CN106998333A - A bidirectional network security isolation system and method - Google Patents

Info

Publication number: CN106998333A
Authority: CN (China)
Application number: CN201710374477.XA
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: data, intranet, outer net, processing module, module
Inventors: 王继志, 杨光, 陈丽娟, 杨英
Current assignee: Shandong Computer Science Center (National Super Computing Center in Jinan)
Original assignee: Shandong Computer Science Center
Events: application filed by Shandong Computer Science Center; priority to CN201710374477.XA; publication of CN106998333A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a bidirectional network security isolation system and method. The system comprises an external network processing module, an intranet processing module and a transition region. The external network processing module is connected to the external network and is linked to the intranet processing module by a unidirectional data link; the intranet processing module is connected to the intranet and is linked to the transition region by a switched unidirectional data link; the transition region is linked to the external network processing module by a switched unidirectional data link. When the external network sends data to the intranet, the external network processing module passes the external data directly to the intranet processing module over the unidirectional data link. When the intranet sends data to the external network, the intranet processing module first sends the intranet data over the switched unidirectional data link to the transition region, where it is staged; the transition region then forwards the transition data to the external network processing module over its switched unidirectional data link. The invention can securely isolate networks of different security levels while still providing bidirectional data communication between them.

Description

A bidirectional network security isolation system and method
Technical field
The present invention relates to a bidirectional network security isolation system and method, and belongs to the technical field of network security.
Background technology
With the widespread adoption of the Internet, network security faces severe challenges, and security incidents occur without end. In this situation, an organization wants its internal network both to connect to the Internet for information exchange and, as far as possible, to be protected from the various network attacks that originate there. Alongside traditional defences such as firewalls and intrusion detection systems, network security isolation equipment has gradually come to play an important role.
A network security isolation device separates the organization's intranet from the external network. It inspects the data flows entering and leaving the intranet, filters out malicious code that attempts to enter the intranet and sensitive information that attempts to leave it for the external network, and physically isolates the two networks so that attacks relying on a network connection are blocked. It therefore plays an important part in protecting the organization's intranet.
Current network security isolation devices are of two kinds, unidirectional and bidirectional. A unidirectional device only allows external data to enter the intranet and never allows intranet data to flow out to the external network, which strictly guarantees that sensitive intranet data cannot leak to the external network. A bidirectional device allows data to be transferred between the internal and external networks in both directions and relies on strict inspection of the data content to prevent leakage of sensitive data.
The security of a unidirectional device rests on the classical BLP (Bell-LaPadula) security model, under which it can be proven secure. Current bidirectional devices, however, actually violate the BLP model, so their security cannot be proven theoretically. How to design a new bidirectional network security isolation system that both meets the requirements of the security model and provides bidirectional data communication has therefore become a difficult problem.
Summary of the invention
In view of the above shortcomings, the invention provides a bidirectional network security isolation system and method that can securely isolate networks of different security levels while ensuring bidirectional data communication between them.
The technical scheme adopted by the invention to solve this technical problem is as follows:
The bidirectional network security isolation system of the invention is characterized in that it comprises an external network processing module, an intranet processing module and a transition region. The external network processing module is connected to the external network and linked to the intranet processing module by a unidirectional data link; the intranet processing module is connected to the intranet and linked to the transition region by a switched unidirectional data link; the transition region is linked to the external network processing module by a switched unidirectional data link.
Preferably, the external network processing module transmits data directly to the intranet processing module over the unidirectional data link; the intranet processing module sends data to the transition region over the switched unidirectional data link for staging; and the transition region sends the transition data to the external network processing module over the switched unidirectional data link.
Preferably, the external network processing module comprises an identity authentication module, an external data buffer, an external protocol conversion module and a malicious code filtering module. The identity authentication module authenticates external users: a user who passes authentication is allowed to log in to the external network processing module, otherwise the connection request is refused. The external data buffer stores data sent from the external network to the intranet and data sent from the intranet to the external network. The external protocol conversion module parses the application-layer data out of network packets sent from the external network to the intranet according to the TCP/IP protocol, and packs data sent from the intranet to the external network into network packets according to the TCP/IP protocol. The malicious code filtering module performs malicious code detection on the application-layer data in packets sent from the external network to the intranet and filters out any malicious code that may be present.
Preferably, the intranet processing module comprises an intranet data buffer, an intranet protocol conversion module and a sensitive information filtering module. The intranet data buffer stores data sent from the external network to the intranet and data sent from the intranet to the external network. The intranet protocol conversion module parses the application-layer data out of network packets sent from the intranet to the external network according to the TCP/IP protocol, and packs data sent from the external network to the intranet into network packets according to the TCP/IP protocol. The sensitive information filtering module performs sensitive information detection on the application-layer data in packets sent from the intranet to the external network and filters out any sensitive information that may be present.
Preferably, the transition region comprises a transition data buffer, a system restore module and a data encryption module. The transition data buffer stores the transition data while the intranet is sending data to the external network; the data encryption module encrypts the data sent from the intranet to the external network; the system restore module empties the data buffer in the transition region and restores the transition region to its original state.
The bidirectional network security isolation method of the invention is characterized in that, when the external network sends data to the intranet, the external network processing module transmits the external data directly to the intranet processing module over the unidirectional data link; when the intranet sends data to the external network, the intranet processing module first sends the intranet data over the switched unidirectional data link to the transition region for staging, and the transition region then forwards the transition data to the external network processing module over the switched unidirectional data link.
Further, the process by which the external network sends data to the intranet comprises the following steps:
Step 101: the external user performs identity authentication with the identity authentication module in the external network processing module; if authentication passes, the external user is allowed to log in to the external network processing module, otherwise the connection request is refused;
Step 102: the external user transmits the data destined for the intranet user to the external network processing module according to the TCP/IP protocol;
Step 103: the external protocol conversion module parses the application-layer data out of the network packets destined for the intranet user according to the TCP/IP protocol and stores it in the external data buffer;
Step 104: the malicious code filtering module performs malicious code detection on the application-layer data in the external data buffer, filters out any malicious code that may be present, and stores the result back in the external data buffer;
Step 105: the external network processing module transmits the malicious-code-filtered data in the external data buffer to the intranet processing module over the unidirectional data link;
Step 106: the intranet processing module stores the received data in the intranet data buffer of the intranet processing module;
Step 107: the intranet protocol conversion module in the intranet processing module repacks the received data into network packets according to the TCP/IP protocol and sends them to the intranet user;
The process by which the intranet sends data to the external network comprises the following steps:
Step 201: the intranet user transmits the data to be transferred to the external user to the intranet processing module according to the TCP/IP protocol;
Step 202: the intranet processing module stores the data destined for the external user in the intranet data buffer of the intranet processing module;
Step 203: the intranet protocol conversion module parses the application-layer data out of the network packets destined for the external user according to the TCP/IP protocol and stores it in the intranet data buffer;
Step 204: the sensitive information filtering module in the intranet processing module performs sensitive information detection on the application-layer data in the intranet data buffer that is destined for the external user, filters out any sensitive information that may be present, and stores the result back in the intranet data buffer;
Step 205: the intranet processing module closes the switch of the switched unidirectional data link connected to the transition region and transfers the sensitive-information-filtered data in the intranet data buffer to the transition region over that link;
Step 206: when the data transfer is complete, the intranet processing module opens (disconnects) the switch of the switched unidirectional data link connected to the transition region;
Step 207: the transition region stores the received data in the transition data buffer of the transition region;
Step 208: the data encryption module in the transition region randomly generates a data encryption key, encrypts the data in the transition data buffer with a block cipher under that key, and encrypts the data encryption key with the external user's public key;
Step 209: the transition region closes the switch of the switched unidirectional data link connected to the external network processing module;
Step 210: the transition region sends the encrypted data together with the encrypted key to the external network processing module over the switched unidirectional data link connected to it;
Step 211: once the data has been sent, the transition region opens (disconnects) the switch of the switched unidirectional data link connected to the external network processing module and at the same time activates the system restore module, which empties the transition data buffer and restores the transition region to its original state;
Step 212: the external network processing module stores the received data, sent by the intranet user to the external user, in the external data buffer of the external network processing module;
Step 213: the external protocol conversion module in the external network processing module packs the data in the external data buffer that the intranet user is sending to the external user into network packets according to the TCP/IP protocol and sends them to the external user;
Step 214: after receiving the data, the external user first decrypts the data encryption key with his or her own private key, then decrypts the data with the data encryption key, and so obtains the data sent by the intranet user.
The beneficial effects of the invention are as follows:
The system of the invention comprises an external network processing module, an intranet processing module and a transition region, where the external network processing module is linked to the intranet processing module by a unidirectional data link, the intranet processing module is linked to the transition region by a switched unidirectional data link, and the transition region is linked to the external network processing module by a switched unidirectional data link. Bidirectional data communication between networks of different security levels is achieved through this pair of unidirectional data links, and the flow of data from the higher-security intranet into the lower-security external network is achieved through the system restore and data encryption operations of the transition region. The invention is used for security isolation between networks of different security levels and guarantees data security while providing bidirectional data communication.
The invention not only securely isolates networks of different security levels and ensures bidirectional data communication between them, but also guarantees the security of the system and, at the same time, the security of the bidirectional data communication.
Brief description of the drawings
The invention is described with reference to the accompanying drawings.
Fig. 1 is a structural diagram of the bidirectional network security isolation system of the invention.
Detailed description of the embodiments
To make the technical features of this scheme clear, the invention is described in detail below through an embodiment and with reference to the accompanying drawing. The following disclosure provides many different embodiments or examples for realizing different structures of the invention. To simplify the disclosure, the components and arrangements of specific examples are described below. In addition, the invention may repeat reference numerals and/or letters in different examples. This repetition is for simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the drawings are not necessarily drawn to scale. Descriptions of well-known components, processing techniques and processes are omitted so as not to limit the invention unnecessarily.
As shown in Fig. 1, the bidirectional network security isolation system of the invention comprises an external network processing module, an intranet processing module and a transition region. The external network processing module is connected to the external network (communicating bidirectionally with it) and is linked to the intranet processing module by a unidirectional data link; the intranet processing module is connected to the intranet (communicating bidirectionally with it) and is linked to the transition region by a switched unidirectional data link; the transition region is linked to the external network processing module by a switched unidirectional data link.
Preferably, the external network processing module transmits data directly to the intranet processing module over the unidirectional data link; the intranet processing module sends data to the transition region over the switched unidirectional data link for staging; and the transition region sends the transition data to the external network processing module over the switched unidirectional data link.
Preferably, the external network processing module comprises an identity authentication module, an external data buffer, an external protocol conversion module and a malicious code filtering module. The identity authentication module authenticates external users: a user who passes authentication is allowed to log in to the external network processing module, otherwise the connection request is refused. The external data buffer stores data sent from the external network to the intranet and data sent from the intranet to the external network. The external protocol conversion module parses the application-layer data out of network packets sent from the external network to the intranet according to the TCP/IP protocol, and packs data sent from the intranet to the external network into network packets according to the TCP/IP protocol. The malicious code filtering module performs malicious code detection on the application-layer data in packets sent from the external network to the intranet and filters out any malicious code that may be present.
Preferably, the intranet processing module comprises an intranet data buffer, an intranet protocol conversion module and a sensitive information filtering module. The intranet data buffer stores data sent from the external network to the intranet and data sent from the intranet to the external network. The intranet protocol conversion module parses the application-layer data out of network packets sent from the intranet to the external network according to the TCP/IP protocol, and packs data sent from the external network to the intranet into network packets according to the TCP/IP protocol. The sensitive information filtering module performs sensitive information detection on the application-layer data in packets sent from the intranet to the external network and filters out any sensitive information that may be present.
Preferably, the transition region comprises a transition data buffer, a system restore module and a data encryption module. The transition data buffer stores the transition data while the intranet is sending data to the external network; the data encryption module encrypts the data sent from the intranet to the external network; the system restore module empties the data buffer in the transition region and restores the transition region to its original state.
In the invention, the external network processing module is linked to the intranet processing module by a unidirectional data link, i.e. data are only allowed to pass from the external network processing module into the intranet processing module over that link; the intranet processing module is linked to the transition region by a switched unidirectional data link, i.e. data are only allowed to pass from the intranet processing module into the transition region over that switched link; and the transition region is linked to the external network processing module by a switched unidirectional data link, i.e. data are only allowed to pass from the transition region into the external network processing module over that switched link. On the basis of the current bidirectional network security isolation system architecture, the invention designs a new bidirectional network security isolation system that both meets the requirements of the security model and achieves bidirectional data communication.
In the bidirectional network security isolation method of the invention, when the external network sends data to the intranet, the external network processing module transmits the external data directly to the intranet processing module over the unidirectional data link; when the intranet sends data to the external network, the intranet processing module first sends the intranet data over the switched unidirectional data link to the transition region for staging, and the transition region then forwards the transition data to the external network processing module over the switched unidirectional data link.
Further, the process by which the external network sends data to the intranet (i.e. when a user on the external network needs to transmit data to a user on the intranet) comprises the following steps:
Step 101: the external user performs identity authentication with the identity authentication module in the external network processing module; if authentication passes, the external user is allowed to log in to the external network processing module, otherwise the connection request is refused;
Step 102: the external user transmits the data destined for the intranet user to the external network processing module according to the TCP/IP protocol;
Step 103: the external protocol conversion module parses the application-layer data out of the network packets destined for the intranet user according to the TCP/IP protocol and stores it in the external data buffer;
Step 104: the malicious code filtering module performs malicious code detection on the application-layer data in the external data buffer, filters out any malicious code that may be present, and stores the result back in the external data buffer;
Step 105: the external network processing module transmits the malicious-code-filtered data in the external data buffer to the intranet processing module over the unidirectional data link;
Step 106: the intranet processing module stores the received data in the intranet data buffer of the intranet processing module;
Step 107: the intranet protocol conversion module in the intranet processing module repacks the received data into network packets according to the TCP/IP protocol and sends them to the intranet user.
The process by which the intranet sends data to the external network (i.e. when a user on the intranet needs to transmit data to an external user) comprises the following steps:
Step 201: the intranet user transmits the data to be transferred to the external user to the intranet processing module according to the TCP/IP protocol;
Step 202: the intranet processing module stores the data destined for the external user in the intranet data buffer of the intranet processing module;
Step 203: the intranet protocol conversion module parses the application-layer data out of the network packets destined for the external user according to the TCP/IP protocol and stores it in the intranet data buffer;
Step 204: the sensitive information filtering module in the intranet processing module performs sensitive information detection on the application-layer data in the intranet data buffer that is destined for the external user, filters out any sensitive information that may be present, and stores the result back in the intranet data buffer;
Step 205: the intranet processing module closes the switch of the switched unidirectional data link connected to the transition region and transfers the sensitive-information-filtered data in the intranet data buffer to the transition region over that link;
Step 206: when the data transfer is complete, the intranet processing module opens (disconnects) the switch of the switched unidirectional data link connected to the transition region;
Step 207: the transition region stores the received data in the transition data buffer of the transition region;
Step 208: the data encryption module in the transition region randomly generates a data encryption key, encrypts the data in the transition data buffer with a block cipher (such as the AES algorithm) under that key, and encrypts the data encryption key with the external user's public key;
Step 209: the transition region closes the switch of the switched unidirectional data link connected to the external network processing module;
Step 210: the transition region sends the encrypted data together with the encrypted key to the external network processing module over the switched unidirectional data link connected to it;
Step 211: once the data has been sent, the transition region opens (disconnects) the switch of the switched unidirectional data link connected to the external network processing module and at the same time activates the system restore module, which empties the transition data buffer and restores the transition region to its original state;
Step 212: the external network processing module stores the received data, sent by the intranet user to the external user, in the external data buffer of the external network processing module;
Step 213: the external protocol conversion module in the external network processing module packs the data in the external data buffer that the intranet user is sending to the external user into network packets according to the TCP/IP protocol and sends them to the external user;
Step 214: after receiving the data, the external user first decrypts the data encryption key with his or her own private key, then decrypts the data with the data encryption key, and so obtains the data sent by the intranet user.
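The two procedures above (the inbound path of steps 101-107 and the outbound path of steps 201-214) are shown below as a single runnable simulation. This is an added illustration, not code from the patent or its assignee, and every concrete choice in it is an assumption: the three links are modelled as in-memory buffers whose switched variants refuse a transfer while the switch is open, the block cipher of step 208 is taken to be AES-256-GCM, the public-key encryption of the data key is taken to be RSA-OAEP, and the credential table, the malicious-code signature and the sensitive-information pattern are constructed stand-ins for the authentication and filtering modules.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"regexp"
)

// Link is a one-way data link; a switched link passes data only while its switch is closed.
type Link struct{ switched, closed bool }

func (l *Link) Close() { l.closed = true }
func (l *Link) Open()  { l.closed = false }
func (l *Link) Send(dst *[][]byte, msg []byte) error {
	if l.switched && !l.closed {
		return fmt.Errorf("link switch is open: transfer refused")
	}
	*dst = append(*dst, msg) // the receiving module stores the message in its data buffer
	return nil
}

// System holds the three modules' buffers and filters and the three one-way links of Fig. 1.
type System struct {
	Users                      map[string]string // constructed credential table (authentication module)
	Sigs                       [][]byte          // constructed malicious-code signatures
	Sensitive                  *regexp.Regexp    // constructed sensitive-information pattern
	ExtBuf, IntBuf, TrBuf      [][]byte          // external, intranet and transition data buffers
	ExtToInt, IntToTr, TrToExt *Link
}

func NewSystem(users map[string]string, sigs [][]byte, sensitive *regexp.Regexp) *System {
	return &System{Users: users, Sigs: sigs, Sensitive: sensitive,
		ExtToInt: &Link{}, IntToTr: &Link{switched: true}, TrToExt: &Link{switched: true}}
}

// Inbound is steps 101-107: authenticate, strip malicious code, push over the fixed one-way link.
func (s *System) Inbound(user, secret string, data []byte) ([]byte, error) {
	if pw, ok := s.Users[user]; !ok || pw != secret {
		return nil, fmt.Errorf("authentication failed: connection refused")
	}
	for _, sig := range s.Sigs {
		data = bytes.ReplaceAll(data, sig, nil)
	}
	if err := s.ExtToInt.Send(&s.IntBuf, data); err != nil {
		return nil, err
	}
	return data, nil // step 107: repacked as a TCP/IP packet for the intranet user
}

// Outbound is steps 201-211: redact, close each switch only for its transfer, encrypt, restore.
func (s *System) Outbound(pub *rsa.PublicKey, data []byte) (ct, wrappedKey []byte, err error) {
	data = s.Sensitive.ReplaceAll(data, []byte("[REDACTED]"))
	s.IntToTr.Close()
	err = s.IntToTr.Send(&s.TrBuf, data)
	s.IntToTr.Open()
	if err != nil {
		return nil, nil, err
	}
	// Step 208: fresh random data key, block cipher (AES-256-GCM), key wrapped with RSA-OAEP.
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct = gcm.Seal(nonce, nonce, bytes.Join(s.TrBuf, nil), nil)
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
		return nil, nil, err
	}
	s.TrToExt.Close()
	err = s.TrToExt.Send(&s.ExtBuf, append(ct, wrappedKey...))
	s.TrToExt.Open()
	s.TrBuf = nil // Step 211: the system-restore module empties the transition buffer
	return ct, wrappedKey, err
}

// Decrypt is step 214, run by the external user with his or her own private key.
func Decrypt(priv *rsa.PrivateKey, ct, wrappedKey []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	sys := NewSystem(map[string]string{"alice": "s3cret"}, [][]byte{[]byte("<MALWARE>")}, regexp.MustCompile(`SECRET\[[^\]]*\]`))
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	in, err := sys.Inbound("alice", "s3cret", []byte("hello <MALWARE>intranet"))
	ct, wk, _ := sys.Outbound(&priv.PublicKey, []byte("report SECRET[plan-x] ok"))
	pt, _ := Decrypt(priv, ct, wk)
	fmt.Printf("inbound %q (err=%v); outbound %q; transition buffer empty: %v\n", in, err, pt, len(sys.TrBuf) == 0)
}
```

The point worth checking in practice is the one the switches exist for: outside a transfer, neither switched link accepts data, and after step 211 the transition region holds nothing, so a compromise of the external side finds no staged intranet data and no open path back into the intranet.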
The invention achieves bidirectional data communication between networks of different security levels through a pair of unidirectional data links, and achieves the flow of data from the higher-security intranet into the lower-security external network through the system restore and data encryption operations of the transition region. It guarantees the security of the data while providing bidirectional data communication, and can be applied to security isolation between networks of different security levels.
The above is only the preferred embodiment of the invention. Those skilled in the art can make improvements and modifications without departing from the principles of the invention, and such improvements and modifications are also regarded as falling within the scope of protection of the invention.

Claims (7)

1. A bilateral network security isolation system, characterised in that it comprises an extranet processing module, an intranet processing module and a transition region; the extranet processing module connects to the external network and is connected to the intranet processing module by a unidirectional data link; the intranet processing module connects to the intranet and is connected to the transition region by a switched unidirectional data link; and the transition region is connected to the extranet processing module by a switched unidirectional data link.
2. The bilateral network security isolation system according to claim 1, characterised in that the extranet processing module transmits data directly to the intranet processing module over the unidirectional data link; the intranet processing module sends data to the transition region over the switched unidirectional data link, where it is held in transit; and the transition region sends the transit data to the extranet processing module over the switched unidirectional data link.
3. The bilateral network security isolation system according to claim 1 or 2, characterised in that the extranet processing module comprises an identity authentication module, an extranet data buffer, an extranet protocol conversion module and a malicious code filtering module; the identity authentication module authenticates the external user, allowing the external user to log in to the extranet processing module if authentication succeeds and otherwise refusing the external user's connection request; the extranet data buffer stores data the extranet sends to the intranet and data the intranet sends to the extranet; the extranet protocol conversion module parses the application-layer data out of the network packets the extranet sends to the intranet according to the TCP/IP protocol, or packages the data the intranet sends to the extranet into network packets according to the TCP/IP protocol; and the malicious code filtering module performs malicious code detection on the application-layer data in the network packets the extranet sends to the intranet and filters out any malicious code present.
4. The bilateral network security isolation system according to claim 1 or 2, characterised in that the intranet processing module comprises an intranet data buffer, an intranet protocol conversion module and a sensitive information filtering module; the intranet data buffer stores data the extranet sends to the intranet and data the intranet sends to the extranet; the intranet protocol conversion module parses the application-layer data out of the network packets the intranet sends to the extranet according to the TCP/IP protocol, or packages the data the extranet sends to the intranet into network packets according to the TCP/IP protocol; and the sensitive information filtering module performs sensitive information detection on the application-layer data in the network packets the intranet sends to the extranet and filters out any sensitive information present.
5. The bilateral network security isolation system according to claim 1 or 2, characterised in that the transition region comprises a transit data buffer, a system restore module and a data encryption module; the transit data buffer stores the transit data while the intranet is sending data to the extranet; the data encryption module encrypts the data the intranet sends to the extranet; and the system restore module empties the data buffer in the transition region and restores the transition region to its initial state.
6. A bilateral network security isolation method, characterised in that, when the extranet sends data to the intranet, the extranet processing module transmits the extranet data directly to the intranet processing module over a unidirectional data link; and when the intranet sends data to the extranet, the intranet processing module first sends the intranet data to the transition region over a switched unidirectional data link, where it is held in transit, and the transition region then forwards the transit data to the extranet processing module over a switched unidirectional data link.
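The point of the switched links in claims 1, 5 and 6 is that the intranet-to-extranet path is never continuous: one switch is closed, data moves, that switch opens again, and only then does the next switch close, after which the transition region is wiped. The Go program below is an added example written for this page, not code from the patent or its applicant. It models the three zones, refuses traffic that runs against a link's direction or through an open switch, records whether the two switches of the reverse path were ever closed at the same time, and clears the transit buffer after each transfer. The zone names, the `Link` and `Gateway` types, and the 18-digit-number pattern standing in for the sensitive information filter are my assumptions; the patent does not say what that filter matches.

```go
package main

import (
	"fmt"
	"regexp"
)

// Zone labels for the simulation (my names; the roles are the patent's).
const (
	Intranet   = "intranet"
	Transition = "transition"
	Extranet   = "extranet"
)

// Link is a unidirectional data link. A switched link (the two links of the
// intranet->extranet path) also has a switch that must be closed before data
// can pass; the extranet->intranet link of step 105 has no switch.
type Link struct {
	From, To string
	Switched bool
	Closed   bool // switch state, consulted only when Switched is true
}

// Send copies data across the link, refusing traffic that runs against the
// link's direction or, on a switched link, arrives while the switch is open.
func (l *Link) Send(from, to string, data []byte) ([]byte, error) {
	if from != l.From || to != l.To {
		return nil, fmt.Errorf("link %s->%s cannot carry %s->%s traffic", l.From, l.To, from, to)
	}
	if l.Switched && !l.Closed {
		return nil, fmt.Errorf("link %s->%s: switch is open", l.From, l.To)
	}
	return append([]byte(nil), data...), nil
}

// Gateway holds the three links plus the buffers of the transition region and
// the extranet processing module. BothClosed records whether the two switches
// were ever closed at once, which would mean a continuous intranet->extranet
// path existed; the step sequence below is meant to prevent exactly that.
type Gateway struct {
	exToIn, inToTrans, transToEx *Link
	TransitBuf, ExtranetBuf      []byte
	sensitive                    *regexp.Regexp
	BothClosed                   bool
}

// NewGateway wires the zones. The sensitive-information pattern (18-digit
// numbers, resembling resident ID numbers) is a constructed stand-in.
func NewGateway() *Gateway {
	return &Gateway{
		exToIn:    &Link{From: Extranet, To: Intranet},
		inToTrans: &Link{From: Intranet, To: Transition, Switched: true},
		transToEx: &Link{From: Transition, To: Extranet, Switched: true},
		sensitive: regexp.MustCompile(`\b\d{18}\b`),
	}
}

func (g *Gateway) noteSwitches() {
	if g.inToTrans.Closed && g.transToEx.Closed {
		g.BothClosed = true
	}
}

// Export runs steps 204 to 212 of claim 7 for one payload; the encryption of
// step 208 is omitted here so that the switch sequencing stays in view.
func (g *Gateway) Export(payload []byte) ([]byte, error) {
	intranetBuf := g.sensitive.ReplaceAll(payload, []byte("[REDACTED]")) // step 204

	g.inToTrans.Closed = true // step 205: close the first switch, then transfer
	g.noteSwitches()
	data, err := g.inToTrans.Send(Intranet, Transition, intranetBuf)
	if err != nil {
		return nil, err
	}
	g.inToTrans.Closed = false // step 206: open it as soon as the transfer is done
	g.TransitBuf = data        // step 207

	g.transToEx.Closed = true // steps 209-210: close the second switch, then forward
	g.noteSwitches()
	out, err := g.transToEx.Send(Transition, Extranet, g.TransitBuf)
	if err != nil {
		return nil, err
	}
	g.transToEx.Closed = false // step 211: open the switch and restore the
	g.TransitBuf = nil         // transition region to its initial state
	g.ExtranetBuf = out        // step 212
	return out, nil
}

// DirectExportRefused checks the two shortcuts a compromised intranet host
// might try: the forward link in reverse, and the transition->extranet link
// while its switch is open. Both must be rejected.
func (g *Gateway) DirectExportRefused(payload []byte) bool {
	_, err1 := g.exToIn.Send(Intranet, Extranet, payload)
	_, err2 := g.transToEx.Send(Transition, Extranet, payload)
	return err1 != nil && err2 != nil
}

func main() {
	g := NewGateway()
	out, err := g.Export([]byte("report for partner; employee id 110101199001011234 attached"))
	fmt.Printf("delivered %q, err=%v\n", out, err)
	fmt.Println("both switches ever closed at once:", g.BothClosed)
	fmt.Println("shortcuts refused:", g.DirectExportRefused([]byte("x")))
}
```

The `BothClosed` flag is the property worth checking in a real implementation: a hardware or software gatekeeper that ever has both switches closed has, for that moment, a plain bidirectional path and none of the isolation the claims rely on.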
7. The bilateral network security isolation method according to claim 6, characterised in that:
The process by which the extranet sends data to the intranet comprises the following steps:
Step 101: The external user authenticates to the identity authentication module in the extranet processing module; if authentication succeeds, the external user is allowed to log in to the extranet processing module, otherwise the external user's connection request is refused;
Step 102: The external user transmits the data to be sent to the intranet user to the extranet processing module according to the TCP/IP protocol;
Step 103: The extranet protocol conversion module parses the application-layer data out of the network packets addressed to the intranet user according to the TCP/IP protocol and stores it in the extranet data buffer;
Step 104: The malicious code filtering module performs malicious code detection on the application-layer data in the extranet data buffer, filters out any malicious code present, and stores the result back in the extranet data buffer;
Step 105: The extranet processing module transmits the data in the extranet data buffer that has passed malicious code filtering to the intranet processing module over the unidirectional data link;
Step 106: The intranet processing module stores the received data in the intranet data buffer of the intranet processing module;
Step 107: The intranet protocol conversion module in the intranet processing module repackages the received data into network packets according to the TCP/IP protocol and sends them to the intranet user;
The process by which the intranet sends data to the extranet comprises the following steps:
Step 201: The intranet user transmits the data to be transferred to the external user to the intranet processing module according to the TCP/IP protocol;
Step 202: The intranet processing module stores the data to be transferred to the external user in the intranet data buffer of the intranet processing module;
Step 203: The intranet protocol conversion module parses the application-layer data out of the network packets addressed to the external user according to the TCP/IP protocol and stores it in the intranet data buffer;
Step 204: The sensitive information filtering module in the intranet processing module performs sensitive information detection on the application-layer data in the intranet data buffer that is to be transferred to the external user, filters out any sensitive information present, and stores the result back in the intranet data buffer;
Step 205: The intranet processing module closes the switch on the switched unidirectional data link connected to the transition region (enabling the link) and transfers the sensitive-information-filtered data in the intranet data buffer to the transition region over that link;
Step 206: When the transfer is complete, the intranet processing module opens the switch on the switched unidirectional data link connected to the transition region (disabling the link);
Step 207: The transition region stores the received data in its transit data buffer;
Step 208: The data encryption module in the transition region generates a random data encryption key, encrypts the data in the transit data buffer with a block cipher, and encrypts the data encryption key with the external user's public key;
Step 209: The transition region closes the switch on the switched unidirectional data link connected to the extranet processing module;
Step 210: The transition region sends the encrypted data together with the encrypted key to the extranet processing module over the switched unidirectional data link connected to the extranet processing module;
Step 211: When the data has been sent, the transition region opens the switch on the switched unidirectional data link connected to the extranet processing module and at the same time activates the system restore module, which empties the transit data buffer and restores the transition region to its initial state;
Step 212: The extranet processing module stores the received data that the intranet user is transferring to the external user in the extranet data buffer of the extranet processing module;
Step 213: The extranet protocol conversion module in the extranet processing module packages the data in the extranet data buffer that the intranet user is transferring to the external user into network packets according to the TCP/IP protocol and sends them to the external user;
Step 214: After receiving the data, the external user first decrypts the data encryption key with their own private key and then decrypts the data with the data encryption key, obtaining the data sent by the intranet user.
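Steps 208 and 214 describe envelope (hybrid) encryption: a fresh symmetric key for each transfer, the transit data encrypted under that key with a block cipher, and the key itself encrypted under the external user's public key so that only the holder of the matching private key can recover it. The Go program below is an added example written for this page, not code from the patent, and it fixes the choices the claims leave open: AES-256-GCM as the block cipher mode, which also detects any modification of the ciphertext in transit (the patent asks only for confidentiality), and RSA-OAEP with SHA-256 for wrapping the key. The `Envelope` type, the function names and the sample message are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the transition region hands to the extranet processing
// module in step 210: the encrypted data and the encrypted data key.
type Envelope struct {
	WrappedKey []byte // data encryption key, RSA-OAEP encrypted to the external user
	Nonce      []byte // AES-GCM nonce, sent in the clear
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// NewExternalUserKey stands in for the external user's key pair, whose public
// half the transition region must already hold before step 208 runs.
func NewExternalUserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// TransitionEncrypt is step 208: a fresh random data encryption key, the
// transit buffer encrypted under it with a block cipher (AES-256-GCM here),
// and the key itself encrypted under the external user's public key.
func TransitionEncrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	// Step 211 leaves nothing behind in the transition region, so the key
	// buffer is zeroed once the envelope has been built.
	defer func() {
		for i := range key {
			key[i] = 0
		}
	}()
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// ExternalUserDecrypt is step 214: unwrap the data key with the user's private
// key, then decrypt the data. A wrong private key fails at the unwrap; a
// modified ciphertext fails the GCM tag check.
func ExternalUserDecrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	if env == nil {
		return nil, errors.New("empty envelope")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("data decryption failed: %w", err)
	}
	return pt, nil
}

func main() {
	priv, err := NewExternalUserKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload; in the patent this is the filtered transit buffer.
	env, err := TransitionEncrypt(&priv.PublicKey, []byte("quarterly figures for the partner"))
	if err != nil {
		panic(err)
	}
	pt, err := ExternalUserDecrypt(priv, env)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Two things the claims do not address but a deployment must: the extranet processing module never sees the data key, so steps 212 and 213 can only repackage what step 210 delivered, and the external user's public key has to be bound to the authenticated identity from step 101, otherwise the transition region is encrypting to whoever supplied a key.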
CN201710374477.XA 2017-05-24 2017-05-24 A kind of bilateral network security isolation system and method Pending CN106998333A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710374477.XA CN106998333A (en) 2017-05-24 2017-05-24 A kind of bilateral network security isolation system and method

Publications (1)

Publication Number Publication Date
CN106998333A true CN106998333A (en) 2017-08-01

Family

ID=59435980

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710374477.XA Pending CN106998333A (en) 2017-05-24 2017-05-24 A kind of bilateral network security isolation system and method

Country Status (1)

Country Link
CN (1) CN106998333A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103491072A (en) * 2013-09-06 2014-01-01 北京信息控制研究所 Boundary access control method based on double one-way separation gatekeepers
CN104363221A (en) * 2014-11-10 2015-02-18 青岛微智慧信息有限公司 Network safety isolation file transmission control method
US20150088934A1 (en) * 2013-09-20 2015-03-26 Open Text S.A. Hosted application gateway architecture with multi-level security policy and rule promulgations
CN104486336A (en) * 2014-12-12 2015-04-01 冶金自动化研究设计院 Device for safely isolating and exchanging industrial control networks
CN106341397A (en) * 2016-08-25 2017-01-18 柏盟(北京)科技发展有限公司 Industrial safety isolation GAP

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李旋, 吴其聪: "A gatekeeper implementation method with data encryption and integrity protection" (一种数据加密与完整性保护的网闸实现方法), Journal of Nantong University (Natural Science Edition) *
郑炜: "Research on a gigabit physical-isolation gatekeeper system based on a MIPS CPU" (基于MIPS_CPU的千兆物理隔离网闸的系统研究), China Master's Theses Full-text Database, Information Science and Technology *

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107809392A (en) * 2017-10-18 2018-03-16 珠海许继芝电网自动化有限公司 A kind of data transmission method across forward and reverse isolation load balancing and high reliability
CN107888599A (en) * 2017-11-17 2018-04-06 中国航空工业集团公司西安航空计算技术研究所 Intercommunication system and method between a kind of avionics height secure network domain
CN107888599B (en) * 2017-11-17 2020-10-27 中国航空工业集团公司西安航空计算技术研究所 Two-way communication system and method between high-low security network domains of avionics
CN108390778A (en) * 2018-02-10 2018-08-10 浙江财经大学 A kind of computer network security prior-warning device
CN110381008A (en) * 2018-04-13 2019-10-25 武汉梓金山科技有限公司 A kind of Dynamic Defense System of Network Security and method based on big data
CN110381008B (en) * 2018-04-13 2022-02-25 海南波克科技有限公司 Network security dynamic defense system and method based on big data
CN108833395A (en) * 2018-06-07 2018-11-16 北京网迅科技有限公司杭州分公司 A kind of outer net access authentication system and authentication method based on hardware access card
CN110290060B (en) * 2019-07-15 2021-12-14 腾讯科技(深圳)有限公司 Cross-network communication method, device and storage medium
CN110290060A (en) * 2019-07-15 2019-09-27 腾讯科技(深圳)有限公司 A kind of internetwork communication method, apparatus and storage medium
CN110545324A (en) * 2019-09-04 2019-12-06 北京百度网讯科技有限公司 Data processing method, device, system, network equipment and storage medium
CN110933025A (en) * 2019-10-21 2020-03-27 武汉神库小匠科技有限公司 Multi-source heterogeneous data cross-domain synchronous shared storage method, device, equipment and medium
CN114766086A (en) * 2019-12-19 2022-07-19 西门子交通有限责任公司 Transmission device for transmitting data
CN111556062A (en) * 2020-05-06 2020-08-18 国网电力科学研究院有限公司 Network security isolation device with one-way import function and method
CN113824669A (en) * 2020-06-18 2021-12-21 深圳市桑威科技有限公司 External computer network early warning equipment and method
CN112468571B (en) * 2020-11-24 2022-02-01 中国联合网络通信集团有限公司 Intranet and extranet data synchronization method and device, electronic equipment and storage medium
CN112468571A (en) * 2020-11-24 2021-03-09 中国联合网络通信集团有限公司 Intranet and extranet data synchronization method and device, electronic equipment and storage medium
CN114024753A (en) * 2021-11-08 2022-02-08 中铁信安(北京)信息安全技术有限公司 Data communication bidirectional ferry isolation device and method
CN114500068A (en) * 2022-02-10 2022-05-13 广州云羲网络科技有限公司 Information data exchange system based on safety isolation network gate
CN114500068B (en) * 2022-02-10 2024-01-09 广州云羲网络科技有限公司 Information data exchange system based on safety isolation gatekeeper
CN114553528A (en) * 2022-02-22 2022-05-27 成都睿智兴华信息技术有限公司 Internal and external network data safety transmission system and transmission method thereof
CN114553528B (en) * 2022-02-22 2024-04-19 成都睿智兴华信息技术有限公司 Internal and external network data safety transmission system and transmission method thereof
CN114465821A (en) * 2022-04-02 2022-05-10 浙江国利网安科技有限公司 Data transmission system and data transmission method
CN114615082B (en) * 2022-04-07 2023-09-12 西安热工研究院有限公司 System and method for simulating TCP duplex safety communication by using forward and reverse gatekeepers
CN114615082A (en) * 2022-04-07 2022-06-10 西安热工研究院有限公司 System and method for simulating TCP duplex safety communication by using forward and reverse network gates
CN114710360A (en) * 2022-04-15 2022-07-05 北京全路通信信号研究设计院集团有限公司 Audit-based inside-out data secure transmission method and system and electronic equipment
CN114710360B (en) * 2022-04-15 2024-01-19 北京全路通信信号研究设计院集团有限公司 Audit-based inside-to-outside data security transmission method and system and electronic equipment
CN115242432B (en) * 2022-06-13 2023-05-16 中国电子科技集团公司第三十研究所 Cross-domain time synchronization device and method
CN115242432A (en) * 2022-06-13 2022-10-25 中国电子科技集团公司第三十研究所 Cross-domain time synchronization device and method
CN115242446A (en) * 2022-06-22 2022-10-25 中国电子科技集团公司第五十二研究所 Cloud desktop one-way data importing system and method under intranet environment

Similar Documents

Publication Publication Date Title
CN106998333A (en) A kind of bilateral network security isolation system and method
CN103491072B (en) A kind of border access control method based on double unidirection insulation network brakes
CN108965215B (en) Dynamic security method and system for multi-fusion linkage response
CN106060003A (en) Network boundary unidirectional isolated transmission device
CN106506540A (en) A kind of intranet data transmission method of attack resistance and system
CN107026874A (en) One kind instruction signature and verification method and system
CN109241087A (en) A kind of data processing method and terminal of alliance's chain
CN107172020A (en) A kind of network data security exchange method and system
CN104994094B (en) Virtual platform safety protecting method based on virtual switch, device and system
CN107070907A (en) Intranet and extranet data unidirectional transmission method and system
CN110011813A (en) A kind of data hiding transmission method based on block chain
CN106209883A (en) Based on link selection and the multi-chain circuit transmission method and system of broken restructuring
CN106488452A (en) A kind of mobile terminal safety access authentication method of combination fingerprint
CN107493292A (en) The information transmission system and method for isomery multichannel security isolation
CN109035519A (en) A kind of biometric devices and method
CN108259446A (en) A kind of method and device based on isolation network transmission data
CN100547996C (en) Intranet and extranet information safety transmission system and method
CN109617875A (en) A kind of the secure accessing platform and its implementation of terminal communication network
CN103457953A (en) Handling mechanism preventing 802.1X protocol attack under security access mode of port
CN109150906A (en) A kind of real-time data communication safety method
CN108696535A (en) Network security protection system based on SDN and method
CN206193795U (en) Computer intelligent information secure processing device
CN102833067B (en) Trilateral authentication method and system and authentication state management method of terminal equipment
CN201878191U (en) Security access device for video
CN108023884A (en) A kind of encryption method of Networks and information security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170801