CN212519257U - Unidirectional safety data transmission structure with isolated internal and external networks - Google Patents

Info

Publication number: CN212519257U
Application number: CN202021895619.0U
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 钱占飞, 孙蓬峰, 王远定, 许华华, 许力铭, 王玮
Current assignee: Beijing Jinshuxin Digital Technology Co., Ltd.
Original assignee: Beijing Jinshuxin Digital Technology Co., Ltd.
Legal status: Active

Abstract

The utility model discloses a one-way secure data transmission structure for isolating an internal network from an external network. It comprises an internal-network operation and maintenance (O&M) data signal processing system, a one-way optical fiber multicast code stream transmission unit and a one-way ASI code stream transmission device; the internal O&M data signal processing system is connected to both the one-way optical fiber multicast code stream transmission unit and the one-way ASI code stream transmission unit. The utility model provides a mechanism for carrying O&M data over digital television broadcasting and uses broadcast mode to achieve one-way data transmission: one-way transmission of UDP data is realized with the TS over IP mode and the multicast protocol of the digital television standard, and an ASI code stream playout card is used to transmit TS files and their data one way. Only one-way transmission takes place, no return data is generated, and the security of the internal network is not threatened. Whether the ASI (asynchronous serial interface) card playout mode or the UDP (user datagram protocol) multicast transmission mode is used, the O&M data can be transmitted on the public network with a streaming media protocol.

Description

Unidirectional safety data transmission structure with isolated internal and external networks
Technical Field
The utility model relates to the technical field of one-way data transmission, and in particular to a one-way secure data transmission structure with isolated internal and external networks.
Background
One-way data transmission technology realizes point-to-point transmission of data in simplex mode; examples are the infrared link of an infrared remote control, television reception in an analog television system and the reception of FM radio stations. The sending end can only send data and cannot receive it, and the receiving end can only receive data and cannot send it.
This transmission mode recalls the era in which data could only be monitored and watched, as with television and radio broadcasting, and programs could not be actively requested; it runs directly against current technological progress and the rules of technological development. Everything has two sides, however: one-way data communication may seem backward, but the data is very safe, because the receiver can only listen and cannot send anything back to the sender, so the sender's internal data is protected and the sending system cannot be brought down by hacking. If the sending end is a television station or a power plant, the consequences of such an attack would be unimaginable.
As network security has gained importance in recent years, one-way data transmission has been retained for various occasions. It basically relies on a physically one-way transmission medium, such as infrared or optical fiber, and at the same time uses various methods, physical or firewall-based, to cut off the return channel, so that people can obtain the data while the one-way transmission can never be disturbed by feedback data; it is gradually being applied to secure data transmission.
A firewall is a system composed of computer hardware and software, deployed at a network boundary as the bridge between an internal network and an external network; it protects data entering and leaving the boundary, prevents malicious intrusion and the spread of malicious code, and so guarantees the security of internal network data. Firewall technology is an application security technology built on network technology and information security technology; almost every boundary between an enterprise's internal network and an external network (such as the Internet) has a firewall, and firewalls perform security filtering and security isolation of harmful network security information and behavior such as external attacks and intrusions.
Network gate (gatekeeper):
A network gate is an information security device that connects two independent host systems through a solid-state switched read-write medium with multiple control functions. Because the two independent host systems are isolated by the gatekeeper, there is no physical connection, logical connection or communication protocol between them and no protocol-based information exchange; only a protocol-free ferry of data in file form takes place. The network gate therefore logically isolates and blocks all network connections that could carry an attack on the internal network, so that an external attacker cannot directly invade, attack or damage the internal network, and the security of the internal host is guaranteed.
One-way network gate:
To ensure that data in a high-security network cannot flow to a low-security network while data in the low-security network can flow into the high-security network (the data confidentiality requirement), and so thoroughly solve the problem of information leakage from the high-security network, only a one-way transmission technology without feedback can be adopted. The security isolation and one-way information import system developed for this purpose uses a one-way, no-feedback transmission technology to guarantee absolutely one-way data flow at the physical link layer and the transport layer. The system also uses error-correcting coding, ASIC parallel processing and multiple redundancy (MRP) to achieve high reliability, high fault tolerance, high security and high stability.
One-way optical transmission network cards based on different hardware: a number of one-way optical network cards are available on the market today that realize one-way data transmission, i.e. data can be transmitted only in one direction and no reverse link or channel can be provided. For example, data only goes out and never comes in, and can only be sent from the high-security network to the low-security network, with no reverse connection.
Optical code one-way transmission: an optical code machine displays the data of the high-security domain on a display device as two-dimensional barcodes, and a device at the other end reads the codes from the display, parses and restores them to the original data, and sends that data to the low-security domain. There is no electrical connection between the display device and the reading device; they are completely physically isolated.
UDP multicast: UDP is a connectionless protocol in which source and destination do not establish a connection before transmitting data; the sender simply takes the data from the application when it wants to transmit and puts it onto the network as quickly as possible. At the sending end, the UDP transmission rate is limited only by the rate at which the application generates data, the capability of the computer and the transmission bandwidth; at the receiving end, UDP places each segment in a queue from which the application reads one segment at a time.
TS code stream: TS, short for Transport Stream, is an MPEG-2 format (as used in DVD programs). MPEG-TS is mainly applied to programs delivered in real time, such as live broadcast television. It is sent in packets, each 188 bytes long, and the stream can carry many types of data, such as video, audio and custom information. Each packet consists of a 4-byte header and a 184-byte payload.
Multiplexer: a digital television program multiplexer mainly performs re-multiplexing of MPEG-2 Transport Streams (TS), forming a multi-program transport stream (MPTS) for the delivery of digital television programs. Statistical multiplexing means that the bit rate of each multiplexed program is not constant; bit rate is distributed among the programs according to image complexity. Because each channel (standard or supplementary) can carry several programs, and the image complexity of the programs at any given moment differs (it is unlikely to be the same), the bit rate within one channel can be allocated among the programs by image complexity, which is statistical multiplexing. The key factors in realizing it are, first, how to evaluate the complexity of an image sequence at any time, for which there are subjective and objective methods, and second, how to dynamically allocate bandwidth to the video services in time. Statistical multiplexing improves compression efficiency and image quality, makes it easy to carry several programs in one channel, and saves transmission cost.
Digital television modulator: a modulator converts the video signal (VIDEO) and audio signal (AUDIO) supplied by a signal source (such as the AV output of a digital television set-top box, a satellite television receiver, a telecom IPTV set-top box, a DVD or VCD player, a computer, a surveillance camera or a television demodulator) into a stable high-frequency radio-frequency oscillation signal, with the video amplitude-modulated and the audio frequency-modulated. Digital television modulators are widely used in the front end of digital cable television to modulate audio and video signals into radio-frequency signals. The input audio and video signals can be continuously adjusted by an external knob; video signal sources of 0.7-1.4 V and audio signals of 0.775 V ±10 dB are accepted, and with normal frequency offset the modulator can also be adjusted externally so that the output picture is normal. The product uses frequency synthesis and has high frequency stability.
TS over IP is a code stream transmission protocol suited to multicast, in which the TS code streams of digital television are carried over IP, normally with UDP as the real-time transport protocol. The multicast transmission mode of TS over IP also suits the IP equipment of digital television, including the multiplexer and modulator that multiplex and modulate the data, which saves transmission bandwidth and improves the data's resistance to interference.
As shown in Fig. 1, the existing firewall performs security filtering and security isolation of harmful network security information and behavior such as external attacks and intrusions. A firewall is placed at the boundary between the internal and external networks, and the access rights of the external network are set in software, so that attacks from the external network are blocked. This is not physical isolation: if a malicious attacker breaches the firewall, the security of intranet data cannot be guaranteed. In the figure, the data of the internal and external networks are separated by the firewall, but the firewall is a bidirectional network device, and if it is compromised the internal network can be paralyzed. Secondly, in this mode, data in non-digital-television protocols cannot be carried by the digital television multiplexer and modulator downstream.
As shown in Fig. 2, the existing gatekeeper technology is an information security device that connects two independent host systems through a solid-state switched read-write medium with multiple control functions. Because the two host systems are isolated by the gatekeeper, there is no physical connection, logical connection or communication protocol between them and no protocol-based information exchange; only a protocol-free ferry of data in file form takes place. The network gate logically isolates and blocks all network connections that could carry an attack on the internal network, so that an external attacker cannot directly invade, attack or damage it, and the security of the internal host is guaranteed. In practice, however, the network gate is still soft isolation, or is linked by a bidirectional link: the internal and external networks are wired separately, but to let certain special services in the internal network reach the external network, the internal network still communicates bidirectionally with the external network through the gate, so the risk of internal data leakage remains. In addition, because of the transmission protocol, data output by the intranet in this way cannot be carried through the digital television multiplexer and modulator and finally delivered to the digital television receiving terminal.
As shown in Fig. 3, the existing one-way gatekeeper ensures that data in the high-security network cannot flow to the low-security network while data in the low-security network can flow to the high-security network (the data confidentiality requirement), so as to completely solve the problem of information leakage from the high-security network, and adopts only a one-way transmission technology without feedback. The security isolation and one-way information import system developed for this uses a one-way, no-feedback transmission technology that guarantees absolutely one-way data flow at the physical link layer and the transport layer. The one-way network gate physically blocks the return link signal, which gives high security. Two problems remain, however: first, although the intranet cannot be attacked, data may still leak out; second, in a broadcast television system the one-way data cannot pass through the digital television multiplexer and modulator, and cannot be transmitted with a streaming media protocol, because of the data transmission protocol.
As shown in Fig. 4, many one-way optical network cards are available on the market today that realize one-way data transmission, i.e. data can be transmitted only in one direction and no reverse link or channel can be provided. The optical fiber network card is connected only to a transmit fiber and not to a receive fiber, so data can only be output. This approach has the same two problems as the one-way gatekeeper: although the intranet cannot be attacked, data may still leak out; and in a broadcast television system the one-way data cannot pass through the digital television multiplexer and modulator or be transmitted with a streaming media protocol, because of the data transmission protocol.
As shown in Fig. 5, the optical code machine displays the data of the high-security domain on a display device as two-dimensional barcodes; the device at the other end reads the codes from the display, parses and restores them to the original data, and sends that data to the low-security domain. There is no electrical connection between the display device and the reading device, so they are completely physically isolated. This approach has three problems: the operation is complicated and requires additional hardware and daily operation and maintenance by staff; although the intranet cannot be attacked, data may still leak out; and in a broadcast television system the one-way data cannot pass through the digital television multiplexer and modulator or be transmitted with a streaming media protocol, because of the digital television data format.
The existing firewall has the following technical defects: it is not physical isolation, so if a malicious attacker breaches the firewall, attack and intrusion can still follow. In addition, because of the transmission protocol, data output by the intranet cannot be carried through the digital television multiplexer and modulator and finally delivered to the digital television receiving terminal.
The existing network gate has the following technical defects: in practice it is still soft isolation, or is linked by a bidirectional link. The internal and external networks are wired separately, but to let certain special services in the internal network reach the external network, the internal network still communicates bidirectionally with the external network through the gate, so the risk of internal data leakage remains. In addition, because of the transmission protocol, data output by the intranet cannot be carried through the digital television multiplexer and modulator and finally delivered to the digital television receiving terminal.
The one-way network gate has two problems: first, although the intranet cannot be attacked, data may still leak out; second, in broadcast television systems the one-way data cannot pass through the digital television multiplexer and modulator, and cannot be transmitted with a streaming media protocol.
The one-way optical transmission network card has the same two problems: although the intranet cannot be attacked, data may still leak out; and in broadcast television systems the one-way data cannot pass through the digital television multiplexer and modulator, and cannot be transmitted with a streaming media protocol.
Optical code one-way transmission has three problems: the operation is complicated and requires additional hardware and daily operation and maintenance by staff; although the intranet cannot be attacked, data may still leak out; and in broadcast television systems the one-way data cannot pass through the digital television multiplexer and modulator, and cannot be transmitted with a streaming media protocol.
Disclosure of Invention
To solve these technical problems, the utility model aims to provide a one-way secure data transmission structure for isolating an internal network from an external network. It solves the problem of transmitting internal network data to the external network securely, so that the internal network data can be used in the external network while the external network cannot access the internal network in the reverse direction and so has no possibility of attacking it; it solves the data format problem by using a transmission protocol suited to broadcast television to carry data files, so that the data can be transmitted through digital television equipment; it solves the public network transmission problem by using a streaming media protocol, so that the data can be transmitted on the public network; and it solves the one-way transmission problem by using one-way optical data transmission and an ASI (TS) code stream playout card to realize one-way data output.
The purpose of the utility model is realized through the following technical scheme:
A one-way secure data transmission structure with isolated internal and external networks, comprising:
an internal network operation and maintenance data signal processing system, a one-way optical fiber multicast code stream transmission unit and a one-way ASI code stream transmission device; the internal operation and maintenance data signal processing system is connected to the one-way optical fiber multicast code stream transmission unit and to the one-way ASI code stream transmission unit.
A UDP multicast device and a TS code stream playout card are arranged in the internal operation and maintenance data signal processing system.
The UDP multicast device comprises a data acquisition module, an intranet database server, a local file generation module, a TS file generation module and a UDP multicast code stream generation module. The data acquisition module is connected to the intranet database server and to the local file generation module, and sends a message file to the local file generation module; the local file generation module is connected to the TS file generation module and sends a message data file and a configuration data file to it; the TS file generation module is connected to the UDP multicast code stream generation module and sends the TS file to it; and the UDP multicast code stream generation module is connected to the TS code stream playout card and sends the UDP multicast code stream to it.
The TS code stream playout card comprises an intranet data acquisition module, a database server, a local file generation module, a TS file generation module and a TS/ASI code stream playout module. The intranet data acquisition module is connected to the database server and to the local file generation module, and sends a message file to the local file generation module; the local file generation module is connected to the TS file generation module and sends the message data file and the configuration data file to it; and the TS file generation module is connected to the TS/ASI code stream playout module and sends the TS file to it.
Compared with the prior art, one or more embodiments of the utility model have the following advantages:
By encapsulating the broadcast television operation and maintenance data in TS format, the method is suited to carrying O&M data through the digital television broadcasting mechanism, and realizes one-way data transmission by using broadcast mode.
The method suits an optical network card that physically realizes single-fiber data transmission, and also suits sending data without a handshake protocol, as UDP does; data is transmitted only one way, there is no return data, and the security of the internal network is not threatened.
The ASI code stream playout card transmits the TS file data one way through the TS encapsulation protocol of the digital television standard, so that data is transmitted only one way, with no return data, and the security of the internal network is not threatened.
The operation and maintenance data can be transmitted on the public network with a streaming media protocol, so that the public network can be used for O&M data, the scope of system O&M is expanded, and remote and mobile O&M become possible.
Before the transmitted O&M data is packaged into a TS file, the file is processed in MD5 mode: on the one hand the integrity of the transmitted file can be verified by MD5, and on the other hand the security of the transmitted data content is realized by adopting an encryption mode similar to MD5.
The method is a first of its kind: on the one hand it meets the broadcast television industry's own security and O&M requirements, and more importantly the whole data transmission mechanism is built entirely on broadcast television communication, so transmission equipment resources can be shared, system investment is reduced, and secure one-way data transmission is realized together with the digital television service.
An internal network database and an external network database are established, and the TS file transmission mode is used; with a timer, intranet data storage and extranet data storage are realized together with a secure forwarding mechanism for intranet data, and incremental synchronization of data between the internal and external networks is also realized.
Drawings
FIG. 1 is a schematic diagram of a prior art firewall architecture;
FIG. 2 is a schematic diagram of a prior art gatekeeper;
FIG. 3 is a schematic diagram of a prior art one-way gatekeeper;
FIG. 4 is a schematic diagram of a prior art one-way optical transmission network card based on different hardware;
FIG. 5 is a schematic diagram of a conventional optical code one-way transmission technology;
FIG. 6 is a schematic diagram of the one-way secure data transmission structure with internal and external network isolation;
FIG. 7 is a diagram of the structure of the UDP multicast apparatus;
FIG. 8 is a block diagram of TS file data output using a code stream playout card;
FIG. 9 is a transmission structure diagram of the one-way optical fiber multicast code stream;
FIG. 10 is a diagram of the multicast data gateway architecture;
FIG. 11 is a flow chart of the multicast and streaming media data forwarding structure;
FIG. 12 is a signal processing structure diagram of the digital television receiving terminal;
FIG. 13 is a diagram of data reception at the mobile end and the fixed end;
FIG. 14 is a diagram of the transmission mode of the one-way ASI code stream;
FIG. 15 is a diagram of the structure of the ASI signal loop-through output and IP multicast output.
Detailed Description
To make the objects, technical solutions and advantages of the present utility model clearer, its embodiments are described in further detail below with reference to the accompanying drawings.
As shown in Fig. 6, the one-way secure data transmission structure with isolated internal and external networks comprises an internal network operation and maintenance data signal processing system, a one-way optical fiber multicast code stream transmission unit and a one-way ASI code stream transmission device; the internal operation and maintenance data signal processing system is connected to the one-way optical fiber multicast code stream transmission unit and to the one-way ASI code stream transmission unit.
The internal network operation and maintenance data signal processing system: a broadcast television system is composed of various broadcast television professional equipment, basic IT equipment, a dynamic environment system and other devices and subsystems, covering every link of program production, processing and distribution, and O&M management of this system is an important guarantee of safe broadcasting. Fig. 6A shows an intranet data collection server that collects data from all devices in the broadcast system and stores it in the database server through the internal switch; the upper application platform loads different service applications from the database data.
With the development of technology, however, local O&M can no longer meet O&M requirements and the collected data must be used in the extranet; once the intranet is connected to the extranet, the security of the intranet system is put at risk. This method and structure solve the problem of securely transmitting data from the high-security intranet to the lower-level extranet.
A UDP multicast device and a TS code stream playout card are arranged in the internal operation and maintenance data signal processing system. As shown in Fig. 7, the UDP multicast device comprises a data acquisition module, an intranet database server, a local file generation module, a TS file generation module and a UDP multicast code stream generation module. The data acquisition module is connected to the intranet database server and to the local file generation module, and sends a message file to the local file generation module; the local file generation module is connected to the TS file generation module and sends a message data file and a configuration data file to it; the TS file generation module is connected to the UDP multicast code stream generation module and sends the TS file to it; and the UDP multicast code stream generation module is connected to the TS code stream playout card and sends the UDP multicast code stream to it.
The internal operation and maintenance data is output in a UDP multicast mode:
The first step is to generate a TS file from the collected data; the overall software structure is shown in fig. 7. Data is collected by the intranet data collection module and stored in the intranet database server through the intranet switch, and a copy of the data is at the same time forwarded to the local file generation module. The local file generation module turns the collected data into two different file types: a configuration data file, which packages the configuration data of the equipment and systems of the whole broadcast television system, and a message data file, which packages alarm data, equipment status and similar data. The configuration data file must also be stored separately on the local server, because it serves the future synchronization of the configuration data file between the intranet and extranet stores. The configuration data files and message data files generated incrementally in real time enter the TS file generation module, which turns both file types into TS files in real time; the TS files are finally handed to the IP multicast code stream generation module and output through the UDP code stream optical network card. The timer converts the configuration data file stored on the intranet into a TS file at regular intervals, or provides the TS file to the database of the intranet through an ASI interface or in multicast mode, so that the configuration data stays synchronized.
Second, the TS file is sent in UDP multicast mode: the TS packets are packed into UDP packets of 1316 bytes (2 to 7 TS packets per UDP packet), a multicast code stream is generated in TS OVER UDP mode, and the multicast code stream is pushed out through the optical network card.
The multicast code stream is output through the optical network card; the optical network card sends the stream only on its TX port to the downstream equipment and never receives data from the downstream equipment, which realizes one-way transmission of the UDP multicast data.
MD5 encryption is applied to the transmitted file, which is then packaged into the TS file for transmission; in this way the completeness and safety of the transmitted file are ensured at the receiving end.
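The two steps above (packing the file into TS packets and TS packets into UDP payloads, with an MD5 value riding alongside the file) can be made concrete in Python. The following is an added illustration written for this page, not code from the patent or its applicant: it frames a constructed message file with its MD5 digest, splits it into 188-byte TS packets on an assumed private PID (0x100, not from the page), groups up to 7 packets into 1316-byte UDP payloads, and shows the receiver-side reassembly and check that the gateway and terminals described later perform. MD5 here is an integrity digest: it detects transmission damage but does not conceal the content and is not collision-resistant, so a keyed MAC or a signature would be the stronger choice for the same slot.

```python
from __future__ import annotations
import hashlib
import struct

TS_PACKET_SIZE = 188                 # fixed MPEG-TS packet length
TS_SYNC_BYTE = 0x47
TS_PER_DATAGRAM = 7                  # 7 x 188 = 1316 bytes, the size the text names
UDP_PAYLOAD = TS_PACKET_SIZE * TS_PER_DATAGRAM
HEADER_SIZE = 4                      # TS header without adaptation field
DATA_PID = 0x100                     # assumed private PID for O&M data (not from the page)


def frame_file(name: str, data: bytes) -> bytes:
    """Frame one file as [name_len][name][data_len][data][md5(data)].

    The MD5 digest rides with the file so the receiving side can check that
    it was reassembled intact.  MD5 is an integrity digest only: it neither
    hides the content nor resists a deliberate collision, so it catches
    transmission damage, not tampering by someone who can inject packets."""
    name_b = name.encode()
    return (struct.pack(">H", len(name_b)) + name_b
            + struct.pack(">I", len(data)) + data
            + hashlib.md5(data).digest())


def to_ts_packets(payload: bytes, pid: int = DATA_PID) -> list[bytes]:
    """Split a payload into 188-byte TS packets on a private PID.

    Header: sync 0x47, payload_unit_start on the first packet, 13-bit PID,
    adaptation_field_control = payload only (0b01), 4-bit continuity counter.
    The last packet is padded with 0xFF; the framed payload carries its own
    lengths, so the padding is ignored on the receiving side."""
    body = TS_PACKET_SIZE - HEADER_SIZE            # 184 payload bytes per packet
    packets = []
    for n, off in enumerate(range(0, len(payload), body)):
        chunk = payload[off:off + body].ljust(body, b"\xff")
        pusi = 0x40 if off == 0 else 0x00
        hdr = bytes([TS_SYNC_BYTE, pusi | (pid >> 8), pid & 0xFF, 0x10 | (n & 0x0F)])
        packets.append(hdr + chunk)
    return packets


def to_datagrams(packets: list[bytes]) -> list[bytes]:
    """Group up to 7 TS packets into one UDP payload (TS over UDP, max 1316 bytes)."""
    return [b"".join(packets[i:i + TS_PER_DATAGRAM])
            for i in range(0, len(packets), TS_PER_DATAGRAM)]


def from_datagrams(datagrams: list[bytes], pid: int = DATA_PID) -> bytes:
    """Receiving side: pull the TS packets out of each datagram and join the
    payloads of those carrying our PID.  Sync loss or a ragged datagram is a
    hard error; on a one-way link there is no way to ask for a resend."""
    out = bytearray()
    for dg in datagrams:
        if len(dg) % TS_PACKET_SIZE:
            raise ValueError("datagram is not a whole number of TS packets")
        for i in range(0, len(dg), TS_PACKET_SIZE):
            pkt = dg[i:i + TS_PACKET_SIZE]
            if pkt[0] != TS_SYNC_BYTE:
                raise ValueError("lost TS sync")
            if ((pkt[1] & 0x1F) << 8 | pkt[2]) == pid:
                out += pkt[HEADER_SIZE:]
    return bytes(out)


def unframe_and_verify(payload: bytes) -> tuple[str, bytes]:
    """Parse the frame and check the MD5 trailer; raise ValueError on mismatch."""
    name_len = struct.unpack(">H", payload[:2])[0]
    name = payload[2:2 + name_len].decode()
    pos = 2 + name_len
    data_len = struct.unpack(">I", payload[pos:pos + 4])[0]
    data = payload[pos + 4:pos + 4 + data_len]
    digest = payload[pos + 4 + data_len:pos + 4 + data_len + 16]
    if len(data) != data_len or hashlib.md5(data).digest() != digest:
        raise ValueError(f"integrity check failed for {name}")
    return name, data


def verify_datagrams(datagrams: list[bytes]) -> bool:
    """What a receiving gateway decides: store the file only if this is True."""
    try:
        unframe_and_verify(from_datagrams(datagrams))
        return True
    except (ValueError, UnicodeDecodeError, struct.error):
        return False


# Constructed sample: an alarm message file as the intranet side might emit it.
SAMPLE_NAME = "msg_20200903.json"
SAMPLE_DATA = b'{"device":"encoder-01","alarm":"input-loss","level":"major"}' * 40

if __name__ == "__main__":
    dgs = to_datagrams(to_ts_packets(frame_file(SAMPLE_NAME, SAMPLE_DATA)))
    print(len(dgs), "datagrams; first is", len(dgs[0]), "bytes")
    name, data = unframe_and_verify(from_datagrams(dgs))
    print("verified", name, len(data), "bytes")
```

Each datagram is at most 1316 bytes, so it fits a standard 1500-byte Ethernet frame without IP fragmentation, and nothing on the sending side depends on a reply from the receiver, which is what makes the optical card's TX-only wiring workable.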
As shown in fig. 8, the TS code stream broadcasting card includes an intranet data acquisition module, a network database server, a local file generation module, a TS file generation module, and a TS/ASI code stream broadcasting module; the intranet data acquisition module is respectively connected with the database server and the local file generation module and sends a message file to the local file generation module; the local file generation module is connected with the TS file generation module and sends the message data file and the configuration data file to the TS file generation module; and the TS file generation module is connected with the TS/ASI code stream broadcasting module and sends the TS file to the TS/ASI code stream broadcasting module.
The internal operation and maintenance data is output in a TS code stream broadcasting card issuing mode:
The first step is to generate a TS file from the collected data; the overall software structure is shown in fig. 7. Data is collected by the intranet data collection module and stored in the intranet database server through the intranet switch, and a copy of the data is at the same time forwarded to the local file generation module. The local file generation module turns the collected data into two different file types: a configuration data file, which packages the configuration data of the equipment and systems of the whole broadcast television system, and a message data file, which packages alarm data, equipment status and similar data. The configuration data file must also be stored separately on the local server, because it serves the future synchronization of the configuration data file between the intranet and extranet stores. The configuration data files and message data files generated incrementally in real time enter the TS file generation module, which turns both file types into TS files in real time; the TS files are finally handed to the ASI (TS) code stream broadcasting card and output in hardware. The timer converts the stored configuration data file into a TS file at regular intervals and provides it to the extranet database through an ASI interface or in multicast mode, so that the configuration data stays synchronized.
Second, the TS file is output in TS code stream broadcasting card issuing mode. The TS code stream broadcasting card is a hardware device used in digital television systems to output a TS code stream through an ASI port; the hardware can only output the TS code stream in one direction and has no bidirectional function.
MD5 encryption is applied to the transmitted file, which is then packaged into the TS file for transmission; in this way the completeness and safety of the transmitted file at the receiving end are established.
As shown in fig. 9, the unidirectional optical fiber multicast code stream transmission unit comprises an intranet data acquisition server, an extranet data receiving gateway, a database server, a digital television multiplexing device, a digital television modulation device, a digital television receiving terminal, a switch, a mobile terminal and a fixed terminal;
the intranet data acquisition server is connected with the extranet data receiving gateway and the database server; the external network data receiving gateway and the database server are respectively connected with the digital television multiplexing equipment and the switch; the digital television multiplexing equipment is connected with the digital television modulation equipment; the digital television modulation equipment is connected with the digital television receiving terminal; the switch is respectively connected with the mobile terminal and the fixed terminal through a network.
The transmission mode of the unidirectional optical fiber multicast code stream is as follows (mode A, shown in fig. 10). Mode A receives unidirectional multicast code stream data from point A on the intranet side, and the following steps describe it:
Point B1, extranet-side data receiving gateway and database server:
Gateway software is deployed on the server at point B1 and restores the received multicast code stream into data files: the multicast code stream from point A on the intranet side is received through the optical board card, the software parses the multicast code stream and restores the configuration file data and message file data, and at the same time the integrity and safety of the data are verified with MD5. Data that is complete and safe (configuration file data and message file data) is stored in the server database, and at the same time the data is sent to the lower level in the original multicast mode. At this point the extranet-side link has in fact already been formed, and data on this side can be communicated bidirectionally.
In this link, the handling of the database includes timed synchronization of the stock data and a real-time synchronization mechanism for incremental data, so that the upper-layer application software can obtain the data and synchronize the application content in real time.
As shown in fig. 11, an optical fiber receiving network card, a multicast data parsing gateway module, a multicast data forwarding module and a streaming media data protocol gateway module are deployed on the external network data receiving gateway and the database server; the optical fiber receiving network card is connected with the multicast data gateway module and sends a multicast code stream to the multicast data gateway module; the multicast data analysis gateway module is connected with the multicast data forwarding module; the multicast data forwarding module is connected with the streaming media data protocol gateway module.
Data parsing gateway software is deployed on the server at point B1; it restores the received multicast code stream into data files and can also forward the received multicast to the next-level digital television system. Referring to fig. 11, the multicast code stream from A is received by the optical board card and parsed by the software in the multicast data gateway module, which restores the configuration file data and message file data. These are stored in the server database, and the multicast is forwarded by the multicast data forwarding module; during forwarding the multicast address and port number can be modified before the stream is sent to the next-level digital television system equipment. At this point the link is in fact the extranet link, and transmission of signal data within the digital television system is also unidirectional.
A streaming media protocol gateway module is also deployed on the server at point B1; it converts the received multicast into streaming media protocols such as RTSP, HLS and SRT for forwarding to the next-level non-digital-television system. Referring to fig. 11, the multicast code stream from A is received through the optical board card and parsed by software, restoring the configuration file data and message file data. These are stored in the server database, and at the same time the UDP data can be converted by the streaming media data gateway module into streaming media protocols such as RTSP, HLS and SRT and sent to the next-level network system. At this point the actual extranet link is established; the devices at this later stage include, but are not limited to, switches, routers and servers.
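The receive, validate and re-address behaviour of the B1 gateway, as an added Python example that is not part of the patent or of its applicant's software. Multicast group addresses, ports and the interface address are assumed placeholders, and the sample capture is constructed. The gateway joins the fibre-facing multicast group (it only ever reads from that socket), checks that every datagram is a whole number of synced TS packets, tracks the 4-bit continuity counter per PID, and re-sends accepted datagrams to a different downstream group and port, which is the address and port rewriting the text describes. On a receive-only link nothing can be retransmitted, so a continuity counter that does not advance by exactly one is the only sign that a datagram was dropped in the fibre or broadcast path.

```python
from __future__ import annotations
import socket
import struct

TS_SIZE = 188
SYNC = 0x47


def open_multicast_receiver(group: str, port: int, iface_ip: str) -> socket.socket:
    """Join a UDP multicast group on the interface facing the one-way fibre.
    The gateway only ever reads from this socket, so no packet goes back
    toward the intranet side.  Addresses are assumed; the page names none."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", port))
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface_ip))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return s


def open_multicast_sender(ttl: int = 1) -> socket.socket:
    """Socket used to re-send the stream to the downstream group and port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    return s


class TsMonitor:
    """Validates TS-over-UDP datagrams and tracks continuity counters per PID.

    A counter that skips is counted as a gap; so is a repeated counter
    (MPEG-TS permits one duplicate packet, which this simple check does not
    special-case).  When a gap is seen, the MD5 check on the affected file
    will fail downstream, and these counters tell the operator why."""

    def __init__(self) -> None:
        self.last_cc: dict[int, int] = {}
        self.packets = 0
        self.gaps = 0
        self.malformed = 0

    def feed(self, datagram: bytes) -> bool:
        """Inspect one datagram; True if it is a whole number of synced TS packets."""
        if not datagram or len(datagram) % TS_SIZE:
            self.malformed += 1
            return False
        for i in range(0, len(datagram), TS_SIZE):
            p = datagram[i:i + TS_SIZE]
            if p[0] != SYNC:
                self.malformed += 1
                return False
            pid = (p[1] & 0x1F) << 8 | p[2]
            cc = p[3] & 0x0F
            if p[3] & 0x10:  # payload present, so the counter must advance
                prev = self.last_cc.get(pid)
                if prev is not None and cc != (prev + 1) & 0x0F:
                    self.gaps += 1
                self.last_cc[pid] = cc
            self.packets += 1
        return True


def relay(rx: socket.socket, tx: socket.socket, out_group: str, out_port: int,
          monitor: TsMonitor, max_datagrams: int) -> TsMonitor:
    """Forward well-formed datagrams unchanged to a new multicast address/port."""
    for _ in range(max_datagrams):
        dg, _src = rx.recvfrom(2048)
        if monitor.feed(dg):
            tx.sendto(dg, (out_group, out_port))
    return monitor


def summarize(datagrams: list[bytes]) -> dict[str, int]:
    """Offline form of the same check for a captured list of datagrams."""
    m = TsMonitor()
    accepted = sum(1 for d in datagrams if m.feed(d))
    return {"accepted": accepted, "packets": m.packets,
            "gaps": m.gaps, "malformed": m.malformed}


def _ts(pid: int, cc: int) -> bytes:
    """Constructed 188-byte TS packet with a stuffing payload (sample data only)."""
    return bytes([SYNC, pid >> 8, pid & 0xFF, 0x10 | (cc & 0x0F)]) + b"\xff" * 184


# Constructed capture: 14 packets on PID 0x100 in two 1316-byte datagrams,
# with the packet carrying continuity counter 11 missing from the second.
SAMPLE = [b"".join(_ts(0x100, cc) for cc in range(7)),
          b"".join(_ts(0x100, cc) for cc in (7, 8, 9, 10, 12, 13, 14))]

if __name__ == "__main__":
    print(summarize(SAMPLE))  # one gap on the constructed capture
    # Live relay with assumed addresses (not from the page):
    rx_sock = open_multicast_receiver("239.10.10.1", 5004, "0.0.0.0")
    tx_sock = open_multicast_sender()
    print(vars(relay(rx_sock, tx_sock, "239.20.20.1", 6004, TsMonitor(), 1000)))
```

Run stand-alone it first scores the constructed capture, then relays 1000 live datagrams and prints the counters. The monitor's gap and malformed counts are what an operator would graph to notice a degraded fibre or a mis-cabled input before whole-file MD5 failures start appearing in the database.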
Point C1, digital television multiplexing equipment
Since this system is used for a broadcast television platform, it is also expected that the system's maintenance information can be released through a digital television system; the multicast code stream received from point B1 is therefore a standard TS OVER IP code stream, and the method and structure are adopted for this. The code stream from point B1 to the multiplexer can be multiplexed with other broadcast television code streams, and the multiplexed code stream is output.
Point E1, digital television modulation equipment
Similarly, the input of the digital television modulation equipment also needs a standard TS OVER IP code stream; point E1 receives the standard code stream from the multiplexer at point C1, modulates it, and outputs it to set-top boxes or other terminals through the HFC network.
As shown in fig. 12, the digital television receiving terminal includes a QAM signal receiving device, an optical fiber receiving network card, a multicast data gateway, and a multicast data forwarding unit; the QAM signal receiving equipment is connected with the optical fiber receiving network card; the optical fiber receiving network card is connected with the multicast data gateway; the multicast data gateway is connected with the multicast data forwarding unit.
Point F1, digital television receiving terminal
The digital television receiving terminal receives the QAM signal output after modulation by the E1-point digital television modulation equipment, demodulates and demultiplexes it, and outputs a multicast code stream (shown in fig. 12); the multicast code stream is parsed by software, the configuration file data and message file data are restored, and the integrity and safety of the transmitted data are verified with MD5. Safe and complete configuration file data and message file data are stored in the server database and at the same time converted from UDP into a streaming media protocol and sent to the next-level switch or service application terminal. This point is in fact an extranet link: subsequent data can be communicated bidirectionally, and the upper-layer application software can receive incremental data in real time and can also access the database server for historical data and release it to the application terminals.
Point G1, switch data distribution
The switch at point G1 receives streaming media protocol data from point B1. This streaming media data is the operation and maintenance data after conversion from the UDP protocol: because UDP data is very unlikely to be deliverable across the public network, the streaming media protocol conversion mainly ensures that the operation and maintenance data can be transmitted across the public network. The streaming media protocol mode is therefore adopted, and it is an important part of the method and structure of this solution.
Point H2, network
The streaming media data output by the switch at point G1 is transmitted through the public network, including 4G and 5G networks, which realizes safe public network transmission of the operation and maintenance data.
As shown in fig. 13, the mobile terminal and the fixed terminal are connected to the web application module and the multicast data gateway through a public network or a local area network, and the web application module and the multicast data gateway transmit data files to each other; the multicast data gateway is interconnected with the stream media data gateway, and the stream media data gateway converts the stream media data into multicast data of UDP and transmits the multicast data to the multicast data gateway; the stream media data gateway is connected with the local switch, and the switch transmits the stream media data to the stream media data gateway.
Points I1 and J1 obtain the streaming media information through the public network and feed it into the local switch. The streaming media data (RTSP, HLS, SRT) is first converted by the streaming media data gateway into UDP multicast data (see fig. 13); the multicast data gateway then parses the multicast code stream by software, restores the configuration file data and message file data, and verifies the integrity and safety of the transmission with MD5. Safe and complete configuration file data and message file data are stored in the server database and at the same time provided, in file form, to the web application publishing software; the web application data is published to the public network through the local area network, so that real-time information can be obtained from mobile terminals and computer terminals and historical data can be queried.
As shown in fig. 14, the unidirectional ASI code stream transmission device includes an intranet data acquisition server, an ASI-to-IP gateway device, an extranet data receiving gateway, a database server, a digital television multiplexing device, a digital television modulation device, a digital television receiving terminal, a switch, a mobile terminal, and a fixed terminal; the intranet data acquisition server is connected with the ASI-to-IP gateway equipment and sends an ASI signal to the ASI-to-IP gateway equipment; the ASI-to-IP gateway equipment is connected with the external network data receiving gateway and the database server; the external network data receiving gateway and the database server are respectively connected with the digital television multiplexing equipment and the switch; the digital television multiplexing equipment is connected with the digital television modulation equipment and is connected with the digital television receiving terminal through the digital television modulation equipment; the switch is respectively connected with the mobile terminal and the fixed terminal through a network.
Unidirectional ASI code stream transmission mode:
Referring to mode B in fig. 14, a TS code stream broadcast card is used to implement the transmission of operation and maintenance data; mode B receives an ASI signal from point A on the intranet side.
In the overall system structure, the difference from mode A is that a point B2, the ASI-to-IP gateway, is added. This link has two signal outputs: one directly provides the ASI signal to the multiplexer at point C2, and the other encapsulates the ASI signal into UDP and provides the UDP multicast to point B3. The processing of the signal after point B3 is exactly the same as at point B1 and is not described again.
As shown in fig. 15, the ASI-to-IP gateway device comprises an ASI signal output end that sends the ASI signal to a connected ASI signal receiving end; the ASI signal receiving end is connected to an ASI signal gateway module, which encapsulates the UDP multicast into streaming media and outputs the data through a connected multicast data output end.
The ASI signal from point A is received; in digital television the ASI signal is a unidirectional transmission signal that can only be received and cannot be returned, and it uses coaxial cable as its transmission medium. After receiving the ASI signal, the ASI signal receiving module outputs a loop-through ASI signal to the multiplexer of the C2-point digital television multiplexing device, which transmits the ASI signal within the broadcast television network; in the final signal processing the operation and maintenance data can also be parsed in UDP multicast mode and its parsing and release provided to the application software. At the same time the ASI signal receiving module feeds the received data to the ASI signal gateway, which can encapsulate the ASI signal into UDP multicast and transmit it to points C1 and B3: after reception at point C1 the data is transmitted within the digital television system, and after reception at point B3 the UDP multicast is encapsulated into a streaming media protocol and distributed over the public network.
In this embodiment the data signal processing mode encapsulates the operation and maintenance data into a TS file; besides this file encapsulation mode, the data encapsulation may also use IP OVER DVB or DVB data broadcasting.
For encryption of the transmitted data the scheme adopts MD5; other encryption modes may also be adopted to ensure the integrity of the transmitted data and the security of its content.
Although the embodiments of the present invention have been described above, the description is only for the convenience of understanding the present invention, and the present invention is not limited thereto. It will be apparent to persons skilled in the relevant art that various changes in form and detail can be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (8)

1. An intranet-extranet isolated one-way secure data transmission architecture, comprising an internal network operation and maintenance data signal processing system, a unidirectional optical fiber multicast code stream transmission unit and a unidirectional ASI code stream transmission device; the internal operation and maintenance data signal processing system is connected with the unidirectional optical fiber multicast code stream transmission unit and the unidirectional ASI code stream transmission unit.
2. The unidirectional secure data transmission structure for internal and external network isolation according to claim 1, wherein a UDP multicast device and a TS stream broadcast card are disposed in the internal operation and maintenance data signal processing system;
the UDP multicast device comprises a data acquisition module, an intranet database server, a local file generation module, a TS file generation module and a UDP multicast code stream generation module; the data acquisition module is respectively connected with the intranet database server and the local file generation module and sends a message file to the local file generation module; the local file generation module is connected with the TS file generation module and sends a message data file and a configuration data file to the TS file generation module; the TS file generation module is connected with the UDP multicast code stream generation module and sends the TS file to the UDP multicast code stream generation module; the UDP multicast code stream generating module is connected with the TS code stream broadcasting card and sends the UDP multicast code stream to the TS code stream broadcasting card;
the TS code stream broadcasting card comprises an intranet data acquisition module, a database server, a local file generation module, a TS file generation module and a TS/ASI code stream broadcasting module; the intranet data acquisition module is respectively connected with the database server and the local file generation module and sends a message file to the local file generation module; the local file generation module is connected with the TS file generation module and sends the message data file and the configuration data file to the TS file generation module; and the TS file generation module is connected with the TS/ASI code stream broadcasting module and sends the TS file to the TS/ASI code stream broadcasting module.
3. The intranet and extranet isolated unidirectional secure data transmission architecture of claim 1, wherein the unidirectional optical fiber multicast code stream transmission unit comprises an intranet data acquisition server, an extranet data reception gateway, a database server, a digital television multiplexing device, a digital television modulation device, a digital television reception terminal, a switch, a mobile terminal and a fixed terminal;
the intranet data acquisition server is connected with the extranet data receiving gateway and the database server; the external network data receiving gateway and the database server are respectively connected with the digital television multiplexing equipment and the switch; the digital television multiplexing equipment is connected with the digital television modulation equipment; the digital television modulation equipment is connected with the digital television receiving terminal; the switch is respectively connected with the mobile terminal and the fixed terminal through a network.
4. The intranet and extranet isolated one-way secure data transmission architecture of claim 1, wherein an optical fiber receiving network card, a multicast data parsing gateway module, a multicast data forwarding module and a streaming media data protocol gateway module are deployed on the extranet data receiving gateway and the database server; the optical fiber receiving network card is connected with the multicast data gateway module and sends a multicast code stream to the multicast data gateway module; the multicast data analysis gateway module is connected with the multicast data forwarding module; the multicast data forwarding module is connected with the streaming media data protocol gateway module.
5. The intranet and extranet isolated one-way secure data transmission architecture of claim 3, wherein the digital television receiving terminal comprises a QAM signal receiving device, an optical fiber receiving network card, a multicast data gateway and a multicast data forwarding unit; the QAM signal receiving equipment is connected with the optical fiber receiving network card; the optical fiber receiving network card is connected with the multicast data gateway; the multicast data gateway is connected with the multicast data forwarding unit.
6. The intranet and extranet isolated one-way secure data transmission architecture of claim 3, wherein the mobile terminal and the fixed terminal are connected to the web application module and the multicast data gateway through a public network or a local area network, and the web application module and the multicast data gateway transmit data files to each other; the multicast data gateway is interconnected with the stream media data gateway, and the stream media data gateway converts the stream media data into multicast data of UDP and transmits the multicast data to the multicast data gateway; the stream media data gateway is connected with the local switch, and the switch transmits the stream media data to the stream media data gateway.
7. The structure of claim 1, wherein the unidirectional ASI code stream transmission device comprises an intranet data acquisition server, an ASI-to-IP gateway device, an extranet data reception gateway, a database server, a digital television multiplexing device, a digital television modulation device, a digital television reception terminal, a switch, a mobile terminal, and a fixed terminal; the intranet data acquisition server is connected with the ASI-to-IP gateway equipment and sends an ASI signal to the ASI-to-IP gateway equipment; the ASI-to-IP gateway equipment is connected with the external network data receiving gateway and the database server; the external network data receiving gateway and the database server are respectively connected with the digital television multiplexing equipment and the switch; the digital television multiplexing equipment is connected with the digital television modulation equipment and is connected with the digital television receiving terminal through the digital television modulation equipment; the switch is respectively connected with the mobile terminal and the fixed terminal through a network.
8. The intranet and extranet isolated unidirectional secure data transmission architecture of claim 1, wherein the ASI to IP gateway device comprises an ASI signal output terminal for transmitting ASI signals to a connected ASI signal receiving terminal, the ASI signal receiving terminal is connected to an ASI signal gateway module, and the ASI signal gateway module encapsulates UDP multicast into streaming media protocol for data output through the connected multicast data output terminal.
CN202021895619.0U 2020-09-03 2020-09-03 Unidirectional safety data transmission structure with isolated internal and external networks Active CN212519257U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202021895619.0U CN212519257U (en) 2020-09-03 2020-09-03 Unidirectional safety data transmission structure with isolated internal and external networks

Publications (1)

Publication Number Publication Date
CN212519257U true CN212519257U (en) 2021-02-09

Family

ID=74385502

Country Status (1)

Country Link
CN (1) CN212519257U (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113132357A (en) * 2021-03-23 2021-07-16 深圳凌特华盛科技有限公司 Time division multiplexing optical fiber hardware data sequencing method, network security transmission method and data security isolation network
CN113329002A (en) * 2021-05-20 2021-08-31 普天通信有限责任公司 Internet of things data aggregation system
CN113329002B (en) * 2021-05-20 2022-06-21 普天通信有限责任公司 Internet of things data aggregation system

Legal Events

Date Code Title Description
GR01 Patent grant