CN108471408A - A kind of network security encryption device - Google Patents
A kind of network security encryption device
- Publication number: CN108471408A
- Application number: CN201810204574.9A
- Authority: CN (China)
- Prior art keywords: network, encryption device, network security, security encryption, data packet
- Prior art date:
- Legal status: Pending (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
All four classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L63/0428 — Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/00 Network security > H04L63/04 Confidential data exchange)
- H04L2101/622 — Layer-2 addresses, e.g. medium access control [MAC] addresses (under H04L2101/00 Indexing scheme associated with group H04L61/00 > H04L2101/60 Types of network addresses > H04L2101/618 Details of network addresses)
- H04L61/103 — Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP] (under H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/09 Mapping addresses > H04L61/10 Mapping addresses of different types)
- H04L61/2596 — Translation of addresses of the same type other than IP, e.g. translation from MAC to MAC addresses (under H04L61/00 > H04L61/09 Mapping addresses > H04L61/25 Mapping addresses of the same type)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Small-Scale Networks (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a network security encryption device connected between a protected client and the network. The network security encryption device negotiates a session key with the device of another protected client, after which all communication between the two clients is encrypted. The device is self-configuring: it locks itself to the IP address of its client. Consequently, once the device is in place the client cannot change its IP address, so the IP address of another client cannot be impersonated. When a packet is transmitted from the protected host, the security device replaces the client's MAC address with its own MAC address before the packet is sent onto the network. Packets addressed to the host therefore carry the security device's MAC address; the device restores the client's MAC address and forwards the packet to the client.
Description
Technical field
The present invention relates to network security technology, and more specifically to a network security encryption device.
Background technology
Existing network security products fall into two classes: (1) firewalls, for example Janus and ANS, and (2) software products such as privacy-enhanced mail, secure HTTP, one-time passwords, etc.
A firewall is a special-purpose computer, usually running the Unix operating system. It filters incoming and outgoing communication. Like a router, the firewall is placed between the local area network (LAN) and the outside world. It decides whether to let a packet through based on the source and/or destination IP address and TCP port number. Some firewalls can also encrypt data, provided both ends of the communication use the same type of firewall. Some firewalls also offer entry authentication.
Software products are based on the assumption that the computer on which the software is installed is secure and that only the outside network needs protection. Therefore such products can easily be bypassed by breaking into the computer. A common scheme is for an intruder to plant a "Trojan horse" on the computer, which sends him an unencrypted copy of everything it processes. Sometimes this is done with a delay, so that the copy is sent at a time when the computer cannot be monitored.
In addition, some products are designed to keep the computer completely secure by preventing intrusion. These products are based on the assumption that they are 100% secure. Once such a product is compromised it becomes completely ineffective. Sometimes the carelessness of one user endangers all other users of the product.
Firewalls are more effective at maintaining network security. However, they are very expensive: their price ranges from $10,000 to $50,000, in addition to the price of the hardware. They require advanced experts to install and maintain. Most sophisticated and effective firewalls need specially trained technicians or engineers to maintain them. Specialized training costs up to $10,000 per person, in addition to an annual salary of $60,000 to $120,000.
Firewalls require constant maintenance, upgrading and monitoring to provide adequate security. They cover only the TCP part of the Internet protocols, not the UDP part. Therefore they cannot provide security for NFS (Network File Service) and many client/server applications.
A firewall is a full-service computer that can be logged into for maintenance and monitoring, and therefore it can be broken into. Once a firewall is compromised it loses its effectiveness and becomes a liability rather than a security aid. A firewall protects only the connection between the LAN and the WAN (wide area network); it does not protect against intrusion into a specific host from within the LAN.
For the above reasons, the purpose of the present invention is to provide a network security encryption device that overcomes the shortcomings of prior-art network security encryption devices.
Invention content
The technical problem solved by the present invention is to provide a network security encryption device that addresses the above-mentioned problems of the prior art.
The technical solution adopted by the present invention is to construct a network security encryption device comprising: (a) a first network interface connected to at least one specific node; (b) a second network interface connected to a network; and (c) a processing circuit connected to the first and second interfaces. The processing circuit (1) converts the MAC address of the at least one specific node, contained in packets received on the first interface from the at least one specific node, into the MAC address of the network security encryption device before the packets are transmitted to the network through the second interface, and (2) converts the MAC address of the network security encryption device, contained in packets received from the network, into the MAC address of the at least one specific node.
In the present invention, the first and second network interfaces are Ethernet interfaces.
In the present invention, the processing circuit encrypts the user data contained in packets received from the at least one specific node, while the IP addresses contained in those packets remain unencrypted.
In the present invention, the processing circuit encrypts the TCP packet, including the TCP packet header, contained in packets received from the at least one specific node.
In the present invention, the processing circuit encrypts the UDP packet, including the UDP packet header, contained in packets received from the at least one specific node.
In the present invention, the processing circuit encrypts the user data using a session key and an encryption function.
In the present invention, the network security encryption device maintains a first database containing information indicating the IP addresses and permanent public keys of one or more nodes in the network.
In the present invention, the network security encryption device maintains a second database containing the IP addresses of one or more nodes in the network and the session keys shared with the at least one specific node.
In the present invention, one or more nodes in the dynamic database are not secure nodes.
Description of the drawings
The invention is further explained below with reference to the attached drawing and embodiments. In the drawing:
Fig. 1 shows the network security encryption device of the present invention.
Specific implementation mode
As shown in Figure 1, network security encryption device 10 includes a first interface 0, which is connected to user host 12. Specifically, interface 0 is connected by a cable or wire 13 to the network interface of client computer 12. Security device 10 includes a second interface 1, which is connected to a part of network 100. As shown, interface 1 is connected to an Ethernet, so interfaces 0 and 1 are Ethernet interfaces, such as SMC's Ultra Ethernet interface.
CPU 14 is connected to interfaces 0 and 1. The CPU is, for example, an Intel 486DX 62-66. Static memory 16 (such as flash EEPROM) is connected to CPU 14, and dynamic memory 18 (such as RAM) is connected to CPU 14. Optional encryption module 20 performs encryption and the bulk arithmetic operations it requires. The encryption unit is implemented with a programmable logic array. Alternatively, the encryption module can be omitted and its function implemented by a software program executed by CPU 14. Interface 0 is placed in promiscuous mode. In this mode, interface 0 passes all communication from user host 12 on cable 13 to CPU 14. The network connection is through interface 1, which is set to the same IP address as client computer 12. Network security encryption device 10 responds to Address Resolution Protocol requests with its own MAC address rather than the client's. This increases security by defeating attempts to bypass device 10 at the Ethernet protocol level.
CPU 14 maintains two databases. One is a static database, stored in flash EEPROM 16. This database contains permanent information about the secure nodes in the network, i.e. each node's IP address, the time it was entered into the database, and the node's permanent public key.
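The following Python model is an added illustration of the packet path described above and claimed below; it is not code from the patent or its applicant. It models one device per client: outbound frames have the client's source MAC replaced by the device's, the TCP/UDP segment (header included) encrypted under the session key from the dynamic database while the IP header, and so the IP addresses, stay in clear; inbound frames are accepted only if addressed to the device's MAC, decrypted, and re-addressed to the client; and an ARP request for the client's IP is answered with the device's MAC. Everything not fixed by the patent is an assumption: the addresses and session key are constructed, the dynamic database is a dictionary (with None marking a node recorded as not secure, per claim 9), the static database and the session-key negotiation are not modelled, and the unnamed encryption function is stood in for by HMAC-SHA256 in counter mode with an appended integrity tag so that a tampered segment is dropped rather than delivered.

```python
import hashlib
import hmac
import os
import struct
from collections import namedtuple

# Constructed example addresses (not from the patent): two clients, each behind its own security device.
A_MAC, A_IP, DEV_A_MAC = bytes.fromhex("020000000001"), "10.0.0.5", bytes.fromhex("02000000aa01")
B_MAC, B_IP, DEV_B_MAC = bytes.fromhex("020000000002"), "10.0.0.9", bytes.fromhex("02000000bb01")
OPEN_IP = "10.0.0.20"                       # node listed in the dynamic database as not secure (claim 9)
ETH_IP, ETH_ARP, PROTO_UDP = 0x0800, 0x0806, 17
NONCE_LEN, TAG_LEN = 8, 16
ARP_FMT = ">HHBBH6s4s6s4s"                  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
Frame = namedtuple("Frame", "dst src ethertype payload")   # one Ethernet frame

def ip_to_bytes(ip): return bytes(int(o) for o in ip.split("."))
def bytes_to_ip(b): return ".".join(str(o) for o in b)

def ip_checksum(hdr):
    # One's-complement sum over the IPv4 header with the checksum field zeroed.
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    s = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def replace_l4(pkt, new_l4):
    # Keep the IP header (addresses stay in clear) but fix total length and checksum for the new body.
    ihl = (pkt[0] & 0x0F) * 4
    hdr = pkt[:2] + struct.pack(">H", ihl + len(new_l4)) + pkt[4:ihl]
    return hdr[:10] + struct.pack(">H", ip_checksum(hdr)) + hdr[12:] + new_l4

def keystream(key, nonce, n):
    # Stand-in for the patent's unnamed encryption function: HMAC-SHA256 in counter mode (assumption).
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, data):
    # nonce || ciphertext || tag, so the receiving device can reject altered segments.
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def unseal(key, blob):
    # Returns None (the caller drops the packet) when the blob is too short or the tag does not verify.
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

class SecurityDevice:
    # Interface 0 faces one client, interface 1 faces the network. session_db models the dynamic
    # database: peer IP -> shared session key, with None for a node recorded as not secure.
    def __init__(self, client_ip, client_mac, own_mac, session_db):
        self.client_ip, self.client_mac, self.mac, self.session_db = client_ip, client_mac, own_mac, session_db

    def from_client(self, frame):
        # Interface 0 -> 1: source MAC becomes the device's; TCP/UDP segment is encrypted, IP header is not.
        pkt = frame.payload
        if frame.ethertype != ETH_IP or bytes_to_ip(pkt[16:20]) not in self.session_db:
            return None                                   # non-IP frame or unknown destination node: drop
        key, ihl = self.session_db[bytes_to_ip(pkt[16:20])], (pkt[0] & 0x0F) * 4
        l4 = seal(key, pkt[ihl:]) if key is not None else pkt[ihl:]
        return Frame(frame.dst, self.mac, ETH_IP, replace_l4(pkt, l4))

    def from_network(self, frame):
        # Interface 1 -> 0: only frames for the device's own MAC are accepted; decrypt, then address to the client.
        pkt = frame.payload
        if frame.dst != self.mac or frame.ethertype != ETH_IP or bytes_to_ip(pkt[12:16]) not in self.session_db:
            return None
        key, ihl = self.session_db[bytes_to_ip(pkt[12:16])], (pkt[0] & 0x0F) * 4
        l4 = unseal(key, pkt[ihl:]) if key is not None else pkt[ihl:]
        if l4 is None:
            return None                                   # integrity failure: drop
        return Frame(self.client_mac, frame.src, ETH_IP, replace_l4(pkt, l4))

    def answer_arp(self, frame):
        # An ARP request for the client's IP is answered with the device's MAC, never the client's.
        if frame.ethertype != ETH_ARP or len(frame.payload) < 28:
            return None
        _, _, _, _, op, sha, spa, _, tpa = struct.unpack(ARP_FMT, frame.payload[:28])
        if op != 1 or bytes_to_ip(tpa) != self.client_ip:
            return None
        return Frame(sha, self.mac, ETH_ARP, struct.pack(ARP_FMT, 1, ETH_IP, 6, 4, 2, self.mac, tpa, sha, spa))

def demo():
    # Round trip A -> B, a tampered copy of the wire frame, and an ARP probe from B for A's address.
    key = hashlib.sha256(b"constructed session key").digest()  # constructed; key negotiation is not modelled
    dev_a = SecurityDevice(A_IP, A_MAC, DEV_A_MAC, {B_IP: key, OPEN_IP: None})
    dev_b = SecurityDevice(B_IP, B_MAC, DEV_B_MAC, {A_IP: key})
    udp = struct.pack(">HHHH", 40000, 53, 8 + 5, 0) + b"hello"          # UDP header + user data
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 0, 1, 0, 64, PROTO_UDP, 0, ip_to_bytes(A_IP), ip_to_bytes(B_IP))
    sent = Frame(DEV_B_MAC, A_MAC, ETH_IP, replace_l4(hdr, udp))        # replace_l4 fills length and checksum
    wire = dev_a.from_client(sent)
    flipped = wire.payload[:30] + bytes([wire.payload[30] ^ 1]) + wire.payload[31:]
    probe = struct.pack(ARP_FMT, 1, ETH_IP, 6, 4, 1, B_MAC, ip_to_bytes(B_IP), b"\x00" * 6, ip_to_bytes(A_IP))
    return {"sent": sent, "wire": wire, "delivered": dev_b.from_network(wire),
            "tampered": dev_b.from_network(Frame(wire.dst, wire.src, ETH_IP, flipped)),
            "arp_reply": dev_a.answer_arp(Frame(b"\xff" * 6, B_MAC, ETH_ARP, probe))}
```

Two points the model makes visible that the description leaves implicit: encrypting the transport segment in place changes the IP total length, so the device must rewrite the length field and header checksum of the otherwise untouched IP header, and because the IP addresses remain in clear, the receiving device can look up the session key by source address before touching the encrypted body. The `demo()` function returns the frames at each stage so the effect of the MAC rewrite, the preserved IP header, the dropped tampered frame and the ARP answer can all be inspected.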
The foregoing is only a preferred embodiment of the present invention, and the scope of protection of the invention is not limited to it. Any variation or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the invention should be covered by the scope of protection of the invention. Therefore, the scope of protection of the invention is defined by the claims.
Claims (9)
1. A network security encryption device, characterized in that it comprises: (a) a first network interface connected to at least one specific node; (b) a second network interface connected to a network; and (c) a processing circuit connected to the first and second interfaces, the processing circuit (1) converting the MAC address of the at least one specific node, contained in packets received on the first interface from the at least one specific node, into the MAC address of the network security encryption device before the packets are transmitted to the network through the second interface, and (2) converting the MAC address of the network security encryption device, contained in packets received from the network, into the MAC address of the at least one specific node.
2. The network security encryption device of claim 1, characterized in that the first and second network interfaces are Ethernet interfaces.
3. The network security encryption device of claim 1, characterized in that the processing circuit encrypts the user data contained in the packets received from the at least one specific node, while the IP addresses contained in the packets received from the at least one specific node remain unencrypted.
4. The network security encryption device of claim 3, characterized in that the processing circuit encrypts the TCP packet, including the TCP packet header, contained in the packets received from the at least one specific node.
5. The network security encryption device of claim 3, characterized in that the processing circuit encrypts the UDP packet, including the UDP packet header, contained in the packets received from the at least one specific node.
6. The network security encryption device of claim 3, characterized in that the processing circuit encrypts the user data using a session key and an encryption function.
7. The network security encryption device of claim 1, characterized in that the network security encryption device maintains a first database containing information indicating the IP addresses and permanent public keys of one or more nodes in the network.
8. The network security encryption device of claim 7, characterized in that the network security encryption device maintains a second database containing the IP addresses of one or more nodes in the network and the session keys shared with the at least one specific node.
9. The network security encryption device of claim 8, characterized in that one or more nodes in the dynamic database are not secure nodes.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810204574.9A CN108471408A (en) | 2018-03-13 | 2018-03-13 | A kind of network security encryption device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108471408A true CN108471408A (en) | 2018-08-31 |
Family
ID=63265250
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1173256A (en) * | 1995-09-18 | 1998-02-11 | 数字保证网络技术股份有限公司 | Network security device |
CN104954136A (en) * | 2015-06-16 | 2015-09-30 | 祝峰 | Network security encryption device under cloud computing environment |
Application events
- 2018-03-13: application CN201810204574.9A filed in CN, published as CN108471408A; status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20180831 |