CN115694920A - Whole-course encryption high-integration edge computing security gateway suitable for industrial field - Google Patents

Whole-course encryption high-integration edge computing security gateway suitable for industrial field

Info

Publication number: CN115694920A
Application number: CN202211240454.7A
Authority: CN (China)
Prior art keywords: module, encryption, security gateway, security, decryption
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Inventors: 查雅行, 刘昕, 吴志刚, 杜思远
Current assignee: China Communications Information Technology Group Co ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: China Communications Information Technology Group Co ltd
Priority date / filing date: 2022-10-11 (the priority date is an assumption and is not a legal conclusion)
Publication date: 2023-02-03
Abstract

The invention discloses a whole-course encryption, high-integration edge computing security gateway suitable for an industrial field. It comprises a routing module with a firewall function, a switching module, a storage module, an edge computing power module, a high-computing-power security encryption/decryption module, a low-computing-power security encryption/decryption module and an industrial field interface module. The modules are connected through an internal high-speed data bus, and the routing module coordinates the work of every module in the security gateway. The invention can be used in many fields with network security connection requirements, such as factories, construction sites and traffic networks, and greatly expands the application scenarios of the corresponding equipment.

Description

Whole-course encryption high-integration edge computing security gateway suitable for industrial field
Technical Field
The invention relates to network security equipment, in particular to a whole-course encryption high-integration edge computing security gateway suitable for an industrial field.
Background
In industrial field networks, security gateways that combine firewall and gateway functions are commonly used. They combine the two functions in software or hardware and integrate network and security functions to some extent, which reduces the number of devices and simplifies deployment and implementation. However, existing security gateways still have the following problems:
1. The level of device integration is still low: network construction and deployment can only be completed with additional network transmission equipment such as a matching switch.
2. Device security is relatively weak, and an effective high-strength encryption measure for transmission over external networks is lacking. Whenever high-level encrypted transmission is required, regardless of how small the encryption load is, additional equipment such as a dedicated encryption machine must be added. As a result, high-level encrypted transmission is available only at higher-level core information nodes; it cannot run on the lower-level nodes and links outside those core nodes, and data transmission on those parts of the network is left unprotected.
3. Device expandability is poor. The many lightweight applications on an industrial field, such as statistics, publishing, forms and data acquisition, consume very few resources but must be implemented by separately purchasing servers and dedicated processing equipment, which wastes network interfaces and field equipment and makes integrated implementation difficult.
4. Even in projects with relatively small network loads, a large amount of performance-redundant equipment must be deployed for security, which wastes site cost, space and energy.
5. Deploying a large amount of redundant equipment greatly increases the burden and failure risk of on-site commissioning, operation and maintenance.
Disclosure of Invention
Therefore, the invention provides a whole-course encryption high-integration edge computing security gateway suitable for an industrial field. The security gateway makes it easier to build and maintain an industrial field network, greatly improves the functional integration and application flexibility of the gateway, and greatly improves the security of transmission along the whole path handled by the gateway.
To achieve the purpose of the invention, the following technical scheme is adopted:
The whole-course encryption high-integration edge computing security gateway suitable for an industrial field comprises a routing module with a firewall function, a switching module, a storage module, an edge computing power module, a high-computing-power security encryption/decryption module, a low-computing-power security encryption/decryption module and an industrial field interface module, wherein the modules are connected through an internal high-speed data bus and the routing module coordinates the work of all modules in the security gateway.
The security gateway, wherein: the routing module runs on a routing chip with light computing power and is used to coordinate and allocate computing resources and to complete task switching.
The security gateway, wherein: the routing module communicates at high speed with the other built-in modules through the switching module, or communicates directly with the switching module of remote access equipment.
The security gateway, wherein: the storage module provides storage support for local processing of light computing tasks on the data accessed through the security gateway.
The security gateway, wherein: the high-computing-power security encryption/decryption module performs hardware encryption and decryption of selected data inside the module.
The security gateway, wherein: the low-computing-power security encryption/decryption module performs hardware encryption and decryption, inside the module, of the data communicated by the industrial field interface module.
The security gateway, wherein: the high-computing-power security encryption/decryption module establishes an encrypted VPN channel through the local proxy service of the routing module and encrypts and decrypts the data transmitted through the VPN channel.
Drawings
FIG. 1 is a schematic diagram of the overall architecture of the whole-course encryption high-integration edge computing security gateway suitable for an industrial field;
FIG. 2 is a schematic diagram of the overall architecture of the security module;
FIG. 3 is a schematic diagram of the distribution of the high-computing-power and low-computing-power security encryption/decryption modules in the security gateway and the security terminal;
FIG. 4 is a schematic diagram of the connection between the high-computing-power security encryption/decryption module and the routing module;
FIG. 5 is a schematic diagram of the connection between the low-computing-power security encryption/decryption module and the routing module;
FIG. 6 is a schematic diagram of another operating mode of the low-computing-power security encryption/decryption module.
Detailed Description
The invention is described in detail below with reference to accompanying drawings 1-6.
As shown in FIG. 1, the whole-course encryption high-integration edge computing security gateway suitable for an industrial field includes a routing module with a firewall function, a switching module, a storage module, an edge computing power module, a high-computing-power security encryption/decryption module, a low-computing-power security encryption/decryption module, and an industrial field interface module.
The modules are connected through a built-in high-speed data bus, and their work is coordinated by a firmware program running in the routing module. The high-integration edge computing security gateway therefore not only provides the functions of a basic routing gateway, a firewall and a switch, but also directly provides high-strength hardware encryption/decryption capability, large storage capacity and high computing power. It can meet the requirement for confidential transmission of key data across public networks and intranets, and it can serve both lightweight field applications and high-computing-power applications such as intensive data processing.
The routing module with the firewall function can run on a routing chip with light computing power; computing resources are allocated and tasks are switched by a Linux system. The firewall function and the routing function run entirely in one processor and share its CPU and RAM, so no additional hardware connection is needed and data is exchanged between them at RAM speed, which ensures the tight integration and efficient data exchange of the egress firewall and routing functions. In addition, the spare computing power of the routing module (when CPU and RAM occupation are below a threshold) can simultaneously process light computing applications on the data accessed through the field security gateway.
The switching module and the routing module are connected through a 1000BASE-TX (or similar) interface, which ensures high data throughput and high flexibility. The routing module can communicate at high speed with the other built-in devices through the switching module, and can also communicate directly with devices that have remote access to the switching module. Remote devices connected to the switching module can likewise communicate directly with each other through it.
The switching module can support 1000BASE-TX (or higher) and 1000BASE-FX (or higher) interfaces and is compatible with low-speed interface access, providing multiple options for configuring compatibility between the gateway's local devices and remote devices and the deployment distance of remote devices.
The switching module can support a ring network protocol and port aggregation, which lays the foundation for flexibly configuring the gateway's connection functions and expanding its performance. The ports of the switching module can support electrical (TX) and optical (FX) interfaces to suit different connected devices, connection distances and field environments. The electrical interface may be supplemented with PoE to power external devices according to the standard PoE function and handshake protocol. When gateways are cascaded, the links may be configured as an ordinary single-port mode, a high-reliability ring network mode, or a multi-port aggregation mode in which port speeds are added together. When multi-port aggregation is configured between two transmission devices (for example between security gateways or between remote devices), the total speed equals the sum of the port speeds and there is some physical redundancy, but the aggregated ports still form a single logical link.
The storage module is connected with the routing module through a USB or mSATA (or similar) interface and can be read and written directly from the high-speed bus inside the routing module, ensuring high data throughput and stable read/write performance. It can provide storage support for local processing of light computing tasks on the data accessed through the gateway.
As shown in FIG. 3 and FIG. 4, the high-computing-power security encryption/decryption module is connected to the routing module through a USB, PCIe or mSATA (or similar) interface and communicates at high speed directly with the high-speed bus inside the routing module, ensuring high data throughput and stable encryption/decryption performance. Depending on the transmission requirement, a local proxy service on the routing module can use the hardware computing power of the high-computing-power module to establish an encrypted VPN channel. In this mode all data transmitted through the VPN channel is encrypted and decrypted. Because the encryption and decryption are performed entirely by the high-computing-power module and the routing module only coordinates data transfer, real-time encryption and decryption are available in the local system with essentially no load on the routing module's processing power. Key data forwarded by the security gateway is therefore transmitted as ciphertext outside the gateway, with strong processing capability and resistance to monitoring and theft.
As shown in FIG. 5, the low-computing-power security encryption/decryption module is connected to the routing module through a UART (or similar) interface and communicates directly with the routing module's internal bus, ensuring a direct data link and stable encryption/decryption performance. The low-computing-power module is in fact a small independent system with its own operation and processing capability, a dedicated encryption/decryption algorithm acceleration engine and dedicated storage. It can therefore be attached to an industrial field interface module for direct measurement and control communication with other industrial field equipment, and it can encrypt and decrypt the data communicated by that interface module with algorithms such as AES, RSA and ECC using the hardware acceleration resources inside the module. This provides low-speed real-time encryption and decryption in the local system with essentially no load on the routing module, ensures that key data forwarded by the security gateway is transmitted as ciphertext outside the gateway, and gives efficient processing capability with resistance to monitoring and theft.
As shown in FIG. 6, besides encrypting and decrypting the data of the directly connected industrial field interface module, the low-computing-power module may also encrypt and decrypt other data sent to it by the routing module (for example data from other industrial field interface modules of the local device, part of the data sent by a security terminal, or any other data the local device's policy requires it to process).
As shown in FIG. 2, the same arrangement, a low-computing-power security encryption/decryption module attached to an industrial field interface module, can be applied to a terminal rather than a gateway. Such a terminal, used for measurement and control of a single device and also called a low-cost terminal or security terminal, performs direct measurement and control communication with other industrial field devices. The low-cost terminal encrypts and decrypts the data of its industrial field interface module in hardware inside the module and then communicates in encrypted form with a security gateway that carries a low-computing-power security encryption/decryption module. This ensures that key data transmitted between the terminal and the security gateway travels as ciphertext outside both the terminal and the gateway, with efficient processing and resistance to interception and theft.
Therefore, when the security gateway and security terminal are deployed, the low-computing-power module on the security terminal and the low- and high-computing-power modules on the security gateway can each be enabled as the field project requires.
In the present invention the following strategy can be used: the security terminal or the security gateway can also judge the security of the network, and when the network between the security terminal and the security gateway is judged to be a secure network (such as an internal network), the security terminal does not encrypt before transmitting data to the security gateway, or encrypts only key data (such as product processing technology, processing parameters and product structure), so as to save bandwidth and increase transmission speed.
A security gateway can likewise decide whether to encrypt traffic between two security gateways according to their physical distance or the degree of overlap of their IP addresses. For example, if the distance between the two gateways does not exceed a preset distance (for example 100 kilometres), the communication is judged to be within the same city, and the traffic may be left unencrypted or only key data encrypted; if the distance exceeds the preset distance, the communication is treated as inter-city and all traffic is encrypted. For IP addresses, the two addresses are compared from the left end to the right; if their degree of overlap reaches or exceeds a predetermined value (for example 90%), the communication between the two gateways is considered secure and the traffic may be left unencrypted or only key data encrypted; otherwise the communication is treated as inter-city and all traffic is encrypted. Preferably, to balance security and transmission bandwidth, the two security gateways first evaluate both the physical distance and the IP address overlap before communicating, and select the mode that leaves traffic unencrypted or encrypts only key data only when both conditions are met: the distance does not exceed the predetermined distance, and the left-to-right overlap of the IP addresses reaches or exceeds the predetermined value.
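The gateway-to-gateway selection rule just described (distance threshold and left-to-right IP address overlap, relaxed only when both hold), written out in Python as an added example; this is editor's code, not code from the patent or its assignee. The haversine distance over site coordinates, the bit-prefix reading of "overlap", and the names GatewaySite, ip_overlap and select_mode are assumptions, since the text gives neither a source for the physical distance nor a precise overlap metric. A practitioner should note that address proximity and a short distance describe the path, not the peer: they authenticate nothing, so the relaxed modes belong only on links already trusted by other means.

```python
"""Transmission-mode selection between two security gateways (added example).

Implements the rule from the text: relax encryption only when the distance is
within a preset limit AND the IP addresses overlap, left to right, by at least
a preset fraction. Coordinates, haversine distance and the bit-prefix
definition of overlap are assumptions.
"""
import ipaddress
import math
from dataclasses import dataclass
from enum import Enum


class TxMode(Enum):
    PLAINTEXT = "plaintext"          # nothing encrypted
    KEY_DATA_ONLY = "key-data-only"  # only fields marked as key data encrypted
    FULL = "full"                    # every packet encrypted


@dataclass(frozen=True)
class GatewaySite:
    name: str
    ip: str
    lat: float  # decimal degrees; assumed source of the "physical distance"
    lon: float


def haversine_km(a: GatewaySite, b: GatewaySite) -> float:
    """Great-circle distance between two sites in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def ip_overlap(ip_a: str, ip_b: str) -> float:
    """Fraction (0.0..1.0) of leading address bits shared by the two addresses.

    Assumed reading of "overlap from the left end to the right": compare the
    addresses bit by bit starting at the most significant bit. Addresses of
    different IP versions never overlap.
    """
    x, y = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if x.version != y.version:
        return 0.0
    bits = x.max_prefixlen
    common = bits - (int(x) ^ int(y)).bit_length()
    return common / bits


def select_mode(local: GatewaySite, remote: GatewaySite, *,
                max_km: float = 100.0, min_overlap: float = 0.9,
                relaxed: TxMode = TxMode.KEY_DATA_ONLY) -> TxMode:
    """Preferred rule from the text: both conditions must hold to relax.

    max_km and min_overlap default to the 100 km and 90% figures in the text;
    `relaxed` chooses which of the two permitted weaker modes the operator
    allows when the conditions are met. Anything else gets FULL encryption.
    """
    if relaxed is TxMode.FULL:
        raise ValueError("relaxed must be PLAINTEXT or KEY_DATA_ONLY")
    same_city = haversine_km(local, remote) <= max_km
    close_addresses = ip_overlap(local.ip, remote.ip) >= min_overlap
    return relaxed if (same_city and close_addresses) else TxMode.FULL


if __name__ == "__main__":
    # Constructed sample sites; the coordinates and addresses are made up.
    plant_a = GatewaySite("plant-a", "10.20.30.5", 31.2, 121.4)
    plant_b = GatewaySite("plant-b", "10.20.30.6", 31.2, 121.5)
    hq = GatewaySite("hq", "10.20.31.5", 39.9, 116.4)
    for peer in (plant_b, hq):
        print(f"{plant_a.name} -> {peer.name}: {haversine_km(plant_a, peer):.1f} km, "
              f"overlap {ip_overlap(plant_a.ip, peer.ip):.3f}, "
              f"mode {select_mode(plant_a, peer).value}")
```

With a 90% threshold on IPv4 the overlap test amounts to requiring a common /29 prefix, so two gateways a few kilometres apart but on different subnets still get full encryption, as do two gateways on adjacent addresses in different cities.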
The invention can also form more complex composite encryption/decryption combinations (for example: plaintext at the security terminal, low-computing-power encryption at the gateway, then high-computing-power encryption at the gateway; or low-computing-power encryption at the security terminal, low-computing-power decryption at the gateway, then high-computing-power encryption at the gateway). Each combination encrypts, decrypts or leaves data untouched according to whether the data source is an external security terminal or the local machine.
Finally, the external transmission of the security gateway can use a plaintext mode, a high-computing-power encryption mode, a low-computing-power encryption mode, or a composite high- and low-computing-power encryption mode. Ciphertext produced by different numbers of encryption passes may be mixed with plaintext in the same transmission, with each data packet marked so that the receiver can recognise and process it accordingly. In this way the whole data flow, from acquisition through processing to upload, can be encrypted, which greatly improves transmission security and reduces the processing burden on the routing module.
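The low- and high-computing-power module roles, the terminal-to-gateway combinations and the mode-marked mixed transmission of the preceding paragraphs, shown together as one added Python example (editor's code, not the patent's or the assignee's). The one-byte mode marker, the SoftwareEngine class standing in for the hardware encryption/decryption modules (an HMAC-SHA256 keystream with encrypt-then-MAC, so that it runs on the standard library alone), and the function names are assumptions; the patent specifies packet marking and module roles, not an encoding or an algorithm. The mode byte is bound into the authentication tag, so relabelling a frame to a different mode is detected, and a receiver can require a minimum mode so that a plaintext frame is not accepted where ciphertext is expected.

```python
"""Mode-marked frames and composite low/high encryption (added example).
The one-byte marker and the SoftwareEngine stand-in (HMAC-SHA256 keystream with
encrypt-then-MAC, standard library only) are assumptions, not the patent's design."""
import hashlib
import hmac
import os
import struct

# Mode markers in the first byte of every frame (assumed encoding); numeric
# order doubles as the protection order PLAIN < LOW < HIGH < HIGH_LOW.
MODE_PLAIN, MODE_LOW, MODE_HIGH, MODE_HIGH_LOW = 0x00, 0x01, 0x02, 0x03
NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 blocks (stand-in only)."""
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
    return bytes(out[:length])


class SoftwareEngine:
    """Stand-in for one hardware encryption/decryption module."""

    def __init__(self, master: bytes):
        self.enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()

    def seal(self, aad: bytes, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(self.enc_key, nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        return nonce + ct + tag

    def open(self, aad: bytes, blob: bytes) -> bytes:
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("truncated ciphertext")
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expect = hmac.new(self.mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.enc_key, nonce, len(ct))))


def build_frame(mode: int, payload: bytes, low: SoftwareEngine, high: SoftwareEngine) -> bytes:
    """Protect `payload` per `mode`; the marker is bound into the tag as AAD."""
    if mode == MODE_PLAIN:
        body = payload
    elif mode == MODE_LOW:
        body = low.seal(bytes([MODE_LOW]), payload)
    elif mode == MODE_HIGH:
        body = high.seal(bytes([MODE_HIGH]), payload)
    elif mode == MODE_HIGH_LOW:  # composite: low layer first, high layer on top
        body = high.seal(bytes([MODE_HIGH_LOW]), low.seal(bytes([MODE_LOW]), payload))
    else:
        raise ValueError(f"unknown mode {mode:#x}")
    return bytes([mode]) + body


def open_frame(frame: bytes, low: SoftwareEngine, high: SoftwareEngine, *,
               min_mode: int = MODE_PLAIN) -> tuple:
    """Marker recognition: return (mode, payload); reject frames below `min_mode`."""
    if not frame or frame[0] > MODE_HIGH_LOW:
        raise ValueError("empty frame or unknown mode marker")
    mode, body = frame[0], frame[1:]
    if mode < min_mode:
        raise ValueError("frame below the required protection level")
    if mode == MODE_PLAIN:
        return mode, body
    if mode == MODE_LOW:
        return mode, low.open(bytes([MODE_LOW]), body)
    if mode == MODE_HIGH:
        return mode, high.open(bytes([MODE_HIGH]), body)
    return mode, low.open(bytes([MODE_LOW]), high.open(bytes([MODE_HIGH_LOW]), body))


def gateway_forward(terminal_frame: bytes, low: SoftwareEngine, high: SoftwareEngine, *,
                    rewrap: bool) -> bytes:
    """Gateway egress for a LOW frame from a security terminal.
    rewrap=False: low-decrypt then high-encrypt (gateway sees the plaintext).
    rewrap=True: wrap the terminal's ciphertext in the high layer unchanged
    (high-low composite; the gateway never sees the plaintext)."""
    if not terminal_frame or terminal_frame[0] != MODE_LOW:
        raise ValueError("expected a low-encrypted terminal frame")
    if rewrap:
        return bytes([MODE_HIGH_LOW]) + high.seal(bytes([MODE_HIGH_LOW]), terminal_frame[1:])
    _, payload = open_frame(terminal_frame, low, high, min_mode=MODE_LOW)
    return build_frame(MODE_HIGH, payload, low, high)


if __name__ == "__main__":  # constructed keys and telemetry, for a stand-alone run
    low_eng = SoftwareEngine(b"terminal-gateway low key")
    high_eng = SoftwareEngine(b"gateway-gateway high key")
    outbound = gateway_forward(build_frame(MODE_LOW, b"PLC-7 temp=21.5C", low_eng, high_eng),
                               low_eng, high_eng, rewrap=True)
    print(open_frame(outbound, low_eng, high_eng, min_mode=MODE_HIGH))
```

In the rewrap path the remote end needs the terminal's low-module key as well as its own high-module key, while in the decrypt-then-re-encrypt path the gateway handles the plaintext, which is the combination the text describes. A mixed stream is handled by calling open_frame on each packet in turn; the marker byte tells the receiver which engine, or both, to use.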
The edge computing power module is a high-performance computing system independent of the routing module, with its own processor, working memory and external storage, optionally an inference accelerator (TPU) and optionally a human-machine interface (HDMI and similar). It handles heavy computing tasks that the routing module's light computing power cannot process quickly, for example serving as a heavy-load task processing server or running AI pattern-recognition applications, and it can also serve as the human-machine interface of the whole gateway system. The edge computing module does not take part in the routing module's routing or industrial control data processing functions; it exchanges data entirely as IP packets and independently processes data- and compute-intensive tasks.
The edge computing power module and the routing module can be connected directly through a 1000BASE-TX (or similar) interface or indirectly through the switching module. Either connection ensures high data throughput and flexibility, and it also allows the edge computing module to bypass the routing module and communicate directly with the data source when handling heavy network traffic, reducing the load on the routing module.
All modules work in coordination inside the high-integration edge computing security gateway to provide complete network transmission, secure encryption, data processing services and other functions.
The high-integration edge computing security gateway of the invention is fully integrated, covers most of the service and support requirements of an ordinary network system, is very easy to deploy, and has a small volume, low energy consumption and low cost.
The high-integration edge computing security gateway can be fitted with a switching module having two or more 1000BASE-FX (or higher) high-speed optical fibre interfaces; by configuring two of these interfaces in ring network mode, a high-reliability ring backbone for the industrial field can be built through the gateway's switching module. In this backbone, even if the fibre on one side fails or is damaged, traffic automatically switches to the other side and the backbone is not interrupted. The other 1000BASE-TX (or higher) high-speed electrical interfaces on the switching module can connect nearby equipment such as subordinate security gateways, additional servers, storage devices, computers and security devices.
Deploying the high-integration edge computing security gateway makes full use of all of its functional modules. It can flexibly meet most of the service and support requirements in a general network system, so that the whole system offers a better user experience and cost performance at the application level.
The highly integrated edge computing security gateway has the following advantages:
1. It provides the core functions of a firewall, routing gateway, industrial switch and encryption machine, simplifies the external network architecture and interface connections, and eases installation, deployment, use and maintenance.
2. The internal data flow can be deeply optimised, so performance is easier to improve.
3. It can support lightweight applications that process the data accessed through the security gateway at the site in parallel.
4. It can support desktop- and cabinet-level intensive computing and AI computing applications, with strong function expansion capability.
5. It provides a human-machine interface, reducing the total cost of on-site IT.
6. It can process field data centrally as a core processing device or in a distributed manner as an aggregation processing device.
7. Together with the security terminal it forms a whole-flow encryption application system.
8. It forms a high-strength composite encryption application system in which the high- and low-computing-power hardware security encryption/decryption capabilities can be combined.
The invention can be used in many fields with network security connection requirements, such as factories, construction sites and traffic networks, and greatly expands the application scenarios of the corresponding equipment.

Claims (7)

1. A whole-course encryption high-integration edge computing security gateway suitable for an industrial field, characterized in that: it comprises a routing module with a firewall function, a switching module, a storage module, an edge computing power module, a high-computing-power security encryption/decryption module, a low-computing-power security encryption/decryption module and an industrial field interface module, wherein the modules are connected through a built-in high-speed data bus, and the routing module coordinates the work of all modules in the security gateway.
2. The security gateway of claim 1, wherein: the routing module runs on a routing chip with light computing power and is used to coordinate and allocate computing resources and to complete task switching.
3. The security gateway of claim 1, wherein: the routing module communicates at high speed with the other built-in modules through the switching module, or communicates directly with the switching module of remote access equipment.
4. The security gateway of claim 1, wherein: the storage module provides storage support for local processing of light computing tasks on the data accessed through the security gateway.
5. The security gateway of claim 1, wherein: the high-computing-power security encryption/decryption module performs hardware encryption and decryption of selected data inside the module.
6. The security gateway of claim 1, wherein: the low-computing-power security encryption/decryption module performs hardware encryption and decryption, inside the module, of the data communicated by the industrial field interface module.
7. The security gateway of claim 1, wherein: the high-computing-power security encryption/decryption module establishes an encrypted VPN channel through the local proxy service of the routing module and encrypts and decrypts the data transmitted through the VPN channel.

Application: CN202211240454.7A, filed 2022-10-11 (priority date 2022-10-11), "Whole-course encryption high-integration edge computing security gateway suitable for industrial field", status Pending.

Publication: CN115694920A (en), published 2023-02-03.

Family ID: 85063892 (one family application, CN202211240454.7A; country status CN: CN115694920A).


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination