CN106998333A - A kind of bilateral network security isolation system and method - Google Patents

Info

Publication number: CN106998333A
Authority: CN (China)
Prior art keywords: data, intranet, processing module, outer net, module
Prior art date:
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201710374477.XA
Other languages: Chinese (zh)
Inventors: 王继志, 杨光, 陈丽娟, 杨英
Current assignee: National Supercomputing Center in Jinan (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: National Supercomputing Center in Jinan
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:
Application filed by National Supercomputing Center in Jinan
Priority to CN201710374477.XA
Publication of CN106998333A
Current legal status: Pending

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
        • H04L63/02: ... for separating internal from external traffic, e.g. firewalls
        • H04L63/08: ... for authentication of entities
            • H04L63/0815: ... providing single-sign-on or federations
        • H04L63/14: ... for detecting or protecting against malicious traffic
            • H04L63/1408: ... by monitoring network traffic
                • H04L63/1416: Event detection, e.g. attack signature detection
            • H04L63/1441: Countermeasures against malicious traffic

Abstract

The invention discloses a two-way network security isolation system and method. The system comprises an external-network processing module, an internal-network processing module and a transition zone. The external-network processing module connects to the external network and is linked to the internal-network processing module through a one-way data link; the internal-network processing module connects to the internal network and is linked to the transition zone through a switched one-way data link; and the transition zone is linked to the external-network processing module through a switched one-way data link. When the external network sends data to the internal network, the external-network processing module sends the external-network data directly to the internal-network processing module over the one-way data link. When the internal network sends data to the external network, the internal-network processing module first sends the internal-network data to the transition zone over the switched one-way data link for staging, and the transition zone then forwards the staged data to the external-network processing module over its switched one-way data link. The invention can securely isolate networks of different security levels while guaranteeing two-way data communication between them.

Description

A two-way network security isolation system and method

Technical field

The invention relates to a two-way network security isolation system and method and belongs to the technical field of network security.

Background

With the spread of Internet applications, network security faces severe challenges and security incidents occur without end. In this situation an organization wants its internal network to connect to the Internet for information exchange while avoiding, as far as possible, the many network attacks that originate there. Alongside the defences of traditional security equipment such as firewalls and intrusion detection systems, network security isolation devices have gradually come to play an important role.

A network security isolation device isolates the connection between an organization's internal network and the external network, inspects the data flows entering and leaving the internal network, filters out malicious code attempting to enter the internal network and sensitive information attempting to flow out to the external network, and, by physically isolating the internal and external networks, blocks attacks that rely on a network connection. It therefore plays an important role in protecting the organization's internal network.

Network security isolation devices currently come in two kinds, one-way and two-way. A one-way device allows only external-network data to enter the internal network and never lets internal-network data flow out to the external network, which strictly guarantees that sensitive data in the internal network cannot leak to the external network. A two-way device allows data to flow in both directions between the internal and external networks and relies on strict inspection of data content to prevent the leakage of sensitive data.

The security of a one-way network security isolation device rests on the classic BLP (Bell-LaPadula) security model and can be proved secure under that model. Current two-way devices, however, actually violate the BLP model, so there is no theoretical proof that they are secure. How to design a new two-way network security isolation system that both satisfies the requirements of the security model and achieves two-way data communication has therefore become a difficult problem.

Summary of the invention

To address the above shortcomings, the invention provides a two-way network security isolation system and method that can securely isolate networks of different security levels while guaranteeing two-way data communication between them.

The technical scheme adopted by the invention to solve its technical problem is as follows:

A two-way network security isolation system according to the invention is characterized in that it comprises an external-network processing module, an internal-network processing module and a transition zone. The external-network processing module connects to the external network and is linked to the internal-network processing module through a one-way data link; the internal-network processing module connects to the internal network and is linked to the transition zone through a switched one-way data link; and the transition zone is linked to the external-network processing module through a switched one-way data link.

Preferably, the external-network processing module sends data directly to the internal-network processing module over the one-way data link, the internal-network processing module sends data to the transition zone over the switched one-way data link for staging, and the transition zone sends the staged data to the external-network processing module over the switched one-way data link.

Preferably, the external-network processing module comprises an identity authentication module, an external-network data buffer, an external-network protocol conversion module and a malicious code filtering module. The identity authentication module authenticates external-network users: a user who passes authentication is allowed to log in to the external-network processing module, otherwise the user's connection request is rejected. The external-network data buffer stores data sent from the external network to the internal network and data sent from the internal network to the external network. The external-network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of network packets sent from the external network to the internal network, or packs data sent from the internal network to the external network into network packets according to the TCP/IP protocol. The malicious code filtering module performs malicious code detection on the application-layer data of packets sent from the external network to the internal network and filters out any malicious code they may contain.

Preferably, the internal-network processing module comprises an internal-network data buffer, an internal-network protocol conversion module and a sensitive information filtering module. The internal-network data buffer stores data sent from the external network to the internal network and data sent from the internal network to the external network. The internal-network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of network packets sent from the internal network to the external network, or packs data sent from the external network to the internal network into network packets according to the TCP/IP protocol. The sensitive information filtering module performs sensitive information detection on the application-layer data of packets sent from the internal network to the external network and filters out any sensitive information they may contain.

Preferably, the transition zone comprises a transition data buffer, a system restore module and a data encryption module. The transition data buffer stores the staged data while the internal network is sending data to the external network; the data encryption module encrypts the data sent from the internal network to the external network; and the system restore module clears the data buffer in the transition zone and restores the transition zone to its initial state.

A two-way network security isolation method according to the invention is characterized in that, when the external network sends data to the internal network, the external-network processing module sends the external-network data directly to the internal-network processing module over the one-way data link; and when the internal network sends data to the external network, the internal-network processing module first sends the internal-network data to the transition zone over the switched one-way data link for staging, after which the transition zone sends the staged data on to the external-network processing module over the switched one-way data link.

Further, the process by which the external network sends data to the internal network comprises the following steps:

Step 101: the external-network user authenticates to the identity authentication module in the external-network processing module; if authentication succeeds the user is allowed to log in to the external-network processing module, otherwise the user's connection request is rejected;

Step 102: the external-network user transmits the data to be sent to the internal-network user to the external-network processing module according to the TCP/IP protocol;

Step 103: the external-network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of the network packets destined for the internal-network user and stores it in the external-network data buffer;

Step 104: the malicious code filtering module performs malicious code detection on the application-layer data in the external-network data buffer, filters out any malicious code it may contain and stores the result back in the external-network data buffer;

Step 105: the external-network processing module transmits the malicious-code-filtered data from the external-network data buffer to the internal-network processing module over the one-way data link;

Step 106: the internal-network processing module stores the received data in its internal-network data buffer;

Step 107: the internal-network protocol conversion module in the internal-network processing module repacks the received data into network packets according to the TCP/IP protocol and sends them to the internal-network user.

The process by which the internal network sends data to the external network comprises the following steps:

Step 201: the internal-network user transmits the data to be sent to the external-network user to the internal-network processing module according to the TCP/IP protocol;

Step 202: the internal-network processing module stores the data to be transmitted to the external-network user in its internal-network data buffer;

Step 203: the internal-network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of the network packets destined for the external-network user and stores it in the internal-network data buffer;

Step 204: the sensitive information filtering module in the internal-network processing module performs sensitive information detection on the application-layer data, held in the internal-network data buffer, of the packets destined for the external-network user, filters out any sensitive information it may contain and stores the result back in the internal-network data buffer;

Step 205: the internal-network processing module closes the switch of the switched one-way data link connecting it to the transition zone and transmits the sensitive-information-filtered data from the internal-network data buffer to the transition zone over that link;

Step 206: once the transmission is complete, the internal-network processing module opens the switch of the switched one-way data link connecting it to the transition zone;

Step 207: the transition zone stores the received data in its transition data buffer;

Step 208: the data encryption module in the transition zone randomly generates a data encryption key, encrypts the data in the transition data buffer with a block cipher, and encrypts that data encryption key with the public key of the external-network user;

Step 209: the transition zone closes the switch of the switched one-way data link connecting it to the external-network processing module;

Step 210: the transition zone sends the encrypted data together with the encrypted key to the external-network processing module over the switched one-way data link connecting them;

Step 211: once the data has been sent, the transition zone opens the switch of the switched one-way data link connecting it to the external-network processing module and at the same time starts the system restore module, which clears the transition data buffer in the transition zone and restores the transition zone to its initial state;

Step 212: the external-network processing module stores the received data, sent by the internal-network user to the external-network user, in its external-network data buffer;

Step 213: the external-network protocol conversion module in the external-network processing module packs the data in the external-network data buffer that the internal-network user sent to the external-network user into network packets according to the TCP/IP protocol and sends them to the external-network user;

Step 214: on receiving the data, the external-network user first decrypts the data encryption key with their own private key and then decrypts the data with the data encryption key, obtaining the data sent by the internal-network user.
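Steps 205 to 211 and 214 as an added example, not code from the patent: a Go model of the transition zone in which the two switches are never closed at the same time, the staged data is encrypted under a fresh data key that is in turn encrypted to the external-network user's public key, and the zone is restored once the data has left. It assumes AES-256-GCM as the block cipher and RSA-OAEP as the public-key encryption (the patent names neither), a constructed sample payload, and that the sensitive-information filter of step 204 has already run.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// TransitionZone sits between the internal-network and external-network processing modules.
// CloseSwitch enforces the invariant: the two switches are never closed together, so the zone never bridges them.
type TransitionZone struct {
	InnerClosed bool   // switch on the link internal-network processing module -> zone
	OuterClosed bool   // switch on the link zone -> external-network processing module
	Buffer      []byte // transition data buffer
}

// CloseSwitch closes the outer-side (outer == true) or inner-side switch,
// refusing while the opposite switch is still closed.
func (tz *TransitionZone) CloseSwitch(outer bool) error {
	mine, other := &tz.InnerClosed, &tz.OuterClosed
	if outer {
		mine, other = other, mine
	}
	if *other {
		return fmt.Errorf("refusing to close switch (outer=%v): the opposite switch is closed", outer)
	}
	*mine = true
	return nil
}

// Restore is the system restore module of step 211: wipe the buffer and put
// the zone back in its initial state with both switches open.
func (tz *TransitionZone) Restore() {
	copy(tz.Buffer, make([]byte, len(tz.Buffer))) // zero the bytes before dropping the slice
	tz.Buffer, tz.InnerClosed, tz.OuterClosed = nil, false, false
}

// Blob is what step 210 hands to the external-network processing module.
type Blob struct{ Nonce, Ciphertext, WrappedKey []byte }
// aead builds the AES-GCM instance that stands in for the block cipher.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// InternalToExternal runs steps 205-211 on data that already passed the sensitive-information
// filter of step 204. AES-256-GCM stands in for the unspecified block cipher and RSA-OAEP for
// encrypting the data key to the external-network user's public key; both are choices made here.
func InternalToExternal(tz *TransitionZone, filtered []byte, extPub *rsa.PublicKey) (Blob, error) {
	if err := tz.CloseSwitch(false); err != nil { // step 205
		return Blob{}, err
	}
	tz.Buffer = append([]byte(nil), filtered...) // step 207
	tz.InnerClosed = false                        // step 206
	kn := make([]byte, 32+12)                     // step 208: fresh data key and GCM nonce
	rand.Read(kn)                                 // crypto/rand.Read never fails in current Go
	gcm, err := aead(kn[:32])
	if err != nil {
		return Blob{}, err
	}
	ct := gcm.Seal(nil, kn[32:], tz.Buffer, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, extPub, kn[:32], nil)
	if err != nil {
		return Blob{}, err
	}
	if err := tz.CloseSwitch(true); err != nil { // step 209
		return Blob{}, err
	}
	out := Blob{Nonce: kn[32:], Ciphertext: ct, WrappedKey: wrapped} // step 210
	tz.Restore()                                                    // step 211
	return out, nil
}
// ExternalUserDecrypt is step 214: unwrap the data key, then decrypt the data.
func ExternalUserDecrypt(b Blob, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tz := &TransitionZone{}
	blob, err := InternalToExternal(tz, []byte("constructed internal-network payload"), &priv.PublicKey)
	plain, _ := ExternalUserDecrypt(blob, priv)
	fmt.Printf("err=%v got %q; zone buffer after restore: %d bytes\n", err, plain, len(tz.Buffer))
}
```

A tampered ciphertext fails GCM authentication at the external-network user, and a second caller cannot close the outer switch while the inner one is still closed.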

The beneficial effects of the invention are as follows:

The system of the invention comprises an external-network processing module, an internal-network processing module and a transition zone, where the external-network processing module is linked to the internal-network processing module through a one-way data link, the internal-network processing module is linked to the transition zone through a switched one-way data link, and the transition zone is linked to the external-network processing module through a switched one-way data link. Two-way communication of data between networks of different security levels is achieved with two one-way data links, and the system restore and data encryption operations of the transition zone allow data to flow from the high-security internal network into the low-security external network. The invention is used for secure isolation between networks of different security levels and guarantees data security while still allowing two-way data communication.

The invention not only securely isolates networks of different security levels and guarantees two-way data communication between them, but also guarantees the security of the system and, at the same time, the security of the two-way data communication.

Description of the drawings

The invention is described below with reference to the accompanying drawings.

Figure 1 is a structural diagram of the two-way network security isolation system of the invention.

Detailed description

To clearly explain the technical features of this solution, the invention is described in detail below by way of specific embodiments and with reference to the accompanying drawings. The following disclosure provides many different embodiments or examples for implementing different structures of the invention. To simplify the disclosure, the components and arrangements of specific examples are described below. Furthermore, reference numerals and/or letters may be repeated in different examples; this repetition is for simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the drawings are not necessarily drawn to scale. Descriptions of well-known components, processing techniques and processes are omitted to avoid unnecessarily limiting the invention.

As shown in Figure 1, a two-way network security isolation system according to the invention comprises an external-network processing module, an internal-network processing module and a transition zone. The external-network processing module connects to the external network (communicating with it in both directions) and is linked to the internal-network processing module through a one-way data link; the internal-network processing module connects to the internal network (communicating with it in both directions) and is linked to the transition zone through a switched one-way data link; and the transition zone is linked to the external-network processing module through a switched one-way data link.

Preferably, the external-network processing module sends data directly to the internal-network processing module over the one-way data link, the internal-network processing module sends data to the transition zone over the switched one-way data link for staging, and the transition zone sends the staged data to the external-network processing module over the switched one-way data link.

Preferably, the external-network processing module comprises an identity authentication module, an external-network data buffer, an external-network protocol conversion module and a malicious code filtering module. The identity authentication module authenticates external-network users: a user who passes authentication is allowed to log in to the external-network processing module, otherwise the user's connection request is rejected. The external-network data buffer stores data sent from the external network to the internal network and data sent from the internal network to the external network. The external-network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of network packets sent from the external network to the internal network, or packs data sent from the internal network to the external network into network packets according to the TCP/IP protocol. The malicious code filtering module performs malicious code detection on the application-layer data of packets sent from the external network to the internal network and filters out any malicious code they may contain.

Preferably, the internal-network processing module comprises an internal-network data buffer, an internal-network protocol conversion module and a sensitive information filtering module. The internal-network data buffer stores data sent from the external network to the internal network and data sent from the internal network to the external network. The internal-network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of network packets sent from the internal network to the external network, or packs data sent from the external network to the internal network into network packets according to the TCP/IP protocol. The sensitive information filtering module performs sensitive information detection on the application-layer data of packets sent from the internal network to the external network and filters out any sensitive information they may contain.

Preferably, the transition zone comprises a transition data buffer, a system restore module and a data encryption module. The transition data buffer stores the staged data while the internal network is sending data to the external network; the data encryption module encrypts the data sent from the internal network to the external network; and the system restore module clears the data buffer in the transition zone and restores the transition zone to its initial state.

In the invention, the external-network processing module is linked to the internal-network processing module through a one-way data link, meaning that data may only pass from the external-network processing module into the internal-network processing module over that link; the internal-network processing module is linked to the transition zone through a switched one-way data link, meaning that data may only pass from the internal-network processing module into the transition zone over that link; and the transition zone is linked to the external-network processing module through a switched one-way data link, meaning that data may only pass from the transition zone into the external-network processing module over that link. On the basis of the current two-way network security isolation system architecture, the invention thus designs a new two-way network security isolation system that both satisfies the requirements of the security model and achieves two-way data communication.

In the two-way network security isolation method of the invention, when the external network sends data to the internal network, the external-network processing module sends the external-network data directly to the internal-network processing module over the one-way data link; when the internal network sends data to the external network, the internal-network processing module first sends the internal-network data to the transition zone over the switched one-way data link for staging, after which the transition zone sends the staged data on to the external-network processing module over the switched one-way data link.

Further, the process by which the external network sends data to the internal network (that is, when a user on the external network needs to transmit data to an internal-network user) comprises the following steps:

Step 101: the external-network user authenticates to the identity authentication module in the external-network processing module; if authentication succeeds the user is allowed to log in to the external-network processing module, otherwise the user's connection request is rejected;

Step 102: the external-network user transmits the data to be sent to the internal-network user to the external-network processing module according to the TCP/IP protocol;

Step 103: the external-network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of the network packets destined for the internal-network user and stores it in the external-network data buffer;

Step 104: the malicious code filtering module runs malicious code detection on the application-layer data in the external network data buffer, filters out any malicious code it may contain, and stores the result back in the external network data buffer;

Step 105: the external network processing module transmits the malicious-code-filtered data in the external network data buffer to the internal network processing module over the one-way data link;

Step 106: the internal network processing module stores the received data in the internal network data buffer within the internal network processing module;

Step 107: the internal network protocol conversion module in the internal network processing module repackages the received data into network packets according to the TCP/IP protocol and sends them to the internal network user.

The process of sending data from the internal network to the external network (that is, when a user on the internal network needs to transmit data to an external network user) comprises the following steps:

Step 201: the internal network user transmits the data to be sent to the external network user to the internal network processing module using the TCP/IP protocol;

Step 202: the internal network processing module stores the data to be transmitted to the external network user in the internal network data buffer of the internal network processing module;

Step 203: the internal network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of the network packets to be transmitted to the external network user and stores it in the internal network data buffer;

Step 204: the sensitive information filtering module in the internal network processing module runs sensitive information detection on the application-layer data (from the packets to be transmitted to the external network user) held in the internal network data buffer, filters out any sensitive information it may contain, and stores the result back in the internal network data buffer;

Step 205: the internal network processing module closes the switch of the switched one-way data link that connects it to the transition area and transmits the sensitive-information-filtered data in the internal network data buffer to the transition area over that link;

Step 206: once the data transmission is complete, the internal network processing module opens (disconnects) the switch of the switched one-way data link to the transition area;

Step 207: the transition area stores the received data in the transition data buffer within the transition area;

Step 208: the data encryption module in the transition area randomly generates a data encryption key, encrypts the data in the transition data buffer with a block cipher (such as AES), and encrypts that data encryption key with the external network user's public key;

Step 209: the transition area closes the switch of the switched one-way data link that connects it to the external network processing module;

Step 210: the transition area sends the encrypted data together with the encrypted key to the external network processing module over the switched one-way data link that connects them;

Step 211: once the data has been sent, the transition area opens (disconnects) the switch of the switched one-way data link to the external network processing module and at the same time starts the system restore module, which clears the transition data buffer in the transition area and restores the transition area to its initial state;

Step 212: the external network processing module stores the received data (sent by the internal network user to the external network user) in the external network data buffer within the external network processing module;

Step 213: the external network protocol conversion module in the external network processing module packages the data in the external network data buffer that the internal network user sent to the external network user into network packets according to the TCP/IP protocol and sends them to the external network user;

Step 214: on receiving the data, the external network user first decrypts the data encryption key with its own private key, then decrypts the data with that data encryption key, obtaining the data sent by the internal network user.
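The intranet-to-extranet path of steps 205 to 214 worked through in Go as an added example; this is not the patent's code. It assumes AES-256-GCM as the block cipher, RSA-OAEP with a 2048-bit recipient key for wrapping the data key, and a simple concatenated wire format, none of which the patent fixes; the switched links and the transition area are modelled in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SwitchedLink models the patent's "one-way data link with switch": Send works only while the switch is closed.
type SwitchedLink struct {
	Closed bool
	Queue  [][]byte // data that has arrived at the receiving side; nothing ever flows back
}

func (l *SwitchedLink) Send(p []byte) error {
	if !l.Closed { // the resting state between transfers: the link is physically open
		return errors.New("switch open: no path to the receiving side")
	}
	l.Queue = append(l.Queue, append([]byte(nil), p...))
	return nil
}

const nonceSize = 12 // standard AES-GCM nonce length

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // external user's key pair (2048-bit RSA assumed)

type TransitionArea struct {
	Transit []byte        // transit data buffer, filled in step 207
	ToOuter *SwitchedLink // switched one-way link to the external processing module
}

// Forward is steps 208-211: envelope-encrypt the buffer for the external user, close the switch, send, open it
// again, restore the area. Wire format (assumed; the patent fixes none): nonce || RSA-OAEP(AES-256 key) || AES-GCM ct.
func (t *TransitionArea) Forward(recipient *rsa.PublicKey) error {
	kn := make([]byte, 32+nonceSize) // step 208: fresh random data key kn[:32] and GCM nonce kn[32:]
	if _, err := rand.Read(kn); err != nil {
		return err
	}
	gcm, err := newGCM(kn[:32])
	if err != nil {
		return err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, kn[:32], nil)
	if err != nil {
		return err
	}
	msg := append(append(append([]byte{}, kn[32:]...), wrapped...), gcm.Seal(nil, kn[32:], t.Transit, nil)...)
	t.ToOuter.Closed = true        // step 209
	sendErr := t.ToOuter.Send(msg) // step 210
	t.ToOuter.Closed = false       // step 211: disconnect the link ...
	for i := range t.Transit {     // ... and run the system restore module:
		t.Transit[i] = 0 // wipe the intranet plaintext and empty the buffer
	}
	t.Transit = nil
	return sendErr
}

// Unseal is step 214 at the external user: unwrap the data key with the private key, then decrypt and authenticate.
func Unseal(msg []byte, priv *rsa.PrivateKey) ([]byte, error) {
	ks := priv.Size()
	if len(msg) < nonceSize+ks {
		return nil, errors.New("envelope too short")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg[nonceSize:nonceSize+ks], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg[:nonceSize], msg[nonceSize+ks:], nil) // fails on any tampering
}

// RunIntranetToExtranet drives steps 207-214 for one already filtered payload; it reports what the external user recovers and whether the area is clean.
func RunIntranetToExtranet(payload []byte, priv *rsa.PrivateKey) ([]byte, bool, error) {
	area := &TransitionArea{Transit: append([]byte(nil), payload...), ToOuter: &SwitchedLink{}} // step 207
	if err := area.Forward(&priv.PublicKey); err != nil {
		return nil, false, err
	}
	plain, err := Unseal(area.ToOuter.Queue[0], priv) // steps 212-214 on the external side
	return plain, len(area.Transit) == 0, err
}
```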

The present invention achieves two-way data communication between networks of different security levels by means of two one-way data links, and uses the system restore and data encryption operations of the transition area to let data flow from the high-security internal network to the low-security external network. It thereby keeps the data secure while still allowing two-way communication, and can be applied to security isolation between networks of different security levels.

The above is only a preferred embodiment of the present invention. Those of ordinary skill in the art may make various improvements and refinements without departing from the principle of the present invention, and such improvements and refinements are also regarded as falling within the scope of protection of the present invention.

Claims (7)

1. A two-way network security isolation system, characterized in that it comprises an external network processing module, an internal network processing module and a transition region; the external network processing module is connected to the external network and is connected to the internal network processing module by a one-way data link; the internal network processing module is connected to the internal network and is connected to the transition region by a switched one-way data link; and the transition region is connected to the external network processing module by a switched one-way data link.
2. The two-way network security isolation system according to claim 1, characterized in that the external network processing module transmits data directly to the internal network processing module over the one-way data link; the internal network processing module sends data over the switched one-way data link to the transition region for staging; and the transition region sends the transition data to the external network processing module over the switched one-way data link.
3. The two-way network security isolation system according to claim 1 or 2, characterized in that the external network processing module comprises an identity authentication module, an external network data buffer, an external network protocol conversion module and a malicious code filtering module; the identity authentication module authenticates external network users, allowing an external network user to log in to the external network processing module if authentication succeeds and otherwise rejecting the external network user's connection request; the external network data buffer stores the data that the external network sends to the internal network and the data that the internal network sends to the external network; the external network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data in the network packets that the external network sends to the internal network, or packages the data that the internal network sends to the external network into network packets according to the TCP/IP protocol; and the malicious code filtering module runs malicious code detection on the application-layer data in the network packets that the external network sends to the internal network and filters out any malicious code they may contain.
4. The two-way network security isolation system according to claim 1 or 2, characterized in that the internal network processing module comprises an internal network data buffer, an internal network protocol conversion module and a sensitive information filtering module; the internal network data buffer stores the data that the external network sends to the internal network and the data that the internal network sends to the external network; the internal network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data in the network packets that the internal network sends to the external network, or packages the data that the external network sends to the internal network into network packets according to the TCP/IP protocol; and the sensitive information filtering module runs sensitive information detection on the application-layer data in the network packets that the internal network sends to the external network and filters out any sensitive information they may contain.
5. The two-way network security isolation system according to claim 1 or 2, characterized in that the transition region comprises a transition data buffer, a system restore module and a data encryption module; the transition data buffer stores the transition data while the internal network sends data to the external network; the data encryption module encrypts the data that the internal network sends to the external network; and the system restore module clears the data buffer in the transition region and restores the transition region to its initial state.
6. A two-way network security isolation method, characterized in that when the external network sends data to the internal network, the external network processing module transmits the external network data directly to the internal network processing module over a one-way data link; and when the internal network sends data to the external network, the internal network processing module first sends the internal network data over a switched one-way data link to a transition region for staging, and the transition region then forwards the transition data to the external network processing module over a switched one-way data link.
7. The two-way network security isolation method according to claim 6, characterized in that
the process by which the external network sends data to the internal network comprises the following steps:
Step 101: the external network user authenticates to the identity authentication module in the external network processing module; if authentication succeeds, the external network user is allowed to log in to the external network processing module, otherwise the external network user's connection request is rejected;
Step 102: the external network user transmits the data to be sent to the internal network user to the external network processing module according to the TCP/IP protocol;
Step 103: the external network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of the network packets to be sent to the internal network user and stores it in the external network data buffer;
Step 104: the malicious code filtering module runs malicious code detection on the application-layer data in the external network data buffer, filters out any malicious code it may contain, and stores the result back in the external network data buffer;
Step 105: the external network processing module transmits the malicious-code-filtered data in the external network data buffer to the internal network processing module over the one-way data link;
Step 106: the internal network processing module stores the received data in the internal network data buffer within the internal network processing module;
Step 107: the internal network protocol conversion module in the internal network processing module repackages the received data into network packets according to the TCP/IP protocol and sends them to the internal network user;
the process by which the internal network sends data to the external network comprises the following steps:
Step 201: the internal network user transmits the data to be sent to the external network user to the internal network processing module according to the TCP/IP protocol;
Step 202: the internal network processing module stores the data to be transmitted to the external network user in the internal network data buffer of the internal network processing module;
Step 203: the internal network protocol conversion module parses, according to the TCP/IP protocol, the application-layer data out of the network packets to be transmitted to the external network user and stores it in the internal network data buffer;
Step 204: the sensitive information filtering module in the internal network processing module runs sensitive information detection on the application-layer data in the internal network data buffer that is to be transmitted to the external network user, filters out any sensitive information it may contain, and stores the result back in the internal network data buffer;
Step 205: the internal network processing module closes the switch of the switched one-way data link connected to the transition region and transmits the sensitive-information-filtered data in the internal network data buffer to the transition region over that switched one-way data link;
Step 206: once the data transmission is complete, the internal network processing module opens the switch of the switched one-way data link connected to the transition region;
Step 207: the transition region stores the received data in the transition data buffer within the transition region;
Step 208: the data encryption module in the transition region randomly generates a data encryption key, encrypts the data in the transition data buffer with a block cipher, and encrypts the data encryption key with the external network user's public key;
Step 209: the transition region closes the switch of the switched one-way data link connected to the external network processing module;
Step 210: the transition region sends the encrypted data together with the encrypted key to the external network processing module over the switched one-way data link connected to the external network processing module;
Step 211: once the data has been sent, the transition region opens the switch of the switched one-way data link connected to the external network processing module and at the same time starts the system restore module, which clears the transition data buffer in the transition region and restores the transition region to its initial state;
Step 212: the external network processing module stores the received data that the internal network user transmitted to the external network user in the external network data buffer within the external network processing module;
Step 213: the external network protocol conversion module in the external network processing module packages the data in the external network data buffer that the internal network user transmitted to the external network user into network packets according to the TCP/IP protocol and sends them to the external network user;
Step 214: on receiving the data, the external network user first decrypts the data encryption key with its own private key, then decrypts the data with the data encryption key, obtaining the data sent by the internal network user.
CN201710374477.XA 2017-05-24 2017-05-24 A kind of bilateral network security isolation system and method Pending CN106998333A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710374477.XA CN106998333A (en) 2017-05-24 2017-05-24 A kind of bilateral network security isolation system and method

Publications (1)

Publication Number Publication Date
CN106998333A true CN106998333A (en) 2017-08-01

Family

ID=59435980

Country Status (1)

Country Link
CN (1) CN106998333A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103491072A (en) * 2013-09-06 2014-01-01 北京信息控制研究所 Boundary access control method based on double one-way separation gatekeepers
CN104363221A (en) * 2014-11-10 2015-02-18 青岛微智慧信息有限公司 Network safety isolation file transmission control method
US20150088934A1 (en) * 2013-09-20 2015-03-26 Open Text S.A. Hosted application gateway architecture with multi-level security policy and rule promulgations
CN104486336A (en) * 2014-12-12 2015-04-01 冶金自动化研究设计院 Device for safely isolating and exchanging industrial control networks
CN106341397A (en) * 2016-08-25 2017-01-18 柏盟(北京)科技发展有限公司 Industrial safety isolation GAP

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李旋, 吴其聪: "A network gatekeeper implementation method with data encryption and integrity protection", 《南通大学学报(自然科学版)》 *
郑炜: "Research on a gigabit physical isolation gatekeeper system based on a MIPS CPU", 《中国优秀硕士学位论文全文数据库信息科技辑》 *

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107809392A (en) * 2017-10-18 2018-03-16 珠海许继芝电网自动化有限公司 A kind of data transmission method across forward and reverse isolation load balancing and high reliability
CN107888599A (en) * 2017-11-17 2018-04-06 中国航空工业集团公司西安航空计算技术研究所 Intercommunication system and method between a kind of avionics height secure network domain
CN107888599B (en) * 2017-11-17 2020-10-27 中国航空工业集团公司西安航空计算技术研究所 Two-way communication system and method between high-low security network domains of avionics
CN108390778A (en) * 2018-02-10 2018-08-10 浙江财经大学 A kind of computer network security prior-warning device
CN110381008B (en) * 2018-04-13 2022-02-25 海南波克科技有限公司 Network security dynamic defense system and method based on big data
CN110381008A (en) * 2018-04-13 2019-10-25 武汉梓金山科技有限公司 A kind of Dynamic Defense System of Network Security and method based on big data
CN108833395A (en) * 2018-06-07 2018-11-16 北京网迅科技有限公司杭州分公司 A kind of outer net access authentication system and authentication method based on hardware access card
CN110290060A (en) * 2019-07-15 2019-09-27 腾讯科技(深圳)有限公司 A kind of internetwork communication method, apparatus and storage medium
CN110290060B (en) * 2019-07-15 2021-12-14 腾讯科技(深圳)有限公司 Cross-network communication method, device and storage medium
CN110545324A (en) * 2019-09-04 2019-12-06 北京百度网讯科技有限公司 Data processing method, device, system, network equipment and storage medium
CN110933025A (en) * 2019-10-21 2020-03-27 武汉神库小匠科技有限公司 Multi-source heterogeneous data cross-domain synchronous shared storage method, device, equipment and medium
CN114766086A (en) * 2019-12-19 2022-07-19 西门子交通有限责任公司 Transmission device for transmitting data
CN111556062A (en) * 2020-05-06 2020-08-18 国网电力科学研究院有限公司 A network security isolation device and method with one-way import function
CN113824669A (en) * 2020-06-18 2021-12-21 深圳市桑威科技有限公司 External computer network early warning equipment and method
CN112468571B (en) * 2020-11-24 2022-02-01 中国联合网络通信集团有限公司 Intranet and extranet data synchronization method and device, electronic equipment and storage medium
CN112468571A (en) * 2020-11-24 2021-03-09 中国联合网络通信集团有限公司 Intranet and extranet data synchronization method and device, electronic equipment and storage medium
CN114024753A (en) * 2021-11-08 2022-02-08 中铁信安(北京)信息安全技术有限公司 A data communication two-way ferry isolation device and method
CN114024753B (en) * 2021-11-08 2025-01-17 中铁信安(北京)信息安全技术有限公司 A data communication two-way ferry isolation device and method
CN114297650A (en) * 2021-12-29 2022-04-08 北京安天网络安全技术有限公司 Data flow protection method and device based on application system
CN114500068B (en) * 2022-02-10 2024-01-09 广州云羲网络科技有限公司 Information data exchange system based on safety isolation gatekeeper
CN114500068A (en) * 2022-02-10 2022-05-13 广州云羲网络科技有限公司 Information data exchange system based on safety isolation network gate
CN114553528A (en) * 2022-02-22 2022-05-27 成都睿智兴华信息技术有限公司 Internal and external network data safety transmission system and transmission method thereof
CN114553528B (en) * 2022-02-22 2024-04-19 成都睿智兴华信息技术有限公司 Internal and external network data safety transmission system and transmission method thereof
CN114465821A (en) * 2022-04-02 2022-05-10 浙江国利网安科技有限公司 Data transmission system and data transmission method
CN114615082A (en) * 2022-04-07 2022-06-10 西安热工研究院有限公司 System and method for simulating TCP duplex safety communication by using forward and reverse network gates
CN114615082B (en) * 2022-04-07 2023-09-12 西安热工研究院有限公司 A system and method for simulating TCP duplex secure communication using forward and reverse gatekeepers
CN114710360A (en) * 2022-04-15 2022-07-05 北京全路通信信号研究设计院集团有限公司 Audit-based inside-out data secure transmission method and system and electronic equipment
CN114710360B (en) * 2022-04-15 2024-01-19 北京全路通信信号研究设计院集团有限公司 Audit-based inside-to-outside data security transmission method and system and electronic equipment
CN115242432A (en) * 2022-06-13 2022-10-25 中国电子科技集团公司第三十研究所 Cross-domain time synchronization device and method
CN115242432B (en) * 2022-06-13 2023-05-16 中国电子科技集团公司第三十研究所 Cross-domain time synchronization device and method
CN115242446A (en) * 2022-06-22 2022-10-25 中国电子科技集团公司第五十二研究所 Cloud desktop one-way data importing system and method under intranet environment
CN115514573A (en) * 2022-09-28 2022-12-23 广船国际有限公司 Physically isolated file ferry system, method, device, equipment and medium

Similar Documents

Publication Publication Date Title
CN106998333A (en) A kind of bilateral network security isolation system and method
CN108965215B (en) A dynamic security method and system for multi-integrated linkage response
CN103491072B (en) A kind of border access control method based on double unidirection insulation network brakes
Weinberg et al. Stegotorus: a camouflage proxy for the tor anonymity system
CN104683352B (en) A kind of industrial communication isolation gap with binary channels ferry-boat
Xin A mixed encryption algorithm used in internet of things security transmission system
CN202178780U (en) Internal-and-external network safety isolation system based on one-way transmission
CN111245862A (en) System for safely receiving and sending terminal data of Internet of things
CN101262405B (en) High Speed Security Virtual Private Network System Based on Network Processor and Its Realization Method
CN101795271B (en) network security printing system and printing method
CN102316108B (en) Device for establishing network isolated channel and method thereof
CN104994094B (en) Virtual platform safety protecting method based on virtual switch, device and system
CN111859472A (en) Security plug-in for system-on-chip platform
CN107172020A (en) A kind of network data security exchange method and system
CN108810023A (en) Safe encryption method, key sharing method and safety encryption isolation gateway
CN106209883A (en) Based on link selection and the multi-chain circuit transmission method and system of broken restructuring
CN108449310B (en) Domestic network security isolation and one-way import system and method
CN103428204A (en) Data security implementation method capable of resisting timing attacks and devices
CN107493292A (en) The information transmission system and method for isomery multichannel security isolation
CN106506540A (en) A kind of intranet data transmission method of attack resistance and system
CN101521667A (en) Method and device for safety data communication
CN103220279A (en) Safe data transmission method and system
CN102710638A (en) Device and method for isolating data by adopting non-network manner
CN1326365C (en) Worm blocking system and method using hardware-based pattern matching
CN102882859B (en) A kind of safety protecting method based on public network data transmission information system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170801