[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN106330973B - Data security exchange method based on black and white list - Google Patents

Data security exchange method based on black and white list Download PDF

Info

Publication number
CN106330973B
CN106330973B CN201610952787.0A CN201610952787A CN106330973B CN 106330973 B CN106330973 B CN 106330973B CN 201610952787 A CN201610952787 A CN 201610952787A CN 106330973 B CN106330973 B CN 106330973B
Authority
CN
China
Prior art keywords
data
network
matching
data content
pure
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610952787.0A
Other languages
Chinese (zh)
Other versions
CN106330973A (en
Inventor
高昇宇
张滔
王宏延
陆忞
娄征
徐威
郭靓
章浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing NARI Group Corp
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
Nanjing NARI Group Corp
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing NARI Group Corp, Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd filed Critical Nanjing NARI Group Corp
Priority to CN201610952787.0A priority Critical patent/CN106330973B/en
Publication of CN106330973A publication Critical patent/CN106330973A/en
Application granted granted Critical
Publication of CN106330973B publication Critical patent/CN106330973B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0245Filtering by information in the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a data security exchange method based on a black and white list, which comprises the following steps: reading data to be exchanged and matching with a rule strategy, carrying out protocol stripping on the successfully matched data to be exchanged to obtain pure data content, matching the pure data content with keywords in a white list, if the matching is successful, sending the data to be exchanged to an isolation card of a network I, writing the pure data content into a one-way data transmission channel by the isolation card of the network I, if the matching is failed, matching the pure data content with the keywords in a black list, and pushing the pure data content to a user for selective configuration after the matching is failed. The intelligent white list technology is adopted, the problem that a traditional isolation device cannot meet special transmission requirements is solved, the white list is automatically expanded by extracting keywords in data through the main program and is combined with manual addition of the black list and the white list by an operator, the safety of data interaction is guaranteed, and the flexibility of data transmission is enhanced.

Description

Data security exchange method based on black and white list
Technical Field
The invention relates to a data security exchange method, in particular to a data security exchange method based on a black and white list.
Background
With the maturity of network technologies and the continuous improvement of applications, the Internet is increasingly being incorporated into various aspects of society. On one hand, a series of network applications such as enterprise internet surfing, electronic commerce, remote education, remote medical treatment and the like are developed vigorously, and the daily life of people is increasingly closely related to the network; on the other hand, network user components are becoming more and more diverse, and network intrusions and attacks for various purposes are becoming more and more frequent. People increasingly feel troubles caused by the problems of frequent network attacks, virus flooding, unauthorized access, information disclosure and the like while enjoying rich and convenient information brought by the Internet.
In many important fields such as governments, national defense and energy, the requirements on data confidentiality, network stability and service continuity are extremely high, and the security of the strong rock is particularly critical. Market demand has prompted innovation of security technology, russian Ry Jones first proposed the "AirGap" isolation concept in the middle of the last 90 s, and then successfully developed a physical isolation card in israel to realize security isolation between networks; later, the American Whale Communications company and the Israel SpearHead company successively put forward e-Gap and Netgap products, and the secure exchange and resource sharing of data of two networks under the condition of non-communication are realized by using special hardware, so that the security isolation technology is developed from the pure realization of 'network isolation prohibited exchange' to 'secure isolation and reliable exchange'. At present, the U.S. military and important government departments adopt isolation technologies to guarantee information security, and the development of the security isolation technology in China also goes through similar processes.
The existing power system isolation technology is not flexible enough in a real operation environment, the function of judging the interaction behavior of the internal and external networks is single, in some special environments, some information which a user wants to transmit is blocked by isolation equipment for some reasons (such as that keyword examination does not pass) and cannot be transmitted, but the information user confirms that no problem exists and can only transmit the information in an off-line copying mode, and the operation is very inconvenient.
Disclosure of Invention
The technical problem to be solved by the invention is that the existing power system isolation technology is not flexible enough in a real operation environment, the function of judging the interaction behavior of the internal and external networks is single, and in some special environments, some information which a user wants to transmit is blocked by isolation equipment for some reasons (such as that keyword examination does not pass) and cannot be transmitted, but the information is confirmed by the user to have no problem and can only be transmitted in an off-line copying mode, which is very inconvenient.
In order to solve the technical problem, the invention provides a data security exchange method based on a black and white list, which comprises the following steps:
step 1, reading data to be exchanged in real time through a network port of a network I, matching the data to be exchanged with a preset rule strategy, entering a step 2 if the matching is successful, isolating the data to be exchanged and recording abstract information of the data to be exchanged if the matching is failed, and finishing the data exchange transmission at the same time;
step 2, carrying out protocol stripping on the successfully matched data to be exchanged to obtain pure data content, matching the pure data content with keywords in a white list, entering step 3 if the matching is successful, and entering step 4 if the matching is failed;
step 3, sending the data to be exchanged to an isolation card of the network I, and then entering step 6;
step 4, matching the pure data content with the keywords in the blacklist, if the matching is successful, isolating the data to be exchanged, recording abstract information of the data to be exchanged, and simultaneously finishing the data exchange transmission, if the matching is failed, entering step 5;
step 5, pushing the pure data content to a user for selective configuration, if the user selects to add the keywords in the pure data content into a blacklist, extracting the fields in the pure data content to obtain the keywords therein, then adding the obtained keywords into the blacklist, if the user selects to add the keywords in the pure data content into a white list, extracting the fields in the pure data content to obtain the keywords therein, then adding the obtained keywords into the white list, and returning to the step 1 after the user selects to configure;
step 6, after the data to be exchanged reaches the isolation card of the first network, the isolation card carries out protocol stripping on the data to be exchanged to obtain pure data content, then the pure data content is written into a unidirectional data transmission channel of the isolation card of the first network, and the pure data content is transmitted to the isolation card of the second network through the unidirectional data transmission channel;
and 7, matching the pure data content with the rule strategy of the second network after the pure data content reaches the isolation card of the second network, and sending the pure data content to a system of the second network through the network port of the second network after the pure data content is matched.
The intelligent white list technology is adopted, the problem that the special transmission requirements of the traditional isolation device cannot be met is solved, the white list is automatically expanded by extracting keywords in the data through the main program and is combined with the manual addition of the black list and the white list by an operator, the safety of data interaction is guaranteed, the flexibility of data transmission is enhanced, and the black list and the white list are continuously expanded along with the increase of time, so that the flexibility is stronger and stronger.
As a further limitation of the present invention, the rule policy includes a source address, a destination address, a source port, a destination port, a protocol mac, a source mac, and a destination mac.
As a further limitation of the present invention, in step 6, after the pure data content is completely written into the unidirectional data transmission channel of the first network isolation card, the first network isolation card immediately interrupts the connection with the first network, and pushes the pure data content in the unidirectional data transmission channel to the second network isolation card. The design can ensure that unsafe data cannot be mixed after the data safety transmission is finished, and the safety protection performance is higher.
As a further definition of the present invention, the unidirectional data transfer channel is a FIFO channel.
The invention has the beneficial effects that: the intelligent white list technology is adopted, the problem that the traditional isolation device cannot meet special transmission requirements is solved, the white list is automatically expanded by extracting keywords in the data through the main program and the black list and the white list are manually added by an operator to be combined, the safety of data interaction is guaranteed, the flexibility of data transmission is enhanced, and the black list and the white list are continuously expanded along with the increase of time, so that the flexibility is stronger and stronger.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
As shown in fig. 1, the method for securely exchanging data based on black and white lists provided by the present invention includes the following steps:
step 1, reading data to be exchanged by a network port of a network I in real time, matching the data to be exchanged with a preset rule strategy, entering a step 2 if matching is successful, isolating the data to be exchanged if matching is failed, recording abstract information of the data to be exchanged, and simultaneously finishing data exchange transmission, wherein the rule strategy comprises a source address, a destination address, a source port, a destination port, a protocol mac, a source mac and a destination mac;
step 2, carrying out protocol stripping on the successfully matched data to be exchanged to obtain pure data content, matching the pure data content with keywords in a white list, entering step 3 if the matching is successful, and entering step 4 if the matching is failed;
step 3, sending the data to be exchanged to an isolation card of the network I, and then entering step 6;
step 4, matching the pure data content with the keywords in the blacklist, if the matching is successful, isolating the data to be exchanged, recording abstract information of the data to be exchanged, and simultaneously finishing the data exchange transmission, if the matching is failed, entering step 5;
step 5, pushing the pure data content to a user for selective configuration, if the user selects to add the keywords in the pure data content into a blacklist, extracting the fields in the pure data content to obtain the keywords therein, then adding the obtained keywords into the blacklist, if the user selects to add the keywords in the pure data content into a white list, extracting the fields in the pure data content to obtain the keywords therein, then adding the obtained keywords into the white list, and returning to the step 1 after the user selects to configure;
step 6, after the data to be exchanged reaches the isolation card of the first network, the isolation card carries out protocol stripping on the data to be exchanged to obtain pure data content, then the pure data content is written into the unidirectional data transmission channel of the isolation card of the first network, the pure data content is transmitted to the isolation card of the second network through the unidirectional data transmission channel, after the pure data content is completely written into the unidirectional data transmission channel of the isolation card of the first network, the isolation card of the first network immediately breaks the connection with the first network, and then the pure data content in the unidirectional data transmission channel is pushed to the isolation card of the second network, wherein the unidirectional data transmission channel is an FIFO channel;
and 7, matching the pure data content with the rule strategy of the second network after the pure data content reaches the isolation card of the second network, and sending the pure data content to a system of the second network through the network port of the second network after the pure data content is matched.
The specific embodiment is as follows:
the invention takes an external network as a first network and an internal network as a second network, supposing that information is from the external network to the internal network, the invention adopts a 2+1 module structure design, namely comprising an external network host module, an internal network host module and an isolation exchange module. The internal and external network host modules are provided with independent operation units and storage units which are respectively connected with the internal and external network. The isolation exchange module is realized by adopting a special double-channel isolation exchange card, and the safe data exchange between the internal and external network host modules is completed through an embedded safety chip. There is no network connection between the internal and external network host modules, so there is no data forwarding based on network protocol. The isolation exchange module is the only channel for data exchange between the internal and external network host modules, and has no operating system and application programming interface, all control logic and transmission logic are solidified in the safety chip, and the exchange and verification of the internal and external network data are realized independently. The method comprises the steps that a blacklist and a white list are used as two resource pools, the internal and external network programs are both provided with the black and white lists which are keyword sets, the white list is system learning and user setting, the blacklist keywords comprise 1=1 and the like, a main program is configured on the external network, and after the program detects that the blacklist and the white list is changed, the change can be automatically carried out for internal and external network synchronization. The configuration strategy is configured by the user at the external network side, and the configuration can be automatically synchronized to the internal network after the configuration is completed, wherein the strategy comprises a data source and a destination address, a source port, a destination port, an internal and external network port address, a protocol, a source mac and a destination mac. The data isolation technology is utilized to realize the information exchange between the internal network and the external network, and the realization mode comprises two stages.
Stage 1: and (5) an initial stage.
In the initial stage, the content of the white list is less, the content of the white list can be expanded by pre-configuring the white list, and in the initial test stage, the environment can be defaulted to be safe, all the passing information can be defaulted to be safe information, the system automatically reads the information content, and the keywords are picked to expand the white list.
In the stage, a user is required to use a simulation service for sending, before the stage begins, an operator configuration program enters an initial stage, a blacklist function is not started in the initial stage, and all data information is defaulted as safety data. Supposing that information is sent from an external network to an internal network, data first reaches an external network port, an external network program firstly analyzes a protocol and then matches the protocol with a strategy, matching contents comprise a source address, a destination address, a source port, a destination port, a protocol, a source and a destination mac, then data is stripped, a main program extracts a specific field to form a keyword and stores the keyword into a white list, then pure data reaches an external network hardware isolation card and reaches the external network isolation card through an FIFO data channel, meanwhile, only control information of a TCP (transmission control protocol) packet without any data in an application layer is allowed to be transmitted to the internal network, no packet, command and TCP/IP (including UDP (user datagram protocol) and ICMP (internet protocol)) can penetrate through the internal network and the internal network program is sent to the internal network after the strategy is matched. The same flow is adopted when data arrives at the external network from the internal network and the external network.
And (2) stage: phase of operation
After the initial stage is finished, a formal operation stage is entered, namely a service on-line stage, the default operation environment is unsafe, a user configures a main program and enters an operation stage, a blacklist is started by a system, in the stage, information can reach the other end through matching of the white list and the blacklist, and an operator can expand the white list and the blacklist according to actual conditions. The specific process is as follows:
process 1, supposing that the information is from outer net to inner net, the data first arrives at outer net mouth, the outer net program first analyzes the protocol, matches with the rule strategy, the matching content includes source, destination address, source, destination port, protocol, source, destination mac, the matching result has two kinds: the first is that the strategy (Y) can be matched, the second is that the strategy (N) can not be matched (for example, if the data protocol is that the TCP source address is 1.1.1.1, the destination address is 1.1.1.2, the mac is 000000000000 abcdabcd, only one strategy is provided, the source address is 1.1.1.1, the destination address is 1.1.1.2, and the mac is 0000abcdabcd, the matching result is Y), if the strategy (N) can not be matched, the main program isolates the information, and the auditing system records the information abstract and generates syslog, and the data transmission is finished;
in the process 2, if the matching result in the "process 1" is Y, the pure data content is matched with the keywords in the white list after the data is stripped, and the matching results are two types: the first one is that the strategy (Y) can be matched, and the second one is that the strategy (N) can not be matched (for example: the source data is '12345 Nanjing power supply collector', the relevant key word 'Nanjing power supply' in the white list, the matching result is Y, the white list has no '12345 Nanjing power supply collector', the matching result is (N), the matching result is (Y), the data is sent to the external network isolation card, and reaches the internal network isolation card through the special fifo channel;
in the process 3, if the matching result in the "process 2" is N, the pure data is matched with the blacklist, and the matching results are two types: the first is that the strategy (Y) can be matched, the second is that the strategy (N) can not be matched (for example, if the source data is '12345 Nanjing power supply collector', the relevant key word 'Nanjing power supply' in the blacklist, the matching result is Y, and if the white list has no '12345 Nanjing power supply collector', the matching result is N), the matching result is Y, the main program isolates the information, and the auditing system records the information abstract and generates syslog, and the data transmission is finished;
in the process 4, if the matching result in the "process 3" is N, the auditing system is triggered, syslog is generated, and the data information is pushed to the configuration interface, at this time, the user operator may have 2 choices, select 1: selecting keywords in the data to be added into a blacklist, extracting specific fields by a main program, forming keywords and storing the keywords into the blacklist; selecting 2: selecting keywords in the data to add into a white list, extracting specific fields by a main program, forming keywords and storing the keywords into the white list;
process 5, the data reaches the outer net isolation card, the server of the outer net immediately initiates the data connection to the isolation device, the isolation device strips all protocols, writes the original pure data into the high-speed data transmission channel, once the data is completely written into the unidirectional security channel of the security isolation device, the isolation device outer net side immediately breaks the connection with the outer net, pushes the data in the unidirectional security channel to the inner net side, the inner net side initiates the data connection to the outer net after receiving the data, and after the connection is successfully established, the TCP/IP encapsulation and the application protocol encapsulation are carried out;
step 6, after the data reaches the intranet isolation card, matching the data with the intranet rules, and sending the matched data to an intranet system according to the intranet rules;
in the process 7, if data arrives from the intranet to the extranet, the data is processed according to the same flow from the extranet to the intranet.
The terms of the present invention are explained as follows:
(1)TCP/IP
the translation of Transmission Control Protocol/Internet Protocol is named as Transmission Control Protocol/Internet interconnection Protocol, also named as network communication Protocol, which is the most basic Protocol of Internet and the basis of Internet, and consists of IP Protocol in network layer and TCP Protocol in Transmission layer.
(2)fifo
FIFO memories are widely used in system design for the purpose of increasing data transmission rates, processing a large number of data streams, and matching systems having different transmission rates, thereby improving system performance. The FIFO memory is a first-in first-out double-port buffer, i.e. the first data entering the FIFO memory is shifted out first, wherein one input port of the FIFO memory and the other port are output ports of the FIFO memory. For monolithic FIFOs, there are two main structures: a trigger guide structure and a zero guide transmission structure. The FIFO of the trigger oriented transmission structure is composed of a register array, and the FIFO of the zero oriented transmission structure is composed of a dual-port RAM with read and write address pointers.
(3)Syslog
The system log (Syslog) protocol is a standard for forwarding system log information in an IP network, developed in the TCP/IP system implementation of the berkeley software distribution research center (BSD), university of california, usa, and is now an industry standard protocol with which to log devices. Syslog records any events in the system, and managers can master the system condition at any time by viewing the system records. The system log records relevant events of the system through a Syslog process, and can also record operation events of the application program. With proper configuration, communication between machines running the Syslog protocol may also be achieved. By analyzing these network behavior logs, conditions related to the device and the network can be tracked and mastered.

Claims (4)

1. A data security exchange method based on a black and white list is characterized by comprising the following steps:
step 1, reading data to be exchanged in real time through a network port of a network I, matching the data to be exchanged with a preset rule strategy, entering a step 2 if the matching is successful, isolating the data to be exchanged and recording abstract information of the data to be exchanged if the matching is failed, and finishing the data exchange transmission at the same time;
step 2, carrying out protocol stripping on the successfully matched data to be exchanged to obtain pure data content, matching the pure data content with keywords in a white list, entering step 3 if the matching is successful, and entering step 4 if the matching is failed;
step 3, sending the data to be exchanged to an isolation card of the network I, and then entering step 6;
step 4, matching the pure data content with the keywords in the blacklist, if the matching is successful, isolating the data to be exchanged, recording abstract information of the data to be exchanged, and simultaneously finishing the data exchange transmission, if the matching is failed, entering step 5;
step 5, pushing the pure data content to a user for selective configuration, if the user selects to add the keywords in the pure data content into a blacklist, extracting the fields in the pure data content to obtain the keywords therein, then adding the obtained keywords into the blacklist, if the user selects to add the keywords in the pure data content into a white list, extracting the fields in the pure data content to obtain the keywords therein, then adding the obtained keywords into the white list, and returning to the step 1 after the user selects to configure;
step 6, after the data to be exchanged reaches the isolation card of the first network, the isolation card carries out protocol stripping on the data to be exchanged to obtain pure data content, then the pure data content is written into a unidirectional data transmission channel of the isolation card of the first network, and the pure data content is transmitted to the isolation card of the second network through the unidirectional data transmission channel;
and 7, matching the pure data content with the rule strategy of the second network after the pure data content reaches the isolation card of the second network, and sending the pure data content to a system of the second network through the network port of the second network after the pure data content is matched.
2. The blacklist-based data security exchange method according to claim 1, wherein the rule policy includes a source address, a destination address, a source port, a destination port, a protocol mac, a source mac and a destination mac.
3. The method according to claim 1 or 2, wherein in step 6, after the pure data content is completely written into the unidirectional data transmission channel of the first network card, the first network card immediately interrupts the connection with the first network card, and pushes the pure data content in the unidirectional data transmission channel to the second network card.
4. The method according to claim 1 or 2, wherein the unidirectional data transmission channel is a FIFO channel.
CN201610952787.0A 2016-10-27 2016-10-27 Data security exchange method based on black and white list Active CN106330973B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610952787.0A CN106330973B (en) 2016-10-27 2016-10-27 Data security exchange method based on black and white list

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610952787.0A CN106330973B (en) 2016-10-27 2016-10-27 Data security exchange method based on black and white list

Publications (2)

Publication Number Publication Date
CN106330973A CN106330973A (en) 2017-01-11
CN106330973B true CN106330973B (en) 2021-09-24

Family

ID=57819017

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610952787.0A Active CN106330973B (en) 2016-10-27 2016-10-27 Data security exchange method based on black and white list

Country Status (1)

Country Link
CN (1) CN106330973B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111741032B (en) * 2020-08-26 2021-02-26 杭州数列网络科技有限责任公司 Data transmission control method
CN114006763A (en) * 2021-11-01 2022-02-01 许昌许继软件技术有限公司 Rapid retrieval matching method and system based on rapid table
CN114745176A (en) * 2022-04-11 2022-07-12 中国南方电网有限责任公司 Data transmission control method, device, computer equipment and storage medium
CN114745454A (en) * 2022-04-11 2022-07-12 中国南方电网有限责任公司 Boundary protection device, system, method, computer equipment and storage medium
CN114900340A (en) * 2022-04-24 2022-08-12 金祺创(北京)技术有限公司 Illegal external connection detection method and device based on internal and external network interactive verification

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104135492A (en) * 2014-08-20 2014-11-05 国家电网公司 Internal and external network information exchange method based on information exchange bus
CN104486336A (en) * 2014-12-12 2015-04-01 冶金自动化研究设计院 Device for safely isolating and exchanging industrial control networks
CN104767752A (en) * 2015-04-07 2015-07-08 西安汇景倬元信息技术有限公司 Distributed network isolating system and method
CN105812387A (en) * 2016-05-09 2016-07-27 北京航天数控系统有限公司 Unidirectional safe data exchange device
JP2016163348A (en) * 2015-03-04 2016-09-05 韓國電子通信研究院Electronics and Telecommunications Research Institute One-way gateway, vehicle network system and method for protecting network within vehicle using one-way gateway

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8490156B2 (en) * 2008-05-13 2013-07-16 At&T Mobility Ii Llc Interface for access management of FEMTO cell coverage

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104135492A (en) * 2014-08-20 2014-11-05 国家电网公司 Internal and external network information exchange method based on information exchange bus
CN104486336A (en) * 2014-12-12 2015-04-01 冶金自动化研究设计院 Device for safely isolating and exchanging industrial control networks
JP2016163348A (en) * 2015-03-04 2016-09-05 韓國電子通信研究院Electronics and Telecommunications Research Institute One-way gateway, vehicle network system and method for protecting network within vehicle using one-way gateway
CN104767752A (en) * 2015-04-07 2015-07-08 西安汇景倬元信息技术有限公司 Distributed network isolating system and method
CN105812387A (en) * 2016-05-09 2016-07-27 北京航天数控系统有限公司 Unidirectional safe data exchange device

Also Published As

Publication number Publication date
CN106330973A (en) 2017-01-11

Similar Documents

Publication Publication Date Title
CN106330973B (en) Data security exchange method based on black and white list
RU2769216C2 (en) Dynamic secure communication network and protocol
US6167515A (en) Method and system for performing the transmission of private data over a public network
CN104486336A (en) Device for safely isolating and exchanging industrial control networks
CN104363221A (en) Network safety isolation file transmission control method
CN105939284B (en) The matching process and device of message control strategy
CN101127761A (en) Unidirectional protocol isolation method and device in network
CN103237036A (en) Device for realizing physical partition of internal and external networks
CN109218308A (en) A kind of data high-speed secure exchange method based on intelligent network adapter
CN106992987A (en) A kind of information transmission equipment and method based on USB
CN114615082A (en) System and method for simulating TCP duplex safety communication by using forward and reverse network gates
CN103067389B (en) High safety file transfer method based on short website
US9722955B2 (en) Buffered session filtering for inline bypass application
EP2728833B1 (en) Time-locked network and nodes for exchanging secure data packets
CN112804265A (en) Unidirectional network gate interface circuit, method and readable storage medium
CN117971963A (en) Private domain distributed data collaborative equipment
RU2449361C2 (en) Method of protecting computer network having dedicated server
CN110581848B (en) Cloud desktop multi-network isolation system and method
CN200941631Y (en) Net one-way protocal separator
CN112532603B (en) Cross-domain file exchange leading-in device and method based on exchange authorization file
Manoj Cyber Security
RU228377U1 (en) Onboard cyber-secure gateway
Wu et al. Lightweight Cryptography Implementation for Internet of Things Network on FPGA
Jaskolka Modeling, analysis, and detection of information leakage via protocol-based covert channels
CN109617866A (en) Industrial control system host session data filtering method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant