Similarities and Differences of Several Data Exchange Technologies under Network Isolation

Source: Internet
Author: User
Tags: firewall

I. BACKGROUND

Physical network isolation is something many network designers choose reluctantly: the network carries a dedicated business, and its security must be guaranteed. But a network is built in order to exchange; without data sharing, the role of the network shrinks a great deal. Network isolation and data exchange are therefore a natural pair of contradictions, and how to secure the network while still exchanging data conveniently is a question many network security engineers have been exploring.

There are many reasons to isolate a network; the two most common are these:

1. Interconnecting a high-security network with a low-security one is unsafe, above all because intrusions and attacks coming from an uncontrolled network can be neither traced nor managed. The Internet is a world-spanning network and also one that is difficult to control; connecting to it means providing public services while defending against every kind of attack and virus. Needing isolation and needing data exchange at the same time is the first problem enterprises, governments and other organizations face when building networks.

2. Protection technology always lags behind attack technology. First came the spear, which can stab the enemy; then came the shield, which can block the stab. Attack techniques keep changing and upgrading, the barrier to entry keeps dropping, vulnerabilities appear at ever shorter intervals, and virus propagation techniques have become a delivery vehicle for Trojans. Protection technology, by contrast, always seems to be chasing with patches. "Hackers" on today's Internet have become an industry, something like an online "triad": they may occasionally rob the rich to give to the poor as "charity", but to survive they must keep researching new attack techniques. After a new type of attack appears, protection technology needs some time before it can respond. That is the current state of the network security community.

So the first step in network isolation is to divide the network into the internal network and the demilitarized zone. The best approach, of course, is to dig a moat around the city and then build a few controllable "drawbridges" to keep up the exchange with the outside. The development of data exchange technology is the study of how to protect those "bridges".

Currently there are several technologies for data exchange:

Bridge strategy: the business protocol passes through directly and the data is not reassembled; the impact on speed is small, but security is weak.

  • Firewall (FW): filtering at the network layer.

  • Multiple security gateways: filtering from the network layer up to the application layer, a multiple-checkpoint strategy.

Ferry strategy: the business protocol does not pass through directly and the data is reassembled; security is good.

  • Network gate (GAP): protocol "landing" (the protocol is terminated at the boundary); security detection relies on existing security technology.

  • Switched network: an exchange buffer zone is established, with multi-layered security monitoring and protection.

Manual strategy: no physical connection at all; data is exchanged by hand on removable media. Security is the best of all.
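The distinction between the bridge strategy (the protocol session crosses, data is not reassembled) and the ferry strategy (the protocol is terminated at the boundary and only the data is rebuilt on the other side), as an added example that is not part of the original article: a Python model of a pass-through bridge and a protocol-landing ferry handling the same file transfer. The message format, the `Bridge` and `Ferry` classes, the allow-list rules and the sample messages are all constructed for illustration and do not model any particular product.

```python
"""Bridge vs. ferry exchange across an isolation boundary (constructed model).

Bridge strategy: the protocol session itself crosses; data is not reassembled.
Ferry strategy: the protocol is terminated ("landed") on the outer side, only
allow-listed data is extracted, and a new message is rebuilt on the inner side.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class WireMessage:
    """A message as it travels on the wire: protocol name, protocol-level
    headers (the part an attacker can abuse) and the application payload."""
    protocol: str
    headers: Dict[str, str]
    payload: bytes


class Bridge:
    """Pass-through exchange: after a coarse protocol check the message is
    forwarded unchanged, headers and all."""

    def __init__(self, allowed_protocols):
        self.allowed_protocols = set(allowed_protocols)

    def forward(self, msg: WireMessage) -> Optional[WireMessage]:
        if msg.protocol not in self.allowed_protocols:
            return None
        return msg  # same headers, same bytes: nothing is reassembled


# Constructed allow-list: plain file names only, so "../" and "/" never pass.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class Ferry:
    """Protocol-landing exchange: the outer side terminates the protocol and
    keeps only the fields the business needs; the inner side rebuilds a fresh
    message, so unexpected headers and oversized payloads never cross."""

    def __init__(self, allowed_protocols, allowed_extensions, max_payload):
        self.allowed_protocols = set(allowed_protocols)
        self.allowed_extensions = set(allowed_extensions)
        self.max_payload = max_payload

    def land(self, msg: WireMessage) -> Optional[dict]:
        """Outer side: extract a minimal record, or reject the whole message."""
        if msg.protocol not in self.allowed_protocols:
            return None
        filename = msg.headers.get("filename", "")
        if not SAFE_FILENAME.match(filename):
            return None
        if filename.rsplit(".", 1)[-1].lower() not in self.allowed_extensions:
            return None
        if len(msg.payload) > self.max_payload:
            return None
        return {
            "filename": filename,
            "sha256": hashlib.sha256(msg.payload).hexdigest(),  # pinned at the boundary
            "data": msg.payload,
        }

    def rebuild(self, record: dict) -> WireMessage:
        """Inner side: construct a brand-new message from the record only."""
        return WireMessage(
            protocol="FILE",
            headers={
                "filename": record["filename"],
                "content-length": str(len(record["data"])),
                "sha256": record["sha256"],
            },
            payload=record["data"],
        )

    def transfer(self, msg: WireMessage) -> Optional[WireMessage]:
        record = self.land(msg)
        return None if record is None else self.rebuild(record)


# Constructed samples: a file upload whose protocol headers smuggle an extra
# command-like header the business never needs, and a path-traversal name.
SAMPLE = WireMessage(
    protocol="FTP",
    headers={"filename": "report.csv", "x-site-cmd": "SITE EXEC /bin/sh"},
    payload=b"id,amount\n1,42\n",
)
TRAVERSAL = WireMessage(protocol="FTP", headers={"filename": "../etc/passwd"}, payload=b"x")

if __name__ == "__main__":
    print("bridge :", Bridge(["FTP"]).forward(SAMPLE).headers)
    print("ferry  :", Ferry(["FTP"], ["csv"], 1024).transfer(SAMPLE).headers)
    print("ferry  :", Ferry(["FTP"], ["csv"], 1024).transfer(TRAVERSAL))
```

The bridge forwards the constructed `x-site-cmd` header untouched because it never reassembles anything; the ferry's inner side rebuilds the message from the landed record only, so that header cannot cross, and the integrity of the data is pinned by the hash computed at the boundary. Landing terminates the protocol but does not inspect the payload itself, which is why the list above says a network gate's security detection still relies on existing security technology.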

II. DATA EXCHANGE TECHNOLOGIES

1. Firewall

Firewalls are the most common means of network isolation. They work mainly through routing control, that is, access control list (ACL) technology. A network is a packet-switched system: packets are routed to their destination, so whoever controls the routes controls the communication paths and the flow of packets. Early network security control therefore relied almost entirely on firewalls, and the "standard design" of many Internet service websites is a firewall in three-zone mode (external network, DMZ, internal network).

However, the firewall has one very significant disadvantage: it can only exercise control at layer four of the network stack and below, and it has no answer to viruses and worms at the application layer. For small-scale isolation of Internet access this is acceptable, but it is not sufficient for the isolation of business networks that require two-way access.

Also worth mentioning is the NAT technology in firewalls. Address translation hides intranet IP addresses, and many people regard it as a form of security protection, assuming that the absence of a route is safe enough. Address translation is really a kind of proxy technology: not letting business traffic pass straight through the firewall is a step forward for security, but the proxy service itself has no good security or control of its own and relies mainly on operating-system-level security policy, which is clearly fragile against current attack techniques. Many current attack techniques are aimed at NAT. In particular, because the firewall has no control over the application layer, Trojans get in easily; once inside the intranet, the Trojan sees the intranet addresses and reports them straight to the attacker on the external network, so hiding the addresses does not achieve much.

2. Multiple security gateways

A firewall erects a single checkpoint on the "bridge" and can only do the equivalent of a "passport" inspection. The multiple security gateway approach sets up a series of checkpoints that also search the luggage and have inspectors on hand. Multiple security gateways also have a unified name: UTM (Unified Threat Management). Whether it is one device or several only changes the processing capacity of the device itself; what matters is a comprehensive inspection from the network layer up to the application layer.
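The difference between the single layer-3/4 checkpoint of the firewall and the multiple-checkpoint chain of a UTM, as an added example (not code from the original article): a small Python model of a three-zone ACL firewall that decides on zone, protocol and port only, followed by a UTM-style chain that runs application-layer inspectors on the same traffic. The zones, addresses, ACL entries, packet samples and detection signatures are all constructed for illustration and are not a vendor ruleset.

```python
"""Layer-3/4 firewall ACL in three-zone mode, then the same traffic through a
UTM-style chain of checkpoints (constructed model, not a vendor ruleset)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Three zones of the classic design: external, DMZ, internal.
# Constructed address plan; 192.0.2.0/24 and 203.0.113.0/24 are documentation prefixes.
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "external"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


# ACL entries: (src zone, dst zone, proto, dst port). A match permits;
# anything unmatched is denied, as the default rule on any firewall should.
ACL: List[Tuple[str, str, str, int]] = [
    ("external", "dmz", "tcp", 80),     # public web
    ("external", "dmz", "tcp", 443),
    ("dmz", "internal", "tcp", 5432),   # web tier to database
    ("internal", "external", "tcp", 443),
]


def firewall_decision(pkt: Packet) -> str:
    """Pure layer-3/4 control: zones, protocol and port. The payload is never read."""
    key = (zone_of(pkt.src), zone_of(pkt.dst), pkt.proto, pkt.dport)
    return "permit" if key in ACL else "deny"


# Application-layer checkpoints a UTM adds behind the ACL. Each returns a
# reason string to block, or None to hand the packet to the next checkpoint.
Checkpoint = Callable[[Packet], Optional[str]]

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


def http_syntax_check(pkt: Packet) -> Optional[str]:
    """Protocol conformance on web ports: a first-line sanity check only."""
    if pkt.proto != "tcp" or pkt.dport not in (80, 443) or not pkt.payload:
        return None
    if not REQUEST_LINE.match(pkt.payload):
        return "malformed HTTP request line"
    return None


# Constructed signatures for illustration only, not a real IDS ruleset.
SIGNATURES = [
    (re.compile(rb"\.\./"), "path traversal"),
    (re.compile(rb"(?i)union\s+select"), "SQL injection"),
    (re.compile(rb"(?i)cmd\.exe|/bin/sh"), "shell command in payload"),
]


def content_check(pkt: Packet) -> Optional[str]:
    """Content inspection: the 'luggage search' the firewall never performs."""
    for pattern, name in SIGNATURES:
        if pattern.search(pkt.payload):
            return name
    return None


def utm_decision(pkt: Packet, checkpoints=(http_syntax_check, content_check)) -> Tuple[str, str]:
    """Multiple checkpoints: the ACL first, then every application-layer inspector."""
    if firewall_decision(pkt) != "permit":
        return ("deny", "acl")
    for check in checkpoints:
        reason = check(pkt)
        if reason is not None:
            return ("deny", reason)
    return ("permit", "all checkpoints passed")


# Constructed traffic samples.
TRAVERSAL = Packet("203.0.113.7", "192.0.2.10", "tcp", 80,
                   b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
CLEAN = Packet("203.0.113.7", "192.0.2.10", "tcp", 80,
               b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
DIRECT_DB = Packet("203.0.113.7", "10.1.1.5", "tcp", 5432)

if __name__ == "__main__":
    for name, pkt in [("traversal", TRAVERSAL), ("clean", CLEAN), ("direct_db", DIRECT_DB)]:
        print(f"{name:10s} firewall={firewall_decision(pkt):6s} utm={utm_decision(pkt)}")
```

The traversal request is permitted by the ACL alone, because external to DMZ on port 80 is exactly what the three-zone design has to allow, and it is dropped only once a checkpoint reads the payload; the direct request to the internal database is dropped by the ACL before any inspector runs. Splitting the inspectors into a chain is also what lets one box or several boxes implement the same policy, which is the point made above about processing capacity versus coverage.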
