CN114553501A - Method and system for safely transmitting isolation data of ultra-high-speed network - Google Patents


Info

Publication number
CN114553501A
Authority
CN
China
Prior art keywords
host
event
ferry
communication
control module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210109627.5A
Other languages
Chinese (zh)
Inventor
俞沛峰
黄园
李建桦
黄启春
刘伏亮
李雷
吴云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ningbo Wande Hi Tech Intelligent Technology Co ltd
Original Assignee
Ningbo Wande Hi Tech Intelligent Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ningbo Wande Hi Tech Intelligent Technology Co ltd
Priority to CN202210109627.5A
Publication of CN114553501A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/15 Interconnection of switching modules
    • H04L 49/1515 Non-blocking multistage, e.g. Clos
    • H04L 49/1523 Parallel switch fabric planes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a safe transmission method of isolation data of an ultra-high speed network, which comprises the following steps: connecting a first host with first main equipment, and connecting a second host with second main equipment; the first main equipment is connected with the first main control module, the second main equipment is connected with the second main control module, the first main control module is connected with one end of the parallel data exchange module, and the second main control module is connected with the other end of the parallel data exchange module; performing enumeration operation between a first main control module and a first host, and performing enumeration operation between a second main control module and a second host at the same time; if the enumeration operation is successful, the parallel data exchange module ferries the transmission data between the first main control module and the second main control module; and if the enumeration operation fails, the parallel data exchange module disconnects the communication between the first main device and the second main device. The transmission method realizes the ultra-high speed transmission of data under the condition of network security isolation, and has extremely short data exchange delay and extremely high security performance.

Description

Method and system for safely transmitting isolation data of ultra-high-speed network
Technical Field
The invention relates to the technical field of data transmission, in particular to a method and a system for safely transmitting isolation data of an ultra-high-speed network.
Background
With the continuous development of information construction in China, the level of integration of information system software construction and application increases day by day, and the basic services and applications based on public networks grow richer day by day; however, providing these services to system applications inside a private network is limited by the fact that the private network is physically isolated from the external network. In particular, in some special networks the internal network and the external network are physically separated at the network layer for security reasons, yet both networks have equipment in the same machine room, very close to each other; because the networks are not connected, a host on the external network cannot use the services provided by a host on the internal network, and a host on the internal network cannot use the services provided by a host on the external network.
According to the requirements of the technical specification for terminal equipment of the online energy consumption monitoring system for key energy-consuming units, data exchange between the data access end and the data sending end of the monitoring terminal equipment needs to have a security isolation function; in addition, the technical requirements for the security of network and terminal isolation products stipulate that the data exchange rate of network isolation products needs to be greater than 1000 Mbps. A network security transmission device with a bandwidth greater than 1 Gbps is therefore needed, and the internal network and the external network can be connected through this security transmission device.
Disclosure of Invention
The invention aims to solve the technical problem of providing a method and a system for safely transmitting the isolation data of the ultra-high-speed network, which can realize the ultra-high-speed transmission of the data under the condition of network safety isolation and have extremely short data exchange delay and extremely high safety performance.
In a first aspect, an embodiment of the present application provides a method for securely transmitting isolated data in an ultra-high speed network, where the method includes the following steps:
S1, connecting the first host with the first main device, and connecting the second host with the second main device; the first main equipment is connected with the first main control module, the second main equipment is connected with the second main control module, the first main control module is connected with one end of the parallel data exchange module, and the second main control module is connected with the other end of the parallel data exchange module;
S2, performing enumeration operation between the first main control module and the first host, and performing enumeration operation between the second main control module and the second host;
S3, if the enumeration operation is successful, the parallel data exchange module ferries the transmission data between the first main control module and the second main control module; if the enumeration operation fails, the parallel data exchange module disconnects the communication between the first main device and the second main device; the transmission data between the first main control module and the second main control module is file transmission data, or TCP transmission data, or UDP transmission data, and the parallel data exchange module ferries the transmission data between the first main control module and the second main control module by the following specific processes:
S31, when the first main control module sends transmission data to the second main control module, or the second main control module sends transmission data to the first main control module, firstly, the parallel data exchange module reads the configuration of the ferry channel;
S32, then, the parallel data exchange module creates a ferry channel, wherein the ferry channel is a file ferry channel, a TCP ferry channel or a UDP ferry channel;
S33, the parallel data exchange module creates a ferry request queue and then waits for a ferry request;
S34, after the parallel data exchange module obtains the ferry request, judging whether the transmission data needs to be encrypted or not, if so, encrypting the transmission data, and sending the encrypted transmission data to the ferry device;
S35, if the first main control module sends the transmission data to the second main control module, the parallel data exchange module transmits the transmission data in the ferry device to the second main control module, and the second host takes the transmission data in the second main control module through the second main device; if the second main control module sends transmission data to the first main control module, the parallel data exchange module transmits the transmission data in the ferry device to the first main control module, and the first host takes away the transmission data in the first main control module through the first main device.
In step S32, when the created ferry channel is a file ferry channel, the specific process includes the following steps:
A.1, if the created ferry channel is a file ferry channel, the parallel data exchange module enters a circular detection file directory mode to judge whether a new file exists;
A.2, if a new file exists, reading the file information, and carrying out security rule detection on the file information, namely sequentially filtering the file name, the file type and the content keywords of the file; after the filtering is finished, the parallel data exchange module enters a mode of circularly reading file data blocks, and finally sends the file data to a ferry request queue.
In step S32, when the created ferry channel is a TCP ferry channel, the specific process includes the following steps:
B.1, if the created ferry channel is a TCP communication ferry channel, the parallel data exchange module detects whether the C/S end of the first main control module or the second main control module is a client or a server (namely the source or the destination of the data); if the C/S end is the client, step B.2 is carried out; if it is the server, step B.4 is entered;
B.2, when the C/S end of the first main control module or the second main control module is detected to be a client, the parallel data exchange module first waits for a communication event; if no communication event exists, the parallel data exchange module continues to wait for the communication event; if a communication event exists, whether the event source is the first host or the second host is judged, and when the event source is the first host, step B.3.1 is carried out; when the event source is the second host, step B.3.2 is entered;
B.3.1, if the event source is the first host, judging the event type: if the event type is that the first host is disconnected from the parallel data exchange module, detecting whether a communication link between the parallel data exchange module and the second host exists, and if not, returning to step B.2 to continue waiting for the communication event; if yes, disconnecting the communication link between the parallel data exchange module and the second host; if the event type is that the first host sends data to the parallel data exchange module, security rule detection is carried out, namely IP address filtering is detected first, and if the IP address is filtered, returning to step B.2 to continue waiting for the communication event; if the IP address is released, detecting MAC address filtering, and if the MAC address is filtered, returning to step B.2 to continue waiting for the communication event; if the MAC address is released, transmitting the transmission data to the second host, and then returning to step B.2 to continue waiting for the communication event; if the event type is that the first host and the parallel data exchange module establish a communication link, security rule detection is carried out, namely IP address filtering is detected first, and if the IP address is filtered, returning to step B.2 to continue waiting for the communication event; if the IP address is released, detecting MAC address filtering, and if the MAC address is filtered, returning to step B.2 to continue waiting for the communication event; if the MAC address is released, establishing a communication link between the parallel data exchange module and the second host, sending an event that the link establishment succeeded or failed to a ferry request queue, and returning to step B.2 to continue waiting for the communication event; if the event does not conform to any of these types, returning to step B.2 to wait for the communication event;
B.3.2, if the event source is the second host, judging the event type: if the event type is that the communication link between the parallel data exchange module and the second host is disconnected, sending the link-disconnected event to a ferry request queue; if not, judging whether the event type is data communication, and if so, carrying out security rule detection, namely detecting IP address filtering first, and if the IP address is filtered, returning to step B.2 to continue waiting for the communication event; if the IP address is released, detecting MAC address filtering, and if the MAC address is filtered, returning to step B.2 to continue waiting for the communication event; if the MAC address is released, sending the communication data to a ferry request queue, and returning to step B.2 to continue waiting for a communication event; if the event does not conform to the above types, returning to step B.2 to wait for the communication event.
B.4, when the parallel data exchange module detects that the C/S end of the first main control module or the second main control module is a server, monitoring a TCP port and waiting for a communication event; if no communication event exists, continuing to wait for the communication event; if a communication event exists, judging whether the event source is the first host or the second host, and entering step B.5.1 when the event source is the first host; when the event source is the second host, entering step B.5.2;
B.5.1, if the event source is the first host, judging the event type: if the event type is that the first host establishes a link with the parallel data exchange module, performing security rule detection, namely performing IP address filtering first; if the IP address is filtered, returning to step B.4 to wait for the communication event; if the IP address is released, performing MAC address filtering; if the MAC address is filtered, returning to step B.4 to continue waiting for the communication event; if the MAC address is released, judging whether the number of connections established by the first host is full; if the number is not full, sending a request for establishing a connection between the first host and the parallel data exchange module to a ferry request queue; if the number is full, disconnecting the external communication connection and returning to step B.4 to continue waiting for the communication event; if the event type is that the first host is disconnected from the parallel data exchange module, sending the event that the first host is disconnected from the parallel data exchange module to a ferry request queue, and returning to step B.4 to continue waiting for the communication event; if the event is data communication, security rule detection is carried out, namely IP address filtering is performed first; if the IP address is filtered, returning to step B.4 to continue waiting for the communication event; if the IP address is released, performing MAC address filtering; if the MAC address is filtered, returning to step B.4 to continue waiting for the communication event; if the MAC address is released, sending the communication data to a ferry request queue; if the event does not conform to the above types, returning to step B.4 to wait for the communication event.
B.5.2, if the event source is the second host, judging the event type: if the event type is that the second host is disconnected from the data interaction module, disconnecting the communication link between the first host and the parallel data exchange module; if the event type is data communication, security rule detection is carried out, namely IP address filtering is performed first; if the IP address is filtered, returning to step B.4 to wait for the communication event; if the IP address is released, performing MAC address filtering; if the MAC address is filtered, returning to step B.4 to wait for the communication event; and if the MAC address is released, sending the communication data to the first host; if the event does not conform to the above types, returning to step B.4 to wait for the communication event.
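As an added illustration (not code from the patent), the following Python models the server-side TCP ferry event loop of steps B.4 to B.5.2: IP address filtering first, then MAC address filtering, the connection-count check for link requests from the first host, and the ferry request queue that receives connection, disconnection and data requests. As the description of TCP transmission states, what crosses the ferry carries only a link identifier and payload, never the source or destination address. The allowed networks, MAC list, connection limit and event sequence are constructed assumptions.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Event:
    source: str          # "first" (intranet host) or "second" (extranet host)
    kind: str            # "connect", "disconnect", "data", or anything else
    link: int            # connection identifier on the host side
    ip: str = ""
    mac: str = ""
    data: bytes = b""


@dataclass
class ServerFerry:
    """Server-side TCP ferry channel; events from both hosts pass the same rules."""
    allowed_nets: list              # CIDR strings (constructed allow-list)
    allowed_macs: set               # lowercase MAC strings (constructed allow-list)
    max_connections: int
    links: set = field(default_factory=set)             # links open with the first host
    ferry_queue: deque = field(default_factory=deque)   # requests for the ferry device
    to_first: deque = field(default_factory=deque)      # data delivered to the first host

    def security_rules(self, ev):
        """IP filtering first, then MAC filtering; None if released, else the reason."""
        try:
            addr = ipaddress.ip_address(ev.ip)
        except ValueError:
            return "ip"                      # missing or malformed address is filtered
        if not any(addr in ipaddress.ip_network(n) for n in self.allowed_nets):
            return "ip"
        if ev.mac.lower() not in self.allowed_macs:
            return "mac"
        return None

    def handle(self, ev):
        """One iteration of step B.4: dispatch on the event source."""
        if ev.source == "first":
            return self._from_first(ev)
        if ev.source == "second":
            return self._from_second(ev)
        return "ignored"

    def _from_first(self, ev):               # step B.5.1
        if ev.kind == "connect":
            reason = self.security_rules(ev)
            if reason:
                return f"filtered:{reason}"
            if len(self.links) >= self.max_connections:
                return "refused:full"        # disconnect the external connection
            self.links.add(ev.link)
            self.ferry_queue.append(("connect", ev.link))
            return "queued:connect"
        if ev.kind == "disconnect":
            self.links.discard(ev.link)
            self.ferry_queue.append(("disconnect", ev.link))
            return "queued:disconnect"
        if ev.kind == "data":
            reason = self.security_rules(ev)
            if reason:
                return f"filtered:{reason}"
            # only the link id and payload are queued: addresses are erased here
            self.ferry_queue.append(("data", ev.link, ev.data))
            return "queued:data"
        return "ignored"

    def _from_second(self, ev):              # step B.5.2
        if ev.kind == "disconnect":
            self.links.discard(ev.link)      # drop the first-host side of the link
            return "closed:first-link"
        if ev.kind == "data":
            reason = self.security_rules(ev)
            if reason:
                return f"filtered:{reason}"
            self.to_first.append((ev.link, ev.data))
            return "sent:first"
        return "ignored"


def run_demo():
    """Constructed event sequence: a permitted client, filtered ones, and a full table."""
    ferry = ServerFerry(allowed_nets=["10.1.0.0/16"],
                        allowed_macs={"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
                        max_connections=1)
    events = [
        Event("first", "connect", 1, "10.1.2.3", "AA:BB:CC:00:00:01"),
        Event("first", "data", 1, "10.1.2.3", "aa:bb:cc:00:00:01", b"SELECT 1"),
        Event("first", "connect", 2, "192.168.9.9", "aa:bb:cc:00:00:02"),   # wrong network
        Event("first", "connect", 3, "10.1.2.4", "de:ad:be:ef:00:00"),      # unknown MAC
        Event("first", "connect", 4, "10.1.2.5", "aa:bb:cc:00:00:02"),      # table full
        Event("second", "data", 1, "10.1.7.7", "aa:bb:cc:00:00:01", b"row"),
        Event("first", "keepalive", 1),                                     # unknown type
        Event("second", "disconnect", 1),
    ]
    return ferry, [ferry.handle(e) for e in events]
```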
In step S32, when the created ferry channel is a UDP ferry channel, the specific process includes the following steps:
C.1, if the created ferry channel is a UDP ferry channel, the parallel data exchange module monitors a UDP port and waits for a communication event; if no communication event exists, it continues to wait for the communication event; if a communication event exists, judging whether the event source is the opposite-end host or the local-end host, where if the local-end host is the first host, the opposite-end host is the second host, and if the local-end host is the second host, the opposite-end host is the first host;
C.2, if the event source is the local-end host, performing security rule detection, namely performing IP address filtering first; if the IP address is filtered, returning to step C.1 to wait for the communication event; if the IP address is released, performing MAC address filtering; if the MAC address is filtered, returning to step C.1 to wait for the communication event; if the MAC address is released, sending the communication data to a ferry request queue and returning to step C.1 to wait for the communication event;
C.3, if the event source is the opposite-end host, carrying out security rule detection, namely carrying out IP address filtering first; returning to step C.1 to wait for the communication event if the IP address is filtered; carrying out MAC address filtering if the IP address is released; returning to step C.1 to wait for the communication event if the MAC address is filtered; and sending the communication data to the local-end host and returning to step C.1 to wait for the communication event if the MAC address is released.
In step S34, the specific method of determining whether the transmission data needs to be encrypted is: firstly, judging whether full-text encryption is needed to be carried out on transmission data, if so, carrying out full-text encryption on the transmission data, and sending the encrypted transmission data to a ferry device; if not, judging whether fixed block encryption is needed to be carried out on the transmission data, if so, carrying out fixed block encryption on the ferry data, and sending the encrypted ferry data to the ferry device; and if not, judging whether random block encryption is needed to be carried out on ferry data, if so, carrying out random block encryption on the ferry data, and sending the encrypted ferry data to the ferry device.
The invention has the beneficial effects that: by adopting the method for safely transmitting the isolation data of the ultra-high-speed network, the parallel data exchange module is used as a unique and safe data interaction channel for the communication of the two hosts and is responsible for transmitting data between the two hosts under different networks, so that the data communication between the host of the trusted network end and the host of the untrusted network end is realized, and the safe data transmission of the two hosts is realized on the premise that two network links are disconnected; the transmission method realizes the ultra-high speed transmission of data under the condition of network security isolation, and has extremely short data exchange delay and extremely high security performance.
In a second aspect, an embodiment of the present application provides an ultra-high speed network isolated data security transmission system, which includes a first host, a first main device connected to the first host, a second host, a second main device connected to the second host, and a security transmission device connected between the first main device and the second main device. The security transmission device comprises a first main control module connected with the first main device, a parallel data exchange module, and a second main control module connected with the second main device; the first main control module comprises a first controller and the second main control module comprises a second controller; the first controller is connected with one end of the parallel data exchange module and the second controller is connected with the other end of the parallel data exchange module; the first controller can respond to a data request of the first host and exchange data with the second controller through the parallel data exchange module, and the second controller can respond to a data request of the second host and exchange data with the first controller through the parallel data exchange module.
Preferably, the first master device includes a first USB power interface and a first USB communication interface, the first master control module includes a first slave power interface and a first slave communication interface, the first USB power interface is connected to the first slave power interface, the first USB communication interface is connected to the first slave communication interface, and with this structure, the first USB power interface is connected to the first slave power interface, so that the first master device provides power to the first master control module; the first USB communication interface is connected with the first slave communication interface, so that the first master device provides an information request of the first host for the first master control module.
Preferably, the second master device includes a second USB power interface and a second USB communication interface, the second master control module includes a second slave power interface and a second slave communication interface, the second USB power interface is connected to the second slave power interface, the second USB communication interface is connected to the second slave communication interface, and with this configuration, the second USB power interface is connected to the second slave power interface, so that the second master device provides power to the second master control module; the second USB communication interface is connected with the second slave communication interface, so that the second master device provides an information request of the second host for the second master control module.
Preferably, the parallel data exchange module comprises a programmable I/O port, one end of which is connected with the first controller and the other end of which is connected with the second controller, and the programmable I/O port comprises 32 bidirectional data lines for data transmission and 16 configurable control lines for logic control of a data transmission channel.
By adopting the ultra-high-speed network isolation data security transmission system, the parallel data exchange module is used as the only and secure data interaction channel for the communication of the two hosts, the data exchange between the two hosts is realized on hardware, the ultra-high-speed transmission of data under the network security isolation condition is realized, the data exchange delay is extremely short, and the security performance is extremely high.
Drawings
FIG. 1 is a flow chart of the method for secure transmission of isolated data in an ultra-high speed network according to the present invention;
FIG. 2 is a specific flowchart of file ferrying when the created ferry channel is a file ferry channel in the present invention;
FIG. 3 is a specific flowchart of TCP ferrying when the created ferry channel is a TCP ferry channel in the present invention;
FIG. 4 is a specific flowchart of UDP ferrying when the created ferry channel is a UDP ferry channel in the present invention;
FIG. 5 is a schematic structural diagram of an ultra-high speed network isolated data security transmission device according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings in combination with specific embodiments so that those skilled in the art can practice the invention with reference to the description, and the scope of the invention is not limited to the specific embodiments.
The embodiment of the application provides a method for safely transmitting isolated data of an ultra-high-speed network, which comprises the following steps as shown in fig. 1:
S1, connecting the first host with the first main device, and connecting the second host with the second main device; the first main equipment is connected with the first main control module, the second main equipment is connected with the second main control module, the first main control module is connected with one end of the parallel data exchange module, and the second main control module is connected with the other end of the parallel data exchange module; the first host is equivalent to an intranet host, and the second host is equivalent to an extranet host;
S2, performing enumeration operation between the first main control module and the first host, and performing enumeration operation between the second main control module and the second host;
through enumeration, the first host obtains information such as the PID value, VID value, endpoint information and packet length of the first main control module, and the second host obtains the PID value, VID value, endpoint information, packet length and similar information of the second main control module; the PID value and VID value obtained by the first host through enumeration are loaded into the driver of the first main control module, and after enumeration succeeds the first host obtains control of the first main control module; similarly, the second host obtains control of the second main control module. The first main control module and the second main control module are equivalent to USB peripherals: the VID value is the manufacturer ID of the USB peripheral (unique), the PID value is the product identification code of the USB peripheral (defined by the manufacturer), the host distinguishes different USB peripherals through their VIDs and PIDs, and the endpoint information is the corresponding port number under which the USB peripheral is loaded on the host USB root hub.
S3, if the enumeration operation is successful, the parallel data exchange module ferries (one-way transmission) the transmission data between the first main control module and the second main control module; if the enumeration operation fails, the parallel data exchange module disconnects the communication between the first main device and the second main device; the transmission data between the first main control module and the second main control module is file transmission data, or TCP transmission data, or UDP transmission data, and the parallel data exchange module ferries the transmission data between the first main control module and the second main control module by the following specific processes:
S31, when the first main control module sends transmission data to the second main control module, or the second main control module sends transmission data to the first main control module, firstly, the parallel data exchange module reads the configuration of the ferry channel;
S32, then, the parallel data exchange module creates a ferry channel, wherein the ferry channel is a file ferry channel, a TCP ferry channel or a UDP ferry channel;
S33, the parallel data exchange module creates a ferry request queue and then waits for a ferry request;
S34, after the parallel data exchange module obtains the ferry request, judging whether the transmission data needs to be encrypted or not, if so, encrypting the transmission data, and sending the encrypted transmission data to the ferry device;
S35, if the first main control module sends the transmission data to the second main control module, the parallel data exchange module transmits the transmission data in the ferry device to the second main control module, and the second host takes the transmission data in the second main control module through the second main device; if the second main control module sends transmission data to the first main control module, the parallel data exchange module transmits the transmission data in the ferry device to the first main control module, and the first host takes away the transmission data in the first main control module through the first main device.
File transfers, TCP transfers, and UDP transfers are oriented to different data ferrying application scenarios for users.
For the application scenario in which a user needs to ferry a document safely from one network to another, and the document needs to be verified safely, file transmission can meet the user's requirements. File transmission is characterized in that the two networks can be completely isolated, and the safe ferrying of the file can be completed without any protocol communication.
The application scenario for the user is that a TCP protocol communication needs to be established from one network to another network, such as access to a database, access to a server and the like, and when the link safety is required, the TCP transmission can meet the user requirements. The TCP transmission is characterized in that sensitive information such as a source address, a destination address and the like in a TCP message can be erased after ferrying through the parallel data exchange module, and the parallel data exchange module realizes the safe transmission of the isolation data of the ultra-high-speed network.
According to the application scenario of a user, UDP protocol communication needs to be established from one network to another network, for example, audio streams and video streams are transmitted, and when the link safety is required, UDP transmission can meet the user requirements. The UDP transmission is characterized in that sensitive information such as a source address, a destination address and the like in the UDP message can be erased after ferrying through the parallel data exchange module, and the parallel data exchange module realizes the safe transmission of the isolation data of the ultra-high speed network.
In step S32, when the created ferry channel is a file ferry channel, as shown in fig. 2, the specific process includes the following steps:
A.1, if the created ferry channel is a file ferry channel, the parallel data exchange module enters a mode of cyclically scanning the file directory to judge whether a new file exists;
A.2, if a new file exists, the file information is read and security rule detection is carried out on it, namely the file name, the file type and the content keywords of the file are filtered in sequence; after the filtering is finished, the parallel data exchange module enters a mode of cyclically reading the file data blocks, and finally sends the file data to the ferry request queue.
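The file ferry channel of steps A.1 and A.2, as an added example that is not code from the patent: a directory is polled for new files, the three security rules are applied in the order the text gives (file name, file type, content keywords), and an accepted file is read in fixed-size data blocks onto the ferry request queue. The concrete rule values, the block size and the `demo()` sample files are assumptions constructed for this example.

```python
import re
import tempfile
from collections import deque
from pathlib import Path

# Assumed rule set: the patent fixes the three checks and their order, not
# their values. Name pattern and type list are allowlists, keywords a blocklist.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9_.-]+$")
ALLOWED_TYPES = {".txt", ".csv", ".pdf"}
BLOCKED_KEYWORDS = (b"TOP SECRET", b"INTERNAL ONLY")
BLOCK_SIZE = 4096   # assumed size of one file data block


def check_file(path: Path) -> str:
    """Sequential security rule detection for one file.

    Returns "ok" when every rule passes, otherwise the name of the first rule
    that rejected the file ("name", "type" or "keyword").
    """
    if not NAME_PATTERN.match(path.name):
        return "name"
    if path.suffix.lower() not in ALLOWED_TYPES:
        return "type"
    # Keyword scan: this example reads whole (small) files; a production scan
    # would stream the content and bound how much it inspects.
    data = path.read_bytes()
    if any(kw in data for kw in BLOCKED_KEYWORDS):
        return "keyword"
    return "ok"


def read_blocks(path: Path, block_size: int = BLOCK_SIZE):
    """Cyclically read the file in data blocks (the reading mode of step A.2)."""
    with path.open("rb") as fh:
        while True:
            block = fh.read(block_size)
            if not block:
                break
            yield block


class FileFerryChannel:
    """Polls a directory, filters new files and queues the blocks of accepted ones."""

    def __init__(self, directory):
        self.directory = Path(directory)
        self.seen = set()          # file names already handled
        self.queue = deque()       # ferry request queue: (name, block index, bytes)
        self.rejected = {}         # file name -> rule that rejected it

    def poll_once(self) -> list:
        """One pass of the cyclic directory scan; returns names queued this pass."""
        queued = []
        for path in sorted(self.directory.iterdir()):
            if not path.is_file() or path.name in self.seen:
                continue
            self.seen.add(path.name)
            verdict = check_file(path)
            if verdict != "ok":
                self.rejected[path.name] = verdict
                continue
            for index, block in enumerate(read_blocks(path)):
                # Each entry carries the file name so the far side can reassemble.
                self.queue.append((path.name, index, block))
            queued.append(path.name)
        return queued


def demo() -> dict:
    """Constructed sample: four files in a temp dir, one per outcome."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "report.txt").write_bytes(b"quarterly figures\n" * 300)   # accepted, 5400 B
    (tmp / "bad name!.txt").write_bytes(b"x")                          # fails name rule
    (tmp / "tool.exe").write_bytes(b"MZ")                              # fails type rule
    (tmp / "memo.txt").write_bytes(b"TOP SECRET draft")                # fails keyword rule
    chan = FileFerryChannel(tmp)
    queued = chan.poll_once()
    return {"queued": queued, "rejected": chan.rejected, "blocks": len(chan.queue)}
```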
In step S32, when the created ferry channel is a TCP ferry channel, as shown in fig. 3, the specific process includes the following steps:
B.1, if the created ferry channel is a TCP communication ferry channel, the parallel data exchange module detects whether the C/S end of the first main control module or the second main control module is a client or a server (namely the source or the destination of the data); if the C/S end is the client, step B.2 is entered; if the C/S end is the server, step B.4 is entered;
B.2, when the C/S end of the first main control module or the second main control module is detected to be a client, the parallel data exchange module first waits for a communication event; if there is no communication event, it continues to wait; if there is a communication event, it judges whether the event source is the first host or the second host, and when the event source is the first host, step B.3.1 is entered; when the event source is the second host, step B.3.2 is entered;
B.3.1, if the event source is the first host, the event type is judged. If the event type is that the first host has disconnected from the parallel data exchange module, it is detected whether a communication link between the parallel data exchange module and the second host exists; if not, return to step B.2 to continue waiting for the communication event; if yes, disconnect the communication link between the parallel data exchange module and the second host. If the event type is that the first host sends data to the parallel data exchange module, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.2 to continue waiting for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.2 to continue waiting for the communication event; if the MAC address is released, the transmission data is transmitted to the second host, and then return to step B.2 to continue waiting for the communication event. If the event type is that the first host establishes a communication link with the parallel data exchange module, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.2 to continue waiting for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.2 to continue waiting for the communication event; if the MAC address is released, a communication link between the parallel data exchange module and the second host is established, an event that the link establishment succeeded or failed is sent to the ferry request queue, and return to step B.2 to continue waiting for the communication event. If the event does not conform to any of the above types, return to step B.2 to wait for the communication event;
B.3.2, if the event source is the second host, the event type is judged. If the event type is that the communication link between the parallel data exchange module and the second host has been disconnected, the link-disconnected event is sent to the ferry request queue; otherwise, it is judged whether the event type is data communication, and if so, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.2 to continue waiting for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.2 to continue waiting for the communication event; if the MAC address is released, the communication data is sent to the ferry request queue, and return to step B.2 to continue waiting for the communication event. If the event does not conform to any of the above types, return to step B.2 to wait for the communication event.
B.4, when the parallel data exchange module detects that the C/S end of the first main control module or the second main control module is a server, it listens on a TCP port and waits for a communication event; if there is no communication event, it continues to wait; if there is a communication event, it judges whether the event source is the first host or the second host, and when the event source is the first host, step B.5.1 is entered; when the event source is the second host, step B.5.2 is entered;
B.5.1, if the event source is the first host, the event type is judged. If the event type is that the first host establishes a link with the parallel data exchange module, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.4 to wait for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.4 to continue waiting for the communication event; if the MAC address is released, it is judged whether the number of connections established by the first host is full; if not full, a request to establish a connection between the first host and the parallel data exchange module is sent to the ferry request queue; if full, the external communication connection is disconnected and return to step B.4 to continue waiting for the communication event. If the event type is that the first host has disconnected from the parallel data exchange module, the event that the first host has disconnected from the parallel data exchange module is sent to the ferry request queue, and return to step B.4 to continue waiting for the communication event. If the event is data communication, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.4 to continue waiting for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.4 to continue waiting for the communication event; if the MAC address is released, the communication data is sent to the ferry request queue. If the event does not conform to any of the above types, return to step B.4 to wait for the communication event.
B.5.2, if the event source is the second host, the event type is judged. If the event type is that the second host has disconnected from the data interaction module, the communication link between the first host and the parallel data exchange module is disconnected. If the event type is data communication, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.4 to wait for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.4 to wait for the communication event; if the MAC address is released, the communication data is sent to the first host. If the event does not conform to any of the above types, return to step B.4 to wait for the communication event.
In step S32, when the created ferry channel is a UDP ferry channel, as shown in fig. 4, the specific process includes the following steps:
C.1, if the created ferry channel is a UDP ferry channel, the parallel data exchange module listens on a UDP port and waits for a communication event; if there is no communication event, it continues to wait; if there is a communication event, it judges whether the event source is the opposite-end host or the local-end host, where if the local-end host is the first host, the opposite-end host is the second host, and if the local-end host is the second host, the opposite-end host is the first host;
C.2, if the event source is the local-end host, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step C.1 to wait for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step C.1 to wait for the communication event; if the MAC address is released, the communication data is sent to the ferry request queue, and return to step C.1 to wait for the communication event;
C.3, if the event source is the opposite-end host, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step C.1 to wait for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step C.1 to wait for the communication event; if the MAC address is released, the communication data is sent to the local-end host, and return to step C.1 to wait for the communication event.
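The event dispatch of the TCP ferry channel in server mode (steps B.4 to B.5.2) and of the UDP ferry channel (steps C.1 to C.3), as one added example that is not code from the patent; both share the same two-stage security rule detection (IP address first, then MAC address). Sockets are replaced by constructed `Event` records, and the allowlists, the connection limit and the event field names are assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Event:
    source: str          # "first" (first host) or "second" (second host)
    kind: str            # "connect", "disconnect", "data", or anything else
    ip: str = ""
    mac: str = ""
    payload: bytes = b""


class SecurityRules:
    """Security rule detection: IP filtering first, then MAC filtering.
    Allowlists are an assumption; the patent only fixes the order."""

    def __init__(self, allowed_ips, allowed_macs):
        self.allowed_ips = set(allowed_ips)
        self.allowed_macs = {m.lower() for m in allowed_macs}

    def check(self, ev: Event) -> str:
        if ev.ip not in self.allowed_ips:
            return "ip_filtered"
        if ev.mac.lower() not in self.allowed_macs:
            return "mac_filtered"
        return "released"


class TcpServerFerry:
    """Steps B.4 to B.5.2: the module listens on a TCP port and dispatches events.
    Each return value stands for 'return to step B.4 and wait for the next event'."""

    def __init__(self, rules: SecurityRules, max_connections: int):
        self.rules = rules
        self.max_connections = max_connections   # assumed connection limit
        self.connections = 0                     # links held by the first host
        self.queue = deque()                     # ferry request queue
        self.to_first_host = []                  # data delivered to the first host

    def handle(self, ev: Event) -> str:
        if ev.source == "first":
            return self._from_first_host(ev)
        return self._from_second_host(ev)

    def _from_first_host(self, ev: Event) -> str:   # step B.5.1
        if ev.kind == "connect":
            verdict = self.rules.check(ev)
            if verdict != "released":
                return verdict
            if self.connections >= self.max_connections:
                return "connection_full"         # external connection is dropped
            self.connections += 1
            self.queue.append(("connect", ev.ip))
            return "queued_connect"
        if ev.kind == "disconnect":
            self.connections = max(0, self.connections - 1)
            self.queue.append(("disconnect", ev.ip))
            return "queued_disconnect"
        if ev.kind == "data":
            verdict = self.rules.check(ev)
            if verdict != "released":
                return verdict
            self.queue.append(("data", ev.payload))
            return "queued_data"
        return "ignored"

    def _from_second_host(self, ev: Event) -> str:  # step B.5.2
        if ev.kind == "disconnect":
            self.connections = 0                 # tear down the first host's link
            return "link_closed"
        if ev.kind == "data":
            verdict = self.rules.check(ev)
            if verdict != "released":
                return verdict
            self.to_first_host.append(ev.payload)
            return "sent_to_first_host"
        return "ignored"


class UdpFerry:
    """Steps C.1 to C.3: datagrams from the local-end host go to the ferry request
    queue, datagrams from the opposite-end host go to the local-end host."""

    def __init__(self, rules: SecurityRules, local: str):
        self.rules = rules
        self.local = local                       # "first" or "second"
        self.queue = deque()
        self.to_local_host = []

    def handle(self, ev: Event) -> str:
        verdict = self.rules.check(ev)           # same two-stage check as TCP
        if verdict != "released":
            return verdict
        if ev.source == self.local:              # step C.2
            self.queue.append(ev.payload)
            return "queued_data"
        self.to_local_host.append(ev.payload)    # step C.3
        return "sent_to_local_host"
```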
In step S34, the specific method for determining whether the transmission data needs to be encrypted is as follows: first, judge whether full-text encryption needs to be carried out on the transmission data; if so, carry out full-text encryption on the transmission data and send the encrypted transmission data to the ferry device; if not, judge whether fixed block encryption needs to be carried out on the transmission data; if so, carry out fixed block encryption on the ferry data and send the encrypted ferry data to the ferry device; if not, judge whether random block encryption needs to be carried out on the ferry data; if so, carry out random block encryption on the ferry data and send the encrypted ferry data to the ferry device.
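The three-way decision of step S34 (full-text, then fixed block, then random block encryption), as an added example that is not code from the patent. The patent does not name the cipher, key handling, block size or block count, so the cipher here is a stand-in keystream built from HMAC-SHA256 in counter mode (chosen only so the example runs on the standard library), and the block size, the policy keys and the header format are assumptions; the point it shows is that partial-block modes must carry the encrypted block indices to the receiver.

```python
import hashlib
import hmac
import json
import random

BLOCK_SIZE = 16   # assumed block size in bytes


def keystream(key: bytes, nonce: bytes, block_index: int, length: int) -> bytes:
    """Stand-in keystream for one block: HMAC-SHA256(key, nonce || index || ctr)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        msg = nonce + block_index.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def xor_block(key: bytes, nonce: bytes, index: int, block: bytes) -> bytes:
    """Encrypt or decrypt one block (XOR with its keystream is its own inverse)."""
    ks = keystream(key, nonce, index, len(block))
    return bytes(a ^ b for a, b in zip(block, ks))


def choose_blocks(policy: dict, nblocks: int, rng: random.Random) -> list:
    """The S34 decision order: full text, else fixed blocks, else random blocks."""
    if policy.get("full_text"):
        return list(range(nblocks))
    if policy.get("fixed_blocks") is not None:
        # Fixed positions, e.g. leading blocks that carry headers or metadata.
        return [i for i in policy["fixed_blocks"] if i < nblocks]
    if policy.get("random_blocks"):
        k = min(policy["random_blocks"], nblocks)
        return sorted(rng.sample(range(nblocks), k))
    return []   # no encryption needed: data goes to the ferry device as-is


def encrypt_for_ferry(data: bytes, key: bytes, nonce: bytes, policy: dict,
                      seed=None) -> tuple:
    """Return (header, body). The header records which block indices were
    encrypted; without it the receiver could not undo random block encryption.
    A seed is accepted only to make the random mode reproducible in tests."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    chosen = choose_blocks(policy, len(blocks), rng)
    for i in chosen:
        blocks[i] = xor_block(key, nonce, i, blocks[i])
    header = json.dumps({"nonce": nonce.hex(), "blocks": chosen}).encode()
    return header, b"".join(blocks)


def encrypted_block_indices(header: bytes) -> list:
    """Which blocks the sender encrypted, as recorded in the header."""
    return json.loads(header)["blocks"]


def decrypt_from_ferry(header: bytes, body: bytes, key: bytes) -> bytes:
    """Reverse exactly the blocks named in the header."""
    meta = json.loads(header)
    nonce = bytes.fromhex(meta["nonce"])
    blocks = [body[i:i + BLOCK_SIZE] for i in range(0, len(body), BLOCK_SIZE)]
    for i in meta["blocks"]:
        blocks[i] = xor_block(key, nonce, i, blocks[i])
    return b"".join(blocks)
```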
By adopting the method for safely transmitting the isolation data of the ultra-high-speed network, the parallel data exchange module is used as a unique and safe data interaction channel for the communication of the two hosts and is responsible for transmitting data between the two hosts under different networks, so that the data communication between the host of the trusted network end and the host of the untrusted network end is realized, and the safe data transmission of the two hosts is realized on the premise that two network links are disconnected; the transmission method realizes the ultra-high speed transmission of data under the condition of network security isolation, the theoretical bandwidth is as high as 4Gbps, the data exchange delay is extremely short and can reach about 2ms, and the security performance is extremely high.
The embodiment of the present application further provides a system for the secure transmission of ultra-high-speed network isolation data, as shown in fig. 5, which comprises a first host, a first main device connected to the first host, a second host, a second main device connected to the second host, and a safety transmission device connected between the first main device and the second main device. The safety transmission device comprises a first main control module connected with the first main device, a parallel data exchange module, and a second main control module connected with the second main device; the first main control module comprises a first controller, the second main control module comprises a second controller, the first controller is connected with one end of the parallel data exchange module, the second controller is connected with the other end of the parallel data exchange module, and the first controller can respond to a data request of the first host and exchange data with the second controller through the parallel data exchange module; the second controller can respond to a data request of the second host and exchange data with the first controller through the parallel data exchange module.
The first master device comprises a first USB power interface and a first USB communication interface, the first master control module comprises a first slave power interface and a first slave communication interface, the first USB power interface is connected with the first slave power interface, the first USB communication interface is connected with the first slave communication interface, and by adopting the structure, the first USB power interface is connected with the first slave power interface, so that the first master device provides power for the first master control module; the first USB communication interface is connected with the first slave communication interface, so that the first master device provides an information request of the first host for the first master control module.
The second master device comprises a second USB power interface and a second USB communication interface, the second master control module comprises a second slave power interface and a second slave communication interface, the second USB power interface is connected with the second slave power interface, the second USB communication interface is connected with the second slave communication interface, and by adopting the structure, the second USB power interface is connected with the second slave power interface, so that the second master device provides power for the second master control module; the second USB communication interface is connected with the second slave communication interface, so that the second master device provides an information request of the second host for the second master control module.
The parallel data exchange module comprises a programmable I/O port, one end of the programmable I/O port is connected with the first controller, the other end of the programmable I/O port is connected with the second controller, the programmable I/O port comprises 32 bidirectional data lines for data transmission and 16 configurable control lines for logic control of a data transmission channel, and by adopting the structure, ultra-high-speed communication of data between a host at a trusted network end and a host at an untrusted network end can be realized, and the file exchange delay is extremely low, and the reliability is good.
The first main control module and the second main control module each comprise an EEPROM (electrically erasable programmable read-only memory), which is used to store the firmware (program) of the corresponding controller.
By adopting the ultra-high-speed network isolation data security transmission system, the parallel data exchange module is used as the only and secure data interaction channel for the communication of the two hosts, the data exchange between the two hosts is realized on hardware, the ultra-high-speed transmission of data under the network security isolation condition is realized, the data exchange delay is extremely short, and the security performance is extremely high.

Claims (9)

1. A method for safely transmitting isolation data of an ultra-high-speed network, characterized in that the method comprises the following steps:
S1, connecting the first host with the first main device, and connecting the second host with the second main device; the first main device is connected with the first main control module, the second main device is connected with the second main control module, the first main control module is connected with one end of the parallel data exchange module, and the second main control module is connected with the other end of the parallel data exchange module;
S2, performing an enumeration operation between the first main control module and the first host, and performing an enumeration operation between the second main control module and the second host;
S3, if the enumeration operation succeeds, the parallel data exchange module ferries the transmission data between the first main control module and the second main control module; if the enumeration operation fails, the parallel data exchange module disconnects the communication between the first main device and the second main device; the transmission data between the first main control module and the second main control module is file transmission data, TCP transmission data or UDP transmission data, and the parallel data exchange module ferries the transmission data between the first main control module and the second main control module by the following specific process:
S31, when the first main control module sends transmission data to the second main control module, or the second main control module sends transmission data to the first main control module, the parallel data exchange module first reads the configuration of the ferry channel;
S32, the parallel data exchange module then creates a ferry channel, wherein the ferry channel is a file ferry channel, a TCP ferry channel or a UDP ferry channel;
S33, the parallel data exchange module creates a ferry request queue and then waits for a ferry request;
S34, after the parallel data exchange module obtains the ferry request, it judges whether the transmission data needs to be encrypted; if so, it encrypts the transmission data and sends the encrypted transmission data to the ferry device;
S35, if the first main control module sends the transmission data to the second main control module, the parallel data exchange module transmits the transmission data in the ferry device to the second main control module, and the second host takes away the transmission data in the second main control module through the second main device; if the second main control module sends the transmission data to the first main control module, the parallel data exchange module transmits the transmission data in the ferry device to the first main control module, and the first host takes away the transmission data in the first main control module through the first main device.
2. The method for the secure transmission of the isolated data in the ultra high speed network according to claim 1, wherein: in step S32, when the created ferry channel is a file ferry channel, the specific process includes the following steps:
A.1, if the created ferry channel is a file ferry channel, the parallel data exchange module enters a mode of cyclically scanning the file directory to judge whether a new file exists;
A.2, if a new file exists, the file information is read and security rule detection is carried out on it, namely the file name, the file type and the content keywords of the file are filtered in sequence; after the filtering is finished, the parallel data exchange module enters a mode of cyclically reading the file data blocks, and finally sends the file data to the ferry request queue.
3. The method for the secure transmission of the isolated data in the ultra high speed network according to claim 1, wherein: in step S32, when the created ferry channel is a TCP ferry channel, the specific process includes the following steps:
B.1, if the created ferry channel is a TCP communication ferry channel, the parallel data exchange module detects whether the C/S end of the first main control module or the second main control module is a client or a server; if the C/S end is the client, step B.2 is entered; if the C/S end is the server, step B.4 is entered;
B.2, when the C/S end of the first main control module or the second main control module is detected to be a client, the parallel data exchange module first waits for a communication event; if there is no communication event, it continues to wait; if there is a communication event, it judges whether the event source is the first host or the second host, and when the event source is the first host, step B.3.1 is entered; when the event source is the second host, step B.3.2 is entered;
B.3.1, if the event source is the first host, the event type is judged. If the event type is that the first host has disconnected from the parallel data exchange module, it is detected whether a communication link between the parallel data exchange module and the second host exists; if not, return to step B.2 to continue waiting for the communication event; if yes, disconnect the communication link between the parallel data exchange module and the second host. If the event type is that the first host sends data to the parallel data exchange module, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.2 to continue waiting for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.2 to continue waiting for the communication event; if the MAC address is released, the transmission data is transmitted to the second host, and then return to step B.2 to continue waiting for the communication event. If the event type is that the first host establishes a communication link with the parallel data exchange module, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.2 to continue waiting for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.2 to continue waiting for the communication event; if the MAC address is released, a communication link between the parallel data exchange module and the second host is established, an event that the link establishment succeeded or failed is sent to the ferry request queue, and return to step B.2 to continue waiting for the communication event. If the event does not conform to any of the above types, return to step B.2 to wait for the communication event;
B.3.2, if the event source is the second host, the event type is judged. If the event type is that the communication link between the parallel data exchange module and the second host has been disconnected, the link-disconnected event is sent to the ferry request queue; otherwise, it is judged whether the event type is data communication, and if so, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.2 to continue waiting for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.2 to continue waiting for the communication event; if the MAC address is released, the communication data is sent to the ferry request queue, and return to step B.2 to continue waiting for the communication event. If the event does not conform to any of the above types, return to step B.2 to wait for the communication event.
B.4, when the parallel data exchange module detects that the C/S end of the first main control module or the second main control module is a server, it listens on a TCP port and waits for a communication event; if there is no communication event, it continues to wait; if there is a communication event, it judges whether the event source is the first host or the second host, and when the event source is the first host, step B.5.1 is entered; when the event source is the second host, step B.5.2 is entered;
B.5.1, if the event source is the first host, the event type is judged. If the event type is that the first host establishes a link with the parallel data exchange module, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.4 to wait for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.4 to continue waiting for the communication event; if the MAC address is released, it is judged whether the number of connections established by the first host is full; if not full, a request to establish a connection between the first host and the parallel data exchange module is sent to the ferry request queue; if full, the external communication connection is disconnected and return to step B.4 to continue waiting for the communication event. If the event type is that the first host has disconnected from the parallel data exchange module, the event that the first host has disconnected from the parallel data exchange module is sent to the ferry request queue, and return to step B.4 to continue waiting for the communication event. If the event is data communication, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.4 to continue waiting for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.4 to continue waiting for the communication event; if the MAC address is released, the communication data is sent to the ferry request queue. If the event does not conform to any of the above types, return to step B.4 to wait for the communication event.
B.5.2, if the event source is the second host, the event type is judged. If the event type is that the second host has disconnected from the data interaction module, the communication link between the first host and the parallel data exchange module is disconnected. If the event type is data communication, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step B.4 to wait for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step B.4 to wait for the communication event; if the MAC address is released, the communication data is sent to the first host. If the event does not conform to any of the above types, return to step B.4 to wait for the communication event.
4. The method for the secure transmission of the isolated data in the ultra high speed network according to claim 1, wherein: in step S32, when the created ferry channel is a UDP ferry channel, the specific process includes the following steps:
C.1, if the created ferry channel is a UDP ferry channel, the parallel data exchange module listens on a UDP port and waits for a communication event; if there is no communication event, it continues to wait; if there is a communication event, it judges whether the event source is the opposite-end host or the local-end host, where if the local-end host is the first host, the opposite-end host is the second host, and if the local-end host is the second host, the opposite-end host is the first host;
C.2, if the event source is the local-end host, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step C.1 to wait for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step C.1 to wait for the communication event; if the MAC address is released, the communication data is sent to the ferry request queue, and return to step C.1 to wait for the communication event;
C.3, if the event source is the opposite-end host, security rule detection is carried out, namely IP address filtering is performed first, and if the IP address is filtered, return to step C.1 to wait for the communication event; if the IP address is released, MAC address filtering is performed, and if the MAC address is filtered, return to step C.1 to wait for the communication event; if the MAC address is released, the communication data is sent to the local-end host, and return to step C.1 to wait for the communication event.
5. The method for the secure transmission of the isolated data in the ultra high speed network according to claim 1, wherein: in step S34, the specific method for determining whether the transmission data needs to be encrypted is as follows: first, judge whether full-text encryption needs to be carried out on the transmission data; if so, carry out full-text encryption on the transmission data and send the encrypted transmission data to the ferry device; if not, judge whether fixed block encryption needs to be carried out on the transmission data; if so, carry out fixed block encryption on the ferry data and send the encrypted ferry data to the ferry device; if not, judge whether random block encryption needs to be carried out on the ferry data; if so, carry out random block encryption on the ferry data and send the encrypted ferry data to the ferry device.
6. A system for the secure transmission of ultra-high-speed network isolation data, characterized in that: the system comprises a first host, a first main device connected with the first host, a second host, a second main device connected with the second host, and a safety transmission device connected between the first main device and the second main device, wherein the safety transmission device comprises a first main control module connected with the first main device, a parallel data exchange module and a second main control module connected with the second main device; the first main control module comprises a first controller, the second main control module comprises a second controller, the first controller is connected with one end of the parallel data exchange module, the second controller is connected with the other end of the parallel data exchange module, and the first controller can respond to a data request of the first host and exchange data with the second controller through the parallel data exchange module; the second controller can respond to a data request of the second host and exchange data with the first controller through the parallel data exchange module.
7. The ultra high speed network isolated data security transmission system according to claim 6, wherein: the first master device comprises a first USB power interface and a first USB communication interface, the first master control module comprises a first slave power interface and a first slave communication interface, the first USB power interface is connected with the first slave power interface, and the first USB communication interface is connected with the first slave communication interface.
8. The ultra high speed network isolated data security transmission system according to claim 7, wherein: the second master device comprises a second USB power interface and a second USB communication interface, the second master control module comprises a second slave power interface and a second slave communication interface, the second USB power interface is connected with the second slave power interface, and the second USB communication interface is connected with the second slave communication interface.
9. The ultra high speed network isolated data security transmission system according to claim 8, wherein: the parallel data exchange module comprises a programmable I/O port, one end of the programmable I/O port is connected with the first controller, the other end of the programmable I/O port is connected with the second controller, and the programmable I/O port comprises 32 bidirectional data lines for data transmission and 16 configurable control lines for carrying out logic control on a data transmission channel.
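Claims 6 to 9 describe the ferry only structurally. The following is an added, constructed Python model (not code from the patent or its applicant) of one exchange across the claimed port: the 32 bidirectional data lines carry one word at a time, and three of the 16 control lines, whose assignment as DIR, VALID and ACK is an assumption, enforce that only one controller drives the lines at a time and that only application bytes, never either host's network frames, cross the boundary.

```python
# Constructed model of the claimed ferry (example code, not the patent's):
# host1 -> controller1 -> 32 data + 16 control lines -> controller2 -> host2.
DATA_MASK = (1 << 32) - 1
# Assumed assignment of three of the 16 control lines (the claim names none).
CTRL_DIR = 1 << 0    # set: controller2 owns the data lines; clear: controller1 owns them
CTRL_VALID = 1 << 1  # owner has placed a word on the data lines
CTRL_ACK = 1 << 2    # other side has latched that word


class BusContention(Exception):
    """A controller tried to drive, or re-steer, lines it does not currently own."""


class ParallelPort:
    """32 bidirectional data lines plus 16 control lines, one driver at a time."""

    def __init__(self):
        self.data, self.ctrl = 0, 0

    def owner(self):
        return 1 if self.ctrl & CTRL_DIR else 0

    def set_direction(self, side):
        if self.ctrl & CTRL_VALID:          # never flip while a word is in flight
            raise BusContention("word still pending on the data lines")
        self.ctrl = (self.ctrl & ~CTRL_DIR) | (CTRL_DIR if side else 0)

    def put(self, side, word):
        if side != self.owner() or self.ctrl & CTRL_VALID:
            raise BusContention(f"controller{side + 1} may not drive now")
        self.data = word & DATA_MASK       # only 32 lines exist
        self.ctrl |= CTRL_VALID

    def take(self, side):
        if side == self.owner() or not self.ctrl & CTRL_VALID:
            raise BusContention(f"controller{side + 1} has nothing to latch")
        self.ctrl = (self.ctrl | CTRL_ACK) & ~CTRL_VALID
        return self.data


def ferry(port, src, payload):
    """Move payload from controller `src` (0 or 1) to the other controller, one
    32-bit word per handshake. Only these bytes cross: no frames or addresses."""
    dst = 1 - src
    port.set_direction(src)
    out = bytearray()
    for i in range(0, len(payload), 4):
        chunk = payload[i:i + 4].ljust(4, b"\0")   # pad the final partial word
        port.put(src, int.from_bytes(chunk, "big"))
        out += port.take(dst).to_bytes(4, "big")
    port.ctrl &= ~CTRL_ACK
    return bytes(out[:len(payload)])
```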
CN202210109627.5A 2022-01-29 2022-01-29 Method and system for safely transmitting isolation data of ultra-high-speed network Pending CN114553501A (en)

Priority application: CN202210109627.5A, priority date 2022-01-29, filing date 2022-01-29
Publication: CN114553501A, published 2022-05-27
Family ID: 81673275
Country status: CN, CN114553501A (en), Pending

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805363A (en) * 2005-01-14 2006-07-19 北邮英科(北京)信息技术研究所有限公司 Massive parallel processing apparatus and method for network isolation and information exchange module
US7701957B1 (en) * 2004-01-20 2010-04-20 Integrated Device Technology, Inc. Method and apparatus for switching, merging, and demerging data between data communication locations
CN101847190A (en) * 2010-05-31 2010-09-29 北京测腾信息技术有限公司 Method and system for ferrying data safely
US20150032691A1 (en) * 2000-11-02 2015-01-29 Oracle America Inc. Tcp/udp acceleration
CN106341397A (en) * 2016-08-25 2017-01-18 柏盟(北京)科技发展有限公司 Industrial safety isolation GAP
CN112887267A (en) * 2021-01-05 2021-06-01 天津七所精密机电技术有限公司 Network isolation system with message authentication function and method thereof



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220527