CN104363231B - Network security isolation and information exchange method and system based on a half-duplex channel - Google Patents
- Publication number: CN104363231B (application CN201410652474.4A)
- Authority: CN (China)
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
IPC section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L63/02: network architectures or protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0236: filtering policies; filtering by address, protocol, port number or service, e.g. IP address or URL
- H04L61/106: mapping addresses of different types across networks, e.g. mapping telephone numbers to data network addresses
- H04L61/2592: translation of Internet protocol [IP] addresses using tunnelling or encapsulation
- H04L67/565: provisioning of proxy services; conversion or adaptation of application format or content
- H04L45/745: address processing for routing; address table lookup, address filtering
- H04L47/23: flow control, congestion control; bit dropping
Cross-sectional tag Y02D30/50 (climate change mitigation technologies in ICT): reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention provides a network security isolation and information exchange method and system based on a half-duplex channel, in the field of computer network security. The system consists of a data acquisition module, a protocol reassembly module, a data audit module, a payload stripping and re-encapsulation module, and a data sending module; each module may be implemented in hardware or in software. The method comprises the corresponding steps: data acquisition, protocol reassembly, data audit, payload stripping and re-encapsulation, and data sending. Data is carried over a half-duplex channel and handled by a dedicated packet-processing method that audits the transmitted data and strips it down to its payload; if a fault occurs, the channel falls back to physical isolation. Compared with prior designs, the method and system significantly raise data throughput, protect the data exchanged between different networks, prevent intrusion and control by unauthorised users, and reduce system cost.
Description
Technical field
The present invention relates to the field of computer network security and, more precisely, to a network security isolation and information exchange method and system.
Background technology
Informatisation is the main trend of world science, technology and social development; national economies and societies depend ever more on information and information systems, and information and communication technology has penetrated every aspect of production and daily life. Communication between network devices has become the basic means of exchange between institutions and between individuals. While we enjoy the convenience of networks we also suffer from malicious code, hacker attacks and information leakage. Information exchange between different networks must, on the one hand, meet the requirement of sharing information across networks and so solve the problem of information islands; on the other hand, while an information system is opened up, a core classified network must be protected from external attack and information leakage must be prevented. From a network security standpoint, network security isolation and information exchange technology keeps a critical network securely isolated from other networks while achieving efficient, controlled and secure data interaction. In this context, network security isolation and information exchange has great application value. The traditional implementations are as follows:
(1) The "2+1" architecture: an inner host, an exchange isolation matrix and an outer host. The isolation component is a duplex dual-channel physical isolation board built around an ASIC. The whole architecture fully simulates the process of manually copying a disk between machines (the sneaker-net security architecture). The inner and outer hosts have independent storage, processing units and buses, and terminate the inner-network and outer-network protocols respectively. All application-layer data passing through is stripped out of the TCP/IP protocols of the inner and outer networks, and the stripped data is carried between the inner and outer hosts through the data migration control unit. Because security is guaranteed by the physical isolation board, data access is slow and support for most network application protocols is poor.
(2) The three-host architecture: an inner host, an arbiter host and an outer host; the inner and outer hosts terminate the inner-network and outer-network protocols respectively. All application-layer messages passing through are stripped out of the inner and outer network protocols and reduced to application-layer messages, which are sent to the arbiter system over dedicated hardware and a private communication protocol. The arbiter filters and inspects the received application-layer messages, controls the information content propagated between the networks, and at the same time detects and removes malicious code such as viruses. After inspection the arbiter system passes data it has confirmed safe to the host on the other side, where it is finally restored to an ordinary network protocol packet. In a sense, for legitimate users' proper message exchange requests the three-host system is "transparent": it provides security assurance while giving users smooth service. However, the overall cost of the three-host architecture is high, and throughput also suffers from the architecture's complexity.
Summary of the invention
To address the low data access efficiency and high architecture cost of traditional network security isolation and information exchange technology, the invention proposes a network security isolation and information exchange method and system based on a half-duplex channel.
The invention discloses a network security isolation and information exchange method based on a half-duplex channel, in which data is sent from network A to network B. The specific steps are:
Step 1: Data acquisition. Collect data frames of network A from the specified network interface and process each frame as follows:
Step 1.1: If the frame is an ARP broadcast frame and it queries the MAC address of this network card, forward the ARP broadcast frame through the one-way data channel to the reverse data sending module; otherwise discard the ARP broadcast frame.
Step 1.2: If the frame is an ARP reply frame and it answers a query for this network card's MAC address, forward the ARP reply frame through the one-way data channel to the reverse data sending module; otherwise discard the ARP reply frame.
Step 1.3: If the frame is an Ethernet frame carrying the IP protocol, send it to step 2 over the half-duplex channel.
Step 2: Protocol reassembly. Restore the upper-layer protocol of the IP packet in the Ethernet frame and identify the application-layer protocol above TCP or UDP:
Step 2.1: If the IP packet's protocol is TCP, reassemble the TCP packets; once the application-layer protocol is identified, forward the reassembled TCP data one way to step 3.
Step 2.2: If the IP packet's protocol is UDP, reassemble the UDP packets; once the application-layer protocol is identified, forward the reassembled UDP data one way to step 3.
Step 2.3: If the IP packet's protocol field is anything other than TCP or UDP, discard the packet.
Step 3: Data audit. Filter and inspect the packets entering this step according to the audit configuration rules; forward packets that satisfy the audit configuration rules to step 4 and discard packets that do not.
Step 4: Payload stripping and re-encapsulation. Extract the payload part of the packet and reassemble a new packet according to the encapsulation configuration rules:
Step 4.1: If the packet carries a payload, cut off the one-way transmission of the original packet, extract the payload, and, using the address and port mapping in the encapsulation configuration rules, re-encapsulate the payload into a new packet; send the new packet one way to step 5.
Step 4.2: If the packet carries no payload, either pass the packet straight through to step 5 one way, or modify specific fields of the packet according to the address and port mapping in the encapsulation configuration rules and then pass it to step 5. The specific fields include, but are not limited to, the source IP and source port.
Step 5: Data sending. For one-way data transmission from network A to network B, the data flow sent one way to network B is the forward direction and the data flow sent one way to network A is the reverse direction; let X be A or B. The data sending module handles received ARP broadcast frames, ARP reply frames and IP packets as follows:
Step 5.1: For an ARP broadcast frame, construct an ARP reply frame from the IP and MAC addresses in the address configuration rule table and send it to network X.
Step 5.2: For an ARP reply frame, add the <IP, MAC> address pair from the ARP reply frame to the ARP mapping table.
Step 5.3: For an IP packet sent by step 4, check whether the address forwarding table (AFT) holds the MAC address of the destination IP; if so, construct a data frame and send it directly to network X, otherwise go to step 5.4.
Step 5.4: Look up the matching route entry in the routing table; if none is found, configure a route and look up again. If a route entry is found, obtain the IP address of the next-hop router and look up the corresponding MAC address in the ARP mapping table by that IP address. If it is not found, construct an ARP broadcast frame querying the router's MAC address, temporarily cache the IP packet, and wait for the reverse data acquisition module to forward back the ARP reply frame giving the router's MAC address. Once the router's MAC address is obtained, construct the data frame and send it to network X, updating the address forwarding table at the same time.
Step 6: Repeat steps 1 to 5 until data sending is complete.
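Steps 1 to 4 above, worked as Python code on a single captured frame. This is an added example, not the patent's own code: the NIC MAC and IP, the whitelist entry, the address mapping and the sample frames are all constructed. The ARP check follows the wire meaning of "queries the MAC address of this network card", i.e. an ARP request whose target protocol address is the data acquisition module's own IP, and an ARP reply whose target hardware address is the NIC's MAC. Only UDP payloads are rebuilt; TCP would need the stream reassembly of step 2, which is left out here.

```python
"""Steps 1 to 4 of the pipeline on one Ethernet frame captured from network A.
Added illustration, not the patent's code; every address, rule and frame below is constructed."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

NIC_MAC = bytes.fromhex("02000000000a")               # assumed MAC of the acquiring NIC
NIC_IP = IPv4Address("10.1.0.254").packed             # assumed IP of the data acquisition module
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
# Step 3 audit configuration rule: five-tuple whitelist, None = wildcard (assumed values).
AUDIT_WHITELIST = [("10.1.0.5", "10.2.0.9", None, 5353, PROTO_UDP)]
# Step 4 encapsulation configuration rule: (src ip, src port) -> mapped pair (assumed values).
ENCAP_MAP = {("10.1.0.5", 40000): ("192.0.2.1", 50000)}


@dataclass
class Verdict:
    action: str                    # "reverse_arp" | "forward" | "drop"
    reason: str
    frame: Optional[bytes] = None  # rebuilt frame when action == "forward"


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header with its checksum field filled in it yields 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Fresh Ethernet/IPv4/UDP headers around the payload: nothing from the original
    headers (ID, TTL, options, UDP checksum) survives. Destination MAC stays zeroed
    for step 5, which fills it from the address forwarding table."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # 0 = no UDP checksum (IPv4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return b"\x00" * 6 + NIC_MAC + struct.pack("!H", ETH_IPV4) + ip_hdr + udp


def classify_arp(arp: bytes) -> Verdict:
    """Steps 1.1 and 1.2: only ARP that concerns this NIC reaches the reverse sender."""
    if len(arp) < 28:
        return Verdict("drop", "truncated ARP")
    opcode = struct.unpack("!H", arp[6:8])[0]
    if opcode == 1 and arp[24:28] == NIC_IP:      # who-has our IP (target protocol address)
        return Verdict("reverse_arp", "step 1.1: ARP request for this NIC")
    if opcode == 2 and arp[18:24] == NIC_MAC:     # is-at, addressed to our MAC
        return Verdict("reverse_arp", "step 1.2: ARP reply to this NIC")
    return Verdict("drop", "ARP not concerning this NIC")


def process_frame(frame: bytes) -> Verdict:
    """Run one captured frame through steps 1 to 4."""
    if len(frame) < 14:
        return Verdict("drop", "truncated frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        return classify_arp(frame[14:])
    if ethertype != ETH_IPV4:
        return Verdict("drop", "step 1: neither ARP nor IP")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8:
        return Verdict("drop", "bad IPv4 header")
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return Verdict("drop", "step 2.3: not TCP or UDP")
    src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    tuple5 = (src, dst, sport, dport, proto)
    if not any(all(r is None or r == v for v, r in zip(tuple5, rule)) for rule in AUDIT_WHITELIST):
        return Verdict("drop", "step 3: no audit rule matched")
    if proto == PROTO_TCP:
        return Verdict("drop", "TCP needs stream reassembly, not shown here")
    payload = ip[ihl + 8:]
    new_src, new_sport = ENCAP_MAP.get((src, sport), (src, sport))
    # Step 4.1 strips the payload and wraps it in new headers; with no payload the same
    # rebuild is step 4.2, rewriting only the mapped source fields.
    reason = "step 4.1: payload re-encapsulated" if payload else "step 4.2: source fields remapped"
    return Verdict("forward", reason, build_udp_frame(new_src, dst, new_sport, dport, payload))


def arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Constructed who-has broadcast frame."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1, sender_mac,
                      IPv4Address(sender_ip).packed, b"\x00" * 6, IPv4Address(target_ip).packed)
    return b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_ARP) + arp


def sample_frame(payload: bytes = b"hello") -> bytes:
    """Constructed capture: A-side host 10.1.0.5:40000 -> 10.2.0.9:5353, sent to our NIC."""
    f = build_udp_frame("10.1.0.5", "10.2.0.9", 40000, 5353, payload)
    return NIC_MAC + bytes.fromhex("020000000001") + f[12:]
```

The rebuilt frame carries only the payload under freshly constructed headers, so fields of the original packet that could carry hidden data (IP ID, TTL, options, the UDP checksum) never cross to network B; the step 5 sender still has to fill in the destination MAC from the address forwarding table before the frame goes on the wire.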
The invention correspondingly also discloses a network security isolation and information exchange system based on a half-duplex channel, comprising a data acquisition module, a protocol reassembly module, a data audit module, a payload stripping and re-encapsulation module and a data sending module. The system transmits data one way from network A to network B, or the reverse. The description below takes the case of data transmitted one way from network A to network B.
The data acquisition module collects data frames of network A from the specified network interface and classifies each frame: (1) if the frame is an ARP broadcast frame that queries the MAC address of this network card, it is forwarded through the one-way data channel to the reverse data sending module, otherwise it is discarded; the reverse data sending module is the module that sends data to network A; (2) if the frame is an ARP reply frame that answers a query for this network card's MAC address, it is forwarded through the one-way data channel to the reverse data sending module, otherwise it is discarded; (3) if the frame is an Ethernet frame carrying the IP protocol, it is sent to the protocol reassembly module over the half-duplex channel; (4) if the frame is none of an ARP broadcast frame, an ARP reply frame or an IP Ethernet frame, it is discarded.
The protocol reassembly module restores the upper-layer protocol of the IP packet in the Ethernet frame, identifies the application-layer protocol above TCP or UDP, and forwards the reassembled TCP or UDP data one way to the data audit module. If the IP packet's protocol is TCP, the TCP packets are reassembled and, once the application-layer protocol is identified, the reassembled data stream is forwarded one way to the data audit module; if the protocol is UDP, the UDP packets are reassembled and, once the application-layer protocol is identified, the reassembled data stream is forwarded one way to the data audit module. If the IP packet's protocol field is anything other than TCP or UDP, the packet is discarded.
The data audit module filters and inspects packets according to the audit configuration rules, forwards packets that satisfy the rules to the payload stripping and re-encapsulation module, and discards packets that do not. The audit configuration rules include, but are not limited to, white lists, any combination of the five-tuple, and protocol feature strings obtained by machine learning.
The payload stripping and re-encapsulation module processes each received packet as follows: if the packet carries a payload, the one-way transmission of the original packet is cut off, the payload is extracted and re-encapsulated into a new packet according to the encapsulation configuration rules, and the new packet is sent one way to the data sending module; if the packet carries no payload, it is either passed straight through to the data sending module one way, or specific fields of the packet are modified according to the encapsulation configuration rules before it is passed on. The specific fields include, but are not limited to, the source IP and source port. The encapsulation configuration rules record the mapping of addresses and ports: the source IP address and source port are translated to different addresses and ports, so that packets sent from network A to network B hide the topology of network A.
For one-way data transmission from network A to network B, the forward data sending module sends data one way to network B and the reverse data sending module sends data one way to network A; let X be A or B. The data sending module handles received ARP broadcast frames, ARP reply frames and IP packets as follows: (1) for an ARP broadcast frame, an ARP reply frame is constructed from the IP and MAC addresses in the address configuration rule table and sent to network X; the address configuration rule table records the IP and MAC addresses of the data acquisition module; (2) for an ARP reply frame, the <IP, MAC> address pair from the reply is added to the ARP mapping table; (3) for an IP packet, the address forwarding table is checked for the MAC address of the destination IP; if present, a data frame is constructed and sent directly to network X, otherwise the matching route entry is looked up in the routing table to obtain the IP address of the next-hop router, the corresponding MAC address is looked up in the ARP mapping table by the router's IP address, and if it is not found an ARP broadcast frame querying the router's MAC address is constructed and the IP packet is cached temporarily until the ARP reply frame forwarded back provides the router's MAC address; once the router's MAC address is obtained, a data frame is constructed and sent to network X and the address forwarding table is updated at the same time. The address forwarding table is the mapping table from IP addresses to MAC addresses.
Compared with previously disclosed methods, the network security isolation and information exchange method and system based on a half-duplex channel have the following advantages:
(1) High performance: the modules of the system transmit data over a half-duplex channel, which significantly raises data throughput compared with the traditional "2+1" and three-host architectures.
(2) Security: the modules of the system are connected by a half-duplex channel and use a dedicated packet-processing method that audits the transmitted data and strips it to its payload; if a fault occurs the channel falls back to physical isolation. This effectively protects the data exchanged between the networks and prevents intrusion and control by unauthorised users.
(3) Low cost: the system can run on a general-purpose hardware platform with a security-kernel operating system, which significantly reduces system cost.
Brief description of the drawings
Fig. 1 is the step flow chart of the network security isolation and information exchange method of the invention;
Fig. 2 is the deployment diagram of the network security isolation and information exchange system of the invention;
Fig. 3 is the structural diagram of the network security isolation and information exchange system of the invention.
Detailed description
The invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 shows the step flow of the network security isolation and information exchange method based on a half-duplex channel. Data is sent from network A to network B. After the system has been initialised and the relevant configuration information read, the implementation steps are as follows:
Step 1: Data acquisition. Collect data frames of network A from the specified network interface and process them by frame type:
Step 1.1: If the frame is an ARP broadcast frame that queries the MAC address of this network card, forward it through the one-way data channel to the reverse data sending module; otherwise discard it. Here the reverse data sending module builds the corresponding ARP reply frame and sends it to network A. For one-way data transmission from network A to network B, the data flow sent one way to network B is the forward direction and the data flow sent one way to network A is the reverse direction.
Step 1.2: If the frame is an ARP reply frame that answers a query for this network card's MAC address, forward it through the one-way data channel to the reverse data sending module; otherwise discard it.
Step 1.3: If the frame is an Ethernet frame carrying the IP protocol, send it over the half-duplex channel to the protocol reassembly step 2.
If the frame is none of an ARP broadcast frame, an ARP reply frame or an IP Ethernet frame, discard it, then continue collecting and processing frames according to steps 1.1 to 1.3 above.
In this embodiment the security isolation and information exchange device collects data frames from the specified network interface with a dedicated packet-processing method: at the data link layer it determines whether the frame is ARP and checks whether its content concerns this network card; if so it changes the forwarding path of the ARP frame so that it is sent in the reverse direction, otherwise it discards the frame; an Ethernet frame carrying IP is forwarded directly to the protocol reassembly step, and any other frame is discarded. This dedicated packet-processing method is an improvement on existing packet-processing methods with the following properties: (a) to improve processing performance, no kernel copy of the data is made; (b) to improve security, the traditional TCP/IP protocol stack is bypassed.
Step 2: Protocol reassembly. Restore the upper-layer protocol of the IP packet in the Ethernet frame and identify the application-layer protocol above TCP or UDP:
Step 2.1: If the IP packet's protocol is TCP, reassemble the TCP packets; once the application-layer protocol is identified, forward the reassembled data stream one way to step 3.
Step 2.2: If the IP packet's protocol is UDP, reassemble the UDP packets; once the application-layer protocol is identified, forward the reassembled data stream one way to step 3.
Step 2.3: If the IP packet's protocol field is anything else, discard the packet.
In this step, protocol reassembly is considered complete as soon as the application-layer protocol has been identified; it is not necessary to cache every packet of the data stream.
Step 3: Data audit. Filter and inspect the packets entering this step according to the audit configuration rules; forward packets that satisfy the rules to step 4 and discard packets that do not.
In this step the audit configuration rules include, but are not limited to, (1) white lists; (2) any combination of the five-tuple, the five-tuple being {source IP, destination IP, source port, destination port, protocol}; (3) protocol feature strings obtained by machine learning.
Step 4: Payload stripping and re-encapsulation. Extract the payload part of the packet and reassemble a new packet according to the encapsulation configuration rules:
Step 4.1: If the packet carries a payload, cut off the one-way transmission of the original packet, extract the payload, and, using the address and port mapping in the encapsulation configuration rules, re-encapsulate the payload into a new packet; send the new packet one way to step 5.
Step 4.2: If the packet carries no payload, either pass it straight through to step 5 one way, or modify specific fields of the packet according to the address and port mapping in the encapsulation configuration rules and then pass it to step 5. The specific fields include, but are not limited to, the source IP and source port.
In this step the payload is extracted by operating directly on the original packet, with no memory copy. The mapping rules in the encapsulation configuration interrupt the one-way data transfer: the encapsulation configuration rules record the mapping of addresses and ports, translating the source IP address and source port to different addresses and ports, so that packets sent from network A to network B hide the topology of network A.
Step 5: Data sending. The data sending module handles received ARP broadcast frames, ARP reply frames and IP packets as follows:
Step 5.1: For an ARP broadcast frame: the forward data sending module, on an ARP broadcast frame forwarded from the reverse data acquisition module, constructs an ARP reply frame from the IP and MAC addresses in the address configuration rule table and sends it to network B; for an ARP broadcast frame obtained by the forward data acquisition module in step 1.1, the reverse data sending module constructs the corresponding ARP reply frame from the IP and MAC addresses in the address configuration rule table and sends it to network A.
Step 5.2: For an ARP reply frame, add the <IP, MAC> address pair from the reply to the ARP mapping table.
Step 5.3: For an IP packet sent by step 4, check whether the address forwarding table holds the MAC address of the destination IP; if so, construct a data frame and send it directly to network B, otherwise go to step 5.4.
Step 5.4: Look up the matching route entry in the routing table; if none is found, configure a route and look up again. If a route entry is found, obtain the IP address of the next-hop router and look up the corresponding MAC address in the ARP mapping table by that IP address. If it is not found, construct an ARP broadcast frame querying the router's MAC address, cache the IP packet temporarily, and wait for the reverse data acquisition module to forward back the ARP reply frame, which is handled by step 5.2 to obtain the router's MAC address. If the MAC address is found, construct the data frame and send it to network B, updating the address forwarding table at the same time. The address forwarding table holds the mapping from destination IP address to destination MAC address, and each <IP, MAC> mapping is given a life cycle; mappings in the address forwarding table that time out are deleted. The address forwarding table (AFT), routing table and ARP mapping table are updated by adaptive learning, and the data for this must be supplied by the reverse data acquisition module.
The address forwarding table, routing table and ARP mapping table used in this step can be implemented in dedicated hardware or in software. The address forwarding table holds the mapping from destination IP address to destination MAC address; the life cycle of each <destination IP, destination MAC> pair is set according to the network environment, and a mapping is deleted when it times out.
Step 6: Repeat steps 1 to 5 until the information exchange is complete.
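The sending-side tables of step 5 (address forwarding table with a life cycle per entry, routing table, ARP mapping table, and the packet cached until the router's MAC is known), worked as an added Python example that is not the patent's own code. The address configuration rule table, routes, MACs, prefixes and clock values are all constructed; "configure a route and look up again" from step 5.4 is reduced to a "no-route" result, and the ARP reply that the reverse data acquisition module forwards back is modelled by calling on_arp_reply.

```python
"""Step 5 of the data sending module: AFT with per-entry life cycle, routing table,
ARP mapping table, and packets parked until the router's ARP reply comes back.
Added illustration, not the patent's code; all addresses, routes and times are constructed."""
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class DataSender:
    def __init__(self, address_config: Dict[str, str], routes: List[Tuple[str, Optional[str]]],
                 aft_ttl: float = 300.0):
        # Address configuration rule table: IPs this module answers ARP for -> MAC (step 5.1).
        self.address_config = {IPv4Address(ip): mac for ip, mac in address_config.items()}
        # Routing table; gateway None means the prefix is on-link. Longest prefix wins.
        self.routes = sorted(((IPv4Network(p), IPv4Address(g) if g else None) for p, g in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.arp_map: Dict[IPv4Address, str] = {}                  # ARP mapping table (step 5.2)
        self.aft: Dict[IPv4Address, Tuple[str, float]] = {}        # dst IP -> (MAC, expiry time)
        self.aft_ttl = aft_ttl                                     # life cycle set per environment
        self.pending: Dict[IPv4Address, List[Tuple[IPv4Address, bytes]]] = defaultdict(list)
        self.wire: List[Tuple[str, str, object]] = []              # frames handed to network X

    def on_arp_request(self, target_ip: str) -> Optional[str]:
        """Step 5.1: answer only for addresses in the address configuration rule table."""
        mac = self.address_config.get(IPv4Address(target_ip))
        if mac is not None:
            self.wire.append((BROADCAST, "arp-reply", (target_ip, mac)))
        return mac

    def on_arp_reply(self, sender_ip: str, sender_mac: str, now: float) -> int:
        """Step 5.2: learn <IP, MAC>, then release any packets waiting on that next hop."""
        ip = IPv4Address(sender_ip)
        self.arp_map[ip] = sender_mac
        waiting = self.pending.pop(ip, [])
        for dst, packet in waiting:
            self._emit(dst, packet, sender_mac, now)
        return len(waiting)

    def send_ip(self, dst_ip: str, packet: bytes, now: float) -> str:
        """Steps 5.3 and 5.4 for one IP packet handed over by step 4."""
        dst = IPv4Address(dst_ip)
        entry = self.aft.get(dst)
        if entry is not None and entry[1] > now:                  # step 5.3: AFT hit
            self._emit(dst, packet, entry[0], now)
            return "aft"
        self.aft.pop(dst, None)                                   # life cycle over, forget it
        next_hop = self._next_hop(dst)                            # step 5.4: routing table
        if next_hop is None:
            return "no-route"
        mac = self.arp_map.get(next_hop)
        if mac is None:
            self.pending[next_hop].append((dst, packet))          # cache, ask for the router's MAC
            self.wire.append((BROADCAST, "arp-request", str(next_hop)))
            return "arp-pending"
        self._emit(dst, packet, mac, now)
        return "routed"

    def expire(self, now: float) -> int:
        """Delete AFT mappings whose life cycle has ended; returns how many were removed."""
        dead = [ip for ip, (_, exp) in self.aft.items() if exp <= now]
        for ip in dead:
            del self.aft[ip]
        return len(dead)

    def _next_hop(self, dst: IPv4Address) -> Optional[IPv4Address]:
        for net, gateway in self.routes:
            if dst in net:
                return gateway if gateway is not None else dst    # on-link: ARP for the host itself
        return None

    def _emit(self, dst: IPv4Address, packet: bytes, mac: str, now: float) -> None:
        self.aft[dst] = (mac, now + self.aft_ttl)                 # update AFT with a fresh life cycle
        self.wire.append((mac, "ip", packet))


def demo() -> List[str]:
    """Constructed walk-through: an off-link packet waits for the router's ARP reply,
    a repeat hits the AFT, and after expiry the packet is routed again via the ARP table."""
    s = DataSender({"192.0.2.1": "02:00:00:00:00:0b"},
                   [("10.2.0.0/24", None), ("0.0.0.0/0", "10.2.0.1")], aft_ttl=300)
    log = [s.send_ip("198.51.100.7", b"pkt1", now=0)]        # 'arp-pending'
    s.on_arp_reply("10.2.0.1", "02:00:00:00:00:01", now=1)    # reverse path returns the reply
    log.append(s.send_ip("198.51.100.7", b"pkt2", now=2))     # 'aft'
    s.expire(now=400)
    log.append(s.send_ip("198.51.100.7", b"pkt3", now=401))   # 'routed'
    return log
```

expire() is the timed deletion the text describes for the address forwarding table; the patent gives no life cycle for the ARP mapping table itself, so in this model a learned <IP, MAC> pair for a router is kept until overwritten by a later reply, and the AFT life cycle is what bounds how long a destination-to-MAC binding is reused without a fresh lookup.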
The network security isolation and information exchange system based on a half-duplex channel disclosed by the invention offers reliable, high-rate information exchange between networks, and is mainly deployed between two or more networks that cannot be interconnected directly but need to share information. The modules of the system are independent of one another, and each module can be implemented in hardware, in software, or in a combination of the two.
Connecting the system: the system is connected at the network egress switch or router, at the switch's or router's boundary module, as shown in Fig. 2 (a) and (b); the connection is a one-way fibre link. In Fig. 2 (a) the system sits between the network A switch and the network B switch; in Fig. 2 (b) it sits between the network A switch and the network B egress router.
Network security isolation and the Information Exchange System of the present invention mainly includes following module:Data acquisition module, agreement
Recovery module, Data Audit module, information unloading and package module and data transmission blocks.These modules are by data from A nets
One-way transmission is to B nets, or by data from B nets one-way transmission to A nets.Modules are unidirectionally connected along data flow direction.Such as Fig. 3
It is shown, it is network security isolation and the structural representation of Information Exchange System.Illustrate the work(of modules with reference to Fig. 3
Energy.
Network security is isolated carries out system initialization first before application with Information Exchange System, system initialization refer to from
The configuration information of system is read in configuration management file.Data acquisition module IP address of the configuration information of system including system,
Audit configuration rule, package arrangements rule, address configuration rule list, addresses forwarding table AFT, routing table and ARP mapping list.Match somebody with somebody
After confidence breath is loaded successfully, system monitors the data to be received such as network interface card.
The address forwarding table (AFT), the routing table and the ARP mapping table may be implemented in dedicated hardware or in software. The AFT holds the mapping from destination IP address to destination MAC address; each <IP, MAC> entry in it has a lifetime set according to the network environment, and an entry whose lifetime expires is deleted. The AFT is designed to improve the efficiency of data forwarding.
The following description takes the case of data transmitted one way from network A to network B.
Data acquisition module: collects the data frames of network A from the specified network interface and processes each collected frame according to its type: (1) if the frame is an ARP broadcast frame that queries the MAC address of this network interface card, the ARP broadcast frame is forwarded over the one-way data channel to the reverse data transmission module; otherwise the ARP broadcast frame is discarded. The reverse data transmission module is the data transmission module that sends data to network A, i.e. in the direction opposite to the A-to-B one-way transmission; it constructs an ARP reply frame from the IP and MAC addresses in the address configuration rule table and sends it to network A. (2) If the frame is an ARP reply frame that answers a query for this network card's MAC address, the ARP reply frame is forwarded over the one-way data channel to the reverse data transmission module; otherwise the ARP reply frame is discarded. (3) If the frame is an Ethernet frame carrying the IP protocol, it is sent over the half-duplex channel to the protocol recovery module. (4) Any frame not covered by (1) to (3) is discarded.
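The four classification rules above, as an added Python example that is not code from the patent: frames are parsed at the data-link layer by byte offset, with no TCP/IP stack involved, ARP requests and replies that concern this NIC are diverted to the reverse data transmission module, IPv4 frames go on to protocol recovery, and everything else is dropped. The frame builder functions, the `Disposition` enum and the IP/MAC values used in the test input are assumptions constructed for this example so that it runs offline.

```python
"""Frame classification of the data acquisition module (added example, not the patent's code)."""
import struct
from enum import Enum

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Disposition(Enum):
    REVERSE_SENDER = "forward to reverse data transmission module"   # rules (1) and (2)
    PROTOCOL_RECOVERY = "forward to protocol recovery module"        # rule (3)
    DROP = "discard"                                                 # rule (4), malformed frames


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_ethernet(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """14-byte Ethernet II header followed by the payload (constructed test input)."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP request (broadcast) or an ARP reply (unicast)."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)   # htype, ptype, hlen, plen, oper
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    return build_ethernet(dst, sender_mac, ETHERTYPE_ARP, arp)


def classify(frame: bytes, nic_mac: str, nic_ip: str) -> Disposition:
    """Apply the four classification rules to one captured frame."""
    if len(frame) < 14:
        return Disposition.DROP
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        if len(frame) < 42:                          # truncated ARP packet
            return Disposition.DROP
        oper = struct.unpack("!H", frame[20:22])[0]
        target_mac, target_ip = frame[32:38], frame[38:42]
        # (1) ARP request asking for this NIC's MAC address
        if oper == ARP_REQUEST and target_ip == ip_to_bytes(nic_ip):
            return Disposition.REVERSE_SENDER
        # (2) ARP reply answering a query made for this NIC
        if oper == ARP_REPLY and target_mac == mac_to_bytes(nic_mac) and target_ip == ip_to_bytes(nic_ip):
            return Disposition.REVERSE_SENDER
        return Disposition.DROP                      # ARP that does not concern this NIC
    if ethertype == ETHERTYPE_IPV4:
        return Disposition.PROTOCOL_RECOVERY         # (3) IP frame: on to protocol recovery
    return Disposition.DROP                          # (4) anything else (IPv6, LLDP, ...)
```

Because the module never hands a frame to the host's own ARP or IP code, an ARP request for any address other than the NIC's, and any non-IPv4 ethertype, is dropped before it can reach the kernel; only the narrowly matched ARP traffic is allowed to cross back over the reverse path.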
Protocol recovery module: recovers the upper-layer protocol from the IP packet in the Ethernet frame and parses the application-layer protocol carried over TCP or UDP; the recovered TCP or UDP packet is forwarded one way to the data audit module. If the protocol of the IP packet is TCP, the TCP packet undergoes protocol recovery and, once the application-layer protocol has been identified, the recovered data stream is forwarded one way to the data audit module. If the protocol of the IP packet is UDP, the UDP packet undergoes protocol recovery and, once the application-layer protocol has been identified, the recovered data stream is forwarded one way to the data audit module. If the IP packet carries any other protocol, the packet is discarded.
Data audit module: filters and examines packets according to the audit configuration rules; legitimate packets are forwarded to the information unloading and encapsulation module, all others are discarded. The audit configuration rules include, but are not limited to, a whitelist, any combination of the fields of the five-tuple, and protocol feature strings obtained by machine learning. The five-tuple consists of source IP, destination IP, source port, destination port and protocol.
The information unloading and encapsulation module extracts the payload portion of the packet and, according to the encapsulation configuration rules, reassembles it into a new packet. The encapsulation configuration rules record the address and port mapping: the source IP address and source port are translated into different addresses and ports, making the local network transparent to the peer network, so that packets sent from network A to network B hide the topology of network A from network B. The address and port mapping recorded in the encapsulation configuration rules is an invertible mapping pair; through the mapping the topology of network A is hidden from network B, and one-way transmission and isolation of packets are achieved. If the packet contains payload information, the one-way transmission of the packet is interrupted and the payload is extracted; the payload is encapsulated into a new packet using the mapped address and port from the encapsulation configuration rules, and the new packet is forwarded one way to the data transmission module. If the packet contains no payload information, then according to the mapped address and port in the encapsulation configuration rules it is either forwarded one way to the data transmission module directly or forwarded to the data transmission module after specific fields of the packet have been modified. The specific fields include, but are not limited to, the source IP and source port.
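The audit and the unload/re-encapsulation stages described in the two paragraphs above, as one added Python model that is not code from the patent: packets are plain dataclasses, the whitelist is a list of five-tuples in which `None` is a wildcard, and the encapsulation rules map an A-side (IP, port) to a different (IP, port) and are checked to be invertible, as the text requires. The `ttl` and `ip_id` fields (standing in for header state a host on network A would otherwise leak), and the decision to drop a packet whose source has no configured mapping, are assumptions of this example.

```python
"""Data audit by five-tuple whitelist, then payload unload and re-encapsulation (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str              # "TCP" or "UDP", as recovered by the protocol recovery module
    payload: bytes = b""
    ttl: int = 64           # header state from the A-side host (constructed for this example)
    ip_id: int = 0


# (src_ip, src_port, dst_ip, dst_port, proto); None matches anything
FiveTuple = Tuple[Optional[str], Optional[int], Optional[str], Optional[int], Optional[str]]


def audit(pkt: Packet, whitelist: List[FiveTuple]) -> bool:
    """True when the packet matches at least one whitelist entry (any combination of five-tuple fields)."""
    actual = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
    return any(all(want is None or want == got for want, got in zip(rule, actual)) for rule in whitelist)


class EncapsulationRules:
    """Invertible (IP, port) -> (IP, port) mapping recorded by the encapsulation configuration rules."""

    def __init__(self, mapping: Dict[Tuple[str, int], Tuple[str, int]]):
        self.forward = dict(mapping)
        self.reverse = {mapped: orig for orig, mapped in mapping.items()}
        if len(self.reverse) != len(self.forward):
            raise ValueError("mapping is not invertible: two A-side endpoints share one mapped endpoint")

    def map_source(self, ip: str, port: int) -> Optional[Tuple[str, int]]:
        return self.forward.get((ip, port))

    def unmap(self, ip: str, port: int) -> Optional[Tuple[str, int]]:
        """Reverse lookup, used when a reply from network B must be returned to the real A-side host."""
        return self.reverse.get((ip, port))


def unload_and_encapsulate(pkt: Packet, rules: EncapsulationRules) -> Optional[Packet]:
    mapped = rules.map_source(pkt.src_ip, pkt.src_port)
    if mapped is None:
        return None   # no mapping configured for this source: not forwarded (assumption of this example)
    new_ip, new_port = mapped
    if pkt.payload:
        # payload present: keep only the payload and build a fresh packet with the mapped source;
        # nothing else from the original headers (TTL, IP ID, ...) is carried to network B
        return Packet(new_ip, new_port, pkt.dst_ip, pkt.dst_port, pkt.proto, pkt.payload)
    # no payload: forward the packet with only the specific fields (source IP and port) rewritten
    return replace(pkt, src_ip=new_ip, src_port=new_port)


def pipeline(pkt: Packet, whitelist: List[FiveTuple], rules: EncapsulationRules) -> Optional[Packet]:
    """Audit first, then unload and encapsulate; None means the packet was discarded."""
    if not audit(pkt, whitelist):
        return None
    return unload_and_encapsulate(pkt, rules)
```

Rebuilding the packet from the payload alone is what makes the topology hiding hold in practice: a packet forwarded with only its source address rewritten would still carry host-specific header values, whereas the re-encapsulated packet carries nothing but the mapped endpoint and the audited payload.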
For one-way data transmission from network A to network B, the forward data transmission module sends data one way to network B and the reverse data transmission module sends data one way to network A. For data transmission from network B to network A, the forward data transmission module sends data one way to network A and the reverse data transmission module sends data one way to network B. The function of the data transmission module is described below for the forward data transmission module of the A-to-B data flow.
The data transmission module mainly constructs data frames from packets according to the address forwarding table (AFT) and sends them over the half-duplex channel to network B. It receives three kinds of data: ARP broadcast frames, ARP reply frames and IP packets. For an ARP broadcast frame, it constructs an ARP reply frame from the IP and MAC addresses in the address configuration rule table and sends it to network B. For an ARP reply frame, it adds the <IP, MAC> address pair from the reply to the ARP mapping table. For an ordinary IP packet sent by the information unloading and encapsulation module, it checks whether the address forwarding table holds the MAC address of the destination IP; if so, it constructs a data frame and sends it directly to network B. Otherwise it looks up the corresponding entry in the routing table; if no entry is found, a route must be configured. If an entry is found, it obtains the IP address of the next-hop router and looks up the router's MAC address in the ARP mapping table by that IP address. If the MAC address is not found, it constructs an ARP broadcast frame to query the MAC address of the next-hop router, temporarily caches the IP packet to be sent, and waits for the ARP reply frame forwarded back to obtain the router's MAC address. Once the router's MAC address is obtained, it constructs the data frame, sends it to network B and updates the address forwarding table. Updating the address forwarding table means adding the newly discovered mapping between destination IP and MAC address to the table.
The address configuration rule table records the IP address and MAC address of the upper-end network interface card, that is, of the data acquisition module, for use when constructing ARP reply packets: when the data transmission module receives an ARP broadcast frame, it must construct the ARP reply frame from the IP and MAC of the data acquisition module recorded in the address configuration rule table, answering on behalf of the upper-end network card. The routing table yields the IP address of the forwarding router, and the ARP mapping table yields the MAC address corresponding to a known IP address.
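The forwarding decision of the data transmission module as described in the two paragraphs above, as an added Python model that is not the patent's code: an address forwarding table whose entries carry a lifetime, a routing table with longest-prefix match, the ARP mapping table, the ARP reply constructed from the address configuration rule table, and the cache of packets waiting for a next-hop MAC address. The route list format, the injectable clock, the frame tuples returned and the treatment of a `None` gateway as a directly connected network are assumptions of this example; the text itself does not spell out how directly connected destinations are resolved.

```python
"""Data transmission module: AFT with lifetimes, route lookup, ARP resolution, pending cache (added example)."""
import ipaddress
import time
from typing import Callable, Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
# (kind, dst_mac, src_mac, payload); kind is "data", "arp-request" or "arp-reply"
Frame = Tuple[str, str, str, bytes]


class DataSender:
    def __init__(self, nic_ip: str, nic_mac: str, routes: List[Tuple[str, Optional[str]]],
                 aft_ttl: float = 300.0, clock: Callable[[], float] = time.monotonic):
        # address configuration rule table: IP and MAC of the data acquisition module this
        # sender answers ARP for (assumption: the same pair is used as source of sent frames)
        self.nic_ip, self.nic_mac = nic_ip, nic_mac
        # routing table: (network, next-hop IP); None next hop = directly connected (assumption)
        self.routes = sorted(((ipaddress.ip_network(net), gw) for net, gw in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.aft: Dict[str, Tuple[str, float]] = {}        # dst IP -> (MAC, expiry time)
        self.arp_table: Dict[str, str] = {}                # ARP mapping table: IP -> MAC
        self.pending: Dict[str, List[Tuple[str, bytes]]] = {}   # next hop -> cached packets
        self.aft_ttl, self.clock = aft_ttl, clock

    def _aft_lookup(self, dst_ip: str) -> Optional[str]:
        entry = self.aft.get(dst_ip)
        if entry is None:
            return None
        mac, expires = entry
        if self.clock() >= expires:                       # lifetime over: delete the mapping
            del self.aft[dst_ip]
            return None
        return mac

    def _aft_update(self, dst_ip: str, mac: str) -> None:
        self.aft[dst_ip] = (mac, self.clock() + self.aft_ttl)

    def _next_hop(self, dst_ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst_ip)
        for net, gw in self.routes:                       # longest prefix first
            if addr in net:
                return gw or dst_ip
        return None                                       # no route: one must be configured

    def on_arp_request(self, sender_ip: str, sender_mac: str, target_ip: str) -> Optional[Frame]:
        """Answer on behalf of the upper-end NIC using the address configuration rule table."""
        if target_ip != self.nic_ip:
            return None
        body = f"{self.nic_ip} is-at {self.nic_mac}".encode()
        return ("arp-reply", sender_mac, self.nic_mac, body)

    def on_arp_reply(self, sender_ip: str, sender_mac: str) -> List[Frame]:
        """Record the <IP, MAC> pair, then release every packet that was waiting for it."""
        self.arp_table[sender_ip] = sender_mac
        released: List[Frame] = []
        for dst_ip, payload in self.pending.pop(sender_ip, []):
            self._aft_update(dst_ip, sender_mac)          # newly discovered dst IP -> MAC
            released.append(("data", sender_mac, self.nic_mac, payload))
        return released

    def on_ip_packet(self, dst_ip: str, payload: bytes) -> Optional[Frame]:
        """Return the frame to put on the wire, or None when no route exists."""
        mac = self._aft_lookup(dst_ip)
        if mac:                                           # AFT hit: send directly
            return ("data", mac, self.nic_mac, payload)
        hop = self._next_hop(dst_ip)
        if hop is None:
            return None
        mac = self.arp_table.get(hop)
        if mac:                                           # router known: send and learn
            self._aft_update(dst_ip, mac)
            return ("data", mac, self.nic_mac, payload)
        # router MAC unknown: cache the packet and ask for it
        self.pending.setdefault(hop, []).append((dst_ip, payload))
        body = f"who-has {hop} tell {self.nic_ip}".encode()
        return ("arp-request", BROADCAST, self.nic_mac, body)
```

The expiring AFT entry is the detail worth noticing: without the lifetime, a destination whose next-hop MAC changed (a router replaced, or a stale reply) would keep being sent to the old address indefinitely, because every later packet short-circuits on the AFT hit and never consults the routing or ARP tables again.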
Because the modules inside the network security isolation and information exchange system are connected unidirectionally along the direction of data flow, as shown in Fig. 3, the modules are connected as follows. The engine at the upper end controlling the A-to-B data flow is engine I, and the engine at the lower end controlling the B-to-A data flow is engine II. Engine I and engine II each have data transmit/receive ports at both the A-network end and the B-network end. Data acquisition module I of engine I at the A-network end is connected one way to data transmission module II of engine II at the A-network end, and data acquisition module II of engine II at the B-network end is connected one way to data transmission module I of engine I at the B-network end. Data transmission module II is thus the reverse data transmission module for the A-to-B one-way transfer, and data transmission module I is the reverse data transmission module for the B-to-A one-way transfer. Each engine contains one data acquisition module, one data transmission module, one protocol recovery module, one data audit module and one information unloading and encapsulation module. Engine I: the input port at the A-network end is connected to data acquisition module I; the output of data acquisition module I is connected one way to protocol recovery module I; the output of protocol recovery module I is connected one way to data audit module I; the output of data audit module I is connected one way to information unloading and encapsulation module I; the output of information unloading and encapsulation module I is connected one way to data transmission module I; and the output of data transmission module I is connected one way to the output port at the corresponding network end. The input port at the B-network end is connected to data acquisition module II, and the connection structure of the modules of engine II along the B-to-A data flow is identical to that of the modules of engine I along the A-to-B data flow; in the figure the two engines are distinguished by the numerals I and II appended to the module names.
Data frames are collected from the specified network interface by a special packet processing method. At the data-link layer, the method determines whether the frame is an ARP frame and verifies whether its content concerns this network card; if so, the forwarding path of the ARP frame is changed and the frame is sent to the reverse data transmission module, otherwise the frame is discarded. If the frame is an Ethernet IP frame, it is forwarded directly to the protocol recovery module; if it is neither, the frame is discarded. This special packet processing method is an improvement on existing packet processing methods: to improve processing performance it avoids the kernel copy, and to improve security it also bypasses the traditional TCP/IP protocol stack.
Claims (7)
1. A network security isolation and information exchange system based on a half-duplex channel, for transmitting data one way from network A to network B, characterised in that the network security isolation and information exchange system comprises a data acquisition module, a protocol recovery module, a data audit module, an information unloading and encapsulation module and a data transmission module;
the data acquisition module collects the data frames of network A from a specified network interface and classifies each frame: (1) if the frame is an ARP broadcast frame that queries the MAC address of this network interface card, the ARP broadcast frame is forwarded over the one-way data channel to the reverse data transmission module, otherwise the ARP broadcast frame is discarded; (2) if the frame is an ARP reply frame that answers a query for this network card's MAC address, the ARP reply frame is forwarded over the one-way data channel to the reverse data transmission module, otherwise the ARP reply frame is discarded; (3) if the frame is an Ethernet frame of the IP protocol, the Ethernet frame is sent over the half-duplex channel to the protocol recovery module; (4) if the frame is none of an ARP broadcast frame, an ARP reply frame or an Ethernet frame of the IP protocol, the frame is discarded;
the protocol recovery module recovers the upper-layer protocol of the IP packet in the Ethernet frame; when the protocol in the IP packet is TCP or UDP, the protocol recovery module parses the application-layer protocol of TCP or UDP and forwards the recovered TCP or UDP packet one way to the data audit module; when the protocol of the IP packet is neither TCP nor UDP, the packet is discarded;
the data audit module filters and examines packets according to the audit configuration rules and forwards legitimate packets to the information unloading and encapsulation module;
the information unloading and encapsulation module processes the received packet as follows: if the packet contains payload information, the payload is extracted and, according to the encapsulation configuration rules, re-encapsulated into a new packet, and the new packet is forwarded one way to the data transmission module; if the packet contains no payload information, then according to the encapsulation configuration rules the packet is either forwarded one way to the data transmission module directly or forwarded to the data transmission module after specific fields of the packet have been modified;
for one-way data transmission from network A to network B, the forward data transmission module sends data one way to network B and the reverse data transmission module sends data one way to network A; let X be A or B;
the data transmission module processes received ARP broadcast frames, ARP reply frames and IP packets respectively as follows: (1) for an ARP broadcast frame, an ARP reply frame is constructed from the IP and MAC addresses in the address configuration rule table and sent to network X; the address configuration rule table records the IP and MAC addresses of the data acquisition module; (2) for an ARP reply frame, the <IP, MAC> address pair of the ARP reply frame is added to the ARP mapping table; (3) for an IP packet, the address forwarding table is checked for the MAC address of the destination IP; if it is present, a data frame is constructed and sent directly to network X; otherwise the corresponding routing entry is looked up in the routing table, the IP address of the next-hop router is obtained, and the corresponding MAC address is looked up in the ARP mapping table by the router's IP address; if it is not found, an ARP broadcast frame is constructed to query the router's MAC address and the ARP reply frame forwarded back is awaited to obtain the router's MAC address; once the router's MAC address is obtained, a data frame is constructed and sent to network X, and the address forwarding table is updated; the address forwarding table is a table mapping IP addresses to MAC addresses;
when the network security isolation and information exchange system exchanges data between network A and network B, let the engine at the upper end controlling the A-to-B data flow be engine I and the engine at the lower end controlling the B-to-A data flow be engine II; engine I and engine II each have data transmit/receive ports at the A-network end and at the B-network end; each engine contains five functional modules: one data acquisition module, one protocol recovery module, one data audit module, one information unloading and encapsulation module and one data transmission module; the data acquisition module of engine I at the A-network end is connected one way to the data transmission module of engine II at the A-network end, and the data acquisition module of engine II at the B-network end is connected one way to the data transmission module of engine I at the B-network end; within each engine: the input of the corresponding network end is connected to the data acquisition module, the output of the data acquisition module is connected one way to the protocol recovery module, the output of the protocol recovery module is connected one way to the data audit module, the output of the data audit module is connected one way to the information unloading and encapsulation module, the output of the information unloading and encapsulation module is connected one way to the data transmission module, and the output of the data transmission module is connected one way to the output port of the corresponding network end.
2. The network security isolation and information exchange system based on a half-duplex channel according to claim 1, characterised in that the audit configuration rules used by the data audit module include: 1) a whitelist; 2) any combination of the five-tuple {source IP, destination IP, source port, destination port, protocol}; 3) protocol feature strings obtained by machine learning.
3. The network security isolation and information exchange system based on a half-duplex channel according to claim 1, characterised in that the encapsulation configuration rules record the mapping of addresses and ports, translating the source IP address and source port into different addresses and ports so that packets sent from network A to network B hide the topology of network A.
4. A network security isolation and information exchange method based on a half-duplex channel, characterised in that data is exchanged between network A and network B; let the engine at the upper end controlling the A-to-B data flow be engine I and the engine at the lower end controlling the B-to-A data flow be engine II; engine I and engine II each have data transmit/receive ports at the A-network end and at the B-network end; each engine contains five functional modules: one data acquisition module, one protocol recovery module, one data audit module, one information unloading and encapsulation module and one data transmission module; the data acquisition module of engine I at the A-network end is connected one way to the data transmission module of engine II at the A-network end, and the data acquisition module of engine II at the B-network end is connected one way to the data transmission module of engine I at the B-network end; within each engine: the input of the corresponding network end is connected to the data acquisition module, the output of the data acquisition module is connected one way to the protocol recovery module, the output of the protocol recovery module is connected one way to the data audit module, the output of the data audit module is connected one way to the information unloading and encapsulation module, the output of the information unloading and encapsulation module is connected one way to the data transmission module, and the output of the data transmission module is connected one way to the output port of the corresponding network end;
sending data one way from network A to network B comprises the following steps:
Step 1: data acquisition: the data frames of network A are collected from the specified network interface and processed as follows, specifically:
Step 1.1: if the frame is an ARP broadcast frame that queries the MAC address of this network interface card, the ARP broadcast frame is forwarded over the one-way data channel to the reverse data transmission module, otherwise the ARP broadcast frame is discarded;
Step 1.2: if the frame is an ARP reply frame that answers a query for this network card's MAC address, the ARP reply frame is forwarded over the one-way data channel to the reverse data transmission module, otherwise the ARP reply frame is discarded;
Step 1.3: if the frame is an Ethernet frame of the IP protocol, the Ethernet frame is sent over the half-duplex channel to step 2 for processing;
Step 2: protocol recovery: the upper-layer protocol of the IP packet in the Ethernet frame is recovered and the application-layer protocol of TCP or UDP is parsed, specifically:
Step 2.1: if the protocol of the IP packet is TCP, the TCP packet undergoes protocol recovery and, once the application-layer protocol has been identified, the recovered TCP packet is forwarded one way to step 3;
Step 2.2: if the protocol of the IP packet is UDP, the UDP packet undergoes protocol recovery and, once the application-layer protocol has been identified, the recovered UDP packet is forwarded one way to step 3;
Step 2.3: if the protocol of the IP packet is neither TCP nor UDP, the packet is discarded;
Step 3: data audit: packets entering this step are filtered and examined according to the audit configuration rules; packets that conform are forwarded to step 4, and packets that do not conform are discarded;
Step 4: information unloading and encapsulation, specifically:
Step 4.1: if the packet contains payload information, the payload is extracted and, using the mapped address and port in the encapsulation configuration rules, re-encapsulated into a new packet, and the new packet is forwarded one way to step 5;
Step 4.2: if the packet contains no payload information, then using the mapped address and port in the encapsulation configuration rules, the packet is either forwarded one way to step 5 directly or forwarded to step 5 after specific fields of the packet have been modified;
Step 5: data transmission: for one-way data transmission from network A to network B, the data flow sent one way to network B is the forward flow and the data flow sent one way to network A is the reverse flow; let X be A or B; the data transmission module processes received ARP broadcast frames, ARP reply frames and IP packets respectively as follows:
Step 5.1: for an ARP broadcast frame, an ARP reply frame is constructed from the IP and MAC addresses in the address configuration rule table and sent to network X;
Step 5.2: for an ARP reply frame, the <IP, MAC> address pair of the ARP reply frame is added to the ARP mapping table;
Step 5.3: for an IP packet, the address forwarding table is checked for the MAC address of the destination IP; if it is present, a data frame is constructed and sent directly to network X, otherwise go to step 5.4;
Step 5.4: the corresponding routing entry is looked up in the routing table; if no entry is found, a route is configured and the lookup is repeated; if an entry is found, the IP address of the next-hop router is obtained and the corresponding MAC address is looked up in the ARP mapping table by the router's IP address; if it is not found, an ARP broadcast frame is constructed to query the router's MAC address, the IP packet is temporarily cached, and the ARP reply frame forwarded back by the reverse data acquisition module is awaited to obtain the router's MAC address; once the router's MAC address is obtained, a data frame is constructed and sent to network X, and the address forwarding table is updated;
Step 6: steps 1 to 5 are repeated until the data has been completely sent.
5. The network security isolation and information exchange method based on a half-duplex channel according to claim 4, characterised in that the audit configuration rules in step 3 include: 1) a whitelist; 2) any combination of the five-tuple {source IP, destination IP, source port, destination port, protocol}; 3) protocol feature strings obtained by machine learning.
6. The network security isolation and information exchange method based on a half-duplex channel according to claim 4, characterised in that the encapsulation configuration rules in step 4 record the mapping of addresses and ports, translating the source IP address and source port into different addresses and ports so that packets sent from network A to network B hide the topology of network A.
7. The network security isolation and information exchange method based on a half-duplex channel according to claim 4, characterised in that the address forwarding table in step 5 contains the mapping of destination IP addresses to destination MAC addresses, a lifetime is set for each <IP, MAC> mapping, and mappings in the address forwarding table whose lifetime has expired are deleted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410652474.4A CN104363231B (en) | 2014-11-17 | 2014-11-17 | A kind of network security isolation and information switching method and system based on half-duplex channel |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104363231A CN104363231A (en) | 2015-02-18 |
CN104363231B true CN104363231B (en) | 2017-09-19 |
Family
ID=52530457
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |