CN105376207A - Network security device - Google Patents

Info

Publication number
CN105376207A
Authority
CN (China)
Prior art keywords
data
security device
terminal
network security
media access
Legal status
Pending
Application number
CN201410436711.3A
Other languages
Chinese (zh)
Inventor
郑经炜
Current Assignee
Action Star Enterprise Co Ltd
Original Assignee
Action Star Enterprise Co Ltd
Priority date
2014-08-29
Filing date
2014-08-29
Publication date
2016-03-02
Application filed by Action Star Enterprise Co Ltd
Priority to CN201410436711.3A
Publication of CN105376207A
Legal status: Pending

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security device comprising at least one USB interface, at least one control and processing module, and an Ethernet interface. The network security device is connected between a first data transceiver terminal and the Internet and converts the MAC address contained in a packet that the first data transceiver terminal sends over the Internet to a remote second data transceiver terminal, thereby providing security for network data transmission. When the second data transceiver terminal sends data to the first data transceiver terminal over the Internet, the network security device also converts the MAC address contained in the packet sent by the second data transceiver terminal, thereby providing effective security protection for bidirectional data transmission.

Description

Network security device
Technical field
The present invention relates to a network security device, and in particular to a network security device that uses MAC address conversion as its principal network security measure.
Background technology
The purpose of communication is to send data from one end to the other so as to exchange information over a distance, as in data transmission between computers, radio broadcasting and satellite communication. A collection of servers and network equipment, personal computers or mainframes that share resources and exchange information over wired or wireless links is called a network.
For a company, exchanging information over a network helps to accelerate and expand its business, but it also brings the worry that secrets may leak. To prevent leaks, companies usually communicate with the outside world through a network security architecture such as the one shown in Figure 1. Data (packets) sent out by an intra-company computer 11' are first delivered to a network access control device 12' (which includes routing functions); the network access control device 12' identifies the source IP address and destination IP address of each packet, then forwards the packet to the Internet 13', which in turn forwards it to the receiving computer 14' at the destination IP address. The most common network access control device 12' is a firewall.
As is well known, the protection a firewall provides covers only the TCP (Transmission Control Protocol) part and cannot cover the UDP (User Datagram Protocol) part. The reason is that when data is transmitted over TCP, packets must be carried by the IP protocol; by contrast, when data is transmitted over UDP, no IP verification is required, so the correctness of the data transfer is not guaranteed.
Because conventional TCP/IP is an insecure protocol suite, its data transmission applications create many security holes on the Internet; advanced firewalls therefore include IP translation and/or DNS translation functions so that internal company information does not leak out. An advanced firewall maintains an IP address mapping mechanism internally. IP translation has two benefits: first, it hides the real IP addresses of the internal network so that an attacker cannot attack the internal network directly; second, it allows internal users to use reserved IP addresses, which helps the many enterprises that do not have enough IP addresses.
However, TCP/IP still cannot effectively prevent company secrets from leaking, because an employee can still change the IP address of his or her computer to the IP address of someone else's computer through a website (such as NewIPNow.com) or IP switching software (such as SafeIP) and then send confidential company data outside. In that case, even if the company's network access control device 12' detects that confidential company data has leaked, it is difficult to trace the person responsible for the leak.
Because existing network access control technology still has shortcomings and deficiencies, the inventor has made every effort to study the problem and has finally developed the network security device of the present invention.
Summary of the invention
The following provides a brief overview of the present invention so as to give a basic understanding of some aspects of it. It should be understood that this overview is not an exhaustive summary of the invention. It is not intended to identify key or critical elements of the invention, nor to limit its scope. Its sole purpose is to present some concepts in simplified form as a prelude to the more detailed description that follows.
The main purpose of the present invention is to provide a network security device that is connected between a first data transceiver terminal and the Internet, in order to convert the MAC address contained in a packet sent by the first data transceiver terminal over the Internet to a remote second data transceiver terminal, and thereby provide security for network data transmission. Moreover, when the second data transceiver terminal sends data over the Internet to the first data transceiver terminal, the network security device of the present invention also converts the MAC address contained in the packet sent by the second data transceiver terminal, thereby providing effective security protection for bidirectional data transmission.
Therefore, in order to achieve the above object of the present invention, the invention provides a network security device comprising:
A USB interface, for electrical connection to an external first data transceiver terminal, wherein the first data transceiver terminal has a first media access control address;
At least one control and processing module, coupled to the USB interface and having a first converting unit and a second converting unit; and
An Ethernet interface having a second media access control address, for communicating with an external Internet so that the first data transceiver terminal can exchange information over the Internet with a remote second data transceiver terminal, wherein the second data transceiver terminal has a third media access control address. Thus, when the first data transceiver terminal transmits a first packet to the second data transceiver terminal, the control and processing module uses the first converting unit to convert the first media access control address in the first packet into the second media access control address. And when the second data transceiver terminal transmits a second packet to the first data transceiver terminal, the control and processing module uses the second converting unit to convert the third media access control address in the second packet into the second media access control address.
Further, the USB interface comprises at least:
A USB physical layer, for electrical connection to the external first data transceiver terminal; and
A USB serial interface engine, coupled to the USB physical layer through a USB transceiver unit.
Further, the control and processing module also comprises a memory unit that stores the first media access control address and the third media access control address for access by the first converting unit and the second converting unit.
Further, the Ethernet interface comprises at least:
A network physical layer, for communicating with the external Internet; and
A MAC layer, coupled to the network physical layer through a Media Independent Interface (MII).
Further, there are two or more groups of the at least one USB interface and the at least one control and processing module.
Further, the device also comprises a switching fabric coupled between the at least one control and processing module and the Ethernet interface.
Compared with the prior art, the beneficial effects of the invention are as follows:
The network security device of the present invention is connected between a first data transceiver terminal and the Internet, in order to convert the MAC address contained in a packet sent by the first data transceiver terminal over the Internet to a remote second data transceiver terminal, and thereby provides security for network data transmission. Moreover, when the second data transceiver terminal sends data over the Internet to the first data transceiver terminal, the network security device of the present invention also converts the MAC address contained in the packet sent by the second data transceiver terminal, providing effective security protection for bidirectional data transmission.
Brief description of the drawings
To illustrate more clearly the embodiments of the present invention or the technical solutions of the prior art, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a network security architecture;
Fig. 2 is an application schematic diagram of the network security device of the present invention;
Fig. 3 is a block diagram of the network security device; and
Fig. 4 is an application schematic diagram of a second implementation architecture of the network security device.
In the figures:
1 network security device
2 first data transceiver terminal
3 Internet
11 USB interface
12 control and processing module
13 Ethernet interface
111 USB physical layer
112 USB serial interface engine
113 USB transceiver unit
121 first converting unit
122 second converting unit
123 memory unit
4 second data transceiver terminal
131 network physical layer
132 MAC layer
133 Media Independent Interface
2a third data transceiver terminal
14 switching fabric
11' intra-company computer
12' network access control device
13' Internet
14' receiving computer
Embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. The elements and features described in one drawing or embodiment of the present invention may be combined with the elements and features shown in one or more other drawings or embodiments. It should be noted that, for the sake of clarity, the drawings and the description omit parts and processes that are unrelated to the invention or well known to persons of ordinary skill in the art. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Refer to Fig. 2, an application schematic diagram of the network security device of the present invention, and to Fig. 3, a block diagram of the network security device. As shown in Figures 2 and 3, the network security device 1 of the present invention mainly comprises a USB interface 11, a control and processing module 12 and an Ethernet interface 13. The USB interface 11 is electrically connected through its USB physical layer 111 to an external first data transceiver terminal 2, for example a computer that has a media access control (MAC) address. The USB serial interface engine 112 of the USB interface 11 is coupled to the USB physical layer 111 through a USB transceiver 113, so that the differential signal received by the USB physical layer 111 can be passed to the USB serial interface engine 112, with the USB transceiver 113 performing the NRZI (non-return-to-zero inverted) decoding of that differential signal.
In the network security device 1, the control and processing module 12 is an integrated circuit (IC) chip whose interior is provided with a first converting unit 121, a second converting unit 122 and a memory unit 123; the memory unit 123 stores the MAC address of the first data transceiver terminal 2 and the MAC address of the second data transceiver terminal 4. The Ethernet interface 13 communicates with an external Internet 3 through its network physical layer 131, and the MAC layer 132 of the Ethernet interface 13 is coupled to the network physical layer 131 through a Media Independent Interface (MII) 133. With this arrangement, the first data transceiver terminal 2 can exchange information over the Internet 3 with the remote second data transceiver terminal 4.
With the network security device 1 of the present invention connected between the first data transceiver terminal 2 and the Internet 3, when the first data transceiver terminal 2 transmits a first packet over the Internet 3 to the second data transceiver terminal 4, the control and processing module 12 of the network security device 1 uses its internal first converting unit 121 to convert the first MAC address in the first packet (that is, the MAC address of the first data transceiver terminal 2) into a second MAC address; the second MAC address here refers to the MAC address of the Ethernet interface 13 itself. For example, if the MAC address of the first data transceiver terminal 2 is A and the MAC address of the Ethernet interface 13 is B, the MAC address contained in the packet sent by the first data transceiver terminal 2 is converted from A to B.
Conversely, when the second data transceiver terminal 4 transmits a second packet over the Internet 3 to the first data transceiver terminal 2, the control and processing module 12 of the network security device 1 uses its internal second converting unit 122 to convert the third MAC address in the second packet (that is, the MAC address of the second data transceiver terminal 4) into the second MAC address, that is, the MAC address of the Ethernet interface 13 itself. For example, if the MAC address of the second data transceiver terminal 4 is C and the MAC address of the Ethernet interface 13 is B, the MAC address contained in the packet sent by the second data transceiver terminal 4 is converted from C to B.
The network security device of the present invention has thus been fully and clearly described, and from the above it can be seen that the present invention has the following advantages:
The network security device 1 of the present invention is connected between a first data transceiver terminal 2 and an Internet 3, in order to convert the MAC address contained in a packet sent by the first data transceiver terminal 2 over the Internet 3 to a remote second data transceiver terminal 4, and thereby provides security for network data transmission. Moreover, when the second data transceiver terminal 4 sends data over the Internet 3 to the first data transceiver terminal 2, the network security device 1 of the present invention also converts the MAC address contained in the packet sent by the second data transceiver terminal 4, providing effective security protection for bidirectional data transmission.
In addition to the first implementation architecture of the network security device 1 shown in Fig. 3, the present invention also provides a second implementation architecture of the network security device 1. Fig. 4 is an application schematic diagram of this second implementation architecture, whose special feature is that it contains two groups of USB interfaces 11, two groups of control and processing modules 12, an Ethernet interface 13 and a switching fabric 14. The two USB interfaces 11 are connected respectively to a first data transceiver terminal 2 and a third data transceiver terminal 2a, so that both the first data transceiver terminal 2 and the third data transceiver terminal 2a communicate with the Internet 3 through the network security device 1 of the present invention. In the second implementation architecture, the switching fabric 14 is coupled between the two control and processing modules 12 and the Ethernet interface 13 in order to manage and distribute effectively the data transmitted and received by the first data transceiver terminal 2 and the third data transceiver terminal 2a.
Moreover, in the second implementation architecture the memory unit 123 must store the MAC address of the first data transceiver terminal 2, the MAC address of the second data transceiver terminal 4 and the MAC address of the third data transceiver terminal 2a. Thus, when the first data transceiver terminal 2 (or the third data transceiver terminal 2a) transmits a packet over the Internet 3 to the second data transceiver terminal 4, the control and processing module 12 of the network security device 1 uses its internal first converting unit 121 to convert the MAC address in that packet (that is, the MAC address of the first data transceiver terminal 2 or of the third data transceiver terminal 2a) into the MAC address of the Ethernet interface 13 itself. For example, if the MAC address of the third data transceiver terminal 2a is A' and the MAC address of the Ethernet interface 13 is B, the MAC address contained in the packet sent by the third data transceiver terminal 2a is converted from A' to B.
In the embodiments of the present invention described above, the serial numbers of the embodiments are only for convenience of description and do not indicate the relative merits of the embodiments. Each embodiment emphasises different aspects; for any part not described in detail in one embodiment, refer to the related description of the other embodiments.
In the apparatus and method embodiments of the present invention, the components or steps may obviously be decomposed, combined and/or recombined after decomposition. Such decompositions and/or recombinations should be regarded as equivalents of the present invention. Likewise, in the above description of specific embodiments of the invention, a feature described and/or illustrated for one embodiment may be used in the same or a similar manner in one or more other embodiments, combined with features of other embodiments, or substituted for features of other embodiments.
It should be emphasised that the term "comprises/comprising", when used herein, indicates the presence of the stated features, elements, steps or components but does not exclude the presence or addition of one or more other features, elements, steps or components.
Finally, although the present invention and its advantages have been described in detail above, it should be understood that various changes, substitutions and alterations can be made without departing from the spirit and scope of the invention as defined by the appended claims. Moreover, the scope of the present invention is not limited to the specific embodiments of the processes, apparatus, means, methods and steps described in the specification. A person of ordinary skill in the art will readily appreciate from the disclosure of the present invention that processes, apparatus, means, methods or steps existing now or to be developed in the future that perform substantially the same function or achieve substantially the same result as the corresponding embodiments described herein may be used according to the present invention. Accordingly, the appended claims are intended to include such processes, apparatus, means, methods or steps within their scope.
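The following is an added example, not code from the patent or from Action Star: a Python model of the MAC address conversion described above, covering both the single-terminal architecture (A to B outbound, C to B inbound) and the second architecture with a third terminal (A' to B). It assumes untagged Ethernet II frames, represents memory unit 123 as a dictionary, passes through any source MAC the memory unit does not know (the patent does not specify this case), and uses constructed MAC addresses and function names of its own.

```python
import struct
from typing import Dict, List, Tuple

ETH_HDR = struct.Struct("!6s6sH")  # Ethernet II header: dst MAC, src MAC, EtherType


def mac_bytes(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {text}")
    return raw


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet II frame (no VLAN tag, no FCS) used as sample input."""
    return ETH_HDR.pack(mac_bytes(dst), mac_bytes(src), ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, int, bytes]:
    """Split a frame into (dst, src, ethertype, payload); reject runt frames."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return dst, src, ethertype, frame[ETH_HDR.size:]


class NetworkSecurityDevice:
    """Software model of device 1: Ethernet interface 13 with MAC B plus memory unit 123."""

    def __init__(self, interface_mac: str, local: Dict[str, str], remote: Dict[str, str]):
        self.interface_mac = mac_bytes(interface_mac)  # B, the MAC of Ethernet interface 13
        # Memory unit 123: MACs of local terminals 2 and 2a (A, A') and remote terminal 4 (C)
        self.local = {mac_bytes(m): name for name, m in local.items()}
        self.remote = {mac_bytes(m): name for name, m in remote.items()}
        self.log: List[str] = []

    def _rewrite_src(self, frame: bytes, table: Dict[bytes, str], unit: str) -> Tuple[bytes, bool]:
        dst, src, ethertype, payload = parse_frame(frame)
        if src not in table:
            # Assumption: the patent does not say what happens to a source MAC that is
            # not in the memory unit; this model passes the frame through and logs it.
            self.log.append(f"{unit}: unknown source {mac_str(src)}, passed through")
            return frame, False
        self.log.append(f"{unit}: {table[src]} {mac_str(src)} -> {mac_str(self.interface_mac)}")
        return ETH_HDR.pack(dst, self.interface_mac, ethertype) + payload, True

    def outbound(self, frame: bytes) -> Tuple[bytes, bool]:
        """First converting unit 121: frames from terminal 2 or 2a, A or A' becomes B."""
        return self._rewrite_src(frame, self.local, "unit 121")

    def inbound(self, frame: bytes) -> Tuple[bytes, bool]:
        """Second converting unit 122: frames from terminal 4, C becomes B."""
        return self._rewrite_src(frame, self.remote, "unit 122")

# Constructed addresses for the example (not from the patent): A, A', B and C
MAC_A = "00:11:22:33:44:01"   # first data transceiver terminal 2
MAC_A2 = "00:11:22:33:44:02"  # third data transceiver terminal 2a
MAC_B = "02:aa:bb:cc:dd:ee"   # Ethernet interface 13 of the device
MAC_C = "00:99:88:77:66:55"   # second data transceiver terminal 4

def demo() -> Dict[str, object]:
    """Run both directions through the model and report the resulting header fields."""
    dev = NetworkSecurityDevice(MAC_B, {"terminal 2": MAC_A, "terminal 2a": MAC_A2},
                                {"terminal 4": MAC_C})
    payload = bytes([0x45, 0x00, 0x00, 0x14]) + b"\x00" * 16  # constructed IPv4-like payload
    results: Dict[str, object] = {}
    # Terminal 2 -> terminal 4: A must become B, destination and payload stay untouched
    out, done = dev.outbound(build_frame(MAC_C, MAC_A, 0x0800, payload))
    dst, src, ethertype, body = parse_frame(out)
    results["out_src"], results["out_dst"], results["out_ok"] = mac_str(src), mac_str(dst), done
    results["out_payload_intact"] = body == payload and ethertype == 0x0800
    # Terminal 2a -> terminal 4 (second architecture): A' must become B
    out2, _ = dev.outbound(build_frame(MAC_C, MAC_A2, 0x0800, payload))
    results["out2_src"] = mac_str(parse_frame(out2)[1])
    # Terminal 4 -> terminal 2: C must become B
    inb, _ = dev.inbound(build_frame(MAC_A, MAC_C, 0x0800, payload))
    results["in_src"] = mac_str(parse_frame(inb)[1])
    # A source MAC the memory unit does not know is passed through unchanged
    stray, done = dev.outbound(build_frame(MAC_C, "de:ad:be:ef:00:01", 0x0800, payload))
    results["stray_src"], results["stray_ok"] = mac_str(parse_frame(stray)[1]), done
    results["log"] = list(dev.log)
    return results
```

Calling `demo()` returns the rewritten source MACs for each case together with the device's conversion log, so the passthrough of an unknown terminal is visible as an auditable event rather than silently forwarded.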

Claims (6)

1. A network security device, characterized by comprising:
At least one USB interface, for electrical connection to an external first data transceiver terminal, wherein the first data transceiver terminal has a first media access control address;
At least one control and processing module, coupled to the USB interface and having a first converting unit and a second converting unit; and
An Ethernet interface having a second media access control address, for communicating with an external Internet so that the first data transceiver terminal exchanges information over the Internet with a remote second data transceiver terminal, wherein the second data transceiver terminal has a third media access control address;
Wherein, when the first data transceiver terminal transmits a first packet to the second data transceiver terminal, the control and processing module converts the first media access control address in the first packet into the second media access control address by means of the first converting unit;
Wherein, when the second data transceiver terminal transmits a second packet to the first data transceiver terminal, the control and processing module converts the third media access control address in the second packet into the second media access control address by means of the second converting unit.
2. The network security device of claim 1, characterized in that the USB interface comprises at least:
A USB physical layer, for electrical connection to the external first data transceiver terminal; and
A USB serial interface engine, coupled to the USB physical layer through a USB transceiver unit.
3. The network security device of claim 1, characterized in that the control and processing module further comprises a memory unit that stores the first media access control address and the third media access control address for access by the first converting unit and the second converting unit.
4. The network security device of claim 1, characterized in that the Ethernet interface comprises at least:
A network physical layer, for communicating with the external Internet; and
A MAC layer, coupled to the network physical layer through a Media Independent Interface (MII).
5. The network security device of claim 1, characterized in that there are two or more groups of the at least one USB interface and the at least one control and processing module.
6. The network security device of claim 5, characterized in that it further comprises a switching fabric coupled between the at least one control and processing module and the Ethernet interface.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410436711.3A 2014-08-29 2014-08-29 Network security device

Publications (1)

Publication Number Publication Date
CN105376207A true CN105376207A (en) 2016-03-02

Family

ID=55378018

Country Status (1)

Country Link
CN (1) CN105376207A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1440604A (en) * 2000-07-03 2003-09-03 智谋有限公司 Firewall system combined with embedded hardware and general-purpose computer
CN101802837A (en) * 2007-05-30 2010-08-11 约吉安全系统公司 System and method for providing network and computer firewall protection with dynamic address isolation to a device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160302