CN101640595B - Method, device and system for controlling switching of isolation card - Google Patents


Info

Publication number: CN101640595B
Authority: CN (China)
Prior art keywords: port, user password, switching, information, hardware device
Legal status: Active
Application number: CN200810117280.9A
Other languages: Chinese (zh)
Other versions: CN101640595A
Inventors: 李希喆, 田宏萍
Current assignee: Lenovo Shanghai Electronics Technology Co Ltd
Original assignee: Lenovo Beijing Ltd

Landscapes

  • Storage Device Security (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method, a device and a system for controlling the switching of an isolation card. The method is applied to a system comprising a security hardware device, a host computer and the isolation card, and controls the switching of the isolation card through the security hardware device so that the host computer can operate in different network environments. The method comprises the following steps: the security hardware device receives a switching request transmitted by the host computer, the switching request comprising a user password and switching port information; it judges whether the user password is in accordance with a user password stored in advance, and determines, according to the currently recorded switching port information, whether the switching port corresponding to the switching port information is usable; and it transmits a switching command to the isolation card when the user password is in accordance with the user password stored in advance and the switching port corresponding to the switching port information is usable. The method, the device and the system control the switching process by means of the security hardware device, which acts as a black box and cannot be attacked by Trojans and the like, so as to improve the security of switching.

Description

Method, device and system for controlling the switching of an isolation card
Technical field
The present invention relates to the field of communication technology, and in particular to a method, a device and a system for controlling the switching of an isolation card.
Background art
A dual-network isolation card physically divides one PC into two, so that the PC can operate in two different network environments while the data running in one network environment cannot be read, modified or destroyed from the other. Each isolation card usually has three network interfaces, used respectively to connect the intranet, the extranet and the network interface card, and three hard-disk interfaces, which connect the hard disks corresponding to the intranet and the extranet to the hard-disk interface on the mainboard. The dual-network isolation card is usually located in the physical layer of a computer that has an operating system; the intranet and the extranet each use their own hard disk, each hard disk has its own independent operating system, and the CPU, memory and so on are shared by the PC.
The isolation card is provided with a relay that acts as a one-way selector switch. When switching between the intranet and the extranet is required, the switch is controlled through this relay, and at least two modes exist, a power-line switch and a data-line switch. When a password is issued through the relay to switch, a single-pole switch mode may be used: either the relay is controlled directly, or upper-layer software sends a switching command to the chip of the isolation card through the PCI interface. Whichever switching mode is used, the switch always moves from one operating system to another, so the switching action cannot be audited by the operating system that was running before the switch, and the switch is also difficult to reject. When switching is performed by software, the password is often fairly simple, so it is easy to attack with Trojans and the like, which reduces the security of switching. The isolation card is provided with a chip that records the switching-state code in FLASH (flash memory), but because the isolation card can only achieve isolation between different networks, it lacks password-based security.
Summary of the invention
The object of the present invention is to provide a method, a device and a system for controlling the switching of an isolation card, so as to solve the problems of the prior art that the switching of an isolation card is difficult to control and its security is not high.
To solve the above technical problems, the present invention provides the following technical scheme:
A method for controlling the switching of an isolation card, applied in a system comprising a secure hardware device, a host and an isolation card, in which the switching of the isolation card is controlled by the secure hardware device so that the host operates in different network environments, the method comprising:
receiving, by the secure hardware device, a switching request sent by the host, the switching request comprising a user password and switching port information;
judging whether the user password is consistent with a pre-stored user password, and determining, according to the currently recorded switching port information, whether the switching port corresponding to the switching port information is available;
when the user password is consistent with the pre-stored user password and the switching port corresponding to the switching port information is available, sending a switching command to the isolation card.
A device for controlling the switching of an isolation card, applied in a system comprising a host and an isolation card, in which the switching of the isolation card is controlled by the device so that the host operates in different network environments, the device comprising:
a request receiving unit, for receiving the switching request sent by the host, the switching request comprising a user password and switching port information;
a judging and executing unit, for sending a switching command to the isolation card when the user password is consistent with the pre-stored user password and the switching port corresponding to the switching port information is available.
A system for controlling the switching of an isolation card, comprising a host, an isolation card and a secure hardware device, wherein:
the host is used to send a switching request to the secure hardware device, the switching request comprising a user password and switching port information;
the secure hardware device is used to receive the switching request and, when the user password is consistent with the pre-stored user password and the switching port corresponding to the switching port information is available, to send a switching command to the isolation card.
It can be seen from the technical scheme above that the present invention uses a third-party secure hardware device to control the switching process, so the state and process of switching can be recorded and monitored in a unified way, and whether to send the switching command can be chosen flexibly according to pre-set conditions. Because the issuing of the switching command is performed by the secure hardware device, which acts as a black box, it is not easily attacked by Trojans and the like, which improves the security of switching. The secure hardware device has dedicated space for storing state information and port information, so all switching processes can be recorded, operations such as updating and deletion can be carried out, and a query function is provided to upper-layer devices such as the host; users can thus obtain the relevant switching information at any time, the recorded information is not easily lost, and the integrity and security of the whole system are improved.
Brief description of the drawings
Fig. 1 is a flow chart of the first embodiment of the method for controlling the switching of an isolation card according to the present invention;
Fig. 2 is a flow chart of the second embodiment of the method for controlling the switching of an isolation card according to the present invention;
Fig. 3 is a flow chart of the third embodiment of the method for controlling the switching of an isolation card according to the present invention;
Fig. 4 is a flow chart of the fourth embodiment of the method for controlling the switching of an isolation card according to the present invention;
Fig. 5 is a block diagram of the first embodiment of the device for controlling the switching of an isolation card according to the present invention;
Fig. 6 is a block diagram of the second embodiment of the device for controlling the switching of an isolation card according to the present invention;
Fig. 7 is a block diagram of the third embodiment of the device for controlling the switching of an isolation card according to the present invention;
Fig. 8 is a block diagram of the fourth embodiment of the device for controlling the switching of an isolation card according to the present invention;
Fig. 9 is a block diagram of the first embodiment of the system for controlling the switching of an isolation card according to the present invention;
Fig. 10 is a block diagram of the second embodiment of the system for controlling the switching of an isolation card according to the present invention.
Detailed description of the embodiments
The core of the present invention is to provide a method, a device and a system for controlling the switching of an isolation card: the secure hardware device receives a switching request sent by the host, the switching request comprising a user password and switching port information; it judges whether the user password is consistent with the pre-stored user password and determines, according to the currently recorded switching port information, whether the switching port corresponding to the switching port information is available; and when the user password is consistent with the pre-stored user password and the switching port corresponding to the switching port information is available, it sends a switching command to the isolation card.
In order that those skilled in the art may better understand the present invention, and that the above objects, features and advantages become more apparent, the present invention is described in further detail below with reference to the drawings and specific embodiments.
The flow of the first embodiment of the method for controlling the switching of an isolation card according to the present invention is shown in Fig. 1:
Step 101: the secure hardware device receives a switching request sent by the host.
The switching request sent by the host contains a user password and switching port information, which serve as the basis for deciding whether to send a switching command to the isolation card.
Step 102: judge whether the user password in the switching request is consistent with the pre-stored password; if so, perform step 103; otherwise, end the procedure.
Specifically, the secure hardware device reads the user password that was sent by the host and stored during the initialization operation, and compares whether the pre-stored user password is consistent with the user password in the switching request.
Step 103: judge, according to the currently recorded port information, whether the switching port in the switching request is available; if so, perform step 104; otherwise, end the procedure.
Specifically, the secure hardware device reads the use record of the switching port and judges whether the switching port is currently occupied. When it is not occupied, the device judges, according to the timestamp set in advance for each port, whether the switching port is within the time range recorded by its timestamp; if so, the switching port is judged available, otherwise it is judged unavailable.
Step 104: the secure hardware device sends a switching command to the isolation card.
The secure hardware device may send the switching command to the host, which forwards it to the isolation card; or the secure hardware device may send the switching command directly through an output port to the switching relay of the isolation card, in which case the isolation card does not communicate with the host.
The flow of the second embodiment of the method for controlling the switching of an isolation card according to the present invention is shown in Fig. 2. This embodiment shows the detailed process of the secure hardware device from the initialization operation to the sending of the switching command:
Step 201: the secure hardware device receives the user password and the port definition list sent by the host.
When the user uses the host for the first time, the user needs to set a user password (also called the administrator password) through the upper-layer software of the host and generate a port definition list according to the ports of the isolation card; the user password and the port definition list are then sent to the secure hardware device.
The secure hardware device may specifically be a TPM (Trusted Platform Module, a trusted root) security chip, a TCM security chip or an MTM security chip. A TPM security chip is a security chip that meets the TPM standard and can effectively protect the host against access by unauthorized users. TPM security chips are very widely used: they can store and manage the BIOS start-up password and the hard-disk password, and because these passwords are stored in the chip, the information is not lost even on power-down. A TPM security chip can perform a wider range of encryption: besides the traditional start-up encryption and hard-disk encryption, it can also encrypt system logins and application-software logins, with data transmitted only after being encrypted by the TPM, so there is no need to worry about information and passwords being stolen.
Step 202: perform the initialization operation according to the user password and the port definition list.
The secure hardware device performs the initialization operation according to the received user password and port definition list, and at least saves this user password and port definition list.
Step 203: receive the switching request, containing the user password and the switching port, sent by the host.
When the user uses this system and needs to switch, the user enters the user password and the chosen switching port on the host, and the host sends a switching request containing the user password and the switching port to the secure hardware device.
Step 204: the secure hardware device reads the user password sent by the host and stored during the initialization operation.
Step 205: compare whether the pre-stored user password is consistent with the user password in the switching request; if so, perform step 206; otherwise, end the procedure.
Step 206: the secure hardware device reads the use record of the switching port.
The port definition list in the secure hardware device contains all the ports of the isolation card, and the current use of each port is updated and recorded in real time; therefore, after the user password matches, the current use record of the switching port in the switching request must be read.
Step 207: judge, according to the use record, whether the switching port is currently occupied; if so, end the procedure; otherwise, perform step 208.
Step 208: judge, according to the timestamp set in advance for each port, whether the switching port is within the time range recorded by its timestamp; if so, perform step 209; otherwise, end the procedure.
In this embodiment of the present invention a timestamp is set in advance for each port. The timestamp indicates the time range in which the port may be switched to, so that a given port can be controlled to work only at a certain time. The timestamp is controlled by setting the RTC (Real-Time Clock, the security chip's real-time clock) or a monotone counter; for example, when an RTC is used, a certain port can be set to operate on the extranet within a certain clock period.
Step 209: the secure hardware device sends a switching command containing the switching port to the isolation card; the procedure ends.
When the switching port is currently unoccupied and, according to its timestamp, the current time is within its switching time range, the secure hardware device may send the switching command to the host, which forwards it to the isolation card, achieving software-controlled switching; or the secure hardware device, bypassing the host, may send the switching command directly to the isolation card over the connection between an output port GPIO (General Purpose Input Output) and the switching relay of the isolation card, achieving hardware-controlled switching. Because the switching command is not sent through the upper-layer software of the host, the security of switching is improved.
The flow of the third embodiment of the method for controlling the switching of an isolation card according to the present invention is shown in Fig. 3. This embodiment shows the detailed process of controlling the switching of the isolation card when the secure hardware device and the host communicate using key encryption:
Step 301: an administrator key is pre-stored in the secure hardware device and in the host.
To strengthen the security of communication between the host and the secure hardware device, an administrator key used to encrypt the communication can be stored in advance in both the secure hardware device and the host.
Step 302: judge whether use of the administrator key has been chosen; if so, perform step 303; otherwise, perform step 309.
Although the administrator key is stored in both the secure hardware device and the host, whether to use it to encrypt communication can be chosen flexibly as required when they communicate with each other.
Step 303: the secure hardware device receives the switching request, encrypted with the administrator key, sent by the host.
When both the secure hardware device and the host have chosen to encrypt communication with the administrator key, the host encrypts the switching request containing the user password and the switching port with the pre-stored administrator key and sends the encrypted switching request to the secure hardware device.
Step 304: decrypt the switching request.
After receiving the encrypted switching request, the secure hardware device decrypts it with the decryption method corresponding to the encryption method used.
Step 305: judge whether the user password in the switching request is consistent with the pre-stored password; if so, perform step 306; otherwise, end the procedure.
Step 306: judge, according to the currently recorded port information, whether the switching port in the switching request is available; if so, perform step 307; otherwise, end the procedure.
Step 307: the secure hardware device sends a switching command encrypted with the administrator key to the host.
Because the secure hardware device and the host have chosen encrypted communication, the switching command that the secure hardware device sends to the host is also encrypted with the administrator key.
Step 308: the host decrypts the switching command and forwards it to the isolation card; the procedure ends.
Step 309: the secure hardware device receives the switching request sent by the host.
When the secure hardware device and the host have both chosen not to use the administrator key to encrypt communication, the switching request that the secure hardware device receives from the host is an unencrypted switching request.
Step 310: when the user password is consistent with the pre-stored user password, and it is confirmed according to the currently recorded port information that the switching port is available, the switching command is forwarded to the isolation card through the host; the procedure ends.
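The encrypted host/device exchange of this third embodiment (steps 303 to 308), as an added Python example that is not the patent's own code. The patent names no cipher, so the block stands in an encrypt-then-MAC construction built from HMAC-SHA256 that runs with the standard library alone; the message layout, the field names and the key value are constructed assumptions.

```python
"""Host <-> secure hardware device exchange under a pre-shared administrator key (steps 303-308).

Added example, not the patent's code. Constructed assumptions: the encrypt-then-MAC
construction (HMAC-SHA256 keystream plus HMAC-SHA256 tag), the JSON message layout and
the field names; the patent itself does not name a cipher.
"""
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

NONCE_LEN = 16   # bytes of fresh randomness per message
TAG_LEN = 32     # HMAC-SHA256 output length


def _subkey(admin_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one administrator key."""
    return hmac.new(admin_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenate HMAC(enc_key, nonce || counter) blocks, then truncate."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(admin_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then MAC: nonce || ciphertext || tag, the tag covering nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(admin_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(admin_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(admin_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting; None means tampered or wrong key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(admin_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(admin_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Step 303: the host encrypts the switching request with its stored administrator key.
def host_build_request(admin_key: bytes, user_password: str, port: str) -> bytes:
    return seal(admin_key, json.dumps({"password": user_password, "port": port}).encode())


# Steps 304-307: the device decrypts, checks the password, and answers with an encrypted command.
def device_handle(admin_key: bytes, stored_password: str, blob: bytes) -> Optional[bytes]:
    plain = unseal(admin_key, blob)
    if plain is None:
        return None                      # not decryptable or not authentic: end the procedure
    req = json.loads(plain)
    if not hmac.compare_digest(req["password"].encode(), stored_password.encode()):
        return None                      # step 305 fails: end the procedure
    # step 306 (port availability against the recorded port information) is omitted here
    return seal(admin_key, json.dumps({"cmd": "SWITCH", "port": req["port"]}).encode())


# Step 308: the host decrypts the command before forwarding it to the isolation card.
def host_forward_command(admin_key: bytes, blob: Optional[bytes]) -> Optional[dict]:
    plain = None if blob is None else unseal(admin_key, blob)
    return None if plain is None else json.loads(plain)


def run_exchange(admin_key: bytes, stored_password: str, user_password: str, port: str) -> Optional[dict]:
    """Whole round trip; returns the command the host would forward, or None."""
    request = host_build_request(admin_key, user_password, port)
    return host_forward_command(admin_key, device_handle(admin_key, stored_password, request))
```

A request with a flipped ciphertext byte or sealed under a different key fails tag verification before any decryption, so the device never acts on it.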
The flow of the fourth embodiment of the method for controlling the switching of an isolation card according to the present invention is shown in Fig. 4. This embodiment shows the detailed process of controlling the switching of the isolation card when the secure hardware device additionally has the function of recording state information and switching information:
Step 401: the secure hardware device receives the user password and the port definition list sent by the host, and then performs the initialization operation.
Step 402: the secure hardware device records its state information and the switching information of each port.
The state information of the secure hardware device comprises a state flag bit, a state index and state backup information. State backup information refers to the data storage space of the secure hardware device in the current state, including the PCRs, users, keys (KEY) and so on, as well as usage state information.
The switching information of each port comprises the use record of each port, the timestamp set for each port, and so on.
Step 403: receive the switching request, containing the user password and the switching port, sent by the host.
Step 404: the secure hardware device reads the user password sent by the host and stored during the initialization operation.
Step 405: compare whether the pre-stored user password is consistent with the user password in the switching request; if so, perform step 406; otherwise, end the procedure.
Step 406: judge whether the storage space for recording state information and switching information is sufficient; if so, perform step 407; otherwise, perform step 410.
Because in this embodiment the state information of the secure hardware device and the switching information of each port are maintained, updated and recorded in real time, it is necessary to judge whether the storage space for recording state information and switching information is sufficient, so that the state information and switching information corresponding to the current switching port can be recorded and the upper-layer software in the host can query the state information and port switching information.
Step 407: judge, according to the currently recorded port information, whether the switching port in the switching request is available; if so, perform step 408; otherwise, end the procedure.
Step 408: update the state information of the secure hardware device and the switching information of the switching port in the corresponding storage space according to the switching port.
Because the switching port in the switching request has been judged available according to the currently recorded port information and the current storage space is sufficient, the state information of the secure hardware device and the switching information of the switching port are updated in the corresponding storage space according to the switching port.
Step 409: the secure hardware device sends the switching command directly through an output port to the switching relay of the isolation card; the procedure ends.
Step 410: delete the earliest recorded state information and switching information in the storage space, and return to step 407.
When the storage space for recording state information and switching information is insufficient, since the state information and port switching information recorded in the storage space are arranged in time order, it can be set in advance that once the storage space is full, the earliest recorded state information and switching information are deleted according to that order, so that there is sufficient space to record the state information and switching information corresponding to the current switching port.
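The device-side decision logic of embodiments 1, 2 and 4 (password check, occupancy and time-window check, and the bounded record space that evicts the earliest record), as an added Python model that is not the patent's own code. The `PortEntry` and `SwitchRecord` layouts, the time window as a `(start, end)` pair of clock values, the `CAPACITY` constant and the rule that a granted switch marks the target port occupied and releases the others are assumptions of this example.

```python
"""Model of the secure hardware device's switching decision (embodiments 1, 2 and 4).

Added example, not the patent's code. Constructed assumptions: the PortEntry and
SwitchRecord layouts, time windows as (start, end) clock values, CAPACITY, and the
rule that a granted switch marks the target port occupied and releases the others.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class PortEntry:
    """One row of the port definition list plus the port's current use record."""
    name: str                  # e.g. "intranet" or "extranet"
    window: Tuple[int, int]    # timestamp set in advance: (start, end) of the allowed switching period
    occupied: bool = False     # use record: is the host currently on this port?


@dataclass
class SwitchRecord:
    """State information and switching information written for one granted switch."""
    seq: int            # monotone sequence number, so records are ordered in time
    port: str
    state_flag: str


class SecureHardwareDevice:
    CAPACITY = 4   # constructed size of the record space (what step 406 checks against)

    def __init__(self, clock: Callable[[], int]):
        self._clock = clock          # RTC or monotone counter that supplies the current time
        self._password: Optional[bytes] = None
        self._ports: Dict[str, PortEntry] = {}
        self._records: List[SwitchRecord] = []
        self._seq = 0

    def initialize(self, password: str, port_list: List[PortEntry]) -> None:
        """Steps 201-202 / 401: store the user password and the port definition list."""
        self._password = password.encode()
        self._ports = {p.name: p for p in port_list}

    def _port_available(self, port: str) -> bool:
        """Steps 206-208: defined, not currently occupied, and inside its time window."""
        entry = self._ports.get(port)
        if entry is None or entry.occupied:
            return False
        start, end = entry.window
        return start <= self._clock() <= end

    def _record(self, port: str) -> None:
        """Steps 406/410/408: evict the earliest record when the space is full, then record."""
        if len(self._records) >= self.CAPACITY:
            self._records.pop(0)     # records are kept in time order, so index 0 is the earliest
        self._seq += 1
        self._records.append(SwitchRecord(self._seq, port, state_flag="switched"))

    def handle_request(self, password: str, port: str) -> Optional[dict]:
        """Return the switching command for the isolation card, or None to end the procedure."""
        if self._password is None:
            return None              # not initialized: nothing to compare against
        # Steps 204-205: compare with the stored password in constant time
        if not hmac.compare_digest(password.encode(), self._password):
            return None
        # Steps 206-208 / 407: availability against the recorded port information
        if not self._port_available(port):
            return None
        self._record(port)
        # the host runs on one network at a time: target becomes occupied, the rest are released
        for entry in self._ports.values():
            entry.occupied = entry.name == port
        return {"cmd": "SWITCH", "port": port}

    def query_records(self) -> List[SwitchRecord]:
        """Query function offered to the host's upper-layer software."""
        return list(self._records)
```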
Corresponding to the method for controlling the switching of an isolation card according to the present invention, the present invention also provides embodiments of a device and a system for controlling the switching of an isolation card.
The block diagram of the first embodiment of the device for controlling the switching of an isolation card according to the present invention is shown in Fig. 5. The device comprises a request receiving unit 510 and a judging and executing unit 520.
The request receiving unit 510 is used to receive the switching request sent by the host, the switching request comprising a user password and switching port information;
the judging and executing unit 520 is used to send a switching command to the isolation card when the user password is consistent with the pre-stored user password and the switching port corresponding to the switching port information is available.
The block diagram of the second embodiment of the device for controlling the switching of an isolation card according to the present invention is shown in Fig. 6. The device comprises an initialization information receiving unit 610, an initialization executing unit 620, a request receiving unit 630 and a judging and executing unit 640.
The initialization information receiving unit 610 is used to receive the user password and the port definition list sent by the host, where the user password is the password entered by the user and stored by the host at first use, and the port definition list contains all the ports of the isolation card;
the initialization executing unit 620 is used to perform the initialization operation according to the user password and the port definition list;
the request receiving unit 630 is used to receive the switching request sent by the host, the switching request comprising a user password and switching port information;
the judging and executing unit 640 further comprises:
a user password reading unit, for reading the user password sent by the host and stored during the initialization operation;
a user password comparing unit, for comparing whether the pre-stored user password is consistent with the user password in the switching request;
a switching port judging unit, for, when the pre-stored user password is consistent with the user password in the switching request, judging according to the read use record of the switching port whether the switching port is currently occupied and, when it is not occupied, judging according to the timestamp set in advance for each port whether the switching port is within the time range recorded by its timestamp; if so, the switching port is available, otherwise the switching port is unavailable;
a switching command sending unit, for sending a switching command to the isolation card when the switching port is available.
The block diagram of the third embodiment of the device for controlling the switching of an isolation card according to the present invention is shown in Fig. 7. The device comprises an initialization information receiving unit 710, an initialization executing unit 720, a key storing unit 730, a communication encryption unit 740, a request receiving unit 750 and a judging and executing unit 760.
The initialization information receiving unit 710 is used to receive the user password and the port definition list sent by the host, where the user password is the password entered by the user and stored by the host at first use, and the port definition list contains all the ports of the isolation card;
the initialization executing unit 720 is used to perform the initialization operation according to the user password and the port definition list;
the key storing unit 730 is used to pre-store an administrator key consistent with that of the host;
the communication encryption unit 740 is used, when use of the administrator key has been chosen, to encrypt the information transmitted to the host with the administrator key;
the request receiving unit 750 is used to receive the switching request, encrypted with the administrator key, sent by the host, the switching request comprising a user password and switching port information;
the judging and executing unit 760 is used, when it judges that the user password in the decrypted switching request is consistent with the pre-stored user password and confirms according to the currently recorded port information that the switching port corresponding to the switching port information is available, to send a switching command encrypted with the administrator key to the host, which decrypts the switching command and forwards it to the isolation card.
The block diagram of the fourth embodiment of the device for controlling the switching of an isolation card according to the present invention is shown in Fig. 8. The device comprises an initialization information receiving unit 810, an initialization executing unit 820, a state information recording unit 830, a port information recording unit 840, a request receiving unit 850, a storage space judging unit 860, a storage space updating unit 870 and a judging and executing unit 880.
The initialization information receiving unit 810 is used to receive the user password and the port definition list sent by the host, where the user password is the password entered by the user and stored by the host at first use, and the port definition list contains all the ports of the isolation card;
the initialization executing unit 820 is used to perform the initialization operation according to the user password and the port definition list;
the state information recording unit 830 is used to record the state information of the secure hardware device, the state information comprising a state flag bit, a state index and state backup information;
the port information recording unit 840 is used to record the switching information of each port, the switching information comprising the use record of each port and the timestamp set for each port;
the request receiving unit 850 is used to receive the switching request sent by the host, the switching request comprising a user password and switching port information;
the storage space judging unit 860 is used to judge whether the storage space for recording the state information and the switching information is sufficient;
the storage space updating unit 870 is used, when the storage space is sufficient, to update the state information of the secure hardware device and the switching information of the switching port in the corresponding storage space according to the switching port, and, when the storage space is insufficient, to delete the earliest recorded state information and switching information in the storage space and then update the state information of the secure hardware device and the switching information of the switching port according to the switching port;
the judging and executing unit 880 is used to send a switching command to the isolation card when the user password is consistent with the pre-stored user password and the switching port corresponding to the switching port information is available.
Figure 9 shows the first embodiment of the system for controlling isolation card switching according to the present invention. The system comprises a host 910, an isolation card 920 and a secure hardware device 930. In this system, the secure hardware device 930 sends the switching command to the isolation card 920 via the host 910.
The host 910 sends a handover request to the secure hardware device 930; the handover request comprises a user password and port switching information.
The secure hardware device 930 receives the handover request; when it judges that the user password is consistent with the prestored user password, and confirms from the currently recorded port information that the switching port corresponding to the port switching information is available, it sends a switching command to the host 910, and the host 910 forwards the switching command to the isolation card 920.
Further, before the system performs switching control, the host 910 also sends a user password and a port definition list to the secure hardware device 930. The user password is the password entered by the user and stored by the host on first use, and the port definition list comprises all ports of the isolation card. The secure hardware device 930 also performs an initialization operation according to the user password and the port definition list.
Figure 10 shows the second embodiment of the system for controlling isolation card switching according to the present invention. The system comprises a host 1010, an isolation card 1020 and a secure hardware device 1030. In this system, the secure hardware device 1030 sends the switching command directly to the isolation card 1020.
The host 1010 sends a handover request to the secure hardware device 1030; the handover request comprises a user password and port switching information.
The secure hardware device 1030 receives the handover request; when it judges that the user password is consistent with the prestored user password, and confirms from the currently recorded port information that the port corresponding to the port switching information is available, it sends the switching command directly to the transfer relay of the isolation card 1020 through an output port.
Further, before the system performs switching control, the host 1010 also sends a user password and a port definition list to the secure hardware device 1030. The user password is the password entered by the user and stored by the host on first use, and the port definition list comprises all ports of the isolation card. The secure hardware device 1030 also performs an initialization operation according to the user password and the port definition list.
As can be seen from the description of the embodiments above, the state and process of switching can be recorded and monitored in a unified way, and whether to send a switching command can be decided flexibly according to preset conditions. Because the issuing of the switching command is performed by the secure hardware device, which acts as a black box, it is not easily attacked by Trojans and the like, and the security of switching is improved. The secure hardware device has dedicated space for storing state information and port information, so every switching process can be recorded and operations such as updating and deletion can be performed; a query function is thus provided to upper-layer devices such as the host, so that the user can obtain the relevant switching information at any time, the recorded information is not easily lost, and the integrity and security of the whole system are improved.

Those skilled in the art will understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform. On this basis, the technical solution of the present invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product. This computer software product can be stored in a storage medium such as ROM/RAM, magnetic disk or optical disc, and comprises instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in the embodiments of the present invention or in some parts of the embodiments.

The above embodiments of the present invention do not limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (17)

1. A method for controlling the switching of an isolation card, the method being applied to a system comprising a secure hardware device, a host, a hard disk and an isolation card, wherein the isolation card comprises three network interfaces, used respectively to connect the intranet, the extranet and the network interface card, and three hard-disk interfaces, used respectively to connect the hard disk corresponding to the intranet, the hard disk corresponding to the extranet and the hard-disk interface on the mainboard; the switching of the isolation card is controlled by the secure hardware device so that the host is connected either to the intranet and the hard disk corresponding to the intranet, or to the extranet and the hard disk corresponding to the extranet; characterized in that the method comprises:
the secure hardware device receiving a handover request sent by the host, the handover request comprising a user password and port switching information;
judging whether the user password is consistent with a prestored user password, and confirming from the currently recorded port switching information whether the switching port corresponding to the port switching information is available;
when the user password is consistent with the prestored user password and the switching port corresponding to the port switching information is available, sending a switching command to the isolation card so that the host is connected to the network and the hard disk corresponding to the switching port.
2. The method according to claim 1, characterized in that, before receiving the handover request sent by the host, the method further comprises:
the secure hardware device receiving a user password and a port definition list sent by the host, the user password being the password entered by the user and stored by the host on first use, and the port definition list comprising all ports of the isolation card;
the secure hardware device performing an initialization operation according to the user password and the port definition list.
3. The method according to claim 1, characterized in that judging whether the user password is consistent with the prestored user password comprises:
the secure hardware device reading the user password sent by the host and prestored during the initialization operation;
comparing whether the prestored user password is consistent with the user password in the handover request.
4. The method according to claim 1, characterized in that confirming from the currently recorded port switching information whether the switching port corresponding to the port switching information is available comprises:
the secure hardware device judging, according to the use record read for the switching port, whether the switching port is currently occupied;
when it is unoccupied, judging according to the timestamp set in advance for each port whether the switching port is within the time range recorded by its timestamp; if so, the switching port is available, otherwise the switching port is unavailable.
5. The method according to claim 1, characterized in that sending the switching command to the isolation card comprises:
the secure hardware device sending the switching command to the host, and the host forwarding the switching command to the isolation card; or
the secure hardware device sending the switching command directly to the transfer relay of the isolation card through an output port.
6. The method according to any one of claims 1 to 5, characterized in that, before receiving the handover request sent by the host, the method further comprises:
prestoring an administrator key in the secure hardware device and in the host;
when use of the key is selected, encrypting all information transmitted between the secure hardware device and the host with the administrator key.
7. The method according to claim 1, characterized in that, before the secure hardware device receives the handover request sent by the host, the method further comprises:
recording the state information of the secure hardware device, the state information comprising a state flag bit, a state index and state backup information;
recording the handover information of each port, the handover information comprising the use record of each port and the timestamp set for each port.
8. The method according to claim 7, characterized in that, before sending the switching command to the isolation card, the method further comprises:
judging whether the memory space for recording the state information and the handover information is sufficient;
if so, updating the state information of the secure hardware device and the handover information of the switching port in the corresponding memory space according to the switching port;
otherwise, deleting the earliest recorded state information and handover information in the memory space and then updating the state information of the secure hardware device and the handover information of the switching port according to the switching port; or returning memory-full information to the host and stopping sending the switching command to the isolation card.
9. A device for controlling the switching of an isolation card, applied in a system comprising a host, a hard disk and an isolation card, wherein the isolation card comprises three network interfaces, used respectively to connect the intranet, the extranet and the network interface card, and three hard-disk interfaces, used respectively to connect the hard disk corresponding to the intranet, the hard disk corresponding to the extranet and the hard-disk interface on the mainboard; the switching of the isolation card is controlled by the device so that the host is connected either to the intranet and the hard disk corresponding to the intranet, or to the extranet and the hard disk corresponding to the extranet; characterized in that the device comprises:
a request receiving unit, for receiving a handover request sent by the host, the handover request comprising a user password and port switching information;
a judging and executing unit, for sending a switching command to the isolation card when the user password is consistent with a prestored user password and the switching port corresponding to the port switching information is available, so that the host is connected to the network and the hard disk corresponding to the switching port.
10. The device according to claim 9, characterized in that it further comprises:
an initialization information receiving unit, for receiving a user password and a port definition list sent by the host, the user password being the password entered by the user and stored by the host on first use, and the port definition list comprising all ports of the isolation card;
an initialization executing unit, for performing an initialization operation according to the user password and the port definition list.
11. The device according to claim 9, characterized in that the judging and executing unit comprises:
a user password reading unit, for reading the user password sent by the host and prestored during the initialization operation;
a user password comparing unit, for comparing whether the prestored user password is consistent with the user password in the handover request;
a switching port judging unit, for judging, when the prestored user password is consistent with the user password in the handover request, whether the switching port is currently occupied according to the use record read for the switching port, and, when it is unoccupied, judging according to the timestamp set in advance for each port whether the switching port is within the time range recorded by its timestamp; if so, the switching port is available, otherwise the switching port is unavailable;
a switching command sending unit, for sending the switching command to the isolation card when the switching port is available.
12. The device according to claim 9, characterized in that it further comprises:
a key storing unit, for prestoring an administrator key consistent with that of the host;
a communication encrypting unit, for encrypting the information transmitted to the host with the administrator key when use of the key is selected.
13. The device according to claim 9, characterized in that it further comprises:
a state information recording unit, for recording the state information of the device, the state information comprising a state flag bit, a state index and state backup information;
a port information recording unit, for recording the handover information of each port, the handover information comprising the use record of each port and the timestamp set for each port.
14. The device according to claim 13, characterized in that it further comprises:
a memory space judging unit, for judging whether the memory space for recording the state information and the handover information is sufficient;
a memory space updating unit, for updating the state information of the device and the handover information of the switching port in the corresponding memory space according to the switching port when the memory space is sufficient, and, when the memory space is insufficient, deleting the earliest recorded state information and handover information in the memory space and then updating the state information of the device and the handover information of the switching port according to the switching port.
15. A system for controlling the switching of an isolation card, characterized in that it comprises a host, an isolation card, a secure hardware device and a hard disk, wherein the isolation card comprises three network interfaces, used respectively to connect the intranet, the extranet and the network interface card, and three hard-disk interfaces, used respectively to connect the hard disk corresponding to the intranet, the hard disk corresponding to the extranet and the hard-disk interface on the mainboard;
the host is for sending a handover request to the secure hardware device, the handover request comprising a user password and port switching information;
the secure hardware device is for receiving the handover request and, when the user password is consistent with a prestored user password and the switching port corresponding to the port switching information is available, sending a switching command to the isolation card so that the host is connected to the network and the hard disk corresponding to the switching port.
16. The system according to claim 15, characterized in that the host is further for sending a user password and a port definition list to the secure hardware device, the user password being the password entered by the user and stored by the host on first use, and the port definition list comprising all ports of the isolation card;
the secure hardware device is further for performing an initialization operation according to the user password and the port definition list.
17. The system according to claim 15, characterized in that the secure hardware device forwards the switching command to the isolation card via the host; or
the secure hardware device sends the switching command directly to the transfer relay of the isolation card through an output port.
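The decision flow of claims 1, 3, 4, 7 and 8 (password check, port occupancy and time-window check, bounded log with oldest-entry eviction or refusal), written out as an added Python simulation of the secure hardware device; this is not code from the patent or from the assignee. The class and field names, the hour-of-day window standing in for the per-port timestamp range, the log capacity and the constant-time password comparison are assumptions.

```python
"""Simulated switch-control logic of the secure hardware device (added example).

Assumptions: class/field names, hour-of-day windows, log size, constant-time compare.
"""
import hmac
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PortRecord:
    """Per-port handover information (claim 7): use record plus allowed time window."""
    name: str
    occupied: bool = False
    window: tuple = (0, 24)  # hours of the day in which switching to this port is allowed


@dataclass
class SecureDevice:
    password: str                   # prestored at initialization (claim 2)
    ports: dict                     # port definition list, name -> PortRecord
    max_records: int = 4            # capacity of the state/handover log (constructed value)
    refuse_when_full: bool = False  # claim 8 alternative: report "full" and refuse
    log: deque = field(default_factory=deque)

    def password_ok(self, supplied: str) -> bool:
        # Claim 3: compare against the prestored password.  The constant-time
        # comparison is an added hardening choice, not something the patent states.
        return hmac.compare_digest(self.password.encode(), supplied.encode())

    def port_available(self, port: str, hour: int) -> bool:
        # Claim 4: the port must be known, unoccupied, and inside its time window.
        rec = self.ports.get(port)
        if rec is None or rec.occupied:
            return False
        lo, hi = rec.window
        return lo <= hour < hi

    def record(self, port: str, hour: int) -> bool:
        # Claim 8: update the log before issuing the command.  When storage is
        # full, either evict the oldest entry or refuse (False), per configuration.
        if len(self.log) >= self.max_records:
            if self.refuse_when_full:
                return False
            self.log.popleft()
        self.log.append((port, hour))
        return True

    def handle_request(self, supplied_pw: str, port: str, hour: int) -> str:
        # Claim 1 flow: password check, port check, log update, then the command.
        if not self.password_ok(supplied_pw):
            return "REJECT:password"
        if not self.port_available(port, hour):
            return "REJECT:port"
        if not self.record(port, hour):
            return "REJECT:storage_full"
        # Assumed occupancy model: the selected port becomes occupied, others are released.
        for name, rec in self.ports.items():
            rec.occupied = (name == port)
        return "SWITCH:" + port


def make_device(max_records: int = 4, refuse_when_full: bool = False) -> SecureDevice:
    """Build a device from a constructed two-port definition list and demo password."""
    ports = {"intranet": PortRecord("intranet"),
             "extranet": PortRecord("extranet", window=(8, 18))}
    return SecureDevice("s3cret-demo", ports, max_records, refuse_when_full)
```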
CN200810117280.9A 2008-07-28 2008-07-28 Method, device and system for controlling switching of isolation card Active CN101640595B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810117280.9A CN101640595B (en) 2008-07-28 2008-07-28 Method, device and system for controlling switching of isolation card


Publications (2)

Publication Number Publication Date
CN101640595A CN101640595A (en) 2010-02-03
CN101640595B true CN101640595B (en) 2015-03-25

Family

ID=41615404


Country Status (1)

Country Link
CN (1) CN101640595B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102279337A (en) * 2011-04-19 2011-12-14 珠海经济特区伟思有限公司 Network security separated card testing system
CN104486289B (en) * 2014-10-30 2017-09-29 中国人民解放军信息工程大学 Data unidirectional transmission method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1281190A (en) * 2000-08-23 2001-01-24 深圳市宏网实业有限公司 Network security computer with single motherboard
CN2492979Y (en) * 2001-07-27 2002-05-22 赵敏 Network isolator unit with identity confirmation
CN1419198A (en) * 2002-11-28 2003-05-21 李大东 Safety protective computer


Also Published As

Publication number Publication date
CN101640595A (en) 2010-02-03


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160606

Address after: 201203 Shanghai Zhangjiang High Tech Park of Pudong New Area Chunxiao Road No. 289 Room 501

Patentee after: Lenovo (Shanghai) Information Technology Co., Ltd.

Address before: 100085 Beijing, Haidian District information industry base on the road No. 6

Patentee before: Lenovo (Beijing) Co., Ltd.