FAQs about physical isolation locks

FAQs about physical isolation locks
Do physical isolation locks must adopt dedicated switch integrated circuits?

A: No. In the implementation of the switch, the most direct way is to use a dedicated switch integrated circuit to directly control the bus. Due to the horizontal limitation of China's chip manufacturing industry, it is difficult to guarantee the performance and quality. When it is sent to foreign production, it is necessary to hand over the circuit design and worry about security issues. Another problem is the mass production and price of dedicated chips, which is hard to be solved in the United States. Currently, there are not many physical isolation gateway manufacturers in the United States that use dedicated switch chips.

How does physical isolation gateway use SCSI to implement switch technology?

A: First, SCSI is not a communication protocol, but a protocol used to read and write data from hosts to storage peripherals. Connect a storage device through two hosts, such:

The solid-state storage medium in the middle uses block instead of a file system ). The external host can initiate read and write requests to the solid state storage media. The internal host can also initiate read and write requests to the solid state storage media, but the solid state storage media only accepts one request at a time. The solid state storage media itself cannot initiate connection requests to the host. Therefore, external hosts and internal hosts are not connected and can only be ferry through solid state storage media. This provides a simple switching principle. In actual technology, it is much more complicated. manufacturers need to solve a series of problems, such as clock problems, efficiency problems, synchronization problems, reliability problems, and blocking problems, to realize the SCSI-based switch technology. Because the SCSI connection does not have any programming interface of the upper layer protocol, it only has the read/write function, and can block any upper layer communication protocol, including TCP/IP, with high reliability and stability. Therefore, the switch design between hosts using SCSI Technology in the core layer of the operating system is very popular internationally and is also a mainstream trend.

Can I use USB, Firewire, and ethereum to enable soft switches for physical isolation switches?

A: No. USB, Firewire, and Ethernet are communication protocols, which are similar to firewalls in terms of security. The USB, Firewire, and Ethernet programming interfaces are easy to add. For example, loading TCP/IP may be controlled by some software programming methods, the TCP/IP and application services cannot be effectively and thoroughly interrupted. The intercept based on the above Media (some vendors claim to be soft switches) is not the required switch for physical isolation locks. The line is disconnected, not physical isolation. (For details, see answers to common concepts of physical isolation locks)

Why does SCSI work, while USB, Firewire, and Ethernet work?

A: It is easy for everyone to accept the integrated circuit switch. SCSI is also a line, USB, wire and Ethernet are also a line. Why does SCSI work, and others do not work? The reason is very simple. scsi is not a communication protocol, but a file read/write protocol. The SCSI line and the solid state storage media are used as a system to implement the switching principle. USB, Firewire, and Ethernet are communication protocols. They are connected to two hosts and do not have the isolation and security features required by physical isolation locks.

Is the switch speed of the physical isolation gateway slow?

A: It's not slow. The PCI bandwidth of a 32-bit bus with 33 MHz is 132 Mbit/s. The PCI bandwidth of a 64-bit bus of 66mhz is 528 Mbit/s. The two-channel 320 Mbit/s SCSI can achieve a total bandwidth of 640 Mbit/s, that is, 5120 Mbit/s. 5G bandwidth should be enough.

What layer does the physical isolation gateway work on in the OSI model?

A: All layer-7 instances work. (For details, refer to the White Paper on physical isolation of CEN)

How does a physical isolation gateway work at Layer 5th of the OSI model?

A: The physical isolation gateway interrupts TCP sessions by working on Layer 3. It restores a group of IP packets to an application data. Therefore, all TCP-based attacks are removed. For example, synflooding attacks.

How does a physical isolation gateway work at Layer 7 of the OSI model?

A: The physical isolation gateway must provide specific application proxy services on both the external and internal hosts. Packages of application services that do not provide Proxy services will fail. Only when the relevant application proxy service is provided and the TCP/IP is stripped can the application protocol be "stripped" to shield potential vulnerabilities of the application protocol and ensure security. The application proxy "restores" the application data and uses the switching circuit "Ferry" to the other party.

How does the information security exchange system work?

A: The OSI model of the information security exchange system is shown below. External host proxy. Internal host proxy and intermediate security check host. The three hosts are connected through Ethernet. It has been said that the security check host in the middle can be manually switched using a physical isolation card. Some system applications similar to security systems and physical isolation cards can be considered as physical isolation, but not physical isolation.

How does a security isolation gateway work in the OSI model?

A: There are many security isolation work models. Among them, one of the most secure is.

However, it is not found that this structure is essentially different from a single proxy, unless the operating system of the internal host is different from that of the external host. The other two models of this structure are as follows: Circuit proxy and packet filtering.

After performing authentication and session check, the circuit proxy is pre-released, which is more efficient than the application proxy.

The dual-host structure of packet filtering is currently the most secure. It almost cannot be seen that it is different from the connection between two packet filtering firewalls. Some vendors extract data from the kernel of the external host, set the NIC to the hybrid mode, and directly transmit the data to the kernel of the internal host. It sounds safe and nothing is actually done. For example, some physical isolation means that the two hosts are directly connected using Ethernet in the chassis.

Does physical isolation mean protocol conversion?

A: No. In the form of Dual-host, protocol conversion is performed between two hosts, which is still in the scope of security isolation or logical isolation. Because protocol conversion does not mean that protocol-based attacks are eliminated, communication connections exist, and communication-based attacks exist.

What types and forms of protocol-based conversion-based dual-Host Architecture?

A: There are three main types: application proxy, circuit proxy, and packet filtering. Protocol conversion formats include but are not limited to USB, Firewire, serial port, parallel port, ATM, Myrinet, and dedicated ASIC cards.

Many people do not think that the dual host is connected in the Ethernet mode, which can increase security or what physical isolation is. In theory, hackers can detect host vulnerabilities by scanning operating system vulnerabilities, intrude into the host, and then scan the next host to gradually intrude into the host. Therefore, some manufacturers have changed ethernet cables to serial ports, parallel ports, USB or Firewire, and some simply run TCP/IP protocols on USB or firewire. In general, it can be concluded that there is a communication protocol or even a TCP/IP protocol between two hosts. In some cases, packets directly reach the internal host from the external host, packet-based attacks may occur. In some cases, connection-based attacks may occur. In some cases, command-based attacks may occur. Therefore, private communication protocols do not mean security.

Some vendors use TCP stream to restore data streams to increase content check. These functions can also be added to the firewall. If a vendor launches stream filtering, it is such a feature. This is just a variant. There are also connection-based attacks, session-based attacks, and protocol-based attacks.

This is another variant. The application proxy is used on the dual host to enhance security and eliminate the possibility of Protocol Vulnerability attacks. However, there is still a possibility of communication-based connection attacks. Therefore, none of the above are physical isolation locks.

What proxy is required for each application of the physical isolation Gateway?

A: Yes. In addition to standard and common applications, each application can be customized as long as there are protocol specifications. Therefore, physical isolation locks can be used in any industry, no matter how special their applications are.

Does the application proxy of the physical isolation gateway comply with the RFC specifications?

A: Yes. Only conformity can ensure the transparency and interconnectivity of applications.

The Intranet cannot be pinged from the Internet. Is it a physical isolation gate?

A: Not necessarily. Of course, you cannot Ping physical isolation locks, but not necessarily physical isolation locks. If the ICMP protocol is disabled on the vro, Ping cannot work, but it is not a physical isolation gateway.

An Intranet host cannot be scanned from the Internet. Is it a physical isolation gatekeeper?

A: Not necessarily. Scanning Software cannot scan internal hosts through physical isolation locks, but it cannot scan internal hosts, not necessarily physical isolation locks. Scanning Software cannot scan internal hosts through the proxy server, but the proxy server is not a physical isolation gateway.

Packet forwarding is implemented through the switch. Is it a physical isolation gatekeeper?

A: No. A TCP connection can be established even if the packet contains the TCP/IP protocol. There are packet and TCP-based attacks.

Why can't I intrude into internal hosts even if I intrude into the external hosts of the network gate?

A: The external host and the internal host of the physical isolation gateway do not communicate through conversations, but do not communicate with each other. They only perform simple operations according to the "good" conventions. For example, in the worst possible case, hackers intrude into external hosts and can manually write files to the solid state storage media. After the internal host obtains these files, internal applications cannot understand these files, so they have to lose them. Even if they understand these files and find that they do not comply with security policies, they also lose them. The decision of the internal host is not determined by the file sent from the external host, but by the internal security policy. Therefore, internal control is not possible. In addition, there is no connection, no communication, no protocol, and it is impossible to intrude into the internal system.

What measures can be taken to prevent intrusion on external hosts with physical isolation locks?

A: access to the external host must be permitted to provide services. From an absolute technical point of view, there is no operating system to ensure that my operating system has no vulnerabilities. Therefore, in theory, there is a possibility of an attack on the external host, even a small probability event in one thousandth. This does not mean that the external host will be attacked. There are many technical means to ensure that hackers cannot intrude into the system even if the operating system has vulnerabilities, such as lightweight intrusion detection, closing the logon host service, and protecting the configuration file from tampering, and many other measures to minimize the risk of external host intrusion.

Why can physical isolation locks prevent unknown attacks?

A: currently, attacks are categorized as application protocol-based vulnerabilities, TCP/IP protocol-based vulnerabilities, command-based attacks, and packet-based attacks. The physical isolation gatekeeper fundamentally solves these four types of attacks. Therefore, new attacks can be prevented as long as they are based on the above four principles, both known and unknown.

Is the physical isolation gateway the most secure?

A: Yes. The physical isolation Gatekeeper is positioned to provide the highest security, which is used for access to the confidential network, protect core assets, protect private networks with high security requirements, protect key databases, and protect the system from attacks from the Internet.