Physical isolation and data exchange: design principles and misconceptions of the net gate

Source: Internet
Author: User
Tags: firewall

1. What is a net gate

Net gate technology grew out of the need to exchange data between an intranet and an extranet. In e-government, for example, the public-facing service network is connected to the Internet, while the government's internal office network must remain confidential: if that intranet were connected to the public network, it would face every threat the public network carries. The advice of security experts is that, with today's security technology, no protective system, whether a firewall, a UTM or anything similar, can guarantee that every attack is blocked, and no monitoring system such as intrusion detection can guarantee that every intrusion is caught; the safest approach is therefore physical separation. Accordingly, the Ministry of Public Security's technical requirements demand "physical isolation" between the internal and external networks of e-government systems. Where there is no connection, an attack from the external network on the internal network is not even a possibility.

Physical isolation, however, makes data communication very inconvenient. Staff on a business trip can reach only the Internet and have no way to retrieve files from the intranet; the office has to put the files on the Internet for them. Likewise, the intranet office system needs statistical data that originates on the extranet, and because the services are isolated, collecting that data is also very difficult. As networked business matured, the demand for data exchange therefore became pressing.

The first solution was manual "transfer": carrying data between the internal and external networks on a USB drive or CD-ROM. As the number of business systems and the volume of data grew, the manual approach clearly became a bottleneck for many businesses. What was needed was equipment, or a solution, that could exchange data while still meeting the security requirement of "physical isolation" between the internal and external networks, and this gave birth to net gate technology.

What a net gate implements is a security concept. What sets it apart from a firewall and other network security devices is that it blocks the communication connection: it only completes the data exchange and carries no service connection, so an attack has no carrier, much as on a "physically isolated" network. The net gate in fact simulates the manual transfer. It uses an intermediate data exchange area that is connected to the internal and external networks in turn, but to only one network at any moment, so that "physical separation" is maintained while data is still exchanged. It is like a ferry on the Yangtze River: there is no bridge making a "physical connection", yet goods are still exchanged between the banks.

Beyond the internal/external exchange needs of e-government, other kinds of classified networks also need to exchange data with public networks, for example: a broadcaster's editing and broadcast network and the Internet, a power company's control network and its office network, a customs operations network and the customs inquiry network, a bank's business network and its online banking network, and so on.

2. How a net gate works

A net gate implements data exchange between two networks whose services are isolated from each other. A typical net gate model is designed in three basic parts:

Intranet processing unit

Extranet processing unit

Isolation and switching control unit

All three units require their software to run on a secure operating system, that is, either a general-purpose operating system or a modified, dedicated one. Usually this is a variant of Unix BSD or Linux, or an embedded operating system such as VxWorks, but in every case unneeded protocols and services are removed at the lowest layers, the protocols in use are optimized and modified, security features are added, and efficiency is improved.

Intranet processing unit: consists of an intranet interface unit and an intranet data buffer. The interface part connects to the intranet and terminates the network connections of intranet users; after the data has passed security inspection (virus detection, firewall, intrusion protection and so on) it strips out the "pure data" and prepares it for exchange. It also identifies the intranet user, so that the data channel is secure. The data buffer stores and schedules the data once it has been split off from the connection, and is responsible for exchanging data with the isolation and switching unit.

Extranet processing unit: same function as the intranet processing unit, except that it handles the external network connection.

Isolation and switching control unit: this is the net gate's "ferry" control, which governs the opening and closing of the switching channel. The unit contains a data exchange area, the ferry boat of the data interchange, which serves as the transit point for exchanged data. Two techniques are currently used to control the switching channel: the ferry switch and channel control. A ferry switch is an electronic switch that connects the data exchange area to the two networks at different times, never to both at once, so that a gap exists in space and time and physical isolation is achieved. The channel method instead changes the communication method between the internal and external networks: it interrupts their direct connection and uses a private communication means to form the physical isolation between them.

Within the internal and external network processing units, the channel between the interface processing and the data buffer is called internal channel 1, and the channel between the buffer and the exchange area is called internal channel 2. Switching control over these internal channels is what isolates the internal and external networks. The model in which an intermediate data exchange area ferries the data is called the three-zone model: during a ferry trip the bus of the exchange area is connected to the inner or the outer network buffer, that is, internal channel 2 is controlled, to complete the data exchange.

Another approach removes the data exchange area and instead controls internal channel 1 and internal channel 2 separately, forming a two-zone model.
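As an added illustration of the three-zone model above (example code written for this page, not a real net gate product), the following simulates the ferry switch, the exchange area and the interface unit's stripping of connections down to "pure data". The invariant it enforces is the one the text describes: the exchange area is connected to at most one network at any moment, and a second connection while one is open is refused. The content policy (allowed file types, size limit) and the message format are constructed assumptions.

```python
from dataclasses import dataclass, field

ALLOWED_TYPES = {"pdf", "xlsx", "txt"}  # constructed content policy of the interface unit
MAX_SIZE = 1_000_000                    # constructed size limit in bytes


def strip_to_pure_data(message):
    """Interface unit: terminate the sender's session and keep only the inspected payload.
    Session state (ids, hosts, ports) never enters the buffer; policy failures are dropped."""
    name, payload = message.get("filename", ""), message.get("payload", b"")
    if name.rsplit(".", 1)[-1].lower() not in ALLOWED_TYPES or len(payload) > MAX_SIZE:
        return None
    return {"filename": name, "payload": payload}


@dataclass
class Ferry:
    """Isolation and switching control unit: exchange area plus the ferry switch."""
    connected: str = "none"            # "none", "intranet" or "extranet"
    exchange_area: list = field(default_factory=list)
    log: list = field(default_factory=list)  # audit trail of switch events

    def connect(self, side):
        # The switch closes toward one network only; a second connect would be a bridge.
        if self.connected != "none":
            raise RuntimeError(f"isolation violation: already connected to {self.connected}")
        self.connected = side
        self.log.append(("connect", side))

    def disconnect(self):
        self.log.append(("disconnect", self.connected))
        self.connected = "none"

    def cycle(self, src_buffer, dst_buffer, src, dst):
        """One ferry trip: load from the source buffer, open the gap, unload into the destination."""
        self.connect(src)
        self.exchange_area.extend(src_buffer)  # internal channel 2 on the source side
        src_buffer.clear()
        self.disconnect()                      # gap: connected to neither network
        self.connect(dst)
        dst_buffer.extend(self.exchange_area)  # internal channel 2 on the destination side
        self.exchange_area.clear()
        self.disconnect()
        return len(dst_buffer)


def never_bridged(log):
    """Audit the switch log: no connect may occur while another connection is still open."""
    open_side = None
    for event, side in log:
        if event == "connect" and open_side is not None:
            return False
        open_side = side if event == "connect" else None
    return True
```

A real device enforces the switch in hardware; the log audit here shows what a defender would check in the device's records: that no two networks were ever joined through the exchange area.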
