WO2022174509A1 - Method for designing firewall - Google Patents

Method for designing firewall

Info

Publication number
WO2022174509A1
Authority
WO
WIPO (PCT)
Prior art keywords
module
data
network
firewall
security
Prior art date
Application number
PCT/CN2021/086347
Other languages
French (fr)
Chinese (zh)
Inventor
黄策
Original Assignee
黄策

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • The present invention relates to a method for designing a firewall.
  • Firewalls are standard components of any network application system today.
  • In any network application system, the firewall, like the server, is a necessary standard component.
  • A firewall divides the network system of a network application system into an internal network and an external network.
  • Firewalls have become more and more powerful since their appearance, and they can resist more and more viruses, but their basic architecture (hardware, operating system, and anti-virus application system) has not changed. In the offensive and defensive battle of network security, this structure is showing its fatigue. Although the firewall can defend against more and more viruses, the security protection it is supposed to provide is getting weaker and weaker.
  • Ransomware cases keep being exposed. The targets have gradually shifted from attacking personal computers and extorting individuals to attacking the network systems of enterprises and organizations and extorting legal persons.
  • The ransom demanded has risen from less than 1 Bitcoin at first (that is, hundreds to thousands of dollars) to, now, often millions or even tens of millions of euros, and many victim enterprises ultimately have to pay a hefty ransom.
  • The present invention provides a new method for designing a firewall.
  • The method is divided into the following design blocks:
  • Design block 1: design two functional modules, namely the transceiver module (module 1), connected to the external network, which performs data receiving/transmitting, and the processing module (module 2), connected to the internal network, which performs data processing.
  • The two modules are connected by a data channel.
  • Design block 2: design two data-processing business processes according to the direction in which the data flows.
  • The two data-processing business processes are: the data input process (process 1), in which data flows from the external network to the internal network; and the data output process (process 2), in which data flows from the internal network to the external network.
  • Design block 3: according to the needs of security protection and of the data input/output processes, design the number of data channels between module 1 and module 2 and the technical solution used for data communication over them.
  • Design block 4: according to the needs of security protection and of the data input/output processes, design the number of data channels connecting module 1 to the external network and the technical solution used for data communication over them.
  • Design block 5: according to the needs of security protection and of the data input/output processes, design the number of data channels connecting module 2 to the intranet and the technical solution used for data communication over them.
  • Module 2 has two basic types: simple module 2-1 and simple module 2-2.
  • Simple module 2-1 consists of a CPU and a RAM managed solely by that CPU; the CPU runs without an operating system, and the module has two data channels.
  • Simple module 2-2 consists of a CPU and a RAM managed solely by that CPU; the CPU runs without an operating system, and the module has at least three data channels.
  • Mode 1: a matrix of simple modules 2, composed of two or more simple modules 2 connected in series and/or in parallel. If a simple module 2-2 is present in the module 2 matrix, at least one of its data channels is connected to neither the external network nor the internal network.
  • Mode 2: a data-processing terminal matrix consisting of two or more simple modules 2 and one or more information terminals that run an operating system.
  • The simple module 2 sits between the information terminal running the operating system and the external or internal network, so that none of the operating-system terminals in the matrix has a directly connected data channel to the internal network or the external network.
  • The data input process (process 1) consists of two sub-processes, located on module 1 and module 2 respectively:
  • Process 1-1: module 1 receives data input from the external network and transmits the received data to module 2 through the data channel between module 1 and module 2.
  • Process 1-2: module 2 processes the received data; the processed data is either discarded or sent to the intranet.
  • The data output process (process 2) consists of two sub-processes, located on module 1 and module 2 respectively:
  • Process 2-1: module 2 receives data from the intranet and processes it; the processed data is either discarded or transmitted to module 1 through the data channel between module 1 and module 2.
  • Process 2-2: module 1 sends the received data to the external network.
  • The processing in process 1 and process 2 includes, but is not limited to, data insertion, deletion, splitting, reorganization, checking, verification, encryption, and decryption for security purposes.
  • The data channel between module 1 and module 2 includes, but is not limited to, a parallel data bus and a serial data bus.
  • To achieve the best security for data transmission between firewalls designed by the method, several preferred design principles for module 1 are:
  • Module 1 has at least two data channels to the external network. In principle, the more data channels there are between module 1 and the external network, the higher the engineering cost for an attacker to obtain or intercept the transmitted data, the stronger the confidentiality of the transmission, and the better the firewall protects the transmitted data.
  • When module 1 has two or more data channels to the external network, at least two different communication methods are used.
  • For example, one data channel uses the mobile Internet, and another channel uses a short message (SMS) channel or a voice channel.
  • The Beidou SMS channel is the most secure data channel currently obtainable.
  • When module 1 has two or more data channels to the external network, it is preferred to lease communication lines from different communication operators. For example, for a firewall with two fixed-network data channels, lease one fixed line from China Mobile and one from China Unicom. An attacker who wants to intercept the communication data or mount a man-in-the-middle attack must then break into both operators' networks at the same time and locate exactly these two lines, which undoubtedly increases the attacker's difficulty.
  • The present invention is a brand-new firewall design method. Compared with a traditional firewall, a firewall designed by this method has the following advantages:
  • A traditional firewall can only provide limited security protection for the server side of a network application system. Because of budget constraints on network security projects, the network security owner cannot protect the entire network at the same security strength.
  • A firewall designed by the method can provide whole-network security protection, at the same security level, for any network application system, covering both the server end and the user end.
  • A traditional firewall cannot effectively segment the intranet, so any data terminal on the intranet is an injection point for virus attacks.
  • A firewall designed by the method can effectively segment the intranet and provide each resulting sub-network with security protection at a different security level. The single-point virus injection and whole-network compromise seen under traditional firewalls become a thing of the past, and the "micro-network" security concept popular in the past two years becomes a genuinely feasible technical solution.
  • A traditional firewall has no clear and definite security boundary between the internal and external networks, because of the inevitable security loopholes in its operating system and anti-virus application system.
  • A firewall designed by the method establishes a clear and definite security boundary between the internal and external networks. A virus that invades module 1 or the intranet sees only data black holes, one after another, that it can neither invade nor detect. A virus that invades the intranet cannot transmit even one bit of data to the extranet without the help of an insider.
  • A firewall designed by the method can apply a unique-verification data security inspection strategy to the data entering and leaving the firewall. This completely does away with the exhaustive detection method used by traditional firewalls and its inherent dependence on large storage and computing power. The cost of the firewall is therefore greatly reduced, and the miniaturization and micro-miniaturization of firewalls designed by the method become technically possible.
  • Figure 1: Schematic diagram of the network system structure under traditional firewall protection.
  • Figure 2: Schematic diagram of the structure of a network application system protected by the new firewall under the method.
  • Figure 3: Schematic diagram of the structure of the simple module 2-1.
  • Figure 4: Schematic diagram of the structure of the simple module 2-2.
  • Figure 5: Schematic diagram of a new firewall structure with one internal network connection channel and two external network connection channels.
  • Figure 6: Schematic diagram of a new firewall structure with one internal network connection channel and one external network connection channel.
  • Figure 7: Schematic diagram of a new firewall structure that provides security protection for servers.
  • Figure 8: Schematic diagram of the structure of an IoT terminal based on the mobile Internet of Things.
  • Figure 9: Schematic diagram of a new firewall structure that provides security protection for unattended IoT terminals.
  • Figure 10: Schematic diagram of a new firewall structure that provides security protection for manned IoT terminals.
  • FIG. 1 is a schematic diagram of a network system structure under traditional firewall protection.
  • The firewall divides the entire network system into two parts: the internal network and the external network.
  • Because of the security loopholes in the firewall's operating system, there is no clear and definite boundary between the external network and the internal network.
  • FIG. 2 is a schematic diagram of the structure of a network application system protected by the new firewall under the method.
  • The figure shows: 1) new firewall 1 effectively separates the internal network from the external network; 2) new firewall 2 effectively separates the server from the intranet; 3) new firewall 3 and new firewall n provide security protection for external network terminal 1 and external network terminal n respectively.
  • The described design method provides a feasible technical solution for realizing "micro-network" security.
  • The network security owner can, for example, ask Zhang San's team to build version 1.0 of his firewall system, and then ask Li Si's team to rework new firewall 2 without changing the communication data format between firewall 2's intranet side and the server. In this way the trust risk of Zhang San's team is completely avoided. At the same time, because Li Si's team cannot fully understand the data structure of the whole firewall, the trust risk of Li Si's team is also effectively shielded. After the upgrade is completed, the network security owner can be sure that new firewall 2 will not be invaded as long as the installation site of firewall 2 is kept free of outsiders.
  • Figure 3 and Figure 4 are schematic diagrams of the structures of the simple module 2-1 and the simple module 2-2, respectively.
  • The simple module 2-2 shown in Figure 4 has three data channels.
  • FIG. 5 is a schematic diagram of the structure of a new firewall with one internal network connection channel and two external network connection channels.
  • Its module 2 is a simple module 2 matrix composed, according to mode 1, of one simple module 2-1 and one simple module 2-2 with four data channels.
  • CPU1 is connected to a keyboard. This keyboard is used to input working parameters to CPU1 and CPU2.
  • The module 2 matrix shown in FIG. 5 is the simplest module 2 matrix connected according to mode 1.
  • The network security owner can use mode 1 to form a more complex and efficient module 2 matrix.
  • FIG. 6 is a schematic diagram of the structure of a new firewall with one intranet connection channel and one extranet connection channel.
  • Module 1 is composed of two simple modules 2-1 sandwiching a computer (that is, connected according to mode 2). This structure ensures that there is no direct data channel between the computer and either the external network or the internal network. The security loopholes that necessarily exist in the computer's operating system and application system are thus effectively isolated from the external and internal networks.
  • The module 2 matrix shown in FIG. 6 is the simplest module 2 matrix connected according to mode 2.
  • Network security owners can use mode 2 to form a more complex and efficient module 2 matrix.
  • The structures shown in Figure 5 and Figure 6 enable network security owners to: 1) effectively shield every connection to the security loopholes in the operating systems and application systems of all intranet and extranet network devices, which effectively resists network attacks that exploit these holes; 2) effectively shield the trust loopholes of the firewall development team.
  • When network security owners choose a firewall development team, they need only consider whether the team's development capability matches the firewall's development needs, and not the trustworthiness of the team at all.
  • Considering the trustworthiness of the firewall development team is the first priority when building a security protection system with the old firewall as its core security component.
  • FIG. 7 is a schematic diagram of the structure of a new firewall that provides security protection for servers.
  • The firewall shown in the figure has one internal network data channel, four external network data channels, and one firewall control channel.
  • The No. 3 module 2, which uses a mobile network communication module as its communication component, provides two data channels: a mobile data channel (the so-called traffic channel) and a short message channel.
  • The keyboard is the firewall control channel. Authorized personnel use the keyboard to input the working parameters of the new firewall, for the data transmitted from the internal network to the external network and for the data transmitted from the external network to the internal network.
  • All network attacks take the exploitation of security loopholes in the network system to intercept the communication data between networks as their starting point. In other words, effectively preventing the interception of communication data effectively prevents network attacks that exploit security holes in the operating system and application system.
  • The multiple data channels of the new firewall can easily defeat all current network attacks that rely on intercepting data. Take the simplest case of two data channels (the data channels of No. 1 module 1 and No. 2 module 1) as an example: as long as the network security owner connects No. 1 module 1 to the network run by operator A and No. 2 module 1 to the network run by operator B, all current schemes for intercepting data are defeated.
  • Artificial data channels and China's Beidou SMS data channel can basically be regarded as absolutely secure data channels. As for the Beidou SMS data channel in particular, I believe no commercial organization dares to attack it, not even to intercept it.
  • The detection strategy adopted by current firewalls is the exhaustive method: when inspecting data, the firewall must rule out every possible virus characteristic before releasing the inspected data. In engineering practice, this strategy inherently brings two security vulnerabilities:
  • Vulnerability 1: the inspection the firewall performs on data entering and leaving it must be completed within a limited time, so implementing the exhaustive-detection security policy requires the support of strong computing power and storage capacity.
  • Acquiring large computing power and storage capacity requires a network security owner with a strong construction budget for the network security project. In fact, no budget, however strong, can support the endless demand for computing and storage.
  • The limited budget dictates that only limited computing power and storage capacity can serve as the basis of the whole network security project. This makes any network security project built around a current firewall a gold-swallowing beast with security loopholes from the day construction begins. As time passes, security loopholes keep being discovered, and they inevitably swallow a large share of the network security construction budget.
  • The demand for powerful computing power and storage capacity leaves the miniaturization and micro-miniaturization of firewalls without a technical basis. As a result, the "micro-network" security defense concept popular in the past two years has remained confined to technical discussion.
  • The new firewall adopts a unique-verification data inspection strategy: only data that matches the unique inspection characteristics can pass through the new firewall.
  • This technical feature means: 1) the new firewall's demand for computing power and storage capacity is greatly reduced, to one ten-thousandth or one hundred-thousandth of that of a current firewall. This frees network security owners entirely from the constraints of the network security project budget, letting them install new firewalls wherever they wish; the "micro-network" security defense concept that began to be hotly hyped two years ago thus gains technical and financial support and becomes a reality. 2) Building the new firewall naturally frees the network security owner from "trust" dependence on the firewall construction team, which technically guarantees the establishment of a "zero trust" network security mechanism.
  • FIG. 8 is a schematic diagram of the structure of an IoT terminal based on the mobile Internet of Things. This structure can represent all IoT terminals.
  • The Internet of Things is recognized by the industry as the application pool of the next generation of popular network applications. What is frustrating is that existing network security technology is completely unable to meet the network security expectations of future IoT applications: with existing attack technology, any IoT application system built with existing network security technology can be broken in minutes. Such an attack is not a question of whether it is technically "feasible" or "infeasible" for the attacker, but of "profit" and "loss" on the attacker's financial statement. Looking ahead to future security technology built on the same technical basis as existing network security technology, the outlook is just as depressing. The Energy Infrastructure Security Act, deliberated and passed by the U.S. Senate on June 28, 2019, fully illustrates this point.
  • FIG. 9 is a schematic diagram of the structure of a new firewall that provides security protection for unattended IoT terminals.
  • CPU 1, its connected RAM, and mobile network communication module 2 constitute the new firewall of the present invention.
  • The number one problem attackers face is then not whether their attack technology is adequate, but how to make sure the attack comes out as a "profit" on their financial statement.
  • FIG. 10 is a schematic diagram of the structure of a new firewall that provides security protection for manned IoT terminals.
  • CPU1, together with the RAM and keyboard connected to it, constitutes the new firewall of the present invention.
  • The working parameters required by the new firewall are input to CPU1 by the on-duty personnel through the keyboard.
  • Firewalls between servers, or between subnets within the intranet:
  • A new firewall with the structure of Figure 7 can serve as a firewall between servers, regardless of whether those servers are connected through the internal network or the external network.
  • The five data channels between two such new firewalls are sufficient to meet the anti-interception needs of most high-strength data transmissions.
  • The extremely low engineering cost (a firewall with the structure of Figure 7 costs, at minimum, the price of one computer, 3-4 thousand yuan) makes arbitrary sub-segmentation of the intranet possible.
  • Take a company intranet of 1,000 employees as an example: 20 new firewalls with the structure of Figure 7 cost a total budget of only 100,000 yuan, and these 20 new firewalls are enough to form at least three lines of defense, protecting the core IT equipment, such as the core data servers and the office computers of important departments and employees, airtight.
  • With a budget of 100,000 yuan, it is otherwise difficult to build a secure network system that can satisfy a head office of thousands of people.
  • The network security owner can use the method described in the patent "A Data Packaging Method" (Patent Application No. 2019102326268) to package the data that passes through the firewall with the structure of Figure 7.
  • When data packaged according to that method passes through CPU2, CPU3, and CPU4 in FIG. 7, any malicious code injected into the communication data by breaching the communication protocol, by any technical means present or future, can be found.
  • This security feature complies with the security requirement in Dengbao 2.0 that the communication port of an IoT terminal must be able to resist malicious code injection attacks.
  • The IoT terminal shown in FIG. 9 and the firewall shown in FIG. 7 together constitute an unattended IoT application system protected by the firewall of the present invention.
  • The firewall on the IoT terminal side can be built from the "xxx8x8k64x" single-chip microcomputer of "xx technology" and the cheapest GSM module available (as long as it can send and receive short messages).
  • The BOM cost of the entire firewall is 3.x yuan for the single-chip microcomputer and no more than 25 yuan for the GSM module.
  • The BOM cost of a new firewall is less than 30,000 yuan, which puts no pressure on the budget at all.
  • The xxx8x8k64x microcontroller has an 8051-compatible ("51") core; its other technical parameters are 64K of Flash program memory, 8K of on-chip extended SRAM, and 4 standard serial ports. These parameters meet the needs of most IoT terminals for building a firewall.
  • The IoT terminal shown in FIG. 10 and the firewall shown in FIG. 7 together constitute a manned IoT application system protected by the security mechanism of the present invention.
  • The firewall on the IoT terminal side can use the "xxx8x8k64x" single-chip microcomputer of "xx technology".
  • The BOM cost of the entire firewall is 3.x yuan for the single-chip microcomputer and no more than 25 yuan for the keyboard and display.
  • The BOM cost of the firewall is less than 30,000 yuan, which puts no pressure on the budget at all.
  • The attended IoT terminal in this embodiment fully complies with the technical requirements for security defense of the Energy Infrastructure Security Act, deliberated and passed by the U.S. Senate on June 28, 2019.
  • Any network security owner faces two difficult choices: 1) how large a network security project budget to allocate in a network application system? Too little, and the application system is effectively "streaking"; too much, and the budget cannot support it. 2)
  • The firewall design method of the present invention can effectively solve, for network security owners, and especially for those in the early stage of a start-up, the problems of a tight budget and of "trust" dependence on the network security construction team in that early stage.
  • A firewall with the structure shown in Figure 5 (budget under 500 yuan) or Figure 6 (budget under 2-3,000 yuan) can be used as the firewall of the initial verification system.
  • Once the system is stable and the number of terminals grows, consider adopting a firewall with the structure shown in Figure 7 (budget from 4,000-5,000 to tens of thousands of yuan) as an upgrade of the verification structure shown in Figure 5 or 6.
  • The upgrades include, but are not limited to, expanding CPU1 into CPU1-1, CPU1-2, ... CPU1-n in the structure of FIG.
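The following simulation of process 1 and process 2 across module 1 and module 2 is an added example, not code from the patent: module 1 reassembles a frame whose bytes were split across two external channels (one per leased operator line), and module 2 applies a unique-verification check that passes only a frame matching the single expected format with a valid keyed MAC, discarding everything else without trying to recognise "bad" data. HMAC-SHA256 as the verification primitive, the frame layout, and byte interleaving as the "splitting" and "reorganization" step are assumptions; the patent specifies none of them.

```python
"""Simulation of the new firewall's process 1 and process 2 (added example).

module 1: transceiver with two external channels (operator A, operator B)
module 2: processor applying "unique verification": only a frame that matches
          the single expected format and carries a valid keyed MAC passes;
          anything else is discarded.
Assumptions (not from the patent): HMAC-SHA256 as the verification primitive,
the frame layout, and byte interleaving as the "splitting"/"reorganization".
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

KEY = b"constructed-shared-key"  # constructed; would be entered via the keyboard channel
MAX_PAYLOAD = 256                # accepted frame format: 2-byte length || payload || MAC
MAC_LEN = 16


def package(payload: bytes) -> bytes:
    """Process 2-1 (module 2): wrap intranet data in the expected frame format."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for the frame format")
    header = struct.pack(">H", len(payload))
    mac = hmac.new(KEY, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + mac


def split_across_channels(frame: bytes) -> Tuple[bytes, bytes]:
    """Process 2-2 (module 1): interleave bytes so that neither operator's line
    alone carries a complete frame (even-index bytes to A, odd-index bytes to B)."""
    return frame[0::2], frame[1::2]


def reassemble(part_a: bytes, part_b: bytes) -> bytes:
    """Process 1-1 (module 1): merge the two channel parts back into one frame."""
    out = bytearray()
    for i in range(max(len(part_a), len(part_b))):
        if i < len(part_a):
            out.append(part_a[i])
        if i < len(part_b):
            out.append(part_b[i])
    return bytes(out)


def unique_verify(frame: bytes) -> Optional[bytes]:
    """Process 1-2 (module 2): accept the frame only if it is exactly what is
    expected. Returns the payload, or None to signal "discard"."""
    if len(frame) < 2 + MAC_LEN:
        return None
    (length,) = struct.unpack(">H", frame[:2])
    if length > MAX_PAYLOAD or len(frame) != 2 + length + MAC_LEN:
        return None                      # wrong shape: discard, no further parsing
    body, mac = frame[:2 + length], frame[2 + length:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None                      # unauthenticated or modified: discard
    return body[2:]


def process_2(intranet_data: bytes) -> Tuple[bytes, bytes]:
    """Internal -> external: module 2 packages, module 1 sends one part per operator."""
    return split_across_channels(package(intranet_data))


def process_1(channel_a: bytes, channel_b: bytes) -> Optional[bytes]:
    """External -> internal: module 1 reassembles, module 2 verifies or discards."""
    return unique_verify(reassemble(channel_a, channel_b))


if __name__ == "__main__":
    msg = b"meter reading 42"            # constructed sample intranet data
    a, b = process_2(msg)
    print("operator A line carries:", a.hex())   # half the bytes: not a parsable frame
    print("operator B line carries:", b.hex())
    print("delivered to intranet:", process_1(a, b))
    # one bit flipped on line B (a modified relay): module 2 discards the frame
    b_bad = bytes([b[0] ^ 0x01]) + b[1:]
    print("modified frame delivered:", process_1(a, b_bad))
    # a frame of the right shape but without the key: also discarded
    forged = b"\x00\x05hello" + b"\x00" * MAC_LEN
    print("unkeyed frame delivered:", unique_verify(forged))
```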

Abstract

The present application discloses a novel method for designing a firewall. Said method comprises: designing a data transceiver module 1 which is connected to an external network and completes a data receiving/sending function, and a data processing module 2 which is connected to an internal network and completes a data processing function; designing, according to a transmission direction of a data stream, a data input service flow in which the data stream is transmitted from the external network to the internal network and a data output service flow in which the data stream is transmitted from the internal network to the external network; and designing, according to the needs of security protection and the needs of data stream input/output service flow, the number of data channels between the module 1 and the module 2, between the module 1 and the external network, and between the module 2 and the internal network, and a technical solution of data communication to be used. The firewall designed by using the method can provide security protection of the whole network, effectively partition the internal network, and provide security protection of different security levels for sub-internal networks after partition.

Description

A Method for Designing a Firewall

Technical Field

The present invention relates to a method for designing a firewall.

Background Art
Firewalls are standard components of any network application system today. In any network application system, the firewall, like the server, is a necessary standard component. A firewall divides the network system of a network application system into an internal network and an external network.
Firewalls have become more and more powerful since their appearance, and they can resist more and more viruses, but their basic architecture (hardware, operating system, and anti-virus application system) has not changed at all. In the offensive and defensive battle of network security, this structure is showing its fatigue. Although the firewall can defend against more and more viruses, the security protection it is supposed to provide is getting weaker and weaker.
Take the ransomware that appeared two or three years ago as an example. On the one hand, people see numerous domestic and foreign network security companies offering professional security services and constantly claiming how well their products can detect and kill all manner of known and future ransomware; on the other hand, people see a steady stream of ransomware cases being exposed. The targets have shifted from attacking individuals' computers and extorting individuals to attacking the network systems of enterprises and organizations and extorting legal persons, and the ransom has risen from less than 1 Bitcoin at first (that is, hundreds to thousands of dollars) to, now, frequently millions or even tens of millions of euros, with many victim enterprises ultimately having to settle by paying a hefty ransom.
Countless network security incidents all point to a cruel reality: the firewall, this ancient security component, will play an ever weaker security role today and in the future. The "zero trust network" concept currently hyped in the industry is in fact the most blunt indirect negation of the firewall.
Since June 2019, China has successively promulgated and implemented "Computer Classified Protection Version 2.0" (known in the industry as "Dengbao 2.0"). Compared with the previously implemented Dengbao 1.0, its biggest change is that the scope of security protection for network applications has expanded from the intranet behind the firewall under the Dengbao 1.0 rules to both the intranet and the extranet under the Dengbao 2.0 rules.
In "Recommendation 2" of its report "The 5G Ecosystem: Risks & Opportunities for DoD", released in April 2019, the U.S. Defense Innovation Board states plainly that "the perimeter defense model has been proven to be ineffective".
These two national actions by China and the United States in 2019 sounded the death knell for, and put an end to, the perimeter defense model that for many years took the firewall as the most important security defense component, artificially split the whole network system into an intranet and an extranet, and tried to block attacks outside the firewall.
究其原因,主要就是防火墙所能起到的安全防护功能越来越弱。这一点从无数的网络安全事件上,得以充分的证明。特别是最近几年大火且被业内公认为下一个网络应用风口的物联网应用上,发生的越来越多的安全事件,更是说明外围防御模型的天然局限型。造成这一局面,无外乎以下几个主要原因:The reason is that the security protection function that the firewall can play is getting weaker and weaker. This has been fully proved from countless network security incidents. Especially in the Internet of Things applications, which have become popular in recent years and are recognized by the industry as the next network application outlet, more and more security incidents have occurred, which shows the natural limitation of the perimeter defense model. There are several main reasons for this situation:
原因1:现在的防火墙产品,全都是采用“硬件、操作系统、防病毒的应用系统”的标准架构。在操作系统、防病毒的应用系统天然具有的安全漏洞的情况下,这种架构的防火墙,天然就有安全漏洞,且根本就无法保证其自身的安全性。而令人担忧的是,随着时间的推移、操作系统功能的越来越强大和繁复、防火墙的安全功能的越来越多,这些天然具备的安全漏洞数量,不是在减少,而是在增加。而随时间线的延长,必然出现越来越多的安全漏洞,这就使得防火墙的安全作用越来越弱。而且从理论上讲,运行于操作系统之上的防病毒的应用系统对于操作系统上的安全漏洞的防护效果基本上可 以认为是可以忽略不计的微乎其微。Reason 1: The current firewall products all adopt the standard architecture of "hardware, operating system, and anti-virus application system". In the case of natural security loopholes in operating systems and antivirus application systems, firewalls with this architecture naturally have security loopholes, and cannot guarantee their own security at all. What is worrying is that with the passage of time, the functions of the operating system are becoming more and more powerful and complex, and the security functions of the firewall are increasing. The number of these natural security vulnerabilities is not decreasing, but increasing. . With the extension of the time line, more and more security loopholes are bound to appear, which makes the security function of the firewall weaker and weaker. And theoretically speaking, the protection effect of the antivirus application system running on the operating system for the security loopholes on the operating system can basically be considered negligible and negligible.
原因2:无论是哪家的防火墙,对输入、输出防火墙的数据所采用的数据检查的安全策略,本质上并无显著区别。穷尽排除法是所有防火墙产品,标准的基本安全策略。所述策略的基础技术特征就是,用检测已知病毒特征码的方式,来判断进入防火墙的数据,是否带有病毒。在病毒越来越多的今天和未来,要想使得进出防火墙的数据流,不因穷尽检测而产出太多的时延,则必须1)放弃一些必要的检测。2)必须依靠具备大算力和大储存量的设备来实施的这种极耗费资源的穷尽式检测。这就必然导致两个严重后果:1)安全策略天然有安全漏洞。因为随着病毒越来越多,必然要放弃某些必要的病毒检测。2)防火墙无法小型化和微型化,无法为一个网络应用系统中的所有网络终端,提供安全防护。而这两点,在最近几年日渐火爆的物联网应用上频发的安全事件和勒索病毒攻击案件勒索赎金越叫越高,得到充分的验证。Reason 2: No matter which firewall is used, there is no significant difference in the security policy of data inspection for data entering and exiting the firewall. Exhaustive exclusion is the standard basic security policy for all firewall products. The basic technical feature of the strategy is to use the method of detecting known virus signatures to determine whether the data entering the firewall contains viruses. In today and in the future with more and more viruses, in order to prevent the data flow in and out of the firewall from generating too much delay due to exhaustive detection, it is necessary to 1) give up some necessary detections. 2) This extremely resource-intensive exhaustive detection must be implemented by devices with large computing power and large storage capacity. This will inevitably lead to two serious consequences: 1) There are natural security loopholes in security policies. Because with more and more viruses, it is inevitable to give up some necessary virus detection. 2) The firewall cannot be miniaturized and miniaturized, and cannot provide security protection for all network terminals in a network application system. These two points have been fully verified by the frequent security incidents and ransomware attacks on the increasingly popular Internet of Things applications in recent years.
原因3:安全漏洞看不见摸不着,而防火墙以及以此为基础的网络安全系统,又必然会或多或少的接触到应用系统的核心敏感数据,这就使得网安系统的建设,必然带有网络安全业主对网安系统建设实施人的天然信任。换而言之,对于专业的网安公司而言,技术好坏在其次,网安业主对网安项目建设团队的人,特别是关键人的信任,才是关键中的关键。一个大型的网络安全建设项目,网络安全业主,首先考虑的项目建设团队人员的安全性原因就在于此。很难想象一个网络安全项目业主会聘请一个完全没有信任感的网安团队参与其网络安全项目的建设。比如任何一家俄罗斯最顶级的网络安全公司绝对不会进入一个美国或其盟友的最高安全等级的网络安全项目业主的考虑范围,反之亦然。Reason 3: Security loopholes are invisible and intangible, and firewalls and network security systems based on them will inevitably come into contact with the core sensitive data of application systems more or less, which makes the construction of network security systems inevitably bring There is natural trust of network security owners in the implementation of network security system construction. In other words, for a professional network security company, the quality of the technology is second, and the trust of the network security owners in the network security project construction team, especially the key people, is the key. In a large-scale network security construction project, the network security owner first considers the security of the project construction team personnel for this reason. It is hard to imagine that a network security project owner would hire a network security team that has no sense of trust to participate in the construction of its network security project. For example, any of Russia's top cybersecurity companies would never be considered by an owner of a cybersecurity project with the highest security rating of the United States or its allies, and vice versa.
SUMMARY OF THE INVENTION
To effectively overcome the defects and drawbacks of existing firewall technical solutions, the present invention provides an entirely new method for designing a firewall. The method is divided into the following design blocks:
Design block 1: design two functional modules: a transceiver module (module 1), connected to the extranet, that performs data receiving/transmitting, and a processing module (module 2), connected to the intranet, that performs data processing. The two modules are connected by a data channel.
Design block 2: by the direction of data flow, design two data processing business flows: a data input flow (flow 1) for data flowing from the extranet into the intranet, and a data output flow (flow 2) for data flowing from the intranet to the extranet;
Design block 3: according to the needs of security protection and of the data input/output flows, design the number of data channels between module 1 and module 2 and the data communication technology they use;
Design block 4: according to the needs of security protection and of the data input/output flows, design the number of data channels connecting module 1 to the extranet and the data communication technology they use;
Design block 5: according to the needs of security protection and of the data input/output flows, design the number of data channels connecting module 2 to the intranet and the data communication technology they use.
Where:
Module 2 has two basic types: simple module 2-1 and simple module 2-2.
The technical feature of simple module 2-1 is that it consists of a CPU and RAM managed independently by that CPU; the CPU runs without an operating system and has two data channels.
The technical feature of simple module 2-2 is that it consists of a CPU and RAM managed independently by that CPU; the CPU runs without an operating system and has at least three data channels.
A complex module 2 with higher technical/performance requirements may be designed in the following two ways, among others:
Mode 1: a simple module 2 matrix formed by two or more simple modules 2 connected in series and/or in parallel. If the matrix contains simple modules 2-2, then every simple module 2-2 has at least one data channel that is connected neither to the extranet nor to the intranet.
Mode 2: a data processing terminal matrix formed by two or more simple modules 2 and one or more information terminals that have an operating system. In this matrix the simple modules 2 sit between the operating-system terminals and the extranet or intranet, so that none of the operating-system terminals in the matrix has a data channel directly connected to the intranet or the extranet.
The data input flow (flow 1) consists of two sub-flows, located on module 1 and module 2 respectively:
Flow 1-1: module 1 receives data from the extranet and transmits it to module 2 over the data channel between module 1 and module 2.
Flow 1-2: module 2 processes the received data; the processed data is either discarded or sent into the intranet.
The data output flow (flow 2) consists of two sub-flows, located on module 1 and module 2 respectively:
Flow 2-1: module 2 receives data from the intranet and processes it; the processed data is either discarded or transmitted to module 1 over the data channel between module 1 and module 2.
Flow 2-2: module 1 sends the received data to the extranet.
The data processing in flow 1 and flow 2 includes, but is not limited to, insertion, deletion, splitting, reassembly, checking, verification, encryption and decryption of data for security purposes.
The data channel between module 1 and module 2 includes, but is not limited to, a parallel data bus and a serial data bus.
To best achieve the security goal of secure data transmission between firewalls designed by the method, several preferred design principles for module 1 are:
1) Module 1 has at least two data channels connecting it to the extranet. In principle, the more data channels there are between module 1 and the extranet, the higher the engineering cost for an attacker to obtain or intercept the transmitted data, the stronger the confidentiality of the transmission, and the better the firewall's protection of the transmitted data.
2) When module 1 has two or more data channels to the extranet, at least two different communication methods are used: for example, one channel over the mobile internet data channel and another over an SMS or voice channel. For any commercial network application system, the Beidou short message channel is the best secure data channel available to it.
3) When module 1 has two or more data channels to the extranet, lines leased from different telecom operators are preferred. For example, a firewall with two fixed-line data channels leases one line from China Mobile and one from China Unicom. An attacker who wants to intercept the communication or mount a man-in-the-middle attack must then break into the networks of both China Mobile and China Unicom at the same time and locate both lines precisely, which undoubtedly makes the attack harder.
The present invention is an entirely new firewall design method. Compared with a traditional firewall, a firewall designed by this method has the following advantages:
1) A traditional firewall can only provide limited security protection for the server side of a network application system. Because of the budget constraints of a network security project, the owner cannot provide network-wide protection of the same security strength. A firewall designed by the method can provide, for any network application system, network-wide protection at the same security level for both the server side and the client side.
2) A traditional firewall cannot effectively segment the intranet, so any data terminal on the intranet can become the injection point for an attacking virus. A firewall designed by the method can effectively segment the intranet and provide each resulting sub-intranet with protection at a different security level. Security incidents in which a virus injected at a single point under a traditional firewall blackens the whole network become history, and the "micro-network" security concept popular in the last two years gains a genuinely feasible technical solution.
3) The security vulnerabilities that inevitably exist in the operating system and anti-virus application of a traditional firewall never exist in a firewall designed by the method.
4) Because of the unavoidable vulnerabilities in its operating system and anti-virus application, a traditional firewall provides no clear and definite security boundary between the intranet and the extranet. A firewall designed by the method gives the intranet and the extranet a clear and definite security boundary from then on. Any virus that gets into module 1 or the intranet sees nothing but one data black hole after another, which it can neither penetrate nor probe. A virus that has got into the intranet cannot send even a single bit of data out to the extranet without help from an insider.
5) A firewall designed by the method can apply a uniqueness-verification data security check to the data passing through it. This does away entirely with the exhaustive checking used by traditional firewalls and its inherent dependence on large storage and large computing power, so the firewall's cost falls sharply while a small or miniature firewall becomes technically possible.
6) Past and present, many network security companies have claimed that the security policies and mechanisms of their products can defeat not only today's viruses but tomorrow's as well. Such claims are mostly marketing language that can be confirmed neither technically nor by actual results. With a firewall designed by the method of the present invention, when the data processing flows on module 2 (flow 1-2, flow 2-1) are designed so that data going from the intranet to the extranet is packaged using the method of the patent "A Data Packaging Method" (application no. 2019102326268) and data entering the intranet from the extranet is checked using the same patented method, the firewall can detect any malicious code, now or in the future, injected into the communication data by any technical means that breaks through the communication protocol. This security feature, currently unique in the industry, frees the owner, throughout the design, implementation, maintenance and operation of the firewall, from 1) dependence on trust in the personnel of the project team, and 2) the permanent threat of the security vulnerabilities that inevitably exist on every operating-system terminal in the intranet.
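As an added example (not the patent's own code; the page contains none), the following Python simulation models the two-module design described in the flows above and the uniqueness-verification check of advantage 5): module 1 is a pure relay for flows 1-1 and 2-2, module 2 holds all state and logic for flows 1-2 and 2-1, and each outbound message is split across lines leased from two operators, as in design principle 3). The referenced packaging patent is not on the page, so an HMAC tag plus a sequence number is assumed as the stand-in for the packaging and uniqueness check; the key and the meter-reading message are constructed sample values.

```python
from __future__ import annotations
import hashlib
import hmac
from collections import deque

# Constructed shared key: in the patent's terms a "working parameter" that authorized
# staff enter on module 2 through its keyboard; it never crosses any network channel.
KEY = b"constructed-demo-key"
TAG_LEN = 16
HDR_LEN = 6  # seq(4) | fragment index(1) | fragment count(1)


def _tag(key: bytes, header: bytes, chunk: bytes) -> bytes:
    return hmac.new(key, header + chunk, hashlib.sha256).digest()[:TAG_LEN]


def package(seq: int, payload: bytes, n_channels: int, key: bytes = KEY) -> list[bytes]:
    """Flow 2-1 processing: split the message into one fragment per external channel
    and wrap each with a sequence number and an HMAC tag (assumed packaging format)."""
    size = -(-len(payload) // n_channels)  # ceiling division
    frames = []
    for idx in range(n_channels):
        chunk = payload[idx * size:(idx + 1) * size]
        header = seq.to_bytes(4, "big") + bytes([idx, n_channels])
        frames.append(header + _tag(key, header, chunk) + chunk)
    return frames


class Module1:
    """Transceiver module: a relay between the external lines and the bus to module 2."""

    def __init__(self, lines: list[deque]):
        self.lines = lines      # one external channel per operator (A, B, ...)
        self.bus = deque()      # the data channel to module 2 (e.g. a serial bus)

    def flow_1_1(self) -> None:
        """Extranet -> module 2: forward every received frame unchanged."""
        for line in self.lines:
            while line:
                self.bus.append(line.popleft())

    def flow_2_2(self, frames: list[bytes]) -> None:
        """Module 2 -> extranet: fragment i goes out on channel i."""
        for ch, frame in enumerate(frames):
            self.lines[ch].append(frame)


class Module2:
    """Processing module: fixed logic, no operating system, only the key and two tables."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.seen: set[int] = set()          # accepted sequence numbers (uniqueness)
        self.pending: dict[int, dict] = {}   # seq -> {index: chunk} awaiting reassembly
        self.next_seq = 0
        self.to_intranet: list[bytes] = []   # messages released to the intranet
        self.dropped: list[str] = []         # reason for each discarded frame

    def flow_1_2(self, frame: bytes) -> None:
        """Inbound processing: one MAC check and one table lookup per frame, whatever
        the number of known malware families, then forward or discard."""
        if len(frame) < HDR_LEN + TAG_LEN:
            self.dropped.append("short")
            return
        header, tag = frame[:HDR_LEN], frame[HDR_LEN:HDR_LEN + TAG_LEN]
        chunk = frame[HDR_LEN + TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, header, chunk)):
            self.dropped.append("bad_tag")   # tampered, forged, or wrong key
            return
        seq, idx, total = int.from_bytes(header[:4], "big"), header[4], header[5]
        if seq in self.seen:
            self.dropped.append("replay")    # valid tag, but already accepted once
            return
        parts = self.pending.setdefault(seq, {})
        parts[idx] = chunk
        if len(parts) == total:              # every channel delivered its fragment
            self.seen.add(seq)
            del self.pending[seq]
            self.to_intranet.append(b"".join(parts[i] for i in range(total)))

    def flow_2_1(self, message: bytes, n_channels: int) -> list[bytes]:
        """Outbound processing: package, then hand the frames to module 1."""
        frames = package(self.next_seq, message, n_channels, self.key)
        self.next_seq += 1
        return frames


def run_demo() -> dict:
    """Two firewalls built this way talk over lines leased from two operators."""
    lines = [deque(), deque()]                      # operator A line, operator B line
    tx_m1, tx_m2 = Module1(lines), Module2()        # sending firewall
    rx_m1, rx_m2 = Module1(lines), Module2()        # receiving firewall
    tx_m1.flow_2_2(tx_m2.flow_2_1(b"meter reading: 42.0 kWh", 2))
    captured = [line[0] for line in lines]          # what a tap on each line sees
    rx_m1.flow_1_1()
    while rx_m1.bus:
        rx_m2.flow_1_2(rx_m1.bus.popleft())
    for frame in captured:                          # replay both captured frames
        rx_m2.flow_1_2(frame)
    forged = bytearray(captured[0]); forged[-1] ^= 0x01   # flip one payload byte
    rx_m2.flow_1_2(bytes(forged))
    return {"delivered": rx_m2.to_intranet, "dropped": rx_m2.dropped,
            "seen_on_line_a": captured[0][HDR_LEN + TAG_LEN:]}
```

A tap on one operator's line sees only half the message, replayed frames fail the uniqueness check, and a tampered frame fails the tag check; the per-frame cost never depends on how many malware signatures exist.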
DESCRIPTION OF THE DRAWINGS
Figure 1: schematic diagram of a network system protected by a traditional firewall.
Figure 2: schematic diagram of a network application system protected by the new firewall under the method.
Figure 3: schematic diagram of simple module 2-1.
Figure 4: schematic diagram of simple module 2-2.
Figure 5: schematic diagram of a new firewall with one intranet connection channel and two extranet connection channels.
Figure 6: schematic diagram of a new firewall with one intranet connection channel and one extranet connection channel.
Figure 7: schematic diagram of a new firewall that provides security protection for a server.
Figure 8: schematic diagram of an IoT terminal based on the mobile internet.
Figure 9: schematic diagram of a new firewall that provides security protection for an unattended IoT terminal.
Figure 10: schematic diagram of a new firewall that provides security protection for an attended IoT terminal.
DESCRIPTION OF THE EMBODIMENTS
The content of the present invention is described in detail below with reference to specific embodiments.
Figure 1 is a schematic diagram of a network system protected by a traditional firewall. In this structure the firewall divides the whole network system into two parts, the intranet and the extranet. But because of the security vulnerabilities in the firewall's operating system, there is in fact no clear, well-defined boundary between the extranet and the intranet.
In China's Classified Protection 1.0 era, the scope of protection for a network application system was the intranet behind the firewall. Classified Protection 2.0, which began in June 2019, extends that scope to the intranet and the extranet terminals.
In "Recommendation 2" of its report "The 5G Ecosystem: Risks & Opportunities for DoD", released in April 2019, the U.S. Defense Innovation Board states plainly that "the perimeter defense model has proven ineffective", and goes on to point out that under the perimeter defense model a firewall can neither resist attacks on extranet devices, such as data-theft attacks that intercept traffic after breaking into an extranet router, or man-in-the-middle attacks, nor resist attacks on extranet terminals or attacks launched against the server from a hijacked extranet terminal.
The Securing Energy Infrastructure Act, debated and passed by the U.S. Senate on June 28, 2019, closed the door completely on using any advanced automated system for the security defense of domestic U.S. energy infrastructure (such as power grid control systems). The act requires the relevant companies instead to explore replacing automated systems with low-technology approaches, such as having the security controls at important nodes performed by human operators through manual processes rather than over a network, on the reasoning that low-technology approaches can greatly increase the difficulty of a network attack and defeat even the most sophisticated hackers. Obviously, where the control process is performed manually, a hacker, however skilled, who wants to reach the grid must physically get at the relevant equipment. Those energy companies therefore need only control who has access to the equipment to effectively block or withstand any remote, contactless attack launched by a top hacker exploiting vulnerabilities in an operating system or application system.
It is clear, then, that a security model like that of Figure 1 can no longer cope with today's increasingly severe network security situation.
Figure 2 is a schematic diagram of a network application system protected by the new firewall under the method.
The figure shows: 1) new firewall 1 effectively separates the intranet from the extranet; 2) new firewall 2 further separates the server from the intranet within the intranet; 3) new firewall 3 and new firewall n provide security protection for extranet terminal 1 and extranet terminal n respectively.
Under this network structure, any virus that gets into an intranet terminal, the server, an extranet terminal, the intranet or the extranet sees nothing but data black holes, and cannot exploit vulnerabilities in operating systems or application systems to spread anywhere else.
The design method provides a feasible technical solution for achieving "micro-network" security.
For the owner of a network security system, this means it can have Zhang San's team build version 1.0 of its firewall system and then have Li Si's team rework new firewall 2 without changing in any way the format of the data exchanged between firewall 2's intranet side and the server. This completely avoids the trust risk of Zhang San's team. At the same time, because Li Si's team cannot fully understand the data structure of the whole firewall, the trust risk of Li Si's team is equally well contained. Once the upgrade is complete, the owner need only ensure that no outsider gets into the place where firewall 2 is installed to guarantee that new firewall 2 will not be compromised.
Figures 3 and 4 are schematic diagrams of simple module 2-1 and simple module 2-2 respectively; Figure 3 shows a simple module 2-2 with three data channels.
Figure 5 is a schematic diagram of a new firewall with one intranet connection channel and two extranet connection channels. Its module 2 is a simple module 2 matrix formed, in mode 1, from one simple module 2-1 and one simple module 2-2 with four data channels. CPU1 is connected to a keyboard, which is used to enter working parameters into CPU1 and CPU2.
The module 2 matrix in Figure 5 is the simplest matrix that can be connected in mode 1; the owner can use mode 1 to build more complex and more capable module 2 matrices.
Figure 6 is a schematic diagram of a new firewall with one intranet connection channel and one extranet connection channel. Here module 2 consists of two simple modules 2-1 sandwiching a computer (that is, connected in mode 2). This structure guarantees that the computer has no direct data channel to either the extranet or the intranet, and therefore that the vulnerabilities inevitably present in the computer's operating system and application system are effectively isolated from both the extranet and the intranet.
The module 2 matrix in Figure 6 is the simplest matrix that can be connected in mode 2; the owner can use mode 2 to build more complex and more capable module 2 matrices.
Whether the structure is that of Figure 5, that of Figure 6 or a more complex module 2 structure, the owner need only:
1) strictly guard the keyboard so that no unauthorized person can touch the keyboard in module 2; then no virus that has got into the intranet, the extranet, module 1 no. 1 or module 1 no. 2, and not even the developers of the module 2 matrix, can enter any working parameter into module 2;
2) strictly guard the physical space where module 2 is placed so that no unauthorized person can make any unauthorized change to any component in module 2; then all unauthorized data exchange between the intranet and the extranet is completely cut off.
The structures of Figures 5 and 6 thus allow the owner to: 1) effectively sever the link between the security vulnerabilities that inevitably exist in the operating systems and application systems of every intranet and extranet network device, and hence effectively resist network attacks that exploit them; 2) effectively neutralize the trust gap of the firewall development team. In other words, when choosing a firewall development team the owner need consider only whether the team's development capability matches the firewall's development needs, and need not consider the team's trustworthiness at all, whereas the trustworthiness of the development team is the first priority today when building a security system with an old-style firewall as its core security component.
Figure 7 is a schematic diagram of a new firewall that provides security protection for a server. The firewall shown has one intranet data channel, four extranet data channels and one firewall control channel. Module 2 no. 3, whose communication component is a mobile network communication module, provides two data channels: a mobile data channel (the so-called traffic channel) and an SMS channel. The keyboard is the firewall control channel: through it authorized personnel enter into the new firewall the working parameters, the data to be transmitted from the intranet to the extranet, and the data to be transmitted from the extranet to the intranet.
Compared with today's firewalls, the new firewall of Figure 7:
1) can effectively block all of the data interception attacks that work today.
Every network attack begins by exploiting a vulnerability in the network system to intercept communication data between networks. In other words, effectively preventing the interception of communication data effectively prevents network attacks that exploit vulnerabilities in operating systems and application systems.
Today the security between two servers' firewalls (for example, between the firewall of company A's head-office server and the firewall of its branch server) is mostly provided by a VPN. But this protection is not secure. A look at the sources of risk in the U.S. Defense Innovation Board's April 2019 report "The 5G Ecosystem: Risks & Opportunities for DoD" (which identifies cyberspace and mobile terminals as the sources of cybersecurity risk) and at the relevant security requirements of China's Classified Protection 2.0 makes clear that this is no idle claim, and cases have already shown that a VPN can be broken.
The multiple data channels of the new firewall can easily defeat every current data-interception attack. Take the simplest case of two data channels (those of module 1 no. 1 and module 1 no. 2). The owner need only connect module 1 no. 1 to the network run by operator A and module 1 no. 2 to the network run by operator B to render every current data-interception scheme useless. Against commercially motivated data interception, a manual data channel and China's Beidou short message data channel can be regarded as essentially absolutely secure; in the case of the Beidou channel in particular, it is believed that no commercial organization would dare attack it, even just to intercept it.
2) The cost of building a firewall falls sharply, making it possible to build a "micro-network" in the true technical sense and to establish a "zero trust" network security mechanism.
The detection strategy of today's firewalls is exhaustive: when checking data, the firewall must rule out every possible virus signature before it can release the data. In engineering practice, this strategy inherently creates two security vulnerabilities:
Vulnerability 1: the firewall's check on data passing through it must finish within a limited time, so implementing an exhaustive-check security policy requires strong computing power and storage. Obtaining large computing and storage capacity in turn requires a strong construction budget from the owner of the network security project, and no budget, however large, can support an endless demand for computing and storage. A limited budget means that the whole project is built on limited computing power and storage, so any network security project with today's firewall at its core is, from the day it is built, a gold-swallowing beast with security vulnerabilities, and as time passes and new vulnerabilities keep being discovered, swallowing further large security budgets is inevitable. The need for large computing power and storage also leaves the miniaturization of firewalls without a technical basis, which is why the "micro-network" security defense concept that became a hot topic two years ago has stayed within the realm of technical discussion in the industry.
漏洞2:现在的防火墙必然会触碰到网络安全业主的核心敏感数据。这在网络安全项目建设已经成为一个独立产品形态时,对网络安全业主而言,选择可信任的网络安全项目建设团队,成了选择团队技术能力的绝对前置条件。这就使得任何一个网络安全项目的建设,天然就带有“信任”基础。在美国国防创新委员会在其于2019年4月发布的《5G生态系统:对美国国防部的风险与机遇》报告中提出的“零信任”的网络安全概念,天然就排除了“防火墙”(准确的讲是现在的防火墙)这一安全部件的存在。Vulnerability 2: Today's firewalls will inevitably touch the core sensitive data of network security owners. When network security project construction has become an independent product form, for network security owners, choosing a trusted network security project construction team has become an absolute prerequisite for selecting the technical capabilities of the team. This makes the construction of any network security project inherently based on "trust". In the "Zero Trust" cybersecurity concept proposed by the Defense Innovation Council in its report "5G Ecosystem: Risks and Opportunities for the U.S. Department of Defense" released in April 2019, the "firewall" (accurately) is naturally excluded. It is the existence of the security component of the current firewall).
新防火墙采用的是唯一性数据检查策略。既只有符合唯一的数据检查特征的数据才能够通过新防火墙。这一技术特点使得:1)新防火墙对算力和存储力的需求大幅降低,它可以降低到现在防火墙的万分之一或十万分之一以上。这就使得网络安全业主完全摆脱网络安全项目预算的限制,想在什么地方安装新防火墙就在什么地方安装新防火墙。从而使得两年前开始热炒的“微网络”的安全防御概念,在技术和资金上获得支撑而变为现实。2)新防火墙的建设,天然摆脱了网络安全业主对防火墙建设团队的的“信任”依赖。这在技术上保证了“零信任”网络安全机制的建立。The new firewall adopts a unique data inspection strategy. Only data that meets the unique data inspection characteristics can pass through the new firewall. This technical feature makes: 1) The demand for computing power and storage power of the new firewall is greatly reduced, which can be reduced by one ten thousandth or one hundred thousandth of the current firewall. This allows network security owners to completely free themselves from the constraints of network security project budgets and install new firewalls wherever they want. As a result, the security and defense concept of "micro-network", which began to be hotly hyped two years ago, has become a reality with technical and financial support. 2) The construction of the new firewall naturally gets rid of the "trust" dependence of network security owners on the firewall construction team. This technically guarantees the establishment of a "zero trust" network security mechanism.
FIG. 8 is a schematic structural diagram of an IoT terminal based on the mobile Internet. This structure is general enough to represent all IoT terminals.
The Internet of Things is widely recognized in the industry as the application pool for the next generation of popular network applications. Frustratingly, existing network security technology is entirely unable to meet the security expectations of future IoT applications, because with existing attack techniques any IoT application system built on existing security technology can be broken within minutes. For the attacker, such an attack is not a question of technical "feasibility" or "infeasibility" but of "profit" or "loss" on the financial statements. And projecting the security technology of future solutions from the technical basis of existing network security technology gives an equally disappointing result. The Energy Infrastructure Security Act, considered and passed by the U.S. Senate on June 28, 2019, illustrates this point fully.
FIG. 9 is a schematic structural diagram of a new firewall that provides security protection for an unattended IoT terminal. CPU1, the RAM connected to it and the mobile network communication module 2 together constitute the new firewall of the present invention.
The network security owner has a large number of CPUs meeting the technical requirements of the present invention to choose from. "Process 1-2" and "Process 2-1", which run on CPU1, are not technically demanding and need no "trust investment", so the developer cost for this part is also greatly reduced. The bill-of-materials (BOM) cost of the firewall in FIG. 9 is therefore extremely low, and any IoT application system with even modest network security requirements can afford it. Once the system is in operation, the owner need only choose different mobile network operators, for example SIM1 on operator A, communicating over the data channel, and SIM card 2 on operator B, communicating over the SMS channel. This renders every currently effective network attack method ineffective.
For attackers facing such an IoT terminal and an IoT application system built from the firewall of the present invention, the foremost problem is not whether the attack is technically feasible, but how to ensure that the attack shows a "profit" on the financial statements.
FIG. 10 is a schematic structural diagram of a new firewall that provides security protection for an attended IoT terminal. CPU1 together with the RAM and keyboard connected to it constitutes the new firewall of the present invention. The working parameters the new firewall needs are entered into CPU1 by on-duty personnel through the keyboard.
Example 1:
A firewall between servers, or between the sub-intranets within an intranet.
A new firewall with the structure of FIG. 7 can serve as a firewall between servers, regardless of whether those servers are connected through the intranet or through the external network. The five data channels between two such new firewalls are sufficient for the great majority of scenarios that require strong protection of data transmission against interception.
The extremely low engineering cost (a firewall with the structure of FIG. 7 costs, at minimum, the price of a 3,000-4,000 yuan computer) makes arbitrary sub-intranet segmentation of the intranet possible. Take the intranet of a head office with 1,000 staff as an example: 20 new firewalls with the structure of FIG. 7 have a total budget of only 100,000 yuan, and these 20 firewalls are enough to form at least three lines of defense that seal off the core IT equipment, such as the servers holding core data and the office computers of important departments and employees. Otherwise, a budget of 100,000 yuan could hardly build a secure network system for a head office of over a thousand people.
When defining the communication protocol that crosses a firewall with the structure of FIG. 7, the network security owner can use the method described in the patent "A Data Packaging Method" (Patent Application No. 2019102326268) to package the data crossing the firewall. When data packaged by that method passes through CPU2, CPU3 and CPU4 in FIG. 7, any malicious code injected into the communication data by breaking the communication protocol, by any technical means present or future, can be detected.
This security feature satisfies the security requirement of Classified Protection 2.0 (等保2.0) that the communication ports of IoT terminals must be able to withstand malicious code injection attacks.
For any commercial network application system, replacing the mobile network communication channel formed by CPU4 in the FIG. 7 structure with a BeiDou short message channel allows it to withstand all network attacks whose ultimate goal is commercial.
Example 2:
An unattended IoT application system.
The IoT terminal shown in FIG. 9 together with the firewall shown in FIG. 7 constitutes the unattended IoT application system protected by the firewall of the present invention.
In this system, the firewall on the IoT terminal side can be built from the "xxx8x8k64x" microcontroller from "xx Technology" and the cheapest GSM module available (any module that can send and receive SMS will do). The BOM cost of the whole firewall is 3.x yuan for the microcontroller and no more than 25 yuan for the GSM module. For an IoT application system with a thousand terminals and some network security requirements, a new-firewall BOM cost of under 30,000 yuan puts no pressure on the budget at all.
Note:
1) To avoid any appearance of advertising, part of the microcontroller's identification above is replaced with "x".
2) The xxx8x8k64x microcontroller has an 8051-type ("51") core; its other technical parameters are 64K of Flash program memory, 8K of on-chip extended SRAM and 4 standard serial ports. These parameters meet the needs of the great majority of IoT terminals for building a firewall.
3) Microcontrollers of other brands, with non-8051 cores and similar technical parameters, are countless, giving the network security owner an enormous range of choice.
Example 3:
An attended IoT application system.
The IoT terminal shown in FIG. 10 together with the firewall shown in FIG. 7 constitutes the attended IoT application system protected by the security mechanism of the present invention.
In this system, the firewall on the IoT terminal side can use the "xxx8x8k64x" microcontroller from "xx Technology". The BOM cost of the whole firewall is 3.x yuan for the microcontroller and no more than 25 yuan for the keyboard and display. For an IoT system with a thousand terminals and considerable network security requirements, a firewall BOM cost of under 30,000 yuan puts no pressure on the budget at all.
The attended IoT terminal of this embodiment fully complies with the technical requirements for security defense set out in the Energy Infrastructure Security Act, considered and passed by the U.S. Senate on June 28, 2019.
Example 4:
How a network security owner can effectively avoid "trust" dependence on firewall construction personnel during network security construction.
Today, as network security problems grow ever more serious, every network security owner faces two difficult choices. 1) How much budget should be allotted to network security in a network application system? Too little, and the application system is effectively "running naked"; too much, and there is not enough budget to support it. 2) Today, when data is king, the development team of a network security project inevitably comes into contact with the application system's core sensitive data, so the application system depends on trusting the security construction team's personnel from the earliest stage of construction.
The firewall design method of the present invention can effectively resolve the tight budgets and the "trust" dependence on the security construction team that network security owners, especially those in the start-up phase, face at the beginning.
For example, a start-up team for an IoT application project can, when first building its IoT application system, adopt a firewall with the structure of FIG. 5 (budget under 500 yuan) or FIG. 6 (budget under 2,000-3,000 yuan) as the firewall of its initial validation system. Once the system is stable and the number of terminals has grown, a firewall with the structure of FIG. 7 (budget from 4,000-5,000 yuan to over 10,000 yuan) can be considered as the upgrade replacing the FIG. 5 or FIG. 6 validation structure. As the enterprise grows further, it can continue upgrading with FIG. 7 as the starting point. Such upgrades include, but are not limited to: expanding CPU1 in the FIG. 7 structure into CPU1-1, CPU1-2, ... CPU1-n to segment the intranet horizontally; and using multiple FIG. 7 structures to segment the intranet vertically. Upgrading and iterating the firewall in this way means that the construction team of each phase only ever sees a fragment of the firewall's operating mechanism, which completely frees the network security owner from "trust" dependence on the firewall construction team's personnel.
Through the demonstration of the above four embodiments, it is believed that those skilled in the art can all use the method described in this patent to build a firewall that meets their needs, with a high security strength level, low cost and a very favorable cost-performance ratio.

Claims (8)

  1. A method for designing a firewall, characterized in that the method for designing a firewall is divided into the following design modules:
    Design module 1: design two functional modules, namely a data transceiver module (module 1) connected to the external network that performs data receiving/transmitting, and a data processing module (module 2) connected to the intranet that performs data processing;
    Design module 2: according to the transmission direction of the data flow, design two data processing business processes, namely the data input business process in which data flows from the external network into the intranet (process 1), and the data output business process in which data flows from the intranet to the external network (process 2);
    Design module 3: according to the needs of security protection and of the data input/output business processes, design the number of data channels between module 1 and module 2 and the data communication technology adopted for them;
    Design module 4: according to the needs of security protection and of the data input/output business processes, design the number of data channels connecting module 1 to the external network and the data communication technology adopted for them;
    Design module 5: according to the needs of security protection and of the data input/output business processes, design the number of data channels connecting module 2 to the intranet and the data communication technology adopted for them.
  2. The method according to claim 1, characterized in that module 2 is divided, by the simplicity or complexity of its structure, into a simple module 2 and a complex module 2; the simple module 2 is further divided into two kinds, simple module 2-1 and simple module 2-2; simple module 2-1 consists of a CPU and RAM managed independently by it, the CPU running without an operating system and having two data channels; simple module 2-2 consists of a CPU and RAM managed independently by it, the CPU running without an operating system and having at least three data channels.
  3. The method according to claims 1-2, characterized in that the complex module 2 takes the simple module 2 as its basic component and is formed by, but not limited to, the following two connection modes:
    Mode 1: a matrix of simple modules 2 formed by connecting two or more simple modules 2 in series and/or in parallel, in which, among the data channels of the simple modules 2-2 in the matrix, at least one data channel is connected neither to the external network nor to the intranet;
    Mode 2: a data processing terminal matrix formed by two or more simple modules 2 and one or more information terminals that run an operating system; in the matrix, the simple modules 2 sit between the information terminals with an operating system and the external network or intranet, so that no information terminal with an operating system in the matrix has a data channel directly connected to the intranet or the external network.
  4. The method according to claim 1, characterized in that when module 1 consists of two or more sub-modules 1 each connected separately to the external network, there is no directly connected data channel between any two sub-modules 1 within the scope of the firewall designed by the method.
  5. The method according to claim 1, characterized in that the data input business process (process 1) consists of two sub-processes distributed over module 1 and module 2 respectively: process 1-1: module 1 receives data input from the external network and transmits the received data to module 2 over the data channel between module 1 and module 2; process 1-2: module 2 processes the received data, and the processed data is either discarded or sent into the intranet.
  6. The method according to claim 1, characterized in that the data output business process (process 2) consists of two sub-processes distributed over module 1 and module 2 respectively: process 2-1: module 2 receives data from the intranet and processes it, and the processed data is either discarded or transmitted to module 1 over the data channel between module 1 and module 2; process 2-2: module 1 sends the data it receives to the external network.
  7. The method according to claims 5-6, characterized in that the processing of received data includes, but is not limited to, insertion, deletion, splitting, reassembly, checking, verification, encryption and decryption of data for security purposes.
  8. The method according to claims 1-4, characterized in that the data channels include, but are not limited to, parallel data buses and serial data buses.
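As an added example (not code from the patent or its inventor), the following Python model walks through the flows of claims 5-7 together with the uniqueness inspection described for the new firewall: module 2 wraps outbound intranet data with a fixed header and a MAC and splits it across two external channels (process 2-1), module 1 transmits each part on its own channel (process 2-2), and on the receiving side module 1 only collects the parts (process 1-1) while module 2 reassembles them and accepts nothing but a frame carrying the single expected wrapping (process 1-2). The header format, pre-shared key, channel names and byte-interleaved split are assumptions of this example, not details from the patent.

```python
"""Model of the two-module firewall of claims 5-7 (added example, not the patent's code).
Module 1 faces the external network and only moves bytes; module 2 faces the intranet and
does all processing in its own RAM. Wrapping format, key and channel names are assumptions."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: pre-shared between the two firewalls (demo value)
MAGIC = b"FW1"                  # assumption: fixed marker of the one wrapping module 2 accepts
HDR = 3 + 4 + 2                 # MAGIC + sequence number (u32) + payload length (u16)
TAG = 32                        # HMAC-SHA256 length
MAX_PAYLOAD = 4096
CHANNELS = ("operatorA_data", "operatorB_sms")  # as in FIG. 9: two operators, two channels

def wrap(payload: bytes, seq: int) -> bytes:
    """Process 2-1 processing (claim 7 insertion/verification): fixed header + MAC."""
    header = MAGIC + struct.pack(">IH", seq, len(payload))
    return header + payload + hmac.new(KEY, header + payload, hashlib.sha256).digest()

def unwrap(frame: bytes):
    """Process 1-2 uniqueness check: pass only the exact expected wrapping, else None.
    No virus-signature list is consulted; anything not matching is simply discarded."""
    if len(frame) < HDR + TAG or frame[:3] != MAGIC:
        return None
    seq, n = struct.unpack(">IH", frame[3:HDR])
    if n > MAX_PAYLOAD or len(frame) != HDR + n + TAG:
        return None
    body, tag = frame[:HDR + n], frame[HDR + n:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        return None
    return seq, body[HDR:]

def split_for_channels(frame: bytes, channels=CHANNELS) -> dict:
    """Claim 7 splitting: interleave bytes across channels, so one operator's network
    carries only every k-th byte. Each part starts with (index, channel count)."""
    k = len(channels)
    return {ch: bytes([i, k]) + frame[i::k] for i, ch in enumerate(channels)}

def reassemble(parts: dict):
    """Claim 7 reassembly: undo the interleave; None unless every part is present and fits."""
    pieces, k = {}, None
    for blob in parts.values():
        if len(blob) < 2:
            return None
        k = blob[1]
        pieces[blob[0]] = blob[2:]
    if k is None or sorted(pieces) != list(range(k)):
        return None
    out = bytearray(sum(len(p) for p in pieces.values()))
    for idx, piece in pieces.items():
        if len(out[idx::k]) != len(piece):
            return None
        out[idx::k] = piece
    return bytes(out)

# Process 2-1: module 2 wraps and splits intranet data, hands the parts to module 1.
def module2_outbound(data: bytes, seq: int) -> dict:
    return split_for_channels(wrap(data, seq))

# Process 2-2: module 1 sends each part on its own external channel (a queue here).
def module1_transmit(parts: dict, links: dict) -> None:
    for ch, blob in parts.items():
        links.setdefault(ch, []).append(blob)

# Process 1-1: module 1 collects what arrived on each channel and passes it on unchanged.
def module1_receive(links: dict) -> dict:
    return {ch: q.pop(0) for ch, q in links.items() if q}

# Process 1-2: module 2 reassembles and inspects; (seq, payload) goes to the intranet,
# None means the data is discarded.
def module2_inbound(parts: dict):
    frame = reassemble(parts)
    return None if frame is None else unwrap(frame)

def run_demo() -> dict:
    """Two such firewalls exchanging one message over constructed in-memory channels."""
    links = {}
    module1_transmit(module2_outbound(b"sensor reading: 21.5 C", 1), links)
    accepted = module2_inbound(module1_receive(links))   # (1, b'sensor reading: 21.5 C')
    parts = module2_outbound(b"sensor reading: 21.5 C", 2)
    # Only operator A's channel observed: the frame cannot even be reassembled.
    one_channel = module2_inbound({"operatorA_data": parts["operatorA_data"]})
    # One byte altered in transit on operator B's channel: MAC check fails, frame dropped.
    blob = bytearray(parts["operatorB_sms"])
    blob[-1] ^= 0x01
    altered = module2_inbound({**parts, "operatorB_sms": bytes(blob)})
    # Unwrapped traffic arriving on the channels is not the expected wrapping: dropped.
    raw = module2_inbound(split_for_channels(b"GET / HTTP/1.0\r\n\r\n"))
    return {"accepted": accepted, "one_channel": one_channel,
            "altered": altered, "raw_traffic": raw}
```

A real deployment on the FIG. 9 terminal would also need replay protection on the sequence number and key provisioning, neither of which the patent specifies.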
PCT/CN2021/086347 2021-02-17 2021-04-12 Method for designing firewall WO2022174509A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110186294.1 2021-02-17
CN202110186294.1A CN112839058A (en) 2021-02-17 2021-02-17 Method for designing firewall

Publications (1)

Publication Number Publication Date
WO2022174509A1 true WO2022174509A1 (en) 2022-08-25

Family

ID=75933639

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/086347 WO2022174509A1 (en) 2021-02-17 2021-04-12 Method for designing firewall

Country Status (2)

Country Link
CN (1) CN112839058A (en)
WO (1) WO2022174509A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140258448A1 (en) * 2013-03-11 2014-09-11 Xerox Corporation Customer Vetted Device Status Communication System And Method
CN104363221A (en) * 2014-11-10 2015-02-18 青岛微智慧信息有限公司 Network safety isolation file transmission control method
CN107070907A (en) * 2017-03-31 2017-08-18 杭州通悟科技有限公司 Intranet and extranet data unidirectional transmission method and system
CN109032281A (en) * 2018-08-28 2018-12-18 西安工业大学 A kind of plug and play wireless network firewall device
CN109729105A (en) * 2019-03-26 2019-05-07 黄策 A kind of data packing method
CN111510436A (en) * 2020-03-27 2020-08-07 黑龙江省网络空间研究中心 Network security system


Also Published As

Publication number Publication date
CN112839058A (en) 2021-05-25


Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21926226

Country of ref document: EP

Kind code of ref document: A1