CN206294204U - FPGA-based data isolation physical card - Google Patents
Abstract
The utility model provides an FPGA-based data isolation physical card comprising data isolation card I, data isolation card II, an arbitration card, memory II, memory I, mainboard II and mainboard I. Memory II is connected to data isolation card II. Data isolation card II is connected to mainboard II, the arbitration card and data isolation card I respectively. Memory I is connected to data isolation card I. Data isolation card I is connected to mainboard I and the arbitration card respectively. Mainboard II and mainboard I are FPGA modules; each FPGA module mainly uses an FPGA chip as its processor, and input and output data are detected and filtered in the FPGA chip using data capture and data filtering methods. The data capture and data filtering methods apply secondary filtering to input and output data with reference to the industrial protocols commonly used on existing power-industry Ethernet, which strengthens data isolation in power control systems.
Description
Technical field
The utility model relates to the field of data isolation, and in particular to an FPGA-based data isolation physical card.
Background
In recent years the number of attacks on power control systems has increased year after year and the attack methods have become more complex. Because industrial control systems are comparatively fragile, the power system's original information security principle of emphasizing physical isolation over access control and filtering faces a significant challenge. At the same time, the power system's priority on real-time operation and the practical economic interest in business continuity make traditional information security measures difficult to implement in the industrial control field.
In addition, the network intrusion prevention products currently available in China come in many categories, are expensive, require highly specialized deployment and demand a high level of professional knowledge from the user, and most of their functions were not developed with the characteristics of power systems in mind. A dedicated data isolation card therefore needs to be developed for the specific requirement, so that each field uses a data isolation card suited to it, the isolated data is more secure, and installation and use are simpler. For these reasons, a physical card product based on FPGA technology that combines power Ethernet communication technology with intrusion prevention technology needs to be developed.
Summary of the utility model
The purpose of the utility model is to provide an FPGA-based data isolation physical card that solves the technical problem of the relatively weak data isolation performance of existing power control systems.
To achieve the above purpose, the utility model provides an FPGA-based data isolation physical card comprising data isolation card I, data isolation card II, an arbitration card, memory II, memory I, mainboard II and mainboard I. Memory II is connected to data isolation card II. Data isolation card II is connected to mainboard II, the arbitration card and data isolation card I respectively. Memory I is connected to data isolation card I. Data isolation card I is connected to mainboard I and the arbitration card respectively.
Data isolation card I comprises two-way data channel switch I, arbitration request control logic circuit I, mainboard interface I and single data channel switch I. One end of two-way data channel switch I is connected to memory I and the other end to data isolation card II. One end of arbitration request control logic circuit I is connected to the arbitration card and the other end to mainboard interface I. One end of single data channel switch I is connected to memory I and the other end to mainboard interface I. Mainboard interface I is connected to mainboard I.
Data isolation card II comprises single data channel switch II, mainboard interface II, arbitration request control logic circuit II and two-way data channel switch II. One end of single data channel switch II is connected to memory II and the other end to mainboard interface II. One end of two-way data channel switch II is connected to memory II and the other end to two-way data channel switch I in data isolation card I. One end of arbitration request control logic circuit II is connected to the arbitration card and the other end to mainboard interface II. Mainboard interface II is connected to mainboard II.
The arbitration card comprises an arbitration control logic circuit. The arbitration control logic circuit is connected by two wires to two-way data channel switch I and two-way data channel switch II respectively.
In the above scheme, mainboard II and mainboard I are preferably FPGA modules; each FPGA module mainly uses an FPGA chip as its processor, and input and output data are detected and filtered in the FPGA chip using data capture and data filtering methods.
In the above scheme, the data capture and data filtering methods preferably apply secondary filtering to input and output data with reference to the industrial protocols commonly used on existing power-industry Ethernet.
In the above scheme, the industrial protocol commonly used on power-industry Ethernet is preferably the power-industry Ethernet switch technical specification DL/T 1241-2013.
In the above scheme, mainboard interface I and mainboard interface II are preferably PCIE interfaces, which are used to implement duplex data communication.
In the above scheme, memory II and memory I are preferably DDR data memories.
The utility model has the following advantages:
1. Mainboard II and mainboard I are FPGA modules; each FPGA module mainly uses an FPGA chip as its processor, and input and output data are detected and filtered in the FPGA chip using data capture and data filtering methods. The data capture and data filtering methods apply secondary filtering to input and output data with reference to the industrial protocols commonly used on existing power-industry Ethernet, so that data filtering is more secure.
2. The utility model uses hardware switches to select the data transmission channel. PCIE data transfer and optical fiber data transmission are time-shared, and only one transmission can take place at any given time, so that data transfer is more secure.
3. The arbitration card implements the arbitration logic control, ensures that every request from an isolation card is fully responded to, and, when card A and card B apply at the same time, handles card A first. The optical fiber in a single isolation card can only receive data or send data at any given time.
In addition to the purposes, features and advantages described above, the utility model has other purposes, features and advantages. The utility model is described in further detail below with reference to the drawing.
Brief description of the drawings
The accompanying drawing, which forms part of this application, is provided for further understanding of the utility model. The schematic embodiments of the utility model and their description are used to explain the utility model and do not unduly limit it. In the drawing:
Fig. 1 is a structural block diagram of the preferred embodiment of the utility model.
Legend:
A, data isolation card I; B, data isolation card II; C, arbitration card; 1, memory II; 2, single data channel switch II; 3, mainboard interface II; 4, mainboard II; 5, arbitration request control logic circuit II; 6, two-way data channel switch II; 7, arbitration control logic circuit; 8, two-way data channel switch I; 9, arbitration request control logic circuit I; 10, mainboard I; 11, mainboard interface I; 12, single data channel switch I; 13, memory I.
Detailed description
Embodiments of the utility model are described in detail below with reference to the drawing, but the utility model can be implemented in many different ways as defined and covered by the claims.
An FPGA-based data isolation physical card, as shown in Fig. 1, comprises data isolation card I (A), data isolation card II (B), arbitration card (C), memory II (1), memory I (13), mainboard II (4) and mainboard I (10). Memory II (1) is connected to data isolation card II (B), which is the functional isolation card for the data transfer of memory II (1). Memory II (1) mainly stores temporarily the data coming in from the external network. Data isolation card II (B) is connected to mainboard II (4), arbitration card (C) and data isolation card I (A) respectively. Mainboard II (4) mainly detects and filters the data or instructions coming in from the external network and, when the detection result is safe, notifies arbitration card (C) to release the incoming data, which is then passed on to data isolation card I (A). Memory I (13) is connected to data isolation card I (A). Memory I (13) temporarily stores the data or instructions that the internal network needs to send out, and data isolation card I (A) is the functional isolation card for the data transfer of memory I (13). Data isolation card I (A) is connected to mainboard I (10) and arbitration card (C) respectively. Mainboard I (10) detects and filters the data that the internal network needs to send out and, when the detection result is safe, notifies arbitration card (C) to release the incoming data, which is then passed on to data isolation card II (B).
Memory II (1) and memory I (13) are DDR data memories, which have the advantages of fast data storage speed and long service life.
Mainboard II (4) and mainboard I (10) are FPGA modules; each FPGA module mainly uses an FPGA chip as its processor, and input and output data are detected and filtered in the FPGA chip using data capture and data filtering methods. The data capture and data filtering methods apply secondary filtering to input and output data with reference to the industrial protocols commonly used on existing power-industry Ethernet, so that data isolation is more secure. The industrial protocol commonly used on power-industry Ethernet is the power-industry Ethernet switch technical specification DL/T 1241-2013, or another common industrial protocol used on power-industry Ethernet; different protocols are used for different power control systems.
As shown in Fig. 1, data isolation card I (A) comprises two-way data channel switch I (8), arbitration request control logic circuit I (9), mainboard interface I (11) and single data channel switch I (12). One end of two-way data channel switch I (8) is connected to memory I (13). Two-way data channel switch I (8) mainly receives the data sent from the internal network after it has been temporarily stored in memory I (13) and passes it on to data isolation card II (B). The other end of two-way data channel switch I (8) is connected to data isolation card II (B), mainly to carry out the data transmission. Two-way data channel switch I (8) can only send or receive data at any one time, not both; it mainly acts as a checkpoint and is controlled by arbitration card (C). One end of arbitration request control logic circuit I (9) is connected to arbitration card (C). Arbitration request control logic circuit I (9) receives the data detection and filtering result passed in from mainboard interface I (11), and two-way data channel switch I (8) is turned on or off according to that result. The other end of arbitration request control logic circuit I (9) is connected to mainboard interface I (11) and receives the result data that mainboard interface I (11) sends out. One end of single data channel switch I (12) is connected to memory I (13) and the other end to mainboard interface I (11). When memory I (13) has internal network data stored, single data channel switch I (12) opens and the data is passed through mainboard interface I (11) to mainboard I (10) for detection and filtering. Mainboard interface I (11) is connected to mainboard I (10); mainboard interface I (11) is a PCIE interface and implements the duplex communication of mainboard I (10).
As shown in Fig. 1, data isolation card II (B) comprises single data channel switch II (2), mainboard interface II (3), arbitration request control logic circuit II (5) and two-way data channel switch II (6). One end of single data channel switch II (2) is connected to memory II (1) and the other end to mainboard interface II (3). When memory II (1) has internal network data stored, single data channel switch II (2) opens and the data is passed through mainboard interface II (3) to mainboard II (4) for detection and filtering. One end of two-way data channel switch II (6) is connected to memory II (1) and the other end to two-way data channel switch I (8) in data isolation card I (A). Two-way data channel switch II (6) turns on or off according to the control instruction passed in from arbitration card (C); it receives the data transmitted by data isolation card I (A) and passes it to memory II (1), and it receives the data transmitted by memory II (1) and passes it on to data isolation card I (A). One end of arbitration request control logic circuit II (5) is connected to arbitration card (C) and the other end to mainboard interface II (3). Arbitration request control logic circuit II (5) receives the data detection result passed in from mainboard interface II (3) and forwards it to arbitration card (C). Mainboard interface II (3) is connected to mainboard II (4); mainboard interface II (3) is a PCIE interface and implements the duplex communication of mainboard I (10).
Arbitration card (C) comprises arbitration control logic circuit (7). Arbitration control logic circuit (7) is connected by two wires to two-way data channel switch I (8) and two-way data channel switch II (6) respectively. Arbitration control logic circuit (7) mainly acts as the switch controller: it controls the opening and closing of two-way data channel switch II (6) and two-way data channel switch I (8).
Working principle of the utility model:
As shown in Fig. 1, when data comes in from the external network, it is temporarily stored in memory II (1). Memory II (1) notifies single data channel switch II (2) to open, and the external network data is passed through mainboard interface II (3) to mainboard II (4). Mainboard II (4) performs data capture and data filtering on the external network data, and the detection result is finally passed through mainboard interface II (3) to arbitration request control logic circuit II (5). Arbitration request control logic circuit II (5) then applies to arbitration control logic circuit (7), which acts according to the detection result data. When the result data is qualified, arbitration control logic circuit (7) sets two-way data channel switch II (6) to send mode and two-way data channel switch I (8) to receive mode; the data travels from memory II (1) through two-way data channel switch II (6) and two-way data channel switch I (8) to memory I (13) and enters the internal network, completing the isolated transmission of data from the external network to the internal network.
When data comes in from the internal network, it is temporarily stored in memory I (13). Memory I (13) notifies single data channel switch I (12) to open, and the internal network data is passed through mainboard interface I (11) to mainboard I (10). Mainboard I (10) performs data capture and data filtering on the internal network data, and the detection result is finally passed through mainboard interface I (11) to arbitration request control logic circuit I (9). Arbitration request control logic circuit I (9) then applies to arbitration control logic circuit (7), which acts according to the detection result data. When the result data is qualified, arbitration control logic circuit (7) sets two-way data channel switch I (8) to send mode and two-way data channel switch II (6) to receive mode; the data travels from memory I (13) through two-way data channel switch I (8) and two-way data channel switch II (6) to memory II (1) and enters the external network, completing the isolated transmission of data from the internal network to the external network.
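The working principle above, restated as a behavioural model in Python: buffer, inspect, apply for arbitration, then open the two-way switches in one direction only, with card A served first on a simultaneous request. This is an added example, not code or circuitry from the patent; the `allow_listed` policy, the frame fields and the choice to discard frames that fail inspection are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Mode(Enum):
    CLOSED = "closed"
    SEND = "send"
    RECEIVE = "receive"


ALLOWED_KINDS = {"telemetry", "setpoint_ack"}  # hypothetical allow-list, not from the patent


def allow_listed(frame: dict) -> bool:
    """Stand-in for the mainboard's capture-and-filter step (assumed policy)."""
    return frame.get("kind") in ALLOWED_KINDS and len(frame.get("body", b"")) <= 256


@dataclass
class IsolationCard:
    name: str
    inspect: Callable[[dict], bool]               # plays the role of the FPGA mainboard
    memory: list = field(default_factory=list)    # temporary store (memory I / II)
    released: list = field(default_factory=list)  # frames handed to this card's own network
    requests: list = field(default_factory=list)  # (frame, verdict) waiting for the arbiter
    two_way_switch: Mode = Mode.CLOSED

    def ingest(self, frame: dict) -> None:
        """Buffer a frame, inspect it over the single channel, then apply for arbitration."""
        self.memory.append(frame)
        self.requests.append((frame, self.inspect(frame)))


class ArbitrationCard:
    def __init__(self, card_a: IsolationCard, card_b: IsolationCard):
        self.card_a, self.card_b = card_a, card_b
        self.switch_log = []  # (mode of A, mode of B) recorded at every grant

    def step(self):
        """Serve one request; card A is checked first, so it wins a simultaneous request."""
        for src, dst in ((self.card_a, self.card_b), (self.card_b, self.card_a)):
            if not src.requests:
                continue
            frame, verdict = src.requests.pop(0)
            src.memory.remove(frame)
            if not verdict:
                # Assumption: a frame that fails inspection is discarded; switches stay closed.
                return (src.name, "blocked")
            src.two_way_switch, dst.two_way_switch = Mode.SEND, Mode.RECEIVE
            self.switch_log.append((self.card_a.two_way_switch, self.card_b.two_way_switch))
            dst.released.append(frame)  # via the peer's memory into the peer's network
            src.two_way_switch = dst.two_way_switch = Mode.CLOSED
            return (src.name, "forwarded")
        return None


def demo():
    """Constructed traffic: B (external side) and A (internal side) apply at the same time."""
    card_a = IsolationCard("A", allow_listed)
    card_b = IsolationCard("B", allow_listed)
    arbiter = ArbitrationCard(card_a, card_b)
    card_b.ingest({"kind": "telemetry", "body": b"v=231.4"})
    card_a.ingest({"kind": "setpoint_ack", "body": b"ok"})
    card_b.ingest({"kind": "firmware_push", "body": b"\x00" * 16})
    results = []
    while (outcome := arbiter.step()) is not None:
        results.append(outcome)
    return results, card_a, card_b, arbiter


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

The `switch_log` entries are the property worth checking in a real design review: at no grant are both two-way switches in send mode, and a failed inspection never produces a grant at all.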
The above is only the preferred embodiment of the utility model and does not limit the utility model. For those skilled in the art, the utility model may be modified and varied in many ways. Any modification, equivalent substitution or improvement made within the spirit and principle of the utility model shall fall within the scope of protection of the utility model.
Claims (5)
- 1. An FPGA-based data isolation physical card, characterized in that it comprises data isolation card I (A), data isolation card II (B), arbitration card (C), memory II (1), memory I (13), mainboard II (4) and mainboard I (10); the memory II (1) is connected to data isolation card II (B); the data isolation card II (B) is connected to mainboard II (4), arbitration card (C) and data isolation card I (A) respectively; the memory I (13) is connected to data isolation card I (A); the data isolation card I (A) is connected to mainboard I (10) and arbitration card (C) respectively; the data isolation card I (A) comprises two-way data channel switch I (8), arbitration request control logic circuit I (9), mainboard interface I (11) and single data channel switch I (12); one end of the two-way data channel switch I (8) is connected to memory I (13) and the other end to data isolation card II (B); one end of the arbitration request control logic circuit I (9) is connected to arbitration card (C) and the other end to mainboard interface I (11); one end of the single data channel switch I (12) is connected to memory I (13) and the other end to mainboard interface I (11); the mainboard interface I (11) is connected to mainboard I (10); the data isolation card II (B) comprises single data channel switch II (2), mainboard interface II (3), arbitration request control logic circuit II (5) and two-way data channel switch II (6); one end of the single data channel switch II (2) is connected to memory II (1) and the other end to mainboard interface II (3); one end of the two-way data channel switch II (6) is connected to memory II (1) and the other end to the two-way data channel switch I (8) in data isolation card I (A); one end of the arbitration request control logic circuit II (5) is connected to arbitration card (C) and the other end to mainboard interface II (3); the mainboard interface II (3) is connected to mainboard II (4); the arbitration card (C) comprises arbitration control logic circuit (7); the arbitration control logic circuit (7) is connected by two wires to two-way data channel switch I (8) and two-way data channel switch II (6) respectively.
- 2. The FPGA-based data isolation physical card according to claim 1, characterized in that the mainboard II (4) and mainboard I (10) are FPGA modules.
- 3. The FPGA-based data isolation physical card according to claim 2, characterized in that the industrial protocol commonly used on power-industry Ethernet is the power-industry Ethernet switch technical specification DL/T 1241-2013.
- 4. The FPGA-based data isolation physical card according to claim 1, characterized in that the mainboard interface I (11) and mainboard interface II (3) are PCIE interfaces, and the PCIE interfaces are used to implement duplex data communication.
- 5. The FPGA-based data isolation physical card according to claim 1, characterized in that the memory II (1) and memory I (13) are DDR data memories.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201621389321.6U CN206294204U (en) | 2016-12-16 | 2016-12-16 | FPGA-based data isolation physical card |
Publications (1)
Publication Number | Publication Date |
---|---|
CN206294204U (en) | 2017-06-30 |