CN200941631Y - Net one-way protocal separator - Google Patents
- Publication number
- CN200941631Y (application number CN200620132274U)
- Authority
- CN
- China
- Prior art keywords
- network
- isolation card
- untrusted
- pci bus
- bus interface
- Prior art date
- 2006-08-16
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The utility model relates to a network one-way protocol isolation device comprising a trusted-end network PCI bus interface, an untrusted-end network PCI bus interface, an untrusted-end isolation card, a trusted-end isolation card and an LVDS bus. The trusted-end network PCI bus interface is connected to the trusted-end isolation card; the untrusted-end network PCI bus interface is connected to the untrusted-end isolation card; and the two ends of the LVDS bus are connected to the untrusted-end isolation card and the trusted-end isolation card respectively. The device is simple in structure, sits between the trusted and untrusted networks, and performs functions such as virus prevention, access control and security audit. Data can be transmitted in one direction only, from the network of lower security level to the network of higher security level, so that data on the internal higher-level network cannot leak to the lower-level network, which improves network security.
Description
Technical field
The utility model relates to a network one-way protocol isolation device.
Background technology
The Internet has achieved enormous success. The development and spread of network applications such as e-commerce and e-government have brought great convenience to people's lives and created great wealth. At the same time, the Internet has brought hackers, viruses and Trojan horses: data are tampered with and stolen, files are destroyed, and users face all kinds of security threats while enjoying what the Internet offers; 47.1% of users reported that their computer had been intruded within the past year [CNNIC, "Statistical Report on Internet Development in China"]. More and more enterprises and government departments have begun to protect their networks with security protection tools.
Network security technology has developed significantly alongside the spread and wide use of the Internet; security products such as firewalls, intrusion detection, VPNs and encryption/decryption tools have gradually emerged, developed and matured. Yet to this day the security problems on the Internet persist, and, more seriously, many of the victims had already deployed firewall and intrusion detection products.
Although the firewall, as the core access control measure in security defence, has played an irreplaceable role, a defence system built around a firewall cannot meet the real requirements of network security, because a firewall still maintains a TCP/IP connection between the trusted network and the untrusted network. It therefore cannot truly solve the security problem of information exchange between the internal and external networks. Once the firewall fails because of an attack or a malfunction, or cannot perform its function correctly, the TCP/IP connection that is always present becomes the attacker's tool for attacking the protected network. Designing a security device that breaks the TCP/IP connection while still connecting the two sides logically is therefore of far-reaching significance. It is on this idea that the new protocol isolation technology (GAP) is based.
The guiding principle of protocol isolation differs fundamentally from that of the firewall: (1) the firewall's approach is to be as secure as possible on the premise of guaranteeing interconnection, whereas (2) protocol isolation's approach is to interconnect as much as possible on the premise of guaranteeing the necessary security. A protocol isolation device can solve the root problems of the present firewall:
1. Protocol vulnerabilities of TCP/IP are avoided: one segment of the path does not use TCP/IP at all, but an independent GAP protocol;
2. The simultaneous direct TCP/IP connections between intranet, extranet and DMZ that exist in a screening firewall are avoided: a dual-host architecture is adopted;
3. Vulnerabilities of application protocols, whose commands and instructions may be illegal, are addressed by application-level inspection of the protocol content.
The utility model content
The technical problem to be solved by the utility model is to provide a network one-way protocol isolation device that achieves real isolation between the trusted network and the untrusted network, ensures that the trusted network is not attacked, and raises its safety factor.
The technical scheme provided by the utility model is: a network one-way protocol isolation device comprising a trusted-end network PCI bus interface, an untrusted-end network PCI bus interface, an untrusted-end isolation card, a trusted-end isolation card and an LVDS bus; the trusted-end network PCI bus interface is connected to the trusted-end isolation card, the untrusted-end network PCI bus interface is connected to the untrusted-end isolation card, and the two ends of the LVDS bus are connected to the untrusted-end isolation card and the trusted-end isolation card respectively.
The untrusted-end isolation card is provided with a TCP/IP protocol stack, a protocol analysis module and a session module connected in sequence, the untrusted-end network PCI bus interface being connected to the TCP/IP protocol stack; the trusted-end isolation card is provided with a session module, a protocol reconstruction module and a TCP/IP protocol stack connected in sequence, the trusted-end network PCI bus interface being connected to that TCP/IP protocol stack; the two ends of the LVDS bus are connected to the session modules on the untrusted-end and trusted-end isolation cards respectively.
The isolation device comprises two baseboards; the untrusted-end isolation card is plugged into one baseboard through the untrusted-end network PCI bus interface, and the trusted-end isolation card is plugged into the other baseboard through the trusted-end network PCI bus interface; both baseboards are provided with a network cable socket and a power interface.
A memory module is inserted in each of the two baseboards.
The utility model has the following advantages: it is simple in structure; connected between the trusted network and the untrusted network, it performs functions such as virus prevention, access control and security audit; data can only be transmitted in one direction, namely from the network of lower security level to the network of higher security level, so that data on the internal higher-level network cannot leak to the lower-level network, improving the security of the system.
Description of drawings
The utility model is described below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic block diagram of the utility model;
Fig. 2 is a structural block diagram of the utility model;
Fig. 3-1 to Fig. 3-4 are circuit diagrams of the utility model.
Reference numerals:
1: untrusted-end isolation card; 2: trusted-end isolation card; 3: LVDS bus;
11: untrusted-end baseboard; 21: trusted-end baseboard;
4: external network interface; 5: internal network interface;
6: memory module; 7: external power supply.
Embodiment
The network one-way protocol isolation device whose schematic is shown in Fig. 2 comprises a trusted-end network PCI bus interface, an untrusted-end network PCI bus interface, an untrusted-end isolation card 1, a trusted-end isolation card 2 and an LVDS bus 3; the trusted-end network PCI bus interface is connected to the trusted-end isolation card 2, the untrusted-end network PCI bus interface is connected to the untrusted-end isolation card 1, and the two ends of the LVDS bus 3 are connected to the untrusted-end isolation card 1 and the trusted-end isolation card 2 respectively. The untrusted-end isolation card 1 is provided with a TCP/IP protocol stack, a protocol analysis module and a session module connected in sequence, the untrusted-end network PCI bus interface being connected to the TCP/IP protocol stack; the trusted-end isolation card 2 is provided with a session module, a protocol reconstruction module and a TCP/IP protocol stack connected in sequence, the trusted-end network PCI bus interface being connected to that TCP/IP protocol stack; the two ends of the LVDS bus 3 are connected to the session modules on the untrusted-end isolation card 1 and the trusted-end isolation card 2 respectively.
The network one-way protocol isolation device shown in Fig. 1 comprises the untrusted-end isolation card 1, the trusted-end isolation card 2 and the LVDS bus 3, and further comprises an untrusted-end baseboard 11 and a trusted-end baseboard 21; the untrusted-end isolation card 1 is plugged into the untrusted-end baseboard 11 through the untrusted-end network PCI bus interface, and the trusted-end isolation card 2 is plugged into the trusted-end baseboard 21 through the trusted-end network PCI bus interface. The untrusted-end baseboard 11 is provided with an external network interface 4 and a power interface, the trusted-end baseboard 21 is provided with an internal network interface 5 and a power interface, and both power interfaces are connected to the external power supply 7. A memory module 6 is inserted in each of the untrusted-end baseboard 11 and the trusted-end baseboard 21; the memory module 6 stores the program that starts the isolation card.
The external network interface 4 connects to the computer on the external network, the internal network interface 5 connects to the computer on the internal network, and the LVDS bus transfers data between the two isolation cards at an exchange rate of up to 1 Gb/s. The untrusted-end isolation card 1 and the trusted-end isolation card 2 have different functions: the untrusted end chiefly takes the application data packets transmitted by the untrusted-side computer, puts them into a proprietary format and sends them to the opposite end over the electronic link, while the trusted host performs source authentication, buffering and relaying and receives the data. The unidirectional transfer of the isolation device is the core of the baseboard design.
In the circuit diagrams of Fig. 3-1 to Fig. 3-4, D1 is a PCI9054_C, a PCI bus interface chip developed by PLX, whose main function is to implement the PCI connection and data transfer between the baseboard and the computer; D2 is an XC2S100PQ208, an FPGA developed by Xilinx, whose main functions are high-speed data exchange on the baseboard and control of the baseboard's internal interfaces; D3 and D4 are IDT72V3670, large-capacity synchronous FIFO chips developed by IDT, which buffer data for transmission and reception before it is converted into LVDS signals; D5 is an XCF01S, a serial PROM developed by Xilinx, which stores the execution logic of the XC2S100PQ208 and is used for its online configuration; D9 and D10 are SN65LVDS96 and SN65LVDS95 respectively, serializer and deserializer chips for multi-channel high-speed LVDS serial buses developed by TI, the SN65LVDS95 being the serial transmitter and the SN65LVDS96 the serial receiver/deserializer, whose main function is to implement the high-speed data connection between the baseboards.
In use, the external network data are usually TCP/IP data and are passed to the TCP/IP protocol stack through the untrusted-end network interface layer. The TCP/IP protocol stack performs access control on the network data according to the rules in the global security policy library: time, source IP, source port, destination IP and destination port. The TCP/IP data are passed from the TCP/IP protocol stack to the protocol analysis module, which processes them with a different application-protocol state machine for each application protocol; the input of the protocol analysis module is TCP/IP application protocol data and its output is GAP protocol packets. The GAP protocol packets are passed by the protocol analysis module to the session module, which starts the specific isolation program and ferries the legitimate data to the other side. When the data arrive at the opposite end, the opposite session module, according to the session ID of the data, delivers the GAP data together with the control information to the appropriate protocol reconstruction module, which reassembles the application data protocol according to the settings of the global security policy library and hands it to the TCP/IP protocol stack; the input of the protocol reconstruction module is GAP protocol packets and its output is TCP/IP application protocol data. The TCP/IP protocol stack then constructs legitimate packets and transmits them over the trusted-end network. Because the data are converted from TCP/IP format into GAP format in transit, the protocol is isolated.
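The data path described above (access control on time and the TCP/IP 5-tuple, a per-application state machine producing GAP packets, a session ferry, and protocol reconstruction on the trusted end) as an added software model. This is example code written for this page, not code from the patent or its applicant; the GAP frame layout, the rule and module names, the HTTP-only state machine and the sample traffic are all this example's own assumptions.

```python
# Added example (not from the patent): models the untrusted-end card, the one-way
# ferry between the session modules, and the trusted-end card. The GAP frame layout,
# all names and the sample traffic are assumptions made for this illustration.
import ipaddress
import struct
from dataclasses import dataclass

GAP_MAGIC = b"GAP1"      # assumed frame header; the patent specifies no layout
APP_IDS = {"http": 1}    # application protocols that have a state machine


@dataclass(frozen=True)
class Rule:              # one entry of the global security policy library
    src_net: str
    src_ports: range
    dst_ip: str
    dst_port: int
    hours: range         # permitted hours of day
    app: str             # application protocol the rule admits


# Constructed sample policy: intranet clients may reach one web server in office hours.
POLICY = [Rule("10.0.0.0/8", range(1024, 65536), "192.168.1.10", 80, range(8, 18), "http")]


@dataclass
class Segment:           # TCP/IP data as delivered by the untrusted-end stack
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    hour: int
    payload: bytes


def access_control(seg):
    """TCP/IP stack step: match time, source IP/port and destination IP/port."""
    src = ipaddress.ip_address(seg.src_ip)
    for r in POLICY:
        if (src in ipaddress.ip_network(r.src_net) and seg.src_port in r.src_ports
                and seg.dst_ip == r.dst_ip and seg.dst_port == r.dst_port
                and seg.hour in r.hours):
            return r
    return None


def http_state_machine(payload):
    """Protocol analysis for HTTP: accept only a well-formed GET/HEAD request with a
    Host header; anything else is rejected and never leaves the untrusted side."""
    try:
        head, _, _body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if method not in ("GET", "HEAD") or version != "HTTP/1.1" or not path.startswith("/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        return None
    return {"method": method, "path": path, "host": headers["host"]}


def to_gap(session_id, app, fields):
    """Encode analysed fields as a GAP packet: magic, session id, app id, length, body."""
    body = "".join(f"{k}={v}\n" for k, v in sorted(fields.items())).encode("ascii")
    return GAP_MAGIC + struct.pack("!IBH", session_id, APP_IDS[app], len(body)) + body


def from_gap(pkt):
    """Decode a GAP packet into (session_id, app, fields); None if malformed."""
    if pkt[:4] != GAP_MAGIC or len(pkt) < 11:
        return None
    session_id, app_id, length = struct.unpack("!IBH", pkt[4:11])
    body = pkt[11:]
    if len(body) != length:
        return None
    app = {v: k for k, v in APP_IDS.items()}.get(app_id)
    fields = dict(line.split("=", 1) for line in body.decode("ascii").splitlines())
    return session_id, app, fields


class OneWayLink:
    """Ferry between the session modules: the untrusted side can only send and the
    trusted side can only receive (a list stands in for the FIFO/LVDS path)."""
    def __init__(self):
        self._fifo = []

    def send_from_untrusted(self, pkt):
        self._fifo.append(pkt)

    def receive_at_trusted(self):
        return self._fifo.pop(0) if self._fifo else None
    # Deliberately no method moves data from the trusted side to the untrusted side.


def untrusted_end(seg, session_id, link):
    """Untrusted-end card: stack ACL -> protocol analysis -> session module -> ferry."""
    rule = access_control(seg)
    if rule is None:
        return "drop:policy"
    fields = {"http": http_state_machine}[rule.app](seg.payload)
    if fields is None:
        return "drop:protocol"
    link.send_from_untrusted(to_gap(session_id, rule.app, fields))
    return "ferried"


def trusted_end(link, sessions):
    """Trusted-end card: the session module checks the session id, the reconstruction
    module rebuilds a clean request for the trusted-end TCP/IP stack."""
    pkt = link.receive_at_trusted()
    if pkt is None:
        return None
    decoded = from_gap(pkt)
    if decoded is None or decoded[0] not in sessions or decoded[1] != "http":
        return None
    _sid, _app, f = decoded
    return f"{f['method']} {f['path']} HTTP/1.1\r\nHost: {f['host']}\r\n\r\n".encode("ascii")


def run_demo():
    """Constructed traffic: a legitimate request, the same request outside permitted
    hours, and a non-HTTP payload on the permitted port."""
    link, sessions = OneWayLink(), {7: ("10.1.2.3", "192.168.1.10")}
    good = Segment("10.1.2.3", 40000, "192.168.1.10", 80, 10,
                   b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n")
    late = Segment("10.1.2.3", 40001, "192.168.1.10", 80, 23, good.payload)
    junk = Segment("10.1.2.3", 40002, "192.168.1.10", 80, 10, b"\x90\x90/bin/sh\r\n")
    results = [untrusted_end(s, 7, link) for s in (good, late, junk)]
    return results, trusted_end(link, sessions), trusted_end(link, sessions)
```

Two points the model makes visible. First, what crosses the ferry is the parsed fields of an accepted application message, not the original TCP segment, so a malformed or non-HTTP payload is dropped on the untrusted side and the trusted-end stack only ever emits packets it built itself. Second, the one-way property here is a property of the software model (there is no trusted-to-untrusted call at all); the page attributes unidirectionality to the device as a whole and does not state whether the LVDS link itself is electrically one-way, so a deployment would verify that separately.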
Claims (4)
1. A network one-way protocol isolation device, characterised in that it comprises a trusted-end network PCI bus interface, an untrusted-end network PCI bus interface, an untrusted-end isolation card, a trusted-end isolation card and an LVDS bus, the trusted-end network PCI bus interface being connected to the trusted-end isolation card, the untrusted-end network PCI bus interface being connected to the untrusted-end isolation card, and the two ends of the LVDS bus being connected to the untrusted-end isolation card and the trusted-end isolation card respectively.
2. The network one-way protocol isolation device according to claim 1, characterised in that the untrusted-end isolation card is provided with a TCP/IP protocol stack, a protocol analysis module and a session module connected in sequence, the untrusted-end network PCI bus interface being connected to the TCP/IP protocol stack; the trusted-end isolation card is provided with a session module, a protocol reconstruction module and a TCP/IP protocol stack connected in sequence, this TCP/IP protocol stack being connected to the trusted-end network PCI bus interface; and the two ends of the LVDS bus are connected to the session modules on the untrusted-end isolation card and the trusted-end isolation card respectively.
3. The network one-way protocol isolation device according to claim 1 or 2, characterised in that the device comprises two baseboards, the untrusted-end isolation card being plugged into one baseboard through the untrusted-end network PCI bus interface and the trusted-end isolation card being plugged into the other baseboard through the trusted-end network PCI bus interface; both baseboards are provided with a network cable socket and a power interface.
4. The network one-way protocol isolation device according to claim 3, characterised in that a memory module is inserted in each of the two baseboards.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200620132274 CN200941631Y (en) | 2006-08-16 | 2006-08-16 | Net one-way protocal separator |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200620132274 CN200941631Y (en) | 2006-08-16 | 2006-08-16 | Net one-way protocal separator |
Publications (1)
Publication Number | Publication Date |
---|---|
CN200941631Y true CN200941631Y (en) | 2007-08-29 |
Family
ID=38747803
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200620132274 Expired - Fee Related CN200941631Y (en) | 2006-08-16 | 2006-08-16 | Net one-way protocal separator |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN200941631Y (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101325565B (en) * | 2008-07-30 | 2010-12-01 | 北京华电天仁电力控制技术有限公司 | Unidirection insulation network brake with protocol conversion function |
CN101986638A (en) * | 2010-09-16 | 2011-03-16 | 珠海市鸿瑞软件技术有限公司 | Gigabit one-way network isolation device |
CN103186743A (en) * | 2012-09-14 | 2013-07-03 | 曾崛 | Multi-network system data transmission device and method |
CN103186743B (en) * | 2012-09-14 | 2015-10-28 | 曾崛 | A kind of multi-network system data transmission device and method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101127761A (en) | Unidirectional protocol isolation method and device in network | |
CN109842585B (en) | Network information safety protection unit and protection method for industrial embedded system | |
CN101127760A (en) | Bidirectional protocol isolation method and its device in network | |
CN104683352B (en) | A kind of industrial communication isolation gap with binary channels ferry-boat | |
CN103812861B (en) | Isolation method and system for IPSEC (internet protocol security) VPN (virtual private network) device | |
CN105656883A (en) | Unidirectional transmission internal and external network secure isolating gateway applicable to industrial control network | |
CN101986638A (en) | Gigabit one-way network isolation device | |
CN108521331A (en) | Hidden information based on source address sends system and sending method | |
CN106506510A (en) | Dynamic vibration signal data inter-network lock Transmission system and its method | |
CN103237036A (en) | Device for realizing physical partition of internal and external networks | |
CN103209191A (en) | Method for realizing physical partition of internal and external networks | |
CN106330973B (en) | Data security exchange method based on black and white list | |
CN200941631Y (en) | Net one-way protocal separator | |
CN109218308A (en) | A kind of data high-speed secure exchange method based on intelligent network adapter | |
CN204089849U (en) | A kind of network isolating device based on industrial control protocols | |
CN202231742U (en) | Network isolation device | |
CN107612679A (en) | A kind of safe Ethernet bridge scrambling terminal based on national secret algorithm | |
CN106992987A (en) | A kind of information transmission equipment and method based on USB | |
CN104079578A (en) | Evidence-taking data hidden transmission method and system | |
CN202979014U (en) | Network isolation device | |
CN204481853U (en) | A kind of isolation gap based on SDI | |
CN108418839A (en) | Electric power dedicated encrypted COMSEC module | |
Grossi et al. | A high throughput Intrusion Detection System (IDS) to enhance the security of data transmission among research centers | |
CN102904864A (en) | Personal computer system and method for preventing passive network disclosure | |
CN200944606Y (en) | Networking two-way protocol isolation device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C17 | Cessation of patent right | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20070829 Termination date: 20090916 |