Analysis of the function and implementation technology of physical isolation
Positioning of the physical isolation network gate
Physical isolation technology does not replace firewalls, intrusion detection, vulnerability scanning or antivirus systems; it is another cornerstone of the user's "defense-in-depth" security strategy and is generally used to protect the "core" of the system. Physical isolation technology is an absolute solution to the security problem posed by the Internet connection, and to no other problem.
Problems to be solved by physical isolation
It addresses the fundamental problems of today's firewalls:
• Firewalls depend on the operating system, and the operating system itself has vulnerabilities.
• TCP/IP protocol vulnerabilities: no TCP/IP is carried across the boundary.
• The firewall, the intranet and the DMZ are all directly connected to one another.
• Application protocol vulnerabilities: the commands and directives carried may be illegal.
• Files carrying viruses and malicious code: do not support MIME, accept only plain text, or rely on antivirus or malicious-code checking software.
The guiding ideas of physical isolation and of firewalls are very different: (1) the firewall's idea is to be as secure as possible on the premise of interconnection; (2) the idea of physical isolation is to interconnect and interoperate as much as possible on the premise of guaranteed security.
Vulnerabilities in TCP/IP
TCP/IP is a product of the Cold War period; its goal was to guarantee connectivity and to guarantee rough transmission. Data integrity is ensured by back-and-forth acknowledgement, and retransmission takes place when no acknowledgement arrives. TCP/IP has no intrinsic control mechanism for verifying the source address, that is, for verifying where an IP packet really comes from. This is the root cause of TCP/IP's vulnerability. Exploiting this loophole, an attacker can intercept data, inspect it, guess the TCP sequence number, alter the transmission route, alter the authentication process and insert his own data stream. The Morris virus exploited exactly this and caused great harm to the Internet.
Firewall vulnerabilities
To provide a service, the firewall must open the corresponding port: to allow HTTP it must open port 80, and to provide mail it must open port 25. Attacks that arrive through an open port are not protected against by the firewall. The firewall cannot block a DoS or DDoS attack against an open port. It cannot prevent attacks carried in data flowing in through the open service, attacks using a covert tunnel inside the open service's data, or attacks on flaws in the software behind the open service.
The firewall cannot prevent attacks on itself; it can only confront them. The firewall is a passive defense mechanism, not an active security mechanism. It cannot interfere with a packet that has not yet reached it; if that packet is an attack on the firewall, the firewall can only fight back once the attack has already occurred, and cannot prevent it at all.
No technology solves all security problems, but the deeper the defense in depth, the more secure the network. The physical isolation network gate is at present the only security device that can solve the problems above.
The technical principle of physical isolation
The technical architecture of physical isolation is built on isolation. The following group of figures gives a clear picture of how physical isolation is achieved.
In Figure 1, the extranet is the Internet, which is not highly secure, and the intranet is a highly secure internal private network. Under normal circumstances the isolation device and the extranet, the isolation device and the intranet, and the extranet and the intranet are all completely disconnected, so the two networks are completely disconnected.
The isolation device can be understood as a pure storage medium together with a simple dispatch and control circuit.
When the extranet has data to send to the intranet, taking email as the example, the external server immediately initiates a non-TCP/IP data connection to the isolation device; the isolation device strips off all protocols and writes the raw data to the storage medium. Depending on the application, integrity and security checks, such as anti-virus and malicious-code checks, may be performed on the data. See Figure 2 below.
Once the data is fully written to the isolation device's storage medium, the isolation device immediately breaks the connection to the extranet and instead initiates a non-TCP/IP data connection to the intranet, pushing the data in the storage medium into the intranet. After the intranet receives the data, it immediately re-encapsulates it in TCP/IP and the application protocol and hands it to the application system.
At this point the intranet email system has received an email from the extranet email system, forwarded through the isolation device. See Figure 3 below.
After the console receives the exchange-complete signal, the isolation device immediately cuts off the direct connection between the isolation device and the intranet. See Figure 4 below.
If at this time the intranet has an email to send, the isolation device receives the intranet's connection request and establishes a non-TCP/IP data connection with the intranet. It strips off all TCP/IP and application protocols, obtains the raw data, writes it to its storage medium, and performs anti-virus and malicious-code checks as necessary. It then breaks the direct connection with the intranet. See Figure 5 below.
Once the data is fully written to the isolation device's storage medium, the isolation device immediately breaks the connection to the intranet and instead initiates a non-TCP/IP data connection to the extranet, pushing the data in the storage medium out to the extranet. After the extranet receives the data, it re-encapsulates it in TCP/IP and the application protocol and hands it to the system. See Figure 6 below.
When the console receives the completion notification, it immediately breaks the connection between the isolation device and the extranet, restoring the fully isolated state. See Figure 7 below.
Each data exchange takes the isolation device through three processes: receiving, storing and forwarding. Because these rules are executed in memory and inside the kernel, speed is guaranteed and the device can reach 100% of the bus processing capacity.
One characteristic of physical isolation is that the intranet and the extranet are never connected: at any moment only one of them has a non-TCP/IP data connection with the isolation device. Its data transmission mechanism is store-and-forward.
The benefits of physical isolation are obvious: even in the worst case for the extranet, the intranet suffers no damage, and repairing the extranet system is also very easy.
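The store-and-forward exchange described in Figures 2 to 7 can be modelled as a small state machine. The following is an added simulation written for this page, not the code of any isolation product: the gate is a storage slot plus a connection switch that may point at the extranet, the intranet or nothing, and every exchange is accept (strip protocols, keep raw data, run the content check), store, then forward to the opposite side. The names `IsolationGate`, `Message`, `transfer` and the marker string used as a stand-in virus signature are all constructed for the example; the addresses are documentation ranges. An audit function over the gate's event log checks the invariant the text states: the two networks are never connected at the same time.

```python
"""Simulation of a store-and-forward physical isolation gate (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Side(Enum):
    NONE = "none"
    EXTRANET = "extranet"
    INTRANET = "intranet"


class GateError(Exception):
    """Raised when an operation would violate the isolation rules."""


@dataclass
class Message:
    """A TCP/IP-encapsulated application message on one network (constructed)."""
    src_ip: str
    dst_ip: str
    application: str   # which application the gate serves, e.g. "email"
    payload: bytes     # the raw data; the only thing allowed to cross the gate


@dataclass
class IsolationGate:
    """Storage medium plus a dispatch circuit connected to at most one side."""
    storage: Optional[bytes] = None
    connected: Side = Side.NONE
    stored_from: Side = Side.NONE
    log: List[Tuple[str, str]] = field(default_factory=list)

    def _connect(self, side: Side) -> None:
        # A second connection while one is open would bridge the two networks.
        if self.connected is not Side.NONE:
            raise GateError(f"already connected to {self.connected.value}")
        self.connected = side
        self.log.append(("connect", side.value))

    def _disconnect(self) -> None:
        self.log.append(("disconnect", self.connected.value))
        self.connected = Side.NONE

    def accept(self, side: Side, msg: Message, scanner: Callable[[bytes], bool]) -> None:
        """Receive: strip TCP/IP and application protocol, check and store raw data."""
        self._connect(side)
        try:
            raw = msg.payload            # addresses, ports and headers are dropped here
            if not scanner(raw):         # anti-virus / malicious-code check on raw data
                raise GateError("content check failed; data discarded")
            self.storage, self.stored_from = raw, side
        except GateError:
            self.storage, self.stored_from = None, Side.NONE
            raise
        finally:
            self._disconnect()           # always return to the fully isolated state

    def forward(self, side: Side) -> bytes:
        """Forward: push stored raw data to the opposite side, then isolate again."""
        if self.storage is None:
            raise GateError("nothing stored")
        if side is self.stored_from:
            raise GateError("data may only be forwarded to the opposite network")
        self._connect(side)
        try:
            data = self.storage
            self.storage, self.stored_from = None, Side.NONE   # slot emptied on hand-over
            return data
        finally:
            self._disconnect()


def transfer(gate: IsolationGate, msg: Message, source: Side,
             scanner: Callable[[bytes], bool], dest_src_ip: str, dest_dst_ip: str) -> Message:
    """One complete exchange. The receiving side re-encapsulates the raw data with
    its own addresses; the original IP addresses never cross the gate."""
    other = Side.INTRANET if source is Side.EXTRANET else Side.EXTRANET
    gate.accept(source, msg, scanner)
    data = gate.forward(other)
    return Message(dest_src_ip, dest_dst_ip, msg.application, data)


def never_bridged(log: List[Tuple[str, str]]) -> bool:
    """Audit the event log: every connect is closed before the next connect opens."""
    open_side = None
    for event, side in log:
        if event == "connect" and open_side is not None:
            return False
        if event == "disconnect" and open_side != side:
            return False
        open_side = side if event == "connect" else None
    return open_side is None


# Constructed stand-in for a virus signature; a real gate would run a scanner here.
BAD_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def simple_scanner(raw: bytes) -> bool:
    return BAD_MARKER not in raw


def demo():
    """Inbound email (Figures 2-4) followed by the intranet's reply (Figures 5-7)."""
    gate = IsolationGate()
    inbound = Message("203.0.113.10", "198.51.100.5", "email", b"Subject: hello\r\n\r\nbody")
    delivered = transfer(gate, inbound, Side.EXTRANET, simple_scanner, "10.0.0.1", "10.0.0.25")
    outbound = Message("10.0.0.25", "10.0.0.1", "email", b"Subject: re: hello\r\n\r\nreply")
    reply = transfer(gate, outbound, Side.INTRANET, simple_scanner, "198.51.100.5", "203.0.113.10")
    return gate, delivered, reply


if __name__ == "__main__":
    g, d, r = demo()
    print(d, r, "never bridged:", never_bridged(g.log), sep="\n")
```

Running the demo shows the log alternating strictly between connect and disconnect of a single side, and the delivered message carrying intranet addresses rather than the extranet sender's. The `accept` method discards the stored data and still disconnects when the content check fails, which is the failure mode that matters: a rejected file must leave the gate empty and isolated, not half-connected.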