CN104363231A - Network security isolation and information exchange method and system based on one-way channel - Google Patents

Info

Publication number: CN104363231A
Authority: CN (China)
Prior art keywords: data, net, packet, frame, module
Prior art date
Legal status: Granted (active)
Application number: CN201410652474.4A
Other languages: Chinese (zh)
Other versions: CN104363231B (en)
Inventors: 杜飞, 迟悦
Current assignee: BEIJING RUICHI XINAN TECHNOLOGY Co Ltd
Original assignee: BEIJING RUICHI XINAN TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Events:
    • Application filed by BEIJING RUICHI XINAN TECHNOLOGY Co Ltd
    • Priority to CN201410652474.4A (CN104363231B)
    • Publication of CN104363231A
    • Application granted
    • Publication of CN104363231B
    • Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                • H04L63/0227 Filtering policies
                    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
        • H04L61/00 Network arrangements, protocols or services for addressing or naming
            • H04L61/09 Mapping addresses
                • H04L61/10 Mapping addresses of different types
                    • H04L61/106 Mapping addresses of different types across networks, e.g. mapping telephone numbers to data network addresses
                • H04L61/25 Mapping addresses of the same type
                    • H04L61/2503 Translation of Internet protocol [IP] addresses
                        • H04L61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/50 Network services
                • H04L67/56 Provisioning of proxy services
                    • H04L67/565 Conversion or adaptation of application format or content
        • H04L45/00 Routing or path finding of packets in data switching networks
            • H04L45/74 Address processing for routing
                • H04L45/745 Address table lookup; Address filtering
        • H04L47/00 Traffic control in data switching networks
            • H04L47/10 Flow control; Congestion control
                • H04L47/23 Bit dropping
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
        • Y02D30/00 Reducing energy consumption in communication networks
            • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network security isolation and information exchange method and system based on a one-way channel and belongs to the field of computer network security. The network security isolation and information exchange system comprises a data acquisition module, a protocol reassembly module, a data audit module, an information unloading and packaging module and a data transmission module. Each module can be implemented in hardware and/or software. The network security isolation and information exchange method includes the steps of data acquisition, protocol reassembly, data audit, information unloading and packaging, data transmission and the like. A one-way channel is used to transmit data, the transmitted data are audited and unloaded by a special packet processing method, and when a fault occurs physical isolation is formed. With the network security isolation and information exchange method and system, data throughput can be remarkably increased, data security between different networks can be effectively protected, intrusion and control by illegal users are avoided, and system cost is reduced.

Description

Network security isolation and information exchange method and system based on a one-way channel
Technical field
The present invention relates to the field of computer network security, and more specifically to a network security isolation and information exchange method and a corresponding system.
Background art
Informatization is the main trend in the development of science, technology and society worldwide. National economies and societies depend ever more on information and information systems, information and communication technology (ICT) has penetrated every aspect of production and daily life, and inter-network communication equipment has become the basic tool for exchange between institutions and between individuals. While enjoying the convenience that networks bring, we are also troubled by malicious-code attacks, hacker attacks, information leakage and similar problems. Information interaction between heterogeneous networks must, on the one hand, meet the requirement of sharing information between different networks and so solve the problem of information islands; on the other hand, it must prevent the core classified network from being attacked from outside while the information system is opened up, and prevent information leakage. From the network security point of view, network security isolation and information exchange technology isolates a critical network from other networks while still allowing efficient, controlled and secure data interaction. In this context, network security isolation and information exchange has great application value. The traditional implementations are as follows:
(1) The "2+1" system architecture. It comprises an "inner terminal" + an "exchange isolation matrix" + an "outer terminal". The isolation part is designed as a duplex dual-channel physical isolation protection board built around an ASIC chip. The whole architecture is a complete simulated implementation of the process of manually carrying data on disk (the "sneaker-net" security architecture). The inner and outer terminal devices have independent storage and arithmetic units and independent buses. The inner terminal and the outer terminal are respectively the endpoints of the inner-network and outer-network protocols. All application-layer data passing through are stripped from the TCP/IP protocol of the inner and outer networks, and the stripped data are then transmitted between the inner and outer terminals by a data migration control unit. Because security is guaranteed by the physical isolation protection board, data access efficiency is reduced and support for most network application protocols is poor.
(2) The three-host three-system architecture. It comprises an "inner terminal" + an "arbitration host" + an "outer terminal"; the inner terminal and the outer terminal are respectively the endpoints of the inner-network and outer-network protocols. All application-layer information passing through is stripped from the network protocols of the inner and outer networks and reduced to application-layer information. This information is then sent to the arbitration system through dedicated hardware and a proprietary communication protocol. The arbitration host filters and inspects the received application-layer information, controls the content propagated between the networks, and at the same time removes malicious code such as viruses. After the arbitration system has inspected the information content, the data confirmed to be safe are delivered to the other of the inner/outer terminals and finally restored to the packet format of the general network protocol. In a sense, for the proper information exchange requests of legitimate users, the three-host three-system architecture is "transparent": it provides security guarantees while giving users smooth service. However, the overall cost of the three-host three-system architecture is high, and its throughput also suffers from the complexity of the architecture.
Summary of the invention
To address the low data access efficiency and high architecture cost of traditional network security isolation and information exchange technology, the present invention proposes a network security isolation and information exchange method and system based on a one-way channel.
The invention discloses a network security isolation and information exchange method based on a one-way channel, in which data are sent from network A to network B; the specific steps comprise:
Step 1: data acquisition: collect network A data frames from the specified network interface and process each frame as follows, specifically comprising:
Step 1.1: if the frame is an ARP broadcast frame and it queries the MAC address of this network interface card, forward the ARP broadcast frame to the reverse data transmission module through the one-way data channel; otherwise discard the ARP broadcast frame;
Step 1.2: if the frame is an ARP reply frame and it answers a query for the MAC address of this network interface card, forward the ARP reply frame to the reverse data transmission module through the one-way data channel; otherwise discard the ARP reply frame;
Step 1.3: if the frame is an Ethernet frame carrying the IP protocol, send it to step 2 through the one-way channel.
Step 2: protocol reassembly: restore the upper-layer protocol of the IP packet in the Ethernet frame and parse the upper-layer application protocol of TCP or UDP, specifically comprising:
Step 2.1: if the protocol of the IP packet is TCP, perform protocol reassembly on the TCP packet; once the upper-layer application protocol has been identified, forward the restored TCP packet one-way to step 3;
Step 2.2: if the protocol of the IP packet is UDP, perform protocol reassembly on the UDP packet; once the upper-layer application protocol has been identified, forward the restored UDP packet one-way to step 3;
Step 2.3: if the protocol field of the IP packet is anything else, i.e. the protocol is neither TCP nor UDP, discard the packet.
Step 3: data audit: filter and inspect the packets entering this step according to the audit configuration rules; forward packets that satisfy the audit configuration rules to step 4, and discard packets that do not satisfy them.
Step 4: information unloading and encapsulation: in this step the payload part of the packet is extracted and, according to the encapsulation configuration rules, reassembled into a new packet, specifically comprising:
Step 4.1: if the packet carries payload information, the one-way transmission of the packet itself is cut off: the payload information is extracted and re-encapsulated into a new packet using the mapping address and port in the encapsulation configuration rules, and the new packet is forwarded one-way to step 5;
Step 4.2: if the packet carries no payload information, then according to the mapping address and port in the encapsulation configuration rules the packet is forwarded one-way to step 5, either directly or after specific fields of the packet have been modified. The specific fields include but are not limited to the source IP and source port.
Step 5: data sending: for one-way data transmission from network A to network B, the data flow sent one-way to network B is the forward direction and the data flow sent one-way to network A is the reverse direction; let X be A or B. The data transmission module processes the received ARP broadcast frames, ARP reply frames and IP packets respectively as follows:
Step 5.1: for an ARP broadcast frame, construct an ARP reply frame from the IP and MAC address in the address configuration rule table and send it to network X;
Step 5.2: for an ARP reply frame, add the <IP, MAC> address pair in the ARP reply frame to the ARP mapping table;
Step 5.3: for an IP packet sent by step 4, check whether the address forwarding table (AFT) contains the MAC address of the destination IP; if so, construct a data frame and send it directly to network X, otherwise go to step 5.4;
Step 5.4: look up the corresponding entry in the routing table; if no corresponding routing entry is found, configure the route and look it up again. If a corresponding routing entry is found, obtain the IP address of the next-hop router and look up the corresponding MAC address in the ARP mapping table by the router's IP address; if it is not found, construct an ARP broadcast frame to query the router's MAC address, temporarily cache the IP packet, and wait for the reverse data acquisition to forward back the ARP reply frame so as to obtain the router's MAC address. Once the router's MAC address has been obtained, construct the data frame, send it to network X and update the forwarding table at the same time.
Step 6: repeat steps 1 to 5 above until the data have been sent completely.
Correspondingly, the present invention also discloses a network security isolation and information exchange system based on a one-way channel, comprising a data acquisition module, a protocol reassembly module, a data audit module, an information unloading and encapsulation module and a data transmission module. The network security isolation and information exchange system transmits data one-way from network A to network B, or the reverse. The following description takes the case of data transmitted one-way from network A to network B.
The data acquisition module collects network A data frames from the specified network interface and classifies them: (1) if the frame is an ARP broadcast frame and the ARP broadcast frame queries the MAC address of this network interface card, the ARP broadcast frame is forwarded to the reverse data transmission module through the one-way data channel, otherwise it is discarded; the reverse data transmission module is the one that sends data to network A; (2) if the frame is an ARP reply frame answering a query for the MAC address of this network interface card, the ARP reply frame is forwarded to the reverse data transmission module through the one-way data channel, otherwise it is discarded; (3) if the frame is an Ethernet frame carrying the IP protocol, the Ethernet frame is sent to the protocol reassembly module through the one-way channel; (4) if the frame is none of an ARP broadcast frame, an ARP reply frame or an IP Ethernet frame, it is discarded.
The protocol reassembly module restores the upper-layer protocol of the IP packet in the Ethernet frame, parses the upper-layer application protocol of TCP or UDP, and forwards the restored TCP or UDP packet one-way to the data audit module. If the protocol of the IP packet is TCP, the TCP packet is reassembled and, once the upper-layer application protocol has been identified, the restored data flow is forwarded one-way to the data audit module; if the protocol of the IP packet is UDP, the UDP packet is reassembled and, once the upper-layer application protocol has been identified, the restored data flow is forwarded one-way to the data audit module. If the protocol of the IP packet is neither TCP nor UDP, i.e. some other protocol field, the packet is discarded.
The data audit module filters and inspects packets according to the audit configuration rules, forwards packets that satisfy the audit configuration rules to the information unloading and encapsulation module, and discards packets that do not. The audit configuration rules include but are not limited to any combination of a white list, five-tuples, and protocol feature strings obtained by machine learning.
The information unloading and encapsulation module processes the received packets as follows: if the packet carries payload information, the one-way transmission of the packet itself is cut off, the payload information is extracted and re-encapsulated into a new packet according to the encapsulation configuration rules, and the new packet is forwarded one-way to the data transmission module; if the packet carries no payload information, then according to the encapsulation configuration rules the packet is forwarded one-way to the data transmission module directly, or after specific fields of the packet have been modified. The specific fields include but are not limited to the source IP and source port. The encapsulation configuration rules record the mapping relations of addresses and ports, translating the source IP address and source port into a different address and port, so that the packets sent from network A to network B hide the topology of network A.
For one-way data transmission from network A to network B, the forward data transmission module sends data one-way to network B and the reverse data transmission module sends data one-way to network A; let X be A or B. The data transmission module processes the received ARP broadcast frames, ARP reply frames and IP packets respectively as follows: (1) for an ARP broadcast frame, it constructs an ARP reply frame from the IP and MAC address in the address configuration rule table and sends it to network X; the address configuration rule table records the IP and MAC address of the data acquisition module. (2) For an ARP reply frame, it adds the <IP, MAC> address pair in the ARP reply frame to the ARP mapping table. (3) For an IP packet, it checks whether the address forwarding table contains the MAC address of the destination IP; if so, it constructs a data frame and sends it directly to network X; otherwise it looks up the corresponding entry in the routing table, obtains the IP address of the next-hop router, and looks up the corresponding MAC address in the ARP mapping table by the router's IP address; if that is not found, it constructs an ARP broadcast frame to query the router's MAC address, temporarily caches the IP packet, and waits for the forwarded ARP reply frame so as to obtain the router's MAC address; once the router's MAC address has been obtained, it constructs the data frame, sends it to network X and updates the forwarding table at the same time. The address forwarding table is the mapping table of IP to MAC addresses.
The network security isolation and information exchange method and system based on a one-way channel disclosed by the invention have the following advantages over published methods:
(1) High performance: the modules of the network security isolation and information exchange system use one-way channels to transmit data, which can significantly improve data throughput compared with the traditional "2+1" architecture and the "three-host three-system" architecture.
(2) Security: the modules of the network security isolation and information exchange system are connected by one-way channels and use a special packet processing method; the transmitted data are audited and unloaded, and when a failure occurs physical isolation is formed. This effectively protects data security between different networks and prevents intrusion and control by illegal users.
(3) Low cost: the network security isolation and information exchange system can use a general-purpose hardware platform and an operating system with a security kernel, which significantly reduces the cost of the system.
Description of the drawings
Fig. 1 is a flow chart of the steps of the network security isolation and information exchange method of the present invention;
Fig. 2 is a deployment diagram of the network security isolation and information exchange system of the present invention;
Fig. 3 is a schematic structural diagram of the network security isolation and information exchange system of the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 shows the flow of the steps of the network security isolation and information exchange method based on a one-way channel of the present invention. Data are sent from network A to network B; after the system has been initialized and the relevant configuration information read, the specific implementation steps are as follows:
Step 1: data acquisition: collect network A data frames from the specified network interface and process them according to frame type, specifically comprising:
Step 1.1: if the frame is an ARP broadcast frame querying the MAC address of this network interface card, forward the ARP broadcast frame to the reverse data transmission module through the one-way data channel; otherwise discard it. The reverse data transmission module here constructs the corresponding ARP reply frame and sends it to network A. For one-way data transmission from network A to network B, the data flow sent one-way to network B is the forward direction and the data flow sent one-way to network A is the reverse direction.
Step 1.2: if the frame is an ARP reply frame answering a query for the MAC address of this network interface card, forward the ARP reply frame to the reverse data transmission module through the one-way data channel; otherwise discard it.
Step 1.3: if the frame is an Ethernet frame carrying the IP protocol, send it to the protocol reassembly step 2 through the one-way channel.
If the frame is none of an ARP broadcast frame, an ARP reply frame or an IP Ethernet frame, discard it, continue collecting, and process the frames according to the preceding steps 1.1 to 1.3.
The security isolation and information exchange device in the embodiment of the present invention collects data frames from the specified network interface by a special packet processing method. The method is: at the data link layer, judge whether the frame belongs to the ARP protocol and verify whether its content concerns this network interface card; if so, modify the forwarding path of the ARP frame and perform reverse data sending, otherwise discard the frame; if it is an Ethernet IP frame, forward it directly to the protocol reassembly step, otherwise discard the frame. This special packet processing method is an improvement on existing packet processing methods and has the following characteristics: a) to improve processing performance, no kernel copy is performed; b) to improve security, the conventional TCP/IP protocol stack is not traversed either.
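As an added example, not code from the patent or from its assignee, the step 1 classification written out in Python over raw Ethernet frames: the module's own MAC and IP, the peer addresses and the frames themselves are constructed sample values. It inspects only the link-layer and ARP headers, as the text requires, and reaches one of three decisions: forward to protocol reassembly, hand to the reverse transmission module, or drop.

```python
import struct
from enum import Enum

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

# Constructed sample identity of the acquisition module's own NIC (not from the patent).
OWN_MAC = bytes.fromhex("02005e000001")
OWN_IP = bytes([10, 0, 0, 2])


class Action(Enum):
    FORWARD = "forward"  # step 1.3: IP frame goes to protocol reassembly over the one-way channel
    REVERSE = "reverse"  # steps 1.1/1.2: ARP frame about this NIC goes to the reverse transmission module
    DROP = "drop"        # everything else never leaves the acquisition module


def classify_frame(frame: bytes) -> Action:
    """Step 1 decision for one raw Ethernet frame captured on the acquisition interface.

    Only the link-layer and ARP headers are looked at; no TCP/IP stack is involved.
    """
    if len(frame) < 14:
        return Action.DROP
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_IP:
        return Action.FORWARD
    if ethertype != ETH_P_ARP:
        return Action.DROP
    arp = frame[14:42]
    if len(arp) < 28:
        return Action.DROP
    # Ethernet/IPv4 ARP layout: htype, ptype, hlen, plen, oper, sha(6), spa(4), tha(6), tpa(4)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        return Action.DROP
    tha, tpa = arp[18:24], arp[24:28]
    if oper == ARP_REQUEST and frame[:6] == BROADCAST:
        # step 1.1: only a broadcast asking "who has OWN_IP" concerns this NIC
        return Action.REVERSE if tpa == OWN_IP else Action.DROP
    if oper == ARP_REPLY:
        # step 1.2: only a reply addressed to this NIC's MAC is accepted
        return Action.REVERSE if tha == OWN_MAC else Action.DROP
    return Action.DROP


def build_arp(oper: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Minimal Ethernet+ARP frame used as constructed test input."""
    dst = BROADCAST if oper == ARP_REQUEST else tha
    return (dst + sha + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, oper) + sha + spa + tha + tpa)


def demo() -> dict:
    """Classify a handful of constructed frames; returns the decision name per frame."""
    peer_mac, peer_ip = bytes.fromhex("0200aa000009"), bytes([10, 0, 0, 9])
    zero_mac = b"\x00" * 6
    frames = {
        "arp_request_for_us": build_arp(ARP_REQUEST, peer_mac, peer_ip, zero_mac, OWN_IP),
        "arp_request_for_other": build_arp(ARP_REQUEST, peer_mac, peer_ip, zero_mac, bytes([10, 0, 0, 7])),
        "arp_reply_to_us": build_arp(ARP_REPLY, peer_mac, peer_ip, OWN_MAC, OWN_IP),
        "arp_reply_to_other": build_arp(ARP_REPLY, peer_mac, peer_ip, bytes.fromhex("0200bb000003"), bytes([10, 0, 0, 3])),
        # an IPv4 frame: at this stage only the ethertype matters
        "ipv4": OWN_MAC + peer_mac + struct.pack("!H", ETH_P_IP) + b"\x45" + b"\x00" * 19,
        # IPv6 is neither ARP nor IPv4 and is discarded
        "ipv6": OWN_MAC + peer_mac + struct.pack("!H", 0x86DD) + b"\x60" + b"\x00" * 39,
        "runt": b"\x00" * 5,
    }
    return {name: classify_frame(f).value for name, f in frames.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} -> {decision}")
```

The broadcast-destination check on ARP requests is an added strictness over the text's "ARP broadcast frame": a unicast request aimed at the module's IP is simply dropped rather than answered, which keeps the reverse path limited to the address resolution the design needs.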
Step 2: protocol reassembly: restore the upper-layer protocol of the IP packet in the Ethernet frame and parse the upper-layer application protocol of TCP and UDP, specifically comprising:
Step 2.1: if the protocol of the IP packet is TCP, perform protocol reassembly on the TCP packet; once the upper-layer application protocol has been identified, forward the restored data flow one-way to step 3;
Step 2.2: if the protocol of the IP packet is UDP, perform protocol reassembly on the UDP packet; once the upper-layer application protocol has been identified, forward the restored data flow one-way to step 3;
Step 2.3: if the IP packet carries any other protocol field, discard the packet.
In this step, protocol reassembly is considered complete as soon as the upper-layer application protocol has been parsed; there is no need to buffer the packets of the entire data flow.
Step 3: data audit: filter and inspect the packets entering this step according to the audit configuration rules; forward packets that satisfy the audit configuration rules to step 4, and discard packets that do not satisfy them.
In this step the audit configuration rules include but are not limited to: 1) a white list; 2) any combination of the five-tuple, the five-tuple being {source IP, destination IP, source port, destination port, protocol}; 3) protocol feature strings obtained by machine learning.
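An added example, not the patent's own code, showing steps 2 and 3 together in Python: per-packet reduction of an IPv4 packet to its TCP/UDP five-tuple and payload, identification of the application protocol by feature string, and a white-list audit whose rules may fix any combination of five-tuple fields. The feature strings, addresses, ports and rules are constructed assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Sequence

IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Assumed application-protocol feature strings. The patent says such strings may be
# obtained by machine learning; these are hand-picked, constructed samples.
FEATURE_STRINGS = {
    "http": (b"GET ", b"POST ", b"HEAD ", b"HTTP/1."),
    "tls": (b"\x16\x03",),
}


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int


@dataclass
class Reassembled:
    tuple5: FiveTuple
    app_proto: Optional[str]  # None when no feature string matched
    payload: bytes


def identify_app(payload: bytes) -> Optional[str]:
    for name, sigs in FEATURE_STRINGS.items():
        if payload.startswith(sigs):
            return name
    return None


def reassemble(packet: bytes) -> Optional[Reassembled]:
    """Step 2: reduce one IPv4 packet to its TCP/UDP five-tuple and payload.

    None means drop: not TCP/UDP (step 2.3) or malformed. Works per packet, so
    nothing beyond this packet is buffered.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl, total_len, proto = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0], packet[9]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or ihl < 20 or total_len > len(packet):
        return None
    l4 = packet[ihl:total_len]
    hdr_len = 8 if proto == IPPROTO_UDP else (l4[12] >> 4) * 4 if len(l4) >= 20 else 0
    if hdr_len < (8 if proto == IPPROTO_UDP else 20) or len(l4) < hdr_len:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    tuple5 = FiveTuple(str(ipaddress.IPv4Address(packet[12:16])),
                       str(ipaddress.IPv4Address(packet[16:20])), sport, dport, proto)
    return Reassembled(tuple5, identify_app(l4[hdr_len:]), l4[hdr_len:])


@dataclass(frozen=True)
class AuditRule:
    """One white-list entry; unset fields are wildcards (any combination of the five-tuple)."""
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None
    app_proto: Optional[str] = None  # identified application protocol required, if set

    def matches(self, r: Reassembled) -> bool:
        t = r.tuple5
        return (ipaddress.ip_address(t.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(t.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.src_port in (None, t.src_port) and self.dst_port in (None, t.dst_port)
                and self.proto in (None, t.proto) and self.app_proto in (None, r.app_proto))


def audit(packet: bytes, rules: Sequence[AuditRule]) -> Optional[Reassembled]:
    """Steps 2 + 3: reassemble, then pass only packets some white-list rule admits."""
    r = reassemble(packet)
    return r if r is not None and any(rule.matches(r) for rule in rules) else None


def ipv4(proto: int, src: str, dst: str, l4: bytes) -> bytes:  # constructed packet, zero IP checksum
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + l4

def tcp(sport: int, dport: int, payload: bytes) -> bytes:  # 20-byte header, PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed audit configuration: hosts in network A may reach the web server on port 80
# only with recognisable HTTP, and the resolver on port 53 over UDP.
RULES = (
    AuditRule(src_net="10.0.0.0/24", dst_net="192.168.1.10/32", dst_port=80, proto=IPPROTO_TCP, app_proto="http"),
    AuditRule(src_net="10.0.0.0/24", dst_net="192.168.1.53/32", dst_port=53, proto=IPPROTO_UDP),
)


def demo() -> dict:
    """Run constructed packets through the audit; True means forwarded to step 4."""
    samples = {
        "http_get": ipv4(6, "10.0.0.5", "192.168.1.10", tcp(40000, 80, b"GET / HTTP/1.1\r\n")),
        "not_http_on_80": ipv4(6, "10.0.0.5", "192.168.1.10", tcp(40001, 80, b"\x01\x02\x03")),
        "dns_query": ipv4(17, "10.0.0.5", "192.168.1.53", udp(5353, 53, b"\x12\x34\x01\x00")),
        "wrong_source_net": ipv4(17, "10.1.0.5", "192.168.1.53", udp(5353, 53, b"\x12\x34\x01\x00")),
        "icmp": ipv4(1, "10.0.0.5", "192.168.1.10", b"\x08" + b"\x00" * 7),
    }
    return {name: audit(p, RULES) is not None for name, p in samples.items()}
```

A rule that requires an identified application protocol can never match a payload-less segment such as a TCP SYN, since there is no feature string to match; step 4.2 exists precisely for packets without payload, so a deployable rule set pairs such a rule with a plain five-tuple rule that admits the control segments of the same flow.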
Step 4: information unloading and encapsulation: in this step the payload part of the packet is extracted and, according to the encapsulation configuration rules, reassembled into a new packet, specifically comprising:
Step 4.1: if the packet carries payload information, the one-way transmission of the packet itself is cut off: the payload information is extracted and re-encapsulated into a new packet using the mapping address and port in the encapsulation configuration rules, and the new packet is forwarded one-way to step 5;
Step 4.2: if the packet carries no payload information, then according to the mapping address and port in the encapsulation configuration rules the packet is forwarded one-way to step 5, either directly or after specific fields of the packet have been modified. The specific fields include but are not limited to the source IP and source port.
In this step, data extraction operates directly on the original packet without any memory copy, and the mapping rules in the encapsulation configuration cut off the one-way transmission of the original packet. The encapsulation configuration rules record the mapping relations of addresses and ports, translating the source IP address and source port into a different address and port, so that the packets sent from network A to network B hide the topology of network A.
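An added example of step 4 in Python, not code from the patent: a constructed encapsulation configuration rule maps a network A (source IP, source port) to the address and port that network B sees. A packet with payload is rebuilt from the payload alone under a fresh IP header (step 4.1); a payload-less packet has only its source fields rewritten (step 4.2); both receive correct IP and transport checksums, so the result is a valid packet. Addresses, ports and packets are constructed; the packets are assumed to have already passed steps 2 and 3, so they are well-formed TCP or UDP.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP = 6, 17
Endpoint = Tuple[str, int]  # (IP address, port)

# Constructed encapsulation configuration rule: the (source IP, source port) a network A
# host really uses -> the address and port network B is allowed to see.
ENCAP_RULES: Dict[Endpoint, Endpoint] = {
    ("10.0.0.5", 40000): ("172.16.0.1", 50001),
    ("10.0.0.6", 40000): ("172.16.0.1", 50002),
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4, TCP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _ip_header(src: str, dst: str, proto: int, l4_len: int) -> bytes:
    """Fresh 20-byte IPv4 header: no options, fixed TTL and ID, DF set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def _l4_checksummed(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Fill in the TCP/UDP checksum (pseudo-header + segment) for the new addresses."""
    off = 16 if proto == IPPROTO_TCP else 6
    l4 = l4[:off] + b"\x00\x00" + l4[off + 2:]
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, proto, len(l4)))
    c = checksum(pseudo + l4)
    if proto == IPPROTO_UDP and c == 0:
        c = 0xFFFF  # UDP encodes a computed zero as all-ones
    return l4[:off] + struct.pack("!H", c) + l4[off + 2:]


def split(packet: bytes):
    """(src, dst, proto, ihl, transport header, payload) of an IPv4 packet carrying TCP or UDP."""
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    l4 = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    hlen = (l4[12] >> 4) * 4 if proto == IPPROTO_TCP else 8
    return (str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20])),
            proto, ihl, l4[:hlen], l4[hlen:])


def reencapsulate(packet: bytes) -> Optional[bytes]:
    """Step 4: the packet that continues toward network B, or None if no rule maps its source."""
    src, dst, proto, ihl, l4hdr, payload = split(packet)
    sport, dport = struct.unpack("!HH", l4hdr[:4])
    mapped = ENCAP_RULES.get((src, sport))
    if mapped is None:
        return None
    new_src, new_sport = mapped
    if payload:
        # Step 4.1: the original packet ends here. Only its payload goes on, inside a new IP
        # header and a rebuilt transport header that carries the mapped source. For TCP the
        # seq/ack/flags/window fields are copied so the stream stays valid; TCP options and
        # the original IP header (options, ID, TTL) are not carried across.
        if proto == IPPROTO_TCP:
            l4 = struct.pack("!H", new_sport) + l4hdr[2:12] + bytes([5 << 4]) + l4hdr[13:20] + payload
        else:
            l4 = struct.pack("!HHHH", new_sport, dport, 8 + len(payload), 0) + payload
        return _ip_header(new_src, dst, proto, len(l4)) + _l4_checksummed(new_src, dst, proto, l4)
    # Step 4.2: no payload (e.g. a bare TCP control segment): forward the original packet with
    # only its source IP and source port rewritten and both checksums recomputed.
    l4 = _l4_checksummed(new_src, dst, proto, struct.pack("!H", new_sport) + l4hdr[2:])
    hdr = packet[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + packet[16:ihl]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + l4


def checksums_ok(packet: bytes) -> bool:
    """True when both the IP header checksum and the TCP/UDP checksum verify."""
    src, dst, proto, ihl, l4hdr, payload = split(packet)
    pseudo = packet[12:20] + struct.pack("!BBH", 0, proto, len(l4hdr) + len(payload))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + l4hdr + payload) == 0


def demo() -> dict:
    """Re-encapsulate a constructed data segment, a bare SYN, and an unmapped source."""
    seg = lambda seq, flags, data: struct.pack("!HHIIBBHHH", 40000, 80, seq, 1, 5 << 4, flags, 8192, 0, 0) + data
    samples = {
        "data": _ip_header("10.0.0.5", "192.168.1.10", IPPROTO_TCP, 25) + seg(1000, 0x18, b"hello"),
        "syn": _ip_header("10.0.0.5", "192.168.1.10", IPPROTO_TCP, 20) + seg(999, 0x02, b""),
        "unmapped": _ip_header("10.0.0.9", "192.168.1.10", IPPROTO_TCP, 20) + seg(999, 0x02, b""),
    }
    out = {}
    for name, p in samples.items():
        new = reencapsulate(p)
        if new is None:
            out[name] = None
            continue
        src, _, _, _, l4hdr, payload = split(new)
        out[name] = (src, struct.unpack("!H", l4hdr[:2])[0], payload, checksums_ok(new))
    return out
```

Rebuilding the header in step 4.1 is what makes the topology hiding effective: the original IP identification, TTL, options and TCP options never reach network B, so neither the host's real address nor header fields that could carry side information cross the channel.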
Step 5: data sending: the data transmission module processes the received ARP broadcast frames, ARP reply frames and IP packets respectively as follows:
Step 5.1: for an ARP broadcast frame: the forward data transmission module, for ARP broadcast frames forwarded by the reverse data acquisition, constructs an ARP reply frame from the IP and MAC address in the address configuration rule table and sends it to network B; for ARP broadcast frames obtained by the forward data acquisition of step 1.1, the reverse data transmission module constructs the corresponding ARP reply frame from the IP and MAC address in the address configuration rule table and sends it to network A;
Step 5.2: for an ARP reply frame, add the <IP, MAC> address pair in the ARP reply frame to the ARP mapping table;
Step 5.3: for an IP packet sent by step 4, check whether the address forwarding table contains the MAC address of the destination IP; if so, construct a data frame and send it directly to network B, otherwise go to step 5.4;
Step 5.4: look up the corresponding entry in the routing table; if no corresponding routing entry is found, configure the route and look it up again. If a corresponding routing entry is found, obtain the IP address of the next-hop router and look up the corresponding MAC address in the ARP mapping table by the router's IP address; if it is not found, construct an ARP broadcast frame to query the router's MAC address, temporarily cache the IP packet, wait for the reverse data acquisition to forward back the ARP reply frame, and go to step 5.2 to process that ARP reply frame and so obtain the router's MAC address; if it is found, construct the data frame, send it to network B and update the forwarding table at the same time. The address forwarding table contains the mapping of destination IP addresses to destination MAC addresses; each <IP, MAC> mapping is given a lifetime, and mappings that have timed out are deleted from the address forwarding table. The address forwarding table (AFT), routing table and ARP mapping table are updated by adaptive learning, and the data for this must be provided by the reverse data acquisition.
The address forwarding table (AFT), routing table, ARP mapping table and similar information used in this step can be implemented in dedicated hardware or in software. The AFT contains the mapping of destination IP addresses to destination MAC addresses; the lifetime of each <destination IP, destination MAC> pair is set according to the network environment, and a mapping is deleted once it times out.
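An added example, not the patent's or the assignee's code, of the step 5 forward sender in Python with the three tables the text names: an address forwarding table with per-entry lifetimes, a routing table with longest-prefix lookup, and an ARP mapping table learned from replies. A packet whose next hop has no known MAC is cached while an ARP request goes out and is released when the reply arrives (steps 5.2 and 5.4). Table layout, timeouts, addresses and the injectable clock are assumptions.

```python
import ipaddress
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Tuple

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def arp_frame(sha: bytes, spa: str, oper: int, tha: bytes, tpa: str) -> bytes:
    """Ethernet+ARP frame; a request is broadcast, a reply is unicast to tha."""
    body = (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, oper) + sha + ipaddress.IPv4Address(spa).packed
            + tha + ipaddress.IPv4Address(tpa).packed)
    return (BROADCAST if oper == ARP_REQUEST else tha) + sha + struct.pack("!H", ETH_P_ARP) + body


def ip_packet(src: str, dst: str) -> bytes:
    """Constructed header-only IPv4 packet; only the destination matters to the sender."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


class ForwardSender:
    """Step 5 data transmission module toward network X (assumed structures and timeouts).

    routes: (prefix, next-hop IP or None for on-link). clock: injectable time source.
    """

    def __init__(self, own_mac: bytes, own_ip: str, routes: Sequence[Tuple[str, Optional[str]]],
                 aft_ttl: float, clock):
        self.own_mac, self.own_ip = own_mac, own_ip            # address configuration rule table
        self.routes = [(ipaddress.ip_network(n), gw) for n, gw in routes]
        self.aft: Dict[str, Tuple[bytes, float]] = {}           # dest IP -> (MAC, expiry time)
        self.arp_map: Dict[str, bytes] = {}                     # IP -> MAC learned from replies
        self.pending: Dict[str, List[bytes]] = defaultdict(list)  # next hop -> cached packets
        self.aft_ttl, self.clock = aft_ttl, clock
        self.wire: List[bytes] = []                             # frames handed to network X

    def on_arp_request(self, frame: bytes) -> bool:
        """Step 5.1: answer 'who has own_ip' with the configured IP/MAC; ignore other targets."""
        arp = frame[14:42]
        if arp[24:28] != ipaddress.IPv4Address(self.own_ip).packed:
            return False
        self.wire.append(arp_frame(self.own_mac, self.own_ip, ARP_REPLY,
                                   arp[8:14], str(ipaddress.IPv4Address(arp[14:18]))))
        return True

    def on_arp_reply(self, frame: bytes) -> int:
        """Step 5.2: learn <IP, MAC>, then release packets cached while waiting for it."""
        arp = frame[14:42]
        spa = str(ipaddress.IPv4Address(arp[14:18]))
        self.arp_map[spa] = arp[8:14]
        cached = self.pending.pop(spa, [])
        for packet in cached:
            self.send_ip(packet)
        return len(cached)

    def _next_hop(self, dst: str) -> Optional[str]:
        """Step 5.4 routing lookup: longest prefix wins; on-link means the host itself."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, gw) for net, gw in self.routes if addr in net]
        if not matches:
            return None
        net, gw = max(matches, key=lambda m: m[0].prefixlen)
        return gw or dst

    def send_ip(self, packet: bytes) -> str:
        """Steps 5.3/5.4 for one IP packet: 'sent', 'queued' (awaiting ARP) or 'noroute'."""
        dst = str(ipaddress.IPv4Address(packet[16:20]))
        now = self.clock()
        entry = self.aft.get(dst)
        if entry is not None and entry[1] > now:               # 5.3: live AFT hit
            self.wire.append(entry[0] + self.own_mac + struct.pack("!H", ETH_P_IP) + packet)
            return "sent"
        self.aft.pop(dst, None)                                 # timed-out mapping is deleted
        nh = self._next_hop(dst)
        if nh is None:
            return "noroute"                                    # the text: configure a route, retry
        mac = self.arp_map.get(nh)
        if mac is None:
            if not self.pending[nh]:                            # one query per outstanding next hop
                self.wire.append(arp_frame(self.own_mac, self.own_ip, ARP_REQUEST, b"\x00" * 6, nh))
            self.pending[nh].append(packet)
            return "queued"
        self.wire.append(mac + self.own_mac + struct.pack("!H", ETH_P_IP) + packet)
        self.aft[dst] = (mac, now + self.aft_ttl)               # learn the forwarding entry
        return "sent"


def demo() -> List[str]:
    """Walk packets through the tables with a fake clock; returns the outcome sequence."""
    t = [0.0]
    s = ForwardSender(bytes.fromhex("02005e0000b1"), "192.168.1.2",
                      [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")], 300.0, lambda: t[0])
    log = [s.send_ip(ip_packet("172.16.0.1", "192.168.1.10"))]       # no MAC yet: queued + ARP request
    s.on_arp_reply(arp_frame(bytes.fromhex("0200aa000010"), "192.168.1.10", ARP_REPLY, s.own_mac, s.own_ip))
    log.append("flushed" if not s.pending and "192.168.1.10" in s.aft else "stuck")
    log.append(s.send_ip(ip_packet("172.16.0.1", "192.168.1.10")))   # AFT hit
    t[0] = 400.0                                                      # AFT entry has expired
    log.append(s.send_ip(ip_packet("172.16.0.1", "192.168.1.10")))   # ARP map still knows it
    log.append(s.send_ip(ip_packet("172.16.0.1", "8.8.8.8")))        # via router 192.168.1.1
    return log
```

Because the reply that releases a cached packet can only arrive through the reverse data acquisition, the lifetime on AFT entries is what bounds how long a stale MAC keeps being used after a host moves; the routing and ARP tables are filled the same way, which is the adaptive learning the text describes.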
Step 6: repeat steps 1 to 5 above until the information exchange is complete.
Network security based on half-duplex channel disclosed by the invention isolation and Information Exchange System, information exchange ability between the net with reliable high rate, major deployments in can not directly interconnected and there is information sharing demand two or more networks between.Network security isolation of the present invention adopts standalone module with Information Exchange System, and independent of one another between module, the realization of each module can adopt hardware implementing, can adopt software simulating, and the mode that also software restraint can be adopted to combine realizes.
Access network Secure isolation and Information Exchange System: system access position is network egress switch or router, access point is the critical point module of switch or router, system is disposed as shown in (a) and (b) of Fig. 2, and access way is the unidirectional connection of optical fiber.In (a) of Fig. 2, network security isolation and Information Exchange System access between A network switch and B network switch; In (b) of Fig. 2, network security isolation and Information Exchange System access between A network switch and B net egress router.
Network security of the present invention isolation mainly comprises as lower module with Information Exchange System: data acquisition module, protocol assembly module, Data Audit module, information unload and package module and data transmission blocks.These modules by data from A net one-way transmission to B net, or by data from B net one-way transmission to A net.Modules is along the unidirectional connection of data flow direction.As shown in Figure 3, be network security isolation and the structural representation of Information Exchange System.The function of modules is described below in conjunction with Fig. 3.
Before operation, the network security isolation and information exchange system is first initialized; initialization means reading the system's configuration information from the configuration management file. The configuration comprises the IP address of the data acquisition module, the audit configuration rules, the packaging configuration rules, the address configuration rule table, the address forwarding table (AFT), the routing table and the ARP mapping table. Once the configuration has loaded successfully, the system listens on the network interface card and waits to receive data.
The AFT, routing table and ARP mapping table may be implemented in dedicated hardware or in software. The AFT holds the mappings from destination IP address to destination MAC address; the lifetime of each <IP, MAC> entry is configured according to the network environment, and entries that time out are deleted. The AFT improves the efficiency of data forwarding.
The case of one-way data transmission from network A to network B is described below.
Data acquisition module: collects the data frames of network A from the specified network interface. The collected frames are classified and handled as follows: (1) if the frame is an ARP broadcast frame that queries the MAC address of this network interface card, it is forwarded over the one-way data channel to the reverse data transmission module; otherwise the ARP broadcast frame is discarded. The reverse data transmission module is the data transmission module that sends data to network A, that is, in the direction opposite to the A-to-B one-way transmission; it constructs an ARP reply frame from the IP and MAC address in the address configuration rule table and sends it to network A. (2) If the frame is an ARP reply frame answering a query for this network interface card's MAC address, it is forwarded over the one-way data channel to the reverse data transmission module; otherwise the ARP reply frame is discarded. (3) If the frame is an Ethernet frame carrying the IP protocol, it is sent over the one-way channel to the protocol assembly module. (4) Any frame not belonging to cases (1) to (3) is discarded.
Protocol assembly module: restores the upper-layer protocol of the IP packet carried in the Ethernet frame and parses out the upper-layer application protocol over TCP or UDP. The restored TCP or UDP packet is forwarded one way to the data audit module. Specifically: if the protocol of the IP packet is TCP, the TCP packet undergoes protocol restoration and, once the upper-layer application protocol has been identified, the restored data stream is forwarded one way to the data audit module; if the protocol of the IP packet is UDP, the UDP packet undergoes protocol restoration and, once the upper-layer application protocol has been identified, the restored data stream is forwarded one way to the data audit module; if the IP packet carries any other protocol, the packet is discarded.
Data audit module: filters and examines packets according to the audit configuration rules; legal packets are forwarded to the information unloading and packaging module, and all others are discarded. The audit configuration rules include, but are not limited to, any combination of a white list, the five-tuple, and protocol feature strings obtained by machine learning. The five-tuple comprises source IP, destination IP, source port, destination port and protocol.
Information unloading and packaging module: extracts the payload of the packet and, according to the packaging configuration rules, reassembles it into a new packet. The packaging configuration rules record address and port mappings: the source IP address and source port are translated into a different address and port, so that the local network is transparent to the peer network and packets sent from network A to network B hide the topology of network A from network B. The address and port mappings recorded in the packaging configuration rules are reversible mapping pairs; through these mappings the topology of network A is hidden from network B, and one-way transmission and isolation of packets is achieved. If the packet carries payload, the one-way transmission of the packet is interrupted, the payload is extracted and re-encapsulated into a new packet using the mapped address and port from the packaging configuration rules, and the new packet is forwarded one way to the data transmission module. If the packet carries no payload, it is forwarded one way to the data transmission module directly, or after specific fields in the packet have been modified according to the mapped address and port from the packaging configuration rules. The specific fields include, but are not limited to, the source IP and source port.
For one-way data transmission from network A to network B, the forward data transmission module sends data one way to network B and the reverse data transmission module sends data one way to network A. For data transmission from network B to network A, the forward data transmission module sends data one way to network A and the reverse data transmission module sends data one way to network B. The function of the data transmission module is illustrated below for the forward data transmission module of the A-to-B data flow.
The data transmission module mainly constructs data frames from packets according to the address forwarding table (AFT) and sends them over the one-way channel to network B. It receives three kinds of data: ARP broadcast frames, ARP reply frames and IP packets. For an ARP broadcast frame, it constructs an ARP reply frame from the IP and MAC address in the address configuration rule table and sends it to network B. For an ARP reply frame, it adds the <IP, MAC> address pair carried in the reply to the ARP mapping table. For an ordinary IP packet sent by the information unloading and packaging module, it checks whether the AFT holds the MAC address of the destination IP; if so, it constructs a data frame and sends it directly to network B; otherwise it looks up the corresponding entry in the routing table. If no routing entry is found, a route must be configured. If an entry is found, it obtains the IP address of the next-hop router and looks up the router's MAC address in the ARP mapping table by that IP address; if the MAC address is not found, it constructs an ARP broadcast frame to query the router's MAC address, temporarily caches the IP packet to be sent, and waits for the forwarded ARP reply frame to obtain the router's MAC address. After obtaining the router's MAC address, it constructs the data frame, sends it to network B, and at the same time updates the forwarding table. Updating the forwarding table means adding the newly discovered mapping of destination IP to MAC address to the table. The address configuration rule table records the IP and MAC address of the upstream network interface card, that is, of the data acquisition module, and is used when constructing ARP reply packets: when the data transmission module receives an ARP broadcast frame, it constructs the ARP reply frame from the data acquisition module's IP and MAC recorded in the address configuration rule table, replying as a proxy for the upstream network interface card. The IP address of the forwarding router is obtained from the routing table, and the MAC address corresponding to a known IP address is obtained from the ARP mapping table.
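The forward data transmission module's handling of ARP broadcast frames, ARP reply frames and IP packets described above, including AFT entry lifetimes and the temporary cache of packets waiting for an ARP reply (also the substance of steps 5.1 to 5.4 of claim 5), as an added Python example that is not the patent's own code. The routing table, addresses, lifetime and the list standing in for the one-way link are constructed assumptions.

```python
"""Added example (not the patent's code): decision logic of the forward
data transmission module. Tables and addresses are constructed."""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional

# Constructed identity of the data acquisition module, i.e. what the
# address configuration rule table records for ARP proxy replies.
ACQ_IP, ACQ_MAC = "10.1.0.2", "02:00:00:00:00:aa"


@dataclass
class AftEntry:
    mac: str
    expires_at: float  # lifetime is configured per network environment


@dataclass
class DataTransmissionModule:
    aft_lifetime: float = 300.0
    aft: dict = field(default_factory=dict)        # dst IP -> AftEntry
    routes: list = field(default_factory=list)     # (network, next-hop IP)
    arp_table: dict = field(default_factory=dict)  # IP -> MAC learned from ARP replies
    pending: dict = field(default_factory=dict)    # next-hop IP -> [(dst IP, packet)]
    link: list = field(default_factory=list)       # frames emitted onto the one-way channel

    # 5.1: ARP broadcast frame: answer only queries for the acquisition
    # module's own IP, using the identity from the address configuration rule table.
    def on_arp_request(self, target_ip: str, sender_ip: str, sender_mac: str) -> bool:
        if target_ip != ACQ_IP:
            return False  # not for us: nothing about either network is revealed
        self.link.append(("ARP_REPLY", sender_mac, sender_ip, ACQ_MAC, ACQ_IP))
        return True

    # 5.2: ARP reply frame: learn <IP, MAC>, then release packets cached on it.
    def on_arp_reply(self, ip: str, mac: str, now: float) -> int:
        self.arp_table[ip] = mac
        flushed = 0
        for dst_ip, packet in self.pending.pop(ip, []):
            self._emit(dst_ip, mac, packet, now)
            flushed += 1
        return flushed

    # 5.3 / 5.4: IP packet handed over by the information unloading and packaging module.
    def send_ip(self, dst_ip: str, packet: bytes, now: float) -> str:
        self._expire(now)
        entry = self.aft.get(dst_ip)
        if entry:
            self._emit(dst_ip, entry.mac, packet, now)
            return "sent-aft"
        next_hop = self._lookup_route(dst_ip)
        if next_hop is None:
            return "no-route"  # a route has to be configured first
        mac = self.arp_table.get(next_hop)
        if mac:
            self._emit(dst_ip, mac, packet, now)
            return "sent-routed"
        # Next-hop MAC unknown: query once per next hop, cache the packet
        # until the reply comes back through the reverse direction.
        if next_hop not in self.pending:
            self.link.append(("ARP_REQUEST", ACQ_MAC, ACQ_IP, next_hop))
        self.pending.setdefault(next_hop, []).append((dst_ip, packet))
        return "queued-arp"

    def _lookup_route(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match over the configured routing table."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for network, next_hop in self.routes:
            net = ipaddress.ip_network(network)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, next_hop)
        return best[1] if best else None

    def _emit(self, dst_ip: str, dst_mac: str, packet: bytes, now: float) -> None:
        self.link.append(("FRAME", dst_mac, dst_ip, packet))
        # Update the forwarding table with the newly found dst IP -> MAC mapping.
        self.aft[dst_ip] = AftEntry(dst_mac, now + self.aft_lifetime)

    def _expire(self, now: float) -> None:
        """Delete AFT entries whose configured lifetime has run out."""
        for stale in [k for k, e in self.aft.items() if e.expires_at <= now]:
            del self.aft[stale]
```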
Because the modules inside the network security isolation and information exchange system are connected unidirectionally along the direction of data flow, as shown in Fig. 3, the modules are connected as follows. The upper engine controlling the A-to-B data stream is engine I, and the lower engine controlling the B-to-A data stream is engine II. Engines I and II each have data transmit/receive ports at the network A end and the network B end. At the network A end, data acquisition module I of engine I is connected unidirectionally to data transmission module II of engine II; at the network B end, data acquisition module II of engine II is connected unidirectionally to data transmission module I of engine I. Data transmission module II thus acts as the reverse data transmission module for A-to-B one-way transfer, and data transmission module I acts as the reverse data transmission module for B-to-A one-way transfer. Each engine comprises one data acquisition module, one data transmission module, one protocol assembly module, one data audit module and one information unloading and packaging module. Engine I: the input port at the network A end connects to data acquisition module I; the output of data acquisition module I connects unidirectionally to protocol assembly module I; the output of protocol assembly module I connects unidirectionally to data audit module I; the output of data audit module I connects unidirectionally to information unloading and packaging module I; the output of information unloading and packaging module I connects unidirectionally to data transmission module I; and the output of data transmission module I connects unidirectionally to the output port at the network B end. Engine II connects data acquisition module II to the input port at the network B end, and the connection structure of its modules along the B-to-A data flow is identical to that of engine I along the A-to-B data flow; in the figure the modules are distinguished by appending the engine numbers I and II to the module names.
Data frames are collected from the specified network interface by a special packet processing method. The method is: at the data link layer, judge whether the frame is an ARP frame and verify whether its content concerns this network interface card; if so, modify the forwarding path of the ARP frame and forward it to the reverse data transmission module, otherwise discard the frame. If the frame is an Ethernet frame carrying IP, forward it directly to the protocol assembly module; if it is neither, discard the frame. This special packet processing method improves on existing packet processing methods: to improve performance it avoids copying through the kernel, and to improve security it does not pass through the traditional TCP/IP protocol stack.
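The frame classification of the data acquisition module (cases (1) to (4) in the module description above and the special packet processing method just described) together with the TCP/UDP-only restoration step of the protocol assembly module, as an added Python example that is not the patent's own code. The NIC identity, the frame builders and all addresses are constructed assumptions; a real implementation would read frames from the interface rather than build them.

```python
"""Added example (not the patent's code): data acquisition classification
and the protocol assembly step. All addresses are constructed samples."""
import struct
from enum import Enum

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
IPPROTO_TCP, IPPROTO_UDP = 6, 17


class Action(Enum):
    TO_REVERSE_SENDER = "forward to reverse data transmission module"
    TO_PROTOCOL_MODULE = "forward to protocol assembly module"
    DROP = "discard frame"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


# Constructed identity of this NIC (what the address configuration rule
# table records for the data acquisition module).
OUR_MAC, OUR_IP = mac("02:00:00:00:00:aa"), ip("10.1.0.2")


def build_arp(op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Ethernet + ARP frame (constructed test input)."""
    dst = mac("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else tha
    eth = dst + sha + struct.pack("!H", ETH_ARP)
    return eth + struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, op) + sha + spa + tha + tpa


def build_ipv4(proto: int, src: bytes, dst: bytes, l4: bytes,
               src_mac: bytes = mac("02:00:00:00:00:01")) -> bytes:
    """Ethernet + IPv4 frame around a caller-supplied transport segment."""
    eth = OUR_MAC + src_mac + struct.pack("!H", ETH_IPV4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return eth + hdr + l4


def classify(frame: bytes, our_mac: bytes = OUR_MAC, our_ip: bytes = OUR_IP) -> Action:
    """Cases (1) to (4) of the data acquisition module."""
    if len(frame) < 14:
        return Action.DROP
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == ETH_ARP:
        if len(body) < 28:
            return Action.DROP
        hw, proto, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
        if (hw, proto, hlen, plen) != (1, ETH_IPV4, 6, 4):
            return Action.DROP
        tha, tpa = body[18:24], body[24:28]
        # (1) ARP request asking for this NIC's MAC: target IP must be ours
        if op == ARP_REQUEST and tpa == our_ip:
            return Action.TO_REVERSE_SENDER
        # (2) ARP reply addressed to this NIC
        if op == ARP_REPLY and tha == our_mac and tpa == our_ip:
            return Action.TO_REVERSE_SENDER
        return Action.DROP  # ARP traffic about other hosts never crosses
    if ethertype == ETH_IPV4:
        # (3) IPv4 frame: require a sane header before handing it on
        if len(body) < 20 or body[0] >> 4 != 4 or (body[0] & 0x0F) < 5:
            return Action.DROP
        return Action.TO_PROTOCOL_MODULE
    return Action.DROP  # (4) anything else (IPv6, VLAN, LLDP, ...)


def restore_transport(frame: bytes):
    """Protocol assembly step: (proto, sport, dport, payload) for TCP or
    UDP; None means the IP packet carries another protocol and is dropped."""
    pkt = frame[14:]
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    seg = pkt[ihl:total]
    if proto == IPPROTO_TCP and len(seg) >= 20:
        sport, dport = struct.unpack("!HH", seg[:4])
        doff = (seg[12] >> 4) * 4
        return ("tcp", sport, dport, seg[doff:])
    if proto == IPPROTO_UDP and len(seg) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", seg[:6])
        return ("udp", sport, dport, seg[8:ulen])
    return None
```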

Claims (8)

1. A network security isolation and information exchange system based on a one-way channel, for transmitting data one way from network A to network B, characterized in that the network security isolation and information exchange system comprises a data acquisition module, a protocol assembly module, a data audit module, an information unloading and packaging module and a data transmission module;
the data acquisition module collects the data frames of network A from a specified network interface and classifies them as follows: (1) if the frame is an ARP broadcast frame that queries the MAC address of this network interface card, the ARP broadcast frame is forwarded over the one-way data channel to the reverse data transmission module, otherwise it is discarded; (2) if the frame is an ARP reply frame answering a query for this network interface card's MAC address, the ARP reply frame is forwarded over the one-way data channel to the reverse data transmission module, otherwise it is discarded; (3) if the frame is an Ethernet frame carrying the IP protocol, it is sent over the one-way channel to the protocol assembly module; (4) if the frame is none of an ARP broadcast frame, an ARP reply frame or an Ethernet frame carrying the IP protocol, it is discarded;
the protocol assembly module restores the upper-layer protocol of the IP packet carried in the Ethernet frame; when the protocol of the IP packet is TCP or UDP, the protocol assembly module parses out the upper-layer application protocol over TCP or UDP and forwards the restored TCP or UDP packet one way to the data audit module; when the protocol of the IP packet is neither TCP nor UDP, the packet is discarded;
the data audit module filters and examines packets according to the audit configuration rules and forwards legal packets to the information unloading and packaging module;
the information unloading and packaging module processes the received packet as follows: if the packet carries payload, the payload is extracted and, according to the packaging configuration rules, re-encapsulated into a new packet, which is forwarded one way to the data transmission module; if the packet carries no payload, then according to the packaging configuration rules the packet is forwarded one way to the data transmission module directly, or after specific fields in the packet have been modified;
for one-way data transmission from network A to network B, the forward data transmission module sends data one way to network B and the reverse data transmission module sends data one way to network A; let X be A or B;
the data transmission module handles received ARP broadcast frames, ARP reply frames and IP packets respectively as follows: (1) for an ARP broadcast frame, it constructs an ARP reply frame from the IP and MAC address in the address configuration rule table and sends it to network X, the address configuration rule table recording the IP and MAC address of the data acquisition module; (2) for an ARP reply frame, it adds the <IP, MAC> address pair carried in the reply to the ARP mapping table; (3) for an IP packet, it checks whether the address forwarding table holds the MAC address of the destination IP; if so, it constructs a data frame and sends it directly to network X; otherwise it looks up the corresponding entry in the routing table, obtains the IP address of the next-hop router and looks up the corresponding MAC address in the ARP mapping table by the router's IP address; if the MAC address is not found, it constructs an ARP broadcast frame to query the router's MAC address and waits for the forwarded ARP reply frame to obtain it; after obtaining the router's MAC address, it constructs the data frame, sends it to network X and at the same time updates the forwarding table; the address forwarding table is a mapping table of IP to MAC addresses.
2. The network security isolation and information exchange system based on a one-way channel according to claim 1, characterized in that the audit configuration rules used by the data audit module comprise: 1) a white list; 2) any combination of the five-tuple {source IP, destination IP, source port, destination port, protocol}; 3) protocol feature strings obtained by machine learning.
3. The network security isolation and information exchange system based on a one-way channel according to claim 1, characterized in that the packaging configuration rules record the mapping relations of addresses and ports, translating the source IP address and source port into a different address and port, so that packets sent from network A to network B hide the topology of network A.
4. The network security isolation and information exchange system based on a one-way channel according to claim 1, characterized in that the network security isolation and information exchange system carries out data interaction between network A and network B; let the upper engine controlling the A-to-B data stream be engine I and the lower engine controlling the B-to-A data stream be engine II; engines I and II each have data transmit/receive ports at the network A end and the network B end; each engine comprises five functional modules: a data acquisition module, a protocol assembly module, a data audit module, an information unloading and packaging module and a data transmission module; at the network A end the data acquisition module of engine I is connected unidirectionally to the data transmission module of engine II, and at the network B end the data acquisition module of engine II is connected unidirectionally to the data transmission module of engine I; in each engine, the input of the corresponding network end connects to the data acquisition module, the output of the data acquisition module connects unidirectionally to the protocol assembly module, the output of the protocol assembly module connects unidirectionally to the data audit module, the output of the data audit module connects unidirectionally to the information unloading and packaging module, the output of the information unloading and packaging module connects unidirectionally to the data transmission module, and the output of the data transmission module connects unidirectionally to the output port of the corresponding network end.
5. A network security isolation and information exchange method based on a one-way channel, in which data are sent one way from network A to network B, characterized in that it comprises the following steps:
Step 1: data acquisition: collect the data frames of network A from the specified network interface and handle each frame as follows:
Step 1.1: if the frame is an ARP broadcast frame that queries the MAC address of this network interface card, forward the ARP broadcast frame over the one-way data channel to the reverse data transmission module, otherwise discard it;
Step 1.2: if the frame is an ARP reply frame answering a query for this network interface card's MAC address, forward the ARP reply frame over the one-way data channel to the reverse data transmission module, otherwise discard it;
Step 1.3: if the frame is an Ethernet frame carrying the IP protocol, send the Ethernet frame over the one-way channel to step 2 for processing;
Step 2: protocol assembly: restore the upper-layer protocol of the IP packet carried in the Ethernet frame and parse out the upper-layer application protocol over TCP or UDP, specifically:
Step 2.1: if the protocol of the IP packet is TCP, perform protocol restoration on the TCP packet and, once the upper-layer application protocol has been identified, forward the restored TCP packet one way to step 3;
Step 2.2: if the protocol of the IP packet is UDP, perform protocol restoration on the UDP packet and, once the upper-layer application protocol has been identified, forward the restored UDP packet one way to step 3;
Step 2.3: if the protocol of the IP packet is neither TCP nor UDP, discard the packet;
Step 3: data audit: filter and examine the packets entering this step according to the audit configuration rules; forward legal packets to step 4 and discard packets that do not meet the rules;
Step 4: information unloading and packaging, specifically:
Step 4.1: if the packet carries payload, extract the payload and, using the mapped address and port from the packaging configuration rules, re-encapsulate it into a new packet, which is forwarded one way to step 5;
Step 4.2: if the packet carries no payload, then, according to the mapped address and port from the packaging configuration rules, forward the packet one way to step 5 directly, or after modifying specific fields in the packet;
Step 5: data sending: for one-way data transmission from network A to network B, the data flow sent one way to network B is the forward direction and the data flow sent one way to network A is the reverse direction; let X be A or B; the data transmission module handles received ARP broadcast frames, ARP reply frames and IP packets respectively as follows:
Step 5.1: if it is an ARP broadcast frame, construct an ARP reply frame from the IP and MAC address in the address configuration rule table and send it to network X;
Step 5.2: if it is an ARP reply frame, add the <IP, MAC> address pair carried in the reply to the ARP mapping table;
Step 5.3: if it is an IP packet, check whether the address forwarding table holds the MAC address of the destination IP; if so, construct a data frame and send it directly to network X, otherwise go to step 5.4;
Step 5.4: look up the corresponding entry in the routing table; if no entry is found, configure a route and look up again; if an entry is found, obtain the IP address of the next-hop router and look up the corresponding MAC address in the ARP mapping table by the router's IP address; if it is not found, construct an ARP broadcast frame to query the router's MAC address, temporarily cache the IP packet, and wait for the ARP reply frame forwarded back by the reverse data acquisition to obtain the router's MAC address; after obtaining the router's MAC address, construct the data frame, send it to network X and at the same time update the forwarding table;
Step 6: repeat steps 1 to 5 above until the data have been sent completely.
6. The network security isolation and information exchange method based on a one-way channel according to claim 5, characterized in that the audit configuration rules in step 3 comprise: 1) a white list; 2) any combination of the five-tuple {source IP, destination IP, source port, destination port, protocol}; 3) protocol feature strings obtained by machine learning.
7. The network security isolation and information exchange method based on a one-way channel according to claim 5, characterized in that the packaging configuration rules in step 4 record the mapping relations of addresses and ports, translating the source IP address and source port into a different address and port, so that packets sent from network A to network B hide the topology of network A.
8. The network security isolation and information exchange method based on a one-way channel according to claim 5, characterized in that the address forwarding table in step 5 comprises the mappings from destination IP address to destination MAC address, a lifetime is set for each <IP, MAC> mapping relation, and mappings that time out are deleted from the address forwarding table.
Application CN201410652474.4A, priority date 2014-11-17, filing date 2014-11-17: Network security isolation and information exchange method and system based on a one-way channel. Status: active; granted as CN104363231B.
Publications (2)

Publication number, publication date:
CN104363231A, 2015-02-18
CN104363231B, 2017-09-19