; a first data exchange card, comprising a first switch control unit and a first one-way data transmission path and a second one-way data transmission path that are independent of each other, for connecting one of the one-way data transmission paths to the at least one data providing part and storing the data provided by the at least one data providing part; and a second data exchange card, comprising a second switch control unit and a first one-way data transmission path and a second one-way data transmission path that are independent of each other, for connecting one of the one-way data transmission paths to the at least one data receiving part and storing the data received from the at least one data providing part. Each of the first and second data exchange cards is provided with two low-voltage differential signaling units, one belonging to the first and one to the second one-way data transmission path, which perform parallel-to-serial and serial-to-parallel conversion of the transmitted data. The first data exchange card and the second data exchange card each control the connection between one of their first and second one-way data transmission paths and the at least one data providing part or the at least one data receiving part, so that during data transmission the at least one data providing part is physically isolated from the at least one data receiving part. While the at least one data providing part transmits data to the at least one data receiving part, the first switch control unit connects the at least one data providing part to the first one-way data transmission path in the first data exchange card, and the second switch control unit connects the at least one data receiving part to the second one-way data transmission path in the second data exchange card.

In a preferred embodiment of the invention, the data providing part may be a computer and the data receiving part may be another computer.

In another preferred embodiment, the data providing part may be an external network and the data receiving part may be a computer.

In a further preferred embodiment, the data providing part may be an external network and the data receiving part may be an internal network.

The data one-way transmission system of the present invention isolates the two channels of a data exchange, the inbound channel and the outbound channel, so that each of them allows data to flow in only one direction and never in the opposite direction. The direction of data transmission is thereby controlled in hardware, which improves the confidentiality of the data exchange.

Brief description of the drawings

The invention will be more fully understood, and its features and advantages will become more apparent, from the following detailed description given in conjunction with the drawings of a preferred embodiment. It should be noted that the preferred embodiment given does not limit the invention; it serves only to explain and illustrate it.

FIG. 1 is a block diagram of a data one-way transmission system based on a one-way isolated hardware channel according to one embodiment of the present invention;

FIG. 2 shows the connection state of the system of FIG. 1 while data is being input from the external device; and

FIG. 3 shows the connection state of the system of FIG. 1 while the internal device receives the data from the external device.

Detailed description

Preferred embodiments of the invention are discussed in detail below with reference to the drawings. In the following description numerous specific details are set out to give a thorough understanding of the invention. Those skilled in the art will understand that the invention need not be limited to these specific details. In other instances well-known structures are not shown in detail, so as not to obscure the invention.

In an ordinary data exchange system the data source and the data destination are physically connected, and data is passed over a transmission line between them; for example, a user terminal downloads data from the Internet, or uploads data from the terminal to the network, in order to share it.

The present invention uses separate one-way transmission: a physically separate upstream channel serves as the first data transmission path and a downstream channel as the second data transmission path for exchanging data between a data processing device on the internal network and one on the external network. A control switch switches between the upstream and downstream channels according to the direction of data flow, so that the data processing devices are never directly connected. This prevents the harmful access that a direct connection between the devices would permit, while still allowing convenient normal access to both the intranet and the extranet.

The invention can be applied to the connection between any data processing devices, for example between two user terminals such as computers, between a user terminal and an external network such as the Internet, or between an internal network and an external network. For simplicity, the following description uses the connection between two computers as an example of the data one-way transmission system of the invention. It should be noted that the invention is not limited to this case and can be applied to connections between a device and a network, and between networks.

The implementation of the invention is described in detail below with reference to the drawings.

FIG. 1 shows a data one-way transmission system based on a one-way isolated hardware channel according to one embodiment of the invention. As shown in FIG. 1, the system comprises two computers, computer A and computer B, which are connected through data exchange cards 110 and 210. Computer A can act as both data source and data destination for computer B, and likewise computer B can act as data destination and data source for computer A. Data exchange card 110 is connected to computer A and handles the data computer A is to send and the data arriving from computer B. Data exchange card 210 is connected to computer B and handles the data computer B is to send and the data arriving from computer A. Data exchange cards 110 and 210 are connected to each other by isolated transmission lines.

Data exchange cards 110 and 210 are identical in structure; one can be configured as the master card and the other as the slave card to determine the operating mode. In this embodiment, as an example, data exchange cards 110 and 210 use a PCI interface. Data exchange card 110 comprises a switch control logic unit 111; complex programmable logic devices (CPLDs) 1121 and 1122; data storage areas 1131 and 1132; low-voltage differential signaling (LVDS) units 1141 and 1142; and a random number generator 115. Likewise, data exchange card 210 comprises a switch control logic unit 211; CPLDs 2121 and 2122; data storage areas 2131 and 2132; LVDS units 2141 and 2142; and a random number generator 215.

Apart from the switch control logic units 111 and 211 and the random number generators 115 and 215, each data exchange card carries two sets of data storage area, CPLD and LVDS transmission unit, so that each card forms two separate transmission channels, that is, two data transmission paths, which are controlled by switch control logic units 111 and 211 respectively to achieve physical isolation.

In data exchange card 110, as an example, data storage areas 1131 and 1132 may be implemented as static RAM. Data storage area 1131 stores data to be transferred from computer A to computer B, and data storage area 1132 stores data received from computer B. CPLDs 1121 and 1122 notify data exchange card 110 to change the position of the switch that connects data storage areas 1131 and 1132 to computer A's bus (a PCI bus in this example). As an example, CPLDs 1121 and 1122 may be implemented with a central processing unit (CPU). Switch control logic unit 111 controls whether the PCI bus is connected to data storage area 1131 or 1132, for sending data out or receiving data from outside. Switch control logic unit 111 is an independent logic controller and is not under the control of the external computer A attached to data exchange card 110. LVDS units 1141 and 1142 perform high-speed data transmission and should use LVDS chips with different characteristics: for example, LVDS unit 1141 performs only parallel-to-serial conversion of the signal, while LVDS unit 1142 performs only serial-to-parallel conversion. Two one-way data channels can therefore be established, namely an upstream channel (from computer A to computer B) and a downstream channel (from computer B to computer A), and the two channels do not interfere with each other. The LVDS units also allow the CPLDs to be programmed to close one of the channels, so that the operating mode becomes a single one-way data channel, that is, the whole system can only be written into or written out of. It will be understood that in data exchange card 110 the CPLDs 1121 and 1122, the switch control logic unit 111 and the switch contacts together constitute a switch control unit, which serves as the first switch control unit of the system of the invention.

Likewise, in data exchange card 210, as an example, data storage areas 2131 and 2132 may be implemented as static RAM. Data storage area 2131 stores data received from computer A, and data storage area 2132 stores data to be transferred from computer B to computer A. CPLDs 2121 and 2122 notify data exchange card 210 to change the position of the switch that connects data storage areas 2131 and 2132 to computer B's bus (a PCI bus in this example). As an example, CPLDs 2121 and 2122 may be implemented with a central processing unit (CPU). Switch control logic unit 211 controls whether the PCI bus is connected to data storage area 2131 or 2132, for sending data out or receiving data from outside. Switch control logic unit 211 is an independent logic controller and is not under the control of the external computer B attached to data exchange card 210. LVDS units 2141 and 2142 perform high-speed data transmission and should use LVDS chips with different characteristics. In contrast to data exchange card 110, LVDS unit 2141 performs only serial-to-parallel conversion of the signal, while LVDS unit 2142 performs only parallel-to-serial conversion. Data exchange card 210 can therefore establish two one-way data channels corresponding to those of data exchange card 110, namely an upstream channel (from computer B to computer A) and a downstream channel (from computer A to computer B); the two channels do not interfere with each other and correspond to the downstream and upstream channels of data exchange card 110 respectively. The LVDS units also allow the CPLDs to be programmed to close one of the channels, so that the operating mode becomes a single one-way data channel, that is, the whole system can only be written into or written out of. It will be understood that in data exchange card 210 the CPLDs 2121 and 2122, the switch control logic unit 211 and the switch contacts together constitute a switch control unit, which serves as the second switch control unit of the system of the invention.

The operation of the data one-way transmission system of the invention is described below with reference to FIGS. 2 and 3. As shown in FIG. 2, when computer A wants to transfer data to computer B, the switch control unit in data exchange card 110, that is, the first switch control unit, first has switch control logic unit 111 connect computer A to contact A1. At the same time the switch control unit in data exchange card 210, that is, the second switch control unit, has switch control logic unit 211 connect computer B to contact B2. Computer A is now in communication with data channel 1 of data exchange card 210 through data channel 1 of data exchange card 110, but is not connected to computer B. Computer B is in communication with data channel 2 of data exchange card 110 through data channel 2 of data exchange card 210, but is not connected to computer A. In this state the data from computer A is stored in data storage area 1131 of data exchange card 110. When data storage area 1131 has received the data it raises an interrupt, and the data is passed through CPLD 1121 to LVDS unit 1141. On receiving the data, LVDS unit 1141 converts the parallel data to serial data and sends the serial data to LVDS unit 2141 of data exchange card 210.

In data exchange card 210, LVDS unit 2141 receives the serial data and converts it from serial to parallel. The converted data is then passed through CPLD 2121 to data storage area 2131. Next, as shown in FIG. 3, CPLD 1121 in data exchange card 110 notifies the first switch control unit to disconnect computer A's PCI bus from contact A1 and connect it to contact A2, thereby disconnecting it from data storage area 1131. In data exchange card 210, CPLD 2121 notifies the second switch control unit to connect computer B's PCI bus to contact B1, so that data storage area 2131 is connected to computer B and the data stored in data storage area 2131 is transferred to computer B, completing the data exchange between computer A and computer B. Throughout the exchange, computer A and computer B are never directly connected, which prevents attacks from an external device or network.

Conversely, when data is transferred from computer B to computer A, computer B's PCI bus is connected to switch contact B2 of data exchange card 210, and at the same time computer A's PCI bus is connected to contact A1 of data exchange card 110. Computer B is now connected, through contact B2, to data channel 2 of data exchange cards 110 and 210, but not to computer A. The transfer then proceeds over the other one-way LVDS channel of data exchange cards 110 and 210, that is, data channel 2, by a process similar to the transfer from computer A to computer B, so that computer B sends data to computer A without ever being directly connected to it.

In the embodiment of the invention, the switching process is carried out cooperatively by the switch control logic units on the data exchange cards. The switch control logic unit is a set of hardware control logic independent of the data transfer, with a switch state checking function that ensures the on/off logic of the switches in the two data exchange cards follows the prescribed logical sequence. If an abnormal state occurs, the switch control logic unit locks the hardware card and cuts all external data connection lines.
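The two-phase transfer of FIGS. 2 and 3, the switch state check described above, and the CPLD-programmed single-channel (write-only) mode mentioned in the card descriptions can be exercised together in a small software model. The model below is an added example and is not the patent's or the assignee's code: the class names, the SEQUENCE table (the channel-2 switch order simply mirrors channel 1, which the patent only calls "a similar process") and the treatment of each SRAM store as a Python value are this example's assumptions. Contact and store numbers follow the description.

```python
"""Constructed model of the two-card, store-and-forward transfer of FIGS. 2 and 3.
Added example, not the patent's own code: the class names, the SEQUENCE table
and the channel-2 switch order are this model's assumptions."""
from dataclasses import dataclass, field

# A contact attaches a host's PCI bus to one SRAM store on its own card only.
CONTACT_TO_STORE = {"A1": 1131, "A2": 1132, "B1": 2131, "B2": 2132}
# channel: (send-end store, par->ser LVDS, ser->par LVDS, receive-end store)
CHANNELS = {1: (1131, 1141, 2141, 2131), 2: (2132, 2142, 1142, 1132)}
# Prescribed switch order per channel. Channel 1 follows FIG. 2 then FIG. 3;
# channel 2 mirrors it (assumed; the patent only calls it "a similar process").
SEQUENCE = {
    1: [("A", "A1"), ("B", "B2"), "forward", ("A", "A2"), ("B", "B1")],
    2: [("B", "B2"), ("A", "A1"), "forward", ("B", "B1"), ("A", "A2")],
}


class IsolationFault(Exception):
    """Raised by the switch state check or by a locked card."""


@dataclass
class Link:
    """Both exchange cards plus their independent switch control logic."""
    stores: dict = field(default_factory=lambda: dict.fromkeys(CONTACT_TO_STORE.values()))
    contact: dict = field(default_factory=lambda: {"A": None, "B": None})
    closed: set = field(default_factory=set)      # channels closed by CPLD programming
    locked: bool = False
    pending: list = field(default_factory=list)   # remaining steps of the set sequence
    trace: list = field(default_factory=list)     # contact state after every switch

    def _step(self, action):
        """Switch state check: any action outside the set sequence locks the card."""
        if self.locked:
            raise IsolationFault("card locked")
        if not self.pending or self.pending[0] != action:
            self.locked = True
            self.contact = {"A": None, "B": None}   # cut every external data line
            raise IsolationFault(f"abnormal switch state at {action!r}; card locked")
        self.pending.pop(0)

    def begin(self, channel):
        if channel in self.closed:
            raise IsolationFault(f"channel {channel} is closed")
        self.pending = list(SEQUENCE[channel])
        self.trace = []

    def switch(self, host, contact):
        self._step((host, contact))
        self.contact[host] = contact
        self.trace.append(dict(self.contact))

    def _store_of(self, host):
        if self.contact[host] is None:
            raise IsolationFault(f"host {host} has no bus connection")
        return CONTACT_TO_STORE[self.contact[host]]

    def write(self, host, data):
        self.stores[self._store_of(host)] = bytes(data)

    def read(self, host):
        return self.stores[self._store_of(host)]

    def forward(self, channel):
        """Interrupt -> CPLD -> LVDS pair: move the staged bytes one way only."""
        self._step("forward")
        src, _, _, dst = CHANNELS[channel]
        bits = "".join(f"{b:08b}" for b in self.stores[src] or b"")        # parallel -> serial
        self.stores[dst] = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))  # serial -> parallel
        self.stores[src] = None


def transfer(link, channel, data):
    """Run the full set sequence for one channel and return what the receiver reads."""
    sender, receiver = ("A", "B") if channel == 1 else ("B", "A")
    link.begin(channel)
    for step in SEQUENCE[channel]:
        if step == "forward":
            link.write(sender, data)   # sender stages data in its send-end SRAM
            link.forward(channel)
        else:
            link.switch(*step)
    return link.read(receiver)


def never_bridged(link, channel):
    """True if no recorded state had a host on each end of the active channel at once."""
    src, _, _, dst = CHANNELS[channel]
    for state in link.trace:
        attached = {CONTACT_TO_STORE[c] for c in state.values() if c is not None}
        if {src, dst} <= attached:
            return False
    return True


def abnormal_request():
    """B asks for contact B1 (the channel-1 receive end) while A still holds A1."""
    link = Link()
    link.begin(1)
    link.switch("A", "A1")
    try:
        link.switch("B", "B1")
    except IsolationFault:
        pass
    return link.locked, link.contact


def write_only_mode():
    """Channel 2 closed by CPLD programming: A->B still works, B->A is refused."""
    link = Link()
    link.closed.add(2)
    delivered = transfer(link, 1, b"report")
    try:
        transfer(link, 2, b"reply")
        blocked = False
    except IsolationFault:
        blocked = True
    return delivered, blocked
```

The trace shows the transient states the description implies: for an A-to-B transfer the contacts pass through (A1, -), (A1, B2), (A2, B2), (A2, B1), and the send end 1131 and receive end 2131 of the active channel are never attached to both hosts at the same time, because A is moved off A1 before B is put on B1. The check is per active channel; a request that departs from the set order is the "abnormal state" of the description, and the model answers it the way the text does, by locking and dropping every contact.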

The data one-way transmission system of the invention uses the electronic switches provided in the two data exchange cards to guarantee that the computer system or network A (machine A for short) connected over the PCI bus to data exchange card 110 is at no moment connected to the computer system or network B (machine B for short) connected over the PCI bus to data exchange card 210. Moreover, the disconnection takes place on the PCI bus and can be regarded as a physical disconnection, while the two data exchange cards still complete the exchange of information over a controllable channel by staging the data, thus achieving both isolation and one-way transfer.

The system of the invention can be extended to several interconnected computer systems or networks. Data isolation and channel isolation can then be maintained between multiple computer systems while still permitting efficient and reliable data exchange, and the direction of each one-way channel and its inbound and outbound ports can be controlled so that a channel can only be written into or only read out of, as the isolation requirements demand.

The invention has been described with reference to embodiments. Those skilled in the art will appreciate that various other modifications can readily be made to the described embodiments without departing from the scope and spirit of the invention. The scope of the appended claims is therefore not limited to the above description; the claims are to be construed broadly.

Claims (7)

1. A one-way data transmission system based on a one-way isolated hardware channel, comprising: at least one data providing part for providing data; at least one data receiving part for receiving the data provided by the at least one data providing part; a first data exchange card comprising a first switch control unit and a first one-way data transmission path and a second one-way data transmission path that are independent of each other, for connecting one of the one-way data transmission paths to the at least one data providing part and storing the data provided by it; a second data exchange card comprising a second switch control unit and a first one-way data transmission path and a second one-way data transmission path that are independent of each other, for connecting one of the one-way data transmission paths to the at least one data receiving part and storing the data received from the at least one data providing part; wherein each of the first and second data exchange cards is provided with two low-voltage differential signalling (LVDS) units, belonging respectively to the first and second one-way data transmission paths, for parallel-to-serial and serial-to-parallel conversion of the transmitted data; the first data exchange card and the second data exchange card each control the connection between one of their own first and second one-way data transmission paths and, respectively, the at least one data providing part and the at least one data receiving part, such that during data transmission the at least one data providing part is physically isolated from the at least one data receiving part; and while the at least one data providing part is transmitting data to the at least one data receiving part, the first switch control unit connects the at least one data providing part to the first one-way data transmission path of the first data exchange card, and the second switch control unit connects the at least one data receiving part to the second one-way data transmission path of the second data exchange card.
2. The one-way data transmission system based on a one-way isolated hardware channel of claim 1, wherein the at least one data providing part is a computer and the at least one data receiving part is another computer.
3. The one-way data transmission system based on a one-way isolated hardware channel of claim 1, wherein the at least one data providing part is a network and the at least one data receiving part is a comput
4. The one-way data transmission system based on a one-way isolated hardware channel of claim 1, wherein the at least one data providing part is an external network and the at least one data receiving part is an internal network.
5. The one-way data transmission system based on a one-way isolated hardware channel of claim 1, wherein each of the first and second data exchange cards is provided with two data storage areas belonging respectively to the first and second one-way data transmission paths.
6. The one-way data transmission system based on a one-way isolated hardware channel of claim 1, wherein each of the first and second data exchange cards is provided with two complex programmable logic devices (CPLDs) belonging respectively to the first and second one-way data transmission paths.
7. The one-way data transmission system based on a one-way isolated hardware channel of claim 1, wherein each of the first and second switch control units is a hardware control logic unit that is independent of the data transmission and has a switch-state check function, to guarantee that the on/off sequence of the switches in the first and second data exchange cards follows the prescribed order, and, when an abnormal state occurs, cuts off

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03124977 CN100471107C (en) 2003-09-23 2003-09-23 Data one-way transmission system based on one-way isolated hardware channel

Publications (2)

Publication Number Publication Date
CN1601955A true CN1601955A (en) 2005-03-30
CN100471107C true CN100471107C (en) 2009-03-18

Family

ID=34658745

Country Status (1)

Country Link
CN (1) CN100471107C (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771674B (en) 2008-12-29 2013-09-04 深圳市维信联合科技有限公司 Signal processing method, device and signal processing system
CN101661542B (en) 2009-09-04 2011-05-18 天津光电通信技术有限公司 Unidirectional introducing equipment of movable memory medium
CN101931556A (en) * 2010-08-04 2010-12-29 浪潮(北京)电子信息产业有限公司 Method and device for managing data packet transmission in high-speed transmission system
CN102355409A (en) * 2011-08-16 2012-02-15 中国科学院计算技术研究所 Data one-way transmission system
CN103440217B (en) * 2013-09-17 2016-03-16 武汉大学 Based on unidirectional optocoupler u disk file transmission device
CN104378657A (en) * 2014-09-01 2015-02-25 国家电网公司 Video security access system based on agency and isolation and method of video security access system
CN104394447A (en) * 2014-12-10 2015-03-04 成都爪媒科技有限公司 Video transmission device for mobile Internet

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5812774A (en) 1994-03-01 1998-09-22 Cabletron Systems, Inc. System for transmitting data packet from buffer by reading buffer descriptor from descriptor memory of network adapter without accessing buffer descriptor in shared memory
EP0959586A2 (en) 1998-05-18 1999-11-24 Spearhead Technologies Ltd. System and method for securing a computer communication network
CN2458673Y (en) 2000-04-24 2001-11-07 欧阳雪源 Network safety isolating card
CN1430373A (en) 2002-12-09 2003-07-16 武汉柯创高新技术开发中心 Network isolating card
CN1431606A (en) 2002-12-09 2003-07-23 武汉柯创高新技术开发中心 Networked system for checking and registering ID cards

Also Published As

Publication number Publication date Type
CN1601955A (en) 2005-03-30 application

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted