CN111901418B - External terminal protection equipment and system based on unidirectional file transfer protocol - Google Patents

Info

Publication number: CN111901418B
Authority: CN (China)
Prior art keywords: data, file, module, stored, external
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010736022.XA
Other languages: Chinese (zh)
Other versions: CN111901418A (en)
Inventor: 褚峨维
Current assignee: Beijing Zhongke Qilin Information Engineering Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Zhongke Qilin Information Engineering Co ltd
Events: application filed by Beijing Zhongke Qilin Information Engineering Co ltd; priority to CN202010736022.XA; publication of CN111901418A; application granted; publication of CN111901418B; legal status currently active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/104 Peer-to-peer [P2P] networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses an external terminal protection device and system based on a unidirectional file transfer protocol. The device comprises a file monitoring module, which receives the data to be stored from an external device and transmits it to a file output module through the unidirectional file transfer protocol, and a file output module, which outputs the data to be stored to a protected host according to a user instruction. The unidirectional file transfer protocol means that only the file monitoring module can transfer encrypted data to be stored to the file output module, and that the file monitoring module cannot transfer data to any device other than the file output module. The invention protects the protected host without installing security protection software on it, greatly reduces the security risk of the system, and comprehensively addresses the potential security hazards that each interface may present.

Description

External terminal protection equipment and system based on unidirectional file transfer protocol
Technical Field
The invention belongs to the technical field of computer security, and in particular relates to an external terminal protection device and system based on a unidirectional file transfer protocol.
Background
In recent years computer and network technologies have developed rapidly, greatly promoting the spread of networks. As people increasingly enjoy the convenience brought by network traffic, new threats to the security of data traffic arise in the computers people use in production and daily life, such as common traffic attacks, hacking, unauthorized access, impersonation of legitimate users, damage to data integrity, interference with normal system operation, propagation of viruses over networks, man-in-the-middle interception, and the like.
There are many technical means for addressing flow control and information security in an intranet computer network; for example, a host may be equipped with network security products such as flow control software, a firewall, antivirus and an intrusion detection system, yet network security incidents still occur frequently after such measures are taken. According to statistics, 70% of computer crimes are caused by illegal use of key resources such as hosts by internal personnel, and only 30% of real threats come from outside. Internal personnel lack security awareness when using a host, sit behind the firewall, connect various external devices in an unregulated way, and have trojan backdoors implanted, causing abnormal data flows and even network paralysis; misoperation or deliberate damage to a system can have a bad influence on, and even cause great loss to, institutions, enterprises and the like.
Meanwhile, for some special devices, such as a host running special control software, or the devices of engineer stations and operator stations in some industrial fields, there is often no network flow control software or security protection software on the market adapted to the system because of its specificity; or installing flow control or security software easily causes compatibility problems with the host's original software and may even affect performance. In addition, the operating system of an engineer station or workstation host is basically not updated after it goes online, and even if security software is installed, the malicious code prevention software version and the malicious code library are not always updated in time, so that a comprehensive security protection effect is not achieved.
Disclosure of Invention
Based on this, the present invention provides an external terminal protection device and system based on a unidirectional file transfer protocol to solve the above problems: each interface of the protected host is taken over, and any use of the protected host's USB interfaces or serial devices must be completed through the external terminal protection device, so that the USB interfaces and serial ports of the protected host can be protected without installing security protection software on the protected host.
The first aspect of the present invention provides an external terminal protection device based on a unidirectional file transfer protocol, comprising:
a file monitoring module, which provides at least one external interface for accessing at least one external device, stores the data to be stored from the accessed external device, and transmits the data to be stored to the file output module through a unidirectional file transfer protocol;
a file output module, which provides at least one internal interface for connecting to the protected host and outputs the data to be stored to the protected host through the at least one internal interface according to a user instruction;
where the unidirectional file transfer protocol means that only the file monitoring module can transfer encrypted data to be stored to the file output module, and the file monitoring module cannot transfer data to any device other than the file output module.
According to a preferred embodiment of the present invention, the file monitoring module and the file output module each correspond to a blockchain node; after the data to be stored from the external device has been stored in the file monitoring module, the description information of the data to be stored is recorded in the blockchain public ledger, and the data to be stored is transmitted between the file monitoring module and the file output module through a P2P link.
According to a preferred embodiment of the present invention, the file monitoring module is further configured to perform security authentication of an external device accessed through the external interface according to a first preset security policy.
According to a preferred embodiment of the present invention, the file monitoring module is further configured to perform security detection on the data to be stored transmitted by an external device accessed through the external interface according to a second preset security policy.
According to a preferred embodiment of the present invention, the file monitoring module includes:
a data detection module, which performs security authentication of the external device accessed through the external interface according to a first preset security policy to obtain a first detection result, and performs security detection on the data to be stored transmitted by the external device accessed through the external interface according to a second preset security policy to obtain a second detection result;
a data storage module, which stores the data to be stored from the accessed external device according to a storage instruction from the main control module;
a security file service module, which performs unidirectional file transfer management of the data to be stored in the data storage module; and
a main control module, which controls data transmission with the external device according to the first detection result of the data detection module and controls storage of the data to be stored according to the second detection result of the data detection module.
According to a preferred embodiment of the present invention, the security file service module includes:
an extraction module, which extracts the index information of the data to be stored;
an encryption module, which encrypts the index information and the data to be stored, respectively, according to a preset encryption protocol; and
a transmission module, which transmits the encrypted index information or the encrypted data to be stored to the file output module.
According to a preferred embodiment of the present invention, the file output module includes:
a first decryption module, which decrypts the encrypted index information according to the encryption protocol and transmits the decrypted index information to the protected host through an internal interface;
a file transmission module, which receives a file acquisition request sent by the protected host and obtains the corresponding encrypted data to be stored from the transmission module according to the file acquisition request; and
a second decryption module, which decrypts the encrypted data to be stored according to the encryption protocol and transmits the decrypted data to be stored to the protected host through an internal interface.
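The division of labour between the security file service module (extraction, encryption, transmission) and the file output module (two decryption modules plus the file transmission module that answers the host's file acquisition request) is easier to see in code. The following Python model is an added example, not code from the patent or its assignee: the class and method names are hypothetical, the patent does not specify its "preset encryption protocol", so an HMAC-SHA256 keystream with encrypt-then-MAC stands in for it, and the sample file content is constructed. The point it makes is that the only outbound path from the monitoring side is the output module handed to it, the host only ever sees decrypted index information and can only pull files listed in that index, and an encrypted blob that fails its tag is rejected before anything reaches the host.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter keystream (hypothetical stand-in, not the patent's protocol)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || plaintext XOR keystream || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the payload; raise on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class FileOutputModule:
    """First decryption module, file transmission module and second decryption module."""

    def __init__(self, key: bytes):
        self.key = key
        self.service = None          # the transmission module it is allowed to pull from
        self.catalogue = {}          # decrypted index information shown to the host

    def attach(self, service: "SecurityFileService") -> None:
        self.service = service

    def receive_index(self, blob: bytes) -> dict:
        """First decryption module: decrypt the index and expose it on the host side."""
        index = json.loads(decrypt(self.key, blob))
        self.catalogue[index["file_name"]] = index
        return index

    def handle_file_request(self, file_name: str) -> bytes:
        """File transmission module + second decryption module: answer a file
        acquisition request from the protected host."""
        index = self.catalogue[file_name]        # KeyError for files never published
        data = decrypt(self.key, self.service.fetch_encrypted(file_name))
        if hashlib.sha256(data).hexdigest() != index["sha256"]:
            raise ValueError("decrypted data does not match its index")
        return data


class SecurityFileService:
    """Extraction, encryption and transmission modules inside the file monitoring module.
    The only peer it can address is the FileOutputModule given at construction."""

    def __init__(self, key: bytes, output: FileOutputModule):
        self.key = key
        self.output = output
        self._storage = {}           # the data storage module; plaintext never leaves here
        output.attach(self)

    @staticmethod
    def extract_index(file_name: str, data: bytes) -> dict:
        """Extraction module: index information for one stored file."""
        return {"file_name": file_name, "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest()}

    def store_and_publish(self, file_name: str, data: bytes) -> None:
        """Store the file, then push only its encrypted index to the output module."""
        self._storage[file_name] = data
        index = self.extract_index(file_name, data)
        self.output.receive_index(encrypt(self.key, json.dumps(index).encode()))

    def fetch_encrypted(self, file_name: str) -> bytes:
        """Transmission module: the encrypted file, served only toward the output module."""
        return encrypt(self.key, self._storage[file_name])


if __name__ == "__main__":
    k = os.urandom(32)
    out = FileOutputModule(k)
    svc = SecurityFileService(k, out)
    svc.store_and_publish("report.txt", b"constructed sample content")
    print(sorted(out.catalogue), out.handle_file_request("report.txt"))
```

Note that the output module never holds the plaintext store: each request triggers a fresh encrypted copy from the transmission module, and the hash carried in the index is re-checked after decryption, so a mismatch between what was published and what is served is caught on the output side rather than on the host.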
According to a preferred embodiment of the present invention, if the external device fails the security authentication, the main control module sets the external device as an unlicensed access device and keeps the line between the external device and the external interface physically disconnected; and/or
if the external device passes the security authentication, the main control module confirms that the external device is a licensed access device and physically connects the line between the external device and the external interface.
According to a preferred embodiment of the present invention, if the data to be stored transmitted by the external device does not pass the security detection, the main control module cuts off transmission of the data to be stored to the data storage module;
and if the data to be stored transmitted by the external device passes the security detection, the main control module sends a storage instruction to the data storage module.
A second aspect of the present invention provides a protection system based on a unidirectional file transfer protocol, including:
one or more external devices, adapted to exchange data with the protected host through the external terminal protection device;
a protected host; and
the external terminal protection device based on the unidirectional file transfer protocol as described in any one of the above,
where the external terminal protection device is externally connected to the protected host, so that the one or more external devices communicate with the protected host through the external terminal protection device.
The technical scheme provided by the invention has at least one or more of the following technical effects: it takes over each data interface of the protected host, ensures that data communication using each interface of the protected host is completed through the external terminal, and protects the protected host without installing security protection software on it. In the invention, the unidirectional file transfer protocol ensures that an external device can only transmit encrypted data to the protected host; the security of data transmission is ensured, the authority of the external device to obtain data from the protected host is limited, the system security risk is greatly reduced, and the potential security hazards that each interface may present are comprehensively addressed.
Drawings
FIG. 1 is a schematic view of an application scenario of a protection system using the external terminal protection device based on a unidirectional file transfer protocol of the present invention;
FIG. 2 is a schematic diagram of an external terminal protection device based on a unidirectional file transfer protocol according to the present invention;
FIG. 3 is a schematic diagram of another structure of an external terminal protection device based on a unidirectional file transfer protocol according to the present invention;
FIG. 4 is a schematic diagram of a security file service module and a file output module according to the present invention;
FIG. 5 is a schematic diagram of data transmission of an external terminal protection device based on a unidirectional file transfer protocol according to the present invention;
FIG. 6 is a schematic diagram of a network deployment of the external terminal protection system based on a unidirectional file transfer protocol of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The term "and/or" herein merely describes an association relation between associated objects, meaning that three relations may exist; e.g. "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
The invention provides an external terminal protection device based on a unidirectional file transfer protocol, which comprises: a file monitoring module, which provides at least one external interface for accessing at least one external device, stores the data to be stored from the accessed external device, and transmits the data to be stored to the file output module through a unidirectional file transfer protocol; and a file output module, which provides at least one internal interface connected to the corresponding interface of the protected host and outputs the data to be stored to the protected host through the at least one internal interface according to a user instruction. In the invention, the unidirectional file transfer protocol means that the file monitoring module can only transfer the encrypted data to be stored to the file output module, and cannot transfer data to any device other than the file output module. Therefore, the invention provides the terminal protection device in hardware form: the protected host can be protected without installing security protection software on it; the unidirectional file transfer protocol ensures that the external device can only transmit encrypted data to the protected host; the authority of the external device to obtain data from the protected host is limited while the security of data transmission is ensured; the system security risk is greatly reduced; and the potential security hazards that each interface may present are comprehensively addressed.
It should be noted that the term "module" as used herein refers to a hardware module, i.e. a module formed by tangible electronic components such as circuits, data processing devices, memories and buffers. The file monitoring module and the file output module of the invention may be physically or functionally independent combinations of components, or may be physically or functionally integrated into a single combination of components. For example, in one embodiment the file monitoring module is formed by a file monitoring control board and the file output module by a file output control board, both being circuit boards with integrated electronic components, connected in a wired or wireless manner. In other embodiments the file monitoring control module and the file output control module may be integrated on a single circuit board. The key of the present invention is therefore the data transmission mode between the file monitoring module and the file output module, and it is not limited to how the electronic components forming the respective modules are combined in space or physically connected.
FIG. 1 shows an application scenario of an embodiment of the external terminal protection device based on a unidirectional file transfer protocol of the present invention.
As shown in FIG. 1, the external terminal protection device based on the unidirectional file transfer protocol is provided with internal interfaces corresponding to the interface types of the protected device/host, and with external interfaces of the corresponding types; each internal interface is used to connect to the protected device/host, and each external interface is used to connect external devices that need to exchange data with the protected device/host. The external terminal protection device is externally connected to the protected device/host: each interface on the protected device/host to be protected (such as USB ports UC1 and UC2, COM port CC0 and network port EC0) is connected through a connecting line of the corresponding type to an internal interface of the corresponding type; for example, interfaces UC1 and UC2 of the protected device/host are connected to internal USB ports UA4 and UA3 of the external terminal protection device respectively, serial port CC0 is connected to internal serial port CA2, and network port EC0 is connected to internal network port EA2. All external devices (USB flash disk, CD-ROM, serial port connection device, etc.) are connected to external interfaces on the external terminal protection device and perform data communication with the protected device/host through the external terminal protection device; for example, an external USB flash disk is accessed through external interface UA1 of the external terminal protection device, a USB CD-ROM through external interface UA2, and a serial port connection device through external interface CA1.
External devices such as the USB flash disk, USB CD-ROM and serial port connection device that need to communicate with the protected host cannot be connected to it directly, and must relay their communication through the corresponding external interfaces of the external terminal protection device.
FIG. 2 is a schematic diagram of the internal configuration of the external terminal protection device based on a unidirectional file transfer protocol according to the above embodiment of the present invention. The device comprises a file monitoring module 10 and a file output module 11. The file monitoring module 10 establishes a connection with the file output module 11 through the unidirectional file transfer protocol, over a connecting line (such as a bus) or a wireless link such as WiFi or 4G.
The file monitoring module 10 provides external interfaces 100 for accessing a plurality of external devices, stores the data to be stored transmitted by the external devices through the external interfaces 100, and transmits the data to be stored to the file output module 11 through the unidirectional file transfer protocol; the file output module 11 provides a plurality of internal interfaces 110 connected to the corresponding interfaces of the protected host, and outputs the data to be stored, transmitted by the file monitoring module 10, to the protected host through the internal interfaces 110 according to a user instruction. The unidirectional file transfer protocol means that only the file monitoring module 10 can transfer encrypted data to be stored to the file output module 11, and the file monitoring module 10 cannot transfer data to any device other than the file output module 11. Through the unidirectional file transfer protocol the invention ensures that an external device can only transmit encrypted data to the protected host, limits the authority of the external device to obtain data from the protected host while ensuring the security of data transmission, greatly reduces the security risk of the system, and comprehensively addresses the potential security hazards that each interface may present.
In a specific embodiment, data is transferred between the file monitoring module 10 and the file output module 11 via the unidirectional file transfer protocol as follows. The file monitoring module 10 and the file output module 11 are each set to correspond to a blockchain node; after the data to be stored from the external device has been stored in the file monitoring module 10, the description information of the data to be stored is recorded in the blockchain public ledger, and the data to be stored is transmitted between the file monitoring module 10 and the file output module 11 through a P2P link.
Specifically, in the process of storing the data to be stored, the file monitoring module 10, acting as a blockchain node, first calculates the hash value of the data to be stored and writes the data to be stored into its own memory, and at the same time constructs a blockchain transaction of the data storage type, i.e. a data storage transaction. The data storage transaction is then broadcast and, after consensus, written into the blockchain public ledger. The data storage transaction comprises the description information of the data to be stored and a transaction signature; the description information comprises the data file name, the data hash value, a custom file description, a list of storable nodes, a list of downloadable users and a list of file storage locations, where the list of file storage locations is the list of target storage nodes for this data to be stored.
Data transmission between the two blockchain nodes (the file monitoring module 10 and the file output module 11) takes place over a P2P link. Specifically, the file monitoring module 10 sends a transmission handshake request to the file output module 11; the transmission handshake request includes the data storage transaction and the segmentation scheme of the file transmission.
After receiving the transmission handshake request, the file output module 11 verifies the data storage transaction, which includes verifying the validity of the description information and the correctness of the transaction signature. Verifying the validity of the description information specifically means recalculating the hash value of the data to be stored and comparing it with the hash value in the data storage transaction: if they are consistent, the data transmission is considered legal; otherwise the data transmission is illegal and fails. If the data storage transaction passes verification, the handshake succeeds and the file output module 11 sends a reply agreeing to the handshake to the file monitoring module 10; if the data storage transaction fails verification, a reply refusing the handshake is sent to the file monitoring module 10. If the file monitoring module 10 receives a reply agreeing to the handshake, it transmits the data to be stored to the file output module 11 according to the segmented transmission scheme; if it receives a reply refusing the handshake, the data transmission is aborted.
The file monitoring module 10 sends the subfiles of the data to be stored one by one according to the segmented transmission scheme; the segmentation scheme comprises the size of the data, the number of subfiles the data is divided into, and the size and number of each subfile. The file output module 11 stores the received subfiles one by one and maintains an array holding the numbers of the received subfiles, recording the number in the array as each subfile arrives. Because subfiles may be lost in transit for network reasons, the file output module 11 traverses the array when it receives the last subfile or when the transfer times out; if a number is missing from the array, indicating that that subfile was not received, the missing subfile number is sent to the file monitoring module 10, which resends the corresponding subfile, until the file output module 11 has collected all the subfiles. A timeout means that the last subfile has not been received when the preset transmission time is reached; if timeouts or missing subfiles occur more than three times, the transmission fails. The transmission time is a configuration item in the node configuration file.
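The handshake, the segmented transfer and the missing-number retransmission loop described in the last four paragraphs form one protocol, modelled below in Python as an added example that is not code from the patent or its assignee. Assumptions: the node and function names are hypothetical; an HMAC over the canonical JSON of the description information stands in for the unspecified transaction signature; the P2P link is a constructed in-process channel that drops chosen subfile numbers per round, which plays the role of both loss and timeout; and, because the receiving node has no bytes to hash at handshake time, this model checks the signature during the handshake and recomputes the hash against the transaction once all subfiles are assembled (a design choice of this example). The retry budget follows the text: a fourth round with missing subfiles fails the transfer.

```python
import hashlib
import hmac
import json

MAX_RETRY_ROUNDS = 3                        # more than three timeout/missing rounds fails the transfer
SIGN_KEY = b"hypothetical-node-signing-key"  # stand-in for the real transaction signing key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_description(desc: dict) -> str:
    """Transaction signature stand-in: HMAC over the canonical JSON of the description."""
    canon = json.dumps(desc, sort_keys=True).encode()
    return hmac.new(SIGN_KEY, canon, hashlib.sha256).hexdigest()


def build_storage_transaction(file_name, data, description, storable_nodes,
                              downloadable_users, storage_locations) -> dict:
    """The data storage transaction: the description fields listed in the text plus a signature."""
    desc = {"file_name": file_name, "hash": sha256_hex(data), "description": description,
            "storable_nodes": list(storable_nodes), "downloadable_users": list(downloadable_users),
            "storage_locations": list(storage_locations)}
    return {"description": desc, "signature": sign_description(desc)}


def segmentation_scheme(data: bytes, subfile_size: int) -> dict:
    """Data size, number of subfiles, and the size of each numbered subfile."""
    count = -(-len(data) // subfile_size)   # ceiling division
    sizes = [min(subfile_size, len(data) - i * subfile_size) for i in range(count)]
    return {"data_size": len(data), "subfile_count": count, "subfile_sizes": sizes}


class FileOutputNode:
    """Receiving node: verifies the transaction, stores subfiles, keeps the received-number array."""

    def __init__(self):
        self.tx, self.scheme, self.received = None, None, {}

    def on_handshake(self, tx: dict, scheme: dict) -> bool:
        if not hmac.compare_digest(sign_description(tx["description"]), tx["signature"]):
            return False                     # reply: refuse handshake
        self.tx, self.scheme, self.received = tx, scheme, {}
        return True                          # reply: agree to handshake

    def on_subfile(self, number: int, chunk: bytes) -> None:
        self.received[number] = chunk        # record the number in the array

    def missing_numbers(self) -> list:
        """Traverse the array (on last subfile or timeout) and report gaps."""
        return [i for i in range(self.scheme["subfile_count"]) if i not in self.received]

    def assemble(self):
        """Join the subfiles and recompute the hash against the transaction; None on mismatch."""
        if self.missing_numbers():
            return None
        data = b"".join(self.received[i] for i in range(self.scheme["subfile_count"]))
        return data if sha256_hex(data) == self.tx["description"]["hash"] else None


class FileMonitoringNode:
    """Sending node: handshake, then segmented send with up to three retransmission rounds."""

    def transfer(self, peer: FileOutputNode, file_name: str, data: bytes,
                 subfile_size: int, channel):
        tx = build_storage_transaction(file_name, data, "constructed sample file",
                                       ["file-output-node"], ["operator"], ["file-output-node"])
        scheme = segmentation_scheme(data, subfile_size)
        if not peer.on_handshake(tx, scheme):
            return None                      # refusal: abort before any subfile is sent
        subfiles = [data[i * subfile_size:(i + 1) * subfile_size]
                    for i in range(scheme["subfile_count"])]
        pending = list(range(len(subfiles)))
        rounds = 0
        while True:
            for number in pending:
                channel(peer, rounds, number, subfiles[number])
            pending = peer.missing_numbers()  # the peer reports which numbers it lacks
            if not pending:
                return peer.assemble()
            rounds += 1
            if rounds > MAX_RETRY_ROUNDS:
                return None                  # fourth round still incomplete: transfer fails


def lossy_channel(drop_schedule):
    """Constructed P2P link: drops the subfile numbers listed for each round index."""
    def deliver(peer, round_no, number, chunk):
        if round_no < len(drop_schedule) and number in drop_schedule[round_no]:
            return                           # lost in transit
        peer.on_subfile(number, chunk)
    return deliver


if __name__ == "__main__":
    payload = b"constructed sample payload"
    ok = FileMonitoringNode().transfer(FileOutputNode(), "f.bin", payload, 8,
                                       lossy_channel([{1, 3}, set()]))
    print(ok == payload)
```

The channel takes the round index so that loss can be scripted per round; in a real deployment the same loop would be driven by the preset transmission time from the node configuration file rather than by a scripted drop list.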
According to another embodiment of the present invention, when an external device accesses the external interface 100, the file monitoring module 10 performs security authentication of the external device accessed through the external interface 100 according to a first preset security policy. If the external device does not pass the security authentication, it is set as an unlicensed access device and the physical line between the external device and the protected host is kept disconnected; and/or if the external device passes the security authentication, it is confirmed as a licensed access device and the physical line between the external device and the protected host is connected. Therefore, the invention can realize physically isolated security authentication of the external device and improve the security performance of the protection system. Further, after the external device passes the security authentication, the file monitoring module 10 performs security detection on the data to be stored transmitted by the external device accessed through the external interface 100 according to a second preset security policy. After the data to be stored passes the security detection, it is stored and transmitted to the file output module 11 through the unidirectional file transmission protocol.
Fig. 3 is a schematic diagram of a specific structure of an external terminal protection device based on a unidirectional file transfer protocol according to the present invention. Wherein:
the file monitoring module 10 includes a data detection module 101, a data storage module 102, a security file service module 103 and a main control module 104.
The data detection module 101 performs security authentication of the external device accessed through the external interface 100 according to a first preset security policy and obtains a first detection result; it performs security detection on the data to be stored transmitted by the external device accessed through the external interface 100 according to a second preset security policy and obtains a second detection result;
In this embodiment, the security functions implemented by the external terminal protection device include, but are not limited to, the authority settings and security policy settings configured in advance by an administrator on the external terminal protection device; the first preset security policy or the second preset security policy includes, but is not limited to: enabling data import (e.g., via the USB interface), enabling data export (e.g., via the USB interface), USB access device restrictions (e.g., based on the USB device's Vendor ID, i.e., vendor identification code, and/or Product ID, i.e., product identification code), data import disinfection policies, data export black and white list control policies, data export format control policies, enabling serial access policies, USB interface insertion protection, enabling network communication auditing, enabling firewall functionality, setting serial command black and white lists, etc.
In a preferred embodiment, the first preset security policy or the second preset security policy includes: after the administrator sets each security policy, the related security policies are executed one by one by the external terminal protection device.
In a preferred embodiment, the first preset security policy or the second preset security policy includes: the administrator also controls whether the external terminal protection device enters a monitoring protection mode, and the mode monitors the connection between the external terminal protection device and the protected host computer and alarms under abnormal conditions.
In a preferred embodiment, the first preset security policy or the second preset security policy includes: when abnormal alarms or interface access events need to be recorded for later inquiry by the administrator, the internal memory is further used to record the alarm information or the interface access log information.
The data storage module 102 stores the data to be stored in the accessed external device according to the storage instruction of the main control module 104; the internal memory of the data storage module 102, as the memory of the protection device, may specifically be a hardware memory D. The storage instruction is an instruction that the main control module 104 sends, after determining that the external device passes the security authentication and that the data transmitted by the external device passes the security detection, to execute the storage of the data to be stored in the external device. The data to be stored is the data that is determined, according to a user operation or a preset storage policy, to need to be transmitted from the external device to the protected host. The user operation may be a user's selection of data. The preset storage policy may be a preset policy for storing data from certain storage addresses of the external device. For example, the preset storage policy may be to store the data in storage area A of the external device, in which case the user needs to place the data in storage area A of the external device before transmitting it from the external device to the protected host through the external terminal protection device of the present invention.
The data storage module 102 may further store a first preset security policy and a second preset security policy; the data detection module 101 carries out security authentication on external devices accessed by different types of external interfaces 100 by reading a first preset security policy stored in the data storage module 102; and performing security detection on the data to be stored transmitted by the external devices accessed by the different types of external interfaces 100 by reading the second preset security policy stored in the data storage module 102.
The secure file service module 103 performs unidirectional file transmission management on the data to be stored in the data storage module 102; that is, the data to be stored is encrypted, and the encrypted data to be stored is controlled to be transmitted only by the file monitoring module 10 to the file output module 11, and the file monitoring module 10 is controlled not to transmit the data to any device other than the file output module 11.
The main control module 104 controls data transmission with the external device according to the first detection result of the data detection module 101: if the external device does not pass the security authentication, the main control module 104 sets the external device as an unlicensed access device and keeps the physical line between the external device and the external interface 100 disconnected; and/or if the external device passes the security authentication, the main control module 104 confirms that the external device is a licensed access device and connects the physical line between the external device and the external interface 100.
In one embodiment, as shown in fig. 4, the security file service module 103 includes:
the extraction module is used for extracting the index information of the data to be stored, wherein the index information is an indexed sequential file composed from the data files; the index information records the keys of the data to be stored and the addresses of the corresponding records on disk.
The encryption module is used for encrypting the index information and the data to be stored separately according to a preset encryption protocol; in the present invention, the encryption protocol includes an encryption algorithm and a key, and the encryption module encrypts the index information and the data to be stored using that encryption algorithm and key.
The transmission module is used for transmitting the encrypted index information or the encrypted data to be stored to the file output module 11.
Correspondingly, the file output module 11 includes:
the first decryption module decrypts the encrypted index information according to the encryption protocol and transmits the decrypted index information to the protected host through an internal interface;
the file transmission module is used for receiving a file acquisition request sent by the protected host and acquiring the corresponding encrypted data to be stored from the transmission module according to the file acquisition request;
the second decryption module is used for decrypting the encrypted data to be stored according to the encryption protocol and transmitting the decrypted data to be stored to the protected host through an internal interface.
Further, the file monitoring module 10 further includes a forwarding interface, configured to forward the data traffic of the external interface 100 to the data storage module. As shown in fig. 5, the in-pair USB interfaces UA3 and UA4 of the file output module 11 are connected to the USB port of the protected host, the forwarding interfaces UB1 and UB2 of the file monitoring module 10 are each connected to the in-pair USB interface UB3 for transferring data, the external USB interfaces UA1 and UA2 receive the USB disk or mobile storage medium of the external device to be connected, and the CTRL port serves as the bus interface connecting to the file output control board. The main control module 104 further comprises hardware control logic, which switches the physical lines between each external interface and the external device on and off. If the external device fails the security authentication, the hardware control logic in the main control module 104 keeps the physical line between the external interface accessed by the external device and the forwarding interface disconnected, so as to filter and block data transmission after the external device is accessed; if the external device passes the security authentication, the hardware control logic in the main control module 104 connects the physical line between the external interface accessed by the external device and the forwarding interface.
The main control module 104 also controls the storage of the data to be stored according to the second detection result of the data detection module 101. If the data to be stored transmitted by the external device does not pass the security detection, the main control module 104 cuts off the transmission of the data to be stored to the data storage module, and the hardware control logic in the main control module 104 keeps the physical line between the external interface accessed by the external device and the forwarding interface disconnected, so as to filter and block data transmission after the external device is accessed; if the data to be stored transmitted by the external device passes the security detection, the main control module 104 sends a storage instruction to the data storage module.
As shown in fig. 5, when data in the USB disk of the external device needs to be imported to the protected host, the main control module 104 controls the hardware control logic to connect the physical line between UA1 and UB1 and copies Data1 from the USB disk into the buffer of the file monitoring control board; during this time the hardware control logic keeps the physical line between the forwarding interface UB1 (connected to the system control board) and UB3 (connected to the internal USB storage) disconnected, and keeps the physical line between the internal USB interface UA3 (connected to the protected host) and UB3 disconnected.
The hardware control logic then opens the switch of the physical line between UA1 and UB1, closes the physical line between UB1 and UB3, and stores the data transmitted by UB1 into the internal USB memory through the UB3 interface, while the data detection module 101 performs security detection on Data1 in the buffer; in this way the data detection module 101 performs security detection, such as virus scanning, on the USB memory inserted at UA1 while the protected host remains isolated. After Data1 passes the security detection, the main control module 104 controls the copying of Data1 to the data storage module 102 for storage, and the hardware control logic keeps the physical connections between UA1 and UB1 and between UA2 and UB2 in the disconnected state. The secure file service module 103 transmits the stored data to the file output module 11 through the unidirectional transport protocol. Then, the file output module 11 sends the requested data to be stored to the protected host according to the file acquisition request sent by the protected host.
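The fig. 5 switching sequence, as an added example that is not the patent's own code: the hardware control logic is modelled as a set of switchable physical lines named on the page, and every switch operation is checked against the isolation property the procedure relies on, namely that an external USB interface (UA1/UA2) is never bridged to the internal USB memory (UB3) or to the host-side interfaces (UA3/UA4). That invariant, the `scanner` callback standing in for the data detection module, and the sample data are this example's assumptions.

```python
from collections import deque

# Constructed model of the hardware control logic of fig. 5. Interface names
# follow the page; the isolation invariant, the scanner callback and the
# sample data are assumptions of this example, not taken from the patent.

EXTERNAL = {"UA1", "UA2"}                  # external USB interfaces
PROTECTED = {"UB3", "UA3", "UA4"}          # internal USB memory and host-side interfaces
LINKS = {("UA1", "UB1"), ("UA2", "UB2"), ("UB1", "UB3"), ("UA3", "UB3")}


class IsolationViolation(Exception):
    """Raised when a switch operation would bridge an external interface
    to the internal memory or to the protected host side."""


class SwitchMatrix:
    def __init__(self):
        self.closed = set()                # physical lines currently connected

    def _key(self, a, b):
        k = (a, b) if (a, b) in LINKS else (b, a)
        if k not in LINKS:
            raise ValueError(f"no switchable line {a}-{b}")
        return k

    def reachable(self, start):
        """Interfaces reachable from `start` over closed lines (BFS)."""
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for a, b in self.closed:
                for x, y in ((a, b), (b, a)):
                    if x == node and y not in seen:
                        seen.add(y)
                        queue.append(y)
        return seen

    def isolated(self):
        return all(self.reachable(e).isdisjoint(PROTECTED) for e in EXTERNAL)

    def connect(self, a, b):
        """Close a line, refusing (and rolling back) if isolation would break."""
        k = self._key(a, b)
        self.closed.add(k)
        if not self.isolated():
            self.closed.discard(k)
            raise IsolationViolation(f"closing {a}-{b} would bridge external and protected side")

    def disconnect(self, a, b):
        self.closed.discard(self._key(a, b))


def import_from_usb(matrix, data1, scanner):
    """Run the import sequence of fig. 5. `scanner(data) -> bool` stands in for
    the data detection module. Returns (stored_data_or_None, trace), where the
    trace records the closed lines after each step."""
    trace = []
    # Step 1: close UA1-UB1 and copy Data1 from the USB disk into the control-board
    # buffer; UB1-UB3 and UA3-UB3 stay open, so the disk reaches neither memory nor host.
    matrix.connect("UA1", "UB1")
    buffer = bytes(data1)
    trace.append(("buffered", sorted(matrix.closed)))
    # Step 2: open UA1-UB1 first, then close UB1-UB3 and stage the buffered data in
    # the internal USB memory while the detection module scans the buffer.
    matrix.disconnect("UA1", "UB1")
    matrix.connect("UB1", "UB3")
    internal_memory = buffer
    clean = scanner(buffer)
    trace.append(("scanned", sorted(matrix.closed)))
    # Step 3: only clean data goes on to the data storage module; the external
    # lines UA1-UB1 and UA2-UB2 are left disconnected.
    matrix.disconnect("UA1", "UB1")
    matrix.disconnect("UA2", "UB2")
    trace.append(("stored" if clean else "rejected", sorted(matrix.closed)))
    return (internal_memory if clean else None), trace
```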
Fig. 6 is a network deployment embodiment of the protection system based on the unidirectional file transfer protocol of the present invention. The protection system includes one or more external devices; a protected host; and an external terminal protection device based on the unidirectional file transfer protocol, externally connected to the protected host, so that the one or more external devices communicate with the protected host through the interfaces of the external terminal protection device. The external terminal protection device based on the unidirectional file transfer protocol has been described above and is not described again here.
Further, the protection system further comprises a control center for remotely controlling the external terminal protection device; the control center is composed of nodes such as a server and a management workstation, and is connected to the network port EA1 of the external terminal protection device through a network switching node.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functionality of some or all of the means for photograph entry of text, the computing device, and the computer-readable storage medium according to embodiments of the present invention may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present invention can also be implemented as an apparatus or device program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present invention may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.

Claims (9)

1. An external terminal protection device based on a unidirectional file transfer protocol, the device comprising:
the file monitoring module is used for providing at least one external interface to access at least one external device, storing data to be stored in the accessed external device and transmitting the data to be stored to the file output module through a unidirectional file transmission protocol;
the file output module is used for providing at least one internal interface to be connected with the protected host computer, and outputting the data to be stored to the protected host computer through the at least one internal interface according to a user instruction;
the file monitoring module and the file output module respectively correspond to a block chain node, after the data to be stored in the external equipment is stored in the file monitoring module, the description information of the data to be stored is recorded in a block chain public account book, and the data to be stored is transmitted between the file monitoring module and the file output module through a P2P link;
the unidirectional file transfer protocol means that only the file monitoring module can transfer encrypted data to be stored to the file output module, and the file monitoring module cannot transfer data to any device except the file output module.
2. The device of claim 1, wherein the file monitoring module is further configured to detect security authentication of an external device accessed through the external interface according to a first preset security policy.
3. The device of claim 2, wherein the file monitoring module is further configured to perform security detection on data to be stored transmitted by an external device accessed through the external interface according to a second preset security policy.
4. The apparatus of claim 3, wherein the file monitoring module comprises:
the data detection module is used for detecting the security authentication of the external equipment accessed through the external interface according to a first preset security policy to obtain a first detection result; the security detection is carried out on the data to be stored, which are transmitted by the external equipment accessed through the external interface, according to a second preset security policy, and a second detection result is obtained;
the data storage module is used for storing data to be stored in the accessed external equipment according to the storage instruction of the main control module;
the security file service module is used for carrying out unidirectional file transmission management on the data to be stored in the data storage module;
the main control module is used for controlling data transmission with the external equipment according to the first detection result of the data detection module and controlling storage of the data to be stored according to the second detection result of the data detection module.
5. The apparatus of claim 4, wherein the secure file service module comprises:
the extraction module is used for extracting the index information of the data to be stored;
the encryption module is used for respectively carrying out encryption processing on the index information and the data to be stored according to a preset encryption protocol;
and the transmission module is used for transmitting the encrypted index information or the encrypted data to be stored to the file output module.
6. The apparatus of claim 5, wherein the file output module comprises:
the first decryption module is used for decrypting the encrypted index information according to the encryption protocol and transmitting the decrypted index information to a protected host through an internal interface;
the file transmission module is used for receiving a file acquisition request sent by the protected host and acquiring corresponding encrypted data to be stored from the transmission module according to the file acquisition request;
and the second decryption module is used for decrypting the encrypted data to be stored according to the encryption protocol and transmitting the decrypted data to be stored to a protected host through an internal interface.
7. The device of claim 4, wherein if the external device fails the security authentication, the master control module sets the external device to be an unlicensed access device, and maintains a physical disconnection state of a line between the external device and the external interface; and/or
And if the external equipment passes the security authentication, the main control module confirms that the external equipment is the permission access equipment, and the physical connection of the circuit between the external equipment and the external interface is connected.
8. The device of claim 4, wherein if the data to be stored transmitted by the external device does not pass the security detection, the master control module disconnects transmission of the data to be stored to the data storage module;
and if the data to be stored transmitted by the external equipment passes the security detection, the main control module sends a storage instruction to the data storage module.
9. A protection system based on a unidirectional file transfer protocol, comprising:
one or more external devices, adapted to perform data interaction with the protected host through the external terminal protection device;
a protected host; and
the external terminal protection device based on a unidirectional file transfer protocol according to any one of claims 1 to 8,
wherein the external terminal protection device is externally connected to the protected host, so that the one or more external devices communicate with the protected host through the external terminal protection device.
CN202010736022.XA 2020-07-28 2020-07-28 External terminal protection equipment and system based on unidirectional file transfer protocol Active CN111901418B (en)
Publications (2)

Publication Number Publication Date
CN111901418A CN111901418A (en) 2020-11-06
CN111901418B true CN111901418B (en) 2023-06-30
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant