CN106998333A - A kind of bilateral network security isolation system and method - Google Patents
Abstract
The invention discloses a bidirectional network security isolation system and method. The system comprises an external network processing module, an intranet processing module and a transition region. The external network processing module connects to the external network and is connected to the intranet processing module by a unidirectional data link; the intranet processing module connects to the intranet and is connected to the transition region by a switched unidirectional data link; and the transition region is connected to the external network processing module by a switched unidirectional data link. When the external network sends data to the intranet, the external network processing module transmits the external data directly to the intranet processing module over the unidirectional data link. When the intranet sends data to the external network, the intranet processing module first sends the intranet data over the switched unidirectional data link to the transition region for transit processing, and the transition region then forwards the transit data over its switched unidirectional data link to the external network processing module. The invention can securely isolate networks of different security levels while guaranteeing bidirectional data communication between them.
Description
Technical field
The invention relates to a bidirectional network security isolation system and method and belongs to the technical field of network security.
Background technology
With the spread of Internet applications, network security faces severe challenges and security incidents occur continually. In this situation an organization's internal network needs both to connect to the Internet for information exchange and to avoid, as far as possible, the various network attacks originating from the Internet. Beyond the defences of traditional firewalls, intrusion detection systems and similar security devices, network security isolation devices have gradually come to play an important role.
A network security isolation device separates an organization's intranet from its connection to the external network, inspects the data flows entering and leaving the intranet, filters out malicious code attempting to enter the intranet and sensitive information attempting to flow out to the external network, and physically isolates the intranet from the external network so as to block attacks that rely on a network connection; it plays an important part in protecting the organization's intranet.
Current network security isolation devices come in two kinds, unidirectional and bidirectional. A unidirectional network security isolation device only allows external-network data to enter the intranet and never allows intranet data to flow out to the external network, which strictly guarantees that sensitive intranet data cannot leak. A bidirectional network security isolation device allows data to be exchanged in both directions between the internal and external networks and relies on strict inspection of data content to prevent the leakage of sensitive data.
The security of unidirectional network security isolation devices rests on the classical BLP (Bell-LaPadula) security model, under which they can be proven secure. Current bidirectional network security isolation devices, however, actually violate the BLP security model, so their security cannot be proven theoretically. How to design a new bidirectional network security isolation system that both satisfies the requirements of the security model and still provides bidirectional data communication has therefore become a difficult problem.
Summary of the invention
In view of the above shortcomings, the invention provides a bidirectional network security isolation system and method that can securely isolate networks of different security levels while guaranteeing bidirectional data communication between them.
The technical solution adopted by the invention to solve its technical problem is as follows:
A bidirectional network security isolation system according to the invention is characterized in that it comprises an external network processing module, an intranet processing module and a transition region. The external network processing module connects to the external network and is connected to the intranet processing module by a unidirectional data link; the intranet processing module connects to the intranet and is connected to the transition region by a switched unidirectional data link; and the transition region is connected to the external network processing module by a switched unidirectional data link.
Preferably, the external network processing module transmits data directly to the intranet processing module over the unidirectional data link; the intranet processing module sends data over the switched unidirectional data link to the transition region for transit processing; and the transition region sends the transit data to the external network processing module over the switched unidirectional data link.
Preferably, the external network processing module comprises an identity authentication module, an external data buffer, an external protocol conversion module and a malicious code filtering module. The identity authentication module authenticates external users: if authentication succeeds, the external user is allowed to log in to the external network processing module; otherwise the external user's connection request is refused. The external data buffer stores data sent from the external network to the intranet and data sent from the intranet to the external network. The external protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of network packets sent from the external network to the intranet, and packages data sent from the intranet to the external network into network packets according to the TCP/IP protocol. The malicious code filtering module performs malicious code detection on the application-layer data of network packets sent from the external network to the intranet and filters out any malicious code they may contain.
Preferably, the intranet processing module comprises an intranet data buffer, an intranet protocol conversion module and a sensitive information filtering module. The intranet data buffer stores data sent from the external network to the intranet and data sent from the intranet to the external network. The intranet protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of network packets sent from the intranet to the external network, and packages data sent from the external network to the intranet into network packets according to the TCP/IP protocol. The sensitive information filtering module performs sensitive information detection on the application-layer data of network packets sent from the intranet to the external network and filters out any sensitive information they may contain.
Preferably, the transition region comprises a transit data buffer, a system restore module and a data encryption module. The transit data buffer stores the transit data while the intranet is sending data to the external network; the data encryption module encrypts the data sent from the intranet to the external network; and the system restore module empties the data buffer in the transition region and restores the transition region to its initial state.
A bidirectional network security isolation method according to the invention is characterized in that, when the external network sends data to the intranet, the external network processing module transmits the external data directly to the intranet processing module over the unidirectional data link; and when the intranet sends data to the external network, the intranet processing module first sends the intranet data over the switched unidirectional data link to the transition region for transit processing, and the transition region then forwards the transit data over its switched unidirectional data link to the external network processing module.
Further, the process by which the external network sends data to the intranet comprises the following steps:
Step 101: the external user performs identity authentication with the identity authentication module in the external network processing module; if authentication succeeds, the external user is allowed to log in to the external network processing module, otherwise the external user's connection request is refused;
Step 102: the external user transmits the data to be sent to the intranet user to the external network processing module according to the TCP/IP protocol;
Step 103: the external protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of the network packets to be sent to the intranet user and stores it in the external data buffer;
Step 104: the malicious code filtering module performs malicious code detection on the application-layer data in the external data buffer, filters out any malicious code it may contain, and stores the result back in the external data buffer;
Step 105: the external network processing module transmits the malicious-code-filtered data in the external data buffer to the intranet processing module over the unidirectional data link;
Step 106: the intranet processing module stores the received data in the intranet data buffer of the intranet processing module;
Step 107: the intranet protocol conversion module in the intranet processing module repackages the received data into network packets according to the TCP/IP protocol and sends them to the intranet user;
The process by which the intranet sends data to the external network comprises the following steps:
Step 201: the intranet user transmits the data to be transferred to the external user to the intranet processing module according to the TCP/IP protocol;
Step 202: the intranet processing module stores the data to be transferred to the external user in the intranet data buffer of the intranet processing module;
Step 203: the intranet protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of the network packets to be transferred to the external user and stores it in the intranet data buffer;
Step 204: the sensitive information filtering module in the intranet processing module performs sensitive information detection on the application-layer data of the network packets in the intranet data buffer that are to be transferred to the external user, filters out any sensitive information they may contain, and stores the result back in the intranet data buffer;
Step 205: the intranet processing module closes the switch of the switched unidirectional data link connected to the transition region and transfers the sensitive-information-filtered data in the intranet data buffer to the transition region over that link;
Step 206: once the data transfer is complete, the intranet processing module opens the switch of the switched unidirectional data link connected to the transition region;
Step 207: the transition region stores the received data in the transit data buffer of the transition region;
Step 208: the data encryption module in the transition region randomly generates a data encryption key, encrypts the data in the transit data buffer with a block cipher algorithm, and encrypts the data encryption key with the external user's public key;
Step 209: the transition region closes the switch of the switched unidirectional data link connected to the external network processing module;
Step 210: the transition region sends the encrypted data together with the encrypted key to the external network processing module over the switched unidirectional data link connected to the external network processing module;
Step 211: once the data has been sent, the transition region opens the switch of the switched unidirectional data link connected to the external network processing module and at the same time activates the system restore module, which empties the transit data buffer in the transition region and restores the transition region to its initial state;
Step 212: the external network processing module stores the received data, which the intranet user is transferring to the external user, in the external data buffer of the external network processing module;
Step 213: the external protocol conversion module in the external network processing module packages the data in the external data buffer that the intranet user is transferring to the external user into network packets according to the TCP/IP protocol and sends them to the external user;
Step 214: after receiving the data, the external user first decrypts the data encryption key with his own private key and then decrypts the data with the data encryption key, obtaining the data sent by the intranet user.
The beneficial effects of the invention are as follows:
The system of the invention comprises an external network processing module, an intranet processing module and a transition region, in which the external network processing module is connected to the intranet processing module by a unidirectional data link, the intranet processing module is connected to the transition region by a switched unidirectional data link, and the transition region is connected to the external network processing module by a switched unidirectional data link. Bidirectional data communication between networks of different security levels is achieved through the dual unidirectional data links, and the flow of data from the high-security intranet to the low-security external network is achieved through the system restore and data encryption operations of the transition region. The invention is used for security isolation between networks of different security levels and achieves bidirectional data communication while ensuring data security.
The invention not only securely isolates networks of different security levels and guarantees bidirectional data communication between them, but also ensures the security of the system and, at the same time, the security of the bidirectional data communication.
Brief description of the drawings
The invention is described with reference to the accompanying drawing.
Fig. 1 is a structural diagram of the bidirectional network security isolation system of the invention.
Embodiment
To make the technical features of this solution clear and understandable, the invention is described in detail below through embodiments and with reference to the accompanying drawing. The following disclosure provides many different embodiments or examples for implementing different structures of the invention. To simplify the disclosure of the invention, the components and arrangements of specific examples are described below. In addition, the invention may repeat reference numerals and/or letters in different examples; this repetition is for simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the drawing are not necessarily drawn to scale. Descriptions of well-known components, processing techniques and processes are omitted to avoid unnecessarily limiting the invention.
As shown in Fig. 1, a bidirectional network security isolation system of the invention comprises an external network processing module, an intranet processing module and a transition region. The external network processing module connects to the external network (communicating with it in both directions) and is connected to the intranet processing module by a unidirectional data link; the intranet processing module connects to the intranet (communicating with it in both directions) and is connected to the transition region by a switched unidirectional data link; and the transition region is connected to the external network processing module by a switched unidirectional data link.
Preferably, the external network processing module transmits data directly to the intranet processing module over the unidirectional data link; the intranet processing module sends data over the switched unidirectional data link to the transition region for transit processing; and the transition region sends the transit data to the external network processing module over the switched unidirectional data link.
Preferably, the external network processing module comprises an identity authentication module, an external data buffer, an external protocol conversion module and a malicious code filtering module. The identity authentication module authenticates external users: if authentication succeeds, the external user is allowed to log in to the external network processing module; otherwise the external user's connection request is refused. The external data buffer stores data sent from the external network to the intranet and data sent from the intranet to the external network. The external protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of network packets sent from the external network to the intranet, and packages data sent from the intranet to the external network into network packets according to the TCP/IP protocol. The malicious code filtering module performs malicious code detection on the application-layer data of network packets sent from the external network to the intranet and filters out any malicious code they may contain.
Preferably, the intranet processing module comprises an intranet data buffer, an intranet protocol conversion module and a sensitive information filtering module. The intranet data buffer stores data sent from the external network to the intranet and data sent from the intranet to the external network. The intranet protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of network packets sent from the intranet to the external network, and packages data sent from the external network to the intranet into network packets according to the TCP/IP protocol. The sensitive information filtering module performs sensitive information detection on the application-layer data of network packets sent from the intranet to the external network and filters out any sensitive information they may contain.
Preferably, the transition region comprises a transit data buffer, a system restore module and a data encryption module. The transit data buffer stores the transit data while the intranet is sending data to the external network; the data encryption module encrypts the data sent from the intranet to the external network; and the system restore module empties the data buffer in the transition region and restores the transition region to its initial state.
In the invention, the external network processing module is connected to the intranet processing module by a unidirectional data link, that is, data is only allowed to pass from the external network processing module into the intranet processing module over that unidirectional data link; the intranet processing module is connected to the transition region by a switched unidirectional data link, that is, data is only allowed to pass from the intranet processing module into the transition region over that switched unidirectional data link; and the transition region is connected to the external network processing module by a switched unidirectional data link, that is, data is only allowed to pass from the transition region into the external network processing module over that switched unidirectional data link. On the basis of the architecture of current bidirectional network security isolation systems, the invention designs a new bidirectional network security isolation system that both satisfies the requirements of the security model and achieves bidirectional data communication.
In a bidirectional network security isolation method according to the invention, when the external network sends data to the intranet, the external network processing module transmits the external data directly to the intranet processing module over the unidirectional data link; when the intranet sends data to the external network, the intranet processing module first sends the intranet data over the switched unidirectional data link to the transition region for transit processing, and the transition region then forwards the transit data over its switched unidirectional data link to the external network processing module.
Further, the process by which the external network sends data to the intranet (that is, when a user on the external network needs to transmit data to a user on the intranet) comprises the following steps:
Step 101: the external user performs identity authentication with the identity authentication module in the external network processing module; if authentication succeeds, the external user is allowed to log in to the external network processing module, otherwise the external user's connection request is refused;
Step 102: the external user transmits the data to be sent to the intranet user to the external network processing module according to the TCP/IP protocol;
Step 103: the external protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of the network packets to be sent to the intranet user and stores it in the external data buffer;
Step 104: the malicious code filtering module performs malicious code detection on the application-layer data in the external data buffer, filters out any malicious code it may contain, and stores the result back in the external data buffer;
Step 105: the external network processing module transmits the malicious-code-filtered data in the external data buffer to the intranet processing module over the unidirectional data link;
Step 106: the intranet processing module stores the received data in the intranet data buffer of the intranet processing module;
Step 107: the intranet protocol conversion module in the intranet processing module repackages the received data into network packets according to the TCP/IP protocol and sends them to the intranet user.
The process by which the intranet sends data to the external network (that is, when a user on the intranet needs to transmit data to an external user) comprises the following steps:
Step 201: the intranet user transmits the data to be transferred to the external user to the intranet processing module according to the TCP/IP protocol;
Step 202: the intranet processing module stores the data to be transferred to the external user in the intranet data buffer of the intranet processing module;
Step 203: the intranet protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of the network packets to be transferred to the external user and stores it in the intranet data buffer;
Step 204: the sensitive information filtering module in the intranet processing module performs sensitive information detection on the application-layer data of the network packets in the intranet data buffer that are to be transferred to the external user, filters out any sensitive information they may contain, and stores the result back in the intranet data buffer;
Step 205: the intranet processing module closes the switch of the switched unidirectional data link connected to the transition region and transfers the sensitive-information-filtered data in the intranet data buffer to the transition region over that link;
Step 206: once the data transfer is complete, the intranet processing module opens the switch of the switched unidirectional data link connected to the transition region;
Step 207: the transition region stores the received data in the transit data buffer of the transition region;
Step 208: the data encryption module in the transition region randomly generates a data encryption key, encrypts the data in the transit data buffer with a block cipher algorithm (such as the AES algorithm), and encrypts the data encryption key with the external user's public key;
Step 209: the transition region closes the switch of the switched unidirectional data link connected to the external network processing module;
Step 210: the transition region sends the encrypted data together with the encrypted key to the external network processing module over the switched unidirectional data link connected to the external network processing module;
Step 211: once the data has been sent, the transition region opens the switch of the switched unidirectional data link connected to the external network processing module and at the same time activates the system restore module, which empties the transit data buffer in the transition region and restores the transition region to its initial state;
Step 212: the external network processing module stores the received data, which the intranet user is transferring to the external user, in the external data buffer of the external network processing module;
Step 213: the external protocol conversion module in the external network processing module packages the data in the external data buffer that the intranet user is transferring to the external user into network packets according to the TCP/IP protocol and sends them to the external user;
Step 214: after receiving the data, the external user first decrypts the data encryption key with his own private key and then decrypts the data with the data encryption key, obtaining the data sent by the intranet user.
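The intranet-to-external-network path of steps 205 to 214 as an added Go simulation (example code written for this page, not code from the patent): it models the switched unidirectional links as gates that only pass data while closed, runs the transfer, encrypt, transfer, restore sequence of the transition region, and decrypts at the external user. AES-GCM as the block cipher mode, RSA-OAEP for wrapping the data key, and the names SwitchedOneWayLink, TransitionRegion, IntranetToExtranet, DecryptAtExternalUser and GenerateExternalUserKey are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SwitchedOneWayLink is the patent's "unidirectional data link with a switch".
type SwitchedOneWayLink struct{ closed bool }

func (l *SwitchedOneWayLink) Close() { l.closed = true }  // connect the link
func (l *SwitchedOneWayLink) Open()  { l.closed = false } // disconnect the link

// Send hands a copy of data to the receiving side, or fails if the switch is open.
func (l *SwitchedOneWayLink) Send(data []byte) ([]byte, error) {
	if !l.closed {
		return nil, errors.New("switch open: link disconnected")
	}
	return append([]byte(nil), data...), nil
}

// TransitionRegion holds the transit buffer (step 207) and the encryption step (208).
type TransitionRegion struct{ Buffer []byte }

// newGCM builds an AES-GCM AEAD; GCM is this example's choice, the patent only says "AES".
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh random data key, encrypts the buffer with it and wraps the
// key with the external user's RSA public key (RSA-OAEP is this example's assumption).
func (t *TransitionRegion) Encrypt(pub *rsa.PublicKey) (ct, wrappedKey []byte, err error) {
	keyNonce := make([]byte, 32+12) // one AES-256 key and 96-bit GCM nonce per transfer
	if _, err = rand.Read(keyNonce); err != nil {
		return nil, nil, err
	}
	key, nonce := keyNonce[:32], keyNonce[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	ct = gcm.Seal(nonce, nonce, t.Buffer, nil) // nonce is prepended to the ciphertext
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return ct, wrappedKey, err
}

// Reset is the system-restore operation of step 211: it empties the transit buffer.
func (t *TransitionRegion) Reset() { t.Buffer = nil }

// IntranetToExtranet runs steps 205-211 in order on data that already passed the
// sensitive-information filter. The link into the transition region is opened (206)
// before the link out of it is closed (209), so both are never closed at once.
func IntranetToExtranet(filtered []byte, pub *rsa.PublicKey) (ct, wrappedKey []byte, err error) {
	toTransition, toExtranet := &SwitchedOneWayLink{}, &SwitchedOneWayLink{}
	region := &TransitionRegion{}
	toTransition.Close() // step 205: connect, then transfer into the transit buffer
	if region.Buffer, err = toTransition.Send(filtered); err != nil {
		return nil, nil, err
	}
	toTransition.Open() // step 206: disconnect the intranet side
	if ct, wrappedKey, err = region.Encrypt(pub); err != nil { // step 208
		return nil, nil, err
	}
	toExtranet.Close() // step 209
	ct, err = toExtranet.Send(ct)
	if err == nil {
		wrappedKey, err = toExtranet.Send(wrappedKey) // step 210
	}
	toExtranet.Open() // step 211: disconnect, then restore the region
	region.Reset()
	return ct, wrappedKey, err
}

// DecryptAtExternalUser is step 214: unwrap the data key with the private key, then
// decrypt the data with the recovered key.
func DecryptAtExternalUser(priv *rsa.PrivateKey, ct, wrappedKey []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil || len(ct) < 12 {
		return nil, errors.New("bad data key or ciphertext")
	}
	return gcm.Open(nil, ct[:12], ct[12:], nil)
}

// GenerateExternalUserKey stands in for the external user's own key pair.
func GenerateExternalUserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}
```

To run a full round trip, add a `main` that calls `GenerateExternalUserKey`, `IntranetToExtranet` and `DecryptAtExternalUser` in that order; the transit buffer is nil again after each transfer, and a ciphertext altered in transit is rejected by the GCM tag check at the external user.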
The invention achieves bidirectional data communication between networks of different security levels through the dual unidirectional data links, and achieves the flow of data from the high-security intranet to the low-security external network through the system restore and data encryption operations of the transition region, ensuring data security while achieving bidirectional data communication; it can be applied to security isolation between networks of different security levels.
The above is only a preferred embodiment of the invention. Those skilled in the art can make a number of improvements and modifications without departing from the principles of the invention, and these improvements and modifications are also regarded as falling within the scope of protection of the invention.
Claims (7)
1. A bidirectional network security isolation system, characterized in that it comprises an external network processing module, an intranet processing module and a transition region, wherein the external network processing module connects to the external network and is connected to the intranet processing module by a unidirectional data link, the intranet processing module connects to the intranet and is connected to the transition region by a switched unidirectional data link, and the transition region is connected to the external network processing module by a switched unidirectional data link.
2. The bidirectional network security isolation system according to claim 1, characterized in that the external network processing module transmits data directly to the intranet processing module over the unidirectional data link, the intranet processing module sends data over the switched unidirectional data link to the transition region for transit processing, and the transition region sends the transit data to the external network processing module over the switched unidirectional data link.
3. The bidirectional network security isolation system according to claim 1 or 2, characterized in that the external network processing module comprises an identity authentication module, an external data buffer, an external protocol conversion module and a malicious code filtering module; the identity authentication module authenticates external users and, if authentication succeeds, allows the external user to log in to the external network processing module, otherwise refuses the external user's connection request; the external data buffer stores data sent from the external network to the intranet and data sent from the intranet to the external network; the external protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of network packets sent from the external network to the intranet, and packages data sent from the intranet to the external network into network packets according to the TCP/IP protocol; and the malicious code filtering module performs malicious code detection on the application-layer data of network packets sent from the external network to the intranet and filters out any malicious code they may contain.
4. The bidirectional network security isolation system according to claim 1 or 2, characterized in that the intranet processing module comprises an intranet data buffer, an intranet protocol conversion module and a sensitive information filtering module; the intranet data buffer stores data sent from the external network to the intranet and data sent from the intranet to the external network; the intranet protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of network packets sent from the intranet to the external network, and packages data sent from the external network to the intranet into network packets according to the TCP/IP protocol; and the sensitive information filtering module performs sensitive information detection on the application-layer data of network packets sent from the intranet to the external network and filters out any sensitive information they may contain.
5. The bilateral network security isolation system according to claim 1 or 2, characterized in that the transitional region comprises a transit data buffer, a system restore module and a data encryption module; the transit data buffer stores the transit data while the intranet sends data to the outer net; the data encryption module encrypts the data that the intranet sends to the outer net; the system restore module empties the data buffer in the transitional region and restores the transitional region to its original state.
6. A bilateral network security isolation method, characterized in that when the outer net sends data to the intranet, the outer net processing module transmits the outer net data directly to the intranet processing module over a unidirectional data link; when the intranet sends data to the outer net, the intranet processing module first sends the intranet data over a switched unidirectional data link to the transitional region for transit, and the transitional region then forwards the transit data to the outer net processing module over a switched unidirectional data link.
7. The bilateral network security isolation method according to claim 6, characterized in that
the process by which the outer net sends data to the intranet comprises the following steps:
Step 101: The external user authenticates with the authentication module in the outer net processing module; if authentication succeeds, the external user is allowed to log in to the outer net processing module, otherwise the external user's connection request is refused;
Step 102: The external user transmits the data destined for the intranet user to the outer net processing module according to the TCP/IP protocol;
Step 103: The outer net protocol conversion module parses the application layer data out of the network packets destined for the intranet user according to the TCP/IP protocol and stores it in the outer net data buffer;
Step 104: The malicious code filtering module performs malicious code detection on the application layer data in the outer net data buffer, filters out any malicious code that may be present, and stores the result back into the outer net data buffer;
Step 105: The outer net processing module transmits the malicious-code-filtered data in the outer net data buffer to the intranet processing module over the unidirectional data link;
Step 106: The intranet processing module stores the received data in the intranet data buffer of the intranet processing module;
Step 107: The intranet protocol conversion module in the intranet processing module repacks the received data into network packets according to the TCP/IP protocol and sends them to the intranet user;
the process by which the intranet sends data to the outer net comprises the following steps:
Step 201: The intranet user transmits the data to be transferred to the external user to the intranet processing module according to the TCP/IP protocol;
Step 202: The intranet processing module stores the data to be transferred to the external user in the intranet data buffer of the intranet processing module;
Step 203: The intranet protocol conversion module parses the application layer data out of the network packets to be transferred to the external user according to the TCP/IP protocol and stores it in the intranet data buffer;
Step 204: The sensitive information filtering module in the intranet processing module performs sensitive information detection on the application layer data in the intranet data buffer that is to be transferred to the external user, filters out any sensitive information that may be present, and stores the result back into the intranet data buffer;
Step 205: The intranet processing module closes the switch on the switched unidirectional data link connected to the transitional region (connecting the link) and transfers the sensitive-information-filtered data in the intranet data buffer to the transitional region over that link;
Step 206: When the transfer is complete, the intranet processing module disconnects the switch on the switched unidirectional data link connected to the transitional region;
Step 207: The transitional region stores the received data in the transit data buffer of the transitional region;
Step 208: The data encryption module in the transitional region randomly generates a data encryption key, encrypts the data in the transit data buffer with a block cipher algorithm, and encrypts the data encryption key with the external user's public key;
Step 209: The transitional region closes the switch on the switched unidirectional data link connected to the outer net processing module;
Step 210: The transitional region sends the encrypted data together with the encrypted key to the outer net processing module over the switched unidirectional data link connected to the outer net processing module;
Step 211: When the data has been sent, the transitional region disconnects the switch on the switched unidirectional data link connected to the outer net processing module and at the same time activates the system restore module, which empties the transit data buffer in the transitional region and restores the transitional region to its original state;
Step 212: The outer net processing module stores the received data that the intranet user is transferring to the external user in the outer net data buffer of the outer net processing module;
Step 213: The outer net protocol conversion module in the outer net processing module packs the data in the outer net data buffer that the intranet user is transferring to the external user into network packets according to the TCP/IP protocol and sends them to the external user;
Step 214: After receiving the data, the external user first decrypts the data encryption key with their own private key and then decrypts the data with the data encryption key, obtaining the data sent by the intranet user.
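The intranet-to-outer-net path of claims 5 to 7 relies on one property: the transitional region is attached to at most one side at a time, and its buffer is wiped after every transfer. The following model is an added illustration, not code from the patent; it implements steps 204 to 211 as a switch interlock with the sensitive information filter and the system restore step, and leaves out the encryption of step 208. The `[SECRET:...]` marker and all payloads are constructed for the example.

```python
import re
from dataclasses import dataclass, field


class IsolationViolation(Exception):
    """An action would attach the transitional region to both networks at once."""


# Constructed marker for the sensitive-information filter (step 204); a real
# deployment would carry its own classification rules.
SENSITIVE = re.compile(rb"\[SECRET:[^\]]*\]")


def filter_sensitive(data: bytes) -> bytes:
    """Remove sensitive fragments from application-layer data (step 204)."""
    return SENSITIVE.sub(b"[REDACTED]", data)


@dataclass
class TransitZone:
    """Transitional region with one switched one-way link on each side (claim 5)."""
    in_closed: bool = False    # switch on the intranet -> transit link
    out_closed: bool = False   # switch on the transit -> outer net link
    buffer: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def set_switch(self, side: str, closed: bool) -> None:
        """Close or open one link; closing is refused while the other is closed."""
        other = self.out_closed if side == "in" else self.in_closed
        if closed and other:
            raise IsolationViolation(f"cannot close {side} link: other link is closed")
        setattr(self, f"{side}_closed", closed)
        self.events.append(f"{side}:{'closed' if closed else 'open'}")

    def receive(self, data: bytes) -> None:
        if not self.in_closed:
            raise IsolationViolation("inbound link is open")
        self.buffer.append(data)  # step 207: store in the transit data buffer

    def forward(self) -> list:
        if not self.out_closed:
            raise IsolationViolation("outbound link is open")
        return list(self.buffer)  # step 210: hand the buffer to the outer net side

    def restore(self) -> None:
        """System restore module: wipe the buffer, return to the original state (step 211)."""
        self.buffer.clear()
        self.events.append("restored")


def intranet_to_outer_net(zone: TransitZone, payloads: list) -> list:
    """Run steps 204-211 for one batch; returns what the outer net side receives."""
    cleaned = [filter_sensitive(p) for p in payloads]   # step 204
    zone.set_switch("in", True)                           # step 205
    for p in cleaned:
        zone.receive(p)
    zone.set_switch("in", False)                          # step 206
    zone.set_switch("out", True)                          # step 209
    delivered = zone.forward()                            # step 210
    zone.set_switch("out", False)                         # step 211
    zone.restore()
    return delivered


if __name__ == "__main__":
    z = TransitZone()
    print(intranet_to_outer_net(z, [b"report [SECRET:acct 4412] done"]))
    print(z.events)
```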
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710374477.XA CN106998333A (en) | 2017-05-24 | 2017-05-24 | A kind of bilateral network security isolation system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106998333A true CN106998333A (en) | 2017-08-01 |
Family
ID=59435980
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710374477.XA Pending CN106998333A (en) | 2017-05-24 | 2017-05-24 | A kind of bilateral network security isolation system and method |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103491072A (en) * | 2013-09-06 | 2014-01-01 | 北京信息控制研究所 | Boundary access control method based on double one-way separation gatekeepers |
US20150088934A1 (en) * | 2013-09-20 | 2015-03-26 | Open Text S.A. | Hosted application gateway architecture with multi-level security policy and rule promulgations |
CN104363221A (en) * | 2014-11-10 | 2015-02-18 | 青岛微智慧信息有限公司 | Network safety isolation file transmission control method |
CN104486336A (en) * | 2014-12-12 | 2015-04-01 | 冶金自动化研究设计院 | Device for safely isolating and exchanging industrial control networks |
CN106341397A (en) * | 2016-08-25 | 2017-01-18 | 柏盟(北京)科技发展有限公司 | Industrial safety isolation GAP |
Non-Patent Citations (2)
Title |
---|
李旋, 吴其聪: "A gatekeeper implementation method with data encryption and integrity protection", Journal of Nantong University (Natural Science Edition) * |
郑炜: "System research on a gigabit physical-isolation gatekeeper based on a MIPS CPU", China Master's Theses Full-text Database, Information Science and Technology * |
Cited By (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107809392A (en) * | 2017-10-18 | 2018-03-16 | 珠海许继芝电网自动化有限公司 | A kind of data transmission method across forward and reverse isolation load balancing and high reliability |
CN107888599A (en) * | 2017-11-17 | 2018-04-06 | 中国航空工业集团公司西安航空计算技术研究所 | Intercommunication system and method between a kind of avionics height secure network domain |
CN107888599B (en) * | 2017-11-17 | 2020-10-27 | 中国航空工业集团公司西安航空计算技术研究所 | Two-way communication system and method between high-low security network domains of avionics |
CN108390778A (en) * | 2018-02-10 | 2018-08-10 | 浙江财经大学 | A kind of computer network security prior-warning device |
CN110381008A (en) * | 2018-04-13 | 2019-10-25 | 武汉梓金山科技有限公司 | A kind of Dynamic Defense System of Network Security and method based on big data |
CN110381008B (en) * | 2018-04-13 | 2022-02-25 | 海南波克科技有限公司 | Network security dynamic defense system and method based on big data |
CN108833395A (en) * | 2018-06-07 | 2018-11-16 | 北京网迅科技有限公司杭州分公司 | A kind of outer net access authentication system and authentication method based on hardware access card |
CN110290060B (en) * | 2019-07-15 | 2021-12-14 | 腾讯科技(深圳)有限公司 | Cross-network communication method, device and storage medium |
CN110290060A (en) * | 2019-07-15 | 2019-09-27 | 腾讯科技(深圳)有限公司 | A kind of internetwork communication method, apparatus and storage medium |
CN110545324A (en) * | 2019-09-04 | 2019-12-06 | 北京百度网讯科技有限公司 | Data processing method, device, system, network equipment and storage medium |
CN110933025A (en) * | 2019-10-21 | 2020-03-27 | 武汉神库小匠科技有限公司 | Multi-source heterogeneous data cross-domain synchronous shared storage method, device, equipment and medium |
CN114766086A (en) * | 2019-12-19 | 2022-07-19 | 西门子交通有限责任公司 | Transmission device for transmitting data |
CN111556062A (en) * | 2020-05-06 | 2020-08-18 | 国网电力科学研究院有限公司 | Network security isolation device with one-way import function and method |
CN113824669A (en) * | 2020-06-18 | 2021-12-21 | 深圳市桑威科技有限公司 | External computer network early warning equipment and method |
CN112468571B (en) * | 2020-11-24 | 2022-02-01 | 中国联合网络通信集团有限公司 | Intranet and extranet data synchronization method and device, electronic equipment and storage medium |
CN112468571A (en) * | 2020-11-24 | 2021-03-09 | 中国联合网络通信集团有限公司 | Intranet and extranet data synchronization method and device, electronic equipment and storage medium |
CN114024753A (en) * | 2021-11-08 | 2022-02-08 | 中铁信安(北京)信息安全技术有限公司 | Data communication bidirectional ferry isolation device and method |
CN114500068A (en) * | 2022-02-10 | 2022-05-13 | 广州云羲网络科技有限公司 | Information data exchange system based on safety isolation network gate |
CN114500068B (en) * | 2022-02-10 | 2024-01-09 | 广州云羲网络科技有限公司 | Information data exchange system based on safety isolation gatekeeper |
CN114553528A (en) * | 2022-02-22 | 2022-05-27 | 成都睿智兴华信息技术有限公司 | Internal and external network data safety transmission system and transmission method thereof |
CN114553528B (en) * | 2022-02-22 | 2024-04-19 | 成都睿智兴华信息技术有限公司 | Internal and external network data safety transmission system and transmission method thereof |
CN114465821A (en) * | 2022-04-02 | 2022-05-10 | 浙江国利网安科技有限公司 | Data transmission system and data transmission method |
CN114615082B (en) * | 2022-04-07 | 2023-09-12 | 西安热工研究院有限公司 | System and method for simulating TCP duplex safety communication by using forward and reverse gatekeepers |
CN114615082A (en) * | 2022-04-07 | 2022-06-10 | 西安热工研究院有限公司 | System and method for simulating TCP duplex safety communication by using forward and reverse network gates |
CN114710360A (en) * | 2022-04-15 | 2022-07-05 | 北京全路通信信号研究设计院集团有限公司 | Audit-based inside-out data secure transmission method and system and electronic equipment |
CN114710360B (en) * | 2022-04-15 | 2024-01-19 | 北京全路通信信号研究设计院集团有限公司 | Audit-based inside-to-outside data security transmission method and system and electronic equipment |
CN115242432B (en) * | 2022-06-13 | 2023-05-16 | 中国电子科技集团公司第三十研究所 | Cross-domain time synchronization device and method |
CN115242432A (en) * | 2022-06-13 | 2022-10-25 | 中国电子科技集团公司第三十研究所 | Cross-domain time synchronization device and method |
CN115242446A (en) * | 2022-06-22 | 2022-10-25 | 中国电子科技集团公司第五十二研究所 | Cloud desktop one-way data importing system and method under intranet environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170801 |