CN201557119U - Isolation card device based on dual-port RAM - Google Patents
Isolation card device based on dual-port RAM Download PDFInfo
- Publication number
- CN201557119U CN201557119U CN2009201315709U CN200920131570U CN201557119U CN 201557119 U CN201557119 U CN 201557119U CN 2009201315709 U CN2009201315709 U CN 2009201315709U CN 200920131570 U CN200920131570 U CN 200920131570U CN 201557119 U CN201557119 U CN 201557119U
- Authority
- CN
- China
- Prior art keywords
- port ram
- isolation
- pci
- module
- card device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
Images
Abstract
The utility model relates to an isolation card device based on a dual-port RAM, which comprises two PCI card modules for connecting two mutually isolated networks, wherein the two PCI card modules are mutually connected through the dual-port RAM which is used for storing to-be-switched data between the two mutually isolated networks, and the two PCI card modules and the dual-port RAM are simultaneously connected to a complex programmable logical module which is used for leading local buses in the PCI card modules to realize bus match with the dual-port RAM and for realizing data ferry control logic. The existing isolation card devices are low in transmission efficiency and Ethernet switching chip mode or SCST controller mode can lead protocols to be incompletely isolated and development cycle to be long and complicated, the isolation card device based on the dual-port RAM can enhance the safe switch rate of network data and improve the safety control performance without changing original network typology and isolation function.
Description
Technical field
The utility model field of communication security more particularly, relates to a kind of isolation card device based on two-port RAM.
Background technology
In recent years, along with the quickening of China's informatization paces, " E-Government " arises at the historic moment, and is embodied as: industrial and commercial registration declares, declares dutiable goods on the net, declaration, fund project such as declare at the aspect on the net.In China's electronic government affairs system was built, outer net was connecting the numerous common people, and Intranet is connecting civil servant's desktop office, and private network is connecting governments at all levels' information system, and exchange message is basic demand between outer net, Intranet, private network.How under the prerequisite that guarantees Intranet and private network resource security, realize that convenient unimpeded, the resource-sharing of network from the common people to the government is the technical problem that must solve during electronic government affairs system is built.
Method commonly used at present is: manually isolate copy, fire compartment wall, viral detection and methods such as intrusion detection, isolation gap.
Artificial mode of isolating copy can be avoided the threats such as assault of untrusted network, however shortcoming isolated both sides and must the input personnel be participated in the work of data copy, management cost is higher; Frequent simultaneously floppy disk or other storage mediums of using increased virus, wooden horse propagation, brings new risk.
The mode of logic mechanisms such as fire compartment wall adopts measures such as packet filtering, network address translation, application level proxy that network is protected, and can limit source IP, purpose IP, service.But there is following limitation in this mode: a large amount of legal packets can cause network congestion because of fire compartment wall; Can't stop the invasion of initiating by the leak of puppy parc own; The defective of firewall system itself; The hidden danger that mis-arrange brings.
The pattern of virus scan and intrusion detection is based on the digital signature or the feature database of known viruse, by scanning file destination or memory, seeks and whether mates virus or intrusion behavior.Shortcoming is that sign slowly storehouse and feature database can't be caught up with attack development at full speed, thereby uses the security protection system is nowhere near
The hardware net safety measure that present isolation gap is adopted, mainly contain network electronic switch, network hard disc isolation card, their characteristics are an electronic switch to be set on the physical connection or two cover operating systems are installed on a station server, transfer of data and service processing are opened and closed by continuous switch or system switches and finishes, though this can ensure the safety of network, but message transmission rate is low, can not satisfy data transmission efficiency requirement in the big data quantity scene.
At the low problem of efficiency of transmission, existing technical scheme comprises direct employing Ethernet switching chip method or scsi controller method.Based on the isolation card device of Ethernet switching chip, though design is simpler, the intranet and extranet main frame does not need to develop special driver, directly adopts the TCP/IP stack to drive and gets final product, and defective is: agreement is isolated not thorough.Based on the spacer assembly that scsi controller is realized, its defective is: to the requirement height of hardware, thereby realize the cost height, realize that difficulty is big; Need mainboard expansion SCSI passage simultaneously, and programming needs to realize the scsi command standard, construction cycle length and complicated.
The utility model content
The technical problems to be solved in the utility model is, lowly adopt Ethernet switching chip method or scsi controller method and bring agreement to isolate thoroughly or the construction cycle is long and complicated defective at the above-mentioned efficiency of transmission of prior art, a kind of safety between two networks of isolating mutually that realizes is provided, efficiently, controllably carry out the isolation card device based on two-port RAM of exchanges data, to solve the defective of above-mentioned spacer assembly, on the basis that does not change legacy network topological structure and isolation features, improve the network data security exchange rate, and improve the security management and control performance.
The technical scheme that its technical problem that solves the utility model adopts is: construct a kind of isolation card device based on two-port RAM, it comprises two pci card modules that connect two networks of isolating mutually, described two pci card modules interconnect by being used to preserve the two-port RAM for the treatment of swap data between mutual isolation network, and described two pci card modules and two-port RAM are connected to one simultaneously and are used for the complex programmable logic module that bus is mated and realized data ferry-boat control logic between interior local bus of described pci card module and the described two-port RAM.
In isolation card device described in the utility model, described pci card module comprises that the local bus that is used for read-write operation switches between the pci bus and local bus in the described pci card module PCI/ local bus conversion chip module, is connected with described two-port RAM and complex programmable logic module by local bus expands the input and output accelerator module, expands the configuration storage module that the input and output accelerator module is connected the startup configuration parameter that is used to store described isolation card device with described local bus.
In isolation card device described in the utility model, described two-port RAM has two groups of separate address wires, data wire and control line port, and its inside comprises terminal logic, arbitrated logic and semaphore logic control.
In isolation card device described in the utility model, described two-port RAM includes four RAM, and described four RAM are divided into two one group, is read by described two pci card modules respectively.
In isolation card device described in the utility model, described complex programmable logic module receives the handshake of described local bus expansion input and output accelerator module, make computerized information transfer to local bus, wherein said complex programmable logic module has 3 the tunnel and imports 8 tunnel output decodings, is used to select four RAM and the built-in register of complex programmable logic module, judges that RAM is whether read-write and chooses address ram execution read-write operation.
In isolation card device described in the utility model, described complex programmable logic module is connected with described two-port RAM, is used for the Interrupt Process to described two-port RAM, produces to computer and interrupts.
Implement the isolation card device of the utility model based on two-port RAM, has following beneficial effect: provide the physical isolation that adopts high speed two-port RAM memory to realize network, can support the switch of nanosecond to suit frequency, speed of information exchange has very big flexibility, and theoretical speed can reach 1056Mb/s; Employing is solidified the integrality of hardware protection control logic and can not be changed, and promptly wherein the logic control of CPLD can't be modified; Adopt internal data path to use, non-formatted visit and no-protocol infiltration problem as just an intermediate storage medium; Adopt complete formative proprietary data form, or not thoroughly do not peel off general ICP/IP protocol, thereby greatly improve the high security of data " ferry-boat " passage by the basic media of any puppy parc conduct; Isolation card device based on the PCI system is provided, and Installation and Debugging are very easy.
Description of drawings
The utility model is described in further detail below in conjunction with drawings and Examples, in the accompanying drawing:
Fig. 1 is the structural representation of the utility model based on the isolation card device of two-port RAM;
Fig. 2 is the workflow diagram of the utility model based on the isolation card device of two-port RAM;
Fig. 3 A is that the A plate of operation two-port RAM is read the B plate and write schematic diagram;
Fig. 3 B is that the B plate of operation two-port RAM is read the A plate and write schematic diagram;
Fig. 4 is the hour hands sequential schematic diagram of the monocycle read-write of operation two-port RAM;
Fig. 5 is the hour hands sequential schematic diagram of the DMA read-write of operation two-port RAM.
Embodiment
In order to make technical problem to be solved in the utility model, technical scheme and beneficial effect clearer,, the utility model is further elaborated below in conjunction with drawings and Examples.Should be understood that specific embodiment described herein only in order to explanation the utility model, and be not used in qualification the utility model.
As shown in Figure 1, there is shown the isolation card device of the utility model based on two-port RAM.Shown isolation card device comprises two pci card modules 7 that connect two networks of isolating mutually, two pci card modules 7 interconnect by being used to preserve the two-port RAM 2 (being double-port RAM) for the treatment of swap data between mutual isolation network, and two pci card modules 7 and two-port RAM 2 are connected to one simultaneously and are used in the pci card module 7 bus coupling between the local bus and two-port RAM 2 and realize the ferry complex programmable logic module 1 (being CPLD) of control logic of data.
Wherein, complex programmable logic module (CPLD) the 1st, the control unit of whole hardware circuit, comprise to the response of local bus signal judgment, to the control of PCI local bus arbitration, local bus expansion input and output accelerators (being PCI9054) 3 are sent handshake, read-write is also judged in select target double-port random stored memory module (RAM) 2 addresses, realizes from coupling of the bus between bus expansion slot bus (PCI BUS) 5 and the double-port random stored memory module (RAM) 2 and data ferry-boat control logic.Complex programmable logic module 1 is connected with two-port RAM 2, is used for two-port RAM 2 is done Interrupt Process, produces to computer and interrupts.
Double-port random stored memory module (RAM) 2 is used to preserve data to be exchanged between mutual isolation network, and it allows two-port (promptly a left side is with right) to read while write data.Wherein each port has separately independently control signal wire, address wire and data wire, but zero access data (minimum access time is 15ns) are supported to be used with most of high speed processors, and be need not to insert wait state; It has the Master/slave control pin, but extension storage capacity and data bit width; It has the concentrator marker function, can constitute the multiple interfaces form when data transmit; The time relationship (arbitrated logic) that the control logic that comprises in the sheet has solved signal relation (being interrupt logic) between the processor, two CPU when using a same address and block storage is assigned to certain hardware supports (semaphore logic) is on one side temporarily guaranteed correctly carrying out of data between the two-shipper, signal communication.
Local bus expansion input and output accelerators (PCI9054) 3 are used to produce handshake, have optional Serial E PROM interface, and its local bus clock can be asynchronous with pci clock.There are 6 kinds of programmable FIFO PC9054 inside, to realize the asynchronous transmission operation between zero-waiting burst transfer and local address bus module 4 (being LOCALBUS) and the bus expansion slot bus (PCI BUS) 5.This local bus expansion input and output accelerator 3 supports holotypes, from pattern, DMA transmission means.In addition, configuration storage module (EPROM) 6 is used to store the startup configuration parameter of above-mentioned Network Isolation card device.
Two-port RAM 2 includes four RAM, and four RAM are divided into two one group, are read by above-mentioned two pci card modules 7 respectively.Complex programmable logic module 1 receives the handshake of local bus expansion input and output accelerator 3, make computer data information transfer to local bus, wherein complex programmable logic module 1 has 3 the tunnel and imports 8 tunnel output decodings, is used to select the built-in register 1 of four RAM and complex programmable logic module, judges that RAM is whether read-write and chooses address ram execution read-write operation.
As shown in Figure 2, there is shown the workflow diagram of the utility model based on the isolation card device of two-port RAM.At step S1, the external data bag through behind the PCI9054, transfers to local bus A4 from pci bus 5, comprising following substep:
S11, PCI9054 produce handshake, comprise at least: local bus (i.e. " LHOLD ") signal, the last transmission signal of bus access (i.e. " BLAST ") are used in application; And be sent on the CPLD 1, go to next step S12 then;
The response that S12, CPLD 1 make according to current local bus 4 states, and judge whether LocalBus can transmit, promptly whether effective (ADS) signal in test address is low level at least, changes S13;
S13, if the signal that CPLD 1 responds meets the write condition of local bus 4 agreements, just the ADS signal is a low level, and when being high level, then PCI9054 transfers to local bus 4 with data from pci bus 5 to read-write (i.e. " LW/R "), and change S15, otherwise change S14;
S14, if the signal that CPLD 1 responds does not meet the write condition of local bus 4 agreements, promptly be in readable state, PCI9054 no longer asks local bus, changes S15;
S15, PCI9054 transfer idle condition to.
At step S2, data on the local bus 4 as after the described judgement of step S1, are transferred to the space of appointment two-port RAM 2 through complex programmable logic module (CPLD) 1, comprising following substep:
S21, isolation card device by the sign of CPLD 1 internal state register judge two-port RAM 2 whether readable writing (0 is busy condition, 1 is read-write state), the decoder of 8 outputs of shared one 3 inputs of RAM chip selection signal and read status register marking signal.Wherein two-port RAM is divided into 2 groups in advance, and has preset the reading and writing constraint, specifically describes down:
During the break-make of isolation card device of the present utility model information between isolation network A and network B, in the information Control process of portion, following several situation can appear within it:
(1) network A is read, and network B writes simultaneously;
(2) network A is read, and network B is read simultaneously;
(3) network A writes, and network B writes simultaneously;
(4) network A writes, and network B is read simultaneously.
Realize real in logic isolation fully, the information that realizes network A is when the read-write of two-port RAM 2, and network B can not be read and write two-port RAM simultaneously.
As shown in Figure 3A, R1 and the R2 of 4 RAM in the two-port RAM is divided into one group, this group only is responsible for being derived from the write operation requests and the network B of the information of network A can carry out the read operation request.Simultaneously, shown in Fig. 3 B, R3 and R4 are divided into one group, this group only is responsible for being derived from the data write operation request and the network A execution read operation request of network B.
If S22 meets the read-write condition, then CPLD 1 selected RAM 2, and commentaries on classics S23, otherwise change S25; Selected RAM is determined by the chip selection signal in the request code;
S23, described isolation card device are selected corresponding RAM 2 addresses, and change S24; Above-mentioned address is an address data memory, is determined by the address wire signal of local bus 4;
S24, described isolation card device carry out write operation or read operation to the selected address space of the RAM 2 that chooses, and read-write operation determines that by the level of the 15th of address wire high level is write, and low level is read;
S25, as can not reading and writing, CPLD 1 then handle other threads.
At step S3, the interrupt operation of CPLD 1 control two-port RAM 2 read-writes realizes the isolated operation function, comprising following substep:
After one end of S31, two-port RAM 2 has been write data, write latter two unit; The other end of two-port RAM 2 produces and interrupts (interrupt signal for low level time trigger interrupt), and rewrites the relevant indicating bit of CPLD 1 status register; Be masked as readablely as read-write, change S32;
Whether an end that obtains above-mentioned interruption on S32, the two-port RAM 2 detects and can read according to CPLD 1 status register; If can read, then data are read (system regulation, the maximum length of each read-write is the 2K byte), read latter two memory cell of two-port RAM 2 at last again, read latter two memory cell and can trigger automatic removing and interrupt sign;
S33, CPLD 1 test interrupt signal after be high level, is rewritten the relevant indicating bit of status register, as puts to read and write and be masked as and can write.
As shown in Figure 4, be the monocycle read-write sequence figure of operation two-port RAM of the present utility model, as shown in Figure 5, be the DMA multicycle read-write sequence figure of operation two-port RAM of the present utility model.Its leg signal control is described below:
| Leg signal | The signal controlling explanation |
| LHOLD | Input signal, local bus is used in application. |
| LHOLDA | Input signal is replied LHOLD. |
| ADS | Output signal is represented the beginning of new bus access effective address.First time cycle at bus access is provided with. |
| BLAST | Output signal, the last transmission of expression bus access. |
| LW/R | Output signal, high level is represented write operation, low level is represented read operation. |
| LA | Address wire. |
| LD | Data wire |
| READY | Output signal, on the expression bus read data effectively or write data finish.In order to connect |
Table 1
The above only is preferred embodiment of the present utility model; not in order to restriction the utility model; any modification of being done within every spirit of the present utility model and the principle, be equal to and replace and improvement etc., all should be included within the protection range of the present utility model.
Claims (5)
1. isolation card device based on two-port RAM, it is characterized in that, comprise two pci card modules that connect two networks of isolating mutually, described two pci card modules interconnect by being used to preserve the two-port RAM for the treatment of swap data between mutual isolation network, and described two pci card modules and two-port RAM are connected to one simultaneously and are used for the complex programmable logic module that bus is mated and realized data ferry-boat control logic between interior local bus of described pci card module and the described two-port RAM.
2. isolation card device according to claim 1, it is characterized in that described pci card module comprises that the local bus that is used for read-write operation switches between the pci bus and local bus in the described pci card module PCI/ local bus conversion chip module, is connected with described two-port RAM and complex programmable logic module by local bus expands the input and output accelerator module, expands the configuration storage module that the input and output accelerator is connected the startup configuration parameter that is used to store described isolation card device with described local bus.
3. isolation card device according to claim 1 is characterized in that, described two-port RAM has two groups of separate address wires, data wire and control line port, and its inside comprises terminal logic, arbitrated logic and semaphore logic control.
4. isolation card device according to claim 3 is characterized in that, described two-port RAM includes four RAM, and described four RAM are divided into two one group, is read and write by described two pci card modules respectively.
5. isolation card device according to claim 1 is characterized in that, described complex programmable logic module is connected with described two-port RAM, is used for the Interrupt Process to described two-port RAM, produces to computer and interrupts.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009201315709U CN201557119U (en) | 2009-05-08 | 2009-05-08 | Isolation card device based on dual-port RAM |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009201315709U CN201557119U (en) | 2009-05-08 | 2009-05-08 | Isolation card device based on dual-port RAM |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN201557119U true CN201557119U (en) | 2010-08-18 |
Family
ID=42616808
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2009201315709U Expired - Lifetime CN201557119U (en) | 2009-05-08 | 2009-05-08 | Isolation card device based on dual-port RAM |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN201557119U (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102611689A (en) * | 2011-12-21 | 2012-07-25 | 成都众询科技有限公司 | Network isolation device |
| CN107766269A (en) * | 2017-10-18 | 2018-03-06 | 深圳市亿威尔信息技术股份有限公司 | One kind isolation switch and method |
| CN111818092A (en) * | 2020-08-14 | 2020-10-23 | 苏州海德汛互联网技术有限公司 | Network security physical isolator and information exchange method |
-
2009
- 2009-05-08 CN CN2009201315709U patent/CN201557119U/en not_active Expired - Lifetime
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102611689A (en) * | 2011-12-21 | 2012-07-25 | 成都众询科技有限公司 | Network isolation device |
| CN107766269A (en) * | 2017-10-18 | 2018-03-06 | 深圳市亿威尔信息技术股份有限公司 | One kind isolation switch and method |
| CN111818092A (en) * | 2020-08-14 | 2020-10-23 | 苏州海德汛互联网技术有限公司 | Network security physical isolator and information exchange method |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US6078970A (en) | System for determining adapter interrupt status where interrupt is sent to host after operating status stored in register is shadowed to host memory | |
| CN103064805B (en) | SPI controller and communication means | |
| US9052829B2 (en) | Methods and structure for improved I/O shipping in a clustered storage system | |
| CN103269284B (en) | The catching method of real-time network data | |
| CN103150279B (en) | Method allowing host and baseboard management controller to share device | |
| JP2005228311A (en) | Bus system based on open type core protocol | |
| WO2012143953A2 (en) | Optimized multi-root input output virtualization aware switch | |
| CN101267361A (en) | A high-speed network data packet capturing method based on zero duplication technology | |
| US8990451B2 (en) | Controller for direct access to a memory for the direct transfer of data between memories of several peripheral devices, method and computer program enabling the implementation of such a controller | |
| CN102541791A (en) | Data transferring apparatus and control method thereof | |
| CN102375797A (en) | Bus system and bridge circuit connecting bus system and connection apparatus | |
| CN108228492A (en) | A kind of multichannel DDR intertexture control method and device | |
| CN103399830A (en) | Equipment and method for reading computer physical memory through PCI Express bus | |
| CN103973476A (en) | Gateway, and gateway hot backup system and method | |
| JP2009217813A (en) | Data transfer between devices in integrated circuit | |
| CN201557119U (en) | Isolation card device based on dual-port RAM | |
| JP2016535483A (en) | Network interface | |
| CN106844263B (en) | Configurable multiprocessor-based computer system and implementation method | |
| EP2538335A2 (en) | Apparatus and method for sharing i/o device | |
| WO2016201983A1 (en) | Method and device for managing enablement state of optical module | |
| CN104102550A (en) | Method for communicating among multiple host machine processes | |
| CN103995789B (en) | A kind of direct memory access realizes system and method | |
| CN104170307B (en) | Failover methods, devices and systems | |
| US20120239826A1 (en) | System authorizing direct data transfers between memories of several components of that system | |
| CN105634635A (en) | Real-time clock (RTC) sharing method, device and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee |
Owner name: SHENZHEN YONGDA ELECTRONIC INFORMATION CO., LTD. Free format text: FORMER NAME: SHENZHEN RONGDA ELECTRONICS CO., LTD. |
|
| CP03 | Change of name, title or address |
Address after: Three D301-309 room, building 518000, building D, Shenzhen Institute of Aerospace Science and technology, No. 6 South ten road, Nanshan District, Shenzhen, Guangdong, China Patentee after: Shenzhen Yongda electronic Touchplus information Corp Address before: 518057 Shenzhen Aerospace Science and Technology Innovation Research Institute, South ten road, Nanshan District science and technology, Guangdong, Shenzhen D301-D309 Patentee before: Shenzhen Rongda Electronics Co., Ltd. |
|
| CX01 | Expiry of patent term |
Granted publication date: 20100818 |
|
| CX01 | Expiry of patent term |