CN102202055A - Isolation gateway - Google Patents

Isolation gateway

Info

Publication number: CN102202055A
Authority: CN (China)
Prior art keywords: control unit, network, main control, data, isolation gap
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201110111474XA
Other languages: Chinese (zh)
Inventor: 阙劲峰
Current Assignee: GUANGZHOU HUIZHI COMMUNICATION TECHNOLOGY CO LTD (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: GUANGZHOU HUIZHI COMMUNICATION TECHNOLOGY CO LTD
Priority date: 2011-04-28 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2011-04-28
Publication date: 2011-09-28

2011-04-28: Application filed by GUANGZHOU HUIZHI COMMUNICATION TECHNOLOGY CO LTD
2011-04-28: Priority to CN201110111474XA
2011-09-28: Publication of CN102202055A
Status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an isolation gateway comprising a master control unit A and a master control unit B. Master control unit A exchanges data with network A; master control unit B exchanges data with network B; and the two master control units exchange data with each other using a data encapsulation format that differs from the one used on networks A and B. Because the transfer between master control units A and B uses an encapsulation format different from that of networks A and B, the isolation between the two master control units is difficult for an attacker on either network to cross: an attacker from network A has difficulty stealing the data transmitted between master control units A and B and between master control unit B and network B, and an attacker from network B has difficulty stealing the data transmitted between master control units A and B and between master control unit A and network A. The security of the network isolation is therefore improved.

Description

Isolation gateway
Technical field
The present invention relates to an isolation gateway for implementing network isolation.
Background technology
An existing isolation gateway for network isolation is shown in Fig. 1. The external network is one with low security, and the internal network is a proprietary internal network with very high security. In the normal state the external and internal networks are completely disconnected. The isolation gateway sits between the two networks and comprises a control console and a storage medium. When the internal network has data to transfer to the external network, a connection is first established between the control console and the internal host, as shown in Fig. 2; the data are sent from the internal host to the console, which strips the protocol from the data and writes them to the storage medium. Once the write is complete, the console disconnects from the internal host and connects to the external host, as shown in Fig. 3; the console then reads the data from the storage medium and sends them to the external host, which completes one data transfer.
As can be seen, the existing isolation gateway works like a ferry switch that toggles between the internal and external networks, with the transfer realized by writing to and then reading from the storage medium. In this forwarding mechanism the data encapsulation format used in each transfer is the same, so an attacker on the network can easily steal data passing through the gateway: for example, an attacker from the external network who breaks into the control console can steal the data sent from the internal host to the console as well as the data held in the storage medium.
Summary of the invention
The object of the invention is to make it harder for an attacker on either of the isolated networks to steal data passing through the isolation gateway, thereby improving the security of the network isolation.
To this end an isolation gateway is provided, comprising a master control unit A for exchanging data with network A and a master control unit B for exchanging data with network B, wherein master control unit A and master control unit B exchange data with each other at the data link layer using a data encapsulation format that differs from the one used on network A and network B.
Because the data transfer between master control unit A and master control unit B uses an encapsulation format different from that of networks A and B, an attacker on either network finds it hard to cross the isolation between the two master control units: an attacker from network A has difficulty stealing the data transmitted between master control units A and B and between master control unit B and network B, and an attacker from network B has difficulty stealing the data transmitted between master control units A and B and between master control unit A and network A. The security of the network isolation is therefore improved. Because the differing encapsulation is applied at the data link layer, an attacker who does not know the format cannot even receive the relevant frames, which removes the possibility of the attacker receiving the frames and then illegitimately decrypting them to steal the data.
Preferably, the data exchange between master control unit A and master control unit B is realized by two fiber-optic one-way transmission paths running in opposite directions. Each one-way path comprises two optical network interface cards, one serving as the transmit card and the other as the receive card. The transmit card has a transmit end and a receive end, and it sends data only after its own receive end has received light of the rated wavelength. An optical splitter is provided, with the light emitted by the transmit card as its incident light; the splitter has two output beams, one received by the receive card and the other received by the receive end of the transmit card. Each fiber one-way path thus implements secure one-way transmission and cannot be misused for transfer in the reverse direction. The path needs no specially designed, non-standard optical network card: it uses existing optical network cards, needs no separate light source of the rated wavelength, and, because what the transmit card's receive end receives is rated-wavelength light emitted by the transmit card itself, needs no tuning. Fiber-optic one-way transmission is therefore realized at low cost.
If an existing data encapsulation format were used between master control unit A and master control unit B, a format different from that of networks A and B would still provide some isolation, but once an attacker identifies which format is in use the data can again be stolen easily. Preferably, therefore, a custom data encapsulation format is used between master control unit A and master control unit B. As long as the custom format is kept confidential, an attacker cannot cross the isolation between the two master control units to steal data.
Description of drawings
Fig. 1 is the architecture diagram of an existing network isolation system.
Fig. 2 is a schematic diagram of the control console in Fig. 1 handling internal-network data.
Fig. 3 is a schematic diagram of the control console in Fig. 1 handling external-network data.
Fig. 4 is the architecture diagram of a network isolation system according to an embodiment of the invention.
Embodiment
As shown in Fig. 4, network A is a proprietary internal network with very high security and network B is an external network with low security. The isolation gateway that isolates them comprises master control unit A, master control unit B and optical splitters 1 and 2. Master control unit A exchanges data with network A, and master control unit B exchanges data with network B. Master control unit A contains authentication module A and data acquisition module A; master control unit B contains authentication module B and data acquisition module B. In Fig. 4 each authentication module has an optical network card serving as the transmit card, and each data acquisition module has an optical network card serving as the receive card. The optical network card is prior art: it has a transmit end and a receive end, and it sends data only after its own receive end has received light of the rated wavelength.
The fiber one-way path on the left of Fig. 4 works as follows. Optical splitter 1 takes the light emitted by the transmit card of authentication module A as its incident light and has two output beams, one received by the receive end of the receive card of data acquisition module B and the other by the receive end of the transmit card of authentication module A. During initialization, the transmit end of authentication module A's transmit card emits rated-wavelength light that does not yet carry the data to be transferred; splitter 1 delivers it both to the receive end of data acquisition module B's receive card and to the receive end of authentication module A's own transmit card, so that the receive card of data acquisition module B and the transmit card of authentication module A both complete initialization. After initialization, when network A has data to transfer to network B, a request is first made to master control unit A and authentication module A authenticates it. Once authentication passes, the transmit end of authentication module A's transmit card sends the data, which reach the receive end of data acquisition module B's receive card via splitter 1; the receive end of authentication module A's transmit card also receives these data, but that does not affect the one-way transmission. Data acquisition module B forwards the received data to network B.
The fiber one-way path on the right of Fig. 4 works in the same way. Optical splitter 2 takes the light emitted by the transmit card of authentication module B as its incident light and has two output beams, one received by the receive end of the receive card of data acquisition module A and the other by the receive end of the transmit card of authentication module B. During initialization, the transmit end of authentication module B's transmit card emits rated-wavelength light that does not yet carry the data to be transferred; splitter 2 delivers it both to the receive end of data acquisition module A's receive card and to the receive end of authentication module B's own transmit card, so that the receive card of data acquisition module A and the transmit card of authentication module B both complete initialization. After initialization, when network B has data to transfer to network A, a request is first made to master control unit B and authentication module B authenticates it. Once authentication passes, the transmit end of authentication module B's transmit card sends the data, which reach the receive end of data acquisition module A's receive card via splitter 2; the receive end of authentication module B's transmit card also receives these data, but that does not affect the one-way transmission. Data acquisition module A forwards the received data to network A.
In Fig. 4 the transmit end of each data acquisition module's receive card is unused and needs no optical connection. If an attacker breaks into only the modules of one transmission direction, only the data of that direction can be intercepted, not the data flowing in the reverse direction, which reduces the chance that data in both directions are intercepted.
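The one-way property of the two fiber paths follows from the wiring alone: a card transmits data only once its own receive end sees light, each splitter returns part of the transmit card's light to that card's own receive end, and the receive cards' transmit ends are left dark. As an added example that is not part of the patent or the assignee's product, the following Go program encodes that rule as a small directed-graph model, checks which cards link up, computes where data can reach, and contrasts the Fig. 4 wiring with the same path wired without the splitter and with a conventional duplex fiber link. The card names (A_auth, B_acq and so on) and the port naming convention are this example's assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Topology maps a TX port to the RX ports its light reaches. Ports are named
// "<card>.tx" and "<card>.rx" (a convention assumed for this example); an
// optical splitter is simply a TX port with two outgoing edges, as in Fig. 4.
type Topology map[string][]string

// Linked reports whether the card's own RX port is illuminated by some TX
// port. This is the patent's rule: an optical NIC sends data only once its
// receive end sees light of the rated wavelength. Every TX emits idle light
// from power-on, so link-up depends on wiring alone.
func (t Topology) Linked(card string) bool {
	for _, rxPorts := range t {
		for _, rx := range rxPorts {
			if rx == card+".rx" {
				return true
			}
		}
	}
	return false
}

// DataReach returns the sorted set of cards that can receive data sent by
// `from`, following light paths only out of cards that are linked. A card
// whose splitter loops back onto itself appears in its own set.
func (t Topology) DataReach(from string) []string {
	seen := map[string]bool{}
	queue := []string{from}
	for len(queue) > 0 {
		card := queue[0]
		queue = queue[1:]
		if !t.Linked(card) {
			continue // never initialised, so it transmits no data
		}
		for _, rx := range t[card+".tx"] {
			dst := strings.TrimSuffix(rx, ".rx")
			if !seen[dst] {
				seen[dst] = true
				queue = append(queue, dst)
			}
		}
	}
	out := make([]string, 0, len(seen))
	for card := range seen {
		out = append(out, card)
	}
	sort.Strings(out)
	return out
}

// OneWay holds when data sent by `from` reaches `to` while nothing sent by
// `to` can ever reach `from`.
func (t Topology) OneWay(from, to string) bool {
	return contains(t.DataReach(from), to) && !contains(t.DataReach(to), from)
}

func contains(sorted []string, s string) bool {
	i := sort.SearchStrings(sorted, s)
	return i < len(sorted) && sorted[i] == s
}

// Fig4 is the embodiment: the authentication modules hold the transmit cards,
// the data acquisition modules hold the receive cards, and each splitter
// returns part of the transmit card's light to that card's own receive end.
func Fig4() Topology {
	return Topology{
		"A_auth.tx": {"B_acq.rx", "A_auth.rx"}, // optical splitter 1
		"B_auth.tx": {"A_acq.rx", "B_auth.rx"}, // optical splitter 2
		// A_acq.tx and B_acq.tx stay unconnected, as the text states.
	}
}

// NoSplitter wires the left path without splitter 1: the transmit card's
// receive end never sees light, so the card never leaves initialisation.
func NoSplitter() Topology { return Topology{"A_auth.tx": {"B_acq.rx"}} }

// ConventionalPair is an ordinary duplex fiber link, for comparison.
func ConventionalPair() Topology {
	return Topology{"A.tx": {"B.rx"}, "B.tx": {"A.rx"}}
}

func main() {
	f := Fig4()
	fmt.Println("Fig. 4: reach(A_auth) =", f.DataReach("A_auth"), "reach(B_acq) =", f.DataReach("B_acq"))
	fmt.Println("Fig. 4: A_auth->B_acq one-way:", f.OneWay("A_auth", "B_acq"), "B_auth->A_acq one-way:", f.OneWay("B_auth", "A_acq"))
	fmt.Println("no splitter: A_auth linked:", NoSplitter().Linked("A_auth"), "reach:", NoSplitter().DataReach("A_auth"))
	fmt.Println("duplex pair: A->B one-way:", ConventionalPair().OneWay("A", "B"))
}
```

The model reproduces the two observations in the text: the transmit card's own receive end does get the data it sends (A_auth appears in its own reach set), which is harmless because that card never forwards, and a receive card whose transmit end is dark has an empty reach set, so compromising the left path's modules exposes only A-to-B traffic. The no-splitter case shows why the loop-back is needed at all: a standard card that never sees light never links up, so nothing flows.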
In Fig. 4 the authentication modules and data acquisition modules forward data at wire speed in the data plane, giving a high transmission bandwidth.
In Fig. 4, master control unit A and master control unit B exchange data at the data link layer using an encapsulation format different from that of networks A and B. For example, networks A and B encapsulate data with IP over Ethernet, while the optical path between the two master control units uses a non-IP/Ethernet encapsulation format, or even a custom format, so that an attacker on either network finds it hard to cross the isolation between master control units A and B; the security of the network isolation is thereby improved.
In Fig. 4, the data are encrypted by the authentication module and decrypted by the data acquisition module, which protects the data on the optical path described above.
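The two mechanisms the embodiment relies on between the master control units, a link-layer encapsulation that the networks' own IP/Ethernet stacks will not parse and encryption by the authentication module with decryption by the data acquisition module, can be exercised together in one receiver. The following Go program is an added example and not code from the patent or its assignee. It defines a hypothetical frame format (magic value, version byte, sequence number, nonce, AES-256-GCM body with the header bound as additional data), encapsulates on the sending side and, on the receiving side, discards anything that does not carry the gateway format before any cryptography runs, rejects tampered or wrongly keyed frames, and refuses replays by requiring a strictly increasing authenticated sequence number. The field layout, the magic value, the cipher, the sample Ethernet frame and the pre-shared key are all assumptions of this example; the patent specifies none of them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout assumed for this example (the patent leaves the format open):
//   0 magic "ISOG" | 4 version | 5 seq uint32 BE | 9 nonce (12 B) | 21 AES-256-GCM body + tag
// The 9-byte header is bound into the GCM tag as additional data.
var framePrefix = []byte("ISOG\x01") // magic followed by version 1

const headerLen, nonceLen = 5 + 4, 12

var (
	ErrNotGatewayFrame = errors.New("frame does not carry the gateway encapsulation")
	ErrTruncated       = errors.New("frame too short")
	ErrAuthFailed      = errors.New("frame failed authentication or decryption")
	ErrReplay          = errors.New("sequence number did not increase")
)

// Endpoint is one side of the optical path: the authentication module when it
// encapsulates, the data acquisition module when it decapsulates. One key per direction is assumed.
type Endpoint struct {
	aead  cipher.AEAD
	txSeq uint32 // last sequence number sent
	rxSeq uint32 // highest authenticated sequence number accepted
}

func NewEndpoint(key []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Endpoint{aead: aead}, err // NewGCM does not fail for an AES block
}

// Encapsulate wraps a payload that has already passed authentication.
func (e *Endpoint) Encapsulate(payload []byte) ([]byte, error) {
	e.txSeq++ // wrap-around after 2^32 frames is not handled here
	hdr := make([]byte, headerLen)
	copy(hdr, framePrefix)
	binary.BigEndian.PutUint32(hdr[5:], e.txSeq)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	frame := append(append([]byte{}, hdr...), nonce...)
	return e.aead.Seal(frame, nonce, payload, hdr), nil // tag covers hdr as well
}

// Decapsulate checks the encapsulation before any key material is used, so a
// frame in the networks' own format (Ethernet) never reaches the cipher; the
// replay check runs after the tag verifies, so a forged seq cannot desync us.
func (e *Endpoint) Decapsulate(frame []byte) ([]byte, error) {
	if len(frame) < len(framePrefix) || !bytes.Equal(frame[:len(framePrefix)], framePrefix) {
		return nil, ErrNotGatewayFrame
	}
	if len(frame) < headerLen+nonceLen+e.aead.Overhead() {
		return nil, ErrTruncated
	}
	hdr, nonce, body := frame[:headerLen], frame[headerLen:headerLen+nonceLen], frame[headerLen+nonceLen:]
	payload, err := e.aead.Open(nil, nonce, body, hdr)
	if err != nil {
		return nil, ErrAuthFailed
	}
	seq := binary.BigEndian.Uint32(hdr[5:])
	if seq <= e.rxSeq {
		return nil, ErrReplay
	}
	e.rxSeq = seq
	return payload, nil
}

// EthernetSample is a constructed Ethernet II frame (broadcast dst, locally
// administered src, EtherType 0x0800, IPv4 bytes): what an attacker on network A or B can inject.
func EthernetSample() []byte {
	return []byte{
		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00,
		0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
	}
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a provisioning scheme
	a, _ := NewEndpoint(key)              // authentication module A side
	b, _ := NewEndpoint(key)              // data acquisition module B side
	frame, _ := a.Encapsulate([]byte("constructed payload from network A"))
	payload, err := b.Decapsulate(frame)
	fmt.Printf("gateway frame: %q err=%v\n", payload, err)
	_, err = b.Decapsulate(EthernetSample())
	fmt.Println("ethernet frame:", err)
}
```

Two ordering choices in Decapsulate carry the security argument. The format check comes first, so a frame in the networks' own encapsulation is dropped without the key ever being used, which is the filtering effect the description attributes to the link-layer mismatch. The replay check comes after the GCM tag verifies and only a verified frame advances the stored sequence number, so an injected frame with a high forged sequence number cannot make the receiver drop later legitimate traffic. Keeping a custom format secret (claims 5 and 6) only stops an attacker from parsing frames; the confidentiality and integrity of the optical path come from the encryption of claim 7, which is why the example authenticates every frame rather than trusting the format alone.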

Claims (7)

1. An isolation gateway, characterized in that it comprises a master control unit A for exchanging data with network A and a master control unit B for exchanging data with network B, wherein master control unit A and master control unit B exchange data with each other at the data link layer using an encapsulation format different from that of network A and network B.
2. The isolation gateway according to claim 1, characterized in that the data exchange between master control unit A and master control unit B is realized by two fiber-optic one-way transmission paths running in opposite directions; each one-way path comprises two optical network interface cards, one serving as the transmit card and the other as the receive card; the transmit card has a transmit end and a receive end, and the transmit card sends data only after its own receive end has received light of the rated wavelength; an optical splitter is provided, with the light emitted by the transmit card as its incident light; and the splitter has two output beams, one received by the receive card and the other received by the receive end of the transmit card.
3. The isolation gateway according to claim 1, characterized in that network A and network B use the same encapsulation format at the data link layer.
4. The isolation gateway according to claim 3, characterized in that network A and network B use IP/Ethernet protocol encapsulation at the data link layer.
5. The isolation gateway according to claim 3, characterized in that a custom data encapsulation format is used between master control unit A and master control unit B.
6. The isolation gateway according to claim 1, characterized in that a custom data encapsulation format is used between master control unit A and master control unit B.
7. The isolation gateway according to claim 1, characterized in that master control unit A and master control unit B encrypt the data they send and decrypt the data they receive.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201110111474XA | 2011-04-28 | 2011-04-28 | Isolation gateway

Publications (1)

Publication Number | Publication Date
CN102202055A | 2011-09-28

Family

ID=44662450

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201110111474XA | Isolation gateway | 2011-04-28 | 2011-04-28 | Pending (published as CN102202055A)

Country Status (1)

Country | Link
CN (1) | CN102202055A

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103997495A * | 2014-05-23 | 2014-08-20 | 中国人民解放军理工大学 | Security isolation file transmission control method
CN105072170A * | 2015-07-30 | 2015-11-18 | 深圳市深信服电子科技有限公司 | Method, terminal and system for obtaining resource data from external network
CN110365669A * | 2019-07-05 | 2019-10-22 | 郭爱波 | Unidirectional ether gateway
CN112804265A * | 2021-04-08 | 2021-05-14 | 北京乐研科技有限公司 | Unidirectional network gate interface circuit, method and readable storage medium
CN112804265B * | 2021-04-08 | 2021-07-30 | 北京乐研科技有限公司 | Unidirectional network gate interface circuit, method and readable storage medium
CN114979036A * | 2022-05-31 | 2022-08-30 | 山东中网云安智能科技有限公司 | Dual-computer hot standby system of network gate based on heartbeat and isolation switching matrix
CN114979036B * | 2022-05-31 | 2024-05-10 | 山东中网云安智能科技有限公司 | Dual-machine hot standby system of network gate based on heartbeat and isolation exchange matrix

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN2687972Y * | 2003-12-09 | 2005-03-23 | 北京京泰网络科技有限公司 | One-way physical-isolating net gate
CN201307864Y * | 2008-12-04 | 2009-09-09 | 杭州恒生数字设备科技有限公司 | Data isolating and forwarding system based on 1394 interface
CN102035843A * | 2010-12-17 | 2011-04-27 | 北京锐安科技有限公司 | System and method for transmitting data in one direction

Similar Documents

Publication | Title
US11134064B2 | Network guard unit for industrial embedded system and guard method
CN102208982A | Isolation gateway
US20130110328A1 | Control network for a rail vehicle
CN106685992B | Cross-network security switching and interactive application system and method based on unidirectional transmission technology
US11086810B2 | Intelligent controller and sensor network bus, system and method including multi-layer platform security architecture
CN103200201A | Public-security inner network and special video network isolation system and method
CN104365062A | Ring network for a vehicle
CN102202055A | Isolation gateway
CN111543036A | Device and method for transmitting data between a first and a second network
CN103475655A | Method for achieving IPSecVPN main link and backup link dynamic switching
CN104025511A | Service protection method, optical line terminal and system in passive optical network
CN103023579A | Method for conducting quantum secret key distribution on passive optical network and passive optical network
WO2015158208A1 | Networking method, optical module and device
TWI242953B | Ethernet passive optical network ring and its method of authorization and collision detection
WO2021146174A1 | Intelligent controller and sensor network bus, system and method including multi-layer platform security architecture
WO2016091094A1 | Optical transport network protection switching method and device
WO2010006248A3 | Service oriented architecture device
US20120308006A1 | Method and Device for Encrypting Multicast Service in Passive Optical Network System
EP1830517A1 | A method, communication system, central and peripheral communication unit for packet oriented transfer of information
CN101282177B | Data transmission method and terminal
CN109587171B | Real-time safety network system based on double-engine forwarding
CN103581774B | Ethernet one-way transmission optical port, transmission method thereof and one-way transmission device
JP4463820B2 | Method and system for secure upstream transmission in a passive optical network
CN207150608U | Channel-multiplexed quantum key distribution system
US10268623B2 | Method for operating a data transfer system, and data transfer system

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C02 | Deemed withdrawal of patent application after publication (patent law 2001)
WD01 | Invention patent application deemed withdrawn after publication

Application publication date: 2011-09-28