I. Requirements for information security
According to the technical requirements for information confidentiality, a classified (secret-involved) network may not be connected directly to the Internet. When a classified network is connected to a non-classified network that is not physically isolated from the Internet, a two-way network gate is used to isolate the classified network from the non-classified one; when the classified network is only logically isolated, a one-way network gate is used to isolate them, so that confidential data cannot flow from the higher-classification network to the lower-classification network.
II. The role of the network gate
The isolation function of a network gate is based on directional "ferrying" of data: the gate imitates a manual "copy" of data and never establishes a physical path between the two networks. In its usual form, the gate "peels" the data out of the application, ferries it to the other side, and then delivers it to its destination over a normal communication channel. From a security standpoint, the less format information the ferried data carries the better; raw data with no format at all is best, because formatless text offers no place to hide anything that is not data, which reduces the carriers available to a "virus".
The network gate cuts off the upper-layer business protocol so that only the raw data is seen. To achieve the "isolation" effect it uses a private communication protocol or a storage protocol; either way the goal is to strip off all protocol overhead completely, so that the ferried data is as "clean" as possible. To make "ferrying the business" convenient, a business proxy server is set up on each side of the gate, which logically connects the business across it.
Although the network gate transmits the actual data, once a proxy protocol has been introduced each ferry operation may no longer carry a complete unit of data content, which makes security inspection harder: an attacker can split a "worm" into a number of fragments to be transferred separately, each as small as a single instruction, and without reassembling the original it is difficult to know what it is; for binary executable code it is hard to distinguish data from an attack at all.
The network gate applies a closed (deny-by-default) policy to unfamiliar business, opening only the business services it considers necessary and controllable; so the gate still has a definite effect in separating networks of different classification levels.
The confidentiality requirement for classified information says that data of a high classification level may not flow from the high-classification network to a lower-level network, whereas data of a low classification level may flow into the high-classification network (the data confidentiality requirement). This amounts to a requirement for one-way data flow: if only one direction of data flow is retained, the confidentiality requirement is satisfied. This is where the demand for a one-way network gate arises.
III. One-way network gate
A one-way network gate permits data to flow in only one direction. The specific implementations include the following technologies:
1. Data pump technology (Pump): proposed in 1993 by Myong H. Kang and others to implement reliable data copying from a low-level database to a high-level one; it is also known as "secure store-and-forward" technology. The method restricts data transmission from the inside outward by allowing only reverse acknowledgements, so that data flows one way, from outside to inside.
Data pump technology is built on ordinary communication: data is allowed to pass in a single direction only, while in the opposite direction only control information may pass, such as acknowledgements of received data, error control and flow control. In other words, the communication protocol permits data in one direction only. Data pump technology is therefore relatively simple to implement and can use currently mature communication protocols.
Although the data itself travels in a single direction, the protocol control information is transmitted by both sides, so if the protocol itself has a loophole, there is a possibility that it could be used to send data in the reverse direction.
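As an added illustration (not code from the original article), the following Python sketch models a data pump's two paths and the mitigation for the loophole just described: data is accepted low-to-high, while the reverse path accepts only a fixed-format acknowledgement for a sequence number that was actually sent, and drops everything else. The `Pump` class, the `ACK <n>` message shape and the sample messages are assumptions made for this example.

```python
"""Simulated data pump: one-way data, tightly constrained reverse acknowledgements."""
from dataclasses import dataclass, field
import re

# The only message shape permitted on the reverse (high -> low) path.
# A fixed pattern leaves the ACK channel no room to carry a payload.
ACK_RE = re.compile(r"^ACK (\d+)$")


@dataclass
class Pump:
    high_side_inbox: list = field(default_factory=list)  # (seq, payload) delivered to high side
    acked: list = field(default_factory=list)            # sequence numbers acknowledged
    rejected: list = field(default_factory=list)         # reverse messages dropped (for audit)
    next_seq: int = 0

    def forward(self, payload: bytes) -> int:
        """Low -> high: store-and-forward the raw payload, return its sequence number."""
        seq = self.next_seq
        self.next_seq += 1
        self.high_side_inbox.append((seq, payload))
        return seq

    def reverse(self, msg: str) -> bool:
        """High -> low: admit only 'ACK <seq>' for a sequence number already sent."""
        m = ACK_RE.fullmatch(msg)
        if m is None or int(m.group(1)) >= self.next_seq:
            # Anything that is not a well-formed ACK for a known seq is dropped and logged,
            # so the reverse path cannot be turned into a data channel.
            self.rejected.append(msg)
            return False
        self.acked.append(int(m.group(1)))
        return True


if __name__ == "__main__":
    pump = Pump()
    seq = pump.forward(b"constructed sample record")   # low -> high
    print("reverse ACK accepted:", pump.reverse(f"ACK {seq}"))
    print("reverse ACK with extra bytes accepted:", pump.reverse(f"ACK {seq} x=1"))
    print("reverse data message accepted:", pump.reverse("DATA leak"))
    print("rejected:", pump.rejected)
```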