CN112104637A - Security gateway isolation method and method for sending extranet data to intranet - Google Patents


Info

Publication number
CN112104637A
Authority
CN
China
Prior art keywords
gateway
configuration file
isolation
security
data
Prior art date
Legal status
Pending
Application number
CN202010945545.5A
Other languages
Chinese (zh)
Inventor
王文海
孙优贤
魏强
谢辰承
嵇月强
张晓东
徐斌
汪洲
张稳稳
赵璐
Current Assignee
Hangzhou Uwntek Automation System Co ltd
Zhejiang University ZJU
Original Assignee
Hangzhou Uwntek Automation System Co ltd
Zhejiang University ZJU
Priority date
2020-09-10
Filing date
2020-09-10
Publication date
2020-12-18
Application filed by Hangzhou Uwntek Automation System Co ltd and Zhejiang University ZJU

Classifications

All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/02 ... for separating internal from external traffic, e.g. firewalls
            • H04L 63/0227 Filtering policies
                • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
        • H04L 63/08 ... for authentication of entities
            • H04L 63/083 ... using passwords
            • H04L 63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        • H04L 41/08 Configuration management of networks or network elements
            • H04L 41/0803 Configuration setting
                • H04L 41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
        • H04L 67/01 Protocols
            • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                • H04L 67/025 ... for remote control or remote monitoring of applications
            • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
            • H04L 67/10 Protocols in which an application is distributed across nodes in the network
                • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
        • H04L 67/14 Session management
        • H04L 67/2866 Architectures; Arrangements
            • H04L 67/30 Profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a security gateway isolation method and a method for sending extranet data to an intranet. The security gateway isolation method comprises the following steps: S11, establishing a connection between the user and the isolation gateway: logging in through a management program from a computer running a Linux operating system; S12, writing a configuration file: writing the configuration information the user requires; S13, importing into the gateway: importing the configuration file written in step S12 into the gateway; S14, judging whether the configuration file passes: if it passes within the preset time, rebooting so that the configuration file takes effect; if not, returning to step S12 and rewriting the configuration file. The invention achieves complete isolation of the gateway by writing the configuration file and importing it into the gateway; when extranet data is sent to the intranet, the gateway into which the configuration file has been imported lets only reliable extranet data through to the intranet, guaranteeing the security of data transmission in the industrial control system.

Description

Security gateway isolation method and method for sending extranet data to intranet
Technical Field
The invention relates to the field of functional safety and information security of industrial control devices and systems, and in particular to a security gateway isolation method and a method for sending extranet data to an intranet.
Background
Industrial control systems such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), process control systems (PCS) and programmable logic controllers (PLC) are widely used in industry, energy, transport, water conservancy, municipal administration and other fields to control the operation of production equipment. Once an industrial control system has an information-security weakness, it poses a serious hidden danger to industrial production and to national economic security. With the development of computer and network technology, and especially the deep integration of informatization and industrialization, industrial control products increasingly adopt general-purpose protocols, hardware and software and are connected in various ways to public networks such as MIS networks and the Internet, so threats such as viruses and trojans spread into industrial control systems and their security problems become ever more prominent. The Stuxnet ("earthquake net") virus incident of 2010 fully reflects the severity of the industrial control information security situation.
The industrial network security isolation gateway is a network isolation product that has emerged in recent years specifically for the industrial field. It adopts a "2+1" three-module architecture with a built-in dual-host system, in which an isolation unit establishes a secure channel over a bus so that data can be exchanged quickly and securely. Unlike a general-purpose gatekeeper (network gap) device, the industrial network security isolation gateway provides applications specific to protecting the control network: it offers only the common communication functions of the control network, such as OPC and Modbus, and does not provide general Internet functions.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides a security gateway isolation method and a method for sending extranet data to an intranet.
The technical solution adopted by the invention to solve the technical problem is as follows:
A security gateway isolation method comprises the following steps:
S11, establishing a connection between the user and the isolation gateway: logging in through a management program from a computer running a Linux operating system;
S12, writing a configuration file: writing the configuration information the user requires;
S13, importing into the gateway: importing the configuration file written in step S12 into the gateway;
S14, judging whether the configuration file passes: if it passes within the preset time, rebooting so that the configuration file takes effect; if not, returning to step S12 and rewriting the configuration file.
Further, when the user logs in in step S11, the login permissions comprise four kinds of account: authorized administrator, authorized user, authorized auditor and authorized security officer. The authorized administrator has at least the functions of configuring management port parameters, configuring logging system parameters and changing passwords; the authorized user mainly means an authorized control station or authorized operator station, between which isolated communication can take place; the authorized auditor has permission to inspect the logging system; the authorized security officer has the functions of configuring security policy, viewing security policy and backing up the security configuration. In the security gateway isolation method a different operating interface is shown for each account permission that logs in: an authorized administrator login can modify management port parameters, modify user passwords, upload security isolation configuration files and view logs; an authorized auditor login can view the system traffic log; an authorized security officer login can modify security parameters, upload configuration files, view the current security parameters, modify the password and synchronize configuration files.
Further, step S12 specifically comprises:
determining the configuration information the user requires;
writing the configuration file in XML document format;
and converting the written configuration file with a conversion tool and uploading the converted file to the gateway.
Further, in step S12 the root element (start flag) of the configuration file is iGateConf, under which one or more of the following configuration items are loaded: file header configuration, MAC address to IP address binding, IP whitelist, access frequency control, SNET protocol type filtering, service access control and cfg file generation.
Further, step S13 specifically comprises:
placing the configuration file to be uploaded in the current directory of the client and converting it to iGateWay.en format with the configuration file conversion and encryption program;
and, once the file's current directory is confirmed, executing the import of the file into the gateway.
The invention also discloses a method for sending extranet data to an intranet, which comprises at least the following information isolation steps:
S21, the extranet sends a data packet to a gateway isolated by the security gateway isolation method above;
S22, judging whether the five-tuple is in the whitelist: if yes, proceeding to the next step; if not, discarding the data packet;
S23, judging whether the application-layer protocol field satisfies the whitelist: if yes, the gateway forwards the data packet to the intranet; if not, the data packet is discarded.
Further, the range of network segments reachable from the intranet and the extranet is limited by an IP access control list, so that only network segments within the preset range can reach each other.
Further, in step S23 the gateway encrypts the data with a proprietary protocol and deconstructs and reassembles the extranet data packet before forwarding the data to the intranet.
Further, the five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol, where the source IP address is the source IP in the data packet received by the security isolation device; the destination IP address is the destination IP in that packet; the source port is its source port number; the destination port is its destination port number; and the transport-layer protocol number is the protocol type of the packet, such as TCP or UDP. The five-tuple distinguishes different sessions, and the session it identifies is unique.
Further, for users with different login permissions the gateway divides off different areas, and each user can access only the corresponding security domain; on top of this, access control by user identity is added. The three kinds of administrative user each carry an identity label: the authorized administrator is admin, the authorized security officer is security and the authorized auditor is editor, so that access control can be applied to each identity when it accesses the gateway.
The beneficial effects of the invention are as follows:
The invention achieves complete isolation of the gateway by writing the configuration file and importing it into the gateway; when extranet data is sent to the intranet, the gateway into which the configuration file has been imported lets only reliable extranet data through to the intranet, guaranteeing the security of data transmission in the industrial control system.
The invention also achieves physical isolation, electrical isolation and information isolation through the design of the security gateway. The security gateway module uses an internal cascaded power supply to isolate the power supply, isolates the signal lines by guaranteeing an isolation distance, and isolates the base port layout by guaranteeing the distance between the extranet interface and the intranet interface; the extranet input and the intranet output of the security gateway module each have an independent isolation transformer to achieve electrical isolation.
Drawings
Fig. 1 is a schematic diagram of a security gateway isolation method and a method for sending extranet data to an intranet according to an embodiment of the present invention.
Detailed Description
In order to facilitate a better understanding of the invention for those skilled in the art, the invention will be described in further detail with reference to the accompanying drawings and specific examples, which are given by way of illustration only and do not limit the scope of the invention.
Embodiment 1
As shown in Fig. 1, this embodiment provides a security gateway isolation method comprising the following steps:
S11, establishing a connection between the user and the isolation gateway: logging in through a management program from a computer running a Linux operating system.
When the user logs in, the login permissions comprise four kinds of account: authorized administrator, authorized user, authorized auditor and authorized security officer. The authorized administrator has at least the functions of configuring management port parameters, configuring logging system parameters and changing passwords; the authorized user mainly means an authorized control station or authorized operator station, between which isolated communication can take place; the authorized auditor has permission to inspect the logging system; the authorized security officer has the functions of configuring security policy, viewing security policy and backing up the security configuration.
In this embodiment, logging in through the management program means logging in as any one of an authorized administrator, an authorized auditor or an authorized security officer, and a different operating interface is shown for each account permission. An authorized administrator login can modify management port parameters, modify user passwords, upload a security isolation configuration file and view logs; an authorized auditor login can view the system traffic log; an authorized security officer login can modify security parameters, upload a configuration file, view the current security parameters, modify the password and synchronize the configuration file.
S12, writing a configuration file: writing the configuration information the user requires.
Specifically, the configuration information the user requires is determined, the configuration file is then written in XML document format, and the written file is converted with the conversion tool and uploaded to the gateway.
In this embodiment the root element (start flag) of the configuration file is iGateConf, under which one or more of the following configuration items are loaded: file header configuration, MAC address to IP address binding, IP whitelist, access frequency control, SNET protocol type filtering, service access control and cfg file generation.
File header: describes the overall configuration of the file and the configuration of the gateway's intranet side; its start tag is Header, and a format version (format vsn) and a Magic field (Magic) must both be given.
MAC address binding: binds the correspondence between a host's IP address and its MAC address to prevent ARP spoofing; if this item is not configured, the filtering rules do not take effect.
IP access control list: limits the range of network segments reachable from the intranet and the extranet; only segments in the rules, i.e. those in the IP whitelist, can reach each other. Its start tag is IPSegList, and each rule gives a start IP, an end IP and mask information.
Access frequency control: limits the maximum access rate of the corresponding network segment, counted per second. Its start tag is IPRateList, and each rule gives a start IP, an end IP, mask information and the access rate.
brdfead filtering: one kind of SNET protocol type filtering. It filters on the Type field of the brdfead structure at the beginning of the packet's application-layer data, which must lie between Min and Max (inclusive).
Service access control: its start tag is serviceList; it mainly restricts the server-side protocol (TCP/UDP), port number, client rules and application-layer rules.
Once the XML document has been filled in, the conversion script is run in the Linux environment to obtain the configuration file, i.e. the cfg file.
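The configuration format described above, as an added worked example in Python that is not code from the patent or from the assignees: it parses an iGateConf-style XML policy, runs the consistency checks that a step S14 "passes / does not pass" decision needs, and flattens the result into a line-oriented cfg. The section names iGateConf, Header, IPSegList, IPRateList and serviceList, the brdfead Min/Max range and the rule that filtering does not take effect without MAC/IP binding are taken from the text. Everything else is assumed for illustration and is not the vendor's real schema: the child element and attribute names (formatVsn, magic, MacBind/bind, rule, startIP, endIP, mask, rate, SnetFilter, service, proto, port, client), the constructed sample policy, and the cfg line layout. The encryption step that produces iGateWay.en is not described in the patent and is not shown.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample policy. The section names come from the patent text; the
# child element and attribute names are assumptions made for this example.
SAMPLE_XML = """<iGateConf>
  <Header formatVsn="1" magic="0x49474154"/>
  <MacBind><bind ip="192.168.10.5" mac="00:11:22:33:44:55"/></MacBind>
  <IPSegList><rule startIP="192.168.10.1" endIP="192.168.10.254" mask="255.255.255.0"/></IPSegList>
  <IPRateList><rule startIP="192.168.10.1" endIP="192.168.10.254" mask="255.255.255.0" rate="200"/></IPRateList>
  <SnetFilter><brdfead min="1" max="8"/></SnetFilter>
  <serviceList><service proto="TCP" port="502" client="192.168.10.0/24"/></serviceList>
</iGateConf>
"""

@dataclass
class IpRange:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    mask: ipaddress.IPv4Address
    rate: Optional[int] = None  # packets per second; IPRateList rules only
@dataclass
class Service:
    proto: str
    port: int
    client: ipaddress.IPv4Network
@dataclass
class Policy:
    format_vsn: str
    magic: str
    mac_bind: Dict[str, str] = field(default_factory=dict)  # ip -> mac
    ip_seg: List[IpRange] = field(default_factory=list)
    ip_rate: List[IpRange] = field(default_factory=list)
    snet_type: Optional[Tuple[int, int]] = None  # brdfead Type (Min, Max), inclusive
    services: List[Service] = field(default_factory=list)

def _range(el: ET.Element, with_rate: bool = False) -> IpRange:
    # building a network from the dotted mask rejects non-contiguous masks such as 255.0.255.0
    mask = ipaddress.IPv4Network(f"0.0.0.0/{el.get('mask')}").netmask
    return IpRange(ipaddress.IPv4Address(el.get("startIP")), ipaddress.IPv4Address(el.get("endIP")),
                   mask, int(el.get("rate")) if with_rate else None)

def load_policy(xml_text: str) -> Policy:
    root = ET.fromstring(xml_text)
    if root.tag != "iGateConf":
        raise ValueError(f"root element must be iGateConf, got {root.tag}")
    hdr = root.find("Header")
    if hdr is None or not hdr.get("formatVsn") or not hdr.get("magic"):
        raise ValueError("Header with formatVsn and magic is required")
    pol = Policy(hdr.get("formatVsn"), hdr.get("magic"))
    pol.mac_bind = {b.get("ip"): b.get("mac").lower() for b in root.iter("bind")}
    pol.ip_seg = [_range(r) for r in root.findall("IPSegList/rule")]
    pol.ip_rate = [_range(r, True) for r in root.findall("IPRateList/rule")]
    snet = root.find("SnetFilter/brdfead")
    if snet is not None:
        pol.snet_type = (int(snet.get("min")), int(snet.get("max")))
    pol.services = [Service(s.get("proto", "").upper(), int(s.get("port")),
                            ipaddress.IPv4Network(s.get("client")))
                    for s in root.findall("serviceList/service")]
    return pol

def validate(pol: Policy) -> List[str]:
    """Problems found in a parsed policy; an empty list means the file passes."""
    problems = []
    if not pol.mac_bind:  # the patent: without MAC/IP binding the filtering rules do not take effect
        problems.append("MacBind is empty: filtering rules will not take effect")
    for name, rules in (("IPSegList", pol.ip_seg), ("IPRateList", pol.ip_rate)):
        for r in rules:
            if r.start > r.end:
                problems.append(f"{name}: startIP {r.start} is after endIP {r.end}")
            if r.rate is not None and r.rate <= 0:
                problems.append(f"{name}: rate must be positive, got {r.rate}")
    if pol.snet_type and pol.snet_type[0] > pol.snet_type[1]:
        problems.append("SnetFilter: Min exceeds Max")
    for s in pol.services:
        if s.proto not in ("TCP", "UDP"):
            problems.append(f"serviceList: unsupported protocol {s.proto}")
        if not 0 < s.port < 65536:
            problems.append(f"serviceList: port {s.port} out of range")
    return problems

def check_file(xml_text: str) -> List[str]:
    """Step S14 in one call: a parse error or any rule problem means 'does not pass'."""
    try:
        return validate(load_policy(xml_text))
    except (ET.ParseError, ValueError) as exc:
        return [str(exc)]

def compile_cfg(pol: Policy) -> str:
    """Flatten the policy to a line-oriented cfg (this layout is assumed; the patent gives none)."""
    lines = [f"header vsn={pol.format_vsn} magic={pol.magic}"]
    lines += [f"macbind {ip} {mac}" for ip, mac in sorted(pol.mac_bind.items())]
    lines += [f"ipseg {r.start}-{r.end}/{r.mask}" for r in pol.ip_seg]
    lines += [f"iprate {r.start}-{r.end}/{r.mask} {r.rate}" for r in pol.ip_rate]
    if pol.snet_type:
        lines.append(f"snet brdfead {pol.snet_type[0]} {pol.snet_type[1]}")
    lines += [f"service {s.proto} {s.port} {s.client}" for s in pol.services]
    return "\n".join(lines) + "\n"
```

Running `check_file(SAMPLE_XML)` returns an empty list, so `compile_cfg(load_policy(SAMPLE_XML))` can be written out as the cfg; removing the bind element makes the check fail with the MAC-binding warning, and a non-contiguous mask or a zero rate fails in the same way. Checking the file on the management host before the import, rather than only after the gateway has rejected it, is what keeps the S12/S14 loop short.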
S13, importing the gateway: the configuration file written in step S12 is imported into the gateway.
Specifically, a configuration file to be uploaded is placed in a current directory of a client, and is converted into iGateWay.en through a configuration file conversion and encryption program; and when the current directory of the file is confirmed, executing the operation of importing the file into the gateway.
S14, judging whether the configuration file passes: if the configuration file passes the preset time, restarting the computer, and enabling the configuration file to take effect; if not, the process goes to step S12 to rewrite the configuration file.
On the basis of the security gateway isolation method, at least the following functions can be completed, specifically:
IP address access control function: an IP address filtering module, a basic communication module, a data ferrying module between network cards and a log counting module are needed to be used for detecting the IP of a data packet source, filtering IP addresses outside a white list and recording abnormal access to a database through the log counting module.
MAC address filtering module function: the MAC address filtering module, the basic communication module, the inter-network card data ferrying module and the log counting module are required to be used for realizing the filtering of MAC addresses outside a white list by MAC address detection in an ARP request and recording abnormal access to a database through the log counting module.
Access frequency control function: an access frequency control module, a basic communication module, a data ferrying module between network cards and a log counting module are required to be used for counting the access times of IP addresses in unit time to prevent DDOS attack, and abnormal access is recorded in a database through the log counting module.
Data packet tamper-proof function: a data packet compliance detection module, a basic communication module, a data ferrying module between network cards and a data packet reconstruction module are required to be used for carrying out compliance detection on a data packet passing through a gateway and reconstructing the data packet to prevent an attacker from forging the data packet to damage the data packet.
The management port and the client communication encryption function: the basic communication module, the inter-network card data ferry module and the communication encryption module are used for encrypting the transmitted data packet and decrypting the received data packet so as to realize the communication encryption function.
Embodiment 2
This embodiment provides a method for sending extranet data to an intranet that passes through at least information isolation. In this embodiment the security gateway isolation measures preferably include physical isolation and electrical isolation in addition to information isolation.
A security gateway isolation module is provided which draws on an internal cascaded power supply and an external distribution power supply that come from different power systems, achieving power supply isolation. In the layout of the security gateway base the signal lines are isolated from one another, with an isolation distance on the wiring guaranteed to be greater than 4 mm (the requirement being greater than 2 mm with an isolation withstand voltage above 2 kV), and isolation transformers are fitted inside the security gateway module so that the signal lines of the intranet and the extranet are isolated. The extranet interface of the base is a 1x2 RJ45 port and the intranet interface a 4x1 RJ45 port; the distance between the two is far greater than 12 mm (again satisfying the greater-than-2 mm, above-2 kV requirement), guaranteeing the isolation of the interface section. The extranet input and the intranet output of the security gateway module are each fitted with an independent isolation transformer with an isolation withstand voltage above 2 kV, guaranteeing the isolation between external and internal signals.
In this embodiment the information isolation comprises at least the following steps:
S21, the extranet sends a data packet to a gateway isolated by the security gateway isolation method described in Embodiment 1.
S22, judging whether the five-tuple is in the whitelist: if yes, proceed to the next step; if not, discard the data packet.
The five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol, where the source IP address is the source IP in the data packet received by the security isolation device; the destination IP address is the destination IP in that packet; the source port is its source port number; the destination port is its destination port number; and the transport-layer protocol number is the protocol type of the packet, such as TCP or UDP. The five-tuple distinguishes different sessions, and the session it identifies is unique.
S23, judging whether the application-layer protocol field satisfies the whitelist: if yes, the gateway forwards the data packet to the intranet, specifically by encrypting with a proprietary protocol and deconstructing and reassembling the extranet data packet; if not, the data packet is discarded.
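The decision sequence of steps S21 to S23, combined with the MAC/IP binding and access frequency checks listed under Embodiment 1, as an added example in Python (not the patent's or the vendor's code). The patent describes the five-tuple check as membership in a whitelist; this example generalizes it to rules over source and destination network ranges and leaves the ephemeral source port unpinned, places the MAC check first and the rate check between the five-tuple and application-layer checks, and keeps a list of abnormal-access records in place of the page's log statistics module. Those orderings and data shapes are choices made here, not details given in the text, and the sample traffic (an extranet host speaking Modbus/TCP on port 502 to an intranet device) is constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # transport-layer protocol, "TCP" or "UDP"
    app_type: int   # Type field of the brdfead structure at the start of the application-layer data
    ts: float       # arrival time in seconds

@dataclass(frozen=True)
class Rule:
    """One whitelist entry: source range, destination range, protocol and destination port."""
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: str
    dst_port: int   # the source port is ephemeral, so it is not pinned

    def matches(self, p: Packet) -> bool:
        return (ipaddress.IPv4Address(p.src_ip) in self.src_net
                and ipaddress.IPv4Address(p.dst_ip) in self.dst_net
                and p.proto == self.proto and p.dst_port == self.dst_port)

class IsolationGateway:
    def __init__(self, mac_bind: Dict[str, str], rules: List[Rule],
                 type_range: Tuple[int, int], max_rate: int):
        self.mac_bind = {ip: mac.lower() for ip, mac in mac_bind.items()}  # ip -> expected MAC
        self.rules = rules
        self.type_min, self.type_max = type_range      # SNET Type whitelist, inclusive
        self.max_rate = max_rate                       # packets per source IP per second
        self._counts = defaultdict(int)                # (src_ip, whole second) -> packets seen
        self.log: List[Tuple[str, str]] = []           # abnormal-access records

    def _drop(self, p: Packet, reason: str) -> Tuple[str, str]:
        self.log.append((p.src_ip, reason))
        return "drop", reason

    def handle(self, p: Packet) -> Tuple[str, str]:
        # MAC/IP binding: a bound IP arriving from another MAC is treated as ARP spoofing
        bound = self.mac_bind.get(p.src_ip)
        if bound is not None and bound != p.src_mac.lower():
            return self._drop(p, "mac/ip binding mismatch")
        # S22: the five-tuple must be covered by a whitelist rule
        if not any(r.matches(p) for r in self.rules):
            return self._drop(p, "five-tuple not in whitelist")
        # access frequency control: count per source within each one-second interval
        key = (p.src_ip, int(p.ts))
        self._counts[key] += 1
        if self._counts[key] > self.max_rate:
            return self._drop(p, "access frequency exceeded")
        # S23: the application-layer Type field must lie within [Min, Max]
        if not self.type_min <= p.app_type <= self.type_max:
            return self._drop(p, "application-layer type outside whitelist")
        return "forward", "ok"

def run_sample() -> List[Tuple[str, str]]:
    """Constructed traffic: extranet host 10.0.0.5 speaking Modbus/TCP to intranet 192.168.10.20."""
    gw = IsolationGateway(
        mac_bind={"10.0.0.5": "aa:bb:cc:00:00:05"},
        rules=[Rule(ipaddress.IPv4Network("10.0.0.0/24"),
                    ipaddress.IPv4Network("192.168.10.0/24"), "TCP", 502)],
        type_range=(1, 8), max_rate=3)

    def modbus(src_port: int, ts: float, mac: str = "aa:bb:cc:00:00:05",
               dst_port: int = 502, app_type: int = 3) -> Packet:
        return Packet(mac, "10.0.0.5", src_port, "192.168.10.20", dst_port, "TCP", app_type, ts)

    flow = [
        modbus(40000, 0.1),                            # forward
        modbus(40001, 0.2, dst_port=22),               # SSH is not whitelisted
        modbus(40002, 0.3, mac="de:ad:be:ef:00:01"),   # right IP, wrong MAC: spoofed
        modbus(40003, 0.4, app_type=9),                # Type 9 is outside [1, 8]
        modbus(40004, 1.0), modbus(40005, 1.1), modbus(40006, 1.2),
        modbus(40007, 1.3),                            # fourth packet in the same second: over max_rate
    ]
    return [gw.handle(p) for p in flow]

if __name__ == "__main__":
    for verdict, reason in run_sample():
        print(verdict, reason)
```

Each drop records the source IP and the reason, which is the data the page's abnormal-access log needs; note that a packet rejected at the application-layer check has already consumed part of its source's per-second budget, so a flood of malformed Type values is throttled as well as filtered.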
In this embodiment, for users with different login permissions the gateway divides off different areas, and each user can access only the corresponding security domain; on top of this, access control by user identity is added. The three kinds of administrative user each carry an identity label: the authorized administrator is admin, the authorized security officer is security and the authorized auditor is editor, so that access control can be applied to each identity when it accesses the gateway.
The foregoing merely illustrates the principles and preferred embodiments of the invention and many variations and modifications may be made by those skilled in the art in light of the foregoing description, which are within the scope of the invention.

Claims (10)

1. A security gateway isolation method, characterized by comprising the following steps:
S11, establishing a connection between the user and the isolation gateway: logging in through a management program from a computer running a Linux operating system;
S12, writing a configuration file: writing the configuration information the user requires;
S13, importing into the gateway: importing the configuration file written in step S12 into the gateway;
S14, judging whether the configuration file passes: if it passes within the preset time, rebooting so that the configuration file takes effect; if not, returning to step S12 and rewriting the configuration file.
2. The security gateway isolation method of claim 1, wherein the user login in step S11 comprises four kinds of account login permission: authorized administrator, authorized user, authorized auditor and authorized security officer.
3. The security gateway isolation method of claim 1, wherein step S12 specifically comprises:
determining the configuration information the user requires;
writing the configuration file in XML document format;
and converting the written configuration file with a conversion tool and uploading the converted file to the gateway.
4. The security gateway isolation method of claim 1, wherein in step S12 the start flag of the configuration file is iGateConf, under which one or more of the following configuration items are loaded: file header configuration, MAC address to IP address binding, IP whitelist, access frequency control, SNET protocol type filtering, service access control and cfg file generation.
5. The security gateway isolation method of claim 1, wherein step S13 specifically comprises:
placing the configuration file to be uploaded in the current directory of the client and converting it to iGateWay.en format with the configuration file conversion and encryption program;
and, once the file's current directory is confirmed, executing the import of the file into the gateway.
6. A method for sending data of an external network to an internal network is characterized by at least comprising the following steps of information isolation:
s21, the external network sends a data packet to the gateway isolated by the security gateway isolation method of any claim 1 to 5;
s22, judging whether the quintuple is in the white list: if yes, jumping to the next step; if not, discarding the data packet;
s23, judging whether the application layer protocol field meets a white list: if yes, the gateway forwards the data packet to the intranet; if not, the data packet is discarded.
7. The method for sending extranet data to an intranet according to claim 6, wherein the range of mutually accessible intranet and extranet network segments is restricted by an IP access control list, so that network segments within the preset range can access each other.
8. The method according to claim 6, wherein in step S23 the gateway forwards the data to the intranet by encrypting it according to a proprietary protocol and by deconstructing and reassembling the extranet data packet.
9. The method according to claim 6, wherein the five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol; the five-tuple distinguishes different sessions, and each five-tuple corresponds to a unique session.
10. The method for sending extranet data to an intranet according to claim 6, wherein the gateway partitions different regions for users with different login permissions, and each user can access only the corresponding security domain.
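The two-stage decision of claim 6 (S22 five-tuple white list, then S23 application-layer protocol white list), with white-list entries expressed as network segments as claim 7 describes, can be modelled as follows. This is an added illustration, not code from the patent or from the assignees' product: the `Packet`, `WhitelistRule` and `IsolationGateway` names, the `"*"` port wildcard, the CIDR form of the rules, the constructed policy and packets, and the assumption that the application-layer protocol field has already been parsed into a label (`app_proto`) are all choices made here. The proprietary encryption and packet reassembly of claim 8 are not modelled.

```python
"""Two-stage white-list filter modelled on claim 6 of CN112104637A (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

# A concrete port, or "*" for any port (wildcard is an assumption, not in the claims).
Port = Union[int, str]


@dataclass(frozen=True)
class Packet:
    """A constructed extranet packet as the gateway sees it in step S21."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # transport-layer protocol, e.g. "tcp"
    app_proto: str  # application-layer protocol field, assumed already parsed

    def five_tuple(self) -> Tuple[str, int, str, int, str]:
        # Claim 9: the five-tuple identifies exactly one session.
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


@dataclass(frozen=True)
class WhitelistRule:
    """One five-tuple white-list entry. IPs are network segments (claim 7),
    so one rule covers a whole segment; ports may be "*" (assumed)."""
    src_net: str
    src_port: Port
    dst_net: str
    dst_port: Port
    proto: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src_ip) in ip_network(self.src_net)
                and ip_address(pkt.dst_ip) in ip_network(self.dst_net)
                and self.src_port in ("*", pkt.src_port)
                and self.dst_port in ("*", pkt.dst_port)
                and self.proto == pkt.proto)


class IsolationGateway:
    """Claim 6 decision logic: S22 five-tuple white list, then S23
    application-layer protocol white list; everything else is discarded."""

    def __init__(self, rules: List[WhitelistRule], app_protos: List[str]):
        self.rules = list(rules)
        self.app_protos = set(app_protos)
        self.audit: List[Tuple[str, Tuple, str]] = []  # (verdict, five-tuple, detail)

    def handle(self, pkt: Packet) -> str:
        """Return "forward" or "drop:<stage>" for one extranet packet."""
        # S22: is the packet's five-tuple covered by any white-list rule?
        if not any(rule.matches(pkt) for rule in self.rules):
            return self._drop(pkt, "five-tuple")
        # S23: is the application-layer protocol on the white list?
        if pkt.app_proto not in self.app_protos:
            return self._drop(pkt, "app-proto")
        self.audit.append(("forward", pkt.five_tuple(), pkt.app_proto))
        return "forward"

    def _drop(self, pkt: Packet, stage: str) -> str:
        # Drops are logged too: a run of drops from one source is what a
        # defender wants to see in the gateway's audit trail.
        self.audit.append(("drop", pkt.five_tuple(), stage))
        return "drop:" + stage


def demo_verdicts() -> List[str]:
    """Run constructed packets through a gateway with a constructed policy."""
    gw = IsolationGateway(
        rules=[
            # Constructed policy: only the extranet segment 10.0.0.0/24 may
            # reach the intranet host 192.168.1.10 on TCP port 502.
            WhitelistRule("10.0.0.0/24", "*", "192.168.1.10/32", 502, "tcp"),
        ],
        app_protos=["modbus"],
    )
    packets = [
        Packet("10.0.0.5", 40000, "192.168.1.10", 502, "tcp", "modbus"),    # allowed
        Packet("10.0.0.5", 40001, "192.168.1.10", 502, "tcp", "http"),      # wrong app protocol on 502
        Packet("10.0.0.5", 40002, "192.168.1.10", 23, "tcp", "telnet"),     # destination port not listed
        Packet("172.16.0.9", 40000, "192.168.1.10", 502, "tcp", "modbus"),  # source outside segment
        Packet("10.0.0.5", 40003, "192.168.1.10", 502, "udp", "modbus"),    # transport protocol mismatch
    ]
    return [gw.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo_verdicts():
        print(verdict)
```

The order of the checks matters for the audit trail: a packet that fails S22 never reaches the protocol parser, so the cheap five-tuple test shields the more expensive application-layer inspection, and the recorded stage tells an operator whether a rejected flow was wrong at the network level or carried an unexpected protocol on an allowed port.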
CN202010945545.5A 2020-09-10 2020-09-10 Security gateway isolation method and method for sending extranet data to intranet Pending CN112104637A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010945545.5A CN112104637A (en) 2020-09-10 2020-09-10 Security gateway isolation method and method for sending extranet data to intranet

Publications (1)

Publication Number Publication Date
CN112104637A true CN112104637A (en) 2020-12-18

Family

ID=73752214

Country Status (1)

Country Link
CN (1) CN112104637A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6012100A (en) * 1997-07-14 2000-01-04 Freegate Corporation System and method of configuring a remotely managed secure network interface
CN102843352A (en) * 2012-05-15 2012-12-26 广东电网公司茂名供电局 Cross-physical isolation data transparent transmission system and method between intranet and extranet
CN103593439A (en) * 2013-11-15 2014-02-19 太仓市同维电子有限公司 Method for storing temporary data in configuration file
CN104767752A (en) * 2015-04-07 2015-07-08 西安汇景倬元信息技术有限公司 Distributed network isolating system and method
CN105721188A (en) * 2014-12-04 2016-06-29 北京神州泰岳信息安全技术有限公司 Firewall strategy check method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Dongfang Electronics: "DF-NS310S V4.3.1 Real-Time Isolation Gateway User Manual", URL: HTTPS://WWW.DOC88.COM/P-0959362565961.HTML?R=1 *
Wang Xuchen et al.: "On-site commissioning of the radiation monitoring information management system of a nuclear power plant", Instrumentation Users (仪器仪表用户) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113115241A (en) * 2021-04-07 2021-07-13 青岛容商天下网络有限公司 Industrial Internet system based on industrial brain
CN113115241B (en) * 2021-04-07 2022-11-15 青岛容商天下网络有限公司 Industrial Internet system based on industrial brain

Similar Documents

Publication Publication Date Title
Pliatsios et al. A survey on SCADA systems: secure protocols, incidents, threats and tactics
CN109510841B (en) Safety isolation gateway of control device and system
Fovino et al. An experimental platform for assessing SCADA vulnerabilities and countermeasures in power plants
CN106789015B (en) Intelligent power distribution network communication safety system
US8756411B2 (en) Application layer security proxy for automation and control system networks
Li et al. SCADAWall: A CPI-enabled firewall model for SCADA security
WO2003107156A2 (en) METHOD FOR CONFIGURING AND COMMISSIONING CSMs
CN111770092B (en) Numerical control system network security architecture and secure communication method and system
CN101399838A (en) Method, apparatus and system for processing packet
CN108712364B (en) Security defense system and method for SDN (software defined network)
CN113472758B (en) Access control method, device, terminal, connector and storage medium
CN110855707A (en) Internet of things communication pipeline safety control system and method
CN111988328A (en) Safety guarantee method and system for acquiring terminal data of power generation unit of new energy plant station
Watson et al. Interoperability and security challenges of industry 4.0
CN115549932A (en) Safety access system and access method for massive heterogeneous Internet of things terminals
Cai et al. Review of cyber-security challenges and measures in smart substation
CN114499976B (en) Data exchange method for realizing cross-network exchange
Silveira et al. Security analysis of digitized substations: A systematic review of GOOSE messages
Wanying et al. The study of security issues for the industrial control systems communication protocols
Khosroshahi et al. Security technology by using firewall for smart grid
CN112104637A (en) Security gateway isolation method and method for sending extranet data to intranet
CN117614729A (en) Cross-domain network access method, system, device and readable storage medium
CN200962603Y (en) A trustable boundary security gateway
CN116248302A (en) SSL VPN communication tunnel module, application monitoring module and mobile terminal safety access system
CN205647582U (en) Cloud safe gateway and cloud safety coefficient

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20201218)