WO2014114232A1 - Isolation protection system and method thereof for performing bidirectional data packet filtration inspection - Google Patents


Info

Publication number
WO2014114232A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication
data
protection device
packet
filtering
Application number
PCT/CN2014/071101
Other languages
French (fr)
Chinese (zh)
Inventor
杨磊
杨剑楠
赵岳云
Original Assignee
横河电机株式会社
Application filed by 横河电机株式会社
Priority to JP2015552998A (JP6269683B2)
Publication of WO2014114232A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones

Definitions

  • The invention relates to an isolation protection system for use on a communication line and a method thereof for performing bidirectional packet filtering inspection. The system is arranged in a communication path (for example between communication networks, in a gateway path, or between different communication terminals) to implement network security protection, isolation protection of the facilities on both sides of the communication, and bidirectional packet filtering checks. It is especially suitable for the information networks and control networks of industrial sites.

Background technique

  • The security products deployed between the information network and the control network of an existing industrial site are mostly firewall or gateway products.
  • Firewall technology has insufficient support for industrial communication protocols.
  • Dynamic ports in the range 1024 to 65535 are required, so the firewall must open all ports in that range, which significantly increases the security risk to the network.
  • The firewall implements read control at the IP layer but does not support read control of the data itself.
  • The firewall supports checking of the data link layer, network layer and transport layer of a general network,
  • but its application-layer inspection function, and especially its inspection of industrial protocols, has certain deficiencies.
  • Gateway technology first collects data from the server of the control system network; the gateway takes over the function of the control system network's server.
  • The client of the MES/ERP layer then collects data through the gateway, thereby protecting the server of the control system network.
  • The disadvantage of gateway technology is that the gateway product has its own IP address. Even if the control system network is already configured, the client of the MES/ERP layer still needs to be reconfigured (changing the server IP and server name, registering the gateway server, and so on). In addition, the firewall function of the gateway is insufficient. Because the gateway product has an IP address it may be attacked, and when the gateway product is compromised the risk to the devices in the control system increases.
  • Fig. 1: in the communication line between the two communication parties (N1, N2) a security guard 100 is provided, wherein a filtering module F0 filters the passing packets.
  • A disadvantage of the above prior art is that its firewall security filter check modules all run on a single central processing unit (CPU). In this case, when the firewall is attacked while transmitting data from one communication party to the other, the entire security firewall is corrupted and becomes unusable, because the whole firewall runs on that single central processor.
  • CPU: central processing unit
  • The technical problem to be solved by the present invention is to provide an isolation protection system for isolating and protecting the communication facilities of the communication parties in a communication line, and a method for performing bidirectional packet filtering inspection. The isolation protection system integrates two protection devices, one for each communication party, running on separate central processors, together with a bidirectional data transmission module that performs bidirectional data communication between the two protection devices in accordance with a proprietary communication protocol. This ensures the security of data packet transmission between the communicating parties while avoiding the whole isolation protection system being damaged and rendered unusable by the destruction of the central processor serving one communication party.
  • To that end, the present invention provides an isolation protection system that is provided in a communication line to isolate and protect the communication facilities of both communication parties, and includes:
  • a first protection device and a second protection device, each connected to the communication facility of one of the communication parties;
  • a bidirectional data transmission module disposed between the first protection device and the second protection device, configured to connect them and, according to a proprietary communication protocol, to transmit data output by the first protection device to the second protection device and data output by the second protection device to the first protection device; characterized in that the first protection device and the second protection device have completely independent hardware structures and each operates on a separate central processor, wherein each of the first protection device and the second protection device includes:
  • a first interface configured to receive the data packets of the data stream from the communication facility of the connected communication party and to output data from the other communication party to the connected communication facility;
  • a filtering module configured to perform a filtering check on the data stream received from the first interface and to output the data that meets the security requirements;
  • a second interface configured to receive the data that meets the security requirements and to transmit it to the bidirectional data transmission module.
  • The isolation protection system of the present invention adopts the "2+1" structure: the first protection device and the second protection device have completely independent hardware structures and operate on separate central processors, and a bidirectional data transmission module connected between them lets the communication parties communicate according to a proprietary communication protocol, implementing secure bidirectional data communication between the communication parties.
  • Because the two protection devices operate on separate central processors, when one of them is attacked or physically damaged the other is not affected. Since each protection device runs on its own central processing unit, each can be constructed separately in hardware, so that when one is attacked or physically damaged it can easily be replaced and repaired or maintained in a targeted way. In addition, since the hardware structures of the two protection devices are completely independent, the protection devices can be manufactured separately with completely independently controlled hardware structures, and their hardware can then be programmed according to the security requirements of the communication party (or destination communication party) to which each protection device is connected.
  • The configuration of the present invention can simplify the hardware manufacturing process as a whole and provides separate protection for the facilities on both sides of the communication.
  • The bidirectional data communication module disposed between the two protection devices constructs a communication link between them for the communication parties according to a proprietary communication protocol; that is, a data packet of the data stream passing through one protection device must satisfy the proprietary communication protocol to be able to enter the other protection device. The bidirectional data transmission module therefore forms a protective barrier between the two protection devices (that is, between the communication parties).
  • The isolation protection system according to the present invention implements secure bidirectional data transmission between the communication parties through the filtering modules in the protection devices and the bidirectional data transmission module.
  • The system overcomes the problem in existing gateway technology that the gateway product must have its own IP address: when the communication parties establish communication through the isolation protection system, no reconfiguration of either network end is required, and because there is no IP address the possibility of being attacked is further reduced.
  • The communication facility of a communication party may be a computer, a server or another network information input/output device.
  • The data filtering module may include a built-in firewall module for performing a basic firewall check on the data packets of the transmitted data stream, and a packet filtering module for performing deep packet filtering.
  • The built-in firewall module may perform a packet header content check on the data packets of the data stream, and the packet filtering module may perform a packet body content check on them.
  • The header content relates to the IP address, MAC address, protocol type information and port information;
  • the packet body content relates to the communication target, communication source, communication destination, communication type and communication content.
  • The built-in firewall module and the packet filtering module in each protection device perform two filtering checks on the data packets flowing through: the built-in firewall module performs a basic firewall check on the packet headers of the data stream, and the packet filtering module performs a deep packet filtering check on the packets of the data stream.
  • Performing the basic firewall check may include performing a header content check on the data packets of the data stream, and performing the deep packet filtering check may include performing a packet body content check on them.
  • The two filtering checks are performed successively within a protection device to ensure the security of the packets flowing through.
  • The bidirectional data transmission module provides further protection between the two protection devices in accordance with the proprietary communication protocol. Therefore, even if an unsafe data packet has passed the two filtering checks performed by the built-in firewall module and the packet filtering module in one protection device, it cannot pass through the bidirectional data transmission module into the other protection device unless it satisfies the proprietary communication protocol. In other words, after the built-in firewall module and the packet filtering module, further transmission of an insecure data packet is also blocked by the bidirectional data communication module, which further increases the security of data transmission between the two communication parties.
  • The packet filtering module has a built-in filter list that supports the industrial communication protocol.
  • Since the packet filtering module in each protection device can check the application data of the industrial protocol, the network isolation protection system of the present invention can fully support the industrial communication protocol and enhance application-layer inspection, so the check function can easily be applied between the industrial field information network and the control network.
  • The present invention also provides a method for performing a bidirectional packet filtering check using the above isolation protection system, comprising the steps of:
  • providing a first protection device and a second protection device that have completely independent hardware structures and operate on separate central processors, for the communication facilities of the communication parties;
  • performing a filtering check on the data packets of the transmitted data stream using the filtering modules provided in the first protection device and the second protection device.
  • The filtering check includes performing a basic firewall check on the data packets of the transmitted data stream, which includes a header content check, and performing deep filtering on the data packets of the transmitted data stream, which includes a packet body content check.
  • The header content relates to the IP address, MAC address, protocol type information and port information;
  • the packet body content relates to the communication target, communication source, communication destination, communication type and communication content.
  • The isolation protection system for providing isolation protection for the communication facilities of both communication parties in a communication line, and its method for performing bidirectional packet filtering inspection, can filter data packets not only at the data link layer but also at the network layer and the transport layer through the built-in firewall module in each protection device, and can perform a deep filtering check on the data packets through the packet filtering module in each protection device, thereby establishing bidirectional data communication between the communication parties and realizing secure bidirectional data transmission for both parties. Moreover, because the first protection device and the second protection device operate on separate central processors, when one protection device is attacked or physically damaged the other is not affected.
  • FIG. 1 is a schematic diagram showing the principle of a prior art security firewall product;
  • FIG. 2 is a block diagram of an isolation protection system according to a first embodiment of the present invention;
  • FIG. 3 is a block diagram of an isolation protection system according to a second embodiment of the present invention;
  • FIG. 4 illustrates the use of an isolation protection system according to the present invention;
  • FIG. 5 illustrates the use of an isolation protection system according to the second embodiment of the present invention.
  • The security products deployed between the information network and the control network of an existing industrial site are mostly firewall or gateway products, and in the prior art bidirectional data transmission can only be realized by a firewall product running on a single central processor.
  • To address this, an isolation protection system and its method of performing bidirectional packet filtering checks are proposed.
  • The present invention provides an isolation protection system for isolating and protecting the communication facilities of the communication parties in a communication line, which adopts the "2+1" structure of the present invention (i.e. two protection devices for the two communication parties running on two separate central processors, and a bidirectional data transmission module connected between the two protection devices that controls data transmission between them using a proprietary communication protocol) to establish secure bidirectional data transmission between the two communicating parties.
  • Each protection device can be constructed discretely, so that when one of them is attacked or physically damaged it can easily be disassembled and replaced. In addition, because the hardware structures of the two protection devices that constitute the isolation protection system are completely independent, each protection device can be manufactured separately with completely independent control of its hardware structure, and the hardware can then be programmed according to the security requirements of the communication party (or destination communication party) to which the protection device is connected (this mainly involves configuration of the communication protocol).
  • The configuration of the present invention can simplify the hardware manufacturing process as a whole and provides separate protection for the facilities of both parties to the communication.
  • The bidirectional data communication module in the isolation protection system uses a proprietary communication protocol to construct a communication link between the two protection devices for the communication parties; that is, the data flowing through one protection device must satisfy the proprietary communication protocol before it can enter the other protection device, so the bidirectional data transmission module provides another protective barrier between the two protection devices (that is, between the communication parties).
  • Fig. 2 shows a block diagram of an isolation protection system 1 according to a first embodiment of the invention.
  • the isolation protection system 1 according to the present invention may be disposed between the first communication party N1 and the second communication party N2 to implement secure two-way data communication between the first communication party N1 and the second communication party N2.
  • The communication facilities of the first communication party N1 and the second communication party N2 may be computers, servers or other network information input/output devices.
  • the isolation protection system 1 may include a first protection device 10, a second protection device 20, and a bidirectional data transmission module 4, that is, the "2+1" structure of the present invention.
  • the first protection device 10 and the second protection device 20 perform bidirectional data communication through the bidirectional data transmission module 4.
  • A proprietary communication protocol is built into the bidirectional data transmission module 4. It may be implemented as proprietary protocol hardware, proprietary protocol software or a combination of the two, and it establishes a security barrier between the first protection device 10 and the second protection device 20: data packets that do not conform to the proprietary communication protocol are intercepted and blocked, so that secure data interaction between the first protection device 10 and the second protection device 20 is ensured.
  • The first protection device 10 includes a first interface A1 for bidirectional data communication with the first communication party N1, a second interface B1 for bidirectional communication with the bidirectional data transmission module 4, a filtering module F1, and a transmission channel C1 that transmits data packets from the second interface B1 to the first interface A1.
  • The filtering module F1 is disposed between the first interface A1 and the second interface B1 and is configured to perform a filtering check on the data packets received from the first interface A1 that are to be transmitted from the first communication party N1 to the second communication party N2, and to output to the second interface B1 those data packets that conform to the communication protocol built into the filtering module F1 as its security requirement.
  • The second interface B1 outputs the data packets that have passed the filtering check of the filtering module F1 to the bidirectional data transmission module 4, and the bidirectional data transmission module 4 transfers the data output by the first protection device 10 through its second interface B1 to the second protection device 20 according to the proprietary communication protocol.
  • The second protection device 20 is completely independent of the first protection device 10 in hardware configuration.
  • The second protection device 20 includes a first interface A2 for bidirectional data communication with the second communication party N2 and a second interface B2 for bidirectional communication with the bidirectional data transmission module 4.
  • Also included in the second protection device 20 are a filtering module F2 and a transmission channel C2 for transmitting data packets from the second interface B2 to the first interface A2.
  • The filtering module F2 is disposed between the first interface A2 and the second interface B2 and is configured to perform a filtering check on the data packets received from the first interface A2 that are to be transmitted from the second communication party N2 to the first communication party N1.
  • The second interface B2 outputs the data packets that have passed the filtering check of the filtering module F2 to the bidirectional data transmission module 4, and the bidirectional data transmission module 4 delivers the data output by the second protection device 20 through its second interface B2 to the first protection device 10 according to the proprietary communication protocol.
  • The first protection device 10 and the second protection device 20 in the isolation protection system 1 are operated on a central processing unit CPU1 and a central processing unit CPU2 respectively, which are independent of each other (i.e. operated and run independently), and each central processor has its own memory.
  • This configuration ensures that when one of the central processors is compromised or physically damaged, the other central processor is not affected.
  • The first protection device 10 and the second protection device 20, each operating independently on its own central processor, perform bidirectional data transmission through the bidirectional data transmission module 4 according to the proprietary communication protocol.
  • In the isolation protection system 1 according to the first embodiment, data transmission between both sides of the communication is performed by the filtering modules in the protection devices, which run on independent central processors, and by the bidirectional data transmission module between the two protection devices. Therefore, when data is exchanged between networks through the isolation protection system 1, it is not necessary, as it is with existing gateway products, to set an IP address on the client and server sides, so the existing network is unaffected.
  • Since the security policy of the isolation protection system 1 is implemented by configuring the filtering modules in the protection devices, an appropriate security policy can be set according to the security requirements of both communication parties.
  • In the isolation protection system 1, when a data packet is to be transmitted from the first communication party N1 to the second communication party N2, the data packet flows along the path L1 shown in Fig. 2.
  • The data from the first communication party N1 enters the first protection device 10 through the first interface A1 of the first protection device 10; inside the first protection device 10 the data packet is filtered and checked by the filtering module F1; a data packet conforming to the security requirements passes through the filtering module F1 and enters the bidirectional data transmission module 4 via the second interface B1 of the first protection device 10; if the data packet does not comply with the proprietary communication protocol built into the bidirectional data transmission module 4, it is blocked from entering the second protection device 20. If the data packet conforms to the proprietary communication protocol, it can enter the second protection device 20 through the bidirectional data transmission module 4; within the second protection device 20 the data packet is transmitted directly from the second interface B2 to the first interface A2 through the transmission channel C2, completing the packet transmission from the first communication party N1 to the second communication party N2.
  • Thus the data packet first passes the filtering check of the filtering module F1 in the first protection device 10 and then enters the second protection device 20 from the first protection device 10 according to the proprietary communication protocol; this configuration ensures the security of the data transmitted from the first communication party N1 to the second communication party N2.
  • The packet transmission flow from the second communication party N2 to the first communication party N1 is shown as path L2 in Fig. 2; it is similar to path L1 and its description is omitted here.
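The paths L1 and L2 above, and the barrier that module 4 forms between the two devices, as an added example in Python. This is not code from the patent or from the applicant; the "proprietary communication protocol" is modelled here as an assumed frame format (a 4-byte marker, a length and an HMAC-SHA256 tag under a key shared by the two ends of module 4), the filtering modules F1/F2 are reduced to a header whitelist, and all addresses, ports and packet contents are constructed for the demonstration. Each ProtectionDevice object holds only its own rule table and log, so nothing one side does changes the other side's policy, which is the point of the "2+1" structure.

```python
import hashlib
import hmac
import json
import struct
from dataclasses import asdict, dataclass

# Constructed demo key shared by both ends of transmission module 4. The patent
# only says the module embeds a proprietary protocol; HMAC framing is assumed.
LINK_KEY = b"constructed-demo-link-key"
MAGIC = b"ISO1"   # assumed 4-byte frame marker
TAG_LEN = 32


def wrap_frame(payload: bytes) -> bytes:
    """Proprietary framing: MAGIC | 2-byte length | payload | HMAC-SHA256."""
    tag = hmac.new(LINK_KEY, MAGIC + payload, hashlib.sha256).digest()
    return MAGIC + struct.pack("!H", len(payload)) + payload + tag


def unwrap_frame(frame: bytes):
    """Return the payload of a conforming frame, or None to block it."""
    if len(frame) < len(MAGIC) + 2 + TAG_LEN or frame[:4] != MAGIC:
        return None
    (n,) = struct.unpack("!H", frame[4:6])
    payload, tag = frame[6:6 + n], frame[6 + n:]
    if len(payload) != n or len(tag) != TAG_LEN:
        return None
    expect = hmac.new(LINK_KEY, MAGIC + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expect) else None


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    data: str


class ProtectionDevice:
    """Device 10 or 20: owns only its own rule table and delivery log."""

    def __init__(self, name: str, rules: set):
        self.name = name
        self.rules = rules        # allowed (src_ip, dst_ip, proto, dst_port)
        self.delivered = []       # packets handed to the attached party

    def filter_module(self, pkt: Packet) -> bool:
        """F1/F2 reduced to a header check against the whitelist."""
        return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port) in self.rules

    def egress(self, pkt: Packet):
        """Interface A -> F -> interface B: a proprietary frame, or None."""
        if not self.filter_module(pkt):
            return None
        return wrap_frame(json.dumps(asdict(pkt)).encode())

    def ingress(self, payload: bytes) -> None:
        """Interface B -> channel C -> interface A: no filtering on this leg."""
        self.delivered.append(Packet(**json.loads(payload)))


class TransmissionModule:
    """Module 4: forwards only frames that satisfy the proprietary protocol."""

    def forward(self, frame, dst: ProtectionDevice) -> bool:
        payload = unwrap_frame(frame) if frame is not None else None
        if payload is None:
            return False
        dst.ingress(payload)
        return True


def send(src: ProtectionDevice, dst: ProtectionDevice,
         module: TransmissionModule, pkt: Packet) -> bool:
    """Path L1 (10 -> 20) or L2 (20 -> 10), depending on the arguments."""
    return module.forward(src.egress(pkt), dst)


def demo() -> dict:
    # Constructed addresses: N1 = 10.0.1.5 (information network side),
    # N2 = 10.0.2.9 (control network side).
    dev10 = ProtectionDevice("10", {("10.0.1.5", "10.0.2.9", "tcp", 502)})
    dev20 = ProtectionDevice("20", {("10.0.2.9", "10.0.1.5", "tcp", 5000)})
    mod4 = TransmissionModule()
    read = Packet("10.0.1.5", "10.0.2.9", "tcp", 502, "read registers")
    ssh = Packet("10.0.1.5", "10.0.2.9", "tcp", 22, "unapproved port")
    push = Packet("10.0.2.9", "10.0.1.5", "tcp", 5000, "historian push")
    probe = Packet("10.0.2.9", "10.0.1.5", "tcp", 445, "unapproved port")
    good_frame = dev10.egress(read)
    tampered = good_frame[:-1] + bytes([good_frame[-1] ^ 0x01])
    return {
        "l1_allowed": send(dev10, dev20, mod4, read),
        "l1_blocked_by_f1": send(dev10, dev20, mod4, ssh),
        "l2_allowed": send(dev20, dev10, mod4, push),
        "l2_blocked_by_f2": send(dev20, dev10, mod4, probe),
        # Bytes pushed straight into module 4 (e.g. by a compromised device 10)
        # never reach device 20 unless they satisfy the framing.
        "raw_blocked": mod4.forward(b"GET / HTTP/1.1\r\n\r\n", dev20),
        "tampered_blocked": mod4.forward(tampered, dev20),
        "delivered_to_n2": len(dev20.delivered),
        "delivered_to_n1": len(dev10.delivered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reverse leg (interface B to A over channel C) deliberately performs no check, matching the description above: a packet that reaches device 20 has already been filtered by F1 and framed by module 4, and device 20's own policy only governs traffic originating from N2.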
  • the isolation protection system 1 employs the "2+1" structure of the present invention: that is, two central processors operating independently of each other for the communication parties
  • a two-way data communication module 4 that performs secure data interaction between two protection devices 10, 20 between two protection devices 10, 20 and in accordance with a proprietary communication protocol enables bidirectional data communication between the communication parties.
  • the two protection devices include a filtering module for filtering and checking the data packets, so that the communication protocol as a security requirement of the filtering module can be set according to the security requirements of the communication parties to meet the security requirements of the communication parties. .
  • the first protection device 10 and the second protection device 20 are respectively operated on separate central processors, so that two protection devices that are completely independent of each other in hardware can be realized.
  • the bidirectional data transmission module 4 is disposed between the first protection device 10 and the second protection device 20 and implements secure communication between the first protection device 10 and the second protection device 20 using a proprietary communication protocol, such as the present invention.
  • the "2+1" architecture can bring many advantages in hardware implementation.
  • the first protection device 10 and the second protection device 20 can be fabricated as two separate hosts, the host including a central processor, and each central processor can have a corresponding memory.
  • a dedicated embedded Linux operating system with a bootloader as the boot loader can be used.
  • the performance of the other protection device is not affected by one attack or physical damage between the two protection devices.
  • the first protection device 10 and the second protection device 20 may be fabricated as a device in the form of a plug-in, that is, a device manufactured in a detachable form, and the bidirectional data transmission module 4 is manufactured as a backplane incorporating a proprietary communication protocol.
  • the two protection devices are inserted into the backplane, an isolation protection system for isolating and protecting the communication facilities of both communication parties according to the present invention is formed. In this case, when one of the protection devices is broken, replacement and maintenance can be easily performed, and the other protection device is not affected at all.
  • the filter module F1 in the first protection device 10 includes a built-in firewall module K1 and packet filtering.
  • the module S1, and the filtering module F2 in the second protection device 20 includes a built-in firewall module K2 and a packet filtering module S2, as shown in FIG.
  • the built-in firewall module K1 can perform firewall filtering check on the data packet received from the first communication party N1 to the second communication party N2 from the first interface A1, and the firewall filtering check can be a basic firewall check to ensure General cyber attacks are hard to work with.
  • Basic firewall technology The communication rules of setting protocol, port, IP, etc.
  • the data packet can be checked at the data link layer, the network layer, and the transport layer, which mainly involves performing packet header content inspection on the data packet. Check that packets that do not satisfy the communication rule will be intercepted.
  • Packet filtering module
  • the packet filtering check is different from the firewall filtering check, which may be based on deep filtering check and protocol analysis of the data packet on the application layer. It mainly involves performing a package content check on the data stream.
  • an industrial communication protocol can be built in the packet filtering module S1 to check an application conforming to the industrial communication protocol. data.
  • the header content relates to an IP address, a MAC address, protocol type information, and port information, and the contents of the package relate to a communication target, a communication source, a communication destination, a communication type, and a communication content.
  • the filter module F2 in the second protection device 20 includes a built-in firewall module K2 and a packet filtering module S2.
  • the built-in firewall module K2 is configured to perform firewall filtering check on the data packet input from the first interface A2 to be transmitted from the second communication party N2 to the first communication party N1, and the firewall filtering check may be a basic firewall check.
  • the basic firewall technology implements defense functions by setting communication protocols such as protocols, ports, and IPs, that is, data can be checked at the data link layer, network layer, and transport layer. This mainly involves checking the packet header of the packet, and packets that do not satisfy the communication rule will be intercepted.
  • the packet filtering module S2 is configured to perform a packet filtering check on the data packets already filtered by the built-in firewall module K2. The packet filtering check differs from the firewall filtering check: it may be based on deep filtering and protocol analysis of the data packet at the application layer, and mainly involves a package body content check on the data packets of the data stream.
  • an industrial communication protocol can be built into the packet filtering module S2 to check application data conforming to that industrial communication protocol.
  • the header content relates to an IP address, a MAC address, protocol type information, and port information
  • the package content relates to a communication target, a communication source, a communication destination, a communication type, and a communication content.
  • both the first protection device 10 and the second protection device 20 include a built-in firewall module and a packet filtering module that filter and check data packets in succession, and the two filtering checks are directed at different parts of the packets in the data stream.
  • the built-in firewall module supports checking the data link layer, network layer, and transport layer of a general network and is mainly used to filter the packet header; the packet filtering module supports checking application-layer data, that is, it mainly filters and checks the content of the data packet, so an industrial communication protocol can be built into the packet filtering module for checking application data that complies with industrial protocols.
  • since each protection device included in the isolation protection system according to the present invention includes a built-in firewall module and a packet filtering module that filter and check data in succession, the security of the data passing through can be ensured, and the desired industrial communication protocol can be preset in the packet filtering module so that the network security protection system of the present invention fully supports the industrial communication protocol and accommodates the security requirements between the information network and the control network at the industrial site.
  • the built-in firewall module S1 and the built-in firewall module S2 can be identical, that is, provide the same basic firewall filtering check.
  • the packet filtering module S1 and the packet filtering module S2 may be the same, that is, the same communication protocol may be built into both; or different communication protocols may be built in according to the different security requirements of the first communication party N1 and the second communication party N2. For example, when the first communication party N1 is the sender of the data packet and the second communication party N2 is the receiver, the communication protocol built into the packet filtering module S1 in the first protection device 10 may be set according to the security requirement of the second communication party N2 as the receiver; and when the first communication party N1 is the receiver and the second communication party N2 is the sender, the communication protocol built into the packet filtering module S2 in the second protection device 20 is set according to the security requirement of the first communication party N1, thereby satisfying the security requirements of both parties.
  • since the two-way data transmission module 4 with a proprietary communication protocol is provided between the first protection device 10 and the second protection device 20, a data packet transmitted from one communication party to the other is blocked and cannot reach the other party if it does not satisfy the proprietary communication protocol built into the bidirectional data transmission module 4, even when it has passed the filtering checks of the built-in firewall module and the packet filtering module in the protection device; this further increases the security of data transmission on the communication lines of both communication parties.
  • the isolation protection system 2 according to the second embodiment of the present invention can be applied between an industrial field information network and a control network to protect the control network. This is mainly because, in the isolation protection system 2 of the present invention, both the first protection device 10 and the second protection device 20 perform a packet filtering check in addition to the conventional built-in firewall filtering check. The proprietary communication protocols of a variety of automation product manufacturers can be built into the packet filtering module, so that effective communication over industrial protocols such as OPC and Modbus is carried out between client and server terminals, with data read and write control supported; other, non-industrial data is discarded.
  • the client and the server are used as communication parties as an example to describe how the isolation protection system 2 according to the present invention implements secure transmission of data on the client side and the server side.
  • Figure 4 shows a flow chart for transferring data from the client to the server.
  • the client transmits a data packet; in step S72, the data packet is sent to the CPU (first protection device 10) connected to the client; in step S73, a basic firewall check is performed, packets found to contain invalid data are discarded (step S76), and valid data is further subjected to the packet filtering check (step S74); if the data subjected to the packet filtering check in step S74 is determined to be invalid, the packet is discarded (step S76), and data determined to be valid is transmitted to the CPU (second protection device 20) connected to the server side (step S75); further, in step S77, the received data packet is transmitted to the server side.
  • FIG. 5 shows a flow chart for transferring data from the server to the client.
  • the server sends a data packet; in step S82, the data packet is sent to the CPU (second protection device 20) connected to the server; in step S83, a basic firewall check is performed, packets found to contain invalid data are discarded (step S86), and valid data is further subjected to the packet filtering check (step S84); if the data subjected to the packet filtering check in step S84 is determined to be invalid, the packet is discarded (step S86), and data determined to be valid is transmitted to the CPU (first protection device 10) connected to the client (step S85); further, in step S87, the received data packet is transmitted to the client.
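The following is an added example written for this page, not code from the patent or its assignee. It models the two successive checks inside one protection device (the built-in firewall module's header check and the packet filtering module's application-layer content check) and the proprietary link between the two protection devices, following the Fig. 4 / Fig. 5 flow above. Everything concrete in it is an assumption: Modbus/TCP is chosen as the industrial protocol built into the packet filtering module, the link framing (magic marker, length, CRC32) is constructed since the patent does not specify its proprietary protocol, and the MAC/IP addresses and rule set are constructed.

```python
"""Two-stage filtering plus proprietary link framing (added example)."""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Header fields seen by the firewall module plus the application payload."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes


# Constructed rule set for the built-in firewall module (K1/K2 in the text):
# one permitted client, one permitted server, Modbus/TCP (port 502) only.
HEADER_RULES = {
    "allowed_src": {("00:11:22:33:44:55", "192.0.2.10")},
    "allowed_dst_ip": {"198.51.100.20"},
    "allowed_proto_port": {("tcp", 502)},
}


def firewall_check(pkt: Packet, rules=HEADER_RULES) -> bool:
    """Stage 1: link/network/transport layer check on header fields only."""
    return ((pkt.src_mac, pkt.src_ip) in rules["allowed_src"]
            and pkt.dst_ip in rules["allowed_dst_ip"]
            and (pkt.proto, pkt.dst_port) in rules["allowed_proto_port"])


# Modbus/TCP: 7-byte MBAP header (transaction id, protocol id = 0, length,
# unit id) followed by a PDU whose first byte is the function code.
MODBUS_READ_FUNCTIONS = {1, 2, 3, 4}        # read coils / inputs / registers
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16}     # write coils / registers


def modbus_content_check(payload: bytes, allow_write: bool) -> bool:
    """Stage 2: application-layer check by the packet filtering module (S1/S2).
    Well-formed reads pass; writes pass only if this direction allows them;
    malformed frames, unknown function codes and non-Modbus data are dropped."""
    if len(payload) < 8:
        return False
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return False
    function_code = payload[7]
    if function_code in MODBUS_READ_FUNCTIONS:
        return True
    if function_code in MODBUS_WRITE_FUNCTIONS:
        return allow_write
    return False


LINK_MAGIC = b"ISO1"   # constructed marker for the assumed link protocol


def link_encode(payload: bytes) -> bytes:
    """Stage 3, sending side: wrap a filtered payload for the peer device."""
    body = LINK_MAGIC + struct.pack(">H", len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def link_decode(frame: bytes) -> Optional[bytes]:
    """Stage 3, receiving side: payload, or None if the frame does not satisfy
    the link protocol (bad marker, inconsistent length, or checksum mismatch)."""
    if len(frame) < 10 or frame[:4] != LINK_MAGIC:
        return None
    (n,) = struct.unpack(">H", frame[4:6])
    if len(frame) != 6 + n + 4:
        return None
    body, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    return frame[6:6 + n]


def protection_device(pkt: Packet, allow_write: bool) -> Optional[bytes]:
    """One protection device in the Fig. 4 / Fig. 5 flow: firewall check, then
    content check (invalid data discarded, step S76/S86), then hand the payload
    to the bidirectional transmission module as a link frame (step S75/S85)."""
    if not firewall_check(pkt) or not modbus_content_check(pkt.payload, allow_write):
        return None
    return link_encode(pkt.payload)


def peer_device_receive(frame: bytes) -> Optional[bytes]:
    """The other protection device accepts only frames satisfying the link protocol."""
    return link_decode(frame)


def modbus_request(function_code: int, unit_id: int = 1, tid: int = 1) -> bytes:
    """Build a constructed Modbus/TCP request (start address 0, quantity 10)."""
    pdu = bytes([function_code]) + struct.pack(">HH", 0, 10)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    client = ("00:11:22:33:44:55", "192.0.2.10", "198.51.100.20", "tcp", 502)
    # Client -> server direction (Fig. 4): reads permitted, writes not.
    frame = protection_device(Packet(*client, modbus_request(3)), allow_write=False)
    print("read forwarded:", frame is not None and peer_device_receive(frame) is not None)
    print("write blocked:", protection_device(Packet(*client, modbus_request(16)), False) is None)
```

The `allow_write` flag stands in for the per-direction protocol configuration described above (the protocol built into S1 is set by the receiver's requirements, and likewise for S2): the same module code serves both Fig. 4 and Fig. 5 with a different policy in each device. A frame that is altered between the two devices fails `link_decode` and never reaches the receiving party, which is the extra barrier the bidirectional data transmission module provides.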
  • the above shows an isolation protection system and a method thereof for performing two-way packet filtering inspection according to the present invention.
  • the isolation protection system of the present invention adopts the "2+1" structure of the present invention, that is, a first protection device and a second protection device each capable of two-way communication with one of the communication parties, and a bidirectional data transmission module with a built-in proprietary communication protocol that controls the data interaction between the first protection device and the second protection device. The first protection device and the second protection device in the isolation protection system of the present invention run on independent hosts controlled by independent CPU processors, which ensures that when one of the hosts fails or is compromised by a virus, the other host is not affected.
  • the first protection device and the data packet filtering module in the second protection device in the isolation protection system of the present invention are for deep inspection and protocol analysis of application layer data packets, and a plurality of proprietary industrial communication protocols are built therein. It can realize the protection mode based on the built-in industrial communication protocol, and carry out in-depth inspection of data packets at the application layer to provide a unique, industrial-grade professional isolation protection solution for industrial communication. Therefore, the isolation protection system of the present invention is particularly suitable for application to secure interaction of data between an industrial field information network and a control network.

Abstract

Disclosed are an isolation protection system and a method thereof for performing bidirectional data packet filtration inspection. The isolation protection system is arranged in a communication line to subject the communication facilities of two communication parties to isolation protection, and comprises: a first protective device and a second protective device, which are used for respectively connecting to the communication facility of one of the communication parties; and a bidirectional data transmission module, which is arranged between the first protective device and the second protective device, and is used for connecting the first protective device and the second protective device, transmitting data output by the first protective device to the second protective device according to a proprietary communication protocol, and transmitting data output by the second protective device to the first protective device. The system is characterized in that: the first protective device and the second protective device have completely independent hardware structures and respectively operate in independent central processing units.

Description

Isolation protection system and method for performing bidirectional packet filtering inspection

Technical Field
The invention relates to an isolation protection system used on a communication line and a method thereof for performing bidirectional packet filtering inspection, which are arranged in a communication path (for example, between communication networks, in a gateway path, and between different communication terminals) to implement network security protection, isolation protection of the facilities of both communication parties, and bidirectional packet filtering inspection. They are especially suitable for use between the information network and the control network of an industrial site.

Background Art
Security products deployed between the information network and the control network of existing industrial sites mostly use firewall or gateway products.
The shortcoming of existing firewall technology is insufficient support for industrial communication protocols. For example, when the OPC industrial protocol is used at an industrial site, dynamic ports from 1024 to 65535 are required, so the firewall must open all ports in that range, which significantly increases the network's security risk. In addition, the firewall implements read control at the IP layer but does not support read control of the data. The firewall supports inspection of the data link layer, network layer and transport layer of a general network, but its inspection function for the application layer has certain deficiencies, and in particular its inspection function for industrial protocols is lacking.
Gateway technology first collects data from the servers of the control system network; the gateway acts as a proxy for the functions of the control system network's servers, and the clients of the MES/ERP layer then collect data through the gateway, thereby protecting the servers of the control system network. The shortcoming of gateway technology is that the gateway product has its own IP address: even when the control system network has already been configured, the clients of the MES/ERP layer still need to be reconfigured (changing the server IP and server name, registering the gateway server, and so on). In addition, the firewall function of the gateway is insufficient; because the gateway product has an IP address, it may be attacked, and when the gateway product is compromised, the risk to the devices in the control system increases.
As prior art for protecting network security, and in particular for protecting industrial site application networks, see for example Chinese patent publication CN101014048 (filing date 12 February 2007, application number 200710063822.4, title: Distributed firewall system and method for implementing firewall content detection), and the Tofino (TOFINO) industrial network security protection technology (which can be viewed at http://www.doc88.com/p-649582721525.html). The above prior art is incorporated in this application by reference as background art.
The above prior art can be summarized by the block diagram of Figure 1: a security protection device 100 is provided in the communication line between the two communicating parties (N1, N2), and its filter module F0 filters the packets travelling in both directions. The defect of the above prior art is that the firewall security filtering inspection modules of the prior art all run on a single central processing unit (CPU). In this case, if the firewall is attacked while transmitting data from one communication party to the other, then because the entire firewall runs on a single central processing unit, the entire security firewall will be damaged and unusable. Moreover, the security firewall technology of the above prior art does not perform deep inspection of data packets, for example deep inspection of the package body content, so that virus data hidden deep inside the package body may disrupt the operation of the communication facilities (N1, N2).

Summary of the Invention
The technical problem to be solved by the present invention is to provide an isolation protection system arranged in a communication line to isolate and protect the communication facilities of both communication parties, and a method thereof for performing bidirectional packet filtering inspection. The isolation protection system integrates two protection devices, one for each communication party, running on independent central processing units, and one bidirectional data transmission module that carries out bidirectional data communication between the two protection devices according to a proprietary communication protocol, so as to ensure the security of packet transmission between the communication parties while avoiding the situation in which the whole isolation protection system is damaged and rendered unusable because the central processing unit serving one communication party is attacked and compromised.
To this end, the present invention provides an isolation protection system, arranged in a communication line to isolate and protect the communication facilities of both communication parties, which comprises:
a first protection device and a second protection device, each for connecting to the communication facility of one of the communication parties;
a bidirectional data transmission module, arranged between the first protection device and the second protection device, for connecting the first protection device and the second protection device, and for transmitting data output by the first protection device to the second protection device and data output by the second protection device to the first protection device according to a proprietary communication protocol; characterized in that: the first protection device and the second protection device have completely independent hardware structures and run on separate central processing units, wherein each of the first protection device and the second protection device comprises:
a first interface, for receiving the data packets of a data stream from the communication facility of the connected communication party and outputting data from the other communication party to the connected communication facility;
a filter module, for performing a filtering check on the data stream received from the first interface and outputting data that meets the security requirements;
a second interface, for receiving the data that meets the security requirements and transmitting it to the bidirectional data transmission module; and
a transmission channel, for transmitting data from the second interface to the first interface.

The above isolation protection system of the present invention adopts the "2+1" structure of the present invention, that is, a structure comprising a first protection device and a second protection device that have completely independent hardware structures and run on separate central processing units, and a bidirectional data transmission module connected between the first protection device and the second protection device that lets the communication parties communicate according to a proprietary communication protocol, to achieve secure bidirectional data communication between the communication parties. Since the two protection devices run on independent central processing units, when one of them is attacked or physically damaged, the other is not affected. Since the two protection devices that make up the isolation protection system run on independent central processing units, each protection device can be built in a discrete manner in hardware, so that when one of them is attacked or physically damaged it can be conveniently replaced and repaired and maintained in a targeted way. In addition, since the hardware structures of the two protection devices that make up the isolation protection system are completely independent, protection devices with completely independently controlled hardware structures can be manufactured separately and their hardware then programmed according to the security requirements of the communication party or destination communication party to which each protection device is connected; compared with the prior-art firewall security filtering inspection module running on a single central processing unit, this configuration of the present invention simplifies the hardware manufacturing process as a whole while providing separate protection for the facilities of both communication parties. Furthermore, the bidirectional data communication module arranged between the two protection devices in the isolation protection system according to the present invention sets up the communication link between the two protection devices serving the communication parties according to a proprietary communication protocol; that is, a packet of the data stream that has passed one protection device must satisfy the proprietary communication protocol before it can enter the other protection device, so the bidirectional data transmission module places a further protective barrier between the two protection devices (that is, between the communication parties). Since the isolation protection system according to the present invention achieves secure bidirectional data transmission between the communication parties through the filter modules in the protection devices and the bidirectional data transmission module, it overcomes the problem in existing gateway technology that the gateway product must have its own IP address; that is, when the communication parties establish communication using the isolation protection system according to the present invention, the already configured network ends do not need to be reconfigured, and because there is no IP address, the possibility of being attacked is further reduced.
The communication facility of a communication party may be a computer, a server or another input/output device for network information.
Preferably, the data filter module may comprise a built-in firewall module for performing a basic firewall check on the data packets of the transmitted data stream and a packet filtering module for performing deep packet filtering.
The built-in firewall module may perform a header content check on the data packets of the data stream, and the packet filtering module may perform a package body content check on the data packets of the data stream.
The header content relates to the IP address, MAC address, protocol type information and port information, and the package body content relates to the communication target, communication source, communication destination, communication type and communication content.
The built-in firewall module and the packet filtering module included in each protection device of the isolation protection system of the present invention perform two successive filtering checks on the data packets of the data stream flowing through: the built-in firewall module performs a basic firewall check on the headers of the data packets, and the packet filtering module performs a deep packet filtering check on the data packets of the data stream. Further, performing the basic firewall check may comprise performing a header content check on the data packets of the data stream, and performing the deep packet filtering check may comprise performing a package body content check on the data packets of the data stream. Subjecting the data packets to two successive filtering processes within one protection device ensures the security of the data packets flowing through. In addition, since a bidirectional data transmission module is also arranged between the two protection devices, and this module provides further protection between the two protection devices according to a proprietary communication protocol, an unsafe data packet that has passed the two filtering checks performed by the built-in firewall module and the packet filtering module in one protection device still cannot pass through the bidirectional data transmission module into the other protection device if it does not satisfy the proprietary communication protocol. In other words, after passing the built-in firewall module and the packet filtering module, the further transmission of an unsafe data packet is blocked by the bidirectional data communication module, which further increases the security of data transmission between the communication parties.
Preferably, each packet filtering module has a built-in filter list supporting industrial communication protocols.
In the isolation protection system of the present invention, since the packet filtering module in each protection device can inspect the application data of industrial protocols, the network isolation protection system of the present invention fully supports industrial communication protocols, strengthens the inspection function for the application layer, and can easily be applied between the information network and the control network of an industrial site.
The present invention also provides a method for performing bidirectional packet filtering inspection using the above isolation protection system, characterized by comprising the steps of:
arranging in the communication line a first protection device and a second protection device that have completely independent hardware structures and run on separate central processing units, for the communication facilities of the respective communication parties; and
performing a filtering check on the data packets of the transmitted data stream using the filter modules arranged in the first protection device and the second protection device.
The filtering check comprises:
performing a basic firewall check on the data packets of the transmitted data stream, and
performing deep filtering on the data packets of the transmitted data stream.
Performing the basic firewall check on the data packets of the transmitted data stream comprises performing a header content check on the data packets of the data stream, and performing deep filtering on the data packets of the transmitted data stream comprises performing a package body content check on the data packets of the data stream.
The header content relates to the IP address, MAC address, protocol type information and port information, and the package body content relates to the communication target, communication source, communication destination, communication type and communication content.
The isolation protection system according to the present invention, arranged in a communication line to isolate and protect the communication facilities of both communication parties, and its method of performing bidirectional packet filtering inspection establish bidirectional data communication between the communication parties by filtering and checking data packets at the data link layer, network layer and transport layer through the built-in firewall module in the protection device and by deep filtering and checking data packets through the packet filtering module in the protection device, so that the isolation protection system and method achieve secure bidirectional data transmission for both communication parties. Moreover, since the first protection device and the second protection device serving the two communication parties in the isolation protection system according to the present invention run on central processing units independent of each other, when one protection device is attacked or physically damaged the other protection device is not affected.

Brief Description of the Drawings
The invention, together with its attendant advantages and features, will be more readily understood from the following description taken in conjunction with the accompanying drawings, in which:
Figure 1 is a schematic diagram of the principle of a prior-art security firewall product;
Figure 2 is a block diagram of the isolation protection system according to the first embodiment of the present invention;
Figure 3 is a block diagram of the isolation protection system according to the second embodiment of the present invention;
Figure 4 is a flow chart of the packet filtering inspection method performed when data is transmitted from the client to the server using the isolation protection system according to the second embodiment of the present invention; and
Figure 5 is a flow chart of the packet filtering inspection method performed when data is transmitted from the server to the client using the isolation protection system according to the second embodiment of the present invention.

Detailed Description
In order to make the content of the present invention clearer and easier to understand, specific embodiments of the present invention are described in detail below with reference to the accompanying drawings. The isolation protection system proposed by the present invention and its method of performing bidirectional packet filtering inspection are described by way of example, but the present invention is not limited to the specific form of the disclosed preferred embodiments. Those skilled in the art can modify and vary the present invention on the basis of this disclosure, and such modifications and variations also fall within the scope of protection of the present invention as defined by the claims.
The present invention addresses two problems: the security products deployed between the information network and the control network of an existing industrial site are mostly firewall or gateway products, and in the prior art the security of bidirectional data transmission can only be realized by a firewall product running on a single central processor. To solve these problems, an isolation protection system and its method of performing bidirectional packet filtering inspection are proposed. In order to achieve secure bidirectional data transmission between the two communicating parties, the isolation protection system provided by the present invention, which is arranged in the communication line to isolate and protect the communication facilities of both parties, adopts the "2+1" structure of the present invention: two protection devices, one for each communicating party, running on two mutually independent central processors, plus one bidirectional data transmission module connected between the two protection devices that controls the data transmission between them using a proprietary communication protocol. Together these establish secure bidirectional data transmission between the two communicating parties.

Because the two protection devices run on independent central processors, when the protection device for one communicating party is attacked or physically damaged, the protection device for the other party is not affected. Since the two protection devices that make up the isolation protection system run on independent central processors, each protection device can be built as a discrete unit in hardware, so that when one of them is attacked or physically damaged it can easily be removed and replaced. Furthermore, since the hardware structures of the two protection devices are completely independent, protection devices with completely independently controlled hardware structures can be manufactured separately, and each can then be programmed according to the security requirements of the communicating party it is connected to or of the destination communicating party (which mainly involves configuring the communication protocol). Compared with the prior-art firewall security filtering inspection module running on a single central processor, this configuration simplifies the hardware manufacturing process as a whole while providing separate protection for the facilities of the two communicating parties.

In addition, the bidirectional data transmission module in the isolation protection system uses a proprietary communication protocol to build the communication link between the two protection devices. That is, a data stream that has passed through one protection device must conform to the proprietary communication protocol before it can enter the other protection device, so the bidirectional data transmission module places another protective barrier between the two protection devices (that is, between the two communicating parties). This also overcomes the problem in existing gateway technology that a gateway product must have its own IP address: when data communication between networks is established using the isolation protection system according to the present invention, the already configured network ends do not need to be reconfigured, and because the system has no IP address, the possibility of its being attacked is further reduced.
The isolation protection system of the present invention is described below with reference to the accompanying drawings.
Fig. 2 shows a block diagram of an isolation protection system 1 according to a first embodiment of the present invention. The isolation protection system 1 according to the present invention may be arranged between a first communicating party N1 and a second communicating party N2 to implement secure bidirectional data communication between them. The communication facilities of the first communicating party N1 and the second communicating party N2 may be computers, servers or other network information input/output devices. As shown in Fig. 2, the isolation protection system 1 may include a first protection device 10, a second protection device 20 and a bidirectional data transmission module 4, that is, the "2+1" structure of the present invention. The first protection device 10 and the second protection device 20 perform bidirectional data communication through the bidirectional data transmission module 4. A proprietary communication protocol is built into the bidirectional data transmission module 4; it may be implemented in hardware, in software or as a combination of the two, and it establishes a security barrier between the first protection device 10 and the second protection device 20: data packets that conform to the proprietary communication protocol are passed, while data packets that do not conform to it are intercepted and blocked, which ensures secure data exchange between the first protection device 10 and the second protection device 20.
As shown in Fig. 2, the first protection device 10 includes a first interface A1 for bidirectional data communication with the first communicating party N1 and a second interface B1 for bidirectional communication with the bidirectional data transmission module 4. The first protection device 10 also includes a filtering module F1 and a transmission channel C1 that carries data packets from the second interface B1 to the first interface A1. The filtering module F1 is arranged between the first interface A1 and the second interface B1 and performs a filtering inspection on the data packets received from the first interface A1 that are to be transmitted from the first communicating party N1 to the second communicating party N2, and outputs to the second interface B1 those data packets that conform to the communication protocol built into the filtering module F1 as its security requirement. The second interface B1 outputs the data packets that have passed the filtering inspection of the filtering module F1 to the bidirectional data transmission module 4, and the bidirectional data transmission module 4 transfers the data output by the first protection device 10 through the second interface B1 to the second protection device 20 in accordance with the proprietary communication protocol.
The second protection device 20 is completely independent of the first protection device 10 in its hardware structure. The second protection device 20 includes a first interface A2 for bidirectional data communication with the second communicating party N2 and a second interface B2 for bidirectional communication with the bidirectional data transmission module 4. The second protection device 20 also includes a filtering module F2 and a transmission channel C2 that carries data packets from the second interface B2 to the first interface A2. The filtering module F2 is arranged between the first interface A2 and the second interface B2 and performs a filtering inspection on the data packets received from the first interface A2 that are to be transmitted from the second communicating party N2 to the first communicating party N1, and outputs to the second interface B2 those data packets that conform to the communication protocol built into the filtering module F2 as its security requirement. The second interface B2 outputs the data packets that have passed the filtering inspection of the filtering module F2 to the bidirectional data transmission module 4, and the bidirectional data transmission module 4 transfers the data packets output by the second protection device 20 through the second interface B2 to the first protection device 10 in accordance with the proprietary communication protocol.
The first protection device 10 and the second protection device 20 of the isolation protection system 1 according to the present invention run on a central processor CPU1 and a central processor CPU2 respectively, which are independent of each other (that is, they operate and compute independently), and each central processor has its own memory. This construction ensures that when one of the central processors is infected by a virus or physically damaged, the other central processor is not affected. The first protection device 10 and the second protection device 20, each running independently on its own central processor, perform bidirectional data transmission through the bidirectional data transmission module 4 in accordance with the proprietary communication protocol.
As can be seen from the above, the isolation protection system 1 according to the first embodiment of the present invention performs data transmission between the two communicating parties using the filtering modules arranged in the protection devices, which run on independent central processors, together with the bidirectional data transmission module arranged between the two protection devices. Therefore, when data is exchanged between networks through the isolation protection system 1, the IP addresses of the client and server sides do not need to be configured as they would be for an existing gateway product, so the system has no effect on the existing networks.
Since the security policy of the isolation protection system 1 according to the present invention is implemented by configuring the filtering modules included in the protection devices, an appropriate security policy can be set according to the security requirements of both communicating parties.
With the isolation protection system 1 according to the first embodiment of the present invention, when a data packet is to be transmitted from the first communicating party N1 to the second communicating party N2, the packet follows the path L1 shown in Fig. 2. Specifically, data from the first communicating party N1 enters the first protection device 10 through its first interface A1; inside the first protection device 10, the data packet undergoes filtering inspection by the filtering module F1; a data packet that meets the security requirements passes the filtering module F1 and enters the bidirectional data transmission module 4 through the second interface B1 of the first protection device 10; if the data packet does not conform to the proprietary communication protocol built into the bidirectional data transmission module 4, it is blocked and cannot enter the second protection device 20, whereas if it conforms to the proprietary communication protocol it passes through the bidirectional data transmission module 4 into the second protection device 20; inside the second protection device 20, the data packet is transmitted directly from the second interface B2 to the first interface A2 through the transmission channel C2, completing the packet transmission from the first communicating party N1 to the second communicating party N2. In this process, the data packet first passes the filtering inspection of the filtering module F1 in the first protection device 10 and then enters the second protection device 20 from the first protection device 10 in accordance with the proprietary communication protocol; this configuration ensures the security of the data transmitted from the first communicating party N1 to the second communicating party N2. The packet transmission from the second communicating party N2 to the first communicating party N1 follows the path L2 shown in Fig. 2, which is similar to the path L1 and is not described again here.
Compared with the prior-art firewall shown in Fig. 1, the isolation protection system 1 according to the present invention adopts the "2+1" structure of the present invention: two protection devices 10, 20, one for each communicating party, running on two mutually independent central processors and completely independent in hardware, plus a bidirectional data transmission module 4 arranged between the two protection devices 10, 20 that performs secure data exchange between them in accordance with a proprietary communication protocol, thereby implementing bidirectional data communication between the two communicating parties. Both protection devices contain a filtering module that performs filtering inspection on data packets, so the communication protocol that each filtering module applies as its security requirement can be configured according to the security requirements of the two communicating parties. In the isolation protection system 1 according to the first embodiment, the first protection device 10 and the second protection device 20 run on separate central processors, so two protection devices that are completely independent of each other in hardware can be realized; the bidirectional data transmission module 4 is arranged between the first protection device 10 and the second protection device 20 and implements secure communication between them using a proprietary communication protocol. This "2+1" structure brings many advantages in hardware implementation. For example, the first protection device 10 and the second protection device 20 can be manufactured as two mutually independent hosts, each host containing a central processor with its own memory. Each host may run a dedicated embedded Linux operating system started by a bootloader. In this way, an attack on or physical damage to one protection device does not affect the performance of the other. As another example, the first protection device 10 and the second protection device 20 can be manufactured as plug-in, that is, removable, units, and the bidirectional data transmission module 4 as a backplane with the proprietary communication protocol built in; when the two protection devices are plugged into the backplane, the isolation protection system according to the present invention for isolating and protecting the communication facilities of both communicating parties is formed. In this case, when one of the protection devices is damaged it can easily be replaced and serviced, while the other protection device is not affected at all.
An isolation protection system 2 according to a second embodiment of the present invention is described below with reference to Fig. 3. In the second embodiment shown in Fig. 3, the same reference numerals as in the first embodiment shown in Fig. 2 denote the same components, and their description is not repeated here.
The isolation protection system 2 according to the second embodiment of the present invention differs from the isolation protection system 1 of the first embodiment in that the filtering module F1 in the first protection device 10 comprises a built-in firewall module K1 and a packet filtering module S1, and the filtering module F2 in the second protection device 20 comprises a built-in firewall module K2 and a packet filtering module S2, as shown in Fig. 3. The built-in firewall module K1 performs a firewall filtering inspection on the data packets received from the first interface A1 that are to be transmitted from the first communicating party N1 to the second communicating party N2. The firewall filtering inspection may be a basic firewall check, intended to make generic network attacks ineffective. Basic firewall technology implements its defense through communication rules set on protocol, port, IP address and the like; that is, it inspects the packets flowing through it at the data link layer, network layer and transport layer, which mainly involves inspecting the packet header, and a packet that does not satisfy the communication rules is intercepted. The packet filtering module S1 performs a packet filtering inspection on the data packets that have passed the built-in firewall module K1. The packet filtering inspection differs from the firewall filtering inspection: it may be a deep filtering inspection and protocol analysis of the packets at the application layer, which mainly involves inspecting the packet body of the packets in the data stream. When the isolation protection system 2 according to the present invention is deployed between the information network and the control network of an industrial site as an industrial network security isolation system, an industrial communication protocol can be built into the packet filtering module S1 to inspect application data for conformance with that industrial communication protocol. The packet header content covers the IP address, MAC address, protocol type information and port information, while the packet body content covers the communication target, communication source, communication purpose, communication type and communication content.

The filtering module F2 in the second protection device 20 comprises a built-in firewall module K2 and a packet filtering module S2, which apply the same two inspections in the opposite direction. The built-in firewall module K2 performs the firewall filtering inspection (a basic firewall check at the data link, network and transport layers, mainly on the packet header, intercepting packets that do not satisfy the communication rules) on the data packets received from the first interface A2 that are to be transmitted from the second communicating party N2 to the first communicating party N1, and the packet filtering module S2 performs the application-layer packet filtering inspection (deep filtering inspection and protocol analysis of the packet body) on the data packets that have passed the built-in firewall module K2. Here too, when the system is deployed between the information network and the control network of an industrial site, an industrial communication protocol can be built into the packet filtering module S2 to inspect application data for conformance with that industrial communication protocol, with the packet header content and packet body content as defined above.
As can be seen from the above, both the first protection device 10 and the second protection device 20 contain a built-in firewall module and a packet filtering module that inspect data packets one after the other, and the two inspections can target different parts of the packets in the data stream: the built-in firewall module supports inspection of the data link, network and transport layers of a general network, that is, it mainly filters on the packet header, while the packet filtering module supports inspection of application-layer data, that is, it mainly filters on the packet content. Various industrial communication protocols can therefore be built into the packet filtering module to inspect application data for conformance with those industrial protocols. Since every protection device in the isolation protection system according to the present invention contains a built-in firewall module and a packet filtering module that inspect the data in sequence, the security of the data passing through can be ensured, and by presetting the desired industrial communication protocols in the packet filtering module the network security protection system of the present invention can fully support industrial communication protocols and meet the security requirements between the information network and the control network of an industrial site.
In the present invention, the built-in firewall module K1 and the built-in firewall module K2 may be identical, that is, they may provide the same basic firewall filtering inspection. The packet filtering module S1 and the packet filtering module S2 may also be identical, that is, the same communication protocol may be built into both; alternatively, different communication protocols may be built in according to the different security requirements of the first communicating party N1 and the second communicating party N2. For example, when the first communicating party N1 sends a data packet and the second communicating party N2 receives it, the communication protocol built into the packet filtering module S1 in the first protection device 10 can be set according to the security requirements of the second communicating party N2 as the receiver; when the first communicating party N1 receives and the second communicating party N2 sends, the communication protocol built into the packet filtering module S2 in the second protection device 20 can be set according to the security requirements of the first communicating party N1. In this way the security requirements of both communicating parties are satisfied.
Since the bidirectional data transmission module 4 with its built-in proprietary communication protocol is arranged between the first protection device 10 and the second protection device 20, a data packet to be transmitted from one communicating party to the other is still intercepted and blocked, and cannot reach the other communicating party, if it does not conform to the proprietary communication protocol built into the bidirectional data transmission module 4, even after it has passed the filtering inspections of the built-in firewall module and the packet filtering module in the protection device. This further increases the security of data transmission on the communication line between the two parties.
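The patent only states that the link between the two protection devices (the bidirectional data transmission module 4, realized for instance as a backplane in the first embodiment) carries a proprietary protocol and drops whatever does not conform to it. The following added example, which is not code from the patent or from the applicant, shows one way such a link protocol can be built so that a raw IP packet, a tampered frame or a replayed frame is never handed to the peer's transmission channel C. The frame layout, the "IPS1" marker, the HMAC-SHA256 key shared by the two devices, the direction codes and the monotonically increasing sequence rule are all assumptions chosen for illustration.

```python
"""Added example: a link protocol for the bidirectional data transmission
module 4 between the two protection devices.  Not code from the patent; the
frame layout, marker, key and replay rule are assumptions for illustration."""
import hashlib
import hmac
import struct

MAGIC = b"IPS1"                         # assumed frame marker
VERSION = 1
HEADER = struct.Struct(">4sBBIH")       # magic, version, direction, sequence, payload length
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag
DIR_N1_TO_N2 = 1                        # path L1 of Fig. 2
DIR_N2_TO_N1 = 2                        # path L2 of Fig. 2


class LinkError(Exception):
    """Raised for any frame that does not conform to the link protocol."""


def frame(key: bytes, direction: int, seq: int, payload: bytes) -> bytes:
    """Sender side (second interface B of the sending protection device)."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for one frame")
    header = HEADER.pack(MAGIC, VERSION, direction, seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receive state for one direction on the peer protection device."""

    def __init__(self, key: bytes, direction: int):
        self.key = key
        self.direction = direction
        self.last_seq = None

    def unframe(self, data: bytes) -> bytes:
        """Validate every field; only a fully conforming frame yields its payload."""
        if len(data) < HEADER.size + TAG_LEN:
            raise LinkError("frame too short")
        magic, version, direction, seq, plen = HEADER.unpack_from(data)
        if magic != MAGIC:
            raise LinkError("bad magic")
        if version != VERSION:
            raise LinkError("unsupported version")
        if direction != self.direction:
            raise LinkError("wrong direction")
        if len(data) != HEADER.size + plen + TAG_LEN:
            raise LinkError("length mismatch")
        body, tag = data[:HEADER.size + plen], data[HEADER.size + plen:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # authenticate before trusting seq
            raise LinkError("bad authentication tag")
        if self.last_seq is not None and seq <= self.last_seq:
            raise LinkError("replayed or reordered frame")
        self.last_seq = seq
        return data[HEADER.size:HEADER.size + plen]


def relay(receiver: Receiver, data: bytes):
    """Entry of transmission channel C: forward a conforming payload, drop anything else."""
    try:
        return ("forward", receiver.unframe(data))
    except LinkError as exc:
        return ("drop", str(exc))


if __name__ == "__main__":
    key = b"\x01" * 32                 # placeholder; a deployment provisions a per-link secret
    rx = Receiver(key, DIR_N1_TO_N2)
    good = frame(key, DIR_N1_TO_N2, 1, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a")
    print(relay(rx, good))                                 # forwarded
    print(relay(rx, good))                                 # same frame again: replay, dropped
    print(relay(rx, b"\x45\x00\x00\x3c" + bytes(56)))      # raw IPv4-looking bytes: dropped
```

The order of checks matters: the tag is verified before the sequence number is consulted, so an unauthenticated frame cannot advance the receiver's replay window. Because the link is addressed only by this framing and not by IP, there is nothing on it for a host on either network to send packets to, which is the property the description attributes to the missing IP address.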
The isolation protection system 2 according to the second embodiment of the present invention can be deployed between the information network and the control network of an industrial site to protect the control network. This is mainly because, in the isolation protection system 2, both the first protection device 10 and the second protection device 20 perform a packet filtering inspection in addition to the conventional built-in firewall filtering inspection. The proprietary communication protocols of various automation product manufacturers can be built into the packet filtering module so that industrial protocol data such as OPC and Modbus can be communicated effectively between the client and server sides, with read and write control of the data supported. All other, non-industrial data is discarded.
The method of performing bidirectional packet filtering inspection with the isolation protection system 2 of the present invention is described in detail below with reference to Fig. 3 together with Fig. 4 and Fig. 5.
For convenience of description, Fig. 4 and Fig. 5 take a client and a server as the two communicating parties to describe how the isolation protection system 2 according to the present invention implements secure transmission of data between the client side and the server side.
Fig. 4 shows a flow chart of data transmission from the client to the server. In step S71 the client sends a data packet; in step S72 the data packet is sent to the CPU connected to the client (first protection device 10); in step S73 the basic firewall check is performed, and a data packet containing invalid data is discarded (step S76) while valid data proceeds to the packet filtering check (step S74); if the data is judged invalid by the packet filtering check of step S74, the data packet is discarded (step S76), whereas data judged valid is transferred to the CPU connected to the server (second protection device 20) (step S75); finally, in step S77, the received data packet is sent to the server.
Fig. 5 shows a flow chart of data transmission from the server to the client. In step S81 the server sends a data packet; in step S82 the data packet is sent to the CPU connected to the server (second protection device 20); in step S83 the basic firewall check is performed, and a data packet containing invalid data is discarded (step S86) while valid data proceeds to the packet filtering check (step S84); if the data is judged invalid by the packet filtering check of step S84, the data packet is discarded (step S86), whereas data judged valid is transferred to the CPU connected to the client (first protection device 10) (step S85); finally, in step S87, the received data packet is sent to the client.
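The two inspections a protection device applies in steps S73 and S74 (and S83 and S84), that is, the header check of the built-in firewall module K on IP address, MAC address, protocol type and port, followed by the application-layer check of the packet filtering module S with read/write control of an industrial protocol as described for the second embodiment, are shown below as an added example in Python. It is not code from the patent or from the applicant. The Packet field names, the rule values (one allowed client, one allowed server, Modbus/TCP on port 502), the default read-only Modbus policy and the unit-id list are assumptions made for illustration; the MBAP header layout, the function codes and the 125-register read limit follow the public Modbus/TCP specification.

```python
"""Added example: the two-stage inspection of one protection device
(firewall module K: header rules; packet filtering module S: Modbus/TCP
application-layer policy).  Not code from the patent; the rule values,
field names and the Modbus policy are assumptions for illustration."""
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    """Simplified view of one frame as first interface A receives it."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" / "udp"
    dst_port: int
    payload: bytes  # TCP payload, here a Modbus/TCP ADU


# Stage 1 (built-in firewall module): header allow-list on MAC, IP, protocol, port.
# Constructed policy: one information-network client, one control-network server.
HEADER_RULES = {
    "src_mac": {"00:11:22:33:44:55"},
    "src_ip": {"192.168.10.20"},
    "dst_ip": {"10.0.0.5"},
    "proto": {"tcp"},
    "dst_port": {502},
}


def firewall_check(pkt: Packet, rules=HEADER_RULES):
    """Header-only inspection; returns None if allowed, else the reason."""
    for field, allowed in rules.items():
        if getattr(pkt, field) not in allowed:
            return f"{field} not allowed"
    return None


# Stage 2 (packet filtering module): parse the Modbus/TCP ADU and enforce a
# function-code / quantity / unit-id policy, i.e. read/write control.
MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id
READ_FUNCS = {1, 2, 3, 4}       # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16}    # write single/multiple coils/registers
MAX_QUANTITY = 125              # Modbus limit for one register read


def parse_modbus(adu: bytes):
    """Return (unit_id, function_code, data) or raise ValueError."""
    if len(adu) < MBAP.size + 1:
        raise ValueError("ADU too short")
    _tid, pid, length, unit = MBAP.unpack_from(adu)
    if pid != 0:
        raise ValueError("protocol id must be 0")
    if length != len(adu) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match ADU size")
    return unit, adu[MBAP.size], adu[MBAP.size + 1:]


def modbus_policy_check(adu: bytes, allow_write=False, allowed_units=frozenset({1})):
    """Body inspection; returns None if the request is acceptable, else the reason."""
    try:
        unit, func, data = parse_modbus(adu)
    except ValueError as exc:
        return f"malformed Modbus ADU: {exc}"
    if unit not in allowed_units:
        return f"unit id {unit} not allowed"
    if func in READ_FUNCS:
        if len(data) != 4:
            return "bad read request length"
        _addr, qty = struct.unpack(">HH", data)
        if not 1 <= qty <= MAX_QUANTITY:
            return f"read quantity {qty} out of range"
        return None
    if func in WRITE_FUNCS:
        return None if allow_write else f"write function {func} blocked (read-only policy)"
    return f"function code {func} not allowed"


def inspect(pkt: Packet, allow_write=False):
    """Steps S73/S74: header check, then body check; drop on the first failure."""
    reason = firewall_check(pkt)
    if reason:
        return ("drop", "firewall: " + reason)
    reason = modbus_policy_check(pkt.payload, allow_write)
    if reason:
        return ("drop", "packet-filter: " + reason)
    return ("pass", None)


def modbus_request(func: int, addr: int, value: int, tid=1, unit=1) -> bytes:
    """Build a request ADU whose PDU is function code + two 16-bit fields."""
    pdu = struct.pack(">BHH", func, addr, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def client_packet(payload: bytes, dst_port=502) -> Packet:
    """Constructed packet from the allowed information-network client."""
    return Packet("00:11:22:33:44:55", "192.168.10.20", "10.0.0.5", "tcp", dst_port, payload)


if __name__ == "__main__":
    print(inspect(client_packet(modbus_request(3, 0, 10))))       # read 10 holding registers
    print(inspect(client_packet(modbus_request(6, 0, 1))))        # write single register
    print(inspect(client_packet(modbus_request(3, 0, 10), 80)))   # wrong port
```

Because a packet fails closed at the first stage that rejects it, the header allow-list keeps the cost of the application-layer parser away from traffic that should never reach it, and the function-code policy is where the per-party security requirement of the description is expressed: the device protecting the server side can run with allow_write=False while the device protecting the client side accepts write responses, or both can be configured identically.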
The above describes the isolation protection system according to the present invention and its method of performing bidirectional packet filtering inspection. The isolation protection system of the present invention adopts the "2+1" structure of the present invention: a first protection device and a second protection device, each communicating bidirectionally with one of the communicating parties, and, between them, a bidirectional data transmission module with a built-in proprietary communication protocol that controls the data exchange between the first protection device and the second protection device. It is characterized in that the first protection device and the second protection device run on mutually independent hosts controlled by mutually independent CPUs, which ensures that when one host fails or is infected by a virus the other host is not affected. In addition, the packet filtering modules in the first protection device and the second protection device perform deep inspection and protocol analysis of application-layer data packets; by building various proprietary industrial communication protocols into them, a protection mode based on built-in industrial communication protocols can be realized, with deep inspection of data packets at the application layer, providing a distinctive, industrial-grade isolation protection solution for industrial communication. The isolation protection system of the present invention is therefore particularly suited to secure data exchange between the information network and the control network of an industrial site.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it; although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims

1. An isolation protection system, arranged in a communication line to provide isolation protection for the communication facilities of both communicating parties, comprising:
a first protection device (10) and a second protection device (20), each for connecting to the communication facility of one of the communicating parties;
a bidirectional data transmission module (4), arranged between the first protection device (10) and the second protection device (20), for connecting the first protection device (10) and the second protection device (20), and for transmitting, according to a proprietary communication protocol, data output by the first protection device (10) to the second protection device (20) and data output by the second protection device (20) to the first protection device (10); characterized in that:
the first protection device (10) and the second protection device (20) have completely independent hardware structures and run on separate central processing units (CPU1, CPU2) respectively, wherein each of the first protection device (10) and the second protection device (20) comprises:
a first interface (A1, A2) for receiving packets of a data stream from the communication facility of the connected communicating party and for outputting data from the other communicating party to the connected communication facility;
a filtering module (F1, F2) for performing a filtering check on the data stream received from the first interface (A1, A2) and outputting data that meets the security requirements;
a second interface (B1, B2) for receiving said data that meets the security requirements and transmitting it to the bidirectional data transmission module (4); and
a transmission channel (C1, C2) for transmitting data from the second interface (B2, B1) to the first interface (A1, A2).
2. The isolation protection system according to claim 1, wherein the communication facility of the communicating party is a computer, a server or another input/output device for network information.
3. The isolation protection system according to claim 1, wherein the filtering modules (F1, F2) each comprise a built-in firewall module (K1, K2) for performing a basic firewall check on packets of the transmitted data stream and a packet filtering module (S1, S2) for performing deep packet filtering.
4. The isolation protection system according to claim 3, wherein the built-in firewall module (K1, K2) performs a packet header content check on packets of the data stream, and the packet filtering module (S1, S2) performs a packet body content check on packets of the data stream.
5. The isolation protection system according to claim 4, wherein the header content relates to IP address, MAC address, protocol type information and port information, and the body content relates to communication target, communication source, communication purpose, communication type and communication content.
6. The isolation protection system according to claim 1, wherein the packet filtering modules (S1, S2) each have a built-in filter list supporting industrial communication protocols.
7. A method of performing a bidirectional packet filtering check using the isolation protection system according to claim 1, characterized by comprising the steps of:
arranging in the communication line a first protection device (10) and a second protection device (20) having completely independent hardware structures and running on separate central processing units (CPU1, CPU2) respectively, for the communication facilities of the two communicating parties respectively; and
performing a filtering check on packets of the transmitted data stream using the filtering modules (F1, F2) provided in the first protection device (10) and the second protection device (20).
8. The method according to claim 7, wherein the filtering check comprises:
performing a basic firewall check on packets of the transmitted data stream, and
performing deep packet filtering on packets of the transmitted data stream.
9. The method according to claim 8, wherein
performing a basic firewall check on packets of the transmitted data stream comprises performing a packet header content check on packets of the data stream, and
performing deep packet filtering on packets of the transmitted data stream comprises performing a packet body content check on packets of the data stream.
10. The method according to claim 9, wherein the header content relates to IP address, MAC address, protocol type information and port information, and the body content relates to communication target, communication source, communication purpose, communication type and communication content.
PCT/CN2014/071101 2013-01-22 2014-01-22 Isolation protection system and method thereof for performing bidirectional data packet filtration inspection WO2014114232A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2015552998A JP6269683B2 (en) 2013-01-22 2014-01-22 Quarantine protection system and method it performs bi-directional packet filtering inspection

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310023542.6 2013-01-22
CN201310023542.6A CN103944865B (en) 2013-01-22 2013-01-22 Insulation blocking system and its method for executing bi-directional data packet filtering inspection

Publications (1)

Publication Number Publication Date
WO2014114232A1 true WO2014114232A1 (en) 2014-07-31

Family

ID=51192352

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/071101 WO2014114232A1 (en) 2013-01-22 2014-01-22 Isolation protection system and method thereof for performing bidirectional data packet filtration inspection

Country Status (3)

Country Link
JP (1) JP6269683B2 (en)
CN (1) CN103944865B (en)
WO (1) WO2014114232A1 (en)

Also Published As

Publication number Publication date
CN103944865B (en) 2018-11-27
JP2016507979A (en) 2016-03-10
CN103944865A (en) 2014-07-23
JP6269683B2 (en) 2018-01-31


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14743365

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2015552998

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14743365

Country of ref document: EP

Kind code of ref document: A1