CN110730170A - Internal and external network isolation method and system - Google Patents

Info

Publication number
CN110730170A
Authority
CN
China
Prior art keywords
network
cpu
internal
fpga
network packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910958542.2A
Other languages
Chinese (zh)
Inventor
滕达
王培培
吴之光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Chaoyue CNC Electronics Co Ltd
Original Assignee
Shandong Chaoyue CNC Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers

Abstract

The invention relates to an internal and external network isolation method and system. When data is transmitted between the internal network and the external network, the network packet carrying the data is captured and parsed by an FPGA and then passed to a CPU unit; the CPU unit queries the security policy for the packet and processes it according to the policy setting that applies to it: a packet that is to be filtered is discarded by the CPU unit without being forwarded, and any other packet, which does not need to be filtered, is forwarded by the CPU unit to the corresponding destination network. Packets travelling from the internal network to the external network and packets travelling in the opposite direction follow different paths, which is what provides the security isolation. With this method and system, bidirectional network traffic is turned into unidirectional flows, the internal-network and external-network paths are independent, the original network structure need not be changed, complete isolation and encryption between the internal and external networks can be achieved, and security is greatly improved.

Description

Internal and external network isolation method and system
Technical Field
The invention relates to the technical field of circuit design, and in particular to an internal and external network isolation method and system.
Background
Network security covers network device security, network information security and network software security. It means that the hardware, software and data of a network system are protected from damage, alteration and leakage, whether accidental or malicious; that the system runs continuously, reliably and normally; and that network service is not interrupted. A secure system has the properties of confidentiality, integrity, availability, controllability and auditability.
1. Confidentiality
Information is not disclosed to, or exploited by, unauthorized users, entities or processes.
2. Integrity
Data cannot be altered without authorization; that is, information remains unmodified, uncorrupted and unlost during storage or transmission.
3. Availability
Information is accessible and usable on demand by authorized entities; that is, the required information can be reached when it is needed. Denial of service, disruption of the network and of the normal operation of the associated systems, and similar events are all attacks on availability.
4. Controllability
The system can control the dissemination and content of information.
5. Auditability
A basis and means for investigation are available when a security problem occurs.
From the point of view of network operators and administrators, the aim is to protect and control access to, and reading and writing of, information on the local network; to avoid threats such as trapdoors, viruses, illegal access, denial of service, and illegal occupation or control of network resources; and to prevent and defend against attacks by network hackers. Security and secrecy departments, for their part, hope to filter and block illegal, harmful or state-confidential information, avoid the leakage of confidential information, and prevent harm to society and heavy losses to the country.
With the rapid development of computer technology, the services handled on computers have grown from stand-alone numerical computation and file processing, and internal service processing on a simply connected intranet, to office automation and then to enterprise-level processing systems built on a complex intranet, extranet and the global Internet, with information sharing and service processing on a worldwide scale.
As the processing capacity of such systems has grown, so has their connectivity. However, as connectivity and the circulation of information improve, security problems arising from network connections become ever more prominent. Overall network security mainly involves the following aspects: physical security of the network, network topology security, network system security, application system security, and network management security.
In general, system security is in tension with performance and functionality. A system that provides no service to the outside world (one that is disconnected) faces no security threat from outside. However, with the continuous construction and improvement of communication infrastructure in China in recent years, the Internet has become an indispensable part of daily life and office work. Enterprises connect to the Internet to offer services such as online stores and electronic commerce, which turns a closed internal network into an open network environment and gives rise to a variety of security problems, including system-level ones. For some security agencies in particular, Internet security is of the greatest importance.
In summary, the importance of computer network security is beyond doubt. Building a network security system today has two costs: on one hand, the work of authentication, encryption, monitoring, analysis, logging and so on inevitably reduces network efficiency and the flexibility of client applications; on the other hand, management cost increases.
To address the problem of Internet security, the invention provides an internal and external network isolation method and system that reduce network management cost, improve network management efficiency, and reduce the impact on network efficiency and customer applications, achieving internal and external network isolation without changing the existing network architecture and facilities.
Disclosure of Invention
To make up for the deficiencies of the prior art, the invention provides a simple and efficient internal and external network isolation method and system.
The invention is implemented by the following technical scheme:
An internal and external network isolation system, characterized in that: when data is transmitted between the internal network and the external network, the network packet carrying the data is captured and parsed by the FPGA and then passed to the CPU unit; the CPU unit queries the security policy for the packet and processes it according to the policy setting that applies to it; a packet that is to be filtered is discarded directly by the CPU unit without being forwarded; any other packet, which does not need to be filtered, is forwarded by the CPU unit to the corresponding destination network; and packets travelling from the internal network to the external network and packets travelling in the opposite direction follow different paths, which provides the security isolation.
When the intranet sends data to the extranet, the packet is captured by the intranet FPGA, parsed, and forwarded to the intranet CPU; the intranet CPU queries the security policy for the packet, and if the packet does not need to be filtered, the intranet CPU forwards it to the extranet FPGA, which sends it to the extranet.
When the extranet sends data to the intranet, the packet is captured by the extranet FPGA, parsed, and forwarded to the extranet CPU; the extranet CPU queries the security policy for the packet, and if the packet does not need to be filtered, the extranet CPU forwards it to the intranet FPGA, which sends it to the extranet.
After the intranet CPU or the extranet CPU has queried the security policy for the packet, if the packet is found not to require encryption and may be transmitted in the clear, it is forwarded directly; if the packet needs to be encrypted, the encryption algorithm is executed to encrypt the packet before it is forwarded.
The encryption algorithms of the intranet CPU and the extranet CPU are configured separately and executed independently of each other.
The isolation system implementing the method consists of an intranet FPGA, an intranet policy CPU, an extranet FPGA and an extranet policy CPU. The extranet policy CPU is connected to the extranet through the extranet FPGA, and the intranet policy CPU is connected to the intranet through the intranet FPGA. The intranet FPGA is connected to the intranet through the network port of an intranet computer or an intranet switch, and the extranet FPGA is connected to the extranet through the network port of an extranet computer or an extranet switch.
To save overhead and increase processing speed, a network protocol parsing program is provided in each of the intranet FPGA and the extranet FPGA and is responsible for network protocol analysis.
To further improve the security of the isolation system, the intranet policy CPU and the extranet policy CPU both use a domestically produced Shenwei processor and are responsible for computing the encryption algorithm and querying the security policy.
The beneficial effects of the invention are as follows: with this internal and external network isolation method and system, bidirectional network traffic is turned into unidirectional flows, the intranet and extranet paths are independent, the original network structure need not be changed, complete isolation and encryption between the internal and external networks can be achieved, and security is greatly improved.
Drawings
FIG. 1 is a schematic diagram of an internal and external network isolation system according to the invention.
In the figure, the dotted link is the intranet path and the solid link is the extranet path; intranet and extranet traffic pass through different paths, which provides the security isolation.
Detailed Description
To make the technical problems to be solved, the technical solutions and the advantageous effects of the invention clearer, the invention is described in detail below with reference to the embodiments. The specific embodiments described here serve only to explain the invention and do not limit it.
According to the internal and external network isolation method, when data is transmitted between the internal network and the external network, the network packet carrying the data is captured and parsed by the FPGA and then passed to the CPU; the CPU unit queries the security policy for the packet and processes it according to the policy setting that applies to it; a packet that is to be filtered is discarded directly by the CPU unit without being forwarded; any other packet, which does not need to be filtered, is forwarded by the CPU unit to the corresponding destination network; and packets travelling from the internal network to the external network and packets travelling in the opposite direction follow different paths, which provides the security isolation.
When the intranet sends data to the extranet, the packet is captured by the intranet FPGA, parsed, and forwarded to the intranet CPU; the intranet CPU queries the security policy for the packet, and if the packet does not need to be filtered, the intranet CPU forwards it to the extranet FPGA, which sends it to the extranet.
When the extranet sends data to the intranet, the packet is captured by the extranet FPGA, parsed, and forwarded to the extranet CPU; the extranet CPU queries the security policy for the packet, and if the packet does not need to be filtered, the extranet CPU forwards it to the intranet FPGA, which sends it to the extranet.
After the intranet CPU or the extranet CPU has queried the security policy for the packet, if the packet is found not to require encryption and may be transmitted in the clear, it is forwarded directly; if the packet needs to be encrypted, the encryption algorithm is executed to encrypt the packet before it is forwarded.
The encryption algorithms of the intranet CPU and the extranet CPU are configured separately and executed independently of each other. Because the intranet and the extranet can apply different security encryption policies, flexibility and security are greatly improved.
The isolation system implementing the method consists of an intranet FPGA, an intranet policy CPU, an extranet FPGA and an extranet policy CPU. The extranet policy CPU is connected to the extranet through the extranet FPGA, and the intranet policy CPU is connected to the intranet through the intranet FPGA. The intranet FPGA is connected to the intranet through the network port of an intranet computer or an intranet switch, and the extranet FPGA is connected to the extranet through the network port of an extranet computer or an extranet switch.
To save overhead and increase processing speed, a network protocol parsing program is provided in each of the intranet FPGA and the extranet FPGA and is responsible for network protocol analysis.
To further improve the security of the isolation system, the intranet policy CPU and the extranet policy CPU both use a domestically produced Shenwei processor and are responsible for computing the encryption algorithm and querying the security policy.
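As an added illustration (not the patent's own code), the following Python model runs the packet flow described above: one parser stage standing in for the FPGA protocol analysis, and one independent policy stage per direction standing in for the intranet and extranet policy CPUs, each with its own rule table and its own encryption routine. The addresses, rule format, default-deny behaviour for unmatched packets and the SHA-256 keystream cipher are constructed for this example and are not specified by the patent.

```python
"""Model of the two-path isolation device: a per-side parser (FPGA stage) and a
per-side policy engine (policy-CPU stage) with its own rules and cipher. Constructed."""
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

IPV4 = 0x0800
DROP, CLEAR, ENCRYPT = "drop", "forward-clear", "forward-encrypted"
Rule = Tuple[str, int, int, str]   # (dst prefix, proto, dport, action); constructed rule shape


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int
    payload: bytes


def parse_frame(frame: bytes) -> Optional[Packet]:
    """FPGA stage: extract the fields the policy lookup keys on. Anything that is
    not well-formed Ethernet/IPv4 + TCP/UDP yields None and never reaches policy."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != IPV4:
        return None
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if ihl < 20 or total_len > len(ip) or total_len < ihl:
        return None
    l4 = ip[ihl:total_len]
    min_hdr = {6: 20, 17: 8}.get(proto)            # TCP or UDP only
    if min_hdr is None or len(l4) < min_hdr:
        return None
    hdr = (l4[12] >> 4) * 4 if proto == 6 else 8   # TCP data offset
    if hdr < min_hdr or len(l4) < hdr:
        return None
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return Packet(src, dst, proto, struct.unpack("!H", l4[2:4])[0], l4[hdr:])


def lookup(rules: List[Rule], pkt: Packet) -> str:
    """Policy query: first matching rule wins. Unmatched traffic is filtered;
    that default-deny is this example's assumption, not stated by the patent."""
    for prefix, proto, dport, action in rules:
        if pkt.dst.startswith(prefix) and (pkt.proto, pkt.dport) == (proto, dport):
            return action
    return DROP


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for whichever algorithm a side is configured with: SHA-256 counter
    keystream XOR (symmetric, so it also decrypts). Illustrative only."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass
class Path:
    """One direction's policy CPU: private rules, private cipher, private log."""
    name: str
    rules: List[Rule]
    encrypt: Callable[[bytes], bytes]
    log: List[tuple] = field(default_factory=list)

    def process(self, frame: bytes) -> Optional[Packet]:
        pkt = parse_frame(frame)
        if pkt is None:
            self.log.append((self.name, "unparseable", DROP))
            return None
        action = lookup(self.rules, pkt)
        self.log.append((self.name, f"{pkt.src}->{pkt.dst}:{pkt.dport}", action))
        if action == DROP:
            return None
        if action == ENCRYPT:
            return Packet(pkt.src, pkt.dst, pkt.proto, pkt.dport, self.encrypt(pkt.payload))
        return pkt


def build_frame(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 + TCP frame used as sample input."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return b"\x00" * 12 + struct.pack("!H", IPV4) + ip + tcp + payload


def demo():
    """Intranet->extranet and extranet->intranet traffic each traverse only their
    own Path; the two Paths share no rules, key or state."""
    intranet = Path("intranet-CPU", [("203.0.113.", 6, 443, ENCRYPT), ("203.0.113.", 6, 80, CLEAR)],
                    lambda d: keystream_xor(b"intranet-key", d))
    extranet = Path("extranet-CPU", [("10.0.0.", 6, 443, CLEAR)],
                    lambda d: keystream_xor(b"extranet-key", d))
    outbound = intranet.process(build_frame("10.0.0.5", "203.0.113.9", 443, b"report"))
    junk = intranet.process(b"\x00" * 20)            # malformed frame: dropped at parse stage
    inbound = extranet.process(build_frame("203.0.113.9", "10.0.0.5", 443, b"reply"))
    blocked = extranet.process(build_frame("203.0.113.9", "10.0.0.5", 22, b"ssh"))
    return intranet.log + extranet.log, outbound, inbound, blocked, junk
```

The returned log shows each direction's decisions separately, which is the audit trail an operator of such a device would want to review.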
Compared with the prior art, the internal and external network isolation method and system have the following characteristics:
1. bidirectional network traffic becomes unidirectional, the intranet and extranet paths are independent, complete isolation and encryption between the intranet and the extranet are achieved, and security is greatly improved;
2. only the intranet side of the isolation system needs to be connected to the network port of the corresponding intranet computer or intranet switch, and the extranet side to the network port of an extranet computer or extranet switch; isolation of the internal and external networks is achieved without changing the original network structure, which reduces network security management cost;
3. the intranet and the extranet can implement different security policies, which greatly improves the security of the intranet;
4. the FPGA performs the network protocol analysis, which saves overhead compared with a CPU, greatly increases processing speed, and reduces the impact on network efficiency and client applications;
5. the CPU unit uses the Shenwei processor, which is produced entirely domestically, further improving the security of the isolation system.
The embodiment described above is only one specific embodiment of the invention; ordinary changes and substitutions made by those skilled in the art within the technical scope of the invention fall within its scope of protection.

Claims (8)

1. An internal and external network isolation method, characterized in that: when data is transmitted between the internal network and the external network, the network packet carrying the data is captured and parsed by the FPGA and then passed to the CPU unit; the CPU unit queries the security policy for the packet and processes it according to the policy setting that applies to it; a packet that is to be filtered is discarded directly by the CPU unit without being forwarded; any other packet, which does not need to be filtered, is forwarded by the CPU unit to the corresponding destination network; and packets travelling from the internal network to the external network and packets travelling in the opposite direction follow different paths, which provides the security isolation.
2. The internal and external network isolation method according to claim 1, wherein: when the intranet sends data to the extranet, the packet is captured by the intranet FPGA, parsed, and forwarded to the intranet CPU; the intranet CPU queries the security policy for the packet, and if the packet does not need to be filtered, the intranet CPU forwards it to the extranet FPGA, which sends it to the extranet.
3. The internal and external network isolation method according to claim 1, wherein: when the extranet sends data to the intranet, the packet is captured by the extranet FPGA, parsed, and forwarded to the extranet CPU; the extranet CPU queries the security policy for the packet, and if the packet does not need to be filtered, the extranet CPU forwards it to the intranet FPGA, which sends it to the extranet.
4. The internal and external network isolation method according to claim 2 or 3, characterized in that: after the intranet CPU or the extranet CPU has queried the security policy for the packet, if the packet may be transmitted in the clear, it is forwarded directly; if the packet needs to be encrypted, the encryption algorithm is executed to encrypt the packet before it is forwarded.
5. The internal and external network isolation method according to claim 4, wherein: the encryption algorithms of the intranet CPU and the extranet CPU are configured separately and executed independently of each other.
6. An isolation system for the internal and external network isolation method according to claims 1 to 5, characterized in that: the system consists of an intranet FPGA, an intranet policy CPU, an extranet FPGA and an extranet policy CPU; the extranet policy CPU is connected to the extranet through the extranet FPGA, and the intranet policy CPU is connected to the intranet through the intranet FPGA; the intranet FPGA is connected to the intranet through the network port of an intranet computer or an intranet switch, and the extranet FPGA is connected to the extranet through the network port of an extranet computer or an extranet switch.
7. The isolation system according to claim 6, wherein: to save overhead and increase processing speed, a network protocol parsing program is provided in each of the intranet FPGA and the extranet FPGA and is responsible for network protocol analysis.
8. The isolation system according to claim 6, wherein: to further improve the security of the isolation system, the intranet policy CPU and the extranet policy CPU both use a domestically produced Shenwei processor and are responsible for computing the encryption algorithm and querying the security policy.
Application CN201910958542.2A, priority date 2019-10-10, filing date 2019-10-10, "Internal and external network isolation method and system", status Pending, published as CN110730170A (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910958542.2A CN110730170A (en) 2019-10-10 2019-10-10 Internal and external network isolation method and system


Publications (1)

Publication Number Publication Date
CN110730170A true CN110730170A (en) 2020-01-24

Family

ID=69219822


Country Status (1)

Country Link
CN (1) CN110730170A (en)


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753553A (en) * 2008-12-08 2010-06-23 北京财富天湖科技有限公司 Safety isolating and message switching system and method
CN103237036A (en) * 2013-05-08 2013-08-07 天津工业大学 Device for realizing physical partition of internal and external networks
CN103491072A (en) * 2013-09-06 2014-01-01 北京信息控制研究所 Boundary access control method based on double one-way separation gatekeepers
US9313172B1 (en) * 2011-06-29 2016-04-12 Amazon Technologies, Inc. Providing access to remote networks via external endpoints
CN107493292A (en) * 2017-09-03 2017-12-19 深圳市中锐源科技有限公司 The information transmission system and method for isomery multichannel security isolation
CN108055244A (en) * 2017-11-27 2018-05-18 珠海市鸿瑞信息技术股份有限公司 A kind of dual processor system network security partition method based on SRIO interfacings


Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112468494A (en) * 2020-11-26 2021-03-09 湖北航天信息技术有限公司 Intranet and extranet internet data transmission method and device
CN112468494B (en) * 2020-11-26 2022-05-17 湖北航天信息技术有限公司 Intranet and extranet internet data transmission method and device
CN115001665A (en) * 2022-08-01 2022-09-02 北京安盟信息技术股份有限公司 Data reinforcement method and data transmission system based on data isolation exchange scene
CN115001665B (en) * 2022-08-01 2022-11-15 北京安盟信息技术股份有限公司 Data reinforcement method and data transmission system based on data isolation exchange scene
CN116471103A (en) * 2023-05-04 2023-07-21 深圳市显科科技有限公司 Internal and external network data security exchange method, device and equipment based on boundary network
CN116471103B (en) * 2023-05-04 2023-09-22 深圳市显科科技有限公司 Internal and external network data security exchange method, device and equipment based on boundary network

Similar Documents

Publication Publication Date Title
HaddadPajouh et al. A survey on internet of things security: Requirements, challenges, and solutions
US11218446B2 (en) Secure on-premise to cloud communication
Yan et al. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: A survey, some research issues, and challenges
EP1481508B1 (en) Multi-method gateway-based network security systems
KR100695827B1 (en) Integrated security apparatus and operating method thereof
CN110730170A (en) Internal and external network isolation method and system
AlSabeh et al. A survey on security applications of P4 programmable switches and a STRIDE-based vulnerability assessment
Mishra et al. Software defined internet of things security: Properties, state of the art, and future research
OConnor et al. PivotWall: SDN-based information flow control
Umar et al. Mitigating sodinokibi ransomware attack on cloud network using software-defined networking (SDN)
Khosroshahi et al. Security technology by using firewall for smart grid
EP2321934B1 (en) System and device for distributed packet flow inspection and processing
Bellovin et al. Can it really work-problems with extending EINSTEIN 3 to critical infrastructure
Yue et al. The research of firewall technology in computer network security
Schmitt et al. Vulnerability assessment of InfiniBand networking
Jadhav et al. Detection and mitigation of ARP spoofing attack
Hu et al. Network Virus and Computer Network Security Detection Technology Optimization
Ahmed et al. Architecture based on tor network for securing the communication of northbound interface in sdn
Mahmood et al. Securing Industrial Internet of Things (Industrial IoT)-A Reviewof Challenges and Solutions
Yu Study on intrusion IPv6 detection system on LINUX
Dai Secure digital library technology research based on VPN
Ohri et al. Software-Defined Networking Security Challenges and Solutions: A Comprehensive Survey
Rakshitha et al. A survey on detection and mitigation of zombie attacks in cloud environment
Kaur et al. Potential Security Requirements in IoT to Prevent Attacks and Threats
Kapuganti et al. Ensure security for SDN-based Smart Healthcare systems with a Blockchain approach

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2020-01-24