CN106453389A - Network isolation method based on combination of firewall and gatekeeper - Google Patents
- Publication number: CN106453389A
- Application number: CN201610994311.3A
- Authority: CN (China)
- Prior art keywords: isolation, network, host, firewall, data
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed; the legal events at the end of the page record a later rejection after publication)
Classifications
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication; H04L63/00—Network architectures or network communication protocols for network security)
- H04L63/0227—Filtering policies (under H04L63/02)
Description
Technical field
The invention relates to firewall technology and to security isolation and information exchange technology for computer network information systems, and in particular to the secure interconnection of multiple systems.
Background
Among traditional network isolation technologies, firewalls and gatekeepers (网闸, security isolation and information exchange devices) suit scenarios with different security requirements. A firewall runs as a single machine with a single operating system, so it is generally used where communication performance requirements are high and security requirements are comparatively low. A gatekeeper uses two or more machines, each with its own system, and ferries data between them over a dedicated protocol, so it suits scenarios where security requirements are comparatively high and communication performance requirements comparatively low. In more complex deployments, one network connection, or several, may need firewall-style and gatekeeper-style isolation at the same time, hence the need for a network isolation method that combines the two.
Summary of the invention
To solve the technical problem above, the object of the invention is to provide a network isolation method combining a firewall and a gatekeeper, so that both isolation techniques can be applied within the same network deployment to meet more complex isolation requirements.
To achieve this object, the invention adopts the following technical solution:
A network isolation method combining a firewall and a gatekeeper, consisting of gatekeeper-mode isolation and firewall-mode isolation. Gatekeeper-mode isolation comprises the following steps:
①: a data exchange source on network A initiates access toward the production network (network B) and connects to host A;
②: the traffic steering module of host A steers the data to virtual machine VM2, whose protocol reassembly module strips the data out of its carrying protocol and re-encodes it;
③: VM2 on host A sends the re-encoded data over the protocol isolation channel to VM2 on host B;
④: the protocol reassembly module of VM2 on host B restores the received data;
⑤: the data is delivered to network B, completing the secure interconnection.
Firewall-mode isolation comprises the following steps:
①: a data exchange source on network A initiates access toward network B and connects to host A;
②: the traffic steering module of host A steers the data to virtual machine VM1, whose firewall isolation module parses and filters it;
③: VM1 on host A sends the filtered data over the protocol isolation channel to VM1 on host B;
④: the firewall isolation module of VM1 on host B parses and filters the received data again;
⑤: the data is delivered to network B, completing the secure interconnection.
With the above technical solution, the method realises both firewall and gatekeeper isolation within the same network deployment, so it can meet more complex isolation requirements.
Description of the drawings
Figure 1 is a schematic diagram of the structure for gatekeeper-mode isolation.
Figure 2 is a schematic diagram of the structure for firewall-mode isolation.
Detailed description
The specific embodiment of the invention is described in detail below with reference to the drawings.
As shown in Figures 1 and 2, the network isolation method combining a firewall and a gatekeeper consists of gatekeeper-mode isolation and firewall-mode isolation.
As shown in Figure 1, gatekeeper-mode isolation comprises the following steps:
①: a data exchange source on network A initiates access toward the production network (network B) and connects to host A;
②: the traffic steering module of host A steers the data to virtual machine VM2, whose protocol reassembly module strips the data out of its carrying protocol and re-encodes it;
③: VM2 on host A sends the re-encoded data over the protocol isolation channel to VM2 on host B;
④: the protocol reassembly module of VM2 on host B restores the received data;
⑤: the data is delivered to network B, completing the secure interconnection.
As shown in Figure 2, firewall-mode isolation comprises the following steps:
①: a data exchange source on network A initiates access toward network B and connects to host A;
②: the traffic steering module of host A steers the data to virtual machine VM1, whose firewall isolation module parses and filters it;
③: VM1 on host A sends the filtered data over the protocol isolation channel (with no protocol conversion) to VM1 on host B;
④: the firewall isolation module of VM1 on host B parses and filters the received data again;
⑤: the data is delivered to network B, completing the secure interconnection.
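The two paths above differ in what crosses the channel between host A and host B: in firewall mode the packet itself crosses unchanged after being filtered on both hosts, while in gatekeeper mode only a re-encoded application record crosses and a fresh packet is built on the network-B side, so transport-layer and protocol-level detail from network A never reaches network B. The following is an added illustration of that contrast, not the patent's implementation: the `Packet` type, the allow-lists, the JSON ferry record, the port that selects the gatekeeper path and all addresses are assumptions made for the example.

```python
"""Toy model of the two isolation paths: firewall mode (VM1) and gatekeeper
mode (VM2). Added example; not the patent's code. Every policy value, the
record format and the address ranges below are assumptions."""
from dataclasses import dataclass
from typing import Optional
import json


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for a packet arriving at host A (constructed for the example)."""
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes


# --- Firewall mode (VM1): parse and filter, forward the packet unchanged ------
B_NET_PREFIX = "10.2."                         # assumed address range of network B
FIREWALL_ALLOW = {("tcp", 443), ("tcp", 22)}   # assumed allow-list of (proto, dport)


def firewall_filter(pkt: Packet) -> bool:
    """Firewall isolation module decision: allow-listed service toward network B, else drop."""
    return pkt.dst.startswith(B_NET_PREFIX) and (pkt.proto, pkt.dport) in FIREWALL_ALLOW


def firewall_path(pkt: Packet) -> Optional[Packet]:
    """VM1 on host A filters, the channel carries the packet as-is (no protocol
    conversion), VM1 on host B filters again. The original packet reaches network B."""
    if not firewall_filter(pkt):
        return None
    ferried = pkt                       # nothing is rewritten on the way across
    return ferried if firewall_filter(ferried) else None


# --- Gatekeeper mode (VM2): strip, ferry only a record, restore ---------------
FERRY_SCHEMA = {"table": str, "rows": list}    # assumed allow-listed record shape
MAX_FERRY_BYTES = 4096


def strip_and_reassemble(pkt: Packet) -> Optional[dict]:
    """Protocol reassembly module on host A: discard the transport context, accept
    only a payload that parses to exactly the allow-listed record, and copy it
    field by field so no extra data can ride along into the channel."""
    if pkt.proto != "tcp" or len(pkt.payload) > MAX_FERRY_BYTES:
        return None
    try:
        obj = json.loads(pkt.payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict) or set(obj) != set(FERRY_SCHEMA):
        return None
    if any(not isinstance(obj[k], t) for k, t in FERRY_SCHEMA.items()):
        return None
    return {k: obj[k] for k in FERRY_SCHEMA}


def protocol_isolation_channel(record: dict) -> bytes:
    """The inter-host channel carries only the serialised record, never a packet."""
    return json.dumps(record, separators=(",", ":")).encode("utf-8")


def restore(ferried: bytes, b_dst: str, b_port: int) -> Packet:
    """Protocol reassembly module on host B: build a fresh packet toward network B.
    Source addressing is the gatekeeper's own, not the network-A client's."""
    record = json.loads(ferried.decode("utf-8"))
    return Packet(src="gatekeeper-b", dst=b_dst, proto="tcp", dport=b_port,
                  payload=json.dumps(record).encode("utf-8"))


def gatekeeper_path(pkt: Packet, b_dst: str, b_port: int) -> Optional[Packet]:
    record = strip_and_reassemble(pkt)
    if record is None:
        return None
    return restore(protocol_isolation_channel(record), b_dst, b_port)


# --- Traffic steering module on host A ----------------------------------------
EXCHANGE_PORT = 9000   # assumed: sessions on this port take the gatekeeper path


def steer(pkt: Packet, b_dst: str = "10.2.0.5", b_port: int = 5432) -> Optional[Packet]:
    """Send an arriving packet to VM2 (gatekeeper mode) or VM1 (firewall mode)."""
    if pkt.dport == EXCHANGE_PORT:
        return gatekeeper_path(pkt, b_dst, b_port)
    return firewall_path(pkt)


if __name__ == "__main__":
    # Constructed sample traffic from network A.
    samples = {
        "web": Packet("10.1.0.7", "10.2.0.9", "tcp", 443, b"GET / HTTP/1.1\r\n"),
        "telnet": Packet("10.1.0.7", "10.2.0.9", "tcp", 23, b""),
        "exchange": Packet("10.1.0.7", "10.2.0.5", "tcp", 9000,
                           b'{"table":"orders","rows":[1,2]}'),
        "smuggled": Packet("10.1.0.7", "10.2.0.5", "tcp", 9000,
                           b'{"table":"orders","rows":[],"cmd":"rm -rf /"}'),
    }
    for name, pkt in samples.items():
        print(name, "->", steer(pkt))
```

The check worth carrying into a real deployment is the one the `smuggled` sample exercises: VM2 on host B must only ever receive the allow-listed record, which the example enforces by rebuilding the record key by key rather than forwarding the parsed object, and it must never accept a raw packet from the channel, which is the property that keeps gatekeeper mode stronger than firewall mode even though both run as virtual machines on the same pair of hosts.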
Claims (1)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610994311.3A CN106453389A (en) | 2016-11-11 | 2016-11-11 | Network isolation method based on combination of firewall and gatekeeper |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106453389A true CN106453389A (en) | 2017-02-22 |
Family
ID=58207541
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610994311.3A Pending CN106453389A (en) | 2016-11-11 | 2016-11-11 | Network isolation method based on combination of firewall and gatekeeper |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106453389A (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120005741A1 (en) * | 2002-09-20 | 2012-01-05 | Fortinet, Inc. | Firewall interface configuration to enable bi-directional voip traversal communications |
CN101325565A (en) * | 2008-07-30 | 2008-12-17 | 北京华电天仁电力控制技术有限公司 | A One-way Isolation Gatekeeper with Protocol Conversion Function |
CN202737912U (en) * | 2012-07-27 | 2013-02-13 | 中华人民共和国湖北出入境检验检疫局 | System for accessing intranet OA from Internet based on L2TP and gatekeeper technology |
CN103532838A (en) * | 2013-10-09 | 2014-01-22 | 中国联合网络通信集团有限公司 | Method and system for realizing data exchange between isolation networks |
CN106027511A (en) * | 2016-05-13 | 2016-10-12 | 北京工业大学 | Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol) |
Non-Patent Citations (1)
Title |
---|
吴欢 (Wu Huan): "一种高效虚拟化多级网络安全互联机制" (An efficient virtualised multi-level secure network interconnection mechanism), 《山东大学学报(理学版)》 (Journal of Shandong University, Natural Science edition) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110351220A (en) * | 2018-04-02 | 2019-10-18 | 蓝盾信息安全技术有限公司 | A packet-filtering based technique for efficient data scanning at a gateway |
CN112714182A (en) * | 2020-12-28 | 2021-04-27 | 广州金越软件技术有限公司 | Cross-network data exchange technology and method based on distributed message architecture |
CN112714182B (en) * | 2020-12-28 | 2024-02-23 | 广州金越软件技术有限公司 | Cross-network data exchange technology and method based on distributed message architecture |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170222 |