Summary of the invention
The technical problem to be solved by the present invention is to overcome the deficiencies of the prior art and to provide a more complete network security protection system that effectively protects a network.
The technical solution adopted by the present invention to solve the above technical problem is as follows: a security isolation and information exchange system comprises a first device and a second device. The first device is configured to receive and parse the data messages sent by a first network, extract the useful data from them, rebuild new data messages, encrypt them and synchronize the encrypted data messages to the second device; or to decrypt the encrypted data messages synchronized from the second device and send them to the first network. The second device is configured to decrypt the encrypted data messages synchronized from the first device and send them to a second network; or to receive and parse the data messages sent by the second network, extract the useful data from them, rebuild new data messages, encrypt them and synchronize the encrypted data messages to the first device.
The first device comprises a first private network driver module, a first universal network driver module, a first service module, a first system management module, a first security policy module, a first system log module and a first encryption/decryption module.
The first universal network driver module is configured to receive the data messages sent by the first network and forward them to the first service module, or to receive the decrypted data messages sent by the first service module and forward them to the first network.
The first service module is configured to receive and parse the data messages sent by the first universal network driver module, discard the data messages that do not conform to the rules and forward the legitimate data messages to the first private network driver module; or to receive the decrypted data messages sent by the first private network driver module.
The first system management module is configured to configure the system state of the first device on the first service module.
The first security policy module is configured to process the user-configured policy rules into a form the system can recognize, and to apply the corresponding rule-based filtering to the data messages parsed by the first service module.
The first system log module is configured to record the log information produced by the first service module.
The first private network driver module is configured to extract the useful data from the legitimate data messages, rebuild new data messages and, after the first encryption/decryption module has encrypted them, synchronize the new data messages to the second device; or to forward the data messages decrypted from the second device to the first service module.
The first encryption/decryption module is configured to encrypt the new data messages rebuilt by the first private network driver module, or to decrypt the encrypted data messages synchronized from the second device.
The beneficial effects of the invention are as follows: the security isolation and information exchange system connected between the mutually independent first network and second network leaves no direct data link between the first network and the second network, while still allowing information and data to be exchanged between the two networks. At the same time, a data message is encrypted in the first device or the second device before being sent to the other device for decryption, which further improves the security of the information and data exchange between the first network and the second network and fully guarantees the accuracy and reliability of the transmitted information.
Further, the second device comprises a second private network driver module, a second universal network driver module, a second service module, a second system management module, a second security policy module, a second system log module and a second encryption/decryption module.
The second universal network driver module is configured to receive the data messages sent by the second network and forward them to the second service module, or to receive the decrypted data messages sent by the second service module and forward them to the second network.
The second service module is configured to receive and parse the data messages sent by the second universal network driver module, discard the data messages that do not conform to the rules and forward the legitimate data messages to the second private network driver module; or to receive the decrypted data messages sent by the second private network driver module.
The second system management module is configured to configure the system state of the second device on the second service module.
The second security policy module is configured to process the user-configured policy rules into a form the system can recognize, and to apply the corresponding rule-based filtering to the data messages parsed by the second service module.
The second system log module is configured to record the log information produced by the second service module.
The second private network driver module is configured to extract the useful data from the legitimate data messages, rebuild new data messages and, after the second encryption/decryption module has encrypted them, synchronize the new data messages to the first device; or to forward the data messages decrypted from the first device to the second service module.
The second encryption/decryption module is configured to encrypt the new data messages rebuilt by the second private network driver module, or to decrypt the encrypted data messages synchronized from the first device.
Further, the service module comprises an FTP module, an HTTP module, a POP3 module, an SMTP module or a database module.
Further, the first network is an external network and the second network is an internal network (intranet).
On the basis of the above technical solution, the present invention also provides another technical solution: a security isolation and information exchange method comprising the following steps:
Step 1: receive and parse the data messages sent by the first network, extract the useful data from them, rebuild new data messages, encrypt them and synchronize the encrypted data messages;
Step 2: decrypt the synchronized encrypted data messages and send them to the second network.
Further, step 1 comprises the following steps:
the first universal network driver module receives the data messages sent by the first network and forwards them to the first service module;
the first service module receives and parses the data messages sent by the first universal network driver module, discards the data messages that do not conform to the rules and forwards the legitimate data messages to the first private network driver module;
the first private network driver module extracts the useful data from the legitimate data messages, rebuilds new data messages and sends the new data messages to the first encryption/decryption module; and
the first encryption/decryption module encrypts the new data messages rebuilt by the first private network driver module and sends them back to the first private network driver module for data message synchronization.
Further, step 2 comprises the following steps:
the second private network driver module receives the data messages synchronized by the first private network driver module and forwards them to the second encryption/decryption module;
the second encryption/decryption module decrypts the data messages sent via the second private network driver module and sends the decrypted data messages to the second service module via the second private network driver module; and
the second service module receives the decrypted data messages and sends them to the second network through the second universal network driver module.
Further, the first network is an external network and the second network is an internal network (intranet).
Embodiments
The principles and features of the present invention are described below with reference to the accompanying drawings. The examples given are intended only to explain the present invention and not to limit its scope.
Fig. 1 is a schematic structural diagram of a first embodiment of the security isolation and information exchange system of the present invention. As shown in Fig. 1, the security isolation and information exchange system comprises a first device 10 and a second device 20, which are interconnected by a data line. The system is connected between a mutually independent first network 30 and second network 40, so that there is no direct data link between the first network 30 and the second network 40 while information and data can still be exchanged between the two networks. The first device 10 is connected to the first network 30 and the second device 20 is connected to the second network 40. In the present invention, the first network 30 is an external network and the second network 40 is an internal network; the first device 10 is the master device, responsible for receiving the data messages sent by the external network, and the second device 20 is the slave device. Within the security isolation and information exchange system, the data messages received by the first device 10 are synchronized to the second device 20, so that the first device 10 and the second device 20 hold identical data messages.
The security isolation and information exchange system of the present embodiment receives and sends data messages through the promiscuous mode of the network interface and establishes no network connection of its own, so that the system acts as a transparent network device. When the system is connected into a real network environment, its presence in the network cannot be discovered and it consumes no network resources, which avoids or reduces the possibility of the security isolation and information exchange system of the present invention being attacked or intruded upon and thereby guarantees the security of the system. At the same time, because the system is a transparent network device, it does not become a node in the network, needs no network information such as an IP address to be configured, requires no change to the configuration of the other devices in the existing network and takes no resources from those devices; that is, neither the existing network topology nor the existing network configuration needs to be changed.
Fig. 2 is a schematic structural diagram of a second embodiment of the security isolation and information exchange system of the present invention. As shown in Fig. 2, the difference from Fig. 1 is that the first device 10 comprises a first universal network driver module 101, a first service module 102, a first system management module 103, a first security policy module 104, a first system log module 105, a first private network driver module 106 and a first encryption/decryption module 107, and the second device 20 comprises a second universal network driver module 201, a second service module 202, a second system management module 203, a second security policy module 204, a second system log module 205, a second private network driver module 206 and a second encryption/decryption module 207.
The first universal network driver module 101 is responsible for receiving the data messages sent by the first network 30 and forwarding them to the first service module 102, or for receiving the data messages sent by the first service module 102 and forwarding them to the first network 30. The second universal network driver module 201 is responsible for receiving the data messages sent by the second network 40 and forwarding them to the second service module 202, or for receiving the data messages sent by the second service module 202 and forwarding them to the second network 40. The data format used in the first universal network driver module 101 and the second universal network driver module 201 complies with the standard TCP/IP protocol suite.
The first service module 102 is the core module of the first device 10 and is responsible for connecting the other modules of the first device 10; after receiving a data message sent by the first universal network driver module 101, it forwards the data messages that match the filtering rules set by the first security policy module 104 to the first private network driver module 106. The second service module 202 is the core module of the second device 20 and is responsible for connecting the other modules of the second device 20; after receiving a data message sent by the second universal network driver module 201, it forwards the data messages that match the filtering rules set by the second security policy module 204 to the second private network driver module 206.
The first system management module 103 is used to configure the system state of the first device 10, such as managing the device state and managing version control; it does not itself take part in the processing of data messages. The second system management module 203 is used to configure the system state of the second device 20, such as managing the device state and managing version control; it does not itself take part in the processing of data messages.
The first security policy module 104 can process the user-configured policy rules into a form the system can recognize and load them onto the core first service module 102, providing the first service module 102 with filtering rules such as IP filtering rules and protocol filtering rules. The second security policy module 204 can process the user-configured policy rules into a form the system can recognize and load them onto the core second service module 202, providing the second service module 202 with filtering rules such as IP filtering rules and protocol filtering rules.
The first system log module 105 can record the log events of the first device 10 while the first device 10 is running; the second system log module 205 can record the log events of the second device 20 while the second device 20 is running.
The first private network driver module 106 and the second private network driver module 206 are responsible for data message communication between the first device 10 and the second device 20. Both use a private data message communication format, and each rebuilds the data messages sent by the first service module 102 or the second service module 202 according to that private format. The private data message communication format comprises a protocol header structure definition and an application data format definition. Unlike the prior art, the private data message communication format of the present invention simplifies the complicated protocol header structure and keeps only the necessary information: destination MAC address, source MAC address, control command, encryption instruction, data command, reserved bits and checksum. In the application data format definition, several blocks of data can be transmitted in one message at the same time, which improves the transmission efficiency of the data messages. The private data message communication format adopted in the present invention effectively prevents a third party from obtaining, monitoring or even tampering with the data messages in the network by improper means.
The first encryption/decryption module 107 and the second encryption/decryption module 207 are responsible for encrypting and decrypting the data messages in the first device 10 and the second device 20 respectively, thereby guaranteeing the security and integrity of the communication between the first device 10 and the second device 20.
Fig. 3 is a schematic structural diagram of a third embodiment of the security isolation and information exchange system of the present invention. As shown in Fig. 3, the difference from Fig. 2 is that the first service module 102 can comprise various application protocol modules, such as an FTP module, an HTTP module, a POP3 module, an SMTP module or a database module, and the second service module 202 can likewise comprise various application protocol modules, such as an FTP module, an HTTP module, a POP3 module, an SMTP module or a database module.
Fig. 4 is a schematic flow chart of the security isolation and information exchange method of the present invention. As shown in Fig. 4, the method comprises the following steps:
Step 50: receive and parse the data messages sent by the first network, extract the useful data from them, rebuild new data messages, encrypt them and synchronize the encrypted data messages;
Step 51: decrypt the synchronized encrypted data messages and send them to the second network.
In the embodiment the first network is an external network and the second network is an internal network. Taking the security isolation and information exchange system shown in Fig. 3 as the basis, the process by which a data message is transmitted from the external network to the internal network through this system is described in detail below. If data is transmitted from the internal network to the external network through this system, the process is the reverse of the transmission from the external network to the internal network and is not described again here.
In the present embodiment, step 50 of the security isolation and information exchange method comprises the following steps:
Step 501: the first universal network driver module receives the data messages sent by the first network and forwards them to the first service module.
Step 502: the first service module receives and parses the data messages sent by the first universal network driver module, discards the data messages that do not conform to the rules and forwards the legitimate data messages to the first private network driver module.
The first service module 102 enables a different application protocol module, such as the HTTP module, according to the type of data message and parses the data message; it then applies the corresponding rule-based filtering according to the policy rules provided by the first security policy module 104, such as whether the IP characteristics or the URL characteristics are satisfied, and discards the data messages that do not conform to the rules. At the same time it produces the relevant log information, which is recorded by the first system log module 105.
Step 503: the first private network driver module extracts the useful data from the legitimate data messages, rebuilds new data messages and sends the new data messages to the first encryption/decryption module.
The first private network driver module 106 extracts the useful data, such as the data content, address, time and link information, from the legitimate data messages sent by the first service module 102, and rebuilds this useful data according to the private data message communication format.
Step 504: the first encryption/decryption module encrypts the new data messages rebuilt by the first private network driver module and sends them back to the first private network driver module for data message synchronization.
The rebuilt new data messages are encrypted with the encryption algorithm and encryption key provided by the first encryption/decryption module 107 in the first device 10. In the present embodiment a unique decryption key is generated from the irregular time and used as the encryption key. Taking the standard time as the time format, namely the number of seconds from 0:00 on January 1, 1970 to the present moment, if the current time is 2008-11-27 11:30:17, the first device converts this time into standard time, generating the time string 1259379017, and hashes it twice with the MD5 algorithm to obtain a 32-character string, which is the key for encryption and decryption. The first device 10 can send this key to the second device 20. At the same time, after this key has been generated, the second encryption/decryption module 207 of the second device 20 notifies the first encryption/decryption module 107 of the first device 10 within the security isolation and information exchange system to change the encryption algorithm or the encryption key in the first encryption/decryption module 107, further improving the security of the system's data communication.
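The private frame format described with Fig. 2 and in step 503, together with the timestamp-derived key of step 504, as an added example that is not part of the patent: the field widths, the 16-bit ones' complement checksum, the SHA-256 counter keystream standing in for the unnamed cipher, and hex chaining of the two MD5 passes are all assumptions, and the sample blocks are constructed.

```python
import hashlib
import struct

# Header fields named in the text: destination MAC, source MAC, control command,
# encryption instruction, data command, reserved bits, checksum (widths assumed).
HDR_FMT = "!6s6sBBBBH"
HDR_LEN = struct.calcsize(HDR_FMT)  # 18 bytes
CTRL_SYNC = 0x01        # control command: synchronize this message to the peer device
DATA_CMD_HTTP = 0x02    # data command: payload extracted by the HTTP application module


def derive_key(time_string: str) -> str:
    """Key of step 504: the time string hashed twice with MD5 (hex chaining assumed)."""
    first = hashlib.md5(time_string.encode()).hexdigest()
    return hashlib.md5(first.encode()).hexdigest()  # 32 hex characters


def keystream_xor(key: str, data: bytes) -> bytes:
    """Stand-in cipher (assumed): XOR with a SHA-256 counter keystream derived from key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(f"{key}:{i // 32}".encode()).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def checksum16(data: bytes) -> int:
    """16-bit ones' complement sum over the whole frame with the checksum field zeroed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pack_blocks(blocks: list) -> bytes:
    """Application data: several useful-data blocks in one frame, each length-prefixed."""
    return b"".join(struct.pack("!H", len(b)) + b for b in blocks)


def unpack_blocks(payload: bytes) -> list:
    blocks, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated block length")
        (n,) = struct.unpack_from("!H", payload, pos)
        pos += 2
        if pos + n > len(payload):
            raise ValueError("truncated block")
        blocks.append(payload[pos:pos + n])
        pos += n
    return blocks


def build_frame(dst_mac: bytes, src_mac: bytes, data_cmd: int, blocks: list, key: str) -> bytes:
    """Rebuild the extracted data as a private frame (step 503) and encrypt it (step 504)."""
    payload = keystream_xor(key, pack_blocks(blocks))
    header = struct.pack(HDR_FMT, dst_mac, src_mac, CTRL_SYNC, 1, data_cmd, 0, 0)
    csum = checksum16(header + payload)
    return header[:-2] + struct.pack("!H", csum) + payload


def parse_frame(frame: bytes, key: str) -> dict:
    """Receiving side (step 512): verify the checksum before decrypting; reject damaged frames."""
    if len(frame) < HDR_LEN:
        raise ValueError("frame too short")
    dst, src, ctrl, enc, cmd, _reserved, csum = struct.unpack(HDR_FMT, frame[:HDR_LEN])
    zeroed = frame[:HDR_LEN - 2] + b"\x00\x00" + frame[HDR_LEN:]
    if checksum16(zeroed) != csum:
        raise ValueError("checksum mismatch: frame corrupted or tampered")
    payload = frame[HDR_LEN:]
    if enc:
        payload = keystream_xor(key, payload)
    return {"dst": dst, "src": src, "control": ctrl, "data_cmd": cmd, "blocks": unpack_blocks(payload)}
```

Because the key is computed from a second-resolution timestamp, its effective entropy is that of the timestamp rather than of a 32-character digest, so a production design would derive session keys from a random source.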
In the present embodiment, step 51 of the security isolation and information exchange method comprises the following steps:
Step 511: the second private network driver module receives the data messages synchronized by the first private network driver module and forwards them to the second encryption/decryption module.
Step 512: the second encryption/decryption module decrypts the data messages sent via the second private network driver module and sends the decrypted data messages to the second service module via the second private network driver module.
The second encryption/decryption module 207 first decrypts the data messages sent via the second private network driver module 206, and the decrypted data messages are then rebuilt into network data of standard format.
Step 513: the second service module receives the decrypted data messages and sends them to the second network through the second universal network driver module.
After the second service module 202 receives the decrypted data messages, it no longer enables the application protocol modules within it, that is, it performs no further protocol analysis; it only records the necessary log information in the second system log module 205 and then forwards the data messages to the second universal network driver module 201.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.