CN111818057A - Relay distribution transmission system and method for network configuration data - Google Patents

Relay distribution transmission system and method for network configuration data

Info

Publication number
CN111818057A
Authority
CN
China
Prior art keywords
subsystem
interconnection
configuration data
arbitration
security
Legal status (Google's assumption, not a legal conclusion): Granted
Application number
CN202010658242.5A
Other languages
Chinese (zh)
Other versions
CN111818057B (en)
Inventor
陶源
胡巍
李末岩
Current assignee (as listed by Google, not verified): Third Research Institute of the Ministry of Public Security
Original assignee: Third Research Institute of the Ministry of Public Security
Legal events: application filed by Third Research Institute of the Ministry of Public Security; priority to CN202010658242.5A; publication of CN111818057A; application granted; publication of CN111818057B; legal status: active.

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 ... for separating internal from external traffic, e.g. firewalls
    • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 ... for authentication of entities
    • H04L 63/0823 ... for authentication of entities using certificates
    • H04L 63/083 ... for authentication of entities using passwords
    • H04L 63/10 ... for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received data contents, e.g. message integrity
    • H04L 63/20 ... for managing network security; network security policies in general
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/08 Protocols for interworking; Protocol conversion

Abstract

The invention discloses a relay distribution transmission system and method for network configuration data. In the scheme, a centralized security management center is connected to the arbitration subsystem of a two-system security interconnection device. Configuration data for the arbitration subsystem is issued directly by the centralized security management center. The centralized security management center has no direct data path to the transmission subsystem: configuration data for the transmission subsystem is issued by the centralized security management center to the arbitration subsystem, which relays it to the transmission subsystem through the internal isolation transmission subsystem. The scheme effectively improves the security of the transmission subsystem's configuration data.

Description

Relay distribution transmission system and method for network configuration data
Technical Field
The invention relates to network security technology, in particular to network isolation and the interconnection of security domains of different levels.
Background
Governments, enterprises and organizations typically separate their basic information/business networks from their important information/business networks in order to protect the important networks and internal data, but this also creates "information islands".
As informatization deepens, achieving interconnection and information sharing between networks of different levels has become an important subject of development, and it places higher demands on the security of cross-level network interconnection.
However, in the prior art, simply deploying devices such as firewalls and security gateways at the network boundary between systems of different levels cannot effectively solve the security problem of network interconnection: the internal and external networks and their information are not effectively isolated, and necessary access control measures are lacking during network transmission, so internal systems and data are easily damaged by security threats.
Disclosure of Invention
To address these problems of interconnecting systems of different levels, the invention aims to provide a network configuration data relay distribution transmission system, and a method based on it, that ensures the security of configuration data during resource access.
To this end, the invention provides a network configuration data relay distribution transmission system comprising a two-system security interconnection device and a centralized security management center;
the two-system security interconnection device comprises an interconnection arbitration system, an interconnection subsystem and an internal isolation transmission subsystem;
the interconnection arbitration system arbitrates whether interconnection access may proceed according to the security labels of the subject and the object; a subject with trust-checking capability is introduced into the system, and checking this subject dynamically adjusts the object, so that system integrity is ensured by trust identification and constraint conditions while system confidentiality is preserved;
the interconnection subsystem, combined with trusted computing, uses a whitelist mechanism to establish a communication path between the security mechanisms that meets the security requirements;
the internal isolation transmission subsystem performs trusted authentication after the two interconnected parties have successfully verified each other, and the two parties establish an encrypted transmission mode after authentication passes;
the centralized security management center formulates security labels for objects and subjects (natural persons, security protection equipment, and key processes and modules in the application system), converts the object and subject information of the application system according to a conversion rule and synchronizes it into the two-system security interconnection device, and the two-system security interconnection device enforces mandatory access control according to the labels.
Furthermore, the centralized security management center comprises a background management page module, a data storage module and a client agent module;
the background management page module is used to manage and configure the centralized security management center;
the data storage module determines the security level of every object resource in the system according to the requirements of the business system and the importance of the resource, and generates a global object label list; it also determines each subject's security label according to the user's permissions and role in the business system, and generates a global subject label list;
the client agent module generates and executes subject-related policies as required by the centralized security management center, executing the relevant policies at the corresponding computing nodes.
Furthermore, the interconnection arbitration system comprises a configuration data submodule, an information encapsulation submodule, an audit submodule and a protocol conversion submodule;
the configuration data submodule performs identity management, label management, authorization management and policy management for all subjects and objects;
the information encapsulation submodule determines the identities, work keys, certificates and other security-related content of all legitimate users in the system;
the audit submodule records the arbitration results of security mechanisms such as identity authentication and access control;
and the protocol conversion submodule establishes the corresponding encrypted transmission mode according to the communication security mechanism adopted.
Further, the interconnection subsystem comprises an information encapsulation submodule and a protocol conversion submodule;
the information encapsulation submodule determines the identities, work keys, certificates and other security-related content of all legitimate users in the system;
and the protocol conversion submodule establishes the corresponding encrypted transmission mode according to the communication security mechanism adopted and the user identities, work keys, certificates and other security-related content supplied by the information encapsulation submodule.
Furthermore, the internal isolation transmission subsystem consists of an external agent module, an internal agent module and an isolation component. The external agent module is connected to the external information system and provides proxy service for the interconnection of the external information system with the internal information system; the internal agent module is connected to the internal information system and provides proxy service for the interconnection of the internal information system with the external information system; the isolation component is connected to both the internal and the external agent module and enforces policy for the interconnection of the two information systems.
To the same end, the invention provides a network configuration data relay distribution transmission method comprising:
(1) when the centralized security management center issues configuration data for the arbitration subsystem, it interacts directly with the arbitration subsystem to issue the configuration data;
(2) when the centralized security management center issues configuration data for the interconnection subsystem, it interacts with the arbitration subsystem and issues the interconnection subsystem's configuration data to the arbitration subsystem; after receiving it, the arbitration subsystem issues the configuration data to the interconnection subsystem through the internal isolation transmission subsystem;
(3) when the centralized security management center issues configuration data for the arbitration subsystem and the interconnection subsystem at the same time, it interacts with the arbitration subsystem and issues both sets of configuration data to the arbitration subsystem; the arbitration subsystem identifies the type of each item of configuration data, processes its own configuration data directly, and issues the interconnection subsystem's configuration data to the interconnection subsystem through the internal isolation transmission subsystem.
With this relay distribution transmission scheme, the configuration data of the interconnection subsystem of the two-system security interconnection device is guaranteed to be distributed through the isolation transmission subsystem, which improves the security of the transmission subsystem's configuration data.
In the scheme, the centralized security management center is connected to the arbitration subsystem of the two-system security interconnection device. Configuration data for the arbitration subsystem is issued directly by the centralized security management center. The centralized security management center has no direct data path to the transmission subsystem (that is, the interconnection subsystem); configuration data for the transmission subsystem is issued by the centralized security management center to the arbitration subsystem, which relays it to the transmission subsystem through the internal isolation transmission subsystem.
Drawings
The invention is further described below with reference to the appended drawings and the detailed description.
Fig. 1 is a schematic diagram of a network configuration data relay distribution transmission system according to an embodiment of the invention;
Fig. 2 is a schematic diagram of a centralized security management center according to an embodiment of the invention;
Fig. 3 is a schematic diagram of a two-system security interconnection device according to an embodiment of the invention.
Detailed Description
To make the technical means, features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to the drawings.
The embodiment takes as its starting point access control over data exchange between networks of different security levels (a low security domain and a high security domain), and builds an effective and secure system configuration mechanism to ensure the security of user configuration during resource access.
Fig. 1 shows a configuration example of a network configuration data relay distribution transmission system built according to this embodiment.
The system consists of a two-system security interconnection device cooperating with a centralized security management center. The two-system security interconnection device establishes a strict communication security mechanism (such as one-way or two-way information flow) between two information systems (such as an internal and an external information system) and constructs a corresponding encrypted transmission mode (such as HTTPS, SFTP or IPsec) according to that mechanism, so that security functions cannot be bypassed or tampered with.
The centralized security management center formulates security labels for objects and subjects (natural persons, security protection equipment, and key processes and modules in the application system), converts the object and subject information of the application system according to a conversion rule and synchronizes it into the two-system security interconnection device, and the two-system security interconnection device enforces mandatory access control according to the labels.
Specifically, as shown in Fig. 2, the centralized security management center consists of a Browser module, a DB Base module and a management Agent module working together, and implements system management, security management and audit management.
By way of example, system management establishes the security labels of subjects and objects for natural persons, security devices, and key processes and modules in the application system.
Security management mainly converts the subject and object information of the application system according to a conversion rule and synchronizes it into the deployed two-system security interconnection device.
Audit management mainly records the arbitration results of security mechanisms such as identity authentication and access control; each record contains the event time, type and operation content, so that the audit trail is trustworthy across both systems and resists tampering.
The Browser module of the centralized security management center is its background management page module and is used to manage and configure the centralized security management center.
The DB Base module of the centralized security management center is its data storage module. It determines the security level of every object resource in the system according to the requirements of the business system and the importance of the resource, and generates a global object label list; it also determines each subject's security label according to the user's permissions and role in the business system, and generates a global subject label list.
The management Agent module of the centralized security management center is its client agent. It generates and executes subject-related policies as required by the centralized security management center, including the mandatory access control policy and the level change policy, and executes related policies such as file access control policies, network access control policies, regional boundary filtering policies and firewall rules at the corresponding computing nodes.
As shown in Fig. 3, the two-system security interconnection device consists of an interconnection arbitration system, an interconnection subsystem and an internal isolation transmission subsystem, and thereby implements network security isolation, data verification and auditing of interconnection behaviour.
The interconnection arbitration system arbitrates whether interconnection access may proceed according to the security labels of the subject and the object. A subject with trust-checking capability is introduced into the system, and checking this subject dynamically adjusts the object, so that system integrity is protected by trust identification and constraint conditions while system confidentiality is preserved.
The interconnection subsystem, combined with trusted computing technology, uses a whitelist mechanism to establish a communication path between the security mechanisms that meets the security requirements.
The internal isolation transmission subsystem performs trusted authentication after the two interconnected parties have successfully verified each other, and establishes an encrypted transmission mode after authentication passes. It ensures the integrity and confidentiality of the data transmitted between the two communicating parties.
The two-system security interconnection device formed in this way eliminates interference between system components, establishes a strict interaction structure, and prevents security functions from being bypassed or tampered with. In operation, the interconnection arbitration system first determines whether the two information systems may be interconnected; the interconnection subsystem then determines which security mechanism governs communication between them (for example, unidirectional or bidirectional information flow); and the internal isolation transmission subsystem establishes the encrypted transmission mode (for example, HTTPS, SFTP or IPsec).
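The label-based arbitration step described above, as an added worked example that is not the patent's own code. It assumes a concrete label model (a level plus a category set, with a Bell-LaPadula style no-read-up / no-write-down rule) and constructed subject and object label lists; the patent states only that arbitration is decided from the subject and object labels, so the rule, the names and the "unidirectional"/"bidirectional" outcome mapping are assumptions. It also shows the audit submodule's record (event time, type, operation content, result) being written for every decision.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of categories (assumed model)."""
    level: int
    categories: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: higher-or-equal level and a superset of categories
        return self.level >= other.level and other.categories <= self.categories


# Constructed global subject/object label lists, standing in for what the
# DB Base module would generate and synchronize into the device.
SUBJECTS: Dict[str, Label] = {
    "analyst@ext":     Label(1, frozenset({"ops"})),
    "service.sync":    Label(2, frozenset({"ops"})),
    "case.worker@int": Label(3, frozenset({"ops"})),
    "auditor@int":     Label(3, frozenset({"ops", "audit"})),
}
OBJECTS: Dict[str, Label] = {
    "ext:ticket-feed": Label(1, frozenset({"ops"})),
    "int:case-db":     Label(3, frozenset({"ops"})),
    "int:audit-log":   Label(3, frozenset({"audit"})),
}

# Audit submodule record store: event time, type, operation content, result
AUDIT_LOG: List[dict] = []


def arbitrate(subject: str, obj: str, operation: str) -> str:
    """Arbitrate one interconnection request and name the mechanism to use.

    Returns "deny", "unidirectional" (information may flow one way only) or
    "bidirectional". The confidentiality rule is an assumption in the style of
    Bell-LaPadula: a read needs the subject to dominate the object (no read up),
    a write needs the object to dominate the subject (no write down), and a
    two-way session needs both, i.e. equal labels. Anything not on the label
    lists, and any unknown operation, is denied (fail closed, whitelist).
    """
    s, o = SUBJECTS.get(subject), OBJECTS.get(obj)
    if s is None or o is None:
        decision = "deny"
    elif operation == "read":
        decision = "unidirectional" if s.dominates(o) else "deny"
    elif operation == "write":
        decision = "unidirectional" if o.dominates(s) else "deny"
    elif operation == "read_write":
        decision = "bidirectional" if s.dominates(o) and o.dominates(s) else "deny"
    else:
        decision = "deny"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "type": "access_control",
        "operation": f"{subject} {operation} {obj}",
        "result": decision,
    })
    return decision


if __name__ == "__main__":
    for req in [("auditor@int", "ext:ticket-feed", "read"),
                ("analyst@ext", "int:case-db", "read"),
                ("analyst@ext", "int:case-db", "write"),
                ("case.worker@int", "int:case-db", "read_write"),
                ("intruder", "int:case-db", "read")]:
        print(req, "->", arbitrate(*req))
    print(AUDIT_LOG[-1])
```

Note that a low-domain subject writing into a high-domain object is allowed as a one-way flow (low to high), while a read in the other direction is denied; that asymmetry is what the page's "unidirectional information flow" mechanism corresponds to under this assumed rule.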
By way of example, the interconnection arbitration system in this embodiment comprises a configuration data submodule, an information encapsulation submodule, an audit submodule and a protocol conversion submodule.
The configuration data submodule of the interconnection arbitration system performs identity management, label management, authorization management and policy management for all subjects and objects.
The information encapsulation submodule of the interconnection arbitration system determines the security-related content of all legitimate users in the system, such as their identities, work keys and certificates.
The audit submodule of the interconnection arbitration system records the arbitration results of security mechanisms such as identity authentication and access control; each record contains the event time, type and operation content, so that the audit trail is trustworthy across both systems and resists tampering.
The protocol conversion submodule of the interconnection arbitration system establishes the corresponding encrypted transmission mode (for example, HTTPS, SFTP or IPsec) according to the communication security mechanism adopted (for example, unidirectional or bidirectional information flow).
Further, the interconnection subsystem in this embodiment comprises an information encapsulation submodule and a protocol conversion submodule.
The information encapsulation submodule of the interconnection subsystem determines the security-related content of all legitimate users in the system, such as their identities, work keys and certificates;
the protocol conversion submodule of the interconnection subsystem establishes the corresponding encrypted transmission mode (for example, HTTPS, SFTP or IPsec) according to the communication security mechanism adopted (for example, unidirectional or bidirectional information flow).
When the interconnection subsystem formed in this way runs, its protocol conversion submodule establishes the encrypted transmission mode (such as HTTPS, SFTP or IPsec) according to the user identities, work keys, certificates and other content supplied by the information encapsulation submodule.
Further, the internal isolation transmission subsystem in this embodiment performs trusted authentication after the two interconnected parties have successfully verified each other, and the two parties establish an encrypted transmission mode after authentication passes. It ensures the integrity and confidentiality of the data transmitted between the two communicating parties.
Specifically, the internal isolation transmission subsystem protects interconnection, intercommunication and interoperation between the two information systems: it ensures the authenticity of user identities, the security of operations and non-repudiation, strictly controls the direction of information flow according to the security policy, and ensures data security between the two information systems.
The internal isolation transmission subsystem consists of an external agent module, an internal agent module and an isolation component.
The external agent module is connected to the external information system and provides proxy service for the interconnection of the external information system with the internal information system;
the internal agent module is connected to the internal information system and provides proxy service for the interconnection of the internal information system with the external information system;
the isolation component is connected to both the internal and the external agent module and enforces policy for the interconnection of the two information systems.
In the resulting network configuration data relay distribution transmission system, the centralized security management center is connected to the arbitration subsystem of the two-system security interconnection device. Configuration data for the arbitration subsystem is issued directly by the centralized security management center. The centralized security management center has no direct data path to the interconnection subsystem; configuration data for the interconnection subsystem is issued by the centralized security management center to the arbitration subsystem, which relays it to the interconnection subsystem through the internal isolation transmission subsystem.
The operation of the network configuration data relay distribution transmission system is therefore as follows:
(1) when the centralized security management center issues configuration data for the arbitration subsystem, it interacts directly with the arbitration subsystem to issue the configuration data;
(2) when the centralized security management center issues configuration data for the interconnection subsystem, it interacts with the arbitration subsystem and issues the interconnection subsystem's configuration data to the arbitration subsystem; after receiving it, the arbitration subsystem issues the configuration data to the interconnection subsystem through the internal isolation transmission subsystem;
(3) when the centralized security management center issues configuration data for the arbitration subsystem and the interconnection subsystem at the same time, it interacts with the arbitration subsystem and issues both sets of configuration data to the arbitration subsystem; the arbitration subsystem identifies the type of each item of configuration data, processes its own configuration data directly, and issues the interconnection subsystem's configuration data to the interconnection subsystem through the internal isolation transmission subsystem.
The system thus guarantees that the configuration data of the interconnection subsystem of the two-system security interconnection device is relayed through the isolation transmission subsystem, which improves the security of the transmission subsystem's configuration data.
The following describes in detail, with reference to Fig. 1, how relay distribution and transmission of network configuration data is carried out on the basis of this system.
The relay distribution transmission of network configuration data proceeds as follows:
1) after obtaining the user configuration data, the configuration management module of the centralized security management center interacts with the configuration data submodule of the arbitration subsystem of the two-system security interconnection device;
2) the configuration data submodule receives the configuration data and analyses its type;
3) if the configuration data type is arbitration subsystem configuration, the configuration data submodule processes it directly and configures the arbitration system;
4) if the configuration data type is transmission subsystem configuration, the configuration data submodule re-encapsulates the configuration data (this is done by the information encapsulation submodule) and transmits it through its protocol conversion submodule to the protocol conversion submodule of the interconnection subsystem, which configures the interconnection subsystem after receiving it;
5) if the configuration data type is composite, that is, both arbitration configuration data and interconnection subsystem configuration data are present, the arbitration subsystem parses the configuration data, extracts the arbitration subsystem configuration data to configure itself, extracts and re-encapsulates the interconnection subsystem configuration data, and transmits it through its protocol conversion submodule to the protocol conversion submodule of the interconnection subsystem to configure the interconnection subsystem.
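The relay distribution procedure in steps 1) to 5) above (and the three cases of the method), as an added worked example that is not the patent's own code. The patent does not specify the message format, the re-encapsulation or the transport, so the following are assumptions: configuration messages are JSON-like dicts with a `type` field of `arbitration`, `interconnection` or `composite`; re-encapsulation by the information encapsulation submodule adds a sequence number and an HMAC-SHA256 tag under a constructed shared work key standing in for whatever the isolation subsystem negotiates after trusted authentication; the isolation component's policy is that only `config` envelopes whose source is the arbitration subsystem reach the transmission side. The structural point of the scheme is modelled directly: `ManagementCenter` holds a reference to `ArbitrationSubsystem` only, so there is no code path from the management center to `InterconnectionSubsystem`.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed shared work key (assumption): stands in for the key the isolation
# subsystem establishes after trusted authentication of the two parties.
WORK_KEY = b"constructed-work-key-shared-after-trusted-authentication"


def _tag(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class InterconnectionSubsystem:
    """Transmission side. Only reachable through the isolation channel."""

    def __init__(self, key: bytes):
        self.key, self.config, self.last_seq = key, {}, 0

    def receive(self, envelope: dict) -> bool:
        payload = envelope["payload"].encode()
        # The relayed configuration must carry a valid tag from the arbitration
        # subsystem and a fresh sequence number; otherwise it is not applied.
        if not hmac.compare_digest(_tag(self.key, payload), envelope["tag"]):
            return False
        body = json.loads(payload)
        if body["seq"] <= self.last_seq:      # replayed or reordered delivery
            return False
        self.last_seq = body["seq"]
        self.config.update(body["config"])
        return True


class IsolationChannel:
    """Isolation component between the internal and external agent modules.

    Policy execution (assumed rule): only configuration envelopes originating
    from the arbitration subsystem are passed to the transmission side."""

    def __init__(self, inner: InterconnectionSubsystem):
        self.inner = inner

    def forward(self, envelope: dict) -> bool:
        if envelope.get("source") != "arbitration" or envelope.get("kind") != "config":
            return False
        return self.inner.receive(envelope)


class ArbitrationSubsystem:
    TYPES = ("arbitration", "interconnection", "composite")

    def __init__(self, channel: IsolationChannel, key: bytes):
        self.channel, self.key, self.config, self.seq = channel, key, {}, 0

    def _encapsulate(self, cfg: dict) -> dict:
        """Information encapsulation submodule: wrap the transmission-side
        configuration with a sequence number and an authentication tag."""
        self.seq += 1
        payload = json.dumps({"seq": self.seq, "config": cfg}, sort_keys=True)
        return {"source": "arbitration", "kind": "config",
                "payload": payload, "tag": _tag(self.key, payload.encode())}

    def receive(self, msg: dict) -> Dict[str, Optional[bool]]:
        """Configuration data submodule: classify the message and dispatch it.
        Returns what was applied locally and whether the relay was accepted."""
        kind = msg.get("type")
        if kind not in self.TYPES:
            raise ValueError(f"unknown configuration type: {kind!r}")
        result: Dict[str, Optional[bool]] = {"arbitration": None, "interconnection": None}
        if kind in ("arbitration", "composite"):
            self.config.update(msg["arbitration"])   # processed directly
            result["arbitration"] = True
        if kind in ("interconnection", "composite"):
            env = self._encapsulate(msg["interconnection"])
            result["interconnection"] = self.channel.forward(env)
        return result


class ManagementCenter:
    """Holds a reference to the arbitration subsystem only: there is no
    attribute, socket or call path from here to InterconnectionSubsystem."""

    def __init__(self, arbitration: ArbitrationSubsystem):
        self.arbitration = arbitration

    def issue(self, msg: dict) -> Dict[str, Optional[bool]]:
        return self.arbitration.receive(msg)


def build_system():
    inner = InterconnectionSubsystem(WORK_KEY)
    channel = IsolationChannel(inner)
    arb = ArbitrationSubsystem(channel, WORK_KEY)
    return ManagementCenter(arb), arb, channel, inner


if __name__ == "__main__":
    mc, arb, channel, inner = build_system()
    print(mc.issue({"type": "arbitration", "arbitration": {"policy": "mac-v2"}}))
    print(mc.issue({"type": "composite", "arbitration": {"audit": True},
                    "interconnection": {"transport": "IPsec"}}))
    print(inner.config)
```

The two checks on the receiving side are what make the relay worth more than a plain forward: an envelope whose source is anything other than the arbitration subsystem is dropped by the isolation component before it is even parsed, and an envelope that is authentic but replayed (or modified after encapsulation) is rejected by the transmission side, so the configuration it carries is never applied.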
The foregoing shows and describes the general principles, essential features and advantages of the invention. Those skilled in the art will understand that the invention is not limited to the embodiments described above, which are given only to illustrate its principle; various changes and modifications may be made without departing from the spirit and scope of the invention, and these fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and their equivalents.

Claims (6)

1. A network configuration data relay distribution transmission system, comprising: a two-system security interconnection device and a centralized security management center;
the two-system security interconnection device comprises an interconnection arbitration system, an interconnection subsystem and an internal isolation transmission subsystem;
the interconnection arbitration system arbitrates, according to the security marks of the subject and the object, whether interconnection access may be carried out; a subject with trustworthiness checking capability is introduced into the system, and the subject is checked so that the object is dynamically adjusted, ensuring the integrity of the system by means of trust identification and constraint conditions while ensuring its confidentiality;
the interconnection subsystem, combined with trusted computing, adopts a whitelist mechanism to establish between the security mechanisms a communication path that meets the security requirements;
the internal isolation transmission subsystem carries out trusted authentication after the two interconnected parties have been successfully verified, and the two interconnected parties establish an encrypted transmission mode after the authentication passes;
the centralized security management center formulates security marks for the objects and subjects (natural persons, security protection equipment, key processes and modules in the application system), converts the object and subject information of the application system according to a set conversion rule and synchronizes it into the two-system security interconnection device, and the two-system security interconnection device enforces mandatory access control according to those marks.
2. The network configuration data relay distribution transmission system according to claim 1, wherein the centralized security management center comprises a background management page module, a data storage module and a client agent module;
the background management page module is used to manage and configure the centralized security management center;
the data storage module determines the security level of all object resources in the system according to the requirements of the service system and the importance of each object resource, and generates a global object mark list; it also determines the security mark of each subject according to the user's authority and role in the service system, and generates a global subject mark list;
the client agent module generates the subject-related policy according to the requirements of the centralized security management center and executes that policy at the corresponding computing node.
3. The network configuration data relay distribution transmission system according to claim 1, wherein the interconnection arbitration system comprises a configuration data submodule, an information encapsulation submodule, an audit submodule and a protocol conversion submodule;
the configuration data submodule performs identity management, mark management, authorization management and policy management for all subjects and objects;
the information encapsulation submodule determines the identity, working key, certificate and other security-related content of all legitimate users in the system;
the audit submodule records the arbitration results of security mechanisms such as identity authentication and access control;
and the protocol conversion submodule establishes a corresponding encrypted transmission mode according to the communication security mechanism adopted.
4. The network configuration data relay distribution transmission system according to claim 1, wherein the interconnection subsystem comprises an information encapsulation submodule and a protocol conversion submodule;
the information encapsulation submodule determines the identity, working key, certificate and other security-related content of all legitimate users in the system;
the protocol conversion submodule establishes a corresponding encrypted transmission mode according to the communication security mechanism adopted;
and the protocol conversion submodule establishes that encrypted transmission mode according to the user identity, working key, certificate and other security-related content held by the information encapsulation submodule.
5. The network configuration data relay distribution transmission system according to claim 1, wherein the internal isolation transmission subsystem is composed of an external agent module, an internal agent module and an isolation component; the external agent module is connected to the external information system and provides agent service for interconnecting the external information system with the internal information system; the internal agent module is connected to the internal information system and provides agent service for interconnecting the internal information system with the external information system; and the isolation component is connected to both the internal agent module and the external agent module and provides policy enforcement for the interconnection of the internal and external information systems.
6. A relay distribution transmission method for network configuration data, comprising the following steps:
(1) when the centralized management center issues arbitration system user configuration data, the centralized management center interacts directly with the arbitration subsystem to issue the configuration management data;
(2) when the centralized management center issues interconnection subsystem configuration data, the centralized management center interacts with the arbitration subsystem and issues the interconnection subsystem configuration data to the arbitration subsystem; after receiving it, the arbitration subsystem issues the interconnection subsystem configuration data to the interconnection subsystem through the internal isolation transmission subsystem;
(3) when the centralized management center issues arbitration system and interconnection subsystem configuration data at the same time, the centralized management center interacts with the arbitration subsystem and issues both the arbitration subsystem configuration data and the interconnection subsystem configuration data to the arbitration subsystem; the arbitration subsystem identifies the type of each configuration data item, processes the arbitration subsystem configuration data directly, and issues the interconnection subsystem configuration data to the interconnection subsystem through the internal isolation transmission subsystem.
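The three distribution cases of claim 6 (and steps 3 to 5 of the description), as an added illustration that is not part of the patent: the arbitration subsystem classifies each message from the centralized management center, applies its own part and re-encapsulates the rest for the interconnection subsystem, which accepts configuration only through that relay. The message layout, the field names, the HMAC tag standing in for the encrypted transmission mode, and all sample values are assumptions made for this example.

```python
import hashlib
import hmac
import json

ARBITRATION, INTERCONNECTION, COMPOSITE = "arbitration", "interconnection", "composite"

def seal(key: bytes, payload: dict) -> dict:
    # Information encapsulation submodule (modelled): wrap and authenticate the payload.
    body = json.dumps(payload, sort_keys=True).encode()
    return {"origin": "arbitration", "body": payload,
            "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

class InterconnectionSubsystem:
    # Accepts configuration only when it was re-encapsulated by the arbitration subsystem.
    def __init__(self, relay_key: bytes):
        self.relay_key, self.config = relay_key, {}
    def protocol_conversion_receive(self, envelope: dict) -> None:
        expected = seal(self.relay_key, envelope.get("body", {}))["tag"]
        if envelope.get("origin") != "arbitration" or not hmac.compare_digest(
                expected, envelope.get("tag", "")):
            raise PermissionError("configuration was not relayed by the arbitration subsystem")
        self.config.update(envelope["body"])

class ArbitrationSubsystem:
    # Configuration data submodule: classify the message, apply own part, relay the rest.
    def __init__(self, interconnection: InterconnectionSubsystem, relay_key: bytes):
        self.interconnection, self.relay_key, self.config = interconnection, relay_key, {}
    def receive_from_management_center(self, message: dict) -> str:
        kind, data = message["type"], message["data"]
        if kind == ARBITRATION:          # case (1): configure self directly
            self.config.update(data)
        elif kind == INTERCONNECTION:    # case (2): re-encapsulate and relay
            self._relay(data)
        elif kind == COMPOSITE:          # case (3): split, apply own part, relay the other
            self.config.update(data.get("arbitration", {}))
            self._relay(data.get("interconnection", {}))
        else:
            raise ValueError(f"unknown configuration type {kind!r}")
        return kind
    def _relay(self, payload: dict) -> None:
        # The internal isolation transmission subsystem is modelled as a direct call.
        self.interconnection.protocol_conversion_receive(seal(self.relay_key, payload))

def demo():
    key = b"constructed-demo-key"  # constructed sample key shared by the two subsystems
    arb = ArbitrationSubsystem(InterconnectionSubsystem(key), key)
    arb.receive_from_management_center({"type": COMPOSITE, "data": {
        "arbitration": {"default_policy": "deny"},
        "interconnection": {"whitelist": ["10.0.0.5"]}}})
    return arb.config, arb.interconnection.config
```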
CN202010658242.5A 2020-07-09 2020-07-09 Relay distribution transmission system and method for network configuration data Active CN111818057B (en)


Publications (2)

Publication Number Publication Date
CN111818057A true CN111818057A (en) 2020-10-23
CN111818057B CN111818057B (en) 2022-10-28

Family

ID=72842159


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5864683A (en) * 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
CN101534300A (en) * 2009-04-17 2009-09-16 公安部第一研究所 System protection framework combining multi-access control mechanism and method thereof
CN102255924A (en) * 2011-08-29 2011-11-23 浙江中烟工业有限责任公司 Multi-stage security interconnection platform based on trusted computing and processing flow thereof
CN102325134A (en) * 2011-08-29 2012-01-18 浙江中烟工业有限责任公司 The interconnected component subsystems of three system safety of the interconnected platform of multilevel security
CN202798788U (en) * 2012-03-26 2013-03-13 上海金电网安科技有限公司 Two-tiered networking device based on network isolation
CN106888191A (en) * 2015-12-16 2017-06-23 上海金电网安科技有限公司 Hierarchical protection multilevel security interacted system and its interconnected method



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant