CN106657003A - Flexible and software-definable network security isolation method - Google Patents


Info

Publication number: CN106657003A
Application number: CN201610995528.6A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: networks, host computer, network, virtual host, network security
Inventors: 李威, 李健俊, 徐元根, 汤尧平, 李钰靓, 王正敏, 杜旋, 董惠良
Applicant and current assignee: China Tobacco Zhejiang Industrial Co Ltd
Legal status: listed as pending; the legal events at the end of this page record a rejection of the application after publication (RJ01)


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls


Abstract

The invention belongs to the technical field of security isolation and information exchange for computer network information systems, and in particular concerns a network security isolation method for the secure interconnection of multiple systems. It provides a flexible, software-definable network security isolation method: through protocol conversion between multiple virtual hosts, data is exchanged between freely defined networks while those networks remain isolated from each other. By means of software definition, multiple different virtual hosts are each connected to one of the networks that are to be isolated, and network security isolation and information exchange are implemented between the virtual hosts.

Description

A flexible, software-definable network security isolation method
Technical field
The invention relates to the technical field of security isolation and information exchange for computer network information systems, and in particular to a network security isolation method for the secure interconnection of multiple systems.
Background technology
Traditional network security isolation systems mostly adopt a "2+1" architecture (two host systems, with dedicated hardware and a private communication protocol between the hosts) or a three-host, three-system architecture (three host systems, again with dedicated hardware and a private communication protocol between the hosts). Such a system only addresses one-to-one network security isolation between two networks: it can only isolate the two different networks that are connected to its two end hosts. When several different networks are involved, or when the network structure changes, such a system cannot be applied. A network security isolation method that can be freely defined and flexibly changed is therefore needed.
Summary of the invention
To solve the above technical problem, the object of the invention is to provide a flexible, software-definable network security isolation method which, by means of software definition, connects multiple different virtual hosts to the networks that require network security isolation and builds network security isolation and information exchange between those virtual hosts.
To achieve this object, the invention adopts the following technical scheme:
A flexible, software-definable network security isolation method, comprising the following steps:
1) When network A needs to exchange data with network B in a network-security-isolated manner, the software definition module on the host enables virtual host VMA and virtual host VMB, where VMA communicates with network A and VMB communicates with network B.
2) The software definition module on the host defines that data is ferried between virtual host VMA and virtual host VMB using a private communication protocol.
3) When virtual host VMA receives exchange data from network A, it ferries the data to virtual host VMB over the defined private communication protocol, and virtual host VMB sends the received ferried data to network B over a general-purpose network protocol.
4) For the isolation and exchange requirements of further networks, such as network C and network D, the software definition module on the host likewise defines the virtual hosts connected to them and completes the ferrying of data between the different virtual hosts over the private communication protocol, so that the method flexibly adapts to multi-network and complex-network isolation requirements.
By adopting the above scheme, the invention realizes data exchange under network isolation between freely defined networks through protocol conversion between multiple virtual hosts; and, by means of software definition, it connects multiple different virtual hosts to the networks that require network security isolation and builds network security isolation and information exchange between the virtual hosts.
Description of the drawings
Fig. 1 is a diagram of a concrete implementation of the invention.
Specific embodiment
The specific embodiment of the invention is explained in detail below with reference to the drawing.
As shown in Fig. 1, a flexible, software-definable network security isolation method comprises the following steps:
1) When network A needs to exchange data with network B in a network-security-isolated manner, the software definition module on the host enables virtual host VMA and virtual host VMB, where VMA communicates with network A and VMB communicates with network B.
2) The software definition module on the host defines that data is ferried between virtual host VMA and virtual host VMB using a private communication protocol.
3) When virtual host VMA receives exchange data from network A, it ferries the data to virtual host VMB over the defined private communication protocol, and virtual host VMB sends the received ferried data to network B over a general-purpose network protocol.
4) For the isolation and exchange requirements of further networks, such as network C and network D, the software definition module on the host likewise defines the virtual hosts connected to them and completes the ferrying of data between the different virtual hosts over the private communication protocol, so that the method flexibly adapts to multi-network and complex-network isolation requirements.
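The four steps above (and their restatement in the summary) describe a procedure without fixing any protocol details, so the following is an added example written for this page, not code from the patent or its applicant. It simulates the host's software definition module: virtual hosts are enabled and bound to exactly one network each, a ferry is an explicitly defined one-directional channel between two virtual hosts, and what crosses a ferry is only an application payload wrapped in a private frame, so no IP/TCP header from network A is ever forwarded into network B. The frame layout, the per-ferry HMAC key, the hypothetical names VMA/VMB/VMC and all payloads are assumptions constructed for the example; the patent does not specify any of them.

```python
"""Added example, not code from the patent: a host-side simulation of the method.
The host process plays the "software definition module"; each virtual host is bound
to one network; a ferry is an explicitly defined one-directional channel between two
virtual hosts carrying an application payload inside a private frame.
Frame layout, per-ferry HMAC keys and the names VMA/VMB/VMC are assumptions."""
import hashlib
import hmac
import secrets
import struct
from collections import defaultdict

MAGIC = b"FRY1"                    # assumed marker of the private protocol
HEADER = struct.Struct("!4sBBI")   # magic, len(src), len(dst), len(payload)
TAG_LEN = 32                       # HMAC-SHA256 tag at the end of every frame
MAX_PAYLOAD = 64 * 1024            # bound on what one frame may carry

class FerryError(Exception):
    """Any frame that deviates from the defined ferry policy or frame format."""

def encode_frame(key, src, dst, payload):
    """Wrap an application payload in the private ferry frame and authenticate it."""
    if len(payload) > MAX_PAYLOAD:
        raise FerryError("payload exceeds ferry limit")
    s, d = src.encode(), dst.encode()
    body = HEADER.pack(MAGIC, len(s), len(d), len(payload)) + s + d + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def decode_frame(lookup_key, frame):
    """Parse a frame, then verify its tag with the key of the (src, dst) ferry it names;
    lookup_key(src, dst) returns that key, or None when no such ferry is defined."""
    if len(frame) < HEADER.size + TAG_LEN:
        raise FerryError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    magic, slen, dlen, plen = HEADER.unpack_from(body)
    if magic != MAGIC or len(body) != HEADER.size + slen + dlen + plen:
        raise FerryError("bad magic or length fields")
    src = body[HEADER.size:HEADER.size + slen].decode()
    dst = body[HEADER.size + slen:HEADER.size + slen + dlen].decode()
    key = lookup_key(src, dst)
    if key is None:
        raise FerryError(f"no ferry defined for {src}->{dst}")
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise FerryError("tag mismatch: frame was not produced by the defined ferry")
    return src, dst, body[HEADER.size + slen + dlen:]

class IsolationHost:
    """The host's software definition module (steps 1, 2 and 4 of the method)."""
    def __init__(self):
        self.vms = {}                       # virtual host -> the one network it talks to
        self.ferries = {}                   # (src_vm, dst_vm) -> per-ferry key
        self.delivered = defaultdict(list)  # network -> payloads handed over by its VM

    def enable_virtual_host(self, vm, network):
        if vm in self.vms:
            raise ValueError(f"{vm} is already enabled")
        self.vms[vm] = network

    def define_ferry(self, src, dst):
        """Permit src -> dst only; the reverse direction must be defined separately."""
        if src not in self.vms or dst not in self.vms:
            raise ValueError("both virtual hosts must be enabled first")
        if self.vms[src] == self.vms[dst]:
            raise ValueError("a ferry must cross two different networks")
        self.ferries[(src, dst)] = secrets.token_bytes(32)

    def exchange(self, src, dst, payload):
        """Step 3: src has received payload from its network; ferry it to dst."""
        key = self.ferries.get((src, dst))
        if key is None:
            raise FerryError(f"no ferry defined for {src}->{dst}")
        return self.receive(encode_frame(key, src, dst, payload))

    def receive(self, frame):
        """Destination side: validate, hand the payload to dst's network, report which."""
        src, dst, payload = decode_frame(lambda s, d: self.ferries.get((s, d)), frame)
        self.delivered[self.vms[dst]].append(payload)
        return self.vms[dst]

def demo():
    """Run the A->B case, extend to C (step 4), then show three rejected frames."""
    host = IsolationHost()
    host.enable_virtual_host("VMA", "A")
    host.enable_virtual_host("VMB", "B")
    host.define_ferry("VMA", "VMB")
    out = {"a_to_b": host.exchange("VMA", "VMB", b"report.csv contents")}  # constructed
    host.enable_virtual_host("VMC", "C")            # network C appears later; A and B untouched
    host.define_ferry("VMB", "VMC")
    out["b_to_c"] = host.exchange("VMB", "VMC", b"summary for C")
    for name, src, dst in (("a_to_c", "VMA", "VMC"), ("b_to_a", "VMB", "VMA")):
        try:                                         # no ferry was defined in these directions
            host.exchange(src, dst, b"x")
            out[name] = "allowed"
        except FerryError:
            out[name] = "rejected"
    frame = bytearray(encode_frame(host.ferries[("VMA", "VMB")], "VMA", "VMB", b"hello"))
    frame[-TAG_LEN - 1] ^= 0x01                      # one payload byte altered in transit
    try:
        host.receive(bytes(frame))
        out["tampered"] = "accepted"
    except FerryError:
        out["tampered"] = "rejected"
    out["delivered_to_B"] = host.delivered["B"]
    return out
```

Running `demo()` yields `"B"` and `"C"` for the two defined ferries, `"rejected"` for VMA->VMC, VMB->VMA and the tampered frame, and only the VMA->VMB payload in network B's delivery list. Two points the simulation makes explicit that the patent text leaves implicit: the ferry is a policy object, so adding network C means enabling VMC and defining exactly the ferries that should exist rather than re-wiring A and B, and the destination virtual host re-originates traffic onto its own network under a general-purpose protocol, so the isolation holds only as long as the host keeps each virtual host reachable from one network alone. The HMAC tag is this example's stand-in for "only frames produced by a host-defined ferry are accepted"; the patent does not specify how the private protocol is protected, nor how the virtual hosts are isolated from one another on the shared host, and both remain the implementer's responsibility.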

Claims (1)

1. A flexible, software-definable network security isolation method, characterized in that the method comprises the following steps:
1) When network A needs to exchange data with network B in a network-security-isolated manner, the software definition module on the host enables virtual host VMA and virtual host VMB, where VMA communicates with network A and VMB communicates with network B.
2) The software definition module on the host defines that data is ferried between virtual host VMA and virtual host VMB using a private communication protocol.
3) When virtual host VMA receives exchange data from network A, it ferries the data to virtual host VMB over the defined private communication protocol, and virtual host VMB sends the received ferried data to network B over a general-purpose network protocol.
4) For the isolation and exchange requirements of further networks, such as network C and network D, the software definition module on the host likewise defines the virtual hosts connected to them and completes the ferrying of data between the different virtual hosts over the private communication protocol, so that the method flexibly adapts to multi-network and complex-network isolation requirements.

Application and family data

Application number: CN201610995528.6A
Priority date and filing date: 2016-11-11
Publication: CN106657003A, published 2017-05-10
Family ID: 58805855 (one family application, CN201610995528.6A)
Country status: CN, CN106657003A (pending at publication)
Title: Flexible and software-definable network security isolation method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104363159A (en) * 2014-07-02 2015-02-18 北京邮电大学 Virtual open network building system and method based on software definition network
CN105227344A (en) * 2015-08-21 2016-01-06 武汉烽火网络有限责任公司 Based on software defined network analogue system and the method for OpenStack
CN106027511A (en) * 2016-05-13 2016-10-12 北京工业大学 Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol)



Legal Events

Date Code Title Description
2017-05-10 PB01 Publication (application publication date: 20170510)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication