CN207083114U - Data one-way transmission apparatus between two security domain networks - Google Patents

Info

Publication number: CN207083114U
Application number: CN201720639619.6U
Authority: CN (China)
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Priority date: 2017-06-02
Filing date: 2017-06-02
Publication date: 2018-03-09
Other languages: Chinese (zh)
Inventors: 孙胜前, 徐风光
Original and current assignee: Beijing Heli Heli System Technology Co Ltd (as listed by Google Patents)
Prior art keywords: data, security domain, network, one-way transmission, transmission apparatus

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The utility model discloses a data one-way transmission apparatus between two security domain networks. A data entry device is installed in the first security domain network and communicatively connected to the terminals in that network; a data exit device is installed in the second security domain network and communicatively connected to the terminals in that network. The data entry device and the data exit device are connected by an optical one-way transmission channel, over which one-way data transfer is carried out with a private data transfer protocol. Inside the apparatus, data can only flow from the data entry device in the first security domain network to the data exit device in the second; this direction cannot be changed by any physical switch or software setting, and there is no bypass by which data could pass from the entry device to the exit device other than through the optical one-way transmission channel. The apparatus thus physically rules out intrusion from outside or attack by an external virus, and effectively safeguards the security of data transfer between the two security domain networks.

Description

Data one-way transmission apparatus between two security domain networks
Technical field
The utility model relates to secure data transmission technology, and in particular to one-way data transmission technology between two security domain networks.
Background technology
With the rapid development of industrial automation control, more and more industrial enterprises use an internal (or dedicated) network to interconnect their process control equipment or industrial intelligent electronic devices (IEDs) into a production control system network. Because this uses an intranet or a dedicated network, it is physically isolated from outside interference, so such an enterprise-internal system has good network security and can be regarded as a security domain network.
For industrial applications it is often necessary to transfer the industrial data of one security domain network to another, connecting two or more industrial security domain networks so that a central control system can supervise and control all of the sub production control systems, or so that several sub production control systems can communicate with each other and form one larger production control system, allowing better control and use of its resources. The security of data transfer between two security domain networks then becomes the focus of attention.
Utility model content
The purpose of the utility model is to provide a data one-way transmission apparatus between two security domain networks, so that the security of data transfer between the two networks is safeguarded and the possibility of intrusion from outside, or of invasion and attack by an external virus, is physically excluded.
To solve the above technical problem, an embodiment of the utility model provides a data one-way transmission apparatus between two security domain networks. At least one first network terminal is communicatively connected in the first security domain network, and at least one second network terminal is communicatively connected in the second security domain network. The first security domain network includes a data entry device communicatively connected to the first network terminals in that network; the second security domain network includes a data exit device communicatively connected to the second network terminals in that network. The data entry device and the data exit device are connected by an optical one-way transmission channel, over which one-way data transfer from the data entry device to the data exit device is carried out with a private data transfer protocol.
Compared with the prior art, the embodiment places a data entry device in the first security domain network, communicatively connected to the first network terminals there, and a data exit device in the second security domain network, communicatively connected to the second network terminals there; the two devices are connected by an optical one-way transmission channel, over which one-way data transfer from the data entry device to the data exit device is carried out with a private data transfer protocol. Inside the apparatus, data can only flow from the data entry device of the first security domain network to the data exit device of the second; this cannot be changed by any physical switch or software setting on the apparatus, and there is no bypass by which data could pass from the data entry device to the data exit device other than through the optical one-way transmission channel. The apparatus thus physically prevents intrusion from outside (illegal entry across the security domain boundary) or attack by an external virus, and effectively safeguards the security of data transfer between the two security domain networks.
As a further improvement, the data entry device is provided with a data entry port, through which it collects the data of the first network terminals in the first security domain network. The data entry port includes one of the following, or any combination of them: a serial communication interface, an Ethernet interface, a USB interface, a field-bus interface. This makes the apparatus compatible with the transmission of various kinds of data in different types of industrial network.
As a further improvement, the data entry port includes one or more physical interfaces.
As a further improvement, the data entry port performs data acquisition with one communication protocol, or with several communication protocols that are the same or different; the communication protocols include at least an industrial communication protocol or an information-system communication protocol. This further improves compatibility with the transmission of various kinds of data in different types of industrial network.
As a further improvement, the data exit device includes a data exit port, through which it forwards the data to the second network terminals. The data exit port includes one of the following, or any combination of them: a serial communication interface, an Ethernet interface, a USB interface, a field-bus interface.
As a further improvement, the data exit port includes one or more physical interfaces.
As a further improvement, the data exit port performs data forwarding with one communication protocol, or with several communication protocols that are the same or different; the communication protocols include at least an industrial communication protocol or an information-system communication protocol.
As a further improvement, the data entry device may include:
a data acquisition module that collects the data of the first network terminals in the first security domain network; a first protocol conversion module that converts the collected data from its original protocol to the private communication protocol; and a first optical network communication module that sends the converted data over the optical one-way transmission channel.
The data exit device may include:
a second optical network communication module that receives data from the optical one-way transmission channel; a second protocol conversion module that converts the received data from the private communication protocol back to its original protocol; and a data forwarding module that forwards the converted data to the target second network terminal.
As a further improvement, the optical one-way transmission channel consists of a data sending port, a data receiving port and a single optical fiber connected between them; the data sending port is arranged on the data entry device and the data receiving port on the data exit device. This physically guarantees that there is no bypass by which data could pass from the data entry device to the data exit device other than through the optical one-way transmission channel.
As a further improvement, the first optical network communication module is provided with the data sending port and contains no data receiving port, and the second optical network communication module is provided with the data receiving port and contains no data sending port, so that the channel is physically capable of one-way transmission only.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the data one-way transmission apparatus between two security domain networks according to a preferred embodiment of the utility model.
Embodiment
To make the purpose, technical solution and advantages of the utility model clearer, the embodiments of the utility model are explained in detail below with reference to the accompanying drawing. Those skilled in the art will understand that many technical details are given in each embodiment so that the reader may better understand the application; but even without these details, and with many variations and modifications based on the following embodiments, the technical solutions claimed in this application can still be realised.
A preferred embodiment of the utility model relates to a data one-way transmission apparatus between two security domain networks.
In this embodiment, one-way data transfer between a first security domain network 10 and a second security domain network 20 is taken as an example. The first security domain network 10 includes several communicatively connected first network terminals (for example industrial intelligent devices, IEDs), and the second security domain network 20 includes several communicatively connected second network terminals (for example IEDs).
As shown in Fig. 1, the data one-way transmission apparatus includes a data entry device 101 arranged in the first security domain network 10, a data exit device 102 arranged in the second security domain network 20, and an optical one-way transmission channel 103 connected between the data entry device 101 and the data exit device 102.
Specifically, the data entry device 101 is communicatively connected to each first network terminal in the first security domain network 10, and the data exit device 102 is communicatively connected to the second network terminals in the second security domain network 20; the data entry device 101 and the data exit device 102 are connected by the optical one-way transmission channel 103, over which one-way data transfer from the data entry device 101 to the data exit device 102 is carried out with a private data transfer protocol. Inside the apparatus, data can only flow from the data entry device of the first security domain network to the data exit device of the second; this cannot be changed by any physical switch or software setting on the apparatus, and there is no bypass by which data could pass from the data entry device to the data exit device other than through the optical one-way transmission channel. The apparatus thus physically prevents intrusion from outside or attack by an external virus, and effectively safeguards the security of data transfer between the two security domain networks. Note that the protection is directional: what the hardware guarantees is that nothing can travel from the second security domain network back into the first over this link, because the entry side has no receiving port at all. None of the modules described here inspects or filters the content forwarded in the permitted direction, so what enters the second security domain network is whatever the first-domain terminals supply.
The optical one-way transmission channel 103 consists of a data sending port, a data receiving port and a single optical fiber connected between the two; the data sending port is arranged on the data entry device 101 and the data receiving port on the data exit device 102. This can be implemented with optical network communication modules, one placed in each of the data entry device 101 and the data exit device 102. A conventional bidirectional optical communication module contains both a data sending port TX and a data receiving port RX. In this embodiment, the first optical network communication module in the data entry device 101 contains only the data sending port TX and no data receiving port RX, and the second optical network communication module in the data exit device 102 contains only the data receiving port RX and no data sending port TX. The optical one-way transmission channel therefore consists of the TX port of the first optical network communication module of the data entry device 101, the RX port of the second optical network communication module of the data exit device 102, and the single optical fiber between them. This physically guarantees that the optical one-way transmission channel 103 can only transmit in one direction, and that there is physically no bypass by which data could pass from the data entry device to the data exit device other than through the optical one-way transmission channel.
As a further improvement, the data entry device 101 is provided with a data entry port A, through which it collects the data of the first network terminals in the first security domain network 10. Data entry port A may be any of the ports commonly found in industrial information networks, such as serial communication interfaces (RS-232-C, RS-422, RS-485), Ethernet interfaces, USB interfaces and other field-bus interfaces. One data entry port (port A) may include one or more physical interfaces. Port A may collect data with one communication protocol (also called a communication specification) or with several communication protocols that are the same or different; these may include industrial communication protocols, information-system communication protocols and so on.
The data exit device 102 includes a data exit port B, through which it forwards the data to the second network terminals. Data exit port B may likewise be any of the ports commonly found in industrial information networks, such as serial communication interfaces (RS-232-C, RS-422, RS-485 and so on), Ethernet interfaces, USB interfaces and other field-bus interfaces, and may include one or more physical interfaces. Correspondingly, port B may forward data with one communication protocol (or communication specification) or with several that are the same or different; these may include industrial communication protocols, information-system communication protocols and so on.
In this way the data one-way transmission apparatus is compatible with the transmission of various kinds of industrial data in different types of industrial information network.
As a further improvement, the data entry device 101 may further include:
a data acquisition module, for collecting the data of the first network terminals in the first security domain network;
a first protocol conversion module, for converting the collected data from its original protocol to the private communication protocol;
a first optical network communication module, for sending the converted data over the optical one-way transmission channel.
The data exit device 102 may further include:
a second optical network communication module, for receiving data from the optical one-way transmission channel;
a second protocol conversion module, for converting the received data from the private communication protocol back to its original protocol;
a data forwarding module, for forwarding the converted data to the target second network terminal.
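The module pipeline listed above, and its earlier summary under "Utility model content", describe acquisition, conversion to a private protocol, optical transmission, conversion back and forwarding, but say nothing about how that private protocol copes with the one property the fibre imposes: the exit device can never send anything back, so there is no acknowledgement and no retransmission request. The following Python is an added example, not code from the patent or its assignee, of the shape such a protocol has to take. The frame layout, the CRC-32 check, the fixed repeat count and the simulated lossy fibre are all assumptions made for this illustration, and the sample register readings are constructed rather than captured.

```python
# Added example (not from the patent): a minimal "private data transfer protocol"
# for the optical one-way channel between the data entry device (first security
# domain) and the data exit device (second security domain). The frame layout,
# the CRC-32 check, the blind repeat count and the simulated lossy channel are
# assumptions for this illustration; the patent only says a private protocol is used.
import struct
import zlib

MAGIC = b"UD1"                       # hypothetical frame marker
HDR = struct.Struct("!3sIHB")        # magic, sequence number, payload length, original-protocol id
CRC = struct.Struct("!I")            # CRC-32 trailer
REPEAT = 2                           # every frame is sent twice: the receiver can never ask for a resend

PROTO_MODBUS = 1                     # hypothetical tags for the "original protocol" wrapped by the
PROTO_INFO_SYS = 2                   # first protocol conversion module and restored by the second


def encode_frame(seq: int, proto: int, payload: bytes) -> bytes:
    """First protocol conversion: wrap an original-protocol message in a private frame."""
    body = HDR.pack(MAGIC, seq, len(payload), proto) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(frame: bytes):
    """Second protocol conversion: validate a private frame; return (seq, proto, payload) or None."""
    if len(frame) < HDR.size + CRC.size:
        return None
    body, crc = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None                  # bit errors on the fibre: the frame is discarded, not re-requested
    magic, seq, length, proto = HDR.unpack_from(body)
    if magic != MAGIC or length != len(body) - HDR.size:
        return None
    return seq, proto, body[HDR.size:]


class EntryDevice:
    """Data entry device: collect from a first-domain terminal, convert, push to the TX port."""

    def __init__(self):
        self.seq = 0

    def transmit(self, proto: int, payload: bytes) -> list:
        frames = [encode_frame(self.seq, proto, payload)] * REPEAT
        self.seq += 1
        return frames                # bytes leaving TX; there is no RX port, so nothing comes back


class ExitDevice:
    """Data exit device: read the RX port, restore the original protocol, hand to forwarding."""

    def __init__(self):
        self.expected = 0            # next sequence number we hope to see
        self.delivered = []          # (proto, payload) handed to the data forwarding module
        self.gaps = []               # (first_missing, next_seen) ranges lost on the link
        self.corrupt = 0             # frames rejected by decode_frame

    def receive(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.corrupt += 1
            return
        seq, proto, payload = decoded
        if seq < self.expected:
            return                   # a redundant copy of a frame already delivered
        if seq > self.expected:
            self.gaps.append((self.expected, seq))   # loss is detectable, but not recoverable
        self.expected = seq + 1
        self.delivered.append((proto, payload))


def one_way_channel(frames: list, drop=(), corrupt=()) -> list:
    """Simulated fibre: frames travel only entry -> exit. Indices in `drop` never arrive;
    indices in `corrupt` arrive with the last payload byte flipped (CRC trailer left intact)."""
    out = []
    for i, f in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-CRC.size - 1] + bytes([f[-CRC.size - 1] ^ 0xFF]) + f[-CRC.size:]
        out.append(f)
    return out


# Constructed sample input: three Modbus-RTU-style register read responses (not real captures).
SAMPLE_READINGS = [
    b"\x01\x03\x04\x00\x2a\x00\x10",
    b"\x01\x03\x04\x00\x2b\x00\x11",
    b"\x01\x03\x04\x00\x2c\x00\x12",
]


def run_demo() -> ExitDevice:
    """Push the samples across a channel that damages one copy of reading 0 and
    destroys both copies of reading 1; returns the exit device for inspection."""
    entry, exit_dev = EntryDevice(), ExitDevice()
    frames = []
    for reading in SAMPLE_READINGS:
        frames += entry.transmit(PROTO_MODBUS, reading)
    for f in one_way_channel(frames, drop={2}, corrupt={0, 3}):
        exit_dev.receive(f)
    return exit_dev


if __name__ == "__main__":
    dev = run_demo()
    print("delivered:", [p.hex() for _, p in dev.delivered])
    print("gaps:", dev.gaps, "corrupt frames:", dev.corrupt)
```

Run stand-alone, it reports two readings delivered, one sequence gap and two rejected frames: reading 0 survives because its second copy arrived intact, reading 1 is lost outright because both copies were damaged, and the exit device can record the gap but cannot ask for it again. That is the trade the one-way fibre imposes: integrity and sequencing must be carried inside each frame, and loss can only be mitigated by redundancy chosen in advance on the sending side.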
It should be noted that the modules in this embodiment are logical modules; in practice a logical unit may be one physical unit, part of one physical unit, or a combination of several physical units. In addition, to highlight the innovative part of the utility model, units that are less closely related to solving the technical problem it addresses are not introduced in this embodiment; this does not mean that no other units exist in the embodiment.
Those skilled in the art will understand that the above embodiments are specific examples of implementing the utility model, and that in practice various changes in form and detail may be made to them without departing from the spirit and scope of the utility model.

Claims (10)

1. A data one-way transmission apparatus between two security domain networks, wherein at least one first network terminal is communicatively connected in a first security domain network and at least one second network terminal is communicatively connected in a second security domain network, characterised in that: the first security domain network includes a data entry device communicatively connected to the first network terminal in the first security domain network; the second security domain network includes a data exit device communicatively connected to the second network terminal in the second security domain network; the data entry device and the data exit device are communicatively connected by an optical one-way transmission channel; and one-way data transfer from the data entry device to the data exit device is carried out over the optical one-way transmission channel with a private data transfer protocol.
2. The data one-way transmission apparatus between two security domain networks according to claim 1, characterised in that the data entry device is provided with a data entry port, through which the data entry device collects the data of the first network terminal in the first security domain network;
the data entry port includes one of the following, or any combination of them: a serial communication interface, an Ethernet interface, a USB interface, a field-bus interface.
3. The data one-way transmission apparatus between two security domain networks according to claim 2, characterised in that the data entry port includes one or more physical interfaces;
the physical interface includes: a serial communication interface, an Ethernet interface, a USB interface or a field-bus interface.
4. The data one-way transmission apparatus between two security domain networks according to claim 2, characterised in that the data entry port performs data acquisition with one communication protocol or with several communication protocols that are the same or different;
the communication protocols include at least: an industrial communication protocol or an information-system communication protocol.
5. The data one-way transmission apparatus between two security domain networks according to claim 1, characterised in that the data exit device includes a data exit port, through which the data exit device forwards the data to the second network terminal;
the data exit port includes one of the following, or any combination of them: a serial communication interface, an Ethernet interface, a USB interface, a field-bus interface.
6. The data one-way transmission apparatus between two security domain networks according to claim 5, characterised in that the data exit port includes one or more physical interfaces;
the physical interface includes: a serial communication interface, an Ethernet interface, a USB interface or a field-bus interface.
7. The data one-way transmission apparatus between two security domain networks according to claim 5, characterised in that the data exit port performs data forwarding with one communication protocol or with several communication protocols that are the same or different;
the communication protocols include at least: an industrial communication protocol or an information-system communication protocol.
8. The data one-way transmission apparatus between two security domain networks according to claim 1, characterised in that the data entry device includes:
a data acquisition module that collects the data of the first network terminal in the first security domain network, a first protocol conversion module that converts the collected data from its original protocol to the private communication protocol, and a first optical network communication module that sends the converted data over the optical one-way transmission channel;
the data exit device includes:
a second optical network communication module that receives data from the optical one-way transmission channel, a second protocol conversion module that converts the received data from the private communication protocol back to its original protocol, and a data forwarding module that forwards the converted data to the target second network terminal.
9. The data one-way transmission apparatus between two security domain networks according to claim 1, characterised in that the optical one-way transmission channel consists of a data sending port, a data receiving port and a single optical fiber connected between the data sending port and the data receiving port;
the data sending port is arranged on the data entry device, and the data receiving port is arranged on the data exit device.
10. The data one-way transmission apparatus between two security domain networks according to claim 1, characterised in that the first optical network communication module of the data entry device is provided with a data sending port;
the second optical network communication module of the data exit device is provided with a data receiving port.

Priority Applications (1)

Application Number Publication Priority Date Filing Date Title
CN201720639619.6U CN207083114U (en) 2017-06-02 2017-06-02 Data one-way transmission apparatus between two security domain networks

Publications (1)

Publication Number Publication Date
CN207083114U true CN207083114U (en) 2018-03-09

Family

ID=61436823

Country Status (1)

Country Link
CN (1) CN207083114U (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109547457A * 2018-12-07 2019-03-29 北京万维兴业科技有限责任公司 Network isolation system with a "micro-interaction" function
CN111399463A * 2019-12-24 2020-07-10 上海可鲁系统软件有限公司 Industrial network data one-way isolation method and device
CN111399463B * 2019-12-24 2023-10-20 上海可鲁系统软件有限公司 Industrial network data one-way isolation method and device

Similar Documents

Publication Title
CN105245555B Communication protocol security protection system for an electric power serial server
CN104283817B Method for realising intercommunication between an exchange line card and a logical line card, and message forwarding device
CN106341404A IPSec VPN system based on a many-core processor, and encryption and decryption processing method
CN207083114U Data one-way transmission apparatus between two security domain networks
CN101272346B Method and device for packet flow monitoring
CN104283746B System and method for realising "three networks in one" in a digital substation using an FPGA
CN100426794C Method for processing data streams between different firewalls
CN105471907A OpenFlow-based virtual firewall transmission control method and system
CN105141637A Flow-granular transmission encryption method
CN107948059A EtherCAT and Modbus protocol conversion gateway based on a SPARC-architecture microprocessor
CN107132799A Apparatus and method for intelligent acquisition of multi-MCU data interaction
CN108881221A Internet-of-things device communication security chip based on packet filtering
CN206833182U Smart home gateway and smart home control system
CN102916874B File transmission method and device
CN109547456A Network isolation system with controllable interaction capability based on one-way information transmission technology
CN105515829A Intelligent wiring system
CN105515927A Remote serial port communication system and method based on an Ethernet Cat.5 wiring framework
CN205407853U Dual-link data transmission system
CN202856778U Network application layer flow management system
CN102024319B Centralised meter reading system capable of realising multiple communication modes
CN206294204U FPGA-based data isolation physical card
CN201623727U Small single-unit firewall device based on a network processor
CN104363185B Miniature composite network data exchange system
CN207232677U Multi-MCU data interaction intelligent acquisition device
CN207399226U Network interface expansion device

Legal Events

Date Code Title Description
GR01 Patent grant