CN112104637A - Security gateway isolation method and method for sending extranet data to intranet - Google Patents


Info

Publication number
CN112104637A
Authority
CN
China
Prior art keywords
gateway
configuration file
security
isolation
data
Prior art date
Legal status
Pending
Application number
CN202010945545.5A
Other languages
Chinese (zh)
Inventor
王文海
孙优贤
魏强
谢辰承
嵇月强
张晓东
徐斌
汪洲
张稳稳
赵璐
Current Assignee
Hangzhou Uwntek Automation System Co ltd
Zhejiang University ZJU
Original Assignee
Hangzhou Uwntek Automation System Co ltd
Zhejiang University ZJU
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting
    • H04L 41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L 67/14 Session management
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/30 Profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a security gateway isolation method and a method for sending data from an external network to an internal network. The security gateway isolation method comprises: S11, establishing a connection between the user and the isolation gateway, using a computer running the Linux operating system and logging in through the management program; S12, writing a configuration file containing the configuration information the user requires; S13, importing the configuration file written in step S12 into the gateway; S14, checking whether the configuration file is accepted: if it is, the computer is restarted and the configuration file takes effect; if not, return to step S12 and rewrite the configuration file. By writing a configuration file and importing it into the gateway, the invention achieves complete isolation of the gateway; when external network data is sent to the internal network, only reliable external network data can pass through the gateway that has loaded the configuration file, which guarantees the security of data transmission in the industrial control system.

Description

A security gateway isolation method and a method for sending external network data to an internal network

Technical field

The invention relates to the field of functional safety and information security of industrial control devices and systems, and in particular to a security gateway isolation method and a method for sending external network data to an internal network.

Background

Industrial control systems such as supervisory control and data acquisition (SCADA), distributed control systems (DCS), process control systems (PCS) and programmable logic controllers (PLC) are widely used in industry, energy, transportation, water conservancy, municipal services and other fields to control the operation of production equipment. Once a vulnerability appears in the information security of an industrial control system, it poses a major hidden danger to industrial production and to national economic security. With the development of computer and network technology, and in particular the deep integration of informatization and industrialization, industrial control system products increasingly adopt general-purpose protocols, hardware and software and connect in various ways to public networks such as MIS networks and the Internet, so that threats such as viruses and Trojans spread into industrial control systems and their security problems become increasingly prominent. The "Stuxnet" virus incident of 2010 fully reflects the severe situation facing industrial control system information security.

The industrial network security isolation gateway is a network isolation product that has emerged in recent years specifically for the industrial field. It adopts a "2+1" three-module architecture with a built-in dual-host system; the isolation unit establishes a secure channel over a bus so that fast data exchange can be performed safely. Unlike a network gatekeeper (gap device), the applications provided by the industrial network security isolation gateway are aimed specifically at protecting the control network, so it provides only the communication functions commonly used in control networks, such as OPC and Modbus, and not general Internet functions.

Summary of the invention

In order to overcome the deficiencies of the above technology, the present invention provides a security gateway isolation method and a method for sending external network data to an internal network.

The technical solution adopted by the present invention to overcome its technical problem is as follows:

A security gateway isolation method, comprising the following steps:

S11. Establish a connection between the user and the isolation gateway: use a computer running the Linux operating system and log in through the management program;

S12. Write a configuration file: write in the configuration information the user requires;

S13. Import into the gateway: import the configuration file written in step S12 into the gateway;

S14. Check whether the configuration file is accepted: if it is, restart the computer and the configuration file takes effect; if not, return to step S12 and rewrite the configuration file.

Further, when the user logs in in step S11, there are four classes of account login permissions: authorized administrator, authorized user, authorized auditor and authorized security officer. The authorized administrator has at least the functions of configuring management port parameters, configuring log system parameters and changing passwords; authorized users mainly means authorized control stations or authorized operator stations, which can communicate with each other through the isolation; the authorized auditor has permission to view the log system; the authorized security officer has the functions of configuring security policies, viewing security policies and backing up the security configuration. In the security gateway isolation method of the present invention, a different operation interface is displayed depending on the permissions of the account that logs in: an authorized administrator login provides management port parameter modification, user password modification, upload of the security isolation configuration file and log viewing; an authorized auditor login provides viewing of system traffic logs; an authorized security officer login can modify security parameters, upload configuration files, view the current security parameters, change the password and synchronize configuration files.

Further, step S12 specifically comprises:

determining the configuration information the user requires;

writing the configuration file in XML document format;

converting the written configuration file with the conversion tool and uploading it to the gateway.

Further, in step S12 the start flag of the configuration file is iGateConf, under which one or more of the following configuration items are loaded: file header configuration, MAC address to IP address binding, IP whitelist settings, access frequency control, SNET protocol type filtering, service access control and cfg file generation.

Further, step S13 specifically comprises:

placing the configuration file to be uploaded in the client's current directory and converting it into iGateWay.en format with the configuration file conversion and encryption program;

once the file is confirmed to exist in the current directory, performing the import into the gateway.

The invention also discloses a method for sending external network data to an internal network, in which the data passes through at least information isolation, and the information isolation comprises at least the following steps:

S21. The external network sends a data packet to a gateway that has been isolated by any of the security gateway isolation methods described above;

S22. Check whether the five-tuple is in the whitelist: if so, proceed to the next step; if not, discard the data packet;

S23. Check whether the application layer protocol field satisfies the whitelist: if so, the gateway forwards the data packet to the internal network; if not, discard the data packet.

Further, an IP access control list restricts the range of network segments reachable from the internal and external networks, so that only network segments within the preset range can access each other.

Further, in step S23 the gateway encrypts with a private protocol and forwards the data to the internal network by deconstructing and reassembling the external network data packets.

Further, the five-tuple comprises the source IP address, source port, destination IP address, destination port and transport layer protocol, where the source IP address is the source IP in the data packet received by the security isolation device; the destination IP address is the destination IP in that packet; the source port is the source port number in that packet; the destination port is the destination port number in that packet; and the protocol number of the transport layer protocol is the protocol type of the packet received by the security isolation device, such as TCP or UDP. The five-tuple distinguishes different sessions, and the session corresponding to a given five-tuple is unique.

Further, for users with different login permissions the gateway is divided into different areas, and each user can only access the corresponding security domain. On this basis, access control according to user identity is added. The three classes of administrative users each carry an identity sensitivity label: the authorized administrator is admin, the authorized security officer is security and the authorized auditor is auditor. When users with different identities access the gateway, access control is applied per user; for example, the authorized administrator cannot access the area where the gateway main program and the management port control program reside and has no permission to view, delete or modify files in that area, but does have permission to read and modify the database in its own area.

The beneficial effects of the present invention are as follows:

By writing a configuration file and importing it into the gateway, the invention achieves complete isolation of the gateway; when external network data is sent to the internal network, only reliable external network data can pass through the gateway that has loaded the configuration file, which guarantees the security of data transmission in the industrial control system.

The invention also achieves physical isolation, electrical isolation and information isolation through the design of the security gateway. The security gateway module uses an internal cascaded power supply to achieve power isolation, achieves signal line isolation by guaranteeing the isolation spacing, and achieves isolation of the network port layout on the base by guaranteeing the spacing between the external and internal network interfaces; the external network input and internal network output of the security gateway module are each provided with an independent isolation transformer to achieve electrical isolation.

Description of the drawings

FIG. 1 is a schematic diagram of a security gateway isolation method and a method for sending external network data to an internal network according to an embodiment of the invention.

Detailed description

To help those skilled in the art understand the invention better, the invention is described in further detail below with reference to the accompanying drawing and specific embodiments; the following is exemplary only and does not limit the scope of protection of the invention.

Embodiment 1

As shown in FIG. 1, this embodiment provides a security gateway isolation method comprising the following steps:

S11. Establish a connection between the user and the isolation gateway: use a computer running the Linux operating system and log in through the management program.

When a user logs in, there are four classes of account login permissions: authorized administrator, authorized user, authorized auditor and authorized security officer. The authorized administrator has at least the functions of configuring management port parameters, configuring log system parameters and changing passwords; authorized users mainly means authorized control stations or authorized operator stations, which can communicate with each other through the isolation; the authorized auditor has permission to view the log system; the authorized security officer has the functions of configuring security policies, viewing security policies and backing up the security configuration.

In this embodiment, logging in through the management program means logging in as any one of the authorized administrator, authorized auditor or authorized security officer. A different operation interface is displayed depending on the permissions of the account that logs in. The authorized administrator login provides management port parameter modification, user password modification, upload of the security isolation configuration file and log viewing; the authorized auditor login provides viewing of system traffic logs; the authorized security officer login can modify security parameters, upload configuration files, view the current security parameters, change the password and synchronize configuration files.

S12. Write a configuration file: write in the configuration information the user requires.

Specifically, the configuration information the user requires is determined first, the configuration file is then written in XML document format, and the written configuration file is converted with the conversion tool and uploaded to the gateway.

In this embodiment, the start flag of the configuration file is iGateConf, under which one or more of the following configuration items are loaded: file header configuration, MAC address to IP address binding, IP whitelist settings, access frequency control, SNET protocol type filtering, service access control and cfg file generation. The file header mainly describes the overall composition of the configuration file and the configuration information of the gateway's internal network; its start flag is Header, and both the format version (FormatVsn) and the magic field (Magic) must be given. The MAC address binding rule binds the correspondence between a host's IP address and its MAC address to prevent ARP spoofing; if this option is not configured, the filtering rule does not take effect. The IP access control list restricts the range of network segments reachable from the internal and external networks: only network segments within the rules, that is, those in the IP whitelist, can access each other; its start flag is IPSegList, and each rule must give a start IP, an end IP and mask information. Access frequency control limits the maximum access frequency of the corresponding network segment, counted over one-second intervals; its start flag is IPRateList, and each rule must give a start IP, end IP, mask information and the access frequency. BrdHead filtering is one form of SNET protocol type filtering: it filters on the Type field of the BrdHead structure at the beginning of the packet's application layer data, which must lie between Min and Max (inclusive). The start flag of service access control is ServiceList, which mainly restricts the server-side protocol (TCP/UDP), port number, client rules and application layer rules. After the XML document is filled in, running the conversion script in the Linux environment produces the configuration file, i.e. the cfg file.

S13. Import into the gateway: import the configuration file written in step S12 into the gateway.

Specifically, the configuration file to be uploaded is placed in the client's current directory and converted into iGateWay.en with the configuration file conversion and encryption program; once the file is confirmed to exist in the current directory, the import into the gateway is performed.

S14. Check whether the configuration file is accepted: if it is, restart the computer and the configuration file takes effect; if not, return to step S12 and rewrite the configuration file.

On the basis of the security gateway isolation method described above, at least the following functions can also be implemented:

IP address access control: uses the IP address filtering module, basic communication module, inter-NIC data ferry module and log statistics module to inspect the source IP of data packets, filter out IP addresses outside the whitelist, and record abnormal accesses in the database via the log statistics module.

MAC address filtering: uses the MAC address filtering module, basic communication module, inter-NIC data ferry module and log statistics module to inspect the MAC address in ARP requests, filter out MAC addresses outside the whitelist, and record abnormal accesses in the database via the log statistics module.

Access frequency control: uses the access frequency control module, basic communication module, inter-NIC data ferry module and log statistics module to count the accesses from each IP address per unit time in order to prevent DDoS attacks, and record abnormal accesses in the database via the log statistics module.

Data packet anti-tampering: uses the data packet compliance detection module, basic communication module, inter-NIC data ferry module and data packet reconstruction module to check packets passing through the gateway for compliance and reconstruct them, preventing an attacker from causing damage with forged packets.

Encrypted communication between the management port and the client: uses the basic communication module, inter-NIC data ferry module and communication encryption module to encrypt sent packets and decrypt received packets, thereby providing communication encryption.

Embodiment 2

This embodiment provides a method for sending external network data to an internal network, in which the data passes through at least information isolation. Preferably, in this embodiment the security gateway isolation measures include physical isolation and electrical isolation in addition to information isolation.

In this embodiment, a security gateway isolation module is provided. The module uses an internal cascaded power supply and an external distribution power supply respectively, which come from different power supply systems, thereby achieving power supply isolation. In the layout of the security gateway base, the signal lines are isolated from one another, and the wiring guarantees an isolation spacing greater than 4 mm everywhere (meeting the requirement of greater than 2 mm, isolation withstand voltage > 2 kV); the security gateway module also contains isolation transformers, guaranteeing isolation between the internal and external network signal lines. The external network interface on the base is a 1×2 RJ45 port and the internal network interface is a 4×1 RJ45 port, with a spacing between them far greater than 12 mm (meeting the requirement of greater than 2 mm, isolation withstand voltage > 2 kV), which guarantees the isolation characteristics of the interface section. The external network input and internal network output of the security gateway module are each provided with an independent isolation transformer with an isolation withstand voltage > 2 kV, guaranteeing the isolation requirement between external and internal signals.

In this embodiment, the information isolation comprises at least the following steps:

S21. The external network sends a data packet to a gateway that has been isolated by the security gateway isolation method of Embodiment 1.

S22. Check whether the five-tuple is in the whitelist: if so, proceed to the next step; if not, discard the data packet.

The five-tuple comprises the source IP address, source port, destination IP address, destination port and transport layer protocol, where the source IP address is the source IP in the data packet received by the security isolation device; the destination IP address is the destination IP in that packet; the source port is the source port number in that packet; the destination port is the destination port number in that packet; and the protocol number of the transport layer protocol is the protocol type of the packet received by the security isolation device, such as TCP or UDP. The five-tuple distinguishes different sessions, and the session corresponding to a given five-tuple is unique.

S23. Determine whether the application-layer protocol field satisfies the whitelist: if so, the gateway forwards the data packet to the intranet; specifically, the gateway encrypts using a private protocol and, by deconstructing and reassembling the extranet data packet, forwards the data to the intranet. If not, discard the data packet.
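Steps S21 to S23 above, as an added example in Python that is not code from the patent or its assignees: a five-tuple whitelist check followed by an application-layer protocol check, applied to constructed packets. The Packet and FiveTupleRule types, the whitelist contents, the sample addresses and the way forwarding rebuilds the packet are all assumptions for illustration; the patent does not describe its private protocol, so only the deconstruct-and-reassemble part of S23 is modelled, not the encryption.

```python
# Added example (not the patent's own code): model of steps S21-S23.
# Field names, whitelist entries and sample packets are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # transport-layer protocol, e.g. "TCP" or "UDP"
    app_proto: str      # application-layer protocol field, e.g. "MODBUS"
    payload: bytes = b""


@dataclass(frozen=True)
class FiveTupleRule:
    src_net: str
    dst_net: str
    dst_port: int
    proto: str
    src_port: Optional[int] = None   # None = any source port (clients use ephemeral ports)

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src_ip) in ip_network(self.src_net)
                and ip_address(p.dst_ip) in ip_network(self.dst_net)
                and p.dst_port == self.dst_port
                and p.proto == self.proto
                and (self.src_port is None or p.src_port == self.src_port))


# Constructed whitelist: a single extranet host may reach a single intranet
# host on TCP/502, and only the MODBUS application protocol is accepted.
FIVE_TUPLE_WHITELIST = [
    FiveTupleRule(src_net="10.1.0.5/32", dst_net="192.168.10.20/32",
                  dst_port=502, proto="TCP"),
]
APP_PROTO_WHITELIST = {"MODBUS"}


def decide(p: Packet, ft_rules=FIVE_TUPLE_WHITELIST, app_allow=APP_PROTO_WHITELIST):
    """Return ("forward", reason) or ("drop", reason) for one packet.

    S22: the five-tuple must match a whitelist entry, otherwise drop.
    S23: the application-layer protocol field must be whitelisted, otherwise drop.
    Both checks are default-deny: a packet matching no rule is never forwarded.
    """
    if not any(r.matches(p) for r in ft_rules):
        return ("drop", "five-tuple not in whitelist")
    if p.app_proto not in app_allow:
        return ("drop", "application-layer protocol not in whitelist")
    return ("forward", "both whitelists satisfied")


def forward_to_intranet(p: Packet) -> bytes:
    """Model of the deconstruct-and-reassemble step of S23 (assumed format).

    The original extranet frame is not passed through; only the fields the
    policy has already checked are re-serialised into a new message.
    """
    header = f"{p.app_proto}:{p.dst_ip}:{p.dst_port}".encode()
    return header + b"|" + p.payload


def process(packets):
    """Apply decide() to a batch and return the list of (verdict, reason)."""
    return [decide(p) for p in packets]
```

The two checks are ordered as in the patent: the cheap five-tuple match runs first, and the application-layer field is only inspected for packets that already belong to a whitelisted session. Because the rule table is default-deny, adding a new intranet service means adding an explicit rule rather than loosening an existing one.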

In this embodiment, the gateway divides different zones for users with different login permissions, and each user can only access the corresponding security domain. On top of the original design, access control based on user identity has been added. The three types of administrator users each carry an identity sensitivity label: the authorized administrator is admin, the authorized security officer is security, and the authorized auditor is auditor. When users with different identities access the gateway, access control is applied per user; for example, the authorized administrator cannot access the zone in which the gateway main program and the management-port control program reside and has no permission to view, delete or modify files in that zone, but does have permission to read and modify the database within its own zone.

The above describes only the basic principles and preferred embodiments of the present invention; those skilled in the art can make many changes and improvements on the basis of the above description, and such changes and improvements should fall within the scope of protection of the present invention.

Claims (10)

1. A security gateway isolation method is characterized by comprising the following steps:
s11, establishing connection between the user and the isolation gateway: logging in by using a computer provided with a linux operating system through a management program;
s12, writing a configuration file: writing the configuration information required by the user;
s13, importing the gateway: importing the configuration file written in the step S12 into a gateway;
s14, judging whether the configuration file passes: if the configuration file passes the preset time, restarting the computer, and enabling the configuration file to take effect; if not, the process goes to step S12 to rewrite the configuration file.
2. The security gateway isolation method of claim 1, wherein the user login in step S11 includes four types of account login permissions, which are an authorized administrator, an authorized user, an authorized auditor, and an authorized security clerk.
3. The security gateway isolation method according to claim 1, wherein the step S12 specifically includes:
determining configuration information required by a user;
compiling a configuration file according to an XML document format;
and converting the written configuration file through a conversion tool and uploading the converted configuration file to the gateway.
4. The security gateway isolation method of claim 1, wherein in step S12, a start flag of the configuration file is iGateConf, and under the flag, one or more of the following configuration items are loaded: configuration of a file header, binding of a MAC address and an IP address, setting of an IP white list, access frequency control, SNET protocol type filtering, service access control and generation of cfg files.
5. The security gateway isolation method according to claim 1, wherein the step S13 specifically includes:
the configuration file to be uploaded is placed in a current directory of a client, and is converted into an iGateWay.en format through a configuration file conversion and encryption program;
and when the current directory of the file is confirmed, executing the operation of importing the file into the gateway.
6. A method for sending data of an external network to an internal network is characterized by at least comprising the following steps of information isolation:
s21, the external network sends a data packet to the gateway isolated by the security gateway isolation method of any claim 1 to 5;
s22, judging whether the quintuple is in the white list: if yes, jumping to the next step; if not, discarding the data packet;
s23, judging whether the application layer protocol field meets a white list: if yes, the gateway forwards the data packet to the intranet; if not, the data packet is discarded.
7. The method of sending extranet data to intranet according to claim 6 wherein the range of the intranet and extranet accessible network segments is limited by IP access control list so that the network segments within the preset range can access each other.
8. The method according to claim 6, wherein in step S23, the gateway forwards the data to the intranet by encrypting according to a proprietary protocol, and by deconstructing and reassembling the extranet data packet.
9. The method according to claim 6, wherein the five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol; the quintuple can distinguish different sessions and the corresponding session is unique.
10. The method for sending extranet data to the intranet according to claim 6, wherein the gateway divides different regions for users with different login permissions, and the corresponding user can only access the corresponding security domain.
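Claims 1, 3 and 4 describe writing an XML configuration file whose start flag is iGateConf, importing it, and judging whether it passes before it takes effect. The following is an added Python example, not the patent's own tool or schema: it parses such a file and reports validation errors, so that "passes" in step S14 means an empty error list. Only the root element name iGateConf comes from the claims; the child elements (Header, MacIpBinding/Bind, IpWhiteList/Rule, AccessFrequency), their attributes and the sample file are hypothetical and constructed for illustration.

```python
# Added example (not the patent's own code): parse and validate an iGateConf
# XML configuration file. Child element and attribute names are assumptions.
import re
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample configuration (hypothetical schema under the iGateConf root).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<iGateConf>
  <Header name="plant-gw-1" version="1"/>
  <MacIpBinding>
    <Bind mac="00:11:22:33:44:55" ip="10.1.0.5"/>
  </MacIpBinding>
  <IpWhiteList>
    <Rule src="10.1.0.5/32" dst="192.168.10.20/32" port="502" proto="TCP"/>
  </IpWhiteList>
  <AccessFrequency maxPerSecond="200"/>
</iGateConf>
"""


def parse_config(xml_text):
    """Return (config_dict, errors).

    An empty errors list means the file passes in the sense of step S14;
    otherwise the operator goes back to step S12 and rewrites it.
    """
    errors = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return None, [f"not well-formed XML: {e}"]
    if root.tag != "iGateConf":
        return None, [f"unexpected root element {root.tag!r}, expected 'iGateConf'"]

    header = root.find("Header")
    cfg = {"header": dict(header.attrib) if header is not None else {},
           "bindings": {}, "whitelist": [], "max_per_second": None}

    # MAC/IP binding: every entry must be a syntactically valid pair, and one
    # IP must not be bound to two different MACs (a contradictory policy).
    for b in root.iterfind("./MacIpBinding/Bind"):
        mac, ip = b.get("mac", ""), b.get("ip", "")
        if not MAC_RE.match(mac):
            errors.append(f"bad MAC {mac!r}")
            continue
        try:
            ip_address(ip)
        except ValueError:
            errors.append(f"bad IP {ip!r} in binding")
            continue
        if ip in cfg["bindings"] and cfg["bindings"][ip] != mac.lower():
            errors.append(f"IP {ip} bound to two different MACs")
            continue
        cfg["bindings"][ip] = mac.lower()

    # IP whitelist rules: networks must parse, ports must be in range and the
    # transport protocol must be one the gateway can match on.
    for r in root.iterfind("./IpWhiteList/Rule"):
        try:
            src, dst = ip_network(r.get("src")), ip_network(r.get("dst"))
            port = int(r.get("port"))
            proto = r.get("proto", "").upper()
            if not 0 < port <= 65535:
                raise ValueError("port out of range")
            if proto not in ("TCP", "UDP"):
                raise ValueError(f"unsupported transport protocol {proto!r}")
        except (ValueError, TypeError) as e:
            errors.append(f"bad whitelist rule {dict(r.attrib)}: {e}")
            continue
        cfg["whitelist"].append((str(src), str(dst), port, proto))

    # Access frequency control: must be a positive integer if present.
    af = root.find("AccessFrequency")
    if af is not None:
        try:
            cfg["max_per_second"] = int(af.get("maxPerSecond"))
            if cfg["max_per_second"] <= 0:
                raise ValueError
        except (ValueError, TypeError):
            errors.append("AccessFrequency/maxPerSecond must be a positive integer")
    return cfg, errors


def config_passes(xml_text) -> bool:
    """Step S14 decision: True only when no validation error was recorded."""
    return parse_config(xml_text)[1] == []
```

Validation happens before anything is applied, and a single bad entry rejects the whole file rather than silently loading the valid remainder, which matches the claim's loop back to rewriting the file. The parser assumes the file is written by the administrator's own tool on the management host; it is not meant for XML of unknown origin.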
CN202010945545.5A 2020-09-10 2020-09-10 Security gateway isolation method and method for sending extranet data to intranet Pending CN112104637A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010945545.5A CN112104637A (en) 2020-09-10 2020-09-10 Security gateway isolation method and method for sending extranet data to intranet

Publications (1)

Publication Number Publication Date
CN112104637A true CN112104637A (en) 2020-12-18

Family

ID=73752214

Country Status (1)

Country Link
CN (1) CN112104637A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20201218