CN207083114U - A kind of data one-way transmission apparatus between two security domain networks - Google Patents
- Publication number: CN207083114U
- Application number: CN201720639619.6U
- Authority: CN (China)
- Prior art keywords: data, security domain, network, way transmission, transmission apparatus
- Legal status: Active
- Landscapes: Small-Scale Networks (AREA), Data Exchanges In Wide-Area Networks (AREA)
Abstract
The utility model discloses a data one-way transmission apparatus between two security domain networks. In the first security domain network a data entry device is provided, communicatively connected with the terminals in that network; in the second security domain network a data exit device is provided, communicatively connected with the terminals in that network. The data entry device and the data exit device are communicatively connected through an optical one-way transmission channel, and one-way data transfer is carried out over that channel using a private data transfer protocol. Inside the apparatus, data can only flow from the data entry device of the first security domain network to the data exit device of the second security domain network; this cannot be altered by any physical switch or software setting, and there is no bypass by which data could flow from the data entry device to the data exit device other than via the optical one-way transmission channel. The possibility of external intrusion or attack by external viruses is thereby physically prevented, and the security of data transfer between the two security domain networks is effectively guaranteed.
Description
Technical field
The utility model relates to secure data transmission technology, and in particular to a data one-way transmission technology between two security domain networks.
Background technology
With the rapid development of industrial automation control, more and more industrial enterprises use their internal (or dedicated) networks to interconnect their process-specific equipment or industrial intelligent devices (Intelligent Electric Device, IED) into a production control system network. Because the connection uses an intranet or dedicated network that is physically isolated from outside interference, the internal systems of such industrial enterprises have good network security and can be regarded as security domain networks.
For industrial applications it is often necessary to transfer the industrial data of one security domain network to another security domain network, that is, to communicatively connect two or more industrial security domain networks, so that a central control system can supervise and control all the sub production control systems, or so that several sub production control systems can communicate with one another and form a larger production control system whose resources are controlled and used more optimally. The security of data transfer between two security domain networks then becomes the focus of attention.
Utility model content
The purpose of the utility model is to provide a data one-way transmission apparatus between two security domain networks, so that the security of data transfer between the two security domain networks is protected and the possibility of external intrusion, or of invasion and attack by external viruses, is physically prevented.
To solve the above technical problems, an embodiment of the utility model provides a data one-way transmission apparatus between two security domain networks. The first security domain network contains at least one first network terminal communicatively connected to it, and the second security domain network contains at least one second network terminal communicatively connected to it. The first security domain network includes a data entry device communicatively connected with the first network terminals in the first security domain network, and the second security domain network includes a data exit device communicatively connected with the second network terminals in the second security domain network. The data entry device and the data exit device are communicatively connected through an optical one-way transmission channel, and one-way data transfer from the data entry device to the data exit device is carried out over the optical one-way transmission channel using a private data transfer protocol.
Compared with the prior art, the embodiment of the utility model provides a data entry device in the first security domain network, communicatively connected with the first network terminals in the first security domain network, and a data exit device in the second security domain network, communicatively connected with the second network terminals in the second security domain network; the data entry device and the data exit device are communicatively connected through an optical one-way transmission channel, and one-way data transfer from the data entry device to the data exit device is carried out over that channel using a private data transfer protocol. Inside the data one-way transmission apparatus, data can only flow from the data entry device of the first security domain network to the data exit device of the second security domain network; this cannot be altered by any physical switch or software setting on the apparatus, and moreover there is no bypass that could let data flow from the data entry device to the data exit device other than via the optical one-way transmission channel. The possibility of external intrusion (illegal intrusion across security domains) or attack by external viruses is thus physically prevented, and the security of data transfer between the two security domain networks is effectively guaranteed.
As a further improvement, a data entry port is provided on the data entry device, through which the data entry device collects the data of the first network terminals in the first security domain network; the data entry port includes one or any combination of the following: a serial communication interface, an Ethernet interface, a USB interface, a fieldbus interface. The apparatus is thus compatible with the transfer of various kinds of data in different types of industrial network.
As a further improvement, the data entry port includes one or more physical interfaces.
As a further improvement, the data entry port carries out data acquisition using one communications protocol or several identical or different communications protocols; the communications protocols include at least industrial communications protocols or information-system communications protocols. The apparatus is thus better compatible with the transfer of various kinds of data in different types of industrial network.
As a further improvement, a data exit port is provided on the data exit device, through which the data exit device forwards the data to the second network terminals; the data exit port includes one or any combination of the following: a serial communication interface, an Ethernet interface, a USB interface, a fieldbus interface.
As a further improvement, the data exit port includes one or more physical interfaces.
As a further improvement, the data exit port carries out data forwarding using one communications protocol or several identical or different communications protocols; the communications protocols include at least industrial communications protocols or information-system communications protocols.
As a further improvement, the data entry device may include:
a data acquisition module that collects the data of the first network terminals in the first security domain network; a first protocol conversion module that converts the collected data from its original protocol to the private communications protocol; and a first optical network communication module that transmits the converted data over the optical one-way transmission channel.
The data exit device may include:
a second optical network communication module that receives data from the optical one-way transmission channel; a second protocol conversion module that converts the received data from the private communications protocol back to the original protocol; and a data forwarding module that forwards the converted data to the target second network terminal.
As a further improvement, the optical one-way transmission channel is formed by a data transmit port, a data receive port, and a single optical fibre connected between the data transmit port and the data receive port; the data transmit port is arranged on the data exit device, and the data receive port is arranged on the data entry device. This physically ensures that there is no bypass by which data could flow from the data entry device to the data exit device other than via the optical one-way transmission channel.
As a further improvement, the first optical network communication module is provided with the data transmit port and contains no data receive port; the second optical network communication module is provided with the data receive port and contains no data transmit port. The channel is thus physically guaranteed to carry one-way transmission only.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the data one-way transmission apparatus between two security domain networks according to a preferred embodiment of the utility model.
Embodiment
To make the purpose, technical solution and advantages of the utility model clearer, the embodiments of the utility model are explained in detail below with reference to the accompanying drawing. Those skilled in the art will understand, however, that many technical details are set out in each embodiment so that the reader can better understand the application; the technical solutions claimed in the application can nevertheless be realised without these technical details and with many variations and modifications of the embodiments below.
A preferred embodiment of the utility model relates to a data one-way transmission apparatus between two security domain networks.
In this embodiment, one-way data transfer between a first security domain network 10 and a second security domain network 20 is taken as the example. The first security domain network 10 includes multiple communicatively connected first network terminals (for example industrial intelligent devices, IEDs), and the second security domain network 20 includes multiple communicatively connected second network terminals (for example industrial intelligent devices, IEDs).
As shown in Fig. 1, the data one-way transmission apparatus includes a data entry device 101 arranged in the first security domain network 10, a data exit device 102 arranged in the second security domain network 20, and an optical one-way transmission channel 103 connected between the data entry device 101 and the data exit device 102.
Specifically, the data entry device 101 is communicatively connected with each first network terminal in the first security domain network 10, the data exit device 102 is communicatively connected with the second network terminals in the second security domain network 20, and the data entry device 101 and the data exit device 102 are communicatively connected through the optical one-way transmission channel 103, over which one-way data transfer from the data entry device 101 to the data exit device 102 is carried out using a private data transfer protocol. Inside the data one-way transmission apparatus, data can only flow from the data entry device of the first security domain network to the data exit device of the second security domain network; this cannot be altered by any physical switch or software setting on the apparatus, and moreover no bypass allows data to flow from the data entry device to the data exit device other than via the optical one-way transmission channel. The possibility of external intrusion or attack by external viruses is thus physically prevented, and the security of data transfer between the two security domain networks is effectively guaranteed.
The optical one-way transmission channel 103 is formed by a data transmit port, a data receive port, and a single optical fibre connected between the data transmit port and the data receive port; the data transmit port is arranged on the data exit device 102, and the data receive port is arranged on the data entry device 101. This can be realised with optical network communication modules: one optical network communication module is provided in each of the data entry device 101 and the data exit device 102. An optical communication module for conventional two-way communication contains both a data transmit port TX and a data receive port RX. In this embodiment, the first optical network communication module in the data entry device 101 contains only the data transmit port TX and no data receive port RX, and the second optical network communication module in the data exit device 102 contains only the data receive port RX and no data transmit port TX. The optical one-way transmission channel is thus composed of the TX port of the first optical network communication module of the data entry device 101, the RX port of the second optical network communication module of the data exit device 102, and the single optical fibre between them. This physically guarantees that the optical one-way transmission channel 103 can only transmit one way, and that physically there is no bypass by which data could flow from the data entry device to the data exit device other than via the optical one-way transmission channel.
As a further improvement, a data entry port A is provided on the data entry device 101, through which the data entry device 101 collects the data of the first network terminals in the first security domain network 10. Data entry port A can be any of the ports commonly used in industrial information networks, such as a serial communication interface (RS-232-C serial port, RS-422 serial port, RS485 serial port), an Ethernet interface, a USB interface, or other fieldbus interfaces. One data entry port (data entry port A) can include one or more than one physical interface. Data entry port A can carry out data acquisition using one communications protocol or several identical or different communications protocols; the communications protocols can include industrial communications protocols, information-system communications protocols, and so on.
A data exit port B is provided on the data exit device 102, through which the data exit device 102 forwards the data to the second network terminals. Data exit port B can likewise be any of the ports commonly used in industrial information networks, such as a serial communication interface (RS-232-C serial port, RS-422 serial port, RS485 serial port, etc.), an Ethernet interface, a USB interface, or other fieldbus interfaces. Data exit port B can equally include one or more physical interfaces. Correspondingly, data exit port B can carry out data forwarding using one communications protocol or several identical or different communications protocols; the communications protocols can include industrial communications protocols, information-system communications protocols, and so on.
The data one-way transmission apparatus is thus compatible with the transfer of all kinds of industrial data in different types of industrial information network.
As a further improvement, the data entry device 101 may further include:
a data acquisition module, for collecting the data of the first network terminals in the first security domain network;
a first protocol conversion module, for converting the collected data from its original protocol to the private communications protocol;
a first optical network communication module, for transmitting the converted data over the optical one-way transmission channel.
The data exit device 102 may further include:
a second optical network communication module, for receiving data from the optical one-way transmission channel;
a second protocol conversion module, for converting the received data from the private communications protocol back to the original protocol;
a data forwarding module, for forwarding the converted data to the target second network terminal.
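The TX-only/RX-only optical channel and the module chain described above (acquisition, conversion to the private protocol and optical transmit on the entry side; optical receive, conversion back and forwarding on the exit side), as an added simulation in Python that is not part of the patent or of any product built on it. The frame layout (`MAGIC`, sequence number, protocol id, length, CRC-32), the `PROTO_IDS` table and every class and function name are assumptions of this example: the patent says only that a private data transfer protocol is used and does not specify its format. What the example adds to the description is the consequence of having no return path: the exit device can neither acknowledge nor request a retransmission, so the private protocol has to carry a sequence number and an integrity check for the receiver to at least detect and count lost and corrupted frames.

```python
import collections
import struct
import zlib

# Constructed frame layout for the private data transfer protocol on the fibre
# (assumption: the patent names such a protocol but does not specify its format):
#   magic(3) | seq(4) | proto_id(1) | len(2) | payload | crc32(4)
# With no return path the exit device can never ask for a resend, so the sequence
# number and the CRC exist purely so that loss and corruption can be detected.
MAGIC = b"DD1"
HEADER = struct.Struct(">IBH")   # seq, proto_id, payload length
TRAILER = struct.Struct(">I")    # crc32 over magic + header + payload
MIN_FRAME = len(MAGIC) + HEADER.size + TRAILER.size

# Constructed identifiers for the source protocol a payload was collected with.
PROTO_IDS = {"industrial": 1, "information-system": 2}


def encode_frame(seq, proto_id, payload):
    """Convert source data into one private-protocol frame (first protocol conversion)."""
    body = MAGIC + HEADER.pack(seq, proto_id, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body))


def decode_frame(frame):
    """Reverse conversion (second protocol conversion); ValueError on any framing or integrity fault."""
    if len(frame) < MIN_FRAME or frame[:len(MAGIC)] != MAGIC:
        raise ValueError("bad framing")
    seq, proto_id, length = HEADER.unpack_from(frame, len(MAGIC))
    end = len(MAGIC) + HEADER.size + length
    if len(frame) != end + TRAILER.size:
        raise ValueError("length mismatch")
    if TRAILER.unpack_from(frame, end)[0] != zlib.crc32(frame[:end]):
        raise ValueError("crc mismatch")
    return seq, proto_id, frame[len(MAGIC) + HEADER.size:end]


class _TxPort:
    """Transmit-only handle: deliberately has no receive method (TX-only optical module)."""
    def __init__(self, fibre):
        self._fibre = fibre

    def send(self, frame):
        self._fibre.append(bytes(frame))


class _RxPort:
    """Receive-only handle: deliberately has no send method (RX-only optical module)."""
    def __init__(self, fibre):
        self._fibre = fibre

    def drain(self):
        while self._fibre:
            yield self._fibre.popleft()


class OpticalOneWayChannel:
    """One fibre between the entry device's TX-only module and the exit device's RX-only module."""
    def __init__(self):
        self.fibre = collections.deque()   # frames in flight, oldest first
        self.tx = _TxPort(self.fibre)
        self.rx = _RxPort(self.fibre)

    def is_one_way(self):
        """Structural check: the entry side cannot read and the exit side cannot write."""
        return not hasattr(self.tx, "drain") and not hasattr(self.rx, "send")


class DataEntryDevice:
    """Acquisition -> conversion to the private protocol -> transmit over the fibre."""
    def __init__(self, tx_port):
        self._tx = tx_port
        self._next_seq = 0

    def acquire_and_send(self, proto_name, raw):
        self._tx.send(encode_frame(self._next_seq, PROTO_IDS[proto_name], raw))
        self._next_seq += 1


class DataExitDevice:
    """Receive from the fibre -> conversion back -> forward to the target terminal."""
    def __init__(self, rx_port, forward):
        self._rx = rx_port
        self._forward = forward      # callable(proto_id, payload) standing in for the forwarding module
        self._expected_seq = 0
        self.corrupt = 0             # frames discarded because framing or CRC failed
        self.gaps = 0                # sequence numbers never delivered (lost or discarded frames)

    def pump(self):
        """Process everything currently on the fibre; returns the number of frames forwarded."""
        delivered = 0
        for frame in self._rx.drain():
            try:
                seq, proto_id, payload = decode_frame(frame)
            except ValueError:
                self.corrupt += 1    # drop it: there is no channel on which to ask for a resend
                continue
            if seq > self._expected_seq:
                self.gaps += seq - self._expected_seq
            self._expected_seq = seq + 1
            self._forward(proto_id, payload)
            delivered += 1
        return delivered


def run_demo():
    """Constructed end-to-end run: four readings, one frame damaged and one lost on the fibre."""
    channel = OpticalOneWayChannel()
    forwarded = []
    entry = DataEntryDevice(channel.tx)
    exit_dev = DataExitDevice(channel.rx, lambda pid, data: forwarded.append((pid, data)))
    for i, reading in enumerate([b"temp=21.5", b"pressure=3.1", b"flow=12", b"valve=open"]):
        entry.acquire_and_send("industrial" if i % 2 == 0 else "information-system", reading)
    # Fault injection on the fibre itself (test harness only, not a device capability):
    damaged = bytearray(channel.fibre[1])
    damaged[-5] ^= 0xFF               # flip the last payload byte of the second frame
    channel.fibre[1] = bytes(damaged)
    del channel.fibre[2]               # the third frame never arrives
    delivered = exit_dev.pump()
    return {"delivered": delivered, "corrupt": exit_dev.corrupt,
            "gaps": exit_dev.gaps, "forwarded": forwarded}


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` sends four readings, damages one frame and removes another on the simulated fibre, and reports two frames forwarded, one discarded as corrupt and two sequence gaps (the corrupt frame and the missing one). `is_one_way()` is the software analogue of fitting a TX-only and an RX-only optical module: the entry-side handle simply has no receive method and the exit-side handle no send method, so no code path on either device can turn the channel around.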
It should be noted that each module involved in this embodiment is a logic module; in practice, one logic unit can be one physical unit, a part of one physical unit, or a combination of several physical units. In addition, to highlight the innovative part of the utility model, units less closely related to solving the technical problem posed by the utility model are not introduced in this embodiment, but this does not mean that no other units exist in the embodiment.
Those skilled in the art will understand that the above embodiments are specific examples realising the utility model, and that in practice various changes can be made to them in form and detail without departing from the spirit and scope of the utility model.
Claims (10)
1. A data one-way transmission apparatus between two security domain networks, wherein the first security domain network contains at least one first network terminal communicatively connected to it and the second security domain network contains at least one second network terminal communicatively connected to it, characterised in that the first security domain network includes a data entry device communicatively connected with the first network terminals in the first security domain network, and the second security domain network includes a data exit device communicatively connected with the second network terminals in the second security domain network; the data entry device and the data exit device are communicatively connected through an optical one-way transmission channel, and one-way data transfer from the data entry device to the data exit device is carried out over the optical one-way transmission channel using a private data transfer protocol.
2. The data one-way transmission apparatus between two security domain networks according to claim 1, characterised in that a data entry port is provided on the data entry device, through which the data entry device collects the data of the first network terminals in the first security domain network;
the data entry port includes one or any combination of the following: a serial communication interface, an Ethernet interface, a USB interface, a fieldbus interface.
3. The data one-way transmission apparatus between two security domain networks according to claim 2, characterised in that the data entry port includes one or more physical interfaces;
the physical interface includes: a serial communication interface, an Ethernet interface, a USB interface or a fieldbus interface.
4. The data one-way transmission apparatus between two security domain networks according to claim 2, characterised in that the data entry port carries out data acquisition using one communications protocol or several identical or different communications protocols;
the communications protocols include at least industrial communications protocols or information-system communications protocols.
5. The data one-way transmission apparatus between two security domain networks according to claim 1, characterised in that a data exit port is provided on the data exit device, through which the data exit device forwards the data to the second network terminals;
the data exit port includes one or any combination of the following: a serial communication interface, an Ethernet interface, a USB interface, a fieldbus interface.
6. The data one-way transmission apparatus between two security domain networks according to claim 5, characterised in that the data exit port includes one or more physical interfaces;
the physical interface includes: a serial communication interface, an Ethernet interface, a USB interface or a fieldbus interface.
7. The data one-way transmission apparatus between two security domain networks according to claim 5, characterised in that the data exit port carries out data forwarding using one communications protocol or several identical or different communications protocols;
the communications protocols include at least industrial communications protocols or information-system communications protocols.
8. The data one-way transmission apparatus between two security domain networks according to claim 1, characterised in that the data entry device includes:
a data acquisition module that collects the data of the first network terminals in the first security domain network, a first protocol conversion module that converts the collected data from its original protocol to the private communications protocol, and a first optical network communication module that transmits the converted data over the optical one-way transmission channel;
the data exit device includes:
a second optical network communication module that receives data from the optical one-way transmission channel, a second protocol conversion module that converts the received data from the private communications protocol back to the original protocol, and a data forwarding module that forwards the converted data to the target second network terminal.
9. The data one-way transmission apparatus between two security domain networks according to claim 1, characterised in that the optical one-way transmission channel is formed by a data transmit port, a data receive port, and a single optical fibre connected between the data transmit port and the data receive port;
the data transmit port is arranged on the data exit device, and the data receive port is arranged on the data entry device.
10. The data one-way transmission apparatus between two security domain networks according to claim 1, characterised in that a data transmit port is provided in the first optical network communication module of the data entry device;
a data receive port is provided in the second optical network communication module of the data exit device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201720639619.6U CN207083114U (en) | 2017-06-02 | 2017-06-02 | A kind of data one-way transmission apparatus between two security domain networks |
Publications (1)
Publication Number | Publication Date |
---|---|
CN207083114U true CN207083114U (en) | 2018-03-09 |
Family
ID=61436823
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201720639619.6U Active CN207083114U (en) | 2017-06-02 | 2017-06-02 | A kind of data one-way transmission apparatus between two security domain networks |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN207083114U (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109547457A (en) * | 2018-12-07 | 2019-03-29 | 北京万维兴业科技有限责任公司 | Network isolation system with a "micro-interaction" function |
CN111399463A (en) * | 2019-12-24 | 2020-07-10 | 上海可鲁系统软件有限公司 | Industrial network data one-way isolation method and device |
CN111399463B (en) * | 2019-12-24 | 2023-10-20 | 上海可鲁系统软件有限公司 | Industrial network data unidirectional isolation method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| GR01 | Patent grant | |