CN119232472A - Network security one-way isolation system, method and electronic equipment for communication satellite system - Google Patents

Info

Publication number
CN119232472A
Authority
CN
China
Prior art keywords
network
unidirectional
switch
data
firewall
Prior art date
Legal status
Pending
Application number
CN202411407673.9A
Other languages
Chinese (zh)
Inventor
孙洁
运朝青
郑军
羌胜莉
尹曙明
张超慧
李强
孙丰
王军
张永顺
苌敬辉
罗又天
Current Assignee
32039 Unit Of Chinese Pla
Original Assignee
32039 Unit Of Chinese Pla
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B 7/00 Radio transmission systems, i.e. using radiation field
    • H04B 7/14 Relay systems
    • H04B 7/15 Active relay systems
    • H04B 7/185 Space-based or airborne stations; Stations for satellite systems
    • H04B 7/1851 Systems using a satellite or space-based relay
    • H04B 7/18513 Transmission in a satellite or space-based system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/565 Conversion or adaptation of application format or content
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Astronomy & Astrophysics (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network security unidirectional isolation system, method and electronic device for a communication satellite system, in the technical field of communications. The system comprises a first unidirectional firewall, an intranet host system, a unidirectional gatekeeper, an extranet host system and a second unidirectional firewall. The intranet host system receives service data transmitted by the communication service network through the first unidirectional firewall, performs format conversion on the service data to obtain internal interface data in a preset format supported by the unidirectional gatekeeper, and transmits that internal interface data to the unidirectional gatekeeper; the unidirectional gatekeeper forwards the data to the extranet host system; the extranet host system recovers the internal interface data in the preset format into service data and transmits the recovered service data to the external network through the second unidirectional firewall. The system adopts a multi-level defense-in-depth protection architecture of a 2-level firewall and a 1-level unidirectional gatekeeper, thereby ensuring the network security of the communication service network.

Description

Network security unidirectional isolation system and method of communication satellite system and electronic equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a network security unidirectional isolation system and method for a communication satellite system, and an electronic device.
Background
A communication satellite system is important space-based equipment, and maintaining the network security of the communication service network within it is essential. In the prior art, communication between user centers of different levels is bidirectional, so security is low and the security threat to the communication service network is large; how to improve the security of cross-network interaction in a communication satellite system is therefore a technical problem to be solved.
Disclosure of Invention
The invention aims to provide a network security unidirectional isolation system, a network security unidirectional isolation method and electronic equipment of a communication satellite system, so that the security unidirectional transmission among networks of different grades is realized, and the network security of a communication service network is ensured.
The invention provides a network security unidirectional isolation system for a communication satellite system, comprising a first unidirectional firewall, an intranet host system, a unidirectional gatekeeper, an extranet host system and a second unidirectional firewall. The intranet host system is connected to the communication service network of the communication satellite system through the first unidirectional firewall, and the extranet host system is connected to the external network through the second unidirectional firewall; the intranet host system and the extranet host system are communicatively connected only through the unidirectional gatekeeper. The intranet host system receives service data transmitted by the communication service network through the first unidirectional firewall, performs format conversion on the service data to obtain internal interface data in a preset format supported by the unidirectional gatekeeper, and transmits that internal interface data to the unidirectional gatekeeper. The unidirectional gatekeeper receives the internal interface data in the preset format and forwards it to the extranet host system. The extranet host system recovers the internal interface data in the preset format into the service data and transmits the recovered service data to the external network through the second unidirectional firewall.
In an alternative embodiment, the intranet host system comprises a first switch, a first cross-network interaction proxy server cluster, a second switch and a first monitoring terminal. The first switch is connected to the first unidirectional firewall, and the second switch is connected to the inner service port of the unidirectional gatekeeper. The first network cards of all servers in the first cross-network interaction proxy server cluster are connected to the first switch, and their second network cards are connected to the second switch. The first monitoring terminal is connected to both the first switch and the second switch and supports man-machine interaction. The first switch receives service data sent by the first unidirectional firewall and sends it to the first cross-network interaction proxy server cluster, which performs format conversion on the service data to obtain internal interface data in the preset format supported by the unidirectional gatekeeper and sends that data to the unidirectional gatekeeper through the second switch.
In an alternative embodiment, the extranet host system comprises a third switch, a second cross-network interaction proxy server cluster, a fourth switch and a second monitoring terminal. The third switch is connected to the outer service port of the unidirectional gatekeeper, and the fourth switch is connected to the second unidirectional firewall. The first network cards of all servers in the second cross-network interaction proxy server cluster are connected to the third switch, and their second network cards are connected to the fourth switch. The second monitoring terminal is connected to both the third switch and the fourth switch and supports man-machine interaction. The third switch receives the internal interface data in the preset format and sends it to the second cross-network interaction proxy server cluster, which performs format recovery on the internal interface data to obtain the recovered service data and sends it to the fourth switch; the fourth switch sends the recovered service data to the external network through the second unidirectional firewall.
In an optional embodiment, the network security unidirectional isolation system further comprises an intranet management switch and an extranet management switch. The intranet management switch is connected to the first unidirectional firewall, to the equipment on the data transmission link in the intranet host system and to the inner service port of the unidirectional gatekeeper, each of which has equipment state monitoring software deployed; the extranet management switch is connected to the outer service port of the unidirectional gatekeeper, to the equipment on the data transmission link in the extranet host system and to the second unidirectional firewall, each of which likewise has equipment state monitoring software deployed. The intranet management switch monitors the equipment state of all hardware equipment connected to it and sends the obtained equipment state information to a first service end through a first management network; the extranet management switch monitors the equipment state of all hardware equipment connected to it and sends the obtained equipment state information to a second service end through a second management network.
In an alternative embodiment, the network security unidirectional isolation system further comprises a network security audit system, wherein the network security audit system is arranged on a fourth switch in the external network host system in a bypass mode and used for auditing network behaviors of the external network host system.
In an alternative embodiment, both the intranet host system and the extranet host system deploy antivirus policies and host management and control systems.
In an optional embodiment, cross-network interaction proxy software is deployed in the network security unidirectional isolation system. The software comprises a text protocol transceiver module, a file protocol transceiver module, a data transceiver monitoring module and a state management module. The text protocol transceiver module and the file protocol transceiver module are deployed in the first and second cross-network interaction proxy server clusters; the data transceiver monitoring module and the state management module are deployed in the first and second monitoring terminals. The text protocol transceiver module supports transmission of text data, and the file protocol transceiver module supports transmission of file data. The data transceiver monitoring module monitors the data transceiving state of the text and file protocol transceiver modules and provides a man-machine interaction interface, and the state management module displays the duplex state and software running state of the cross-network interaction proxy servers.
In a second aspect, the invention provides a network security unidirectional isolation method for a communication satellite system, comprising: receiving service data transmitted by the communication service network through a first unidirectional firewall; performing format conversion on the service data to obtain internal interface data in a preset format supported by the unidirectional gatekeeper; and sending the internal interface data in the preset format to the unidirectional gatekeeper so that the unidirectional gatekeeper forwards it to the extranet host system, where the extranet host system recovers the internal interface data in the preset format into the service data and sends the recovered service data to the external network through a second unidirectional firewall.
In a third aspect, the present invention provides an electronic device, including a memory, and a processor, where the memory stores a computer program that can be executed on the processor, and the processor implements the steps of the network security unidirectional isolation method of the communication satellite system according to the foregoing embodiment when executing the computer program.
In a fourth aspect, the present invention provides a computer readable storage medium storing computer instructions that, when executed by a processor, implement the network security unidirectional isolation method of the communication satellite system according to the foregoing embodiment.
The network security unidirectional isolation system of the communication satellite system comprises a first unidirectional firewall, an intranet host system, a unidirectional gatekeeper, an extranet host system and a second unidirectional firewall, wherein the system adopts a multistage deep security protection architecture of a 2-level firewall and a 1-level unidirectional gatekeeper to carry out unidirectional forwarding control on communication service network service data of the communication satellite system, thereby realizing safe unidirectional transmission among different levels of networks and ensuring network security of the communication service network.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a block diagram of a network security unidirectional isolation system of a communication satellite system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an alternative system configuration of a network security unidirectional isolation system of a communication satellite system;
Fig. 3 is a schematic functional composition diagram of cross-network interaction proxy software according to an embodiment of the present invention;
Fig. 4 is a software architecture diagram of cross-network interaction proxy software according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the deployment of an alternative cross-network interaction proxy server;
Fig. 6 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Some embodiments of the present invention are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
Example 1
Fig. 1 is a block diagram of a network security unidirectional isolation system of a communication satellite system according to an embodiment of the present invention, and as shown in fig. 1, the network security unidirectional isolation system includes a first unidirectional firewall 10, an intranet host system 20, a unidirectional gatekeeper 30, an extranet host system 40, and a second unidirectional firewall 50.
The intranet host system is connected to the communication service network of the communication satellite system through the first unidirectional firewall, and the extranet host system is connected to the external network through the second unidirectional firewall.
The intranet host system and the extranet host system are in communication connection only through a unidirectional gatekeeper.
The intranet host system is used for receiving service data transmitted by the communication service network through the first unidirectional firewall, performing format conversion processing on the service data, and obtaining internal interface data in a preset format supported by the unidirectional gatekeeper so as to send the internal interface data in the preset format to the unidirectional gatekeeper.
The unidirectional gatekeeper is used for receiving internal interface data in a preset format and forwarding the internal interface data to the external network host system.
The external network host system is used for recovering the internal interface data in the preset format into service data and sending the recovered service data to the external network through the second unidirectional firewall.
Specifically, the network security unidirectional isolation system of this embodiment can be regarded as the security isolation area of the communication satellite system. As the description of its composition shows, the security isolation area adopts a multi-level defense-in-depth protection architecture of a 2-level unidirectional firewall (the first unidirectional firewall and the second unidirectional firewall) and a 1-level unidirectional gatekeeper. The basic design concept of this architecture is to cut off any direct connection between the communication service network and the external network while realizing secure and reliable unidirectional data transmission between networks of different security levels, by combining physical-layer disconnection, link-layer disconnection, TCP/IP protocol stripping and reconstruction, and application protocol stripping and reconstruction.
Optionally, the intranet host system, the extranet host system and the unidirectional gatekeeper all adopt a high-performance network data processing platform and a dedicated customized system, so as to prevent external attackers from compromising the equipment over the network and to improve the security of the equipment. Optionally, the unidirectional gatekeeper is implemented with an optical fiber isolation card; its main function is to realize unidirectional isolated transmission of messages and files from the communication service network to the external network over a hardware isolation channel using a proprietary protocol.
The intranet host system and the extranet host system are two independent systems with no direct or indirect connection between them other than the unidirectional gatekeeper. The intranet host system receives the service data of the communication service network, converts its format and sends it outward through the unidirectional gatekeeper; the purpose of the format conversion is to put the internal interface data into the preset format supported by the unidirectional gatekeeper. The extranet host system receives the data forwarded by the unidirectional gatekeeper, restores it to the service data of the communication service network and sends it to the external network through the second unidirectional firewall.
Since the first unidirectional firewall is connected to the communication service network of the communication satellite system and the second unidirectional firewall is connected to the external network, the interface switch between the communication service network and the network security unidirectional isolation system is connected to the first unidirectional firewall, and, to ensure the security of the isolation system, the second unidirectional firewall may also be connected to the networking router of the external network through a cryptographic engine. Optionally, the first unidirectional firewall and the second unidirectional firewall may be deployed in an active/standby configuration, that is, an active unit and a standby unit may be placed at the position of each unidirectional firewall in the system, to further ensure the stability of the system. Furthermore, two interfaces (an active and a standby interface) are provided between each unidirectional firewall and its switch for the communication connection.
The network security unidirectional isolation system of the communication satellite system comprises a first unidirectional firewall, an intranet host system, a unidirectional gatekeeper, an extranet host system and a second unidirectional firewall. The system adopts a multi-level defense-in-depth protection architecture of a 2-level firewall and a 1-level unidirectional gatekeeper to carry out unidirectional forwarding control on the service data of the communication service network of the communication satellite system, thereby realizing secure unidirectional transmission among networks of different grades and ensuring the network security of the communication service network.
In an alternative embodiment, the intranet host system comprises a first switch, a first cross-network interaction proxy server cluster, a second switch and a first monitoring terminal.
The first switch is connected with the first unidirectional firewall, and the second switch is connected with the inner side service port of the unidirectional gatekeeper.
The first network cards of all servers in the first cross-network interaction proxy server cluster are accessed to the first switch, and the second network cards of all servers in the first cross-network interaction proxy server cluster are accessed to the second switch.
The first monitoring terminal is connected with the first switch and the second switch respectively and is used for supporting man-machine interaction.
The first switch is used for receiving the service data sent by the first unidirectional firewall and sending the service data to the first cross-network interaction proxy server cluster.
The first cross-network interaction proxy server cluster is used for carrying out format conversion processing on the service data to obtain internal interface data in a preset format supported by the unidirectional gatekeeper, and the internal interface data is sent to the unidirectional gatekeeper through the second switch.
As can be seen from the above description, the first switch and the second switch are the devices that give a cross-network interaction proxy server (hereinafter referred to as a server) in the first cross-network interaction proxy server cluster access to two different broadcast domains: the server performs format conversion on the service data received from the first switch and then sends the processed data through the second switch. The first monitoring terminal provides a man-machine interaction interface; once communicatively connected to the first switch and the second switch, it can display the data transceiving state of all servers in the first cross-network interaction proxy server cluster and also lets a user issue control commands to the servers, such as link parameter control commands and data sending commands.
In an alternative embodiment, the external network host system comprises a third switch, a second cross-network interaction proxy server cluster, a fourth switch and a second monitoring terminal.
The third switch is connected to the outer service port of the unidirectional gatekeeper, and the fourth switch is connected to the second unidirectional firewall.
The first network cards of all servers in the second cross-network interaction proxy server cluster are accessed to the third switch, and the second network cards of all servers in the second cross-network interaction proxy server cluster are accessed to the fourth switch.
The second monitoring terminal is connected with the third switch and the fourth switch respectively and is used for supporting man-machine interaction.
The third switch is used for receiving the internal interface data with the preset format sent by the unidirectional gatekeeper and sending the internal interface data to the second cross-network interaction proxy server cluster.
The second cross-network interaction proxy server cluster is used for carrying out format recovery processing on the internal interface data with the preset format, obtaining recovered service data and sending the recovered service data to the fourth switch.
And the fourth switch is used for sending the recovered service data to an external network through the second unidirectional firewall.
As can be seen from the above description, the third switch and the fourth switch are the devices that give the servers in the second cross-network interaction proxy server cluster access to two different broadcast domains: the servers perform format recovery (i.e., the inverse format conversion) on the internal interface data in the preset format received from the third switch and then send the recovered data through the fourth switch. The second monitoring terminal has the same function as the first monitoring terminal: it provides a man-machine interaction interface, displays the data transceiving state of all servers in the second cross-network interaction proxy server cluster, and lets a user issue control commands to the servers.
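The conversion, gatekeeper and recovery path of the intranet and extranet proxy clusters described above, as an added Python simulation that is not part of the patent: the envelope layout, the function and class names and the sample service data are all assumptions constructed for illustration (the patent does not disclose the real preset format). It shows well-formed frames crossing from the inner to the outer side and being recovered unchanged, while malformed frames and anything presented on the outer side are dropped.

```python
import hashlib
import struct
from typing import List, Optional, Tuple

# Hypothetical "preset format" envelope, constructed for this example; the patent
# does not disclose the gatekeeper's real format.
#   magic(4) | type(1) | name_len(2) | payload_len(4) | sha256(32) | name | payload
MAGIC = b"UGW1"
TYPE_TEXT = 1                    # carried by the text protocol transceiver module
TYPE_FILE = 2                    # carried by the file protocol transceiver module
HEADER = struct.Struct("!4sBHI32s")
MAX_PAYLOAD = 16 * 1024 * 1024   # constructed size policy for the example

ServiceItem = Tuple[int, str, bytes]


def convert_to_internal_format(kind: int, name: str, payload: bytes) -> bytes:
    """Intranet proxy cluster: strip the original transport/application protocol
    and re-encode only the payload in the gatekeeper's preset format."""
    if kind not in (TYPE_TEXT, TYPE_FILE):
        raise ValueError("unsupported data type")
    name_b = name.encode("utf-8")
    if len(name_b) > 0xFFFF or len(payload) > MAX_PAYLOAD:
        raise ValueError("name or payload too large for the envelope")
    digest = hashlib.sha256(payload).digest()
    return HEADER.pack(MAGIC, kind, len(name_b), len(payload), digest) + name_b + payload


def parse_internal_format(frame: bytes) -> ServiceItem:
    """Strict parser: anything malformed is rejected, never repaired."""
    if len(frame) < HEADER.size:
        raise ValueError("short header")
    magic, kind, name_len, payload_len, digest = HEADER.unpack_from(frame)
    if magic != MAGIC or kind not in (TYPE_TEXT, TYPE_FILE):
        raise ValueError("bad magic or type")
    if len(frame) != HEADER.size + name_len + payload_len:
        raise ValueError("length mismatch")
    name_b = frame[HEADER.size:HEADER.size + name_len]
    payload = frame[HEADER.size + name_len:]
    if hashlib.sha256(payload).digest() != digest:
        raise ValueError("integrity check failed")
    return kind, name_b.decode("utf-8"), payload


class UnidirectionalGatekeeper:
    """Models the 1-level gatekeeper: frames enter on the inner service port and
    leave on the outer service port; there is no path in the other direction."""

    def __init__(self) -> None:
        self.forwarded = 0
        self.rejected = 0
        self.dropped_reverse = 0

    def inner_port(self, frame: bytes) -> Optional[bytes]:
        """Accept a frame from the intranet side; only valid preset-format frames cross."""
        try:
            parse_internal_format(frame)
        except ValueError:
            self.rejected += 1
            return None
        self.forwarded += 1
        return frame

    def outer_port_ingress(self, frame: bytes) -> None:
        """The outer side has no transmitter towards the inner side (fiber isolation
        card); anything presented there is dropped unconditionally."""
        self.dropped_reverse += 1
        return None


def recover_service_data(frame: bytes) -> ServiceItem:
    """Extranet proxy cluster: restore the original service data from the envelope."""
    return parse_internal_format(frame)


def run_pipeline(items: List[ServiceItem],
                 gatekeeper: Optional[UnidirectionalGatekeeper] = None):
    """Push service items through convert -> gatekeeper -> recover and return
    (delivered items, gatekeeper) so the counters can be inspected."""
    gk = gatekeeper or UnidirectionalGatekeeper()
    delivered: List[ServiceItem] = []
    for kind, name, payload in items:
        frame = convert_to_internal_format(kind, name, payload)
        crossed = gk.inner_port(frame)
        if crossed is not None:
            delivered.append(recover_service_data(crossed))
    return delivered, gk


# Constructed sample service data (not from the patent).
SAMPLE_ITEMS: List[ServiceItem] = [
    (TYPE_TEXT, "status.txt", b"LINK-07 CARRIER LOCKED 2024-01-01T00:00:00Z"),
    (TYPE_FILE, "ephemeris.bin", bytes(range(256))),
]

if __name__ == "__main__":
    out, gk = run_pipeline(SAMPLE_ITEMS)
    print(out == SAMPLE_ITEMS, gk.forwarded, gk.rejected)       # True 2 0
    frame = convert_to_internal_format(TYPE_TEXT, "x.txt", b"hello")
    tampered = frame[:-1] + bytes([frame[-1] ^ 0x01])
    print(gk.inner_port(tampered), gk.rejected)                 # None 1
    print(gk.outer_port_ingress(frame), gk.dropped_reverse)     # None 1
```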
In an alternative embodiment, the network security unidirectional isolation system further comprises an intranet management switch and an extranet management switch.
The intranet management switch is connected to the first unidirectional firewall, the equipment on the data transmission link in the intranet host system and the inner service port of the unidirectional gatekeeper, and equipment state monitoring software is deployed on each of them.
The extranet management switch is connected to the outer service port of the unidirectional gatekeeper, the equipment on the data transmission link in the extranet host system and the second unidirectional firewall, and equipment state monitoring software is deployed on each of them.
The intranet management switch is used for monitoring the equipment state of all hardware equipment connected with the intranet management switch, and sending the obtained equipment state information to the first service end through the first management network.
The extranet management switch is used for monitoring the equipment state of all the hardware equipment connected to it and sending the obtained equipment state information to the second service end through the second management network.
To realize device management within the network security unidirectional isolation system, a management switch is arranged in each of the inner area (the area between the unidirectional gatekeeper and the communication service network) and the outer area (the area between the unidirectional gatekeeper and the external network) of the system. The intranet management switch is connected to the inner-area firewall, the devices on the data transmission link in the intranet host system (the servers, the first switch and the second switch) and the inner service port of the unidirectional gatekeeper; the extranet management switch is connected to the outer-area firewall, the devices on the data transmission link in the extranet host system (the servers, the third switch and the fourth switch) and the outer service port of the unidirectional gatekeeper. Device state monitoring software must be deployed on all these devices so that the intranet/extranet management switch can monitor the state of the devices connected to it; the intranet management switch and the extranet management switch then each send the acquired information to the corresponding service end through the management network they are attached to. To ensure that the inner area and the outer area can be communicatively connected only through the unidirectional gatekeeper, the first management network and the second management network are two independent networks with no connection between them.
Optionally, if a device of the network security unidirectional isolation system is not connected to the intranet management switch or the extranet management switch, then, so that it can still be managed, it reports its device status information to the service end of its own area (inner area or outer area) over the service network.
In an alternative embodiment, the network security unidirectional isolation system further comprises a network security audit system.
The network security audit system is arranged on a fourth switch in the external network host system in a bypass mode and is used for auditing network behaviors of the external network host system.
Specifically, the network security audit system is attached in bypass mode to the fourth switch in the outer area, and the relevant ports on the switch are configured as mirror ports. The network security audit system provides a network audit function: it can audit the security characteristics of network behaviour, supports extension and customization of legitimate task data, and supports after-the-fact tracing and auditing of network behaviour. Optionally, the management configuration may use a Web UI mode; deployment requires modifying the default management IP, adding the default route and adding the configured listening port.
In an alternative embodiment, both the intranet host system and the extranet host system deploy antivirus policies and host management and control systems.
In the embodiment of the invention, the antivirus policy mainly comprises client software and a management center. The client is an Agent and a security component deployed on the terminal; it is mainly used for monitoring changes in the user's system environment, accurately identifying known threats, making a preliminary judgement on unknown threats, alarming, capturing and reporting, blocking and intercepting various threats, clearing and disposing of detected threats, and executing the various disposal tasks issued by the management center. The management center is a server that mainly serves security administrators: it performs unified security management of endpoint-type assets, centrally monitors and analyses endpoint security events, and formulates and issues the relevant disposal task policies. The management center adopts a B/S architecture, and an administrator can access it using a browser.
For the first monitoring terminal and the first cross-network interaction proxy server cluster in the inner area of the network security unidirectional isolation system, the antivirus policy is issued and upgraded uniformly by the management center server through the first management network, while the second monitoring terminal and the second cross-network interaction proxy server cluster in the outer area deploy a standalone version. The standalone version is upgraded as follows: first, the upgrade package is downloaded from the original upgrade server with an offline download tool and burned to an upgrade disc, and the devices are then upgraded manually offline from the disc; second, the upgrade package is downloaded from the official virus signature library and burned to an upgrade disc, and the upgrade is likewise performed manually offline.
The host management and control system consists of a server, a management and control platform and a client agent. An administrator logs in to the management and control platform on the server through a browser to formulate a management and control policy; the policy is then issued to the client, the client enforces it, and logs are reported back to the server.
The host management and control system is deployed in the same way as the antivirus policy: for the first monitoring terminal and the first cross-network interaction proxy server cluster in the inner area, management and control policies are issued and upgraded uniformly by the host management and control server through the first management network, while the second monitoring terminal and the second cross-network interaction proxy server cluster in the outer area deploy a standalone version. The standalone version is upgraded by downloading the upgrade package from the original host management and control server with an offline download tool, burning it to an upgrade disc, and then upgrading manually offline from the disc.
Fig. 2 is a schematic diagram of an alternative composition of the network security unidirectional isolation system of the communication satellite system. In this design, the first unidirectional firewall 10 on the inner side of the network security unidirectional isolation system (i.e. the security isolation area) is interconnected with the interface switch NS through 2 ports and with tera-switch 1 (i.e. the first switch 101) through 2 ports, so as to implement unidirectional controlled forwarding of the service data of the communication service network. The first cross-network interaction proxy server cluster 102 and the second cross-network interaction proxy server cluster 103 contain the same number of servers, N each; the A network card of each of the N inner servers is connected to tera-switch 1, and the B network card to tera-switch 2 (i.e. the second switch 104). The embodiment of the invention does not specifically limit the number of servers in the two cross-network interaction proxy server clusters, and the user can set it according to actual requirements.
The system is provided with 2 tera-unidirectional gatekeepers 30, which divide the security isolation area: their inner service ports are connected to tera-switch 2 and their outer ports to tera-switch 3 (i.e. the third switch 105). The A network card of each of the N outer servers is connected to tera-switch 3, and the B network card to tera-switch 4 (i.e. the fourth switch 106). There are 2 outer unidirectional firewalls (i.e. the second unidirectional firewall 50), each interconnected with tera-switch 4 through 2 ports. In addition, the inner area and the outer area are each provided with independent monitoring devices (the first monitoring device 107 and the second monitoring device 108) and management switches (the intranet management switch 109 and the extranet management switch 110); the connection relationships between these devices are as described above and are not repeated here.
The network security audit system 111 is deployed in bypass mode; after the audit system is connected to the mirror port of tera-switch 4, its basic configuration such as the IP address and the mirror port is carried out.
As described above, all the devices in the network security unidirectional isolation system are provided with device state monitoring software. This software is deployed to monitor the network and the devices in the network security unidirectional isolation system in real time, to realize daily management and task management functions such as the collection, distribution, processing, storage and analysis of operations management information, and to provide comprehensive and accurate operation management information for the system. It provides functions such as a graphical monitoring display interface, fault alarming, violation checking and statistical analysis; displays the device states in the system intuitively through multiple views such as a situation overview view, a topology view, a machine room view, a logic view, a task view and a panel view; can poll and inspect the state of a specified device at the granularity of individual device attribute values; and can set the attribute values of a specified device as required.
In addition, since the state of the equipment in the system can be monitored, a log alarm function can be set up in the system to centrally display and manage the event logs and alarms generated by the system and its equipment. Specifically, a performance alarm threshold and an alarm response mode are configured for each of a number of preset alarm events; faults are judged according to the alarm thresholds, and alarms are raised according to the alarm response modes.
In an alternative embodiment, cross-network interaction agent software is deployed in the network security unidirectional isolation system, and as shown in fig. 3, the cross-network interaction agent software comprises a message protocol transceiving module 21, a file protocol transceiving module 22, a data transceiving monitoring module 23 and a state management module 24.
The message protocol transceiver module and the file protocol transceiver module are deployed in a first cross-network interaction proxy server cluster and a second cross-network interaction proxy server cluster.
The data receiving and transmitting monitoring module and the state management module are deployed on the first monitoring terminal and the second monitoring terminal.
The message protocol transceiver module is used for supporting the transmission of message data.
The file protocol transceiver module is used for supporting transmission of file data.
The data transceiving monitoring module is used for monitoring the data receiving and transmitting states of the message protocol transceiver module and the file protocol transceiver module, and for providing a human-machine interaction interface.
The state management module is used for displaying the duplex state and the software running state of the cross-network interaction proxy server.
Specifically, the cross-network interaction proxy software adopts a C/S structure and consists of the message protocol transceiver module and the file protocol transceiver module on the server side, and the data transceiving monitoring module and the state management module on the client side. The server side of the software is the first cross-network interaction proxy server cluster and the second cross-network interaction proxy server cluster, and the client side is the first monitoring terminal and the second monitoring terminal.
Fig. 4 is a software architecture diagram of the cross-network interaction agent software provided by the embodiment of the invention. As shown in fig. 4, the software architecture is divided into three layers: the runtime environment, the cross-network interaction agent software and the user. The runtime environment provides the platform on which the cross-network interaction agent software runs and includes a hardware environment and a software environment; the hardware environment includes the cross-network interaction proxy servers and the operation monitoring terminals (the first monitoring terminal and the second monitoring terminal), and the software environment includes the Linux operating system, platform soft-duplex management software, platform time service software and device state monitoring software.
The main functions of the cross-network interaction agent software can be divided into a transport layer and an interface layer. The transport layer is responsible for data transmission and comprises the message protocol transceiver module and the file protocol transceiver module; these two modules provide background services and run on the servers as resident processes. The interface layer is responsible for human-machine interaction with the user and comprises the data transceiving monitoring module and the state management module.
Fig. 5 is a schematic deployment diagram of an alternative cross-network interaction proxy server arrangement. As shown in fig. 5, if the first cross-network interaction proxy server cluster and the second cross-network interaction proxy server cluster are each provided with N cross-network interaction proxy servers, then among the N servers on the inner side of the unidirectional gatekeeper, 2 servers receive two paths of gigabit high-speed data of a specific type in duplex hot-standby mode, another 2 servers receive two paths of gigabit high-speed data of a non-specific type in duplex hot-standby mode, and the remaining servers can operate in cold-backup mode. The two hot-standby servers receive and process the data simultaneously, but only the master sends data out; the standby does not. Master-standby switching relies on the underlying duplex software, and the current master-standby state is obtained through the duplex software library interface. The deployment of the N cross-network interaction proxy servers on the outer side of the unidirectional gatekeeper is the same as on the inner side.
In the embodiment of the invention, the cross-network interaction proxy software comprises a message protocol transceiver module, a file protocol transceiver module, a data transceiving monitoring module and a state management module. The message protocol transceiver module comprises a link management unit, an internal system data receiving unit, a data protocol conversion unit, a data collection processing unit and an external data sending unit.
The link management unit reads a preset link configuration file, generates the parameter data of the external data transceiving links and sends it to the internal system data receiving unit and the external data sending unit respectively; it receives and caches the data frame statistics submitted by the internal system data receiving unit and the external data sending unit, reports the link transceiving state to the monitoring terminal periodically, receives link control commands sent by the monitoring terminal, and modifies the link configuration parameters at run time. The internal system data receiving unit receives the link configuration data sent by the link management unit, establishes a data receiving link with the internal service system using the designated data transmission protocol, receives data frames, performs the basic format check of each data frame, forwards the frame to the data protocol conversion unit, and keeps the received-frame statistics. The data protocol conversion unit processes the data frames according to the interface data format definition, parses each data item in a data frame, generates internal interface data in a uniform format, and distributes the internal interface data outward through the unidirectional gatekeeper. The data collection processing unit receives the data forwarded by the unidirectional gatekeeper that needs to be sent to the outside, frames it according to the interface data format definition to generate the real-time data frame to be sent to the outside, and passes that frame to the external data sending unit.
The external data sending unit receives the link configuration data sent by the link management unit, establishes a data sending link with the external system using the designated data transmission protocol, receives the data frames passed by the data collection processing unit, sends them outward, and keeps the sent-frame statistics.
The file protocol transceiver module comprises a file transceiving management unit, a file receiving unit, a file data protocol conversion unit, a file data recovery unit and a file sending unit. The file transceiving management unit reads a preset link configuration file, generates the parameter data of the file transceiving links, has the file receiving unit and the file sending unit configure their file data transceiving links, receives link control commands sent by the monitoring terminal, modifies the link configuration parameters at run time, and reports the file transceiving state to the monitoring terminal periodically. The file receiving unit supports file reception under the designated protocol: it waits on the designated service address for the peer's file sending request, receives the data file according to the protocol's interaction procedure, saves it locally, and keeps the file reception statistics. The file data protocol conversion unit reads the local file, processes the file data according to the data format definition of the unidirectional gatekeeper's internal protocol, generates internal interface data in a uniform format, and distributes it outward through the gatekeeper. The file data recovery unit receives the file data forwarded by the unidirectional gatekeeper that needs to be sent outward, recovers it into a local file, and uses that local file as the data source of the file sending unit. The file sending unit is responsible for establishing a connection with the peer, sending the file to the peer according to the protocol's interaction procedure, and keeping the file sending statistics.
The data transceiving monitoring module comprises a message transceiving monitoring unit and a file transceiving monitoring unit. The message transceiving monitoring unit receives the real-time message transceiving state data sent by the message protocol transceiver module, displays it in the form of graphs or tables, and provides an operation interface for the control commands that modify the parameters of the external data transceiving links. The file transceiving monitoring unit receives the file transceiving state data sent by the file protocol transceiver module, displays it in the form of graphs or tables, and provides a control interface for link parameter control commands and file sending commands.
The state management module is used for displaying the duplex state and the software running state of the cross-network interaction proxy server, wherein the duplex state comprises a server IP, a host name and a server master-slave state, and the software running state comprises a software name, a starting time and a running server IP.
Based on the above description of the architecture of the cross-network interaction proxy software, the process by which the network security unidirectional isolation system forwards message-class service data to the outside comprises the following steps: the service data sent by the data distribution software in the communication service system is received and the basic format of the data frame is checked; the data protocol conversion unit parses the data frame according to the interface data format definition to generate internal interface data; the data collection processing unit on the outer side of the unidirectional gatekeeper frames the data according to the interface data format definition to generate the real-time data frame to be sent to the outside; and the external data sending unit sends the data frame to the external network.
In summary, the network security unidirectional isolation system provided by the embodiment of the invention adopts a multi-stage defence-in-depth architecture of two levels of firewall and one level of unidirectional gatekeeper, and further enhances security by an application-layer protocol audit and protocol conversion mechanism. The system thereby realizes secure unidirectional transmission between networks of different grades and ensures the network security of the communication service network.
Example two
The embodiment of the invention also provides a network security unidirectional isolation method for a communication satellite system, which is applied to the network security unidirectional isolation system of the communication satellite system provided by the above embodiment. The method is described below.
The network security unidirectional isolation method of the communication satellite system provided by the embodiment of the invention mainly comprises the following steps:
receiving, through the first unidirectional firewall, the service data transmitted by the communication service network, and performing format conversion processing on the service data to obtain internal interface data in the preset format supported by the unidirectional gatekeeper;
restoring, by the extranet host system, the internal interface data in the preset format into service data, and sending the restored service data to the external network through the second unidirectional firewall.
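The message-protocol path described in the module breakdown above and summarised by the two method steps, as an added example that is not the patent's own code: the inner side performs the basic format check and converts each frame into uniform internal interface data, and the outer side re-frames that data for the external network, so that only interface-defined data items cross the gatekeeper. The wire format, the interface data item definitions and all sample values are constructed for illustration; the patent does not define them.

```python
# Added example, not the patent's own code: a minimal model of the message
# protocol path of the cross-network interaction proxy. Frame layout, the
# interface data item definitions and all sample values are constructed.
import json
import re
import struct
import zlib
from typing import Dict, Optional, Tuple

# Constructed wire format: magic(2) | msg_type(1) | length(2) | payload | crc32(4)
MAGIC = b"\xa5\x5a"
HEADER = struct.Struct(">2sBH")
TRAILER = struct.Struct(">I")
MAX_PAYLOAD = 1024
VALUE_RE = re.compile(r"[A-Za-z0-9._:-]{1,64}")

# Assumed interface data format definition: the data items each message type
# may carry across the gatekeeper. Items outside this table are never carried.
INTERFACE_FIELDS = {
    1: ("sat_id", "beam", "status"),      # link status message
    2: ("sat_id", "epoch", "elevation"),  # orbit summary message
}


class FrameError(ValueError):
    """A frame that fails a check: the proxy drops it and counts the drop."""


def build_frame(msg_type: int, payload: bytes) -> bytes:
    """Frame a payload in the constructed wire format (used on both sides)."""
    head = HEADER.pack(MAGIC, msg_type, len(payload))
    return head + payload + TRAILER.pack(zlib.crc32(head + payload))


def check_frame(frame: bytes) -> Tuple[int, bytes]:
    """Internal system data receiving unit: the basic format check only."""
    if len(frame) < HEADER.size + TRAILER.size:
        raise FrameError("short frame")
    magic, msg_type, length = HEADER.unpack_from(frame)
    if magic != MAGIC:
        raise FrameError("bad magic")
    if length > MAX_PAYLOAD or len(frame) != HEADER.size + length + TRAILER.size:
        raise FrameError("length mismatch")
    body, (crc,) = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])
    if zlib.crc32(body) != crc:
        raise FrameError("bad crc")
    return msg_type, body[HEADER.size:]


def to_internal(msg_type: int, payload: bytes) -> bytes:
    """Data protocol conversion unit: parse each defined data item and emit
    internal interface data in one uniform format. Undefined types, malformed
    values and missing items are rejected; undefined items are not carried."""
    allowed = INTERFACE_FIELDS.get(msg_type)
    if allowed is None:
        raise FrameError("undefined message type %d" % msg_type)
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError as exc:
        raise FrameError("non-ascii payload") from exc
    items = {}
    for part in text.split(";"):
        key, _, value = part.partition("=")
        if key not in allowed:
            continue  # not in the interface definition: never offered to the gatekeeper
        if not VALUE_RE.fullmatch(value):
            raise FrameError("malformed value for %s" % key)
        items[key] = value
    if set(items) != set(allowed):
        raise FrameError("missing interface data item")
    return json.dumps({"type": msg_type, "items": items}, sort_keys=True).encode()


def from_internal(record: bytes) -> bytes:
    """Outer-side data collection processing unit: re-frame the internal
    interface data for the external link, in the order the definition fixes."""
    obj = json.loads(record)
    allowed = INTERFACE_FIELDS[obj["type"]]
    body = ";".join("%s=%s" % (k, obj["items"][k]) for k in allowed).encode("ascii")
    return build_frame(obj["type"], body)


def new_stats() -> Dict[str, int]:
    """Frame statistics as the link management unit caches and reports them."""
    return {"received": 0, "dropped": 0, "sent": 0}


def forward(frame: bytes, stats: Dict[str, int]) -> Optional[bytes]:
    """Whole path for one frame: returns the outbound frame, or None if dropped."""
    stats["received"] += 1
    try:
        internal = to_internal(*check_frame(frame))  # inner side of the gatekeeper
    except FrameError:
        stats["dropped"] += 1
        return None
    outbound = from_internal(internal)  # outer side, after the gatekeeper
    stats["sent"] += 1
    return outbound
```

Running `forward` on a constructed frame that carries an extra `debug` item yields an outbound frame with only the three defined items; a frame with a corrupted byte, an undefined type, a missing item or a malformed value is dropped and counted.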
Example three
Referring to fig. 6, an embodiment of the present invention provides an electronic device comprising a processor 60, a memory 61, a bus 62 and a communication interface 63, the processor 60, the communication interface 63 and the memory 61 being connected by the bus 62, the processor 60 being arranged to execute executable modules, such as computer programs, stored in the memory 61.
The memory 61 may include a high-speed random access memory (RAM, random Access Memory), and may further include a non-volatile memory (non-volatile memory), such as at least one magnetic disk memory. The communication connection between the system network element and at least one other network element is achieved via at least one communication interface 63 (which may be wired or wireless), and may use the internet, a wide area network, a local network, a metropolitan area network, etc.
Bus 62 may be an ISA bus, a PCI bus, an EISA bus, or the like. The buses may be classified as address buses, data buses, control buses, etc. For ease of illustration, only one bi-directional arrow is shown in FIG. 6, but not only one bus or type of bus.
The memory 61 is configured to store a program, and the processor 60 executes the program after receiving an execution instruction, and the method executed by the apparatus for defining a process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 60 or implemented by the processor 60.
The processor 60 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or by instructions in software in the processor 60. The processor 60 may be a general-purpose processor including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), a digital signal processor (Digital Signal Processor, DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), a discrete gate or transistor logic device, or a discrete hardware component, and can implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in execution by a hardware decoding processor, or in execution by a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory 61, and the processor 60 reads the information in the memory 61 and, in combination with its hardware, performs the steps of the method described above.
The embodiment of the invention provides a network security unidirectional isolation system of a communication satellite system, a network security unidirectional isolation method of the communication satellite system and a computer program product of electronic equipment, which comprise a computer readable storage medium storing non-volatile program codes executable by a processor, wherein the program codes comprise instructions for executing the method described in the previous method embodiment, and specific implementation can be seen from the method embodiment and will not be repeated here.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes a U disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, an optical disk, or other various media capable of storing program codes.
It should be noted that like reference numerals and letters refer to like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
In the description of the present invention, it should be noted that, directions or positional relationships indicated by terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., are directions or positional relationships based on those shown in the drawings, or are directions or positional relationships conventionally put in use of the inventive product, are merely for convenience of describing the present invention and simplifying the description, and are not indicative or implying that the apparatus or element to be referred to must have a specific direction, be constructed and operated in a specific direction, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance.
Furthermore, the terms "horizontal," "vertical," "overhang," and the like do not denote a requirement that the component be absolutely horizontal or overhang, but rather may be slightly inclined. As "horizontal" merely means that its direction is more horizontal than "vertical", and does not mean that the structure must be perfectly horizontal, but may be slightly inclined.
In the description of the present invention, it should also be noted that, unless explicitly specified and limited otherwise, the terms "disposed," "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, integrally connected, mechanically connected, electrically connected, directly connected, indirectly connected through an intermediary, or in communication between two elements. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
It should be noted that the above embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those skilled in the art that the technical solution described in the above embodiments may be modified or some or all of the technical features may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical solution deviate from the scope of the technical solution of the embodiments of the present invention.

Claims (10)

1. A network security unidirectional isolation system for a communication satellite system, characterized in that it comprises: a first unidirectional firewall, an intranet host system, a unidirectional gatekeeper, an extranet host system and a second unidirectional firewall; the intranet host system accesses the communication service network of the communication satellite system through the first unidirectional firewall, and the extranet host system accesses the external network through the second unidirectional firewall; the intranet host system and the extranet host system are communicatively connected only through the unidirectional gatekeeper; the intranet host system is used for receiving the service data transmitted by the communication service network through the first unidirectional firewall, and for performing format conversion processing on the service data to obtain internal interface data in a preset format supported by the unidirectional gatekeeper, so as to send the internal interface data in the preset format to the unidirectional gatekeeper; the unidirectional gatekeeper is used for receiving the internal interface data in the preset format and forwarding it to the extranet host system; the extranet host system is used for restoring the internal interface data in the preset format into service data and sending the restored service data to the external network through the second unidirectional firewall.
2. The network security unidirectional isolation system of the communication satellite system according to claim 1, characterized in that the intranet host system comprises: a first switch, a first cross-network interaction proxy server cluster, a second switch and a first monitoring terminal; the first switch is connected to the first unidirectional firewall, and the second switch is connected to the inner service port of the unidirectional gatekeeper; the first network cards of all servers in the first cross-network interaction proxy server cluster are connected to the first switch, and the second network cards of all servers in the first cross-network interaction proxy server cluster are connected to the second switch; the first monitoring terminal is connected to the first switch and to the second switch respectively and is used for supporting human-computer interaction; the first switch is used for receiving the service data sent by the first unidirectional firewall and sending it to the first cross-network interaction proxy server cluster; the first cross-network interaction proxy server cluster is used for performing format conversion processing on the service data to obtain internal interface data in the preset format supported by the unidirectional gatekeeper, and sending it to the unidirectional gatekeeper through the second switch.
3. The network security unidirectional isolation system of the communication satellite system according to claim 2, characterized in that the extranet host system comprises: a third switch, a second cross-network interaction proxy server cluster, a fourth switch and a second monitoring terminal; the third switch is connected to the outer service port of the unidirectional gatekeeper, and the fourth switch is connected to the second unidirectional firewall; the first network cards of all servers in the second cross-network interaction proxy server cluster are connected to the third switch, and the second network cards of all servers in the second cross-network interaction proxy server cluster are connected to the fourth switch; the second monitoring terminal is connected to the third switch and to the fourth switch respectively and is used for supporting human-computer interaction; the third switch is used for receiving the internal interface data in the preset format sent by the unidirectional gatekeeper and sending it to the second cross-network interaction proxy server cluster; the second cross-network interaction proxy server cluster is used for performing format recovery processing on the internal interface data in the preset format to obtain the restored service data, and sending it to the fourth switch; the fourth switch is used for sending the restored service data to the external network through the second unidirectional firewall.
4. The network security unidirectional isolation system of the communication satellite system according to claim 1, characterized in that the network security unidirectional isolation system further comprises: an intranet management switch and an extranet management switch; the intranet management switch is connected respectively to the first unidirectional firewall, to the devices on the data transmission link in the intranet host system and to the inner service port of the unidirectional gatekeeper, all of which are deployed with device state monitoring software; the extranet management switch is connected respectively to the outer service port of the unidirectional gatekeeper, to the devices on the data transmission link in the extranet host system and to the second unidirectional firewall, all of which are deployed with the device state monitoring software; the intranet management switch is used for monitoring the device state of all hardware devices connected to it and sending the obtained device state information to the first server through the first management network; the extranet management switch is used for monitoring the device state of all hardware devices connected to it and sending the obtained device state information to the second server through the second management network.
5. The network security unidirectional isolation system of the communication satellite system according to claim 3, characterized in that the network security unidirectional isolation system further comprises: a network security audit system;
The network security one-way isolation system of the communication satellite system according to claim 3, characterized in that the network security one-way isolation system further comprises: a network security audit system; 所述网络安全审计系统旁接部署于所述外网主机系统中的第四交换机上,用于对所述外网主机系统的网络行为进行审计。The network security audit system is deployed in parallel on the fourth switch in the external network host system, and is used to audit the network behavior of the external network host system. 6.根据权利要求1所述的通信卫星系统的网络安全单向隔离系统,其特征在于,所述内网主机系统和外网主机系统均部署防病毒策略和主机管控系统。6. The network security one-way isolation system of the communication satellite system according to claim 1 is characterized in that both the intranet host system and the extranet host system deploy anti-virus strategies and host management and control systems. 7.根据权利要求3所述的通信卫星系统的网络安全单向隔离系统,其特征在于,所述网络安全单向隔离系统中部署跨网交互代理软件;所述跨网交互代理软件包括:电文协议收发模块、文件协议收发模块、数据收发监视模块和状态管理模块;7. The network security one-way isolation system of the communication satellite system according to claim 3 is characterized in that cross-network interaction agent software is deployed in the network security one-way isolation system; the cross-network interaction agent software includes: a message protocol transceiving module, a file protocol transceiving module, a data transceiving monitoring module and a status management module; 所述电文协议收发模块和所述文件协议收发模块部署于所述第一跨网交互代理服务器集群和所述第二跨网交互代理服务器集群;The message protocol transceiver module and the file protocol transceiver module are deployed in the first cross-network interaction proxy server cluster and the second cross-network interaction proxy server cluster; 所述数据收发监视模块和所述状态管理模块部署于所述第一监控终端和所述第二监控终端;The data transceiver monitoring module and the status management module are deployed in the first monitoring terminal and the second monitoring terminal; 所述电文协议收发模块用于支持电文数据的传输;The telegram protocol transceiver module is used to support the transmission of telegram data; 所述文件协议收发模块用于支持文件数据的传输;The file protocol transceiver module is used 
to support the transmission of file data; 所述数据收发监视模块用于监控所述电文协议收发模块和所述文件协议收发模块的数据收发状态,并提供人机交互界面;The data transceiving monitoring module is used to monitor the data transceiving status of the telegram protocol transceiving module and the file protocol transceiving module, and provide a human-computer interaction interface; 所述状态管理模块用于展示跨网交互代理服务器的双工状态和软件运行状态。The state management module is used to display the duplex state and software running state of the cross-network interactive proxy server. 8.一种通信卫星系统的网络安全单向隔离方法,其特征在于,应用于权利要求1-7中任一项所述的通信卫星系统的网络安全单向隔离系统,包括:8. A network security unidirectional isolation method for a communication satellite system, characterized in that the network security unidirectional isolation system for a communication satellite system applied to any one of claims 1 to 7 comprises: 接收通信业务网络通过第一单向防火墙传送的业务数据,并对所述业务数据进行格式转换处理,得到单向网闸支持的预设格式的内部接口数据;Receiving service data transmitted by the communication service network through the first unidirectional firewall, and performing format conversion processing on the service data to obtain internal interface data in a preset format supported by the unidirectional firewall; 将所述预设格式的内部接口数据发送至所述单向网闸,以使所述单向网闸将其转发至外网主机系统;其中,所述外网主机系统用于将所述预设格式的内部接口数据恢复为业务数据,并将恢复后的业务数据通过第二单向防火墙发送至外部网络。The internal interface data in the preset format is sent to the one-way firewall so that the one-way firewall forwards it to the external network host system; wherein the external network host system is used to restore the internal interface data in the preset format into business data, and send the restored business data to the external network through a second one-way firewall. 9.一种电子设备,包括存储器、处理器,所述存储器上存储有可在所述处理器上运行的计算机程序,其特征在于,所述处理器执行所述计算机程序时实现权利要求8所述的通信卫星系统的网络安全单向隔离方法的步骤。9. 
An electronic device comprising a memory and a processor, wherein the memory stores a computer program that can be run on the processor, wherein when the processor executes the computer program, the steps of the network security one-way isolation method of the communication satellite system according to claim 8 are implemented. 10.一种计算机可读存储介质,其特征在于,所述计算机可读存储介质存储有计算机指令,所述计算机指令被处理器执行时实现权利要求8所述的通信卫星系统的网络安全单向隔离方法。10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions, and when the computer instructions are executed by a processor, the network security one-way isolation method of the communication satellite system according to claim 8 is implemented.
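The claims describe a relay pipeline without fixing any concrete "preset format": service data is converted by the intranet proxy cluster into internal interface data the one-way gatekeeper accepts, forwarded in one direction only, then restored by the extranet proxy cluster (claims 1 to 3 and 8), with message and file payloads as the two supported kinds (claim 7). The following is an added, self-contained illustration of that flow written for this page; it is not code from the patent or its applicant. Everything concrete in it is an assumption: the frame layout (a fixed big-endian header with magic, type, sequence number, name and length, followed by the payload and a CRC32 trailer), the 1 MiB size cap, the two type codes, and the sample service data. It shows why a strict preset format matters on a unidirectional link: the gate relays only well-formed frames, so raw protocol traffic that never went through format conversion and a frame with a corrupted byte are both dropped and counted rather than forwarded, and because there is no return channel, loss or replay is detected from sequence numbers rather than negotiated.

```python
from __future__ import annotations

import struct
import zlib
from dataclasses import dataclass

# Constructed constants for the hypothetical "preset internal interface format"
# (assumed for this example; the patent does not specify a layout).
MAGIC = b"UIF1"              # frame marker the gatekeeper looks for
TYPE_MESSAGE = 1             # message (telegram) protocol payload, claim 7
TYPE_FILE = 2                # file protocol payload, claim 7
ALLOWED_TYPES = {TYPE_MESSAGE, TYPE_FILE}
MAX_PAYLOAD = 1 << 20        # assumed 1 MiB cap per frame
NAME_LEN = 32

# Big-endian fixed header: magic | type | sequence | name (NUL padded) | payload length
HEADER = struct.Struct(f">4sBI{NAME_LEN}sI")
TRAILER = struct.Struct(">I")  # CRC32 over header + payload


@dataclass(frozen=True)
class BusinessData:
    kind: int
    name: str
    payload: bytes


def encode_frame(item: BusinessData, seq: int) -> bytes:
    """Intranet proxy cluster: convert service data into the preset internal format."""
    name = item.name.encode("utf-8")
    if item.kind not in ALLOWED_TYPES:
        raise ValueError("unsupported service data type")
    if len(item.payload) > MAX_PAYLOAD or len(name) > NAME_LEN:
        raise ValueError("payload or name exceeds preset limits")
    body = HEADER.pack(MAGIC, item.kind, seq, name, len(item.payload)) + item.payload
    return body + TRAILER.pack(zlib.crc32(body))


def decode_frame(frame: bytes) -> tuple[int, BusinessData]:
    """Extranet proxy cluster: validate a frame strictly, then restore service data."""
    if len(frame) < HEADER.size + TRAILER.size:
        raise ValueError("frame truncated")
    magic, kind, seq, raw_name, length = HEADER.unpack_from(frame, 0)
    if magic != MAGIC or kind not in ALLOWED_TYPES:
        raise ValueError("not a preset-format frame")
    if length > MAX_PAYLOAD or len(frame) != HEADER.size + length + TRAILER.size:
        raise ValueError("length field disagrees with frame size")
    body = frame[: HEADER.size + length]
    (crc,) = TRAILER.unpack_from(frame, HEADER.size + length)
    if crc != zlib.crc32(body):
        raise ValueError("checksum mismatch")
    name = raw_name.rstrip(b"\0").decode("utf-8")
    return seq, BusinessData(kind, name, frame[HEADER.size : HEADER.size + length])


class OneWayGatekeeper:
    """Models the unidirectional gate: frames move from the inner to the outer side only.

    There is deliberately no method that carries anything back to the inner side.
    """

    def __init__(self) -> None:
        self.outer_queue: list[bytes] = []
        self.dropped = 0

    def forward(self, frame: bytes) -> bool:
        # Only traffic already in the preset format is relayed; raw protocol
        # traffic and malformed or corrupted frames are dropped and counted.
        try:
            decode_frame(frame)
        except ValueError:
            self.dropped += 1
            return False
        self.outer_queue.append(frame)
        return True


def run_pipeline(items: list[BusinessData], injected: list[bytes]) -> tuple[list[BusinessData], int]:
    """End-to-end flow of claims 1 and 8; returns the restored data and the drop count."""
    gate = OneWayGatekeeper()
    for seq, item in enumerate(items, start=1):
        gate.forward(encode_frame(item, seq))
    for blob in injected:                 # constructed non-conforming inputs
        gate.forward(blob)
    restored: list[BusinessData] = []
    last_seq = 0
    for frame in gate.outer_queue:
        seq, item = decode_frame(frame)
        if seq <= last_seq:               # replay or reordering: no retransmit on a one-way link
            gate.dropped += 1
            continue
        last_seq = seq
        restored.append(item)
    return restored, gate.dropped


# Constructed sample service data (not from the patent).
SAMPLE_ITEMS = [
    BusinessData(TYPE_MESSAGE, "link-status", b'{"beam":"A3","esno_db":9.4}'),
    BusinessData(TYPE_FILE, "pass-plan.csv", b"t,azimuth,elevation\n0,120.0,45.0\n"),
]


def demo() -> tuple[list[BusinessData], int]:
    """Two conforming items plus two constructed bad inputs: a raw HTTP request that
    never went through format conversion, and a frame with one payload byte flipped."""
    tampered = bytearray(encode_frame(SAMPLE_ITEMS[0], 7))
    tampered[HEADER.size] ^= 0xFF
    return run_pipeline(SAMPLE_ITEMS, [b"GET / HTTP/1.1\r\n\r\n", bytes(tampered)])


if __name__ == "__main__":
    restored, dropped = demo()
    for item in restored:
        print(item.kind, item.name, len(item.payload), "bytes")
    print("dropped:", dropped)
```

Running `demo()` restores both sample items unchanged and reports two dropped inputs. The gatekeeper validates the whole frame rather than just the magic bytes so that a length field disagreeing with the frame size, an unknown type code or a checksum mismatch all stop at the gate; the drop counter is the kind of figure the data transceiving monitoring module of claim 7 would surface to an operator.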
CN202411407673.9A 2024-10-10 2024-10-10 Network security one-way isolation system, method and electronic equipment for communication satellite system Pending CN119232472A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411407673.9A CN119232472A (en) 2024-10-10 2024-10-10 Network security one-way isolation system, method and electronic equipment for communication satellite system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411407673.9A CN119232472A (en) 2024-10-10 2024-10-10 Network security one-way isolation system, method and electronic equipment for communication satellite system

Publications (1)

Publication Number Publication Date
CN119232472A true CN119232472A (en) 2024-12-31

Family

ID=94068207

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411407673.9A Pending CN119232472A (en) 2024-10-10 2024-10-10 Network security one-way isolation system, method and electronic equipment for communication satellite system

Country Status (1)

Country Link
CN (1) CN119232472A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120582910A (en) * 2025-08-05 2025-09-02 南京中孚信息技术有限公司 Physically isolated network forward proxy method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination