CN111901418A - External terminal protection equipment and system based on one-way file transfer protocol - Google Patents


Info

Publication number: CN111901418A
Authority: CN (China)
Application number: CN202010736022.XA
Other languages: Chinese (zh)
Other versions: CN111901418B
Inventor: 褚峨维
Assignee (current and original): Beijing Zhongke Qilin Information Engineering Co Ltd
Legal status: Granted; active
Prior art keywords: data, module, file, stored, external

Classifications

    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • G06F 16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G06F 21/606 Protecting data by securing the transmission between two devices or processes
    • H04L 63/0876 Network security: authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/20 Network security: managing network security; network security policies in general
    • H04L 67/104 Peer-to-peer [P2P] networks
    • H04L 9/3247 Cryptographic mechanisms for message authentication, data integrity or verification of credentials involving digital signatures
    • G06F 2221/2107 File encryption
    • G06Q 40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • H04L 9/50 Cryptographic mechanisms using hash chains, e.g. blockchains or hash trees
    • Y04S 40/20 Smart grids: information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention discloses an external terminal protection device, and a system built around it, based on a unidirectional file transfer protocol. The device comprises a file monitoring module, which receives data to be stored from an external device and transmits it to a file output module over a one-way file transfer protocol, and a file output module, which outputs the data to be stored to the protected host according to a user instruction. The unidirectional file transfer protocol means that only the file monitoring module can transmit encrypted data to be stored to the file output module, and that the file monitoring module cannot transmit data to any device other than the file output module. The invention protects the protected host without installing security software on it, greatly reduces the security risk of the system, and comprehensively addresses the potential security hazards that each interface may introduce.

Description

External terminal protection equipment and system based on one-way file transfer protocol
Technical Field
The invention belongs to the technical field of computer security, and particularly relates to an external terminal protection device and system based on a one-way file transfer protocol.
Background
In recent years, computer and network technologies have developed rapidly, greatly promoting the spread of networks. While people increasingly enjoy the convenience of network traffic, new threats to the security of data traffic on the computers they use in production and daily life have emerged, such as traffic attacks, hacking, unauthorized access, impersonation of legitimate users, destruction of data integrity, interference with normal system operation, virus propagation over networks, and man-in-the-middle interception.
Many technical means exist for flow control and information security on intranet computers, for example installing network security products such as flow-control software, firewalls, antivirus systems and intrusion detection systems on the host, but security incidents still occur frequently after these measures are taken. According to statistics, 70% of computer crimes are caused by internal personnel illegally using key resources such as hosts, and only 30% of the real threat comes from outside. Internal personnel lack security awareness when using hosts: they sit behind the firewall, connect all kinds of external devices without following any rules, and get trojans and backdoors implanted, causing abnormal data flows and even network paralysis. Misoperation or deliberate damage to a system can have a severe impact, and even cause major losses, for government organs, enterprises and public institutions.
Meanwhile, for some special devices, such as hosts running dedicated control software and the engineer stations/workstations found in some industrial settings, there is often no network flow-control or security protection software on the market adapted to such systems because of their specific nature, or installing flow-control or security software causes compatibility problems for the host's original software and even degrades its performance. In addition, once the hosts of engineer stations/workstations are put online, their operating systems are basically never upgraded; even if security software is installed, the anti-malware software version and malware signature library are not updated in time, so comprehensive security protection cannot be achieved.
Disclosure of Invention
Based on the above, the invention provides an external terminal protection device and system based on a unidirectional file transfer protocol, which solve the above problems by taking over each interface of the protected host, ensuring that any use of the protected host's USB interfaces or serial-port devices must go through the external terminal protection device, and thereby protecting the USB interfaces or serial ports of the protected host without installing security software on the protected host.
The invention provides an external terminal protection device based on a unidirectional file transfer protocol, which comprises:
the file monitoring module provides at least one external interface for accessing at least one external device, stores the data to be stored that is received from the accessed external device, and transmits the data to be stored to the file output module through a one-way file transfer protocol;
the file output module provides at least one internal interface for connecting to a protected host, and outputs the data to be stored to the protected host through the at least one internal interface according to a user instruction;
the unidirectional file transmission protocol refers to that only the file monitoring module can transmit encrypted data to be stored to the file output module, and the file monitoring module cannot transmit data to any device except the file output module.
According to a preferred embodiment of the present invention, the file monitoring module and the file output module each correspond to a blockchain node; after the data to be stored from the external device is stored in the file monitoring module, the description information of that data is recorded in the blockchain public ledger, and the data to be stored is transmitted between the file monitoring module and the file output module over a P2P link.
According to a preferred embodiment of the present invention, the file monitoring module is further configured to perform security authentication of an external device accessed through the external interface according to a first preset security policy.
According to a preferred embodiment of the present invention, the file monitoring module is further configured to perform security detection on the data to be stored that is transmitted from an external device accessed through the external interface, according to a second preset security policy.
According to a preferred embodiment of the present invention, the file monitoring module includes:
the data detection module, which performs security authentication of the external device accessed through the external interface according to a first preset security policy to obtain a first detection result, and performs security detection on the data to be stored transmitted by that external device according to a second preset security policy to obtain a second detection result;
the data storage module, which stores the data to be stored from the accessed external device according to a storage instruction from the main control module;
the secure file service module, which performs one-way file transfer management of the data to be stored held in the data storage module;
and the main control module, which controls data transmission between itself and the external device according to the first detection result of the data detection module, and controls storage of the data to be stored according to the second detection result of the data detection module.
According to a preferred embodiment of the present invention, the secure file service module includes:
the extraction module is used for extracting the index information of the data to be stored;
the encryption module is used for respectively encrypting the index information and the data to be stored according to a preset encryption protocol;
and the transmission module is used for transmitting the encrypted index information or the encrypted data to be stored to the file output module.
According to a preferred embodiment of the present invention, the file output module includes:
the first decryption module is used for decrypting the encrypted index information according to the encryption protocol and transmitting the decrypted index information to the protected host through the internal interface;
the file transmission module is used for receiving a file acquisition request sent by the protected host and acquiring corresponding encrypted data to be stored from the transmission module according to the file acquisition request;
and the second decryption module is used for decrypting the encrypted data to be stored according to the encryption protocol and transmitting the decrypted data to be stored to the protected host through the internal interface.
According to a preferred embodiment of the present invention, if the external device fails the security authentication, the main control module marks the external device as an unauthorized access device and keeps the line between the external device and the external interface physically disconnected; and/or
if the external device passes the security authentication, the main control module confirms that the external device is an authorized access device and physically connects the line between the external device and the external interface.
According to a preferred embodiment of the present invention, if the data to be stored transmitted from the external device fails the security detection, the main control module blocks transmission of that data to the data storage module;
and if the data to be stored transmitted by the external device passes the security detection, the main control module sends a storage instruction to the data storage module.
The second aspect of the present invention provides a protection system based on a unidirectional file transfer protocol, including:
one or more external devices, wherein the external devices are suitable for data interaction with a protected host through the external terminal protection device;
a protected host; and
the external terminal protection device based on the one-way file transfer protocol,
the external terminal protection device is externally connected to the protected host, so that the one or more external devices are in interface communication with the protected host through the external terminal protection device.
Through the technical solution of the invention, at least one or more of the following technical effects are achieved: data communication on each interface of the protected host is guaranteed to pass through the external terminal, so the protected host can be protected without installing security software on it. In addition, the invention ensures that external devices can only transmit encrypted data to the protected host through the one-way file transfer protocol, which secures the data transmission, limits the ability of external devices to obtain data from the protected host, greatly reduces the system security risk, and comprehensively addresses the potential security hazards that each interface may introduce.
Drawings
FIG. 1 is a schematic view of an application scenario of a protection system using the external terminal protection device based on a one-way file transfer protocol according to the present invention;
FIG. 2 is a schematic structural diagram of an external terminal protection device based on a unidirectional file transfer protocol according to the present invention;
FIG. 3 is another schematic structural diagram of an external terminal protection device based on a unidirectional file transfer protocol according to the present invention;
FIG. 4 is a schematic diagram of the secure file service module and the file output module according to the present invention;
FIG. 5 is a schematic diagram of data transmission in the external terminal protection device based on the one-way file transfer protocol according to the present invention;
FIG. 6 is a schematic diagram of the network deployment of the external terminal protection system based on the unidirectional file transfer protocol according to the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The term "and/or" herein merely describes an association between related objects, meaning that three relationships may exist; e.g., "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The invention provides an external terminal protection device based on a one-way file transfer protocol, which comprises: a file monitoring module, which provides at least one external interface for accessing at least one external device, stores the data to be stored received from the accessed external device, and transmits the data to be stored to the file output module through a one-way file transfer protocol; and a file output module, which provides at least one internal interface connected to the corresponding interface of the protected host, and outputs the data to be stored to the protected host through the at least one internal interface according to a user instruction. In the invention, the unidirectional file transfer protocol means that only the file monitoring module can transmit encrypted data to be stored to the file output module, and that the file monitoring module cannot transmit data to any device other than the file output module. Therefore, the invention provides a terminal protection device in hardware form: the protected host can be protected without installing security software on it, the external device can only transmit encrypted data to the protected host through the one-way file transfer protocol, the ability of the external device to obtain data from the protected host is limited while the security of data transmission is ensured, the system security risk is greatly reduced, and the potential security hazards that each interface may introduce are comprehensively addressed.
It should be noted that a "module" in the present invention is a hardware module, i.e., a module composed of tangible electronic components such as circuits, data processing devices, memory and buffers. The file monitoring module and the file output module in the invention may be physically or functionally independent combinations of components, or physically or functionally integrated combinations of components. For example, in one embodiment, the file monitoring module consists of a file monitoring control board, the file output module consists of a file output control board, and both control boards are circuit boards populated with electronic components and connected in a wired or wireless manner. In other embodiments, the file monitoring control module and the file output control module may also be integrated on a single circuit board. Therefore, the key of the invention lies in the data transmission mode between the file monitoring module and the file output module, and not in how the electronic components forming the respective modules are combined spatially or physically connected.
Fig. 1 is an application scenario of an external terminal protection device based on a unidirectional file transfer protocol according to an embodiment of the present invention.
As shown in fig. 1, an external terminal protection device based on a unidirectional file transfer protocol is provided with internal interfaces matching the interface types of the protected device/host, and also provides external interfaces of the corresponding types; each internal interface is used to connect to the protected device/host, and the external interfaces are used to connect external devices that need to exchange data with the protected device/host. The external terminal protection device is externally connected to the protected device/host, and each interface of the protected device/host that needs protection (such as the USB ports UC1 and UC2, the COM port CC0, and the network port EC0) is connected through a connecting line of the appropriate type to the internal interface of the corresponding type. For example, the interfaces UC1 and UC2 of the protected device/host are connected to the internal USB ports UA4 and UA3 of the external terminal protection device respectively, the serial port CC0 is connected to the internal serial port CA2, and the network port EC0 is connected to the internal network port EA2. All external devices (such as USB flash drives, optical drives, serial-port devices and the like) are connected to the external interfaces of the external terminal protection device and can communicate with the protected device/host only through it: for example, an external USB flash drive is connected through the external interface UA1 of the external terminal protection device, a USB optical drive through the external interface UA2, and a serial-port device through the external interface CA1.
External devices such as USB flash drives, USB CD-ROM drives and serial-port devices that need to exchange data with the protected host cannot be connected to it directly; they must communicate through the corresponding external interface of the external terminal protection device.
Fig. 2 is a schematic view of an internal structure of the external terminal protection device based on the unidirectional file transfer protocol according to the above embodiment of the present invention. The external terminal protection device based on the one-way file transfer protocol comprises: a file monitoring module 10 and a file output module 11. The file monitoring module 10 establishes connection with the file output module 11 through a unidirectional file transfer protocol in a connection line (such as a bus) or in a wireless communication manner of WiFi, 4G, and the like.
The file monitoring module 10 provides external interfaces 100 for connecting a plurality of external devices, stores the data to be stored transmitted by those external devices through the external interfaces 100, and transmits the data to be stored to the file output module 11 through a one-way file transfer protocol; the file output module 11 provides a plurality of internal interfaces 110 connected to the corresponding interfaces of the protected host, and outputs the data to be stored received from the file monitoring module 10 to the protected host through the internal interfaces 110 according to the user instruction. The unidirectional file transfer protocol means that only the file monitoring module 10 can transmit encrypted data to be stored to the file output module 11, and that the file monitoring module 10 cannot transmit data to any device other than the file output module 11. The invention thus ensures that external devices can only transmit encrypted data to the protected host through the one-way file transfer protocol, limits the ability of external devices to obtain data from the protected host while securing the data transmission, greatly reduces the security risk of the system, and comprehensively addresses the potential security hazards that each interface may introduce.
In a specific embodiment, data transmission between the file monitoring module 10 and the file output module 11 is realized by a one-way file transfer protocol. The file monitoring module 10 and the file output module 11 are respectively corresponding to a block chain node, after data to be stored in the external device is stored in the file monitoring module 10, description information of the data to be stored is recorded in a block chain public account book, and transmission of the data to be stored between the file monitoring module 10 and the file output module 11 is performed through a P2P link.
Specifically, during storage of the data to be stored, the file monitoring module 10 acts as a blockchain node: it first computes the hash value of the data to be stored, transfers the data into its own memory and at the same time constructs a blockchain transaction of the data storage type, referred to as a data storage transaction. The data storage transaction is then broadcast, passed through consensus and written to the public ledger of the blockchain. A data storage transaction comprises description information of the data to be stored together with a transaction signature. The description information comprises the data file name, the data hash value, a user-defined file description, a list of storable nodes, a list of users permitted to download, and a list of file storage locations; the file storage location list is the list of target storage nodes for this data.
Data transmission between the two blockchain nodes (the file monitoring module 10 and the file output module 11) takes place over a P2P link. Specifically, the file monitoring module 10 sends a transmission handshake request to the file output module 11; the request carries the data storage transaction and the segmentation scheme for the file transfer.
On receiving the handshake request, the file output module 11 verifies the data storage transaction, that is, it checks the validity of the description information and the correctness of the transaction signature. Checking the description information specifically means recomputing the hash value of the data to be stored: if it matches the hash value carried in the data storage transaction, the transmission is considered legitimate; otherwise the transmission is illegitimate and fails. If the data storage transaction verifies successfully, the file output module 11 replies to the file monitoring module 10 agreeing to the handshake; if verification fails, it replies rejecting the handshake. If the file monitoring module 10 receives an agreeing reply, it transmits the data to be stored to the file output module 11 according to the segmented transmission scheme; if it receives a rejecting reply, the data transmission is aborted.
The file monitoring module 10 sends the subfiles of the data to be stored one by one according to the segmented transmission scheme; the scheme specifies the total size of the data, the number of subfiles into which it is split, and the size and sequence number of each subfile. The file output module 11 stores the received subfiles one by one and maintains an array recording the sequence numbers of the subfiles received, adding an entry whenever a subfile arrives. Because data can be lost in transit for network reasons, the file output module 11 walks the array when it receives the last subfile or when the transmission times out; if sequence numbers are missing from the array, meaning those subfiles were not received, it sends the missing sequence numbers to the file monitoring module 10, which resends the corresponding subfiles, until the file output module 11 holds the complete file. A timeout means the preset transmission time has elapsed without the last subfile arriving; if timeouts or missing subfiles occur more than three times, the transmission fails. The transmission time is a configuration item in the node configuration file.
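The handshake and segmented transfer described above, as an added example that is not part of the patent. Ed25519 for the transaction signature, SHA-256 for the data hash and JSON as the signed encoding are choices made here; the patent names none of them. The receiver checks the signature at handshake time and the data hash after reassembly, because that is the first moment it holds the bytes. The payload, the loss pattern and the all-zero key seed are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Description is the description information carried by a data storage transaction.
type Description struct {
	FileName          string   `json:"file_name"`
	DataHash          string   `json:"data_hash"` // hex SHA-256 of the data to be stored
	UserDescription   string   `json:"description"`
	StorableNodes     []string `json:"storable_nodes"`
	DownloadableUsers []string `json:"downloadable_users"`
	StorageLocations  []string `json:"storage_locations"` // target storage nodes for this transfer
}

// StorageTx is the data storage transaction: description information plus the sender's signature over it.
type StorageTx struct {
	Desc Description
	Sig  []byte
}

// Segmentation is the segmented transmission scheme that travels with the handshake request.
type Segmentation struct{ TotalSize, Count, PartSize int }

const maxRetries = 3 // at most three rounds of retransmission, as the description requires

func hashData(data []byte) string { return fmt.Sprintf("%x", sha256.Sum256(data)) }

// DemoKeys derives a fixed Ed25519 key pair from an all-zero seed: constructed demo material only.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// NewStorageTx is what the sending node builds: hash the data, complete the description, sign its JSON form.
func NewStorageTx(priv ed25519.PrivateKey, desc Description, data []byte) StorageTx {
	desc.DataHash = hashData(data)
	msg, _ := json.Marshal(desc) // cannot fail for this struct
	return StorageTx{Desc: desc, Sig: ed25519.Sign(priv, msg)}
}

// VerifySignature is the receiving node's handshake check; a bad signature means "reject handshake".
func VerifySignature(pub ed25519.PublicKey, tx StorageTx) bool {
	msg, _ := json.Marshal(tx.Desc)
	return ed25519.Verify(pub, msg, tx.Sig)
}

// Segment splits the data into numbered subfiles of partSize bytes; the last one may be shorter.
func Segment(data []byte, partSize int) (Segmentation, [][]byte) {
	var parts [][]byte
	for off := 0; off < len(data); off += partSize {
		end := off + partSize
		if end > len(data) {
			end = len(data)
		}
		parts = append(parts, data[off:end])
	}
	return Segmentation{TotalSize: len(data), Count: len(parts), PartSize: partSize}, parts
}

// Transfer plays both sides. drop is constructed fault injection: whether subfile n is lost in round r
// (round 0 is the initial send; rounds 1..maxRetries resend only the numbers still missing at the receiver).
func Transfer(seg Segmentation, parts [][]byte, drop func(n, round int) bool) ([]byte, int, error) {
	if len(parts) != seg.Count {
		return nil, 0, errors.New("subfiles do not match the segmentation scheme")
	}
	got := make([][]byte, seg.Count) // receiver's array, one slot per sequence number, sized from the scheme
	for round := 0; ; round++ {
		missing := 0
		for n := range parts {
			if got[n] == nil && !drop(n, round) {
				got[n] = parts[n]
			}
			if got[n] == nil {
				missing++
			}
		}
		if missing == 0 {
			return bytes.Join(got, nil), round, nil
		}
		if round >= maxRetries {
			return nil, round, fmt.Errorf("transfer failed: %d subfiles missing after %d retransmissions", missing, maxRetries)
		}
	}
}

// Demo runs the exchange on constructed data, losing subfile 2 in the first send and subfile 4 in the first
// resend, and reports whether the reassembled bytes match the hash committed in the transaction.
func Demo() (bool, int, error) {
	pub, priv := DemoKeys()
	data := bytes.Repeat([]byte("constructed sample payload "), 40) // 1080 bytes -> 5 subfiles of 256
	tx := NewStorageTx(priv, Description{FileName: "report.pdf", StorageLocations: []string{"output-11"}}, data)
	if !VerifySignature(pub, tx) { // handshake
		return false, 0, errors.New("handshake rejected")
	}
	seg, parts := Segment(data, 256)
	out, rounds, err := Transfer(seg, parts, func(n, r int) bool { return (r == 0 && n == 2) || (r == 1 && n == 4) })
	if err != nil {
		return false, rounds, err
	}
	return hashData(out) == tx.Desc.DataHash, rounds, nil // hash check once every subfile has arrived
}

func main() {
	fmt.Println(Demo())
}
```

The retry budget is counted per transfer rather than per subfile, so a link that keeps losing the same segment fails after three resend rounds instead of looping; the receiver sizes its array from the scheme announced in the handshake, so a sender cannot push more subfiles than it declared.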
According to another embodiment of the invention, when an external device is attached to the external interface 100, the file monitoring module 10 first performs security authentication of the device attached through the external interface 100 according to a first preset security policy. If the external device fails security authentication, it is set as a device not permitted to access, and the line between the external device and the protected host is kept physically disconnected; and/or if the external device passes security authentication, it is confirmed as a device permitted to access, and the line between the external device and the protected host is physically connected. The invention thereby achieves physically isolated security authentication of external devices and improves the security of the protection system. Further, after the external device has passed security authentication, the file monitoring module 10 performs security detection, according to a second preset security policy, on the data to be stored that is transmitted by the external device attached through the external interface 100. Data to be stored that passes security detection is stored and transmitted to the file output module 11 through the unidirectional file transfer protocol.
Fig. 3 is a schematic diagram of a specific internal structure of an external terminal protection device based on the unidirectional file transfer protocol according to the invention. Wherein:
the file monitoring module 10 comprises a data detection module 101, a data storage module 102, a secure file service module 103 and a main control module 104.
The data detection module 101 performs security authentication of the external device attached through the external interface 100 according to a first preset security policy, giving a first detection result; and performs security detection of the data to be stored transmitted by the external device attached through the external interface 100 according to a second preset security policy, giving a second detection result.
In this embodiment, the security functions implemented by the external terminal protection device include, but are not limited to, permission settings and security policy settings configured in advance on the device by an administrator. The first preset security policy or the second preset security policy includes, but is not limited to: enabling data import (for example over a USB interface), enabling data export (for example over a USB interface), USB device access restriction (for example based on the Vendor ID and/or Product ID of the USB device), a data import antivirus policy, a data export blacklist control policy, a data export format control policy, enabling a serial port access policy, USB interface insertion protection, enabling network communication auditing, enabling a firewall function, setting serial command blacklists and whitelists, and so on.
In a preferred embodiment, the first preset security policy or the second preset security policy includes: after the administrator has set each security policy, the external terminal protection device enforces the relevant security policies one by one.
In a preferred embodiment, the first preset security policy or the second preset security policy includes: the administrator further controls whether the external terminal protection device enters a monitoring protection mode, in which the device monitors its connection to the protected host and raises an alarm on an abnormal condition.
In a preferred embodiment, the first preset security policy or the second preset security policy includes: when abnormal alarms or interface access events need to be recorded for later review by the administrator, the internal memory is further used to record the alarm information or the interface access log.
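An added illustration of how the first and second preset security policies listed above might be evaluated (example code, not the patent's own): a Vendor ID / Product ID allow list for device authentication, blacklist and format control for data detection, and a byte-signature scan standing in for the antivirus engine, all tied to the line state so that a failed check leaves the line disconnected. The vendor IDs, file names and the use of the EICAR test string as the only signature are sample values chosen for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"strings"
)

// USBDevice holds what the guard reads from the descriptor of a device plugged into an external interface.
type USBDevice struct {
	VendorID, ProductID uint16
	Serial              string
}

// FirstPolicy is the device-level policy applied before the line to the forwarding interface is closed.
type FirstPolicy struct {
	ImportEnabled bool
	Allowed       []USBDevice // VID/PID pairs; ProductID 0 permits every product of that vendor
}

// SecondPolicy is the data-level policy applied to each file before it is stored.
type SecondPolicy struct {
	Formats    map[string][]byte // permitted extension -> leading magic bytes (nil = no content check)
	Blacklist  []string          // path.Match patterns that are never stored
	Signatures [][]byte          // byte patterns standing in for the antivirus engine (constructed)
}

// Authenticate implements USB access device restriction by Vendor ID / Product ID.
func (p FirstPolicy) Authenticate(dev USBDevice) (bool, string) {
	if !p.ImportEnabled {
		return false, "data import disabled"
	}
	for _, a := range p.Allowed {
		if a.VendorID == dev.VendorID && (a.ProductID == 0 || a.ProductID == dev.ProductID) {
			return true, fmt.Sprintf("device %04x:%04x permitted", dev.VendorID, dev.ProductID)
		}
	}
	return false, fmt.Sprintf("device %04x:%04x not in allow list", dev.VendorID, dev.ProductID)
}

// Inspect applies blacklist control, format control and the antivirus check to one file. Format control
// looks at the content, not only the name, so an executable renamed to .pdf is refused.
func (p SecondPolicy) Inspect(name string, content []byte) (bool, string) {
	base := strings.ToLower(path.Base(name))
	for _, pat := range p.Blacklist {
		if ok, _ := path.Match(pat, base); ok {
			return false, "name matches blacklist pattern " + pat
		}
	}
	ext := strings.TrimPrefix(path.Ext(base), ".")
	magic, permitted := p.Formats[ext]
	if !permitted {
		return false, "format ." + ext + " not permitted"
	}
	if magic != nil && !bytes.HasPrefix(content, magic) {
		return false, "content does not match the ." + ext + " format"
	}
	for _, sig := range p.Signatures {
		if bytes.Contains(content, sig) {
			return false, "antivirus signature match"
		}
	}
	return true, "clean"
}

// Guard ties both decisions to the line state the description requires: the line closes only after the
// device authenticates, a file is stored only after it passes detection, and a failed detection reopens the line.
type Guard struct {
	First      FirstPolicy
	Second     SecondPolicy
	LineClosed bool     // physical line between external interface and forwarding interface
	Stored     []string // file names accepted into the data storage module
	Log        []string // alarm and access log kept in internal memory
}

func (g *Guard) Attach(dev USBDevice) bool {
	ok, why := g.First.Authenticate(dev)
	g.LineClosed = ok
	g.Log = append(g.Log, "attach: "+why)
	return ok
}

func (g *Guard) Import(name string, content []byte) bool {
	if !g.LineClosed {
		g.Log = append(g.Log, "import "+name+": refused, line disconnected")
		return false
	}
	ok, why := g.Second.Inspect(name, content)
	if ok {
		g.Stored = append(g.Stored, name)
	} else {
		g.LineClosed = false
	}
	g.Log = append(g.Log, "import "+name+": "+why)
	return ok
}

// DemoPolicy is a constructed policy set: two approved vendor IDs (sample values), documents and images only,
// a few blacklisted names, and the EICAR test string as the only antivirus signature.
func DemoPolicy() *Guard {
	return &Guard{
		First: FirstPolicy{ImportEnabled: true, Allowed: []USBDevice{{VendorID: 0x0781, ProductID: 0x5583}, {VendorID: 0x0951}}},
		Second: SecondPolicy{
			Formats:    map[string][]byte{"pdf": []byte("%PDF-"), "png": []byte("\x89PNG\r\n\x1a\n"), "txt": nil},
			Blacklist:  []string{"*.exe", "*.lnk", "autorun.inf"},
			Signatures: [][]byte{[]byte(`X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`)},
		},
	}
}

func main() {
	g := DemoPolicy()
	g.Attach(USBDevice{VendorID: 0x0781, ProductID: 0x5583, Serial: "A1"})
	g.Import("report.pdf", []byte("%PDF-1.7 constructed"))
	g.Import("invoice.pdf", []byte("MZ\x90\x00 renamed executable"))
	fmt.Println(strings.Join(g.Log, "\n"))
}
```

A VID/PID allow list is only as strong as the descriptor it reads, which any programmable USB device can forge, so the device check here is a filter rather than authentication; the content-based format check and the signature scan are what actually stand between a renamed executable and the data storage module.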
The data storage module 102 stores the data to be stored from the attached external device according to a storage instruction from the main control module 104; as the internal memory of the protection device, the data storage module 102 may specifically be a hardware memory D. The storage instruction is an instruction to store the data to be stored from the external device, issued by the main control module 104 after it has determined that the external device passed security authentication and that the data transmitted by the device passed security detection. The data to be stored is the data that, according to a user operation or a preset storage policy, is to be transferred from the external device to the protected host. The user operation may be the user selecting the data. The preset storage policy may be a preset policy of storing the data held at certain storage addresses of the external device; for example, the policy may be to store the data in storage area A of the external device, in which case the user must place the data in storage area A of the external device before it is transferred from the device to the protected host through the external terminal protection device of the invention.
The data storage module 102 may further store the first preset security policy and the second preset security policy; the data detection module 101 reads the first preset security policy from the data storage module 102 to perform security authentication of external devices attached through external interfaces 100 of different types, and reads the second preset security policy from the data storage module 102 to perform security detection of the data to be stored transmitted by external devices attached through external interfaces 100 of different types.
The secure file service module 103 performs unidirectional file transfer management of the data to be stored in the data storage module 102: it encrypts the data to be stored, ensures that the encrypted data is transmitted only from the file monitoring module 10 to the file output module 11, and ensures that the file monitoring module 10 transmits no data to any device other than the file output module 11.
The main control module 104 controls data transmission with the external device according to the first detection result of the data detection module 101: if the external device fails security authentication, the main control module 104 sets it as a device not permitted to access and keeps the line between the external device and the external interface 100 physically disconnected; and/or if the external device passes security authentication, the main control module 104 confirms it as a device permitted to access and physically connects the line between the external device and the external interface 100.
In one embodiment, as shown in Fig. 4, the secure file service module 103 comprises:
an extraction module for extracting index information of the data to be stored; the index information is an indexed sequential file built from the data files, recording the key of each item of data to be stored and the address of the corresponding record on disk;
an encryption module for encrypting the index information and the data to be stored, respectively, according to a preset encryption protocol; in the invention an encryption protocol comprises an encryption algorithm and a key, and the encryption module encrypts the index information and the data to be stored with that algorithm and key;
and a transmission module for transmitting the encrypted index information or the encrypted data to be stored to the file output module 11.
Correspondingly, the file output module 11 comprises:
a first decryption module for decrypting the encrypted index information according to the encryption protocol and transmitting the decrypted index information to the protected host through the internal interface;
a file transmission module for receiving a file acquisition request sent by the protected host and obtaining the corresponding encrypted data to be stored from the transmission module according to that request;
and a second decryption module for decrypting the encrypted data to be stored according to the encryption protocol and transmitting the decrypted data to the protected host through the internal interface.
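The index extraction, encryption and file acquisition flow of the six modules above, as an added example that is not part of the patent. AES-256-GCM is the algorithm chosen here for the "encryption protocol"; the patent says only algorithm plus key. The key name is bound into each ciphertext as associated data so that one record cannot be served in place of another; the file contents and the all-zero demo key are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"sort"
)

// IndexEntry is one record of the indexed sequential file: the key of a data item and the address
// (offset, length) of its record in the monitoring side's storage.
type IndexEntry struct {
	Key    string `json:"key"`
	Offset int    `json:"offset"`
	Length int    `json:"length"`
}

// Protocol is the preset encryption protocol: an algorithm (AES-256-GCM here) and a key provisioned to both modules.
type Protocol struct{ aead cipher.AEAD }

func NewProtocol(key []byte) (Protocol, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Protocol{}, err
	}
	aead, err := cipher.NewGCM(block)
	return Protocol{aead: aead}, err
}

// Seal returns nonce||ciphertext||tag; label is authenticated as associated data, never encrypted.
func (p Protocol) Seal(plain []byte, label string) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return p.aead.Seal(nonce, nonce, plain, []byte(label)), nil
}

func (p Protocol) Open(box []byte, label string) ([]byte, error) {
	n := p.aead.NonceSize()
	if len(box) < n {
		return nil, errors.New("ciphertext too short")
	}
	return p.aead.Open(nil, box[:n], box[n:], []byte(label))
}

// FileService is the secure file service module on the monitoring side.
type FileService struct {
	proto Protocol
	store []byte       // records laid out back to back
	index []IndexEntry // extracted index information
}

// NewFileService lays the files out in one storage area and extracts the index (the extraction module).
func NewFileService(proto Protocol, files map[string][]byte) *FileService {
	s := &FileService{proto: proto}
	keys := make([]string, 0, len(files))
	for k := range files {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic record order
	for _, k := range keys {
		s.index = append(s.index, IndexEntry{Key: k, Offset: len(s.store), Length: len(files[k])})
		s.store = append(s.store, files[k]...)
	}
	return s
}

// EncryptedIndex and EncryptedFile are all the transmission module ever hands out, and both are ciphertext.
func (s *FileService) EncryptedIndex() ([]byte, error) {
	plain, err := json.Marshal(s.index)
	if err != nil {
		return nil, err
	}
	return s.proto.Seal(plain, "index")
}

func (s *FileService) EncryptedFile(key string) ([]byte, error) {
	for _, e := range s.index {
		if e.Key == key {
			return s.proto.Seal(s.store[e.Offset:e.Offset+e.Length], "file:"+key)
		}
	}
	return nil, fmt.Errorf("no record for key %q", key)
}

// OutputModule is the file output module: Index is the first decryption module, Acquire the file
// transmission and second decryption modules. The only thing that travels back toward the monitoring
// side is the key named in the host's file acquisition request.
type OutputModule struct {
	proto Protocol
	src   *FileService
}

func (o OutputModule) Index() ([]IndexEntry, error) {
	box, err := o.src.EncryptedIndex()
	if err != nil {
		return nil, err
	}
	plain, err := o.proto.Open(box, "index")
	if err != nil {
		return nil, err
	}
	var idx []IndexEntry
	return idx, json.Unmarshal(plain, &idx)
}

func (o OutputModule) Acquire(key string) ([]byte, error) {
	box, err := o.src.EncryptedFile(key)
	if err != nil {
		return nil, err
	}
	return o.proto.Open(box, "file:"+key)
}

func main() {
	proto, _ := NewProtocol(make([]byte, 32)) // constructed all-zero key; a real device provisions it out of band
	out := OutputModule{proto: proto, src: NewFileService(proto, map[string][]byte{"report.pdf": []byte("%PDF-1.7 constructed")})}
	fmt.Println(out.Acquire("report.pdf"))
}
```

Because GCM uses a fresh random 96-bit nonce per record, the same key must not be used for more than a few billion records; a device that keeps one key for its lifetime would need a counter-based nonce or periodic rekeying.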
Further, the file monitoring module 10 further comprises a forwarding interface for forwarding the data traffic of the external interface 100 to the data storage module. As shown in Fig. 5, the internal USB interfaces UA3 and UA4 of the file output module 11 are connected to USB ports of the protected host; the forwarding interfaces UB1 and UB2 of the file monitoring module 10 are each connected to the internal USB interface UB3, on which data is unloaded; the external USB interfaces UA1 and UA2 receive the USB disk or removable storage medium of the external device to be attached; and the CTRL port serves as a bus interface to the transmission interface of the file output control board. The main control module 104 further comprises hardware control logic that connects and disconnects the physical line between each external interface and the external device. If the external device fails security authentication, the hardware control logic in the main control module 104 keeps the physical line between the external interface the device is attached to and the forwarding interface disconnected, so that data transmission from the attached device is blocked; if the external device passes security authentication, the hardware control logic in the main control module 104 connects the physical line between that external interface and the forwarding interface.
The main control module 104 further controls storage of the data to be stored according to the second detection result of the data detection module 101. If the data to be stored transmitted from the external device fails security detection, the main control module 104 cuts off transmission of the data to the data storage module, and the hardware control logic in the main control module 104 keeps the physical line between the external interface the device is attached to and the forwarding interface disconnected, so that further data transmission from the attached device is blocked; if the data to be stored passes security detection, the main control module 104 sends a storage instruction to the data storage module.
As shown in Fig. 5, when data on the USB disk of the external device is to be imported into the protected host, the main control module 104 has the hardware control logic connect the physical line between UA1 and UB1 and copies Data1 from the USB disk into the buffer of the file monitoring control board; during this time the hardware control logic keeps the physical line between the forwarding interface UB1 (connected to the system control board) and UB3 (connected to the internal USB memory) disconnected, and keeps the physical line between the internal USB interface UA3 (connected to the protected host) and UB3 disconnected.
Next, the hardware control logic opens the switch on the physical line between UA1 and UB1 and closes the physical line between UB1 and UB3, so that the data forwarded by UB1 is stored in the internal USB memory through the UB3 interface; the data detection module 101 then performs security detection on Data1 in the buffer, and performs security detection such as antivirus scanning of the USB memory inserted in UA1 while it is isolated from the protected host. After Data1 passes security detection, the main control module 104 has Data1 copied into the data storage module 102 for storage, during which the hardware control logic keeps the physical lines between UA1 and UB1 and between UA2 and UB2 disconnected. The secure file service module 103 then transmits the stored data to the file output module 11 through the unidirectional transfer protocol, after which the file output module 11 delivers the requested data to the protected host in response to the file acquisition request sent by the host.
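The switching sequence in the two paragraphs above, modelled as an added example (not the patent's own control logic) so that the isolation property can be checked mechanically: the lines form a graph, and after every stage the model asserts that no external USB interface has a path to a host-side interface. Interface names follow Fig. 5; the final stage, which closes UB3 to UA3 only once every external-facing line is open again, is an assumption of this example, since the description does not say when that line is connected.

```go
package main

import "fmt"

// Line is one switchable physical line between two interfaces, stored with its ends in sorted order.
type Line struct{ A, B string }

func newLine(a, b string) Line {
	if a > b {
		a, b = b, a
	}
	return Line{a, b}
}

// Fabric models the hardware control logic: every line starts disconnected; Set closes or opens one switch.
type Fabric struct {
	closed map[Line]bool
	trace  []string
}

func NewFabric() *Fabric { return &Fabric{closed: map[Line]bool{}} }

func (f *Fabric) Set(a, b string, on bool) {
	f.closed[newLine(a, b)] = on
	f.trace = append(f.trace, fmt.Sprintf("%s-%s=%v", a, b, on))
}

// Connected reports whether some chain of closed lines joins a and b.
func (f *Fabric) Connected(a, b string) bool {
	seen := map[string]bool{a: true}
	for queue := []string{a}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if cur == b {
			return true
		}
		for l, on := range f.closed {
			if !on || (l.A != cur && l.B != cur) {
				continue
			}
			for _, next := range []string{l.A, l.B} {
				if !seen[next] {
					seen[next] = true
					queue = append(queue, next)
				}
			}
		}
	}
	return false
}

// External and HostSide are the two ends that must never be joined: the isolation the description promises.
var External = []string{"UA1", "UA2"}
var HostSide = []string{"UA3", "UA4"}

func (f *Fabric) CheckIsolation() error {
	for _, e := range External {
		for _, h := range HostSide {
			if f.Connected(e, h) {
				return fmt.Errorf("isolation violated: %s reaches %s after %s", e, h, f.trace[len(f.trace)-1])
			}
		}
	}
	return nil
}

// Step applies one stage's switch changes and then checks the invariant.
func (f *Fabric) Step(stage string, changes ...func(*Fabric)) error {
	for _, c := range changes {
		c(f)
	}
	if err := f.CheckIsolation(); err != nil {
		return fmt.Errorf("%s: %w", stage, err)
	}
	return nil
}

func on(a, b string) func(*Fabric)  { return func(f *Fabric) { f.Set(a, b, true) } }
func off(a, b string) func(*Fabric) { return func(f *Fabric) { f.Set(a, b, false) } }

// ImportSequence replays the import of Data1 from the USB disk on UA1 in the order the description gives.
// The last stage is this example's assumption: the host-side line closes only once every external line is open.
func ImportSequence(f *Fabric) error {
	stages := []struct {
		name    string
		changes []func(*Fabric)
	}{
		{"copy Data1 into the buffer", []func(*Fabric){on("UA1", "UB1"), off("UB1", "UB3"), off("UA3", "UB3")}},
		{"unload into internal USB memory and scan", []func(*Fabric){off("UA1", "UB1"), on("UB1", "UB3")}},
		{"copy into the data storage module", []func(*Fabric){off("UB1", "UB3"), off("UA2", "UB2")}},
		{"deliver to the protected host (assumed)", []func(*Fabric){on("UA3", "UB3")}},
	}
	for _, s := range stages {
		if err := f.Step(s.name, s.changes...); err != nil {
			return err
		}
	}
	return nil
}

// FaultySequence is what the invariant is for: closing UB1-UB3 before UA1-UB1 has been opened again
// builds a continuous path from the USB disk to the protected host.
func FaultySequence(f *Fabric) error {
	return f.Step("shortcut", on("UA1", "UB1"), on("UB1", "UB3"), on("UA3", "UB3"))
}

func main() {
	fmt.Println("correct order:", ImportSequence(NewFabric()))
	fmt.Println("faulty order: ", FaultySequence(NewFabric()))
}
```

The check is per stage, so a stage is treated as one atomic set of switch settings; if the real control logic changes switches one at a time, the same invariant should be evaluated after each individual Set, which the model supports by giving each change its own Step.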
Fig. 6 shows a network deployment embodiment of the protection system based on the unidirectional file transfer protocol according to the invention. The protection system comprises one or more external devices; a protected host; and the external terminal protection device based on the unidirectional file transfer protocol, which is attached externally to the protected host so that the one or more external devices communicate with the protected host through the external terminal protection device. The external terminal protection device based on the unidirectional file transfer protocol is as described above and is not described again here.
The protection system further comprises a control center for remotely managing the external terminal protection device; the control center consists of nodes such as a server and a management workstation and is connected through a network switching node to the network port EA1 of the external terminal protection device.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the external terminal protection device and protection system according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.

Claims (10)

1. An external terminal protection device based on a one-way file transfer protocol, the device comprising:
the file monitoring module is used for providing at least one external interface to access at least one external device, storing data to be stored in the accessed external device and transmitting the data to be stored to the file output module through a one-way file transmission protocol;
the file output module is used for providing at least one internal interface to connect with a protected host, and outputting the data to be stored to the protected host through the at least one internal interface according to a user instruction;
wherein the unidirectional file transfer protocol means that only the file monitoring module can transmit encrypted data to be stored to the file output module, and the file monitoring module cannot transmit data to any device other than the file output module.
2. The device of claim 1, wherein the file monitoring module and the file output module each correspond to a blockchain node; after the data to be stored in the external device has been stored in the file monitoring module, description information of the data to be stored is recorded in a public ledger of the blockchain, and transmission of the data to be stored between the file monitoring module and the file output module takes place over a P2P link.
3. The device of claim 1, wherein the file monitoring module is further configured to detect a security authentication of an external device accessed through the external interface according to a first preset security policy.
4. The device according to claim 3, wherein the file monitoring module is further configured to perform security detection on data to be stored transmitted from an external device accessed through the external interface according to a second preset security policy.
5. The device of claim 4, wherein the file monitoring module comprises:
the data detection module is used for detecting the security authentication of the external equipment accessed through the external interface according to a first preset security policy to obtain a first detection result; according to a second preset security policy, security detection is carried out on data to be stored transmitted by external equipment accessed through the external interface, and a second detection result is obtained;
the data storage module is used for storing the data to be stored in the accessed external equipment according to the storage instruction of the main control module;
the security file service module is used for carrying out one-way file transmission management on the data to be stored in the data storage module;
and a main control module for controlling data transmission with the external device according to the first detection result of the data detection module, and controlling storage of the data to be stored according to the second detection result of the data detection module.
6. The apparatus of claim 5, wherein the secure file service module comprises:
the extraction module is used for extracting the index information of the data to be stored;
the encryption module is used for respectively encrypting the index information and the data to be stored according to a preset encryption protocol;
and the transmission module is used for transmitting the encrypted index information or the encrypted data to be stored to the file output module.
7. The apparatus of claim 6, wherein the file output module comprises:
the first decryption module is used for decrypting the encrypted index information according to the encryption protocol and transmitting the decrypted index information to the protected host through the internal interface;
the file transmission module is used for receiving a file acquisition request sent by the protected host and acquiring corresponding encrypted data to be stored from the transmission module according to the file acquisition request;
and the second decryption module is used for decrypting the encrypted data to be stored according to the encryption protocol and transmitting the decrypted data to be stored to the protected host through the internal interface.
8. The device of claim 5, wherein if the external device fails security authentication, the main control module sets the external device as a device not permitted to access and keeps the line between the external device and the external interface physically disconnected; and/or
if the external device passes security authentication, the main control module confirms the external device as a device permitted to access and physically connects the line between the external device and the external interface.
9. The device according to claim 5, wherein if the data to be stored transmitted from the external device fails the security detection, the main control module disconnects the transmission of the data to be stored to the data storage module;
and if the data to be stored transmitted by the external equipment passes security detection, the main control module sends a storage instruction to the data storage module.
10. A unidirectional file transfer protocol based protection system comprising:
one or more external devices, adapted for data interaction with a protected host through the external terminal protection device;
a protected host; and
the external terminal protection device based on a unidirectional file transfer protocol according to any one of claims 1 to 9,
the external terminal protection device is externally connected to the protected host, so that the one or more external devices are in interface communication with the protected host through the external terminal protection device.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010736022.XA CN111901418B (en) 2020-07-28 2020-07-28 External terminal protection equipment and system based on unidirectional file transfer protocol

Publications (2)

Publication Number Publication Date
CN111901418A true CN111901418A (en) 2020-11-06
CN111901418B CN111901418B (en) 2023-06-30

Family

ID=73191101

Country Status (1)

Country Link
CN (1) CN111901418B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113411335A (en) * 2021-06-18 2021-09-17 滁州学院 Network security monitoring system based on big data
CN114154609A (en) * 2021-12-21 2022-03-08 福建省气象信息中心(福建省气象档案馆) One-way safe transmission simple device of private protocol

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120150742A1 (en) * 2010-12-14 2012-06-14 Xtreme Mobility Inc. System and Method for Authenticating Transactions Through a Mobile Device
CN103491072A (en) * 2013-09-06 2014-01-01 北京信息控制研究所 Boundary access control method based on double one-way separation gatekeepers
CN104363221A (en) * 2014-11-10 2015-02-18 青岛微智慧信息有限公司 Network safety isolation file transmission control method
CN105812387A (en) * 2016-05-09 2016-07-27 北京航天数控系统有限公司 Unidirectional safe data exchange device
WO2018032377A1 (en) * 2016-08-13 2018-02-22 深圳市樊溪电子有限公司 Read-only security file storage system for block chain, and method thereof
CN107749840A (en) * 2017-09-27 2018-03-02 北京机电工程研究所 The unidirectional safe transmission of data and coprocessing system and method based on unidirectional gateway
CN107819775A (en) * 2017-11-16 2018-03-20 深圳市风云实业有限公司 Gateway device and data transmission method
CN109543475A (en) * 2018-10-29 2019-03-29 北京博衍思创信息科技有限公司 A kind of circumscribed terminal protection equipment and guard system
CN111125801A (en) * 2019-12-27 2020-05-08 北京安天网络安全技术有限公司 USB-based automatic switching one-way remote file transmission method and device

Also Published As

Publication number Publication date
CN111901418B (en) 2023-06-30

Similar Documents

Publication Publication Date Title
CN109543475B (en) External terminal protection device and protection system
CN109561071B (en) Data flow control's external terminal protective equipment and protection system
KR102313544B1 (en) Data forwarding control method and system based on hardware control logic
EP2834957B1 (en) Anti-tamper device, system, method, and computer-readable medium
US7743413B2 (en) Client apparatus, server apparatus and authority control method
KR101373542B1 (en) System for Privacy Protection which uses Logical Network Division Method based on Virtualization
CN102799831B (en) Information safety protection system of application system based on database and information safety protection method
RU2628925C1 (en) System and method for protected transmission of audio-data from microphone to processes
CN111901418B (en) External terminal protection equipment and system based on unidirectional file transfer protocol
RU130429U1 (en) TERMINAL AND PROTECTED COMPUTER SYSTEM INCLUDING TERMINAL
US7565690B2 (en) Intrusion detection
CN111898167A (en) External terminal protection equipment and protection system including identity information verification
CN111885179B (en) External terminal protection device and protection system based on file monitoring service
KR101425726B1 (en) Linked network security system and method based on virtualization in the separate network environment
CN111859434A (en) External terminal protection device and protection system for providing confidential file transmission
CN111898105A (en) External terminal protection equipment with user tracing function and protection system
CN111859473A (en) External terminal protection equipment and protection system based on space detection
CN111885178A (en) External terminal protection equipment and protection system including voice information verification
JP2019012442A (en) Secure element, computer program, device, server, and file information matching method
CN111859453A (en) File safety protection method of external protection equipment and external protection equipment
CN111859344A (en) External terminal protection equipment and protection system including face information verification
KR101292760B1 (en) E-drm security management system and security method thereof
KR20020004059A (en) Server security method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant