CN111404963A - Unidirectional transmission system and method based on virtualization technology - Google Patents


Info

Publication number: CN111404963A
Application number: CN202010228695.4A
Authority: CN (China)
Prior art keywords: data, virtualization, terminal, virtualization terminal, server
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 王在学
Current assignee: Ji'nan Cheng Fang Network Technology Co ltd
Original assignee: Ji'nan Cheng Fang Network Technology Co ltd
Priority date: 2020-03-27
Filing date: 2020-03-27
Publication date: 2020-07-10

Events:
2020-03-27: Application filed by Ji'nan Cheng Fang Network Technology Co ltd
2020-03-27: Priority to CN202010228695.4A
2020-07-10: Publication of CN111404963A
Current status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out-of-band channels

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a one-way transmission system and method based on virtualization technology. They address the problems that hardware devices such as optical network gates are expensive, prone to production and manufacturing monopolies, inconvenient to deploy in large numbers, and inefficient when data is transmitted packet by packet. The system comprises a dual network card server; a first virtualization terminal, bound to the first network card of the server and used to receive data input from the external network; a second virtualization terminal, bound to the second network card of the server and used to output data to the intranet; and a data ferry module that moves data between the first and second virtualization terminals. The system uses a general-purpose server, achieves one-way import from the external network into the intranet by means of virtualization technology, achieves secure isolation between the two networks, and improves data transmission performance.

Description

Unidirectional transmission system and method based on virtualization technology
Technical Field
The application relates to the technical field of intranet security protection, and in particular to a one-way transmission system and method based on virtualization technology.
Background
During cross-network transmission, an intranet system imports data from the external network through a unidirectional import system in order to keep the transfer secure.
At present, the industry generally uses hardware devices such as optical network gates or boundary systems as the one-way import system. Such a device connects two independent host systems while isolating them, so that no physical connection, no logical connection and no communication protocol exist between the two hosts, no information is exchanged according to a protocol, and only protocol-less ferrying of data files takes place, thereby protecting the hosts inside the intranet.
However, hardware devices such as optical network gates are expensive, tend to create production and manufacturing monopolies in practice, and are inconvenient to deploy in large numbers. Moreover, when data is transmitted packet by packet, traffic bottlenecks can cause the device to go down, which reduces data transmission efficiency.
Disclosure of Invention
The embodiments of the application provide a one-way transmission system and method based on virtualization technology, intended to solve the problems that hardware devices such as optical network gates are expensive, prone to production and manufacturing monopolies, inconvenient to deploy widely, and inefficient when data is transmitted packet by packet.
An embodiment of the present application provides a unidirectional transmission system based on virtualization technology, comprising:
a dual network card server;
a first virtualization terminal, bound to a first network card in the server and used to receive data input from the external network;
a second virtualization terminal, bound to a second network card in the server and used to output data to the intranet;
and a data ferry module, used to move data between the first virtualization terminal and the second virtualization terminal.
In one example, the data ferry module is configured to move data of the first virtualization terminal to the second virtualization terminal in a single direction.
In one example, the first virtualization terminal is configured to receive data input from the external network via at least one of the following protocols: FTP, HTTP, SSH, mail protocol.
In one example, the data ferry module is further configured to verify content of the data received by the first virtualization terminal according to a preset data verification rule.
In one example, the data ferry module is further configured to filter data received by the first virtualization terminal according to a preset file size requirement.
In one example, the data ferry module is further configured to filter data received by the first virtualization terminal according to a preset data format requirement.
In one example, the data ferry module is further configured to delete data that fails screening or verification.
An embodiment of the application provides a unidirectional transmission method based on virtualization technology, applied to a dual network card server on which a first virtualization terminal and a second virtualization terminal have been constructed in advance; the method comprises the following steps:
the data ferry module determines the data input from the external network that was received by the first virtualization terminal;
moving the data to the first virtualized terminal;
and determining that the data is output to the intranet through the second virtualization terminal.
In one example, the method further comprises: determining the corresponding server-side service in the server according to the data transmission protocol used by the first virtualization terminal to receive the external network data.
In one example, before moving the data to the first virtualized terminal, the method further comprises: verifying the content of the external-network data received by the first virtualization terminal according to a preset data verification rule.
The embodiments of the application provide a unidirectional transmission system and method based on virtualization technology, which have at least the following beneficial effects:
Two virtualization terminals are built on the dual network card server and communicate with the external network and the intranet respectively through the two network cards, so that no physical or logical connection exists between the two virtualization terminals. All network connections that could potentially be used to attack the intranet are logically blocked, external attacks cannot directly intrude into and damage the intranet, and the security of the intranet is guaranteed.
The system achieves one-way data transmission between the two virtualization terminals through the data ferry module and avoids any physical connection between them; even if an attacker compromises the virtualization terminal connected to the external network, the attacker cannot go on to modify the logic of the data ferry module and thereby damage the intranet systems.
Compared with hardware devices such as optical network gates, the one-way transmission scheme is low in cost, has a short development cycle, can be brought online quickly, and is easy to deploy widely.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic structural diagram of a unidirectional transmission system based on a virtualization technology according to an embodiment of the present application;
fig. 2 is a flowchart of a unidirectional transmission method based on a virtualization technology according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 is a schematic structural diagram of a unidirectional transmission system based on virtualization technology according to an embodiment of the present application. The system mainly consists of a server 100. The server 100 is a dual network card server that includes a first network card 111 and a second network card 112; it further includes a data ferry module 130, a first virtualization terminal 121, and a second virtualization terminal 122.
Specifically, the server 100 may construct the first virtualization terminal 121 and the second virtualization terminal 122 in advance using virtualization technology, binding the first virtualization terminal 121 to the first network card 111 and the second virtualization terminal 122 to the second network card 112.
The first virtualization terminal 121 can interact with the external network through the first network card 111, and the second virtualization terminal 122 can interact with the internal network through the second network card 112. Thus, the server 100 can transfer data between the external network and the internal network through the two network cards and the two virtualization terminals.
Specifically, the server 100 may receive a data packet input from the external network through the first virtualization terminal 121, obtain the corresponding data, and output that data to the internal network through the second virtualization terminal 122.
The data ferry module 130 controls the first virtualization terminal 121 and the second virtualization terminal 122. In particular, it moves data between the two terminals by a cut-and-paste operation, so that the server 100 transfers data from the external network to the internal network.
In one embodiment, the data ferry module 130 can move data only in one direction, from the first virtualization terminal 121 (connected to the external network) to the second virtualization terminal 122 (connected to the internal network); it cannot move data from the second virtualization terminal 122 back to the first virtualization terminal 121.
In the embodiment of the application, two virtualization terminals are built on the dual network card server and communicate with the external network and the internal network respectively through the two network cards, so that no physical or logical connection exists between the two independent systems (namely the two virtualization terminals). All network connections that could potentially be used to attack the internal network are logically blocked, external attacks cannot directly intrude into and damage the internal network, and the security of the internal network is guaranteed.
The system achieves one-way data transmission between the two virtualization terminals through the data ferry module and avoids any physical connection between them; even if an attacker compromises the virtualization terminal connected to the external network, the attacker cannot go on to modify the logic of the data ferry module and thereby damage the internal network's systems.
Compared with hardware devices such as optical network gates, the one-way transmission scheme is low in cost, has a short development cycle, can be brought online quickly, and is easy to deploy widely.
In one embodiment, the first virtualization terminal 121, which is connected to the external network, may receive data from the external network through the File Transfer Protocol (FTP), the HyperText Transfer Protocol (HTTP), the Secure Shell protocol (SSH), a mail protocol, and the like. Likewise, the intranet may read data through the second network card 112 using FTP, HTTP, SSH, a mail protocol, etc.
Compared with a traditional optical network gate, which can only transmit data through FTP, the application supports a variety of data transmission protocols by constructing virtual terminals in the dual network card server. This makes it easier to receive external-network data, increases the flexibility of cross-network transmission, and helps adoption of the system.
In one embodiment, the server 100 may determine which server-side service must be pre-installed according to the data transmission protocol that the first virtualization terminal 121 uses to receive extranet data. For example, when data is transmitted through FTP, the corresponding server-side component providing the FTP service is required in the server; when data is transmitted through SSH, no corresponding server-side component needs to be installed; and so on.
In one embodiment, the data ferry module 130 may check the content of the data in the first virtualization terminal 121 against a preset data check rule. If the check passes, the data ferry module 130 may move the data to the second virtualization terminal 122; if it fails, the data ferry module 130 may decide not to move the data to the second virtualization terminal 122.
Specifically, the preset data verification rule may include: determining whether the data contains illegal or prohibited sensitive words according to a sensitive-word bank stored in a database; determining whether the data content matches a preset topic; and so on. The data verification rules can be configured flexibly as needed and are not limited by this application.
Verifying the data input from the external network in the data ferry module establishes the legality and compliance of that data, so that no illegal or prohibited content reaches the internal network, and a healthy internal network environment is maintained.
In an embodiment, the data ferry module 130 may filter the external-network data received by the first virtualization terminal 121 according to a preset file size requirement. If the data size meets the requirement, the data ferry module 130 may move the data to the second virtualization terminal 122; if it does not, the module may decide not to move the data to the second virtualization terminal 122. Screening by size standardizes the size of the data output to the intranet, improves transmission performance, and reduces the workload of the data ferry module.
In an embodiment, the data ferry module 130 may filter the external-network data received by the first virtualization terminal 121 according to a preset data format requirement. If the data format meets the requirement, the data ferry module 130 may move the data to the second virtualization terminal 122; if it does not, the module may decide not to move the data to the second virtualization terminal 122. The data format may include the doc format, the txt text format, and the like. Screening by format standardizes the formats output to the intranet, making it easier for the intranet to inspect and process the received data.
In one embodiment, the data ferry module 130 may delete data that fails screening or verification. Such data is unqualified; deleting it frees the storage space it occupies and improves the operating performance of the first virtualization terminal 121.
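The content check, the size and format screening, the deletion of rejected data, and the protocol-to-service lookup described above can be combined into a single ferry routine. The following Python code is an example added here, not code from the patent or its applicant. It models the two virtualization terminals as two directories, moves files only from the extranet side to the intranet side (the direction the system description gives), applies the three rules before each move, and deletes whatever fails. The rule values, the sensitive-word list, the sample files and the `INGRESS_SERVICE` table are constructed for illustration; only the FTP and SSH entries of that table come from the description.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Server-side service the dual-NIC host must provide for each ingress protocol.
# Only the two cases the description spells out are listed (FTP needs an FTP
# service; SSH needs none); anything else raises KeyError. Assumed values.
INGRESS_SERVICE = {"ftp": "ftp-service", "ssh": None}


def required_service(protocol):
    """Return the server-side service needed to receive data over `protocol`, or None."""
    return INGRESS_SERVICE[protocol.lower()]


@dataclass(frozen=True)
class FerryRules:
    """Preset rules applied before each move (values are constructed for the demo)."""
    max_bytes: int = 1024                        # preset file size requirement
    allowed_suffixes: tuple = (".txt", ".doc")   # preset data format requirement (suffix only)
    sensitive_words: tuple = ("forbidden",)      # stand-in for the sensitive-word bank


@dataclass
class FerryReport:
    moved: list = field(default_factory=list)    # files moved to the intranet terminal
    deleted: dict = field(default_factory=dict)  # file -> rule that rejected it


class DataFerry:
    """One-way ferry: it reads the extranet directory and writes the intranet
    directory, and never reads the intranet directory, so no reverse path exists."""

    def __init__(self, extranet_dir, intranet_dir, rules=FerryRules()):
        self.extranet_dir = extranet_dir
        self.intranet_dir = intranet_dir
        self.rules = rules

    def check(self, path):
        """Return None if the file passes every rule, otherwise the first failing rule."""
        r = self.rules
        if os.path.getsize(path) > r.max_bytes:   # size first: bounds the read below
            return "size"
        if not path.lower().endswith(r.allowed_suffixes):
            return "format"
        with open(path, "rb") as f:
            body = f.read().lower()
        if any(w.encode() in body for w in r.sensitive_words):
            return "content"
        return None

    def ferry(self):
        """Move every accepted file extranet -> intranet (cut and paste); delete the rest."""
        report = FerryReport()
        for name in sorted(os.listdir(self.extranet_dir)):
            src = os.path.join(self.extranet_dir, name)
            if not os.path.isfile(src):
                continue
            reason = self.check(src)
            if reason is None:
                shutil.move(src, os.path.join(self.intranet_dir, name))
                report.moved.append(name)
            else:
                os.remove(src)                    # rejected data is deleted, not retained
                report.deleted[name] = reason
        return report


def demo():
    """Run the ferry over constructed sample files.
    Returns (report, names left on the extranet side, names landed on the intranet side)."""
    ext = tempfile.mkdtemp(prefix="extranet_")
    intr = tempfile.mkdtemp(prefix="intranet_")
    samples = {                                   # constructed files "received" over the extranet NIC
        "report.txt": b"quarterly figures",
        "notes.doc": b"draft containing a FORBIDDEN word",
        "tool.exe": b"MZ not an allowed format",
        "big.txt": b"x" * 4096,
    }
    for name, body in samples.items():
        with open(os.path.join(ext, name), "wb") as f:
            f.write(body)
    try:
        report = DataFerry(ext, intr).ferry()
        return report, sorted(os.listdir(ext)), sorted(os.listdir(intr))
    finally:
        shutil.rmtree(ext)
        shutil.rmtree(intr)


if __name__ == "__main__":
    rep, left, landed = demo()
    print("moved:", rep.moved, "deleted:", rep.deleted, "landed:", landed)
```

The size rule runs first so that the content scan never reads an oversized file. The format rule here only inspects the file suffix, which is what the description's "doc format, txt text format" suggests; a production ferry would also confirm the format from the file's actual structure, since a suffix is chosen by the sender. Note that the class exposes nothing that reads the intranet directory, which is the code-level counterpart of the one-direction property claimed for the ferry module.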
Based on the same inventive concept, the embodiment of the present application also provides a unidirectional transmission method based on virtualization technology that corresponds to the system above, as shown in Fig. 2.
Fig. 2 is a schematic flowchart of a unidirectional transmission method based on virtualization technology according to an embodiment of the present application, which includes the following steps:
S201: The data ferry module determines the data input from the external network and received by the first virtualization terminal.
S202: The data is moved to the first virtualized terminal.
S203: It is determined that the data is output to the intranet through the second virtualization terminal.
In an embodiment, the server may further determine the corresponding server-side service according to the data transmission protocol used by the first virtualization terminal to receive the extranet data.
In an embodiment, the data ferry module of the server may further check the content of the external-network data received by the first virtualization terminal according to a preset data check rule.
Since the system and the method provided by the embodiments of the application correspond to each other, the method has the same beneficial technical effects as the system; the specific scheme and its beneficial effects have been explained in detail above and are not repeated here.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A unidirectional transmission system based on virtualization technology, comprising:
a dual network card server;
a first virtualization terminal, bound to a first network card in the server and used to receive data input from the external network;
a second virtualization terminal, bound to a second network card in the server and used to output data to the intranet;
and a data ferry module, used to move data between the first virtualization terminal and the second virtualization terminal.
2. The system of claim 1, wherein the data ferry module is configured to move data of the first virtualization terminal to the second virtualization terminal in a single direction.
3. The system of claim 1, wherein the first virtualization terminal is configured to receive data incoming from the external network via at least one of the following protocols: FTP, HTTP, SSH, mail protocol.
4. The system according to claim 1, wherein the data ferry module is further configured to check content of the data received by the first virtualization terminal according to a preset data check rule.
5. The system of claim 1, wherein the data ferry module is further configured to filter data received by the first virtualization terminal according to a preset file size requirement.
6. The system of claim 1, wherein the data ferry module is further configured to filter data received by the first virtualization terminal according to a preset data format requirement.
7. The system of any one of claims 4, 5, or 6, wherein the data ferry module is further configured to delete data that fails screening or verification.
8. A unidirectional transmission method based on virtualization technology, applied to the system of any one of claims 1 to 7, wherein a dual network card server with a first virtualization terminal and a second virtualization terminal is constructed in advance, the method comprising:
the data ferry module determines the data input from the external network that was received by the first virtualization terminal;
moving the data to the first virtualized terminal;
and determining that the data is output to the intranet through the second virtualization terminal.
9. The method of claim 8, further comprising:
determining a corresponding server-side service in the server according to the data transmission protocol used by the first virtualization terminal to receive the external network data.
10. The system of claim 1, wherein prior to moving the data to the first virtualized terminal, the method further comprises:
verifying the content of the external-network data received by the first virtualization terminal according to a preset data verification rule.

Priority Applications (1)

Application number: CN202010228695.4A (published as CN111404963A, en)
Priority date: 2020-03-27
Filing date: 2020-03-27
Title: Unidirectional transmission system and method based on virtualization technology

Applications Claiming Priority (1)

Application number: CN202010228695.4A (published as CN111404963A, en)
Priority date: 2020-03-27
Filing date: 2020-03-27
Title: Unidirectional transmission system and method based on virtualization technology

Publications (1)

Publication number: CN111404963A (en)
Publication date: 2020-07-10

Family

ID=71432925

Family Applications (1)

Application number: CN202010228695.4A (Pending; published as CN111404963A, en)
Priority date: 2020-03-27
Filing date: 2020-03-27
Title: Unidirectional transmission system and method based on virtualization technology

Country Status (1)

CN (1): CN111404963A (en)

Citations (3)

* Cited by examiner, † Cited by third party
CN102263702A (en) * — priority date 2011-08-26, publication date 2011-11-30, assignee 郝晓力: Inter-network data switching system and inter-network data switch thereof
CN102938761A (en) * — priority date 2012-10-22, publication date 2013-02-20, assignee 苏州互盟信息存储技术有限公司: One-way data exchange device and method for physical isolation among networks at different security levels
CN109768923A (en) * — priority date 2018-12-26, publication date 2019-05-17, assignee 浪潮软件集团有限公司: A security-isolation unidirectional gateway and method

Similar Documents

Publication Publication Date Title
CN111352889B (en) Equipment management method, equipment, device and medium based on MCTP (Multi-port technology protocol)
CN101867417B (en) Unidirectional transmission method based on optical fiber multi-way coupling
CN111556136A (en) Data interaction method between internal containers of power edge Internet of things agent
CN109768970A (en) A generation method based on a configurable generic protocol
CN110741573A (en) Method and system for selectively propagating transactions using network coding in a blockchain network
CN114124929B (en) Cross-network data processing method and device
CN109862039B (en) Cross-network isolation one-way introduction system and data introduction method based on radio frequency technology
CN104216761A (en) Method for using shared device in device capable of operating two operation systems
CN105141603A (en) Communication data transmission method and system
CN113259268A (en) Network port and serial port data forwarding gateway and method supporting redundancy architecture
CN115639954A (en) Data transmission method, device, equipment and medium
CN107040613A (en) A kind of message transmitting method and system
US20120041998A1 (en) Network Interface for Accelerating XML Processing
CN101272396A (en) Direct access type small-volume network memory device and network storage method
CN100508653C (en) Method and system for radio terminal wire accessing interconnected network
CN100353330C (en) Disk mirroring method based on IP network
CN111404963A (en) Unidirectional transmission system and method based on virtualization technology
CN108289117B (en) Multi-party access system based on FPGA and processing method
CN113872826B (en) Network card port stability testing method, system, terminal and storage medium
WO2022111326A9 (en) Data transmission method and apparatus, electronic device and storage medium
CN112532603B (en) Cross-domain file exchange leading-in device and method based on exchange authorization file
CN102089750B (en) System to connect a serial SCSI array controller to a storage area network
CN114116574A (en) Data transmission method and device, electronic equipment and storage medium
CN103118023B (en) A kind of method and system of the data of transmission specification in a network
EP3631640B1 (en) Communication between field programmable gate arrays

Legal Events

Code / Title:
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200710