CN104168257A - Data isolation device based on non-network mode, and method and system thereof (Google Patents)

Info

Publication number: CN104168257A
Application number: CN201410042475.7A
Authority: CN (China)
Granted version: CN104168257B
Legal status: Active (granted; as listed by Google Patents, not a legal conclusion)
Original language: Chinese (zh)
Prior art keywords: tcp, extranet, service end, network, packet
Inventors: 梁智强, 胡朝辉, 江泽鑫, 梁志宏, 陈炯聪, 黄曙, 余南华, 林丹生, 李闯, 石炜君, 梁毅成, 黄岳峰
Assignee (original and current): Electric Power Research Institute of Guangdong Power Grid Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a data isolation device based on a non-network mode, together with an isolation method and an isolation system that use it. The device comprises an intranet host, an extranet host and an isolation communication module. Both hosts run a network protocol stack; the extranet host maintains a TCP proxy server module and the intranet host maintains a TCP proxy client module. The TCP proxy server module establishes a TCP connection, socket1, with the service-packet client and forwards data over it; the TCP proxy client module establishes a TCP connection, socket2, with the service-packet server and forwards data over it. The isolation communication module uses a proprietary protocol: the TCP header and the headers beneath it are stripped from each service packet and only the pure service payload is forwarded. Overall this realizes layer-4 isolated communication between the inner and outer hosts, prevents all network attacks other than attacks carried inside the proprietary protocol, and keeps network data exchange efficient while the internal and external networks remain physically isolated.

Description

Data isolation device based on non-network mode, and method and system thereof
Technical field
The present invention relates to the field of network security, and in particular to a data isolation device based on a non-network mode, and to a method and system thereof.
Background
With the spread and development of computer networking, attacks based on TCP/IP networks are rampant, and network security has become ever more important. In a class of applications with high security requirements, the internal network is conventionally required to be physically isolated from the external network in order to protect the information on the internal network.
At the same time, while keeping the internal and external networks physically isolated, a small amount of data still has to be exchanged with the external network for the internal network to operate normally. This exchange is usually carried out offline. Offline exchange is inefficient, consumes a great deal of time and adds considerably to the operators' workload.
Summary of the invention
Accordingly, to address the inefficiency of offline data exchange between the internal and external networks under the requirement that the two remain physically isolated, a non-network-mode data isolation device, and a method and system thereof, are provided which exchange data between the internal and external networks efficiently while keeping them physically isolated.
A data isolation method of a non-network-mode data isolation device. The device comprises an intranet host, an extranet host and an isolation communication module; the intranet host and the extranet host are physically connected through the isolation communication module, and each is loaded with the isolation-channel proprietary protocol, an operating system and a network protocol stack.
The method comprises the steps of:
establishing a TCP proxy server in the extranet host and a TCP proxy client in the intranet host; using port redirection, establishing a TCP connection, socket1, between the TCP proxy server and the extranet packet client;
obtaining the private communication protocol of the isolation communication module and, according to it, establishing the non-network isolation channel between the TCP proxy server and the TCP proxy client;
using source network address translation with table lookup, establishing a TCP connection, socket2, between the TCP proxy client and the extranet packet server (the server on the intranet side to which the extranet packets are addressed);
maintaining socket1 and socket2 as one logical channel, so that the service data packets exchanged between the extranet packet client and the extranet packet server are carried over three segments: socket1, the isolation channel and socket2;
when a service data packet traverses the non-network isolation channel, stripping its TCP header and the headers beneath it, and transmitting only the pure service payload.
A data isolation system of a non-network-mode data isolation device. The device comprises an intranet host, an extranet host and an isolation communication module; the intranet host and the extranet host are physically connected through the isolation communication module, and each is loaded with the isolation-channel proprietary protocol, an operating system and a network protocol stack.
The data isolation system comprises:
a TCP proxy establishing module, for establishing a TCP proxy server in the extranet host and a TCP proxy client in the intranet host;
a first communication link establishing module, for establishing, by port redirection, the TCP connection socket1 between the TCP proxy server and the extranet packet client;
an isolation channel establishing module, for obtaining the private communication protocol of the isolation communication module and establishing, according to it, the non-network isolation channel between the TCP proxy server and the TCP proxy client;
a second communication link establishing module, for establishing, by source network address translation with table lookup, the TCP connection socket2 between the TCP proxy client and the extranet packet server;
a logical channel forming module, for maintaining socket1 and socket2 as one logical channel, so that the service data packets exchanged between the extranet packet client and the extranet packet server are carried over the three segments socket1, isolation channel and socket2;
a message stripping module, for stripping, when a service data packet traverses the non-network isolation channel, its TCP header and the headers beneath it, and transmitting only the pure service payload.
A data isolation device based on a non-network mode comprises an intranet host, an extranet host and an isolation communication module. The intranet host and the extranet host are physically connected through the isolation communication module, and each is loaded with the isolation-channel proprietary protocol, an operating system and a network protocol stack; the extranet host maintains a TCP proxy server module and the intranet host maintains a TCP proxy client module.
The isolation communication module exchanges pure application data between the intranet host and the extranet host according to a built-in proprietary protocol, and isolates (blocks) all non-pure application data between them. Pure application data is data that contains no TCP network information, link information or transport-layer information.
The data isolation device of the invention thus comprises an intranet host, an extranet host and an isolation communication module. Both hosts run a network protocol stack and maintain, respectively, the TCP proxy client module and the TCP proxy server module. The TCP proxy server module establishes the TCP connection socket1 with the service-packet client and forwards data over it; the TCP proxy client module establishes the TCP connection socket2 with the service-packet server and forwards data over it. The isolation communication module uses the proprietary protocol, strips the TCP header and the headers beneath it from each service packet, and forwards only the pure service payload. Overall this realizes layer-4 isolated communication between the inner and outer hosts, blocks all network attacks other than attacks carried inside the proprietary protocol, and keeps network data exchange efficient while the internal and external networks remain physically isolated.
Brief description of the drawings
Fig. 1 is a flow chart of a first embodiment of the isolation method of the non-network-mode data isolation device of the invention;
Fig. 2 is a flow chart of a second embodiment of the isolation method;
Fig. 3 is a structural diagram of an embodiment of the isolation system of the device;
Fig. 4 is a structural diagram of a first embodiment of the non-network-mode data isolation device;
Fig. 5 is a structural diagram of a second embodiment of the device;
Fig. 6 shows, for an embodiment of the isolation method, how the socket1 channel, the isolation channel and socket2 are established;
Fig. 7 shows, for an embodiment of the isolation method, how a packet is processed on its way from the client to the service end;
Fig. 8 shows, for an embodiment of the isolation method, how a packet returns from the service end to the client after the service end has processed it.
Embodiments
In order to make the objects, technical solution and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it.
As shown in Fig. 1, a data isolation method of a non-network-mode data isolation device. The device comprises an intranet host, an extranet host and an isolation communication module; the intranet host and the extranet host are physically connected through the isolation communication module, and each is loaded with the isolation-channel proprietary protocol, an operating system and a network protocol stack.
The method comprises the steps:
S100: establish a TCP proxy server in the extranet host and a TCP proxy client in the intranet host;
S200: using port redirection, establish a TCP connection, socket1, between the TCP proxy server and the extranet packet client;
S300: obtain the private communication protocol of the isolation communication module and, according to it, establish the non-network isolation channel between the TCP proxy server and the TCP proxy client;
S400: using source network address translation with table lookup, establish a TCP connection, socket2, between the TCP proxy client and the extranet packet server;
S500: maintain socket1 and socket2 as one logical channel, so that the service data packets exchanged between the extranet packet client and the extranet packet server are carried over the three segments socket1, isolation channel and socket2;
S600: when a service data packet traverses the non-network isolation channel, strip its TCP header and the headers beneath it and transmit only the pure service payload.
With this method the intranet host and the extranet host remain physically isolated while pure application data is exchanged between them according to the private communication protocol of the isolation communication module, so extranet packets can be transmitted efficiently through the non-network-mode data isolation device.
In one embodiment, establishing the TCP connection socket1 between the TCP proxy server and the extranet packet client by port redirection specifically comprises the steps:
the extranet packet client sends a TCP connection request packet to the extranet host;
when the TCP connection request packet reaches the extranet host, port redirection redirects it to the TCP proxy server, which accepts it and creates the new socket1;
the TCP proxy server queries inward to obtain the destination address the packet carried before socket1 was redirected, namely the extranet packet server;
the TCP proxy server sends a request to the TCP proxy client through the isolation communication module, asking it to establish the TCP connection from the extranet packet client to the extranet packet server.
In one embodiment, establishing the TCP connection socket2 between the TCP proxy client and the extranet packet server by source network address translation with table lookup specifically comprises the steps:
the TCP proxy client creates socket2 and binds it to port3;
the TCP proxy client adds a source network address translation policy to the kernel, mapping the source address of packets sent from the TCP proxy client to the extranet packet server to the address of the extranet packet client;
the TCP proxy client initiates a TCP connection request to the extranet packet server over socket2; the extranet packet server reads the source address of this connection as the address of the extranet packet client, and the connection is established.
As shown in Fig. 2, in one embodiment the method further comprises, before S600:
S520: when socket1 or socket2 is closed, actively or passively, delete all source network address translation policies on the intranet host.
In this embodiment, whenever socket1 or socket2 is closed, actively or passively, or the inner or outer host needs to restart, all source network address translation policies on the intranet host are deleted, so that no translation rule outlives the connection it was created for. This keeps the intranet host safe and prevents an abnormal condition from leaving the intranet host hijacked by an attacker or its data tampered with.
As shown in Fig. 3, a data isolation system of a non-network-mode data isolation device. The device comprises an intranet host, an extranet host and an isolation communication module; the intranet host and the extranet host are physically connected through the isolation communication module, and each is loaded with the isolation-channel proprietary protocol, an operating system and a network protocol stack.
The data isolation system comprises:
a TCP proxy establishing module 310, for establishing a TCP proxy server in the extranet host and a TCP proxy client in the intranet host;
a first communication link establishing module 320, for establishing, by port redirection, the TCP connection socket1 between the TCP proxy server and the extranet packet client;
an isolation channel establishing module 330, for obtaining the private communication protocol of the isolation communication module and establishing, according to it, the non-network isolation channel between the TCP proxy server and the TCP proxy client;
a second communication link establishing module 340, for establishing, by source network address translation with table lookup, the TCP connection socket2 between the TCP proxy client and the extranet packet server;
a logical channel forming module 350, for maintaining socket1 and socket2 as one logical channel, so that the service data packets exchanged between the extranet packet client and the extranet packet server are carried over the three segments socket1, isolation channel and socket2;
a message stripping module 360, for stripping, when a service data packet traverses the non-network isolation channel, its TCP header and the headers beneath it, and transmitting only the pure service payload.
With this system the intranet host and the extranet host remain physically isolated while pure application data is exchanged between them according to the private communication protocol of the isolation communication module, so extranet packets can be transmitted efficiently through the non-network-mode data isolation device.
In one embodiment, the first communication link establishing module specifically comprises:
a sending unit, for sending the TCP connection request packet from the extranet packet client to the extranet host;
a first communication link establishing unit, for redirecting the TCP connection request packet, when it reaches the extranet host, to the TCP proxy server by port redirection, the TCP proxy server accepting it and creating the new socket1;
a redirection unit, for the TCP proxy server to query inward for the destination address the packet carried before socket1 was redirected, namely the extranet packet server;
a request unit, for the TCP proxy server to send a request through the isolation communication module to the TCP proxy client, asking it to establish the TCP connection from the extranet packet client to the extranet packet server.
In one embodiment, the second communication link establishing module specifically comprises:
a second communication link establishing unit, for the TCP proxy client to create socket2 and bind it to port3;
an address mapping unit, for the TCP proxy client to add a source network address translation policy to the kernel, mapping the source address of packets sent from the TCP proxy client to the extranet packet server to the address of the extranet packet client;
a connecting unit, for the TCP proxy client to initiate a TCP connection request to the extranet packet server over socket2, the extranet packet server reading the source address of the connection as the address of the extranet packet client, whereupon the connection is established.
As shown in Fig. 4, a data isolation device based on a non-network mode comprises an intranet host 100, an extranet host 200 and an isolation communication module 300. The intranet host 100 and the extranet host 200 are physically connected through the isolation communication module 300; each host is loaded with the isolation-channel proprietary protocol, an operating system and a network protocol stack; the extranet host maintains the TCP proxy server module and the intranet host maintains the TCP proxy client module.
The isolation communication module 300 exchanges pure application data between the intranet host and the extranet host according to a built-in proprietary protocol and isolates all non-pure application data between them; pure application data is data that contains no TCP/IP network information, link information or transport-layer information.
The data isolation device of the invention thus comprises an intranet host, an extranet host and an isolation communication module. Both hosts run a network protocol stack and maintain, respectively, the TCP proxy client module and the TCP proxy server module. The TCP proxy server module establishes the TCP connection socket1 with the service-packet client and forwards data over it; the TCP proxy client module establishes the TCP connection socket2 with the service-packet server and forwards data over it. The isolation communication module uses the proprietary protocol, strips the TCP header and the headers beneath it from each service packet, and forwards only the pure service payload. Overall this realizes layer-4 isolated communication between the inner and outer hosts, blocks all network attacks other than attacks carried inside the proprietary protocol, and keeps network data exchange efficient while the internal and external networks remain physically isolated. Note what the exclusion means in practice: the application payload crosses the channel unchanged and uninspected, so an attack carried in that payload still reaches the service end, which must defend itself at the application layer.
As shown in Fig. 5, in one embodiment the isolation communication module 300 comprises a circuit isolation partition 320 and a data isolation card 340. The circuit isolation partition 320 isolates the non-pure application data between the intranet host and the extranet host; the data isolation card 340 exchanges the pure application data between them according to the built-in proprietary protocol.
In a sense the isolation communication module can be divided into two zones: an isolation zone, which isolates the non-pure application data between the intranet host and the extranet host, and an exchange zone, which exchanges the pure application data between them according to the built-in proprietary protocol. In this embodiment the isolation zone is the circuit isolation partition and the exchange zone is the data isolation card; working together they achieve efficient data exchange between the internal and external networks while keeping the two networks physically isolated.
As shown in Fig. 5, in one embodiment the non-network-mode data isolation device further comprises an intranet network interface card 400 and an extranet network interface card 500; the intranet network interface card 400 is connected to the intranet host 100 and the extranet network interface card 500 is connected to the extranet host 200.
To explain the data isolation method in more detail, the transmission of a packet over the three segments socket1, isolation channel and socket2 is described below. For ease of explanation, in what follows the party on the extranet-host side of the device is called the client and the party on the intranet-host side is called the service end (server), and the addresses of the client, the extranet host, the intranet host and the service end are ip1, ip2, ip3 and ip4 respectively.
Fig. 6 shows how the socket1 channel, the isolation channel and socket2 are established.
1. The client initiates a TCP connection request to the server; the connection is from ip1 to ip4.
2. When the connection request packet reaches the outer host it is port-redirected to ip2, and the outer proxy server module accepts it, creating the new socket1.
3. The outer proxy server module queries inward for the destination address ip4 that the connection carried before socket1 was redirected.
4. The outer proxy server module sends a request through the isolation communication module to the inner proxy client module, asking it to establish the TCP connection from ip1 to ip4.
6. The inner proxy client module creates socket2 and binds it to port3.
7. The inner proxy client module adds a source network address translation policy to the kernel, mapping the source address of packets from ip3 to ip4 to ip1.
8. Finally, the inner proxy client module initiates the TCP connection request to the server over socket2; the server reads the source address of this connection as the client address (ip1), and the connection is established.
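The patent names the three kernel-side mechanisms of this setup only generically ("port redirection", "query the destination address before redirection", "source network address translation policy"). The following is an added example, not the patent's code, showing how each would be realised on a Linux host; the choice of netfilter REDIRECT, the SO_ORIGINAL_DST socket option and a POSTROUTING SNAT rule is this editor's assumption, as are the example values for proxy_port, port3 and the allow-list check, which the patent does not describe. ip1 to ip4 follow the patent's notation (client, extranet host, intranet host, service end).

```python
"""Added example (not the patent's code): Linux mechanisms assumed for the
setup steps of Fig. 6. The patent states none of these; assumed here are
netfilter REDIRECT for "port redirection", SO_ORIGINAL_DST for "query the
destination address before redirection", and a POSTROUTING SNAT rule for
the "source NAT policy". proxy_port, port3 and the allow-list are example
values chosen by the editor."""
import socket
import struct

SO_ORIGINAL_DST = 80        # from linux/netfilter_ipv4.h; not exported by the socket module


def redirect_rule(ip4: str, port4: int, proxy_port: int) -> str:
    """Extranet host: steer client SYNs for ip4:port4 to the local TCP proxy
    server, whose accept() then creates socket1 (Fig. 6, step 2)."""
    return (f"iptables -t nat -A PREROUTING -p tcp -d {ip4} --dport {port4} "
            f"-j REDIRECT --to-ports {proxy_port}")


def sockaddr_in(ip: str, port: int) -> bytes:
    """Build a struct sockaddr_in (family, port, addr, 8 zero bytes); used
    here to construct test input in the form the kernel returns."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))


def parse_original_dst(raw: bytes):
    """Decode the sockaddr_in returned by getsockopt(SOL_IP, SO_ORIGINAL_DST):
    the address the client dialled before REDIRECT rewrote it (Fig. 6, step 3)."""
    if len(raw) < 8:
        raise ValueError("short sockaddr")
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr")
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port


def original_dst(accepted: socket.socket):
    """Ask the kernel where a redirected, accepted connection was really going."""
    return parse_original_dst(accepted.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def is_permitted(dst, allow_list) -> bool:
    """Assumed check, not in the patent: forward the connect request across the
    channel (Fig. 6, step 4) only if the original destination is a listed service end."""
    return dst in allow_list


def snat_rule(ip3: str, port3: int, ip4: str, port4: int, ip1: str) -> str:
    """Intranet host: packets the proxy client sends from ip3:port3 to ip4:port4
    leave with source ip1, so the service end sees the real client (Fig. 6, step 7).
    The same rule with -D instead of -A removes it when socket1 or socket2
    closes (step S520)."""
    return (f"iptables -t nat -A POSTROUTING -p tcp -s {ip3} --sport {port3} "
            f"-d {ip4} --dport {port4} -j SNAT --to-source {ip1}")
```

Two deployment points follow from this realisation and are worth checking before relying on the scheme. First, the SNAT makes the service end reply to ip1, so those replies must be routed back through the intranet host (ip3), where connection tracking reverses the translation before the packet is handed to the proxy client (Fig. 8, step 2); if ip4 has a different route to ip1, socket2 never completes. Second, the rule is keyed on the source port bound to socket2 (port3), which is why the patent deletes all such rules when either socket closes: a stale rule would rewrite the source address of any later connection that happened to reuse the port.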
Fig. 7 shows how a packet is processed on its way from the client to the service end.
1. After the proxy path has been set up, the client sends TCP service data to the server; the packet is from ip1 to ip4.
2. When the service data packet reaches the outer host it is port-redirected to ip2 and received by the outer proxy server module on socket1.
3. The outer proxy server module encapsulates the pure service payload of the packet with the custom proprietary protocol and delivers it through the isolation communication module to the inner proxy client module.
4. The inner proxy client module sends this payload to the server ip4 over socket2.
5. Before the inner host transmits, the kernel finds the source network address translation policy for ip3 to ip4 and rewrites the packet's source address to the client's.
6. The server receives a service data packet whose source address is the client's and performs the corresponding service processing.
Fig. 8 shows how a packet returns from the service end to the client after the service end has processed it.
1. After the proxy path has been set up, the server sends service data to the client; the packet is from ip4:port4 to ip1.
2. When the service data packet reaches the inner host, the kernel looks up the network address translation table and delivers the packet to the inner proxy client program.
3. The inner proxy client program extracts the pure service payload of the packet.
4. It encapsulates the payload with the custom proprietary protocol and delivers it through the isolation communication module to the outer proxy server module.
5. The outer proxy server module sends this payload to the client ip1 over socket1.
6. Before the outer host transmits, the kernel looks up the network address translation table and rewrites the packet's source address to the server address ip4.
7. The client receives a service data packet whose source address is the server's and performs the corresponding service processing.
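The data path of Figs. 7 and 8 is easiest to see end to end. The following is an added example written for this page, not code from the patent: an in-process model of the logical channel socket1, isolation channel, socket2. The two proxy halves and the service end are real TCP endpoints on 127.0.0.1, while the isolation module is modelled by two queues carrying frames in a proprietary format assumed by the editor ([conn_id:4][length:4][payload]); the patent does not disclose its framing. Only application bytes cross the queues, which is what "strip the TCP header and the headers beneath it" amounts to once the kernel has reassembled the stream. Port redirection and SNAT are kernel functions and are left out of the model, so the proxy server is dialled directly.

```python
"""Added example (not the patent's code): an in-process model of the logical
channel socket1 -> isolation channel -> socket2 of Figs. 6 to 8. The proxy
halves and the service end are real TCP endpoints on 127.0.0.1; the
isolation module is two queues carrying frames in an assumed proprietary
format [conn_id:4][length:4][payload]. Only application bytes cross, which
is what "strip the TCP header and the headers beneath it" amounts to. Port
redirection and SNAT are kernel functions and are not modelled."""
import queue
import socket
import struct
import threading

FRAME_HDR = struct.Struct("!II")      # conn_id, payload length (big-endian)
MAX_PAYLOAD = 64 * 1024               # assumed limit of the isolation card


def encode_frame(conn_id: int, payload: bytes) -> bytes:
    """Wrap application bytes for the channel; an empty payload signals EOF."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds channel limit")
    return FRAME_HDR.pack(conn_id, len(payload)) + payload


def decode_frame(frame: bytes):
    """Validate a frame received from the channel and return (conn_id, payload)."""
    if len(frame) < FRAME_HDR.size:
        raise ValueError("short frame")
    conn_id, length = FRAME_HDR.unpack_from(frame)
    payload = frame[FRAME_HDR.size:]
    if length != len(payload) or length > MAX_PAYLOAD:
        raise ValueError("malformed frame")
    return conn_id, payload


def pump(src: socket.socket, out_q: queue.Queue, conn_id: int) -> None:
    """TCP -> channel: read application bytes and push payload-only frames."""
    while True:
        data = src.recv(4096)
        out_q.put(encode_frame(conn_id, data))
        if not data:                       # peer closed its sending side
            return


def drain(in_q: queue.Queue, dst: socket.socket, conn_id: int) -> None:
    """Channel -> TCP: pop frames and write their payload to this channel's socket."""
    while True:
        cid, payload = decode_frame(in_q.get())
        if cid != conn_id:
            raise ValueError("frame for an unknown logical channel")
        if not payload:
            dst.shutdown(socket.SHUT_WR)   # carry the EOF across the gap
            return
        dst.sendall(payload)


def run_demo(request: bytes) -> bytes:
    """Client -> socket1 -> channel -> socket2 -> service end, and the reply
    back the same way. Returns the bytes the client receives."""
    socket.setdefaulttimeout(5)
    to_inner, to_outer = queue.Queue(), queue.Queue()
    conn_id = 1
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)        # service end, ip4
    outer = socket.socket(); outer.bind(("127.0.0.1", 0)); outer.listen(1)  # proxy server, ip2

    def service_end():                  # reads to EOF, replies upper-cased
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
            conn.sendall(buf.upper())

    def inner_proxy_client():           # socket2, bridged to the channel
        with socket.create_connection(srv.getsockname()) as s2:
            threading.Thread(target=drain, args=(to_inner, s2, conn_id), daemon=True).start()
            pump(s2, to_outer, conn_id)

    def outer_proxy_server():           # accepts the (redirected) client connection as socket1
        s1, _ = outer.accept()
        # in the patent the connect request itself crosses the channel (Fig. 6, step 4)
        threading.Thread(target=inner_proxy_client, daemon=True).start()
        with s1:
            threading.Thread(target=pump, args=(s1, to_inner, conn_id), daemon=True).start()
            drain(to_outer, s1, conn_id)

    for fn in (service_end, outer_proxy_server):
        threading.Thread(target=fn, daemon=True).start()
    with socket.create_connection(outer.getsockname()) as cli:             # client, ip1
        cli.sendall(request)
        cli.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := cli.recv(4096):
            reply += chunk
    srv.close(); outer.close()
    return reply


if __name__ == "__main__":
    print(run_demo(b"hello from the extranet"))
```

The model makes the security boundary of the scheme concrete: `decode_frame` is the only place the inner side can reject anything, and all it can check is framing (length, channel id). Whatever the client put in the TCP payload arrives at the service end byte for byte, so the isolation device removes network- and transport-layer attack surface but none of the application-layer surface; the service end still needs its own input validation.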
The embodiments above express only several implementations of the invention; their description is specific and detailed, but must not be understood as limiting the scope of the patent claims. It should be noted that a person of ordinary skill in the art may make various modifications and improvements without departing from the inventive concept, and these all fall within the scope of protection of the invention. The scope of protection of the patent is therefore defined by the appended claims.

Claims (10)

1. the data isolation method of the data isolation apparatus of a non-network mode, it is characterized in that, the data isolation apparatus of non-network mode comprises intranet host, outer net main frame and isolated communication module, described intranet host and described outer net main frame are by described isolated communication module physical connection, and described intranet host and described outer net main frame are loaded with respectively channel isolation proprietary protocol, operating system and network protocol stack;
The data isolation method of the data isolation apparatus of non-network mode comprises step:
Set up the TCP agent client in TCP agency service end and the described intranet host in described outer net main frame; Adopt port redirection technology, the TCP setting up between described TCP agency service end and outer net packet client is connected socket1;
Obtain the privately owned communication protocol of isolated communication module, according to the privately owned communication protocol of described isolated communication module, set up the non-network isolated channel between described TCP agency service end and described TCP agent client;
Adopt source network address conversion query technology, set up described TCP agent client and be connected socket2 with the TCP of outer net packet service end;
Socket1 and socket2 are maintained as to logical channel, so that the business datum of transmitting between outer net packet client and outer net packet service end wraps in transmission in socket1, channel isolation and tri-sections of intervals of socket2;
In the time having business data packet to pass through described non-network isolated channel transmission, divest the TCP head of described business data packet and following heading, only carry out pure business datum load transmission.
2. The data isolation method of the data isolation apparatus based on non-network mode according to claim 1, characterized in that using port redirection to establish the TCP connection socket1 between the TCP proxy server and the external-network packet client specifically comprises the steps of:
the external-network packet client sends a TCP connection request packet to the external network host;
when the TCP connection request packet arrives at the external network host, port redirection redirects the TCP connection request packet to the TCP proxy server, which accepts it and creates a new socket, socket1;
the TCP proxy server performs an internal verification query and obtains the destination address that socket1 had before redirection, which is the external-network packet server;
the TCP proxy server sends a request to the TCP proxy client through the isolation communication module, requesting that a TCP connection from the external-network packet client to the external-network packet server be established.
3. The data isolation method of the data isolation apparatus based on non-network mode according to claim 1 or 2, characterized in that using the source network address translation query technique to establish the TCP connection socket2 between the TCP proxy client and the external-network packet server specifically comprises the steps of:
the TCP proxy client creates socket2 and binds it to port3;
the TCP proxy client adds a source network address translation rule to the kernel, under which the source address of packets sent by the TCP proxy client is mapped to the address of the external-network packet client;
the TCP proxy client uses socket2 to initiate a TCP connection request to the external-network packet server; the external-network packet server reads the source address of this connection as the address of the external-network packet client, and the connection is successfully established.
4. The data isolation method of the data isolation apparatus based on non-network mode according to claim 1 or 2, characterized in that, before the step of stripping the TCP header and the headers below it from the service data packet and transmitting only the pure service payload when a service data packet is transmitted through the non-network isolation channel, the method further comprises the step of:
when socket1 or socket2 is closed, whether actively or passively, deleting all source network address translation rules in the internal network host.
5. A data isolation system for a data isolation apparatus in non-network mode, characterized in that the data isolation apparatus in non-network mode comprises an internal network host, an external network host and an isolation communication module, the internal network host and the external network host are physically connected through the isolation communication module, and the internal network host and the external network host are each loaded with an isolation-channel proprietary protocol, an operating system and a network protocol stack;
the data isolation system of the data isolation apparatus in non-network mode comprises:
a TCP proxy establishing module, for establishing a TCP proxy server in the external network host and a TCP proxy client in the internal network host;
a first communication link establishing module, for establishing, using port redirection, a TCP connection socket1 between the TCP proxy server and an external-network packet client;
an isolation channel establishing module, for obtaining the private communication protocol of the isolation communication module and, according to that private communication protocol, establishing a non-network isolation channel between the TCP proxy server and the TCP proxy client;
a second communication link establishing module, for establishing, using the source network address translation query technique, a TCP connection socket2 between the TCP proxy client and an external-network packet server;
a logical channel forming module, for maintaining socket1 and socket2 as one logical channel, so that the service data packets exchanged between the external-network packet client and the external-network packet server are transmitted over three segments: socket1, the isolation channel and socket2;
a message stripping module, for stripping, when a service data packet is transmitted through the non-network isolation channel, the TCP header and the headers below it from the service data packet and transmitting only the pure service payload.
6. The data isolation system of the data isolation apparatus based on non-network mode according to claim 5, characterized in that the first communication link establishing module specifically comprises:
a sending unit, for sending a TCP connection request packet from the external-network packet client to the external network host;
a first communication link establishing unit, for redirecting, when the TCP connection request packet arrives at the external network host, the TCP connection request packet to the TCP proxy server by port redirection, the TCP proxy server accepting it and creating a new socket, socket1;
a redirection unit, for the TCP proxy server to perform an internal verification query and obtain the destination address that socket1 had before redirection, which is the external-network packet server;
a request unit, for the TCP proxy server to send a request to the TCP proxy client through the isolation communication module, requesting that a TCP connection from the external-network packet client to the external-network packet server be established.
7. The data isolation system of the data isolation apparatus based on non-network mode according to claim 5 or 6, characterized in that the second communication link establishing module specifically comprises:
a second communication link establishing unit, for the TCP proxy client to create socket2 and bind it to port3;
an address mapping unit, for the TCP proxy client to add a source network address translation rule to the kernel, under which the source address of packets sent by the TCP proxy client is mapped to the address of the external-network packet client;
a connecting unit, for the TCP proxy client to initiate a TCP connection request to the external-network packet server using socket2, the external-network packet server reading the source address of this connection as the address of the external-network packet client, whereupon the connection is successfully established.
8. A data isolation apparatus based on non-network mode, characterized in that it comprises an internal network host, an external network host and an isolation communication module, the internal network host and the external network host are physically connected through the isolation communication module, the internal network host and the external network host are each loaded with an isolation-channel proprietary protocol, an operating system and a network protocol stack, the external network host maintains a TCP proxy server module, and the internal network host maintains a TCP proxy client module;
the isolation communication module is used to exchange pure application data between the internal network host and the external network host according to a built-in proprietary protocol, and to isolate non-pure application data between the internal network host and the external network host, where pure application data is data that contains no TCP network information, link information or transport layer information.
9. The data isolation apparatus based on non-network mode according to claim 8, characterized in that the isolation communication module comprises a reverse-circuit isolation partition and a data isolation card;
the reverse-circuit isolation partition is used to isolate non-pure application data between the internal network host and the external network host, and the data isolation card is used to exchange pure application data between the internal network host and the external network host according to the built-in proprietary protocol.
10. The data isolation apparatus based on non-network mode according to claim 8 or 9, characterized in that it further comprises an internal network interface card and an external network interface card, the internal network interface card being connected to the internal network host and the external network interface card being connected to the external network host.
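As an added example that is not code from the patent or its assignee, the following Python models the three segments of claims 1 to 4 (socket1, isolation channel, socket2) and the "pure application data" constraint of claim 8. The frame layout, the class names OuterProxyServer, InnerProxyClient and SnatTable, the port3 value and all addresses are assumptions for illustration; the patent's private channel protocol is not published. The kernel SNAT rules of claims 3 and 4 are modelled as a table rather than installed, so the block runs without privileges and shows why the server sees the external client's address and why every rule is flushed when either socket closes.

```python
"""Added example, not code from the patent or its assignee: a deterministic
model of the three-segment channel in claims 1-4 and 8 (socket1 -> isolation
channel -> socket2).  Frame layout, class names and addresses are assumptions
for illustration; the patent's private protocol is unpublished."""
import struct

CONNECT, DATA, CLOSE = 1, 2, 3          # the only frame kinds the channel carries
_HDR = struct.Struct("!BI")             # frame type (1 byte), payload length (4)
MAX_PAYLOAD = 64 * 1024


def encode_frame(ftype, payload=b""):
    """Wrap pure payload in the channel's private header; no TCP/IP fields."""
    if ftype not in (CONNECT, DATA, CLOSE):
        raise ValueError("unknown frame type %r" % ftype)
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds channel limit")
    return _HDR.pack(ftype, len(payload)) + payload


def decode_frames(buf):
    """Parse channel bytes into (type, payload) tuples; returns (frames, leftover)."""
    frames, off = [], 0
    while len(buf) - off >= _HDR.size:
        ftype, length = _HDR.unpack_from(buf, off)
        if ftype not in (CONNECT, DATA, CLOSE) or length > MAX_PAYLOAD:
            raise ValueError("malformed frame at offset %d" % off)
        if len(buf) - off - _HDR.size < length:
            break                       # partial frame: keep it for the next read
        start = off + _HDR.size
        frames.append((ftype, buf[start:start + length]))
        off = start + length
    return frames, buf[off:]


class SnatTable:
    """Model of the kernel SNAT rules the TCP proxy client installs (claim 3)."""
    def __init__(self):
        self.rules = {}                 # (src_ip, src_port) -> rewritten src_ip

    def add(self, proxy_src, client_ip):
        self.rules[proxy_src] = client_ip

    def translate(self, pkt):
        """Rewrite the source address of a constructed outbound packet dict."""
        new_src = self.rules.get((pkt["src_ip"], pkt["src_port"]))
        return dict(pkt, src_ip=new_src) if new_src else pkt

    def flush(self):
        self.rules.clear()


class OuterProxyServer:
    """TCP proxy server on the external network host (claims 1 and 2)."""
    def handle_redirected_connect(self, client_ip, original_dst):
        # original_dst is the destination socket1 had before port redirection,
        # i.e. the packet server; the proxy client needs it to open socket2.
        ip, port = original_dst
        return encode_frame(CONNECT, ("%s|%s|%d" % (client_ip, ip, port)).encode())

    def forward(self, socket1_payload):
        # recv() on socket1 yields only the TCP payload, so the channel never
        # carries the client's IP/TCP headers (claim 1, last step).
        return encode_frame(DATA, socket1_payload)

    def closed(self):
        return encode_frame(CLOSE)


class InnerProxyClient:
    """TCP proxy client on the internal network host (claims 3 and 4)."""
    def __init__(self, proxy_ip="10.0.0.2", port3=40000):  # constructed values
        self.proxy_ip, self.port3 = proxy_ip, port3
        self.snat, self.socket2, self.buf = SnatTable(), None, b""

    def process(self, chunk):
        """Consume channel bytes and return the events they cause."""
        self.buf += chunk
        frames, self.buf = decode_frames(self.buf)
        events = []
        for ftype, payload in frames:
            if ftype == CONNECT:
                client_ip, dst_ip, dst_port = payload.decode().split("|")
                self.socket2 = {"src_ip": self.proxy_ip, "src_port": self.port3,
                                "dst_ip": dst_ip, "dst_port": int(dst_port)}
                self.snat.add((self.proxy_ip, self.port3), client_ip)
                # What the packet server sees: the external client as source.
                events.append(("connect", self.snat.translate(self.socket2)))
            elif ftype == DATA:
                events.append(("data", payload))
            else:
                self.socket2 = None
                self.snat.flush()       # claim 4: drop every SNAT rule on close
                events.append(("close", len(self.snat.rules)))
        return events


def run_demo():
    """Walk one connection through all three segments with constructed data."""
    outer, inner = OuterProxyServer(), InnerProxyClient()
    stream = outer.handle_redirected_connect("203.0.113.7", ("10.0.0.50", 8080))
    stream += outer.forward(b"GET /status HTTP/1.1\r\n\r\n") + outer.closed()
    return inner.process(stream)
```

The channel header deliberately has no field in which an IP or TCP header could travel: the proxy server reads socket1 with a stream `recv()`, which already yields bare payload, and the decoder rejects any frame type it does not know, so the only way data crosses the partition is as CONNECT metadata, DATA payload or a CLOSE marker. The CLOSE path clears the whole SNAT table rather than a single rule, matching the wording of claim 4.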
CN201410042475.7A 2014-01-28 2014-01-28 The data isolation method and system of data isolation apparatus based on non-network mode Active CN104168257B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410042475.7A CN104168257B (en) 2014-01-28 2014-01-28 The data isolation method and system of data isolation apparatus based on non-network mode

Publications (2)

Publication Number Publication Date
CN104168257A true CN104168257A (en) 2014-11-26
CN104168257B CN104168257B (en) 2018-08-17

Family

ID=51911883

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104601575A (en) * 2015-01-16 2015-05-06 网神信息技术(北京)股份有限公司 One-way safety isolation net gap based data transmission method and system
CN105991568A (en) * 2015-02-09 2016-10-05 苏州精易会信息技术有限公司 Proxy realizing device
CN104767752A (en) * 2015-04-07 2015-07-08 西安汇景倬元信息技术有限公司 Distributed network isolating system and method
CN105635338A (en) * 2015-12-31 2016-06-01 迈普通信技术股份有限公司 Data transmission method and device
CN105635338B (en) * 2015-12-31 2019-03-05 迈普通信技术股份有限公司 A kind of data transmission method and device
CN107948122A (en) * 2016-10-12 2018-04-20 成都鼎桥通信技术有限公司 Isolating device traversing method and device
CN106685992A (en) * 2017-02-14 2017-05-17 厦门畅享信息技术有限公司 Over-network safe exchange and interactive application system based on unidirectional transmission technology, and method thereof
CN106685992B (en) * 2017-02-14 2023-05-23 厦门畅享信息技术有限公司 Cross-network security switching and interactive application system and method based on unidirectional transmission technology
WO2020113817A1 (en) * 2018-12-07 2020-06-11 网宿科技股份有限公司 Network isolation method and apparatus based on user mode protocol stack
CN111049823B (en) * 2019-12-10 2022-08-30 浩云科技股份有限公司 Physical isolation transmission equipment and method based on two-dimension code
CN111049823A (en) * 2019-12-10 2020-04-21 浩云科技股份有限公司 Physical isolation transmission equipment and method based on two-dimension code
CN112596483A (en) * 2020-12-17 2021-04-02 浙江国利网安科技有限公司 Data acquisition method and system based on unidirectional import equipment
CN113179556A (en) * 2021-04-27 2021-07-27 广州海格通信集团股份有限公司 Multimode isolation integration system and control method
CN114401133A (en) * 2022-01-13 2022-04-26 中电福富信息科技有限公司 Equipment monitoring vulnerability detection system based on agent
CN114401133B (en) * 2022-01-13 2023-12-01 中电福富信息科技有限公司 Equipment monitoring vulnerability detection system based on agent
CN114499849A (en) * 2022-01-27 2022-05-13 王立娟 A service user terminal, secure transmission system and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 510080 Dongfeng East Road, Dongfeng, Guangdong, Guangzhou, Zhejiang Province, No. 8

Patentee after: ELECTRIC POWER RESEARCH INSTITUTE, GUANGDONG POWER GRID CO., LTD.

Address before: 510080 Dongfeng East Road, Dongfeng, Guangdong, Guangzhou, Zhejiang Province, No. 8

Patentee before: Electrical Power Research Institute of Guangdong Power Grid Corporation
