CN117978447A - System and method for cross-network and cross-domain transmission based on physical isolation - Google Patents


Info

Publication number
CN117978447A
Authority
CN (China)
Prior art keywords
data packet, data, network, import, server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311856248.3A
Other languages
Chinese (zh)
Inventors
周新波, 张斓子, 苏雳钧, 吴泽, 刘襄雄
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Information Security Research Institute Co ltd
Original Assignee
Xiamen Information Security Research Institute Co ltd
Application filed by Xiamen Information Security Research Institute Co ltd
Priority to CN202311856248.3A
Publication of CN117978447A

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/105 Network architectures or network communication protocols for network security for controlling access to devices or network resources; multiple levels of security
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L9/40 Network security protocols

Abstract

The system comprises a first security level network, a second security level network, an import front-end processor, unidirectional transmission equipment and an import server, where the import front-end processor, the unidirectional transmission equipment and the import server are deployed between the first security level network and the second security level network. The import front-end processor receives a data request from the first security level network and imports a data packet, unpacks, marks, encrypts and repackages the data packet, and then transmits the packaged data packet to the unidirectional transmission equipment; the unidirectional transmission equipment receives the encapsulated data packet and transmits it to the import server; and the import server receives the transmitted data packet, performs unpacking inspection, identification, decryption and repackaging, and transmits the data packet to the second security level network.

Description

System and method for cross-network and cross-domain transmission based on physical isolation
Technical Field
The invention relates to cross-network data transmission technology, and in particular to a system and a method for cross-network, cross-domain transmission based on physical isolation.
Background
In practical application scenarios, network areas have different security levels, so the security of data transmission between networks of different security levels must be ensured. At present, existing transmission methods are limited by the transmission protocol and the hardware equipment: the transmission speed is limited, and sufficient guarantees of data security are also lacking.
Disclosure of Invention
In view of the technical problems in the prior art, the application provides a system and a method for cross-network and cross-domain transmission based on physical isolation, aiming to overcome the defects of the existing methods.
According to one aspect of the invention, a system for cross-network, cross-domain transmission based on physical isolation is provided, comprising a first security level network, a second security level network, an import front-end processor, unidirectional transmission equipment and an import server,
the import front-end processor, the unidirectional transmission equipment and the import server being arranged between the first security level network and the second security level network,
the import front-end processor receiving the data request of the first security level network and importing the data packet, performing unpacking inspection, marking, encryption and repackaging on the data packet, and then transmitting the packaged data packet to the unidirectional transmission equipment;
the unidirectional transmission equipment receiving the encapsulated data packet and transmitting it to the import server;
and the import server receiving the transmitted data packet, performing unpacking inspection, identification, decryption and repackaging, and transmitting the data packet to the second security level network.
Preferably, the data packets sent by the first security level network carry a TCP/IP header and comprise structured data from the database, IoT data originating from the message queue, and file data based on the FTP or WebDAV protocol.
Preferably, after receiving the data packet, the import front-end processor performs unpacking analysis, replaces the TCP/IP header of the data packet sent by the first security level network area with a private protocol, and encrypts and repackages the data.
Preferably, the import front-end processor and the import server have optical gates.
Further preferably, the import front-end processor transmits the repackaged data packet to the unidirectional transmission device through the optical gate, and the unidirectional transmission device transmits the data packet to the import server through the optical gate according to the private protocol of the data packet.
Still more preferably, after receiving the data packet transmitted from the optical gate, the import server unpacks it, restores the packet header to a TCP/IP header, decrypts the data, repackages the restored header and data, performs bidirectional authentication with the second security level network based on IP and MAC addresses, and transmits the data to the second security level network.
Preferably, the import front-end processor and the import server perform access control on service calls by setting a security policy, including time period control, IP address black-and-white list control, request frequency or flow control, request parameter detection and filtering, and service response keyword filtering.
Preferably, the encryption algorithms used by the import front-end processor comprise the SM2 algorithm and the MD5 algorithm.
Preferably, the import front-end processor distinguishes file types according to their identifiers, and the transmitted data is stored into the second security level network.
According to one aspect of the invention, a method for cross-network, cross-domain transmission based on physical isolation is provided, the implementation steps of which comprise:
S1, the first security level network transmits the data packets that need to be transmitted across networks to the import front-end processor;
S2, the import front-end processor receives the data request of the first security level network and imports the data packet, performs unpacking inspection, identification, encryption and repackaging on the data packet, and then transmits the packaged data packet to the unidirectional transmission equipment;
S3, the unidirectional transmission equipment receives the encapsulated data packet and transmits it to the import server;
and S4, the import server receives the data packet transmitted by the unidirectional transmission equipment, performs unpacking inspection, identification recognition, decryption and repackaging, and transmits the data packet to the second security level network.
According to an aspect of the invention, a computing system is proposed, comprising a processor and a memory, the processor being configured to perform the method according to the second aspect.
The application provides a system and a method for cross-network and cross-domain transmission based on physical isolation. The advantages of the technology are:
① Bandwidth resources are fully utilized through the characteristics of optical transmission, improving bandwidth utilization; the optical transmission path greatly increases the transmission speed and meets the requirement for high-speed data transmission.
② Data security is fully considered: key security technologies such as user authentication, authority control, parameter filtering and data encryption are applied during transmission, a secure shared transmission channel is established between the low-security-level network and the high-security-level network, secure and efficient transmission of data between different network domains is ensured, and a secure and effective technical guarantee is provided for services such as data acquisition, data sharing and information release by government units and industry.
③ A system that processes the corresponding service request according to the type of the transmitted file is provided; files are transmitted one-way and securely between systems of different security levels, and after the service data of the first security level network has been processed, the system notifies the corresponding service end of the second security level network to carry out the next step of service processing.
Drawings
The accompanying drawings are included to provide a further understanding of the embodiments and are incorporated in and constitute a part of this specification. The drawings illustrate embodiments and together with the description serve to explain the principles of the invention. Many of the intended advantages of other embodiments and embodiments will be readily appreciated as they become better understood by reference to the following detailed description. The elements of the drawings are not necessarily to scale relative to each other. Like reference numerals designate corresponding similar parts.
FIG. 1 is an exemplary device frame pattern to which an embodiment of the present invention may be applied;
FIG. 2 illustrates a schematic diagram of a system based on physically isolated cross-network cross-domain transport, in accordance with one embodiment of the present invention;
FIG. 3 is a flow chart illustrating the request and import of data by the import server and the second security level network in accordance with a specific embodiment of the present invention;
FIG. 4 is a flow chart of a method for cross-network and cross-domain transmission based on physical isolation in accordance with a specific embodiment of the invention;
Fig. 5 shows a schematic structural diagram of a computer device suitable for use in implementing an embodiment of the invention.
Detailed Description
The application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be noted that, for convenience of description, only the portions related to the present application are shown in the drawings.
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments.
FIG. 1 illustrates an exemplary system architecture 100 to which embodiments of the present invention may be applied for a method of processing information or an apparatus for processing information.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
As shown in fig. 1, a system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as a web browser application, a shopping class application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc., may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be various electronic devices with communication capabilities including, but not limited to, smartphones, tablet computers, laptop and desktop computers, and the like.
The server 105 may be a server that provides various services, such as a background information processing server that processes verification request information transmitted by the terminal devices 101, 102, 103. The background information processing server may analyze the received verification request information and obtain a processing result (for example, verification success information for characterizing that the verification request is a legal request).
It should be noted that the method for processing information provided by the embodiment of the present application is generally performed by the server 105, and accordingly the device for processing information is generally disposed in the server 105. In addition, the method for transmitting information provided by the embodiment of the present application is generally performed by the terminal devices 101, 102, 103, and accordingly the means for transmitting information is generally provided in the terminal devices 101, 102, 103.
Fig. 2 illustrates a system for cross-network, cross-domain transmission based on physical isolation according to an embodiment of the present invention. As shown in fig. 2, the system includes a first security level network, a second security level network, an import front-end processor, a unidirectional transmission device and an import server,
the import front-end processor, the unidirectional transmission device and the import server being arranged between the first security level network and the second security level network,
the import front-end processor receiving the data request of the first security level network, importing the data packet, unpacking, encrypting and repackaging it, and then transmitting the packaged data packet to the unidirectional transmission device;
the unidirectional transmission device receiving the encapsulated data packet and transmitting it to the import server;
and the import server receiving the transmitted data packet, performing unpacking inspection, decryption and repackaging, and transmitting the data packet to the second security level network.
Data transmission between networks of different security levels is realized by calling the import front-end processor, the unidirectional transmission device and the import server arranged between the networks of different security levels; the application server, database server and file server in the first security level network send a service call request to the import server.
The import front-end processor and the import server perform access control on service calls by setting a security policy, where the access control comprises time period control, IP address black-and-white list control, request frequency or flow control, request parameter detection and filtering, and service response keyword filtering.
In one embodiment, the import front-end processor establishes a black-and-white list based on IP addresses, filters the IP addresses that initiate service call requests, and blocks those on the blacklist;
in one embodiment, the import front-end processor sets time period control to intercept service call requests sent by the first security level network outside service hours;
in one embodiment, in order to prevent malicious calls, the import front-end processor performs request frequency control, sets a threshold and a waiting time for service call requests from the same IP within a specified time period, and thereby limits the request frequency of each IP address of the first security level network;
in one embodiment, when the import front-end processor receives a large volume of requests at the same moment, it performs flow control (rate limiting) in order to prevent network congestion, intercepting most of the requests and allowing only a portion to actually reach the back-end server, so that the protected service remains available.
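As an added illustration (not code from the patent or the applicant), the following Go program evaluates a service-call request against the four controls listed above in order: time-period control, IP black/white lists, per-IP request-frequency control with a threshold and a waiting time, and flow control that admits only a bounded number of requests to the back end. The request fields, limit values and decision strings are constructed for the example; the patent gives no concrete values.

```go
package main

import (
	"net/netip"
	"time"
)

// Request is one service-call request as seen by the import front-end processor.
// Only the fields the listed controls need are modelled: source IP and arrival time.
type Request struct {
	SourceIP netip.Addr
	At       time.Time
}

// Decision is the access-control outcome together with the control that produced it.
type Decision struct {
	Allowed bool
	Reason  string
}

// Policy holds the controls the text lists: time-period control, IP black/white
// lists, per-IP request-frequency control with a waiting time, and flow control that
// admits only a bounded number of requests to the back end at once.
// All limits are supplied by the caller; the patent gives no concrete values.
type Policy struct {
	ServiceStart, ServiceEnd int            // service hours on a 24h clock: [start, end)
	Blacklist, Whitelist     []netip.Prefix // empty whitelist means no whitelist restriction
	Window                   time.Duration  // frequency-control window
	Threshold                int            // max calls per source IP within one window
	WaitTime                 time.Duration  // block duration once the threshold is exceeded
	MaxInFlight              int            // flow control: requests admitted to the back end at once

	recent       map[netip.Addr][]time.Time // arrival times inside the current window, per IP
	blockedUntil map[netip.Addr]time.Time   // end of the waiting time, per IP
	inFlight     int
}

func (p *Policy) init() {
	if p.recent == nil {
		p.recent = make(map[netip.Addr][]time.Time)
		p.blockedUntil = make(map[netip.Addr]time.Time)
	}
}

func inAny(ip netip.Addr, prefixes []netip.Prefix) bool {
	for _, pfx := range prefixes {
		if pfx.Contains(ip) {
			return true
		}
	}
	return false
}

// Evaluate applies the controls in order; the first control that fails rejects the call.
func (p *Policy) Evaluate(r Request) Decision {
	p.init()
	// 1. Time-period control: intercept calls made outside service hours.
	if h := r.At.Hour(); h < p.ServiceStart || h >= p.ServiceEnd {
		return Decision{false, "outside service period"}
	}
	// 2. IP black/white list control.
	if inAny(r.SourceIP, p.Blacklist) {
		return Decision{false, "source IP blacklisted"}
	}
	if len(p.Whitelist) > 0 && !inAny(r.SourceIP, p.Whitelist) {
		return Decision{false, "source IP not whitelisted"}
	}
	// 3. Request-frequency control: a threshold per IP per window, then a waiting time.
	if until, ok := p.blockedUntil[r.SourceIP]; ok && r.At.Before(until) {
		return Decision{false, "frequency limit: in waiting time"}
	}
	kept := p.recent[r.SourceIP][:0] // drop arrivals that have left the window
	for _, t := range p.recent[r.SourceIP] {
		if r.At.Sub(t) < p.Window {
			kept = append(kept, t)
		}
	}
	kept = append(kept, r.At)
	p.recent[r.SourceIP] = kept
	if len(kept) > p.Threshold {
		p.blockedUntil[r.SourceIP] = r.At.Add(p.WaitTime)
		return Decision{false, "frequency threshold exceeded"}
	}
	// 4. Flow control: under a burst only a bounded share of requests reaches the back end.
	if p.inFlight >= p.MaxInFlight {
		return Decision{false, "flow control: back end at capacity"}
	}
	p.inFlight++
	return Decision{true, "admitted"}
}

// Release is called once an admitted request has been served by the back end.
func (p *Policy) Release() {
	if p.inFlight > 0 {
		p.inFlight--
	}
}
```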
After completing the security checks, the import front-end processor responds to the service call request of the first security level network, receives the structured data packets of the database server, the Internet of Things (IoT) data packets from the message queue and the file data packets of the file server through the application port, and performs various processing and conversion on them.
In a specific embodiment, the import front-end processor performs unpacking analysis on the received data packet, replaces the TCP/IP header of the data packet sent by the first security level network area with a private protocol, and encrypts, marks and repackages the data.
In one embodiment, the import front-end processor encrypts data based on the SM2 algorithm and the MD5 algorithm. MD5, designed by the American cryptographer Ronald Linn Rivest, is a common cryptographic hash function: it treats every input as a single text file and converts the input message into a 128-bit hash value through an irreversible transformation. The SM2 algorithm is an asymmetric (public-key) cryptographic algorithm based on elliptic curves; through the exchange of public and private keys, confidential transmission of the data is realized.
The encryption process specifically comprises the import front-end processor encrypting the unpacked data file to generate a data encryption file, where the unpacked data file is encrypted as follows:
the unpacked data file is hashed with the MD5 algorithm, generating an MD5 data file and obtaining the hash value of the unpacked data file;
a random number is generated with the SM2 algorithm through a preset random number generation method, and the SM2 algorithm generates the corresponding public and private key pair from the generated random number;
the import front-end processor encrypts the content of the unpacked data file with the built-in public key of the import server to generate the data encryption file;
and the hash value of the data file is encrypted with the private key of the import front-end processor to generate a digital signature.
The generated data encryption file, the digital signature and the MD5 data file are stored in a database for later update;
and the generated data encryption file and the digital signature are repackaged into a data packet based on the private protocol and transmitted to the unidirectional transmission equipment.
In one embodiment the import front-end processor and the import server have optical gates.
The import front-end processor transmits the repackaged data packets to the unidirectional transmission device through the optical gate; the unidirectional transmission device and the optical gate are configured to support the private protocol, and the unidirectional transmission device transmits the data packets packaged in the private protocol to the import server through the optical gate according to the protocol format of the packets.
The import server receives the service call request of the unidirectional transmission device and executes the security policy to perform access control on the service call; the specific access control implementation is the same as for the import front-end processor and is not described again here.
After responding to the service call request of the unidirectional transmission equipment, the import server receives the data packet transmitted from the optical gate, unpacks it, restores the packet header to a TCP/IP header, and decrypts the data. The unpacked data file is decrypted as follows:
the generated data encryption file and digital signature are obtained by unpacking;
the data encryption file is decrypted with the private key of the import server;
the decrypted data file is hashed with the MD5 algorithm to obtain its hash value;
the import server decrypts the digital signature with the built-in public key of the import front-end processor;
and the hash value of the decrypted data file is compared with the hash value obtained from the digital signature to check the integrity and safety of the data file. If the hash values agree, the transmitted data file has not undergone any form of tampering during transmission.
The restored header and data are then repackaged, bidirectional authentication is performed with the second security level network based on the IP and MAC addresses, and the file is transmitted to the service module in the second security level network that corresponds to its identifier.
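As an added example (not the patent's or the applicant's code), the following Go program carries the front-end encryption steps and the import-server decryption steps described above through end to end: hash the unpacked file with MD5, encrypt it under the import server's built-in public key, sign the hash with the front-end's private key, frame the result with a type identifier as the private-protocol packet, and have the import server decrypt, re-hash and verify before accepting the file. SM2 is not in Go's standard library, so ECDSA P-256 stands in for the SM2 signature and ECDH P-256 with AES-GCM stands in for SM2 public-key encryption; the envelope layout and the type identifiers are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Envelope is the private-protocol frame that replaces the TCP/IP header on the one-way link.
type Envelope struct {
	TypeID    byte   // constructed identifiers: 1 = database record, 2 = IoT message, 3 = file
	EphemPub  []byte // sender's ephemeral ECDH public key (stand-in for SM2 public-key encryption)
	Cipher    []byte // the "data encryption file"
	Signature []byte // ECDSA over the MD5 digest (stand-in for "encrypting the hash" with SM2)
}

// FrontEnd (import front-end processor) and ImportServer each hold their own private
// key and the other side's built-in public key.
type FrontEnd struct {
	signKey   *ecdsa.PrivateKey
	serverPub *ecdh.PublicKey
}

type ImportServer struct {
	decKey      *ecdh.PrivateKey
	frontEndPub *ecdsa.PublicKey
}

// NewPair generates both parties with each other's public keys built in.
func NewPair() (*FrontEnd, *ImportServer, error) {
	signKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	decKey, err2 := ecdh.P256().GenerateKey(rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	return &FrontEnd{signKey, decKey.PublicKey()}, &ImportServer{decKey, &signKey.PublicKey}, nil
}

// sessionAEAD derives a single-use AES-GCM key from the ECDH shared secret (SHA-256 as KDF).
func sessionAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal (front-end side): hash the file, encrypt under the server's key, sign the hash, frame.
func (f *FrontEnd) Seal(typeID byte, plain []byte) (*Envelope, error) {
	digest := md5.Sum(plain) // MD5 as the patent specifies; it is not collision-resistant
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(eph, f.serverPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // zero nonce: the fresh ephemeral key makes the AEAD key single-use
	// The type identifier is bound as associated data so it cannot be swapped in transit.
	ct := aead.Seal(nil, nonce, plain, []byte{typeID})
	sig, err := ecdsa.SignASN1(rand.Reader, f.signKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{typeID, eph.PublicKey().Bytes(), ct, sig}, nil
}

// Open (import-server side): decrypt, re-hash, verify the signature over the hash, reject on mismatch.
func (s *ImportServer) Open(e *Envelope) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(e.EphemPub)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(s.decKey, pub)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, make([]byte, aead.NonceSize()), e.Cipher, []byte{e.TypeID})
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext or type identifier altered")
	}
	if d := md5.Sum(plain); !ecdsa.VerifyASN1(s.frontEndPub, d[:], e.Signature) {
		return nil, errors.New("hash mismatch: file tampered or not signed by the front-end")
	}
	return plain, nil
}
```

MD5 is kept only to match the patent text; replacing the digest call with a collision-resistant hash such as SM3 or SHA-256 is a one-line change and is what a deployment should do.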
The specific steps by which the import server receives the data packet, performs mutual authentication with the second security level network, and then requests and imports data are shown in fig. 3:
In a specific embodiment, the import server comprises a security module, a decryption module and an application proxy module. The security module provides the control function for high-security service access and supports authentication based on IP address information; it supports access control on service calls through a security policy, including time period control, IP address black-and-white list control, request frequency or flow control, request parameter detection and filtering, service response keyword filtering, etc. The decryption module unpacks and decrypts the data packet. The application proxy module provides a request service call interface, creates a secure cross-domain data transmission channel through a message service, and performs various processing and conversion on structured data (database), Internet of Things (IoT) data (message queue) and file data (FTP or WebDAV protocol).
The application proxy module comprises an external/internal resource scheduling module, a channel task management module, a main task management module, a transmission module and an opposite-end transmission module.
When a call request from the unidirectional transmission device is received, the import server responds to the device's data transmission request after it passes the security module's check, and calls the channel task management module through the external/internal resource scheduling module to provide the unidirectional transmission device with a task configuration interface for receiving the data packet. The decryption module unpacks and decrypts the data packet to obtain the data file. The channel task management module sends the data file to the main task management module. The main task management module determines the corresponding service type from the identifier of each data file, repackages the file into a data packet with a TCP/IP header, generates a task configuration message and sends it to the transmission module corresponding to that data type. Each transmission module sends the data packet, according to the type in the task configuration message, to the corresponding service end of the second security level network through the opposite-end transmission module, and updates the database corresponding to the data file stored at that service end.
The system provided by the invention fully considers data security by providing, in software, a unidirectional secure data transmission module with security control functions such as integrity checking, format checking, virus scanning and content filtering, while using the irreversibility of light to achieve feedback-free transmission of data between different network domains. It fully utilizes bandwidth resources through the characteristics of optical transmission, improves bandwidth utilization, greatly increases the transmission speed through the optical transmission path, meets the requirement for high-speed data transmission, and allows different types of transmitted data to be delivered to the designated service end for processing.
As shown in fig. 4, a method for cross-network, cross-domain transmission based on physical isolation is provided, the implementation steps of which include:
S1, the first security level network transmits the data packets that need to be transmitted across networks to the import front-end processor;
S2, the import front-end processor receives the data request of the first security level network and imports the data packet, performs unpacking inspection, identification, encryption and repackaging on the data packet, and then transmits the packaged data packet to the unidirectional transmission equipment;
S3, the unidirectional transmission equipment receives the encapsulated data packet and transmits it to the import server;
and S4, the import server receives the data packet transmitted by the unidirectional transmission equipment, performs unpacking inspection, identification recognition, decryption and repackaging, and transmits the data packet to the second security level network.
Referring now to FIG. 5, there is illustrated a schematic diagram of a computer system 500 suitable for use in implementing an electronic device of an embodiment of the present application. The electronic device shown in fig. 5 is only an example and should not be construed as limiting the functionality and scope of use of the embodiments of the present application.
As shown in fig. 5, the computer system 500 includes a Central Processing Unit (CPU) 501, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data required for the operation of the system 500 are also stored. The CPU 501, ROM 502, and RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, and the like; an output portion 507 including a Liquid Crystal Display (LCD) or the like, a speaker or the like; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as needed so that a computer program read therefrom is mounted into the storage section 508 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 509, and/or installed from the removable media 511. The above-described functions defined in the method of the present application are performed when the computer program is executed by a Central Processing Unit (CPU) 501.
The computer readable storage medium of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable storage medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present application may be written in one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, C++ or Python, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present application may be implemented in software or in hardware.
As another aspect, the present application also provides a computer-readable storage medium that may be contained in the electronic device described in the above embodiment, or may exist alone without being incorporated into the electronic device. The computer-readable storage medium carries one or more programs that, when executed by the electronic device, cause the electronic device to: the first security-level network transmits the data packet to be transmitted across networks to the import front-end processor; the import front-end processor receives the data request of the first security-level network and imports the data packet, unpacks, encrypts and repackages it, and then transmits the packed data packet to the unidirectional transmission device; the unidirectional transmission device receives the encapsulated data packet and transmits it to the import server; the import server receives the data packet transmitted by the unidirectional transmission device, performs unpacking inspection, identification, decryption and repackaging, and transmits the data packet to the second security-level network.
The above description is only illustrative of the preferred embodiments of the present application and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the application is not limited to the specific combinations of the technical features described above, but also covers other technical solutions formed by any combination of the technical features described above or their equivalents without departing from the inventive concept described above. For example, the above-mentioned features may be interchanged with (but are not limited to) technical features disclosed in the present application that have similar functions.

Claims (10)

1. A system for cross-network, cross-domain transmission based on physical isolation, characterized in that it comprises a first security-level network, a second security-level network, an import front-end processor, a unidirectional transmission device and an import server,
The import front-end processor, the unidirectional transmission device and the import server are arranged between the first security-level network and the second security-level network,
The import front-end processor receives the data request of the first security-level network and imports the data packet, performs unpacking checking, marking, encryption and repackaging on the data packet, and then transmits the packed data packet to the unidirectional transmission device;
The unidirectional transmission device receives the encapsulated data packet and transmits it to the import server;
And the import server receives the transmitted data packet, performs unpacking inspection, identification, decryption and repackaging, and transmits the data packet to the second security-level network.
2. The system of claim 1, wherein the data packets sent by the first security-level network have TCP/IP headers and comprise structured data from a database, IoT data originating from a message queue, and file data based on the FTP or WebDAV protocol, and the import front-end processor identifies the different types of data accordingly.
3. The system of claim 2, wherein the import front-end processor performs unpacking analysis after receiving the data packet, replaces the TCP/IP header of the data packet sent by the first security-level network with a private protocol, and encrypts and repackages the data.
4. The system of claim 3, wherein the import front-end processor and the import server are provided with optical gates.
5. The system of claim 4, wherein the import front end processor transmits the repackaged data packets to the unidirectional transmission device through the optical gate, and the unidirectional transmission device transmits the data packets to the import server through the optical gate according to a proprietary protocol of the data packets.
6. The system of claim 5, wherein the import server, after receiving the data packet transmitted from the optical gate, unpacks the data packet, restores the header of the data packet to a TCP/IP header packet, decrypts the data packet, repackages the restored header and the data, performs bidirectional authentication with the second security network based on the IP and MAC addresses, and transmits the data packet to the second security network.
7. The system for cross-domain transmission based on physical isolation according to claim 1, wherein the import front end processor and the import server perform access control on service call by setting security policy.
8. The system for cross-domain transmission based on physical isolation according to claim 6, wherein the import front-end processor determines different file types according to different identifiers, and stores the transmitted data in the second private network.
9. A method for cross-network, cross-domain transmission based on physical isolation, characterized in that the method is carried out on the system for cross-network, cross-domain transmission based on physical isolation according to any one of claims 1-8, and comprises the following steps:
S1, a first security-level network transmits data packets which need to be transmitted across networks to an import front-end processor;
S2, the import front-end processor receives the data request of the first security-level network and imports the data packet, performs unpacking and checking, marks, encrypts and repackages the data packet, and then transmits the packed data packet to the unidirectional transmission device;
S3, the unidirectional transmission device receives the encapsulated data packet and transmits it to the import server;
And S4, the import server receives the data packet transmitted by the unidirectional transmission device, performs unpacking inspection, identifier recognition, decryption and repackaging, and transmits the data packet to the second security-level network.
10. A computing system comprising a processor and a memory, the processor configured to perform the method of claim 9.
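An added example, not code from the patent or its applicant, of the framing the claims describe: the import front-end processor (claims 3 and 5) replaces the TCP/IP header with a private-protocol frame carrying a data-type identifier, the original header and the encrypted data under an authentication tag, and the import server (claim 6) verifies the tag before decrypting, rejects anything that is not a well-formed frame of a known type, and restores the TCP/IP header. The magic bytes, type codes, key handling and the HMAC-SHA256 counter-mode keystream standing in for a real cipher are all assumptions.

```python
import hashlib
import hmac
import os
import struct

# Constructed values: the patent names no magic bytes or type codes.
PRIVATE_MAGIC = b"XNET"                  # marks a private-protocol frame
TYPE_DB, TYPE_IOT, TYPE_FILE = 1, 2, 3   # data classes of claim 2
_NONCE_LEN, _TAG_LEN = 12, 32

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream (assumed stand-in for a real AEAD)."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def encapsulate(enc_key, mac_key, data_type, tcpip_header, payload):
    """Import front-end processor: replace the TCP/IP header with the private
    protocol, carry the header inside the encrypted body, then authenticate."""
    if data_type not in (TYPE_DB, TYPE_IOT, TYPE_FILE):
        raise ValueError("unknown data type")
    nonce = os.urandom(_NONCE_LEN)
    inner = struct.pack(">H", len(tcpip_header)) + tcpip_header + payload
    body = PRIVATE_MAGIC + bytes([data_type]) + nonce + _keystream_xor(enc_key, nonce, inner)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def decapsulate(enc_key, mac_key, frame):
    """Import server: verify the tag before decrypting, reject frames that are
    not well-formed private-protocol frames, then restore the TCP/IP header."""
    min_len = len(PRIVATE_MAGIC) + 1 + _NONCE_LEN + 2 + _TAG_LEN
    if len(frame) < min_len:
        raise ValueError("frame too short")
    body, tag = frame[:-_TAG_LEN], frame[-_TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    if body[:len(PRIVATE_MAGIC)] != PRIVATE_MAGIC:
        raise ValueError("not a private-protocol frame")
    data_type = body[len(PRIVATE_MAGIC)]
    if data_type not in (TYPE_DB, TYPE_IOT, TYPE_FILE):
        raise ValueError("unknown data type")
    nonce = body[5:5 + _NONCE_LEN]
    inner = _keystream_xor(enc_key, nonce, body[5 + _NONCE_LEN:])
    hlen = struct.unpack(">H", inner[:2])[0]
    header, payload = inner[2:2 + hlen], inner[2 + hlen:]
    if len(header) != hlen:
        raise ValueError("truncated header")
    return data_type, header, payload
```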

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311856248.3A CN117978447A (en) 2023-12-29 2023-12-29 System and method for cross-network and cross-domain transmission based on physical isolation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311856248.3A CN117978447A (en) 2023-12-29 2023-12-29 System and method for cross-network and cross-domain transmission based on physical isolation

Publications (1)

Publication Number Publication Date
CN117978447A true CN117978447A (en) 2024-05-03

Family

ID=90858870

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311856248.3A Pending CN117978447A (en) 2023-12-29 2023-12-29 System and method for cross-network and cross-domain transmission based on physical isolation

Country Status (1)

Country Link
CN (1) CN117978447A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination