CN111131280A - Internal and external network isolation system - Google Patents

Info

Publication number: CN111131280A
Application number: CN201911388860.6A
Authority: CN (China)
Prior art keywords: network, internal, external network, computer, intranet
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 吴树平, 王继
Current Assignee: Network Communication and Security Zijinshan Laboratory (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Network Communication and Security Zijinshan Laboratory
Priority date / Filing date: 2019-12-30 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Publication date: 2020-05-08

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks

Abstract

The invention discloses an internal and external network isolation system, which comprises a computer capable of being connected to an internal network and an external network simultaneously, and an isolation device through which the computer is connected to the internal network and the external network. The isolation device comprises a CPU, a switch chip and an internal/external network selector switch; the CPU is connected to the switch chip and to the selector switch, and the switch chip provides a plurality of network interfaces connected respectively to the CPU, the computer, the internal network and the external network. The invention not only realizes physical isolation of the internal and external networks, but also prevents the computer from being started into the wrong system when a network cable is plugged into the wrong interface, so that internal enterprise information is never transmitted on the external network and enterprise information is protected.

Description

Internal and external network isolation system
Technical Field
The invention discloses an internal and external network isolation system, relates to the technical field of network information security, and particularly relates to physical isolation of network security.
Background
Internet application technology has developed rapidly, and computer information networks now cover every field of society; they provide resource sharing and great convenience, but also face the threat of information leakage. The external network is full of unsafe factors: an attacker can use the external network as a bridge to attack internal network equipment and steal confidential enterprise information and data, threatening enterprise information security. Once an information security incident occurs, it brings huge losses to the enterprise and the country.
Although there are various kinds of security device protection in computer network architecture, due to the openness of network architecture, the security of network devices and data becomes an important issue affecting the normal operation of network. In the face of various information vulnerabilities and security threats, no network security device can completely and independently guarantee the security of an information system.
Aiming at the problems, an internal network and external network physical isolation method is adopted, so that a terminal user respectively accesses an internal network and an external network, and the internal network terminal and the external network terminal have no physical link, thereby ensuring the absolute safety of network information. The physical isolation of the internal network and the external network can be used as an important link in an information security guarantee system, and is the most safe and effective method for solving the problem that a secret-related network and a public network are isolated from each other and avoiding information leakage at present.
The traditional scheme of physical isolation of the internal network and the external network is to use two computers which are respectively connected into the internal network and the external network, and the two computers are not physically connected, so that the isolation of the internal network and the external network is ensured. Two hard disks are used on one computer, one hard disk is used when being accessed to an intranet, the other hard disk is used when being accessed to an extranet, different hard disk modes are started through an isolation card for physical isolation, and the intranet or the extranet is selected through manual switching on the isolation card.
Although the two methods can ensure the physical isolation of the internal network and the external network, both have certain defects. Firstly, the scheme of using two computers increases equipment, improves cost and causes resource waste. Secondly, the network interface of the existing isolation card cannot identify the intranet or the extranet, and the network cable of the computer is mistakenly plugged, so that the extranet is accessed to the intranet hard disk, and the isolation fails.
Disclosure of Invention
In order to solve the problems, the invention provides a novel system capable of realizing the isolation of an internal network and an external network, wherein the isolation and the flexible switching of the internal network and the external network are realized by arranging two hard disks on a computer and additionally arranging an isolation device between the computer and the internal network and the external network.
The invention adopts the following technical scheme: an internal and external network isolation system comprises a computer which can be connected with an internal network and an external network simultaneously, and the system also comprises an isolation device, wherein the computer is connected with the internal network and the external network through the isolation device; the isolating device comprises a CPU, an exchange chip and an internal and external network switch, wherein the CPU is respectively connected with the exchange chip and the internal and external network switch, and the exchange chip is provided with a plurality of ports which are respectively connected with the CPU, the computer, the internal network and the external network.
Furthermore, the switch chip is connected through PHYs to the internal network, the external network and the internal and external network ports of the computer.
Further, a port of the switch chip is an SGMII interface.
Furthermore, the computer isolation device is connected with two hard disks, an internal network hard disk and an external network hard disk, used for internal network and external network storage respectively; both hard disks are also connected to the computer.
Furthermore, the isolating device is also provided with a power module, which comprises a power chip and a power interface which are connected in sequence and is used for providing power for the isolating device and the hard disk.
The invention not only realizes physical isolation of the internal and external networks, but also prevents the computer from being started into the wrong system when a network cable is plugged into the wrong interface, so that internal enterprise information is never transmitted on the external network and enterprise information is protected.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a block diagram of an intranet and extranet isolation system according to an embodiment of the present invention;
FIG. 2 is a diagram of the isolation device in an intranet and extranet isolation system according to an embodiment;
FIG. 3 is a schematic diagram of the boot process of the intranet and extranet isolation system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The internal and external network isolation system provided by this embodiment, as shown in fig. 1, includes a computer capable of connecting an internal network and an external network simultaneously, and the system further includes an isolation device, through which the computer connects the internal network and the external network. The isolating device comprises a CPU, an exchange chip and an internal and external network switch, wherein the CPU is respectively connected with the exchange chip and the internal and external network switch, the exchange chip is provided with a plurality of network interfaces which are respectively connected with the CPU, the internal and external network ports of the computer, the internal network and the external network.
The CPU is the core component of the isolation device: it configures the device's internal chips, receives the start-mode command, outputs the hard disk power signal corresponding to the selected network, verifies the network communication state through the IP address bound to the CPU network interface, judges whether the connected network is the correct one, and controls the hard disk power state.
In this embodiment, isolation between the internal network and the external network is achieved by adding an isolation device to the computer. The isolation device may take the form of a board card installed inside the computer, or it may be an independent device connected to the computer through a network cable. The network system the computer boots into is selected through the internal and external network selector switch: the intranet start system, the extranet start system, or a start with no network.
Usually, the switch chip is connected to the intranet and the extranet and the intranet and extranet ports of the computer through PHY. Preferably, the port of the switching chip is an SGMII interface.
In some embodiments, the computer isolation device is connected with two hard disks, namely an internal network hard disk and an external network hard disk, which are used for internal network and external network storage; the two hard disks are connected to the computer at the same time, as shown in fig. 2. The hard disk and the computer can be connected through a data line, and can also be integrated in a case of the computer.
In this case, the power module in the isolation device includes a power chip and a power interface, connected in sequence, which supply power to the isolation device and the hard disks. The power interface comprises the input power supply of the isolation device and the output power supply of the hard disks: the isolation device is powered from the computer's power supply through a large 4-pin (4P) power connector, a power conversion chip on the board produces the voltages required by the on-board chips, and the hard disk interface power is output through a switch circuit. The control signal of the switch circuit is provided by the CPU, which combines the network state and the system start mode to output the appropriate control signal for the corresponding hard disk power supply.
The work flow of the intranet and extranet isolation system of the present embodiment is shown in fig. 3.
First, the network system to boot into is selected through the internal and external network selector switch: the intranet start system, the extranet start system, or the no-network start system.
If the intranet system is selected, the intranet network cable is plugged into the intranet interface of the isolation device. The intranet physical-layer chip (PHY) connects through the switch chip to a CPU network port, to which an intranet IP address is bound. The CPU matches the connected network against the IP bound to that port: if port communication is normal, the connected network is judged to be the intranet, the intranet hard disk control signal is output and the intranet hard disk is started. If port communication is abnormal, the connected network is judged not to be the intranet, and the hard disk power supply is not switched on.
If the extranet system is selected, the extranet network cable is plugged into the extranet interface of the isolation device. The extranet physical-layer chip (PHY) connects through the switch chip to a CPU network port, to which an extranet IP address is bound. The CPU matches the connected network against the IP bound to that port: if port communication is normal, the connected network is judged to be the extranet, the extranet hard disk control signal is output and the extranet hard disk is started. If port communication is abnormal, the connected network is judged not to be the extranet, and the hard disk power supply is not switched on.
Therefore, the network-free system, the internal network system and the external network system can be started through the selection of the internal and external network selector switch. The intranet system is started, the CPU outputs an intranet hard disk power switch signal, the extranet system is started, and the CPU outputs an extranet hard disk power switch signal.
The CPU, the intranet, the extranet and the computer's network ports communicate through the switch chip. Two network ports are configured on the CPU, corresponding to the intranet and the extranet respectively, and each is connected to the switch chip. The intranet, the extranet and the computer's network interface each connect to the switch chip through a PHY chip. The CPU intranet interface, the intranet port and the computer's intranet network interface can be placed in one VLAN, and the CPU extranet interface, the extranet port and the computer's extranet network interface can be placed in another VLAN.
Physical isolation of the intranet and the extranet protects internal information. The technical scheme of this embodiment saves equipment cost for the enterprise and avoids wasting resources, and because the intranet and the extranet are switched on the same computer, work efficiency is improved. The isolation device automatically identifies the intranet and the extranet and checks their communication state, which improves the reliability and safety of the system and prevents the information leak that would result from the wrong system hard disk being started after a network cable is mis-plugged. At the same time, it prevents the intranet hard disk system from being accessed during work in a way that threatens information security.
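The boot decision described in the work flow above (select a mode on the selector switch, bind the CPU port to that network's IP, verify which network actually answers on the connected cable, and power only the matching hard disk) and the VLAN layout described in this paragraph can be modelled in a few lines. The following is an added example written for this page, not code from the patent or its applicant; the subnets, port labels and VLAN ids are constructed assumptions, and the "which host answers" probe is simulated by passing the responder's IP address directly.

```python
"""
Added example (not from the patent): a software model of the isolation
device's boot decision and of the switch-chip VLAN layout that keeps the
intranet-side and extranet-side ports apart. All addresses, port labels and
VLAN ids below are constructed assumptions.
"""
import ipaddress
from enum import Enum


class Mode(Enum):
    """Position of the internal/external network selector switch."""
    NONE = "no network"
    INTRANET = "intranet"
    EXTRANET = "extranet"


# Subnets assumed to be bound to the CPU's intranet and extranet ports.
INTRANET_NET = ipaddress.ip_network("10.0.0.0/24")      # constructed
EXTRANET_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed


def network_matches(mode, responder_ip):
    """Model of the CPU's check: the port bound to the selected network only
    counts as 'communicating normally' if the host that answers on the
    connected cable belongs to that network's subnet. No answer (None) or an
    answer from the other subnet means the cable is on the wrong network."""
    if responder_ip is None or mode is Mode.NONE:
        return False
    expected = INTRANET_NET if mode is Mode.INTRANET else EXTRANET_NET
    return ipaddress.ip_address(responder_ip) in expected


def decide_hdd_power(mode, responder_ip):
    """Return (intranet_hdd_on, extranet_hdd_on) as the CPU would drive the
    two hard disk power switches. Both stay off unless the selected network
    verified correctly, so a mis-plugged cable never powers a disk."""
    if mode is Mode.NONE:
        return (False, False)
    ok = network_matches(mode, responder_ip)
    if mode is Mode.INTRANET:
        return (ok, False)
    return (False, ok)


# Switch-chip port labels (constructed) and the VLAN layout from the text:
# CPU intranet port, intranet PHY and the computer's intranet port in one
# VLAN; the three extranet-side ports in another.
INTRANET_PORTS = frozenset({"cpu_int", "phy_int", "host_int"})
EXTRANET_PORTS = frozenset({"cpu_ext", "phy_ext", "host_ext"})
VLANS = {10: INTRANET_PORTS, 20: EXTRANET_PORTS}


def vlan_isolation_ok(vlans):
    """True if no VLAN carries both an intranet-side and an extranet-side
    port, and every port is assigned to exactly one VLAN."""
    seen = set()
    for ports in vlans.values():
        if ports & INTRANET_PORTS and ports & EXTRANET_PORTS:
            return False
        if seen & ports:
            return False
        seen |= ports
    return seen == INTRANET_PORTS | EXTRANET_PORTS


if __name__ == "__main__":
    # Constructed scenarios: correct cabling, and the mis-plug the patent
    # aims to prevent (switch set to intranet, extranet cable plugged in).
    print(decide_hdd_power(Mode.INTRANET, "10.0.0.1"))       # (True, False)
    print(decide_hdd_power(Mode.INTRANET, "192.168.1.1"))    # (False, False)
    print(decide_hdd_power(Mode.EXTRANET, "192.168.1.1"))    # (False, True)
    print(vlan_isolation_ok(VLANS))                          # True
```

The point the model makes explicit is the fail-closed default: a selector position alone never powers a disk, only a selector position plus a successful match of the bound IP against the network that actually answers, which is why a mis-plugged cable leaves both disks off rather than exposing the intranet disk to the extranet.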
The technical means disclosed in the invention scheme are not limited to the technical means disclosed in the above embodiments, but also include the technical scheme formed by any combination of the above technical features.

Claims (5)

1. An internal and external network isolation system is characterized by comprising a computer which can be connected with an internal network and an external network simultaneously, and an isolation device, wherein the computer is connected with the internal network and the external network through the isolation device; the isolating device comprises a CPU, an exchange chip and an internal and external network switch, wherein the CPU is respectively connected with the exchange chip and the internal and external network switch, and the exchange chip is provided with a plurality of ports which are respectively connected with the CPU, the computer, the internal network and the external network.
2. The intranet and extranet isolation system of claim 1, wherein the switch chip is connected to the intranet, extranet and computer intranet and extranet ports through PHY.
3. The intranet and extranet isolation system of claim 1 or 2, wherein the port of the switch chip is an SGMII interface.
4. The intranet and extranet isolation system of claim 1, wherein the computer isolation device is connected with two hard disks, namely an intranet hard disk and an extranet hard disk, for intranet and extranet storage; and the hard disk is connected with the computer at the same time.
5. The intranet and extranet isolation system of claim 4, wherein the isolation device is further provided with a power module comprising a power chip and a power interface which are connected in sequence, and used for providing power for the isolation device and the hard disk.

Priority Applications (1)

Application Number: CN201911388860.6A; Priority Date: 2019-12-30; Filing Date: 2019-12-30; Title: Internal and external network isolation system

Publications (1)

Publication Number: CN111131280A; Publication Date: 2020-05-08

Family

ID=70504465

Family Applications (1)

Application Number: CN201911388860.6A; Title: Internal and external network isolation system; Priority Date: 2019-12-30; Filing Date: 2019-12-30; Status: Pending; Publication: CN111131280A (en)

Country Status (1)

CN (1): CN111131280A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
CN112351013A* (priority 2020-10-28, published 2021-02-09), 南京熊猫电子股份有限公司: Internal and external network isolation wired and wireless transmission equipment with industrial control machine control system
CN112422578A* (priority 2020-11-25, published 2021-02-26), 衡阳朗迈科技有限公司: Simple internal and external network data safe transmission switching device and method based on Internet of things

Patent Citations (6)

* Cited by examiner, † Cited by third party
CN1688129A* (priority 2005-04-18, published 2005-10-26), 梁雁文: Network isolating device based on PCI bus and its method
CN201608722U* (priority 2010-03-16, published 2010-10-13), 山东渔翁信息技术股份有限公司: Secure physical isolation device for network
CN202424768U* (priority 2011-11-04, published 2012-09-05), 杭州德道网络技术有限公司: Network safety isolator
US20160285913A1* (priority 2015-03-27, published 2016-09-29), International Business Machines Corporation: Creating network isolation between virtual machines
US20170164160A1* (priority 2015-07-28, published 2017-06-08), International Business Machines Corporation: Communicating with isolated mobile devices in indoor positioning systems
CN206619144U* (priority 2017-04-10, published 2017-11-07), 张庆栋: A kind of computer network security isolation card

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
王子, 徐澄宇: "Application of forward isolation devices in the power-sector information extranet" (正向隔离装置在电力信息外网中的应用), 《电脑开发与应用》 *

Legal Events

Code Title Description
PB01 Publication (Application publication date: 2020-05-08)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication