CN112291208A - Method for safely sharing data among different local area networks - Google Patents


Info

Publication number: CN112291208A
Application number: CN202011108282.9A
Authority: CN (China)
Prior art keywords: local area, host, area network, shared, office
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 王燕斌, 何雨生, 张照允, 王磊, 韩雷, 范鹏, 杨伟, 翟智哲, 尹松, 尹延华, 苏念文, 秦钦
Current assignee: Yanzhou Coal Mining Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Yanzhou Coal Mining Co Ltd
Priority date: 2020-10-16 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2020-10-16
Publication date: 2021-01-29

Timeline:
2020-10-16: Application filed by Yanzhou Coal Mining Co Ltd
2020-10-16: Priority to CN202011108282.9A
2021-01-29: Publication of CN112291208A
Current legal status: Pending

Classifications

  • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 for separating internal from external traffic, e.g. firewalls
      • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/10 for controlling access to devices or network resources
    • H04L63/20 for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The application discloses a method for safely sharing data among different local area networks. A firewall is used to configure the access security control policy: designated hosts of an industrial local area network access a shared local area network in one direction only, a designated subset of hosts of an office local area network access the shared local area network in both directions, designated hosts of the shared local area network transmit data to a data sharing host of the office local area network, and no access is allowed between the office local area network and the industrial local area network. Data passes between the industrial local area network and the office local area network only by relay through the shared local area network, so the office local area network can obtain the data of the industrial local area network and data transmission between the networks is achieved. At the same time the industrial local area network is isolated from any external network, which prevents attacks on it by network viruses and unauthorized networks, avoids leakage of industrial data, and improves network security.

Description

Method for safely sharing data among different local area networks
Technical Field
The present application relates to the field of network security access technologies, and in particular, to a method for securely sharing data between different local area networks.
Background
With the development of computer technology, networks have entered thousands of households and brought convenience to many aspects of people's lives, work and travel. In enterprises, a local area network is generally set up to share internal resources. A local area network is a computer communication network that interconnects computers, peripherals and databases within a limited geographic area (for example a school, a factory or an institution).
To avoid leaking industrial secrets, the industrial local area network is not linked to the Internet and does not exchange data with it, which prevents viruses and unauthorized attacks on the industrial network. In an actual production environment, however, data has to be shared between different LANs: in a coal mining enterprise, for example, the office LAN needs to obtain data from the industrial LAN while the industrial LAN must have no access to any external network.
At present, data sharing between different local area networks is implemented with dual network cards: a data source host is fitted with two network cards linking it to two different networks, each card is configured with an IP address, subnet mask and gateway address for its network, data communication is realized with the built-in routing function of Windows, and the data source host collects data and forwards it directly to the other network. Because this host straddles both networks, it is easily infected by viruses or attacked over the network, which does not meet the security requirements of an industrial network.
Disclosure of Invention
The application provides a method for safely sharing data among different local area networks, aiming to solve the technical problem that sharing data from the industrial network is unsafe.
To solve this technical problem, the embodiments of the application disclose the following technical scheme:
an embodiment of the application discloses a method for safely sharing data among different local area networks, comprising the following steps: setting up a data security sharing system comprising an office local area network, a shared local area network, an industrial local area network and a firewall, where the office local area network, the industrial local area network and the shared local area network are all connected to the firewall;
closing the default access rule of the firewall and prohibiting any network data transmission for which no protocol rule exists;
setting a firewall control policy under which hosts of the industrial local area network access hosts of the shared local area network in one direction only, and hosts of the shared local area network are forbidden to access hosts of the industrial local area network;
and setting a firewall control policy under which hosts of the office local area network access hosts of the shared local area network in both directions: hosts of the office local area network are allowed to access hosts of the shared local area network, and hosts of the shared local area network are allowed to access a designated host of the office local area network.
Optionally, setting the firewall control policy for one-way access by industrial LAN hosts to shared LAN hosts, and prohibiting shared LAN hosts from accessing industrial LAN hosts, comprises: setting, by enumeration, the protocol rules under which industrial LAN hosts access shared LAN hosts, and forbidding all IP addresses of the shared LAN from accessing the IP addresses of the industrial virtual network.
Optionally, each protocol rule under which an industrial LAN host accesses a shared LAN host has the form: IP address + subnet mask + port of the industrial LAN host, accessing IP address + subnet mask + port number of the shared LAN host, with the UDP/TCP protocol.
Optionally, setting the firewall control policy for bidirectional access by office LAN hosts to the shared LAN host, allowing designated hosts of the office LAN to access the shared LAN host and the shared LAN host to access the designated host of the office LAN, comprises:
the office local area network comprises office hosts and a data sharing host, and data sharing between the office hosts and the data sharing host is realized through an office data switch;
setting, by enumeration, rules consisting of the IP address, subnet mask and port of every office LAN host, the IP address, subnet mask and port number of the shared LAN host, and the UDP/TCP protocol;
and setting a rule consisting of the IP address, subnet mask, port number and UDP/TCP protocol of the designated host of the shared LAN area, under which that host forwards data to the data sharing host of the office LAN.
Optionally, the shared LAN is provided with a shared switch, and data sharing between hosts of the shared LAN is implemented through the shared switch.
Compared with the prior art, the beneficial effects of this application are:
the application provides a method for safely sharing data among different local area networks in which a shared local area network and a firewall are arranged and the firewall is used to configure the access security control policy. No access is allowed between the office local area network and the industrial local area network; the industrial local area network has one-way access to the shared local area network, so industrial data can be transmitted to a host of the shared local area network; the office local area network and the shared local area network form a conditional bidirectional data path; and a host of the shared local area network transmits the data to the data sharing host of the office network. Data transmission between the networks is thereby realized while network security is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
To explain the technical solution of the present application more clearly, the drawings used in the embodiments are briefly described below; it is obvious to those skilled in the art that other drawings can be derived from these drawings without creative effort.
Fig. 1 is a schematic diagram of a secure and efficient data transmission in an industrial network according to an embodiment of the present application;
fig. 2 is a schematic diagram of multi-unit secure and efficient data transmission in an industrial network according to an embodiment of the present disclosure.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, an embodiment of the present application provides a secure and effective industrial network data transmission method, comprising:
S100: setting up a data security sharing system comprising an office local area network, a shared local area network, an industrial local area network and a firewall. The office local area network, the industrial local area network and the shared local area network are all connected to the firewall; the office local area network comprises office hosts and a data sharing host; and data sharing among the internal hosts of each local area network is realized through that network's data switch.
S200: closing the default access rule of the firewall, prohibiting network data transmission for which no protocol rule exists, and prohibiting any data transmission between the office local area network and the industrial local area network.
S300: setting a firewall control policy under which industrial LAN hosts access the shared LAN host in one direction only to transmit data, and forbidding the shared LAN host from accessing industrial LAN hosts. The rules are set by enumeration: IP address, subnet mask and port of the industrial LAN host, accessing IP address, subnet mask and port number of the shared LAN host, with the UDP/TCP protocol; and all IP addresses of the shared local area network are forbidden from accessing the IP addresses of the industrial virtual network. The industrial local area network forwards data to the shared local area network through the firewall, and the shared local area network is forbidden to access the industrial local area network.
S400: setting a firewall control policy under which office LAN hosts access the shared LAN host in both directions: office LAN hosts are allowed to access the shared LAN host, and the shared LAN host is allowed to access a designated host of the office LAN.
All hosts of the office LAN are allowed to access the shared LAN host, and the shared LAN host accesses a designated host of the office LAN.
Alternatively, only the data sharing host is allowed to access the shared LAN, with data sharing inside the office LAN realized through the office switch. A rule consisting of the IP address, subnet mask, port number and UDP/TCP protocol of the designated host in the shared LAN area is set under which it forwards data to the data sharing host in the office LAN, and the firewall blocks access from any host IP address or port that has not been set, which forms a conditional bidirectional access.
The office local area network comprises office hosts and a data sharing host, and data sharing between the office hosts and the data sharing host is realized through an office data switch. Rules consisting of the IP address, subnet mask and port of every office LAN host, the IP address, subnet mask and port number of the shared LAN host, and the UDP/TCP protocol are set by enumeration. A rule consisting of the IP address, subnet mask, port number and UDP/TCP protocol of the designated host of the shared LAN area is set under which that host forwards data to the data sharing host of the office LAN.
The application provides a method for safely sharing data among different local area networks in which a firewall is used to configure the access security control policy: the industrial local area network has one-way access to the shared local area network, a subset of hosts of the office local area network have two-way access to the shared local area network, designated hosts of the shared local area network transmit data to a data sharing host of the office local area network, and no access is allowed between the office local area network and the industrial local area network. Data passes between the industrial local area network and the office local area network only by relay through the shared local area network, so the office local area network can obtain the data of the industrial local area network and data transmission between the networks is achieved. At the same time the industrial local area network is isolated from any external network, which prevents attacks on it by network viruses and unauthorized networks, avoids leakage of industrial data, and improves network security.
As shown in fig. 2, the present application further provides another embodiment in which several secure network data paths are established in a multi-unit or multi-network environment. The office network switch, industrial network switch and data sharing switch of a mine are connected to the mine firewall; the company office network switch and the company data sharing switch are connected to the company firewall; and the mine office network and the company office network are interconnected. The mine firewall's basic access transmission policy is set so that the mine office network switch and the industrial network switch can only transmit data one way to the firewall, the firewall in turn transmits one way to the data sharing switch, and the data sharing server under the sharing switch can only transmit data to office network hosts through the designated host, so that no other host receives the data and network security is guaranteed. The company firewall's basic access transmission policy is the same as that of the factory or mine. The factory or mine office network and the company office network can each access the main server data of the data sharing network, which meets the requirement for data sharing.
The access policy of the mine firewall and the company firewall allows only designated host IP addresses and port numbers to reach each other: in each firewall, the accessing host's IP address, subnet mask and port number, the destination network host's IP address, subnet mask and port number, and the UDP/TCP protocol type are configured, forming bidirectional data access between the designated host IP addresses and port numbers, while any host IP address or port number that has not been set is blocked by the firewall.
As an example of the method: when an underground gas over-limit alarm occurs, the industrial network sends the alarm information to the alarm linkage host in the shared network area; after receiving it, the alarm linkage host sends a broadcast instruction to the voice broadcast host in the office network area and the personnel precise positioning host in the office network sends a personnel alarm instruction; after receiving the instructions, office network data sharing host 1 and office network data sharing host 2 execute the related program operations and return confirmation-of-execution messages to the alarm linkage host of the shared network, completing the data transmission of the mine emergency alarm linkage system.
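Steps S100 to S400 amount to a default-deny firewall with three enumerated allow rules, and the gas-alarm chain above is a multi-hop transfer that every hop of that rule set must permit. The following Python module is an added example written for this page, not code from the patent or from Yanzhou Coal Mining: it models the policy as enumerated (source subnet, destination subnet, protocol, destination port) rules, checks the invariants the description states (no rule between office and industrial, no shared-to-industrial rule, shared-to-office forwarding pinned to a single designated host), and walks the alarm chain through the evaluator hop by hop. All addresses, port numbers, protocol choices and host roles are constructed; the patent names none of them, and the source-port term of its rule tuple is omitted (any source port matches).

```python
"""Model of the three-zone firewall policy of steps S100-S400 (added example).

Addresses, ports and host roles below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed zone addressing: one /24 per LAN (assumption).
ZONES = {
    "industrial": ipaddress.ip_network("10.10.0.0/24"),
    "shared": ipaddress.ip_network("10.20.0.0/24"),
    "office": ipaddress.ip_network("10.30.0.0/24"),
}
INDUSTRIAL_HOST = "10.10.0.5"     # constructed: a data source in the industrial LAN
SHARED_HOST = "10.20.0.10"        # constructed: shared-LAN host / alarm linkage host
OFFICE_HOST = "10.30.0.21"        # constructed: an ordinary office workstation
DATA_SHARE_HOST = "10.30.0.100"   # constructed: the designated office data sharing host


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # source host or subnet (IP + subnet mask)
    dst: ipaddress.IPv4Network   # destination host or subnet
    proto: str                   # "tcp" or "udp"
    dport: int                   # destination port number


def rule(src: str, dst: str, proto: str, dport: int) -> Rule:
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


# Enumerated allow rules (S300/S400). Anything not listed is dropped (S200).
POLICY: List[Rule] = [
    # S300: industrial hosts push data one way to the shared-LAN host; no reverse rule.
    rule("10.10.0.0/24", SHARED_HOST + "/32", "tcp", 502),
    # S400: every office host may reach the shared-LAN host ...
    rule("10.30.0.0/24", SHARED_HOST + "/32", "tcp", 8443),
    # ... and the shared-LAN host may forward only to the designated data sharing host.
    rule(SHARED_HOST + "/32", DATA_SHARE_HOST + "/32", "tcp", 8443),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int, policy=POLICY) -> bool:
    """Default-deny evaluation: a cross-LAN flow passes only if an enumerated rule matches."""
    if zone_of(src_ip) == zone_of(dst_ip):
        return True  # intra-LAN traffic stays on that LAN's switch and never hits the firewall
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in r.src and d in r.dst and r.proto == proto and r.dport == dport
               for r in policy)


def check_invariants(policy=POLICY) -> List[str]:
    """Return the statements of the description that the given rule set violates."""
    violations = []
    for r in policy:
        zs, zd = zone_of(str(r.src.network_address)), zone_of(str(r.dst.network_address))
        if {zs, zd} == {"industrial", "office"}:
            violations.append(f"office/industrial rule: {r}")
        if zs == "shared" and zd == "industrial":
            violations.append(f"shared->industrial rule breaks one-way access: {r}")
        if zs == "shared" and zd == "office" and r.dst.prefixlen != 32:
            violations.append(f"shared->office rule not pinned to a designated host: {r}")
        if "external" in (zs, zd):
            violations.append(f"rule reaches outside the three LANs: {r}")
    return violations


def trace_path(hops: List[Tuple[str, str, str, int]], policy=POLICY):
    """Evaluate each hop of a multi-hop transfer such as the alarm linkage chain."""
    return [(src, dst, is_allowed(src, dst, proto, port, policy)) for src, dst, proto, port in hops]


# Constructed alarm chain: industrial -> alarm linkage host -> data sharing host -> confirmation back.
ALARM_CHAIN = [
    (INDUSTRIAL_HOST, SHARED_HOST, "tcp", 502),
    (SHARED_HOST, DATA_SHARE_HOST, "tcp", 8443),
    (DATA_SHARE_HOST, SHARED_HOST, "tcp", 8443),
]

if __name__ == "__main__":
    print("violations:", check_invariants())
    for src, dst, ok in trace_path(ALARM_CHAIN):
        print(f"{src} -> {dst}: {'allow' if ok else 'DROP'}")
```

The invariant check is the part worth keeping when the rule set grows: a later rule that opens the shared LAN towards the whole office subnet, or towards the industrial LAN, is reported before it is deployed, which is exactly the property the patent relies on to keep the industrial network unreachable from the office side.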
In some embodiments of the present application, the designated host is a host selected by a user according to actual needs. The office lan and the industrial lan may be lans of different natures, such as a home lan and the like. The destination network is the network to which the data is transmitted.
Since the above embodiments are described with reference to one another, the parts they have in common are described only once, and the same or similar parts of the various embodiments in this specification may be consulted for each other; they will not be described in detail again here.
It should be noted that, in the present specification, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a circuit structure, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such circuit structure, article, or apparatus. Without further limitation, the presence of an element identified by the phrase "comprising an … …" does not exclude the presence of other like elements in a circuit structure, article or device comprising the element.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
The above-described embodiments of the present application do not limit the scope of the present application.

Claims (5)

1. A method for safely sharing data among different local area networks, characterized by comprising the following steps:
setting up a data security sharing system comprising an office local area network, a shared local area network, an industrial local area network and a firewall, where the office local area network, the industrial local area network and the shared local area network are all connected to the firewall;
closing the default access rule of the firewall and prohibiting any network data transmission for which no protocol rule exists;
setting a firewall control policy under which hosts of the industrial local area network access hosts of the shared local area network in one direction only, and hosts of the shared local area network are forbidden to access hosts of the industrial local area network;
and setting a firewall control policy under which hosts of the office local area network access hosts of the shared local area network in both directions: hosts of the office local area network are allowed to access hosts of the shared local area network, and hosts of the shared local area network are allowed to access a designated host of the office local area network.
2. The method of claim 1, wherein setting the firewall control policy for one-way access by the industrial LAN hosts to the shared LAN hosts and prohibiting the shared LAN hosts from accessing the industrial LAN hosts comprises: setting, by enumeration, the protocol rules under which industrial LAN hosts access shared LAN hosts, and forbidding all IP addresses of the shared LAN from accessing the IP addresses of the industrial virtual network.
3. The method of claim 2, wherein the protocol rule under which an industrial LAN host accesses a shared LAN host is: IP address + subnet mask + port number + UDP/TCP protocol.
4. The method of claim 1, wherein setting the firewall control policy for bidirectional access by the office LAN hosts to the shared LAN host, allowing the designated office LAN host to access the shared LAN host and the shared LAN host to access the designated office LAN host, comprises:
the office local area network comprises office hosts and a data sharing host, and data sharing between the office hosts and the data sharing host is realized through an office data switch;
setting, by enumeration, rules consisting of the IP address, subnet mask and port of every office LAN host, the IP address, subnet mask and port number of the shared LAN host, and the UDP/TCP protocol;
and setting a rule consisting of the IP address, subnet mask, port number and UDP/TCP protocol of the designated host of the shared LAN area, under which that host forwards data to the data sharing host of the office LAN.
5. The method of claim 1, wherein the shared LAN is provided with a shared switch, and the hosts of the shared LAN share data through the shared switch.

Priority Applications (1)

| Application Number | Publication | Priority Date | Filing Date | Title |
| --- | --- | --- | --- | --- |
| CN202011108282.9A | CN112291208A (en) | 2020-10-16 | 2020-10-16 | Method for safely sharing data among different local area networks |

Applications Claiming Priority (1)

| Application Number | Publication | Priority Date | Filing Date | Title |
| --- | --- | --- | --- | --- |
| CN202011108282.9A | CN112291208A (en) | 2020-10-16 | 2020-10-16 | Method for safely sharing data among different local area networks |

Publications (1)

| Publication Number | Publication Date |
| --- | --- |
| CN112291208A | 2021-01-29 |

Family

ID=74497758

Family Applications (1)

| Application Number | Status | Publication | Priority Date | Filing Date | Title |
| --- | --- | --- | --- | --- | --- |
| CN202011108282.9A | Pending | CN112291208A (en) | 2020-10-16 | 2020-10-16 | Method for safely sharing data among different local area networks |

Country Status (1)

| Country | Link |
| --- | --- |
| CN (1) | CN112291208A (en) |

Citations (5)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
| --- | --- | --- | --- | --- |
| CN102130803A (en) * | 2010-10-22 | 2011-07-20 | 新兴铸管股份有限公司 | Local area network website security architecture system |
| US20150249645A1 (en) * | 2014-02-28 | 2015-09-03 | Symantec Corporation | Systems and methods for providing secure access to local network devices |
| CN108055261A (en) * | 2017-12-11 | 2018-05-18 | 中车青岛四方机车车辆股份有限公司 | Industrial network security system deployment method and security system |
| CN109450933A (en) * | 2018-12-18 | 2019-03-08 | 岭澳核电有限公司 | Network system for a nuclear power plant emergency network |
| CN109698837A (en) * | 2019-02-01 | 2019-04-30 | 重庆邮电大学 | Three-level network data exchange device and method based on a one-way transmission physical medium |

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party

| Title |
| --- |
| 王学奎 et al.: "Design and implementation of the high-security zone of the Beijing TV production and broadcast network", 《广播与电视技术》 (Radio & TV Broadcast Engineering) * |
| 蒲阳 et al.: "Construction of an information management system for coal and gas outburst prevention and control", 《矿业安全与环保》 (Mining Safety & Environmental Protection) * |
| 许园: "Application of network firewalls in enterprise public information services", 《中国电信业》 (China Telecommunications Trade) * |

Similar Documents

Publication Publication Date Title
US7131141B1 (en) Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network
JP4630896B2 (en) Access control method, access control system, and packet communication apparatus
EP1859354B1 (en) System for protecting identity in a network environment
US8065402B2 (en) Network management using short message service
US7296291B2 (en) Controlled information flow between communities via a firewall
US7263719B2 (en) System and method for implementing network security policies on a common network infrastructure
US20080133774A1 (en) Method for implementing transparent gateway or proxy in a network
US20150058925A1 (en) Secure one-way interface for opc data transfer
JP2003526270A (en) Network address translation gateway for local area network using local IP address and non-translatable port address
US20060150243A1 (en) Management of network security domains
KR20220125251A (en) Programmable Switching Device for Network Infrastructures
Islam et al. Threat minimization by design and deployment of secured networking model
JP2011199749A (en) Quarantine network system, quarantine management server, method of relaying remote access to virtual terminal, and program of the same
JP4636345B2 (en) Security policy control system, security policy control method, and program
US7024686B2 (en) Secure network and method of establishing communication amongst network devices that have restricted network connectivity
CN114006909B (en) Method and system for point-to-point unidirectional dynamic private line connection between private cloud tenants
CN110278185A (en) A kind of isolation of network security and data exchange electric power networks application system
US7447782B2 (en) Community access control in a multi-community node
CN112291208A (en) Method for safely sharing data among different local area networks
KR102412933B1 (en) System and method for providing network separation service based on software-defined network
US20010037384A1 (en) System and method for implementing a virtual backbone on a common network infrastructure
KR100539760B1 (en) System and method for inducing installing agent using internet access control
US11233675B2 (en) System and method for enabling coexisting hotspot and DMZ
CN110278184A (en) A kind of isolation of network security and data exchange oil field Network of Power application system
CN220605929U (en) Novel network system

Legal Events

| Date | Code | Title | Description |
| --- | --- | --- | --- |
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20210129 |