TWI673973B - Physically isolated network transport system - Google Patents
Publication number: TWI673973B
Authority: TW (Taiwan)
Prior art keywords: data, server, output, proxy server, encoded data
Abstract
The present invention is a physically isolated network transmission system suitable for installation between a data-requesting end and a data-providing end. The data-requesting end outputs request data, and the data-providing end outputs provided data in response to that request data. The physically isolated network transmission system comprises a first server, a first proxy server, a first unidirectional gateway, a second proxy server, a second server, a third proxy server, a second unidirectional gateway, and a fourth proxy server. These servers are interconnected and internal data is transmitted in one direction only; in this way the possibility of software vulnerabilities is eliminated while data can still be exchanged without lowering the level of security protection.
Description
The present invention relates to a network transmission system, in particular a physically isolated network transmission system.
The widespread adoption of the Internet and information technology has greatly changed traditional business models and environments, as well as the way people work and live. The Internet has also enabled the rise of e-commerce, entertainment, and online communities. Besides opening up many business opportunities, these innovations have had a great impact on modern life.
Information security grows more important as information technology develops. As shown in FIG. 1, a conventional information security defense architecture 1 mostly relies on a software or hardware firewall 10 to address the problem. One example is a packet-filtering firewall with stateful packet inspection, which can inspect packet headers; its drawback is that it is difficult to design a set of filtering rules that remain effective and correct over the long term, and it cannot handle application-layer protocols, so it is powerless against attacks carried in packet payloads or aimed at weaknesses of specific application services. Another is a stateful inspection firewall, which not only monitors network traffic in a manner similar to packet filtering but also examines the content and behaviour of packet data streams; however, its performance is somewhat worse than that of a packet-filtering firewall, and it likewise cannot handle application-layer protocols. Even where the above firewalls can defend against network viruses, they still cannot effectively block ever-changing virus attacks, and the risk of large-scale infection remains.
In addition, computer-controlled peripheral equipment is becoming more complex; such equipment usually needs to be updated, data is exchanged more frequently, and the firewall becomes less and less reliable. When administrators perform updates there are two modes. In the first, the network is disconnected and the administrator must go to the site in person to perform the update, which wastes time and raises labour costs. In the second, the equipment is connected to the network for remote operation, or the vendor performs the update, which exposes the network to a high-risk environment in which attacking viruses have the opportunity to penetrate the firewall and reach the network. Traditional protection mechanisms therefore can no longer keep up with the rapidly changing range of information security threats.
In view of the shortcomings of the above prior art, the present invention provides a physically isolated network transmission system whose main purpose is to eliminate the possibility of software vulnerabilities while allowing data to be exchanged without lowering security protection.
An embodiment of the present invention provides a physically isolated network transmission system suitable for installation between a data-requesting end and a data-providing end.
The data-requesting end outputs request data, and the data-providing end outputs provided data according to the request data. The physically isolated network transmission system comprises: a first server, a first proxy server, a first unidirectional gateway, a second proxy server, a second server, a third proxy server, a second unidirectional gateway, and a fourth proxy server.
The first server has a first server port connected to the data-requesting end, a first transmitting port, and a first receiving port. The first server port receives the request data output by the data-requesting end and encodes it into first encoded data, which is output through the first transmitting port.
The first proxy server is connected to the first transmitting port of the first server, receives the first encoded data output by the first transmitting port, and encodes it into second encoded data.
The first unidirectional gateway has a first input port connected to the first proxy server and a first output port. The first input port receives the second encoded data output by the first proxy server, and the second encoded data is output through the first output port.
The second proxy server is connected to the first output port of the first unidirectional gateway, receives the second encoded data output by the first output port, and decodes it back into the first encoded data.
The second server is located between the second proxy server and the data-providing end and has a second receiving port connected to the second proxy server, a second transmitting port, and a second server port connected to the data-providing end. The second receiving port receives the first encoded data output by the second proxy server and decodes it, and the result is output through the second server port to the data-providing end. The data-providing end outputs the provided data according to the request data; the second server port receives the provided data output by the data-providing end and encodes it into third encoded data, which is output through the second transmitting port.
The third proxy server is connected to the second transmitting port, receives the third encoded data output by the second transmitting port, and encodes it into fourth encoded data.
The second unidirectional gateway has a second input port connected to the third proxy server and a second output port. The second input port receives the fourth encoded data output by the third proxy server, and it is output through the second output port.
The fourth proxy server is located between the first receiving port and the second output port, receives the fourth encoded data output by the second output port, decodes it back into the third encoded data, and outputs that to the first receiving port.
In this way, the first server and the second server are linked by an architecture of two physically isolated one-way transmission paths. The first receiving port receives the third encoded data output by the fourth proxy server and decodes it, and the result is output through the first server port to the data-requesting end.
In the physically isolated network transmission system of the present invention, the cables connecting all devices between the first server and the second server are optical fibre or RJ45.
In the physically isolated network transmission system of the present invention, an enterprise bus is further provided between the second server port and the data-providing end.
In the physically isolated network transmission system of the present invention, the first unidirectional gateway and the second unidirectional gateway are physical isolation devices.
In the physically isolated network transmission system of the present invention, one of the physically isolated one-way transmission paths comprises the first proxy server, the first unidirectional gateway, and the second proxy server; because of the first unidirectional gateway, the second proxy server cannot access the data of the first proxy server over the network. The other physically isolated one-way transmission path comprises the third proxy server, the second unidirectional gateway, and the fourth proxy server; because of the second unidirectional gateway, the fourth proxy server cannot access the data of the third proxy server over the network.
In the physically isolated network transmission system of the present invention, the first server and the second server are each able to packet-encode data for the other and decode data from the other.
In summary, the physically isolated network transmission system provided by the embodiment of the present invention implements the network transmission function with hardware devices, so that users can access data conveniently while the threat of hacker intrusion is shut out, greatly reducing the risk that confidential data is compromised or leaked.
The foregoing and other technical content, features, and effects of the present invention will be clearly presented in the following detailed description of preferred embodiments with reference to the drawings.
Referring to FIG. 2, the physically isolated network transmission system 2 of the present invention is suitable for installation between a data-requesting end 3 and a data-providing end 4. The data-requesting end 3 outputs request data, and the data-providing end 4 outputs provided data according to the request data.
Referring to FIG. 3, the above physically isolated network transmission system 4 comprises a first server 20, a first proxy server 30, a first unidirectional gateway 40, a second proxy server 50, a second server 60, a third proxy server 70, a second unidirectional gateway 80, and a fourth proxy server 90. In addition, the connection between the data-requesting end 3 and the first server 20, and between the second server 60 and the data-providing end 4, may use TCP/IP (Transmission Control Protocol/Internet Protocol), UDP (User Datagram Protocol), or SOAP (Simple Object Access Protocol), but is not limited to these.
The first server 20 has a first server port 21 connected to the data-requesting end 3, a first transmitting port 22, and a first receiving port 23. The first server port 21 receives the request data output by the data-requesting end 3 and encodes it into first encoded data, which is output through the first transmitting port 22.
The first proxy server 30 is connected to the first transmitting port 22 of the first server 20, receives the first encoded data output by the first transmitting port 22, and encodes it into second encoded data.
The first unidirectional gateway 40 is a physical isolation device with a first input port 41 connected to the first proxy server 30 and a first output port 42. The first input port 41 receives the second encoded data output by the first proxy server 30, and the second encoded data is output through the first output port 42.
The second proxy server 50 is connected to the first output port 42 of the first unidirectional gateway 40, receives the second encoded data output by the first output port 42, and decodes it back into the first encoded data.
The second server 60 is located between the second proxy server 50 and the data-providing end 4 and has a second receiving port 61 connected to the second proxy server 50, a second transmitting port 62, and a second server port 63 connected to the data-providing end 4. The second receiving port 61 receives the first encoded data output by the second proxy server 50 and decodes it, and the result is output through the second server port 63 to the data-providing end 4. The data-providing end 4 outputs the provided data according to the request data; the second server port 63 receives the provided data output by the data-providing end 4 and encodes it into third encoded data, which is output through the second transmitting port 62.
As shown in FIG. 4, this embodiment further provides an enterprise bus 5 between the second server 60 and the data-providing end 4, although this is not a limitation; the second server 60 may also be connected directly to the data-providing end 4. The enterprise bus 5 provides reliable message delivery, service access, protocol conversion, data format conversion, content-based routing, and similar functions, and hides the physical location, protocol, and data format of each service.
The third proxy server 70 is connected to the second transmitting port 62, receives the third encoded data output by the second transmitting port 62, and encodes it into fourth encoded data.
The second unidirectional gateway 80 is a physical isolation device with a second input port 81 connected to the third proxy server 70 and a second output port 82. The second input port 81 receives the fourth encoded data output by the third proxy server 70, and it is output through the second output port 82.
The fourth proxy server 90 is located between the first receiving port 23 and the second output port 82, receives the fourth encoded data output by the second output port 82, decodes it back into the third encoded data, and outputs that to the first receiving port 23.
In this way, the first receiving port 23 receives the third encoded data output by the fourth proxy server 90 and decodes it, and the result is output through the first server port 21 to the data-requesting end 3.
In this embodiment, the cables connecting all devices between the first server 20 and the second server 60 are optical fibre by way of example, but this is not a limitation; RJ45 may also be used. Furthermore, the first server 20 and the second server 60 are linked by an architecture of two physically isolated one-way transmission paths. One path comprises the first proxy server 30, the first unidirectional gateway 40, and the second proxy server 50; because of the first unidirectional gateway 40, the second proxy server 50 cannot access the data of the first proxy server 30 over the network. The other path comprises the third proxy server 70, the second unidirectional gateway 80, and the fourth proxy server 90; because of the second unidirectional gateway 80, the fourth proxy server 30 cannot access the data of the third proxy server 70 over the network. Allowing data to pass along these two physically isolated one-way paths satisfies the security principle while preserving the convenience of transmission. Outsiders therefore cannot reach confidential material over the network and data cannot be leaked, while users retain convenient access to data and the risk of confidential documents being compromised is avoided.
It is worth noting that the first server 20 and the second server 60 are each able to packet-encode data for the other and decode data from the other. In this embodiment, the first server 20 receives the request data from the data-requesting end 3 and packet-encodes it with software inside the first server, and the second server 60 decodes it, thereby protecting the transmitted data. Likewise, the second server 60 can packet-encode the provided data for the first server 20 to decode, achieving the same effect.
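The round trip described above (first server encodes, first proxy re-encodes, gateway 40 passes the record one way, second proxy and second server decode, then the reply returns over gateway 80 the same way) and the note that the two servers encode and decode for each other, modelled as an added example. This is not code from the patent or its applicant: the patent names no encoding format, so the length-prefixed JSON frame with a SHA-256 digest (server level) and the base64 line (proxy level) are assumptions, as are the `OneWayGateway` class, the `exchange` function and the constructed `INVENTORY` record. The gateway model gives the output side only a `read()` method, which is the property the text relies on when it says the downstream proxy cannot reach the upstream proxy's data.

```python
import base64
import hashlib
import json


class OneWayGateway:
    """Model of a unidirectional gateway (40 / 80 in the text).

    Frames enter through input_port() and leave through an OutputPort that
    exposes only read(). In the real device this is enforced by hardware; in
    this model the downstream side simply holds no write method at all.
    """

    class OutputPort:
        def __init__(self, queue):
            self._queue = queue

        def read(self) -> bytes:
            return self._queue.pop(0)

    def __init__(self):
        self._queue = []
        self.output_port = OneWayGateway.OutputPort(self._queue)

    def input_port(self, frame: bytes) -> None:
        self._queue.append(frame)


def server_encode(payload: dict) -> bytes:
    """First/third encoded data (assumed format): 4-byte length, JSON body,
    SHA-256 digest, so the receiving server can detect truncation or corruption."""
    body = json.dumps(payload, sort_keys=True).encode()
    return len(body).to_bytes(4, "big") + body + hashlib.sha256(body).digest()


def server_decode(frame: bytes) -> dict:
    n = int.from_bytes(frame[:4], "big")
    body, digest = frame[4:4 + n], frame[4 + n:]
    if len(body) != n or digest != hashlib.sha256(body).digest():
        raise ValueError("server frame truncated or corrupted")
    return json.loads(body)


def proxy_encode(frame: bytes) -> bytes:
    """Second/fourth encoded data (assumed format): one tagged, printable,
    newline-terminated base64 record, so the gateway link carries a
    self-delimiting unit and nothing else."""
    return b"PX1 " + base64.b64encode(frame) + b"\n"


def proxy_decode(line: bytes) -> bytes:
    if not (line.startswith(b"PX1 ") and line.endswith(b"\n")):
        raise ValueError("unexpected proxy framing")
    return base64.b64decode(line[4:-1], validate=True)


def one_way_hop(gateway: OneWayGateway, frame: bytes) -> bytes:
    """Proxy before the gateway encodes, the gateway passes the record one
    way, the proxy after the gateway decodes back to the original frame."""
    gateway.input_port(proxy_encode(frame))          # first / third proxy
    return proxy_decode(gateway.output_port.read())  # second / fourth proxy


def exchange(request: dict, provider) -> dict:
    """Full round trip: the request crosses gateway 40, the reply crosses
    gateway 80. `provider` stands in for the data-providing end 4."""
    gw40, gw80 = OneWayGateway(), OneWayGateway()
    first_encoded = server_encode(request)                       # first server 20
    provided = provider(server_decode(one_way_hop(gw40, first_encoded)))  # second server 60
    third_encoded = server_encode(provided)                      # second server 60
    return server_decode(one_way_hop(gw80, third_encoded))       # first server 20


# Constructed sample data: the data-providing end answers a device lookup.
INVENTORY = {"plc-07": {"firmware": "3.1.4", "site": "north"}}


def sample_provider(request: dict) -> dict:
    device = request.get("device")
    return {"device": device, "record": INVENTORY.get(device)}


if __name__ == "__main__":
    print(exchange({"device": "plc-07"}, sample_provider))
```

The integrity digest matters in this design: each gateway is fire-and-forget, so a corrupted frame can only be detected by the receiving server, never re-requested over the same link.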
The above describes the structure and configuration of each component of the physically isolated network transmission system provided by the present invention.
The present invention has the following effects:
First, data can be exchanged without lowering security protection. Physical network isolation uses the physical architecture of the hardware so that data can pass in one direction only, with no possibility of reverse transmission; in terms of security this may come close to one hundred percent, but on its own such an approach is of no practical use. Because the physical network is isolated, there is still a need to process and exchange data, and if portable storage devices are used to carry data back and forth between the data-requesting end 3 and the data-providing end 4, much time and labour is wasted, tracking and auditing become difficult, and information security concerns remain. The present invention therefore remedies these shortcomings by establishing two physically isolated one-way transmission paths between the first server 20 and the second server 60, forming a bidirectional physically isolated network transmission system 2. The first server 20 receives a file and packages it, producing another packaged file such as an XML file, and outputs the packaged file to the first proxy server 30; the first unidirectional gateway 40 then receives the packaged file and passes it to the second proxy server 50. This whole transmission process takes place at the physical layer of the network. The present invention thus retains the security advantage of physical network isolation while achieving automatic data exchange between the data-requesting end 3 and the data-providing end 4 quickly and without the manual use of portable storage devices.
Second, intrusion by network viruses is prevented. Because the first unidirectional gateway 40 and the second unidirectional gateway 80 between the first server 20 and the second server 60 can only pass data in one direction, physical isolation between the data-requesting end 3 and the data-providing end 4 is achieved; neither hackers nor users can directly access the data or confidential documents of the data-providing end 4 over the network, which shuts out network threats. No Trojan, network attack, intrusion, or destructive network virus can modify or write to the physically isolated network transmission system 2, so the system completely isolates itself from external threats while still achieving data transmission.
Third, optical fibre can be used for transmission. Besides being immune to noise and electromagnetic interference, optical fibre has a very large communication bandwidth, reaching 1 to 2 GHz or more, and a far higher carrying capacity than ordinary coaxial cable. It also offers high confidentiality, since the optical signal does not radiate out of the fibre, making it suitable for computer networks and bank connections.
〈Prior art〉
1‧‧‧conventional information security defense architecture
10‧‧‧firewall
〈Present invention〉
2‧‧‧physically isolated network transmission system
3‧‧‧data-requesting end
4‧‧‧data-providing end
5‧‧‧enterprise bus
20‧‧‧first server
21‧‧‧first server port
22‧‧‧first transmitting port
23‧‧‧first receiving port
30‧‧‧first proxy server
40‧‧‧first unidirectional gateway
41‧‧‧first input port
42‧‧‧first output port
50‧‧‧second proxy server
60‧‧‧second server
61‧‧‧second receiving port
62‧‧‧second transmitting port
63‧‧‧second server port
70‧‧‧third proxy server
80‧‧‧second unidirectional gateway
81‧‧‧second input port
82‧‧‧second output port
90‧‧‧fourth proxy server
FIG. 1 is an architectural diagram of a conventional information security defense system, showing its firewall installed between a data-requesting end and a data-providing end;
FIG. 2 is an architectural diagram of a physically isolated network transmission system according to an embodiment, showing the system installed between a data-requesting end and a data-providing end;
FIG. 3 is an architectural diagram of the embodiment of FIG. 2, showing the internal architecture of the physically isolated network transmission system; and
FIG. 4 is an architectural diagram of the embodiment of FIG. 3 connected to an enterprise bus, showing the enterprise bus installed between a second server and a data-providing end.
Claims (5)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW106128355A TWI673973B (en) | 2017-08-22 | 2017-08-22 | Physically isolated network transport system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201914262A TW201914262A (en) | 2019-04-01 |
| TWI673973B true TWI673973B (en) | 2019-10-01 |
Family
ID=66992164
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070019622A1 (en) * | 2005-07-20 | 2007-01-25 | Mci, Inc. | Method and system for providing secure communications between proxy servers in support of interdomain traversal |
| US20100257353A1 (en) * | 2009-04-01 | 2010-10-07 | Cheng Kelvin Y | Data diode system |
| US20120198055A1 (en) * | 2011-01-28 | 2012-08-02 | Oracle International Corporation | System and method for use with a data grid cluster to support death detection |
| CN105391613A (en) * | 2015-11-19 | 2016-03-09 | 四川中鼎自动控制有限公司 | Hydropower station Ethernet-type security isolation device inside-outside universal data bridge |
| US20160261561A1 (en) * | 2015-03-04 | 2016-09-08 | Electronics And Telecommunications Research Institute | One-way gateway, and vehicle network system and method for protecting network within vehicle using one-way gateway |
| TW201717094A (en) * | 2015-11-12 | 2017-05-16 | 台灣電力股份有限公司 | System and method for one-way transmission for network physical isolation |