During the development of the firewall, people finally realized the security limitations of the firewall. The contradiction between high performance, high security, and ease of use is not well resolved. The firewall architecture is flawed in terms of high security and drives people to pursue solutions with higher security. People expect more secure technical means and the isolation of network gate technology will emerge.
The isolated gatekeeper technology is a dark horse in the security market. After a long clarification of market concepts and the evolution of marathon technology, the market finally accepts isolated network switches with the highest security. For example, the physical isolation gateway X-gap developed by CEN can interrupt the direct connection of the network, not only check all protocols, but also strip the protocols and directly restore them to the original data, data can be checked and scanned to prevent malicious code and viruses, or even to request data attributes. TCP/IP is not supported and does not depend on the operating system, perform a comprehensive inspection on Layer 7 of OSI and reorganize all data on Heterogeneous Media. Therefore, the network is isolated and can be blocked from various network attacks and intrusions to provide users with secure browsing, sending and receiving emails, and data exchange based on files and databases.
The Internet is implemented based on TCP/IP, and all attacks can be classified as one or more layers of attacks based on the OSI Data Communication Model of TCP/IP, therefore, the first and most direct idea is to disconnect all layers of the OSI Data Model of TCP/IP to eliminate the current attacks on TCP/IP networks, this is the basis for realizing network isolation in the network physical isolation gate X-GAP. The following uses the physical isolation gate X-gap of the China Network as an example. The specific discussion involves the following points.
I. network physical layer disconnection
The physical layer can be attacked. In particular, the logical representation of the physical layer can be attacked. The main attack methods for the logical representation of the network layer are spoofing and forgery. Therefore, the authentication and authentication methods can be used to prevent spoofing and forgery. This is a common method for binding IP addresses and MAC addresses. It is also feasible to directly control access to the MAC address itself, which is the Mac firewall. The final solution is to completely disconnect the physical layer without the network function, so there will be no attacks from the network.
Physical Layer disconnection is a complex concept. The physical layer is disconnected. For example, wireless is invisible to human eyes, but the physical layer is connected. The physical layer connection is not what the human eye can see. For example, if two computers are connected by a piece of wood, although it is a physical connection in reality, it cannot establish a connection to the data link in an OSI model based on the connection, therefore, it is not a physical layer connection in the sense of an OSL model. In this sense, it is difficult to determine whether it is connected or not.
Due to the universality of air and vacuum, it is at least difficult to identify to any two computers that they do not have connections in a certain reality. Air and vacuum can transmit electromagnetic waves. Therefore, you cannot simply define the disconnection of the physical layer.
Technically, the disconnection on a physical layer should be "cannot establish a data link in an OSI model based on a physical layer connection ". Let's check whether the definition is correct. Wireless Transmission, based on the connection of physical media invisible to the human eye, can establish a connection to the data link in the OSI model, so it is not the disconnection of the physical layer. A piece of wood connects two computers. Although it is a real connection, it is not a physical connection in a strict sense in the OSI model, nor can it establish a data link in an OSI model, so it is disconnected.
The disconnection of the physical layer may lead to the failure of the working mechanism of other layers of the OSI model. Therefore, attacks on other layers can be reduced. However, the disconnection of the physical layer only addresses physical layer-based attacks and does not imply that attacks against other layers of the OSI model can be solved. In the subsequent technical implementation, we did find an example of a switch-based FTP resumable data transfer application, indicating that physical layer disconnection does not guarantee the elimination of attacks against other layers.
2. Disconnection of the network data link layer
A data link is a communication protocol concept that establishes a data link that can communicate with each other on the physical layer. Communication protocols can be attacked. Data links can be attacked.
Therefore, network isolation must also disconnect any data links that may be established based on the physical layer, rather than overtcp/ip.
What does data link disconnection mean? First, all control signals for establishing communication links must be eliminated because these signals can be attacked. Second, there is no guarantee on whether or not the data is delivered or correct during each data transmission. Once again, you cannot establish a session mechanism. Therefore, in technical terms, Data Link disconnection means that the probability of the correlation between the last data transmission and the next data transmission is zero. Therefore, there is no reliability guarantee for data transmission without data links.
The disconnection of data links breaks down the Communication Foundation and eliminates Data Link-based attacks. As mentioned above, it seems that the disconnection of data links greatly reduces attacks on other layers, but it cannot be ruled out. We can imagine that the unreliable data broadcast and transmission does not mean that the correct data cannot be correctly transmitted once, so there is still the possibility of attacks based on the upper layer.
3. Network Layer disconnection
Network Layer disconnection means to strip all IP protocols.
If the IP address is removed, the internal network structure will not be exposed based on the IP packet, so there will be no true or false IP addresses or IP fragmentation, and all attacks based on the IP protocol will be eliminated.
Iv. Disconnection of the Network Transmission Layer
The disconnection of the transport layer is to strip the TCP or UDP protocol. Therefore, TCP or UDP-based attacks are eliminated.
5. Disconnection of the Network Session Layer
The Session Layer disconnection actually disconnects an application session and eliminates the interactive application session.
6. Disconnection of the network performance Layer
The presentation layer is a cross-platform application used to ensure the network. When the presentation layer is removed, cross-platform applications are eliminated.
7. Network Application Layer disconnection
The disconnection of the application layer means that all application protocols are eliminated or stripped. The disconnection at the application layer is not entirely a proxy at the application layer. Some Application Layer proxies only check whether the application protocol complies with the specifications and do not implement the functions of stripping and restructuring. Therefore, the application layer is not broken, but the application layer is checked.
The principle of layer-7 disconnection of the OSI model is introduced above. The physical isolation or network isolation refers to the disconnection of all seven layers. Although the disconnection of each layer reduces the probability of attacks on other layers, it does not theoretically eliminate attacks on other layers. Some examples show that if a layer is disconnected, attacks against other layers still exist. The isolation gatekeeper must completely disconnect all layers of the OSI model. On the basis of the disconnection, the "copy disk" of files or data is implemented ".