CN117879901A - System for data isolation and data transmission method - Google Patents


Info

Publication number: CN117879901A
Application number: CN202311774370.6A
Priority: CN202311774370.6A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 张双朋, 周保森, 王雪, 窦锦柱
Current assignee: Xian Chaoyue Shentai Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Xian Chaoyue Shentai Information Technology Co Ltd
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Prior art keywords: unit, data, network, isolation, external network
Priority date:
Filing date:
Publication date:

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to the technical field of computer network security and discloses a system for data isolation comprising an external network (extranet) unit, an isolation unit and an internal network (intranet) unit. The extranet unit processes non-classified data and sends data to the isolation unit; the isolation unit receives the data sent by the extranet unit and forwards it to the intranet unit; the intranet unit processes classified data and receives the data forwarded by the isolation unit. Because the isolation unit ensures that data can only travel from the extranet unit to the intranet unit, the transfer between the two networks is one-way, data held by the intranet unit cannot leak, the problem of moving data between a classified network and a non-classified network is addressed, and no additional equipment or labour is spent on manual transfer. The application also discloses a data transmission method for data isolation.

Description

System for data isolation and data transmission method
Technical Field
The present application relates to the field of computer network security and in particular to a system for data isolation and a data transmission method.
Background
Under the regulations on confidentiality administration of international networking of computer information systems, computer information systems that involve state secrets must not be connected, directly or indirectly, to the Internet or to any other public information network.
At present, when a classified network needs to exchange data with the Internet, a non-classified network is first physically isolated from the Internet, and a bidirectional isolation gateway (gap device) then separates the classified network from the non-classified one. Physical isolation cuts the non-classified network off from the Internet completely, ruling out network attacks and data leakage over that path; the gateway between the classified and non-classified networks then prevents classified data from flowing from the classified network to the non-classified one.
In implementing the embodiments of the present disclosure, at least the following problem was found in the related art:
physical isolation protects the non-classified network and its Internet boundary more thoroughly, but it is difficult to implement and requires more equipment and manpower.
It should be noted that the information in the foregoing background section is provided only to aid understanding of the background of the present application and may therefore include information that does not form part of the prior art already known to those of ordinary skill in the art.
Disclosure of Invention
The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview, and is intended to neither identify key/critical elements nor delineate the scope of such embodiments, but is intended as a prelude to the more detailed description that follows.
The embodiments of the disclosure provide a system for data isolation and a data transmission method that address the transfer of data between classified and non-classified networks without wasting manpower or material resources.
In some embodiments, the system comprises an external network (extranet) unit, an isolation unit and an internal network (intranet) unit:
the extranet unit processes non-classified data and sends data to the isolation unit;
the isolation unit receives the data sent by the extranet unit and forwards it to the intranet unit;
the intranet unit processes classified data and receives the data forwarded by the isolation unit.
Optionally, the extranet unit is further configured to obtain external data, including file data; and/or to store the external data temporarily; and/or to preprocess the external data.
Optionally, the extranet unit is further configured to record a data operation log.
Optionally, the isolation unit includes an audit module;
the audit module verifies the identities of the intranet unit and the extranet unit using a cryptographic algorithm, so that data is forwarded only from the extranet unit to the intranet unit.
Optionally, the audit module is further configured to output an anomaly alert in response to a data transmission anomaly, where a data transmission anomaly includes the intranet unit forwarding data towards the extranet unit.
Optionally, the extranet unit comprises an extranet host and an extranet 10-gigabit network card module; the intranet unit comprises an intranet host and an intranet 10-gigabit network card module; and the isolation unit comprises an isolation host, an audit module, a unidirectional transmit module and a unidirectional receive module.
Optionally, the extranet host, the intranet host and the isolation host all use Phytium D2000/8 processors;
the extranet 10-gigabit network card module, the intranet 10-gigabit network card module, the unidirectional transmit module and the unidirectional receive module all use WX1820AL network controllers from Wangxun (Net-Swift).
Optionally, the system further comprises a power supply unit with an extranet power supply and an intranet power supply;
the extranet power supply powers the extranet unit, the isolation host, the audit module and the unidirectional transmit module;
the intranet power supply powers the intranet unit and the unidirectional receive module.
Optionally, the extranet unit connects to the Internet through a 10-gigabit port, the Internet serving a number of extranet users, and the intranet unit connects to the classified network through a 10-gigabit port, the classified network serving a number of intranet users.
In some embodiments, the method comprises:
the extranet unit, which processes non-classified data, sends data to the isolation unit;
the isolation unit forwards the data sent by the extranet unit to the intranet unit, which processes classified data.
The system for data isolation and the data transmission method provided by the embodiments of the disclosure achieve the following technical effect: the isolation unit ensures that data can only travel from the extranet unit to the intranet unit, so the transfer between the two networks is one-way, data held by the intranet unit cannot leak, the problem of moving data between a classified network and a non-classified network is addressed, and no equipment or labour is wasted.
The foregoing general description and the following description are exemplary and explanatory only and are not restrictive of the application.
Drawings
One or more embodiments are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which like reference numerals refer to similar elements, and in which:
FIG. 1 is a schematic diagram of a system for data isolation provided by an embodiment of the present disclosure;
FIG. 2 is a flowchart of a data transmission method for data isolation according to an embodiment of the present disclosure.
Detailed Description
So that the manner in which the features and techniques of the disclosed embodiments can be understood in more detail, a more particular description of the embodiments of the disclosure, briefly summarized below, may be had by reference to the appended drawings, which are not intended to be limiting of the embodiments of the disclosure. In the following description of the technology, for purposes of explanation, numerous details are set forth in order to provide a thorough understanding of the disclosed embodiments. However, one or more embodiments may still be practiced without these details. In other instances, well-known structures and devices may be shown simplified in order to simplify the drawing.
The terms first, second and the like in the description and in the claims of the embodiments of the disclosure and in the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe embodiments of the present disclosure. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion.
The term "plurality" means two or more, unless otherwise indicated.
In the embodiments of the present disclosure, the character "/" between two objects indicates an "or" relationship; for example, A/B means A or B.
The term "and/or" describes three possible relationships between the associated objects; for example, "A and/or B" means A, or B, or A and B.
The term "corresponding" may refer to an association or binding relationship; a correspondence between A and B means an association or binding between A and B.
Referring to FIG. 1, a system for data isolation includes an external network (extranet) unit, an isolation unit and an internal network (intranet) unit.
The extranet unit processes non-classified data and sends data to the isolation unit. It forms the non-classified zone: it connects to the external Internet and handles non-classified information. Its main responsibility is that Internet connection, through which the organisation obtains external information and data in a timely manner and processes large volumes of non-classified data in support of its day-to-day operations.
The isolation unit receives the data sent by the extranet unit and forwards it to the intranet unit. It is the key node of the unidirectional transfer: data can flow only from the extranet to the intranet, which prevents unauthorised access and data leakage and protects the data of the intranet unit.
In addition, the isolation unit performs auditing according to preset software application rules, so that only authorised and audited applications run on the intranet unit. This audit mechanism keeps the application software of the intranet unit trustworthy and further strengthens network security.
For intranet users, the isolation unit provides a login and download function for intranet-unit application software: users download data to the intranet unit under the supervision of the isolation unit. This is both convenient and secure, because users can only download data from the isolation unit, never directly from the external network, which avoids the associated risks.
The intranet unit processes classified data and receives the data forwarded by the isolation unit. It forms the classified zone and connects to the classified network. The intranet unit can be deployed in enterprises, institutions and government bodies, specifically on networks that carry classified information. In this setting the network security equipment must be highly reliable and stable, and must provide strong encryption and protection so that information cannot be stolen or tampered with.
It should be noted that the extranet unit and the intranet unit have identical hardware designs, i.e. the same hardware architecture and functional modules, so one hardware design is fully reusable for both. The hardware is developed once and used in both network environments, avoiding duplicated development and reducing development cost. Reuse also reduces later maintenance cost: because the two units share a design, they share a maintenance procedure, and a single hardware product covers both the extranet unit and the intranet unit.
To reuse the same hardware for the extranet and intranet units, only different application software needs to be deployed, granting each unit its own application permission level. Application software can thus be chosen to fit the network environment and usage requirements, which improves the adaptability and usability of both units.
With the system for data isolation provided by the embodiments of the disclosure, the isolation unit ensures that data can only travel from the extranet unit to the intranet unit, so the transfer between the two networks is one-way, data held by the intranet unit cannot be disclosed, the problem of moving data between classified and non-classified networks is addressed, and no equipment or labour is wasted.
Optionally, the extranet unit is further configured to obtain external data, including file data; and/or to store the external data temporarily; and/or to preprocess the external data.
First, the extranet unit can store an external file temporarily in the extranet zone and optionally preprocess it. Preprocessing may involve format conversion, content filtering and security checks, so that the file reaches its target location accurately and safely.
Second, the extranet unit runs a data transfer application that manages the transmission, storage and access control of files and ensures data security and integrity. The application also supports several data transmission protocols to cover different business scenarios.
Once the data transfer application is deployed, the extranet unit grants data transmission permissions, so that only authorised users or systems can send data; this protects the security and confidentiality of the data.
Optionally, the extranet unit is further configured to record a data operation log.
The extranet unit also keeps detailed logs: every data transmission and operation passing through the extranet unit is recorded, which provides valuable evidence for network security audits. When a security incident occurs, these log records help an administrator locate the problem quickly and take countermeasures in time.
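The intake path just described (obtain the file, stage it, preprocess it, record the operation; steps S001 to S003 and S011 of the method below) is easiest to see in code. The following is an added example, not code from the application or its assignee: the accepted file types, the size limit and the PDF features that are filtered out are assumptions, since the application does not list them, and the sample files are constructed.

```python
"""Extranet-unit intake: temporary storage, preprocessing and an operation log."""
import hashlib
import time

MAX_SIZE = 64 * 1024 * 1024          # assumption: 64 MiB upper bound per file
MAGIC = {                            # assumption: three permitted formats, by signature
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
}
# Assumption: active content is filtered out of PDFs before they may cross.
PDF_BLOCKED = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


class OperationLog:
    """Append-only record of what the extranet unit did with each file (S011)."""
    def __init__(self):
        self.entries = []

    def record(self, operation, **fields):
        self.entries.append({"ts": time.time(), "op": operation, **fields})


def detect_type(data):
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_file(name, data):
    """Preprocessing (S003): returns (accepted, reason, detected_type)."""
    kind = detect_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if not data or len(data) > MAX_SIZE:
        return False, "size out of bounds", kind
    if kind is None:
        return False, "unrecognised file type", kind
    if ext != kind:                      # declared name must match the real content
        return False, f"extension '{ext}' does not match content '{kind}'", kind
    if kind == "pdf" and any(p in data for p in PDF_BLOCKED):
        return False, "pdf contains active content", kind
    return True, "ok", kind


class ExtranetUnit:
    def __init__(self):
        self.staging = {}            # S002: temporary storage, keyed by SHA-256
        self.outbox = []             # files cleared for hand-over to the isolation unit
        self.log = OperationLog()

    def acquire(self, name, data, source):
        """S001 -> S002 -> S003 -> S011 for one external file."""
        digest = hashlib.sha256(data).hexdigest()
        self.staging[digest] = data
        self.log.record("acquire", name=name, source=source, sha256=digest, size=len(data))
        accepted, reason, kind = check_file(name, data)
        self.log.record("preprocess", sha256=digest, type=kind, accepted=accepted, reason=reason)
        if accepted:
            self.outbox.append((name, digest))
            self.log.record("send", sha256=digest, destination="isolation-unit")
        else:
            del self.staging[digest]    # rejected files never reach the isolation unit
        return accepted, reason


SAMPLES = [  # constructed inputs, not real documents
    ("report.pdf", b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF", "user-a"),
    ("form.pdf",   b"%PDF-1.7\n1 0 obj<</OpenAction 2 0 R/JS(app.alert(1))>>\n", "user-b"),
    ("photo.png",  b"PK\x03\x04fake-archive-bytes", "user-c"),
    ("notes.txt",  b"plain text without a recognised signature", "user-d"),
]


def demo():
    unit = ExtranetUnit()
    return [unit.acquire(n, d, s)[0] for n, d, s in SAMPLES], unit


if __name__ == "__main__":
    results, unit = demo()
    for entry in unit.log.entries:
        print(entry)
```

Only the first sample reaches the outbox; the PDF carrying /OpenAction and /JS, the archive mislabelled as a PNG and the untyped text file are rejected, and every decision is in the log with the file hash, which is what an administrator would search after an incident.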
Optionally, the isolation unit includes an audit module.
The audit module verifies the identities of the intranet unit and the extranet unit with a cryptographic algorithm, so that data is forwarded only from the extranet unit to the intranet unit; strict authentication of the two networks prevents unauthorised access and data leakage. The same cryptographic processing also protects data in transit and at rest, so that it cannot be stolen or tampered with during transmission or storage.
Optionally, the audit module also outputs an anomaly alert in response to a data transmission anomaly. To find and resolve transmission anomalies promptly, a complete transmission monitoring facility is needed: it monitors the transmission state and anomalies in real time and raises an alert as soon as one is detected, so that measures can be taken before the problem spreads. A data transmission anomaly includes data being forwarded from the intranet unit towards the extranet unit.
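The audit module's three duties (verify who sent the frame, forward only extranet-to-intranet, alert on anything else; steps S021, S022 and S0211 of the method below) can be written as a small policy engine. This is an added example and not the application's own code: the application does not name its "encryption processing algorithm", so HMAC-SHA256 over a pre-shared key per unit is an assumption, as are the frame layout, the unit names and the constructed keys. Note the caveat that on the physical link the intranet side has no transmitter, so a genuine intranet-signed frame could never reach the module over the fibre; the reverse-direction check is a policy-layer guard against misconfiguration or a compromised unit, not a substitute for the one-way hardware.

```python
"""Isolation-unit audit: identity check, direction policy, replay rejection, alerts."""
import hashlib
import hmac
import json
import os

EXTRANET = "extranet-unit"
INTRANET = "intranet-unit"

# Constructed pre-shared keys, one per unit (assumption; not for real use).
UNIT_KEYS = {
    EXTRANET: b"extranet-demo-key-not-for-production",
    INTRANET: b"intranet-demo-key-not-for-production",
}


def canonical(frame):
    """Deterministic byte encoding of the fields that get authenticated."""
    return json.dumps(frame, sort_keys=True, separators=(",", ":")).encode()


def make_frame(src, dst, payload, key, nonce=None):
    """Built by the sending unit: identity-bound frame with an HMAC tag."""
    frame = {"src": src, "dst": dst, "nonce": (nonce or os.urandom(8)).hex(),
             "payload": payload.hex()}
    frame["tag"] = hmac.new(key, canonical(frame), hashlib.sha256).hexdigest()
    return frame


class AuditModule:
    def __init__(self, unit_keys):
        self.unit_keys = unit_keys
        self.seen = set()          # nonces already forwarded
        self.alerts = []           # S0211 anomaly alerts
        self.forwarded = []        # payloads handed to the intranet unit
        self.rejected = []         # (reason, frame)

    def verify_identity(self, frame):
        """S021: confirm that the claimed source unit produced this frame."""
        key = self.unit_keys.get(frame.get("src"))
        if key is None:
            return False
        unsigned = {k: v for k, v in frame.items() if k != "tag"}
        expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, frame.get("tag", ""))

    def forward(self, frame):
        """S022: forward only extranet -> intranet; any other direction is an anomaly."""
        if not self.verify_identity(frame):
            self.rejected.append(("identity audit failed", frame))
            return False
        if frame["src"] != EXTRANET or frame["dst"] != INTRANET:
            # S0211: data transmission anomaly, e.g. intranet -> extranet
            self.alerts.append(f"anomaly: {frame['src']} -> {frame['dst']} blocked")
            return False
        if frame["nonce"] in self.seen:
            self.rejected.append(("replay", frame))
            return False
        self.seen.add(frame["nonce"])
        self.forwarded.append(bytes.fromhex(frame["payload"]))
        return True


def demo():
    """Four constructed frames: legitimate, reverse direction, forged key, replay."""
    audit = AuditModule(UNIT_KEYS)
    good = make_frame(EXTRANET, INTRANET, b"report.pdf bytes", UNIT_KEYS[EXTRANET], nonce=b"\x00" * 8)
    reverse = make_frame(INTRANET, EXTRANET, b"classified", UNIT_KEYS[INTRANET], nonce=b"\x01" * 8)
    forged = make_frame(EXTRANET, INTRANET, b"x", b"wrong-key", nonce=b"\x02" * 8)
    results = [audit.forward(good), audit.forward(reverse),
               audit.forward(forged), audit.forward(good)]
    return results, audit


if __name__ == "__main__":
    results, audit = demo()
    print(results, audit.alerts, [r for r, _ in audit.rejected])
```

The forged frame fails the identity check before the direction rule is consulted, the reverse-direction frame is authenticated but produces an alert rather than a forward, and the replayed frame is dropped silently; the alert list is the feed a monitoring console would consume.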
Optionally, the extranet unit comprises an extranet host and an extranet 10-gigabit network card module; the intranet unit comprises an intranet host and an intranet 10-gigabit network card module; and the isolation unit comprises an isolation host, an audit module, a unidirectional transmit module and a unidirectional receive module.
The extranet unit comprises an extranet host and an extranet 10-gigabit network card module. The extranet host is the core device of the unit and connects to the global Internet for data transmission and exchange. The 10-gigabit network card module is a key component of the host, providing up to 10 Gbit/s of transmission for fast, stable data transfer.
The intranet unit comprises an intranet host and an intranet 10-gigabit network card module. The intranet host is the core device of the internal network, responsible for its management and data transmission; the 10-gigabit network card module provides the same high-speed capability and handles data exchange between the intranet host and the terminal devices.
The isolation unit comprises an isolation host, an audit module, a unidirectional transmit module and a unidirectional receive module. The isolation host is the core device of the unit, implementing the separation of the internal and external networks and securing the data transfer. The audit module is an auxiliary device of the isolation host that verifies the identities of the intranet and extranet units with a cryptographic algorithm, so that data is forwarded only from the extranet unit to the intranet unit. The unidirectional transmit and receive modules are the key components that realise one-way transfer: they enforce the direction of data flow in hardware and further strengthen data security.
Optionally, the extranet host, the intranet host and the isolation host all use Phytium D2000/8 processors. The processor integrates eight Phytium-developed FTC663 high-performance cores, is compatible with the 64-bit ARMv8 instruction set, runs at 2.0 to 2.3 GHz with a TDP of 25 W, supports Phytium's own processor security architecture specification PSPA 1.0, and meets the performance, security and reliability requirements of complex scenarios; it runs the domestic Galaxy Kylin operating system. The mainboard uses surface-mounted DDR4 memory chips with a capacity of up to 32 GB, for high reliability and stability; it provides one PCIe x4 M.2 system-disk slot with high capacity and high read/write speed; and it uses domestic Kunlun firmware to support the Galaxy Kylin operating system on the Phytium processor.
The extranet 10-gigabit network card module, the intranet 10-gigabit network card module, the unidirectional transmit module and the unidirectional receive module all use WX1820AL network controllers from Wangxun (Net-Swift), which provide LAN performance acceleration, network security, network convergence, network virtualisation, data centre bridging and other functions. The 10G KR signal is brought out from the WX1820 chip and connected over an SFP+ interface to a 10G optical module, giving a network bandwidth of 10 Gbit/s. The extranet and intranet 10-gigabit ports use 10G bidirectional optical modules (SONT model XP-3G 10-10F), connecting the extranet unit to the Internet and the intranet unit to the network interface of the classified zone. The unidirectional transmit module uses a 10G transmit-only optical module (ADOP model AO-SFP-10 GB-XR-TI) and the unidirectional receive module uses a 10G receive-only optical module (ADOP model AO-SFP-10 GB-XR-RI); used as a transmit/receive pair they implement the one-way data link, since the transmit-only module has no receiver and the receive-only module has no transmitter.
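A consequence of the transmit-only/receive-only optical pair that the application does not spell out: the intranet side cannot acknowledge anything, so TCP and every protocol that relies on a return path cannot run across that fibre. The sender must add its own redundancy and the receiver must detect loss and verify integrity by itself. The following is an added example of such framing, not the application's protocol: the header layout, chunk size and repeat count are assumptions, and the channels and data are constructed.

```python
"""Framing for a link with no return path: repeat, reassemble, verify."""
import hashlib
import struct
import zlib

# Frame header (assumption): file id, SHA-256 of the whole file, chunk sequence
# number, total chunk count, CRC-32 of this frame's payload. Payload follows.
HEADER = struct.Struct("!16s32sIII")
CHUNK = 1024      # payload bytes per frame (assumption)
REPEAT = 2        # the whole file is sent this many times (assumption)


def encode(file_id, data, chunk=CHUNK, repeat=REPEAT):
    """Sender side (extranet host -> transmit module): split, label, repeat."""
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    frames = []
    for _ in range(repeat):     # repeat whole passes so a burst loss hits different chunks
        for seq, payload in enumerate(chunks):
            frames.append(HEADER.pack(file_id, digest, seq, len(chunks),
                                      zlib.crc32(payload)) + payload)
    return frames


class Receiver:
    """Receive-module side: tolerant of loss, duplication and reordering."""
    def __init__(self):
        self.files = {}     # file_id -> {"digest", "total", "parts"}
        self.corrupt = 0    # frames dropped for bad length, CRC or sequence number

    def accept(self, frame):
        if len(frame) < HEADER.size:
            self.corrupt += 1
            return
        file_id, digest, seq, total, crc = HEADER.unpack_from(frame)
        payload = frame[HEADER.size:]
        if zlib.crc32(payload) != crc or seq >= total:
            self.corrupt += 1
            return
        state = self.files.setdefault(file_id,
                                      {"digest": digest, "total": total, "parts": {}})
        state["parts"].setdefault(seq, payload)     # duplicates are ignored

    def missing(self, file_id):
        """Chunks still outstanding; what an operator would watch, since no NACK exists."""
        state = self.files.get(file_id)
        if state is None:
            return None
        return [i for i in range(state["total"]) if i not in state["parts"]]

    def complete(self, file_id):
        """Return the file only if every chunk arrived and the end-to-end hash matches."""
        state = self.files.get(file_id)
        if state is None or self.missing(file_id):
            return None
        data = b"".join(state["parts"][i] for i in range(state["total"]))
        return data if hashlib.sha256(data).digest() == state["digest"] else None


def demo():
    """Two constructed channels: scattered loss (covered by the repeat pass) and the
    same chunk lost in both passes (detected, but unrecoverable without a resend)."""
    data = bytes(range(256)) * 40             # 10240 bytes -> 10 chunks
    file_id = b"example-file-001"            # exactly 16 bytes
    frames = encode(file_id, data)
    rx1 = Receiver()
    for i, frame in enumerate(frames):
        if (i + 1) % 3 != 0:                  # drop every third frame on the wire
            rx1.accept(frame)
    rx2 = Receiver()
    for i, frame in enumerate(frames):
        if i not in (3, 13):                  # chunk 3 lost in both passes
            rx2.accept(frame)
    return {"recovered": rx1.complete(file_id) == data,
            "unrecoverable_missing": rx2.missing(file_id),
            "unrecoverable_file": rx2.complete(file_id)}


if __name__ == "__main__":
    print(demo())
```

Because the receiver can only wait, a deployment pairs this with a sender that re-transmits the file on a schedule and a receiver-side alarm on `missing()`; the end-to-end hash in every header is what lets the intranet side refuse a file that reassembled from a mix of frames belonging to different versions.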
Optionally, the system further comprises a power supply unit with an extranet power supply and an intranet power supply.
The extranet power supply and the intranet power supply are two independent power units, each powering a different set of components. The extranet power supply mainly powers the extranet unit, the isolation host, the audit module and the unidirectional transmit module; the intranet power supply mainly powers the intranet unit and the unidirectional receive module. This separation keeps the equipment running stably and also improves security: the receive side of the one-way link shares no power domain with the transmit side. If the extranet supply fails, the intranet supply continues to power the intranet equipment; likewise, if the intranet supply fails, the extranet supply continues to power the extranet equipment.
The two supplies also improve reliability. If a network device fails, normal operation can be maintained by switching to the standby supply, and the stability and reliability of the power system are maintained by periodic inspection and maintenance of the power supply devices.
Optionally, the extranet unit connects to the Internet through a 10-gigabit port, the Internet serving a number of extranet users, and the intranet unit connects to the classified network through a 10-gigabit port, the classified network serving a number of intranet users.
10-gigabit optical fibre is a high-speed, high-capacity transmission technology with a high transmission rate, long reach and strong immunity to interference. In the extranet unit it is used for the Internet connection, making data transfer faster and more stable while keeping the network reliable and secure. The intranet unit is an important part of the internal network and generally uses 10-gigabit fibre as its main connection to the private network.
Using 10-gigabit fibre in the classified network helps prevent data leakage and external attack, and its high-speed, high-capacity transmission keeps the internal network stable and efficient. The fibre also provides higher bandwidth and lower latency, making the internal network more reliable and efficient.
As shown in FIG. 2, an embodiment of the disclosure provides a data transmission method for data isolation, comprising:
S01: the extranet unit sends data to the isolation unit.
The extranet unit processes non-classified data.
S02: the isolation unit forwards the data sent by the extranet unit to the intranet unit.
The intranet unit processes classified data.
Optionally, before the extranet unit sends the data to the isolation unit in S01, the method further includes:
S001: the extranet unit obtains external data, which includes file data;
and/or S002: the extranet unit stores the external data temporarily;
and/or S003: the extranet unit preprocesses the external data.
Optionally, after the extranet unit sends the data to the isolation unit in S01, the method further includes:
S011: the extranet unit records a data operation log.
Optionally, the isolation unit includes an audit module, and S02, in which the isolation unit forwards the data sent by the extranet unit to the intranet unit, includes:
S021: the audit module receives the data sent by the extranet unit and verifies the identities of the intranet unit and the extranet unit with a cryptographic algorithm;
S022: the audit module forwards the data to the intranet unit once it has confirmed that the data is being forwarded from the extranet unit to the intranet unit.
Optionally, S021, in which the audit module receives the data sent by the extranet unit and verifies the identities of the intranet and extranet units with a cryptographic algorithm, further includes:
S0211: the audit module outputs an anomaly alert in response to a data transmission anomaly. A data transmission anomaly includes data being forwarded from the intranet unit towards the extranet unit.
Optionally, the extranet unit comprises an extranet host and an extranet 10-gigabit network card module; the intranet unit comprises an intranet host and an intranet 10-gigabit network card module; and the isolation unit comprises an isolation host, an audit module, a unidirectional transmit module and a unidirectional receive module.
Optionally, the extranet host, the intranet host and the isolation host all use Phytium D2000/8 processors;
the extranet 10-gigabit network card module, the intranet 10-gigabit network card module, the unidirectional transmit module and the unidirectional receive module all use WX1820AL network controllers from Wangxun (Net-Swift).
Optionally, the power supply unit includes an extranet power supply and an intranet power supply, and the method further includes:
S004: the extranet power supply powers the extranet unit, the isolation host, the audit module and the unidirectional transmit module;
S005: the intranet power supply powers the intranet unit and the unidirectional receive module.
With the data transmission method for data isolation provided by the embodiments of the disclosure, when an extranet user needs to move data into the intranet, the user logs in to the application software of the extranet unit and uploads the data; the isolation unit checks the data against the software application rules; and an intranet user logs in to the application software of the intranet unit to download it. The extranet user has no permission to download data from the intranet, so data moves only from the extranet to the intranet and information cannot be disclosed. At the same time, media such as optical discs no longer need to be carried by hand from the non-classified zone to the classified zone, so no equipment or labour is wasted.
The above description and the drawings illustrate embodiments of the disclosure sufficiently to enable those skilled in the art to practice them. Other embodiments may involve structural, logical, electrical, process, and other changes. The embodiments represent only possible variations. Individual components and functions are optional unless explicitly required, and the sequence of operations may vary. Portions and features of some embodiments may be included in, or substituted for, those of others. Moreover, the terminology used in the present application is for the purpose of describing embodiments only and is not intended to limit the claims. As used in the description of the embodiments and the claims, the singular forms "a," "an," and "the" (the) are intended to include the plural forms as well, unless the context clearly indicates otherwise. Similarly, the term "and/or" as used in this application is meant to encompass any and all possible combinations of one or more of the associated listed. Furthermore, when used in this application, the terms "comprises," "comprising," and/or "includes," and variations thereof, mean that the stated features, integers, steps, operations, elements, and/or components are present, but that the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof is not precluded. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method or apparatus comprising such elements. In this context, each embodiment may be described with emphasis on the differences from the other embodiments, and the same similar parts between the various embodiments may be referred to each other. For the methods, products, etc. disclosed in the embodiments, if they correspond to the method sections disclosed in the embodiments, the description of the method sections may be referred to for relevance.
Those of skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. The skilled artisan may use different methods for each particular application to achieve the described functionality, but such implementation should not be considered to be beyond the scope of the embodiments of the present disclosure. It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the embodiments disclosed herein, the disclosed methods, articles of manufacture (including but not limited to devices, apparatuses, etc.) may be practiced in other ways. For example, the apparatus embodiments described above are merely illustrative, and for example, the division of the units may be merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form. The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to implement the present embodiment. In addition, each functional unit in the embodiments of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. In the description corresponding to the flowcharts and block diagrams in the figures, operations or steps corresponding to different blocks may also occur in different orders than that disclosed in the description, and sometimes no specific order exists between different operations or steps. For example, two consecutive operations or steps may actually be performed substantially in parallel, they may sometimes be performed in reverse order, which may be dependent on the functions involved. Each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Claims (10)

1. A system for data isolation, comprising: the device comprises an external network unit, an isolation unit and an internal network unit;
the external network unit is used for processing non-secret-related data and sending the data to the isolation unit;
the isolation unit is used for receiving the data sent by the external network unit and forwarding the data to the internal network unit;
the intranet unit is used for processing the secret-related data and receiving the data forwarded by the isolation unit.
2. The system of claim 1, wherein the external network unit is further configured to obtain external data, the external data comprising file data; and/or temporarily store the external data; and/or preprocess the external data.
3. The system of claim 2, wherein the extranet unit is further configured to record a data operation log.
4. The system of claim 1, wherein the isolation unit comprises an audit module;
and the auditing module is used for auditing the identity of the intranet unit and the extranet unit by utilizing an encryption processing algorithm so as to ensure that the data is only forwarded to the intranet unit by the extranet unit.
5. The system of claim 4, wherein the auditing module is further configured to output an exception alert in response to a data transfer exception, the data transfer exception including the data being forwarded by the intranet unit to the extranet unit.
6. The system of claim 1, wherein the external network unit comprises an external network host and an external network unit 10-gigabit network card module; the internal network unit comprises an internal network host and an internal network unit 10-gigabit network card module; the isolation unit comprises an isolation host, an auditing module, a unidirectional sending module and a unidirectional receiving module.
7. The system of claim 6, wherein the external network host, the internal network host and the isolation host each employ a Feiteng corporation D2000/8 processor;
the external network unit 10-gigabit network card module, the internal network unit 10-gigabit network card module, the unidirectional sending module and the unidirectional receiving module all adopt WX1820AL network controllers of a network communication company.
8. The system of claim 6, wherein the system further comprises: the power supply unit comprises an external network power supply and an internal network power supply;
the external network power supply is used for supplying power to the external network unit, the isolation host, the auditing module and the unidirectional transmission module;
the intranet power supply is used for supplying power to the intranet unit and the unidirectional receiving module.
9. The system of claim 1, wherein the external network unit is connected to the internet via a 10-gigabit network port, the internet is connected to a plurality of external network users, the internal network unit is connected to a secure network via a 10-gigabit network port, and the secure network is connected to a plurality of internal network users.
10. A data transmission method for data isolation, the method comprising:
the external network unit sends data to the isolation unit, and the external network unit is used for processing non-secret-related data;
the isolation unit forwards the data sent by the external network unit to the internal network unit, and the internal network unit is used for processing the secret-related data.
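The following simulation is an added illustration of the upload, audit and download flow described for the gateway method above and claimed in claims 1, 4, 5 and 10; it is example code written for this page, not the patent's own implementation. The patent names only an "encryption processing algorithm" for identity auditing, so an HMAC-SHA256 tag keyed per unit stands in for it; the unit keys, user names and file contents are constructed. In the claimed system the unidirectional sending and receiving modules enforce direction in hardware; the software audit shown here is the logical layer that records and alerts on an attempted reverse transfer.

```python
"""Simulation of extranet upload -> isolation-unit audit -> intranet download.

Added example, not the patent's code. HMAC-SHA256 stands in for the patent's
unspecified "encryption processing algorithm"; keys and data are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed per-unit secrets shared with the isolation unit (assumption).
UNIT_KEYS = {
    "extranet": b"constructed-extranet-unit-key",
    "intranet": b"constructed-intranet-unit-key",
}


@dataclass
class Transfer:
    source: str        # unit that claims to send: "extranet" or "intranet"
    dest: str          # unit that should receive
    filename: str
    payload: bytes
    tag: str = ""      # HMAC over (source, dest, filename, payload)


def mac(key: bytes, t: Transfer) -> str:
    """Authenticate the whole transfer so neither direction nor content can be altered."""
    msg = b"|".join([t.source.encode(), t.dest.encode(), t.filename.encode(), t.payload])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class ExtranetUnit:
    """Handles non-secret data: accepts an upload, logs the operation, signs it (claims 2, 3)."""
    oplog: list = field(default_factory=list)

    def upload(self, user: str, filename: str, payload: bytes) -> Transfer:
        t = Transfer("extranet", "intranet", filename, payload)
        t.tag = mac(UNIT_KEYS["extranet"], t)
        self.oplog.append((user, "upload", filename, hashlib.sha256(payload).hexdigest()))
        return t


@dataclass
class IntranetUnit:
    """Handles secret-related data: stores only what the isolation unit forwarded."""
    store: dict = field(default_factory=dict)

    def receive(self, t: Transfer) -> None:
        self.store[t.filename] = t.payload

    def download(self, user: str, filename: str) -> bytes:
        return self.store[filename]


@dataclass
class IsolationUnit:
    """Audits identity and direction; forwards only extranet -> intranet (claims 4, 5)."""
    keys: dict
    alerts: list = field(default_factory=list)
    auditlog: list = field(default_factory=list)

    def audit(self, t: Transfer) -> bool:
        key = self.keys.get(t.source)
        # Identity check first: a transfer claiming to come from a unit must carry
        # that unit's MAC, so a relabelled header is caught before the direction rule.
        if key is None or not hmac.compare_digest(mac(key, t), t.tag):
            self.alerts.append(("identity_failure", t.source, t.filename))
            return False
        # Direction check: the only permitted flow is extranet -> intranet.
        if (t.source, t.dest) != ("extranet", "intranet"):
            self.alerts.append(("direction_violation", f"{t.source}->{t.dest}", t.filename))
            return False
        return True

    def forward(self, t: Transfer, intranet: IntranetUnit) -> bool:
        ok = self.audit(t)
        self.auditlog.append((t.source, t.dest, t.filename, "forwarded" if ok else "blocked"))
        if ok:
            intranet.receive(t)
        return ok


def run_scenario() -> dict:
    """A legitimate upload, a reverse-direction attempt, and a relabelled sender."""
    ext, iso, inn = ExtranetUnit(), IsolationUnit(UNIT_KEYS), IntranetUnit()
    results = {}
    # 1. External user uploads; internal user later downloads the same bytes.
    t1 = ext.upload("ext_user", "report.pdf", b"constructed file contents")
    results["upload_forwarded"] = iso.forward(t1, inn)
    results["download"] = inn.download("int_user", "report.pdf")
    # 2. Intranet -> extranet is the exception case of claim 5: blocked and alerted.
    t2 = Transfer("intranet", "extranet", "secret.docx", b"constructed secret")
    t2.tag = mac(UNIT_KEYS["intranet"], t2)
    results["reverse_forwarded"] = iso.forward(t2, inn)
    # 3. Same payload relabelled as extranet but lacking the extranet key: identity fails.
    t3 = Transfer("extranet", "intranet", "secret.docx", b"constructed secret", tag=t2.tag)
    results["forged_forwarded"] = iso.forward(t3, inn)
    results["alerts"] = [a[0] for a in iso.alerts]
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The identity check runs before the direction check on purpose: if direction were checked first, a transfer that merely claims an extranet source would pass the direction rule, and the audit log would not distinguish a forged sender from a permitted one. Keying the MAC over source, destination, file name and payload means the isolation unit can trust every field it logs.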
Application CN202311774370.6A, priority date 2023-12-21, filing date 2023-12-21: System for data isolation and data transmission method; status Pending; published as CN117879901A (en)

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN202311774370.6A    2023-12-21      2023-12-21    System for data isolation and data transmission method

Publications (1)

Publication Number   Publication Date
CN117879901A         2024-04-12

Family

ID=90593829; one family application (CN202311774370.6A, listed above)

Country Status (1)

Country   Link
CN        CN117879901A (en)


Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination