
CN1305271C - Network safety isolating and information exchanging system and method based on proxy mapping - Google Patents


Info

Publication number
CN1305271C
CN1305271C
Authority
CN
China
Prior art keywords
network
data
information
processing unit
counterfoil
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2004100180176A
Other languages
Chinese (zh)
Other versions
CN1571398A (en)
Inventor
潘理
李建华
王凯
王杰
Current Assignee
Shanghai Jiao Tong University
Original Assignee
Shanghai Jiao Tong University
Application filed by Shanghai Jiao Tong University
Priority to CNB2004100180176A
Publication of CN1571398A
Application granted
Publication of CN1305271C
Anticipated expiration
Current legal status: Expired - Fee Related


Abstract

A system and method for network security isolation and information exchange based on proxy mapping, for use in the fields of information security and network data exchange. In the system of the invention, the internal and external network processing units are connected to the internal network and the external network respectively. The isolation exchange unit consists of an isolation switching controller and an isolated memory; the internal and external network processing units are connected to the isolation switching controller through high-speed data transmission lines, and the controller is in turn connected to the isolated memory, so that only one of the two processing units can access the isolated memory at any time. The two processing units exchange information through the isolation exchange unit; the internal network processing unit contains a proxy stub and the external network processing unit contains a proxy engine. In the method of the invention, the proxy stub and the proxy engine call an internally defined transmission interface and complete the data exchange between the internal and external network processing units through the isolation exchange unit, thereby establishing, by proxy mapping, an information exchange path between an internal network client and an external network server.


Description

System and method for network security isolation and information exchange based on proxy mapping

Technical field

The present invention relates to a system and method for network security isolation and information exchange, and specifically to a system and method for network security isolation and information exchange based on proxy mapping. It is used in the fields of information security and network data exchange.

Background

The network border protection mechanism in general use today is the firewall. The main firewall implementation techniques are packet filtering, application proxying and stateful inspection. Because a firewall's hardware architecture is a single bastion host, once that host is compromised by an attacker the firewall loses all effectiveness. Ordinary firewall products therefore no longer meet the security needs of important networks and data. Users with high-level network security requirements, such as financial, government and research institutions, usually build a dedicated internal network that is physically isolated from the external network. This makes information exchange between the different trust domains inconvenient. Security isolation and information exchange is a new technology that allows moderately secure information exchange while keeping the link between the internal and external networks isolated. Its characteristic is that, inside the security isolation and information exchange system, the link connecting the internal and external networks is broken and data is ferried across through an isolated memory; everything exchanged between the networks is application-layer data, and the system never forwards data in the form of IP packets, directly or indirectly. Because exchanging data through hardware isolation breaks the direct protocol interaction between the internal and external networks, it can in principle provide higher security than a firewall.

Current security isolation and information exchange systems generally exchange information by double-proxy relay. A search found that Beijing Jingtai Network Technology Co., Ltd., a company specializing in the development and production of information security isolation products, used double-proxy relay in its 2003 product, the Jingtai Secure Information Exchange System. For e-mail, for example, a mail proxy server is installed in each of the internal and external networks; mail sent by internal users is received in full by the internal proxy server, switched to the external proxy server through the Jingtai system, and then sent on by the external proxy server to the external network, and vice versa. The drawback of this method is that data sent or received by a user passes through two complete store-and-forward stages, which amounts to the two proxy servers mirroring and synchronizing their data through the security isolation and information exchange system; real-time performance and scalability are poor. In addition, besides the security isolation and information exchange system itself, users must configure extra servers on the internal and external networks, which raises cost and management complexity.

Contents of the invention

The purpose of the present invention is to overcome the shortcomings of the double-proxy relay method by proposing a network security isolation and information exchange system and method based on proxy mapping, in which Internet application-layer data is proxied and exchanged by mapping inside the security isolation and information exchange system. The method can provide proxy service for interactive network services based on the Transmission Control Protocol (TCP), so that the security isolation and information exchange device supports not only non-real-time data exchange between networks but also real-time services such as World Wide Web (WEB) browsing and e-mail (Email) transfer. It improves the real-time performance of information interaction and does not require the user to configure additional servers outside the security isolation and information exchange system, reducing cost and management complexity.

The present invention is realized through the following technical solution. The security isolation and information exchange system of the invention consists of three parts: an internal network processing unit, an external network processing unit and an isolation exchange unit. The internal and external network processing units each have their own network interface and independent IP address and are connected to the trusted-domain network (internal network) and the untrusted-domain network (external network) respectively; they are two independent server systems. The isolation exchange unit consists of an isolation switching controller and an isolated memory. The internal and external network processing units are each connected to the isolation switching controller of the isolation exchange unit through a high-speed data transmission line, and the isolation switching controller is in turn connected to the isolated memory. At any point in time only one of the internal and external network processing units can access the isolated memory. The two processing units exchange information through the isolation exchange unit. The internal network processing unit contains a proxy stub and the external network processing unit contains a proxy engine. To internal network users the security isolation and information exchange system is an application proxy server: the proxy stub and the proxy engine cooperate to provide the function of one complete application proxy server, and the two converse and exchange data over the isolation exchange unit using an application transport protocol.

The isolation switching control unit acts like a single-pole double-throw electronic switch: it switches periodically between the high-speed data transmission lines connecting it to the internal and external network processing units, ensuring that at any point in time only one of the two units can access the isolated memory.

The security isolation and information exchange system works in proxy server mode. Internal network users can treat the system as an ordinary application proxy server. To use the World Wide Web and e-mail services, the user configures a proxy in the corresponding client software (IE or OUTLOOK), with the proxy server address set to the address of the system's internal network processing unit. One complete proxy server function is split into two parts, the proxy engine on the external network processing unit and the proxy stub on the internal network processing unit; the stub and the engine communicate by calling the transmission interfaces on the internal and external sides. The transmission interface passes the information to the switching control software, which drives the isolation exchange unit to switch the information between the internal and external processing units:

The proxy stub runs on the internal network processing unit of the security isolation and information exchange system and is a system daemon for each network service. On the network interface side it communicates with the TCP/IP protocol stack through SOCKET calls; on the isolation exchange side it communicates via the transmission interface using the internal mapping protocol. The proxy stub mainly implements the front-end processing of a proxy server, including:

Checking connection requests from users in the trusted domain. After the state of each legitimate connection has been recorded, the connection request is forwarded through the internal mapping protocol to the proxy engine on the external network processing unit.

Processing the data received by the mapping protocol from the external network processing unit and forwarding it to the corresponding internal network connection according to the saved connection state.

The proxy engine runs on the external network processing unit. On the network interface side it communicates with the TCP/IP protocol stack through network socket (SOCKET) calls; on the isolation exchange side it communicates via the transmission interface using the internal mapping protocol. It is a system daemon for each network service and implements the great majority of the processing of a complete proxy server, including:

Receiving service requests from the internal network processing unit through the transmission interface and issuing application requests to the external network server.

Receiving the data returned by the external network server and performing content inspection and virus scanning on it.

Calling the transmission interface to switch the information returned from the external network back to the internal network through the isolated transmission channel.

The transmission interface is the interface through which the proxy engine and the proxy stub communicate with the internal mapping protocol. It mainly performs the following processing:

Receiving the information to be exchanged from the proxy stub or proxy engine, encoding and encapsulating it into internal mapping protocol messages, and writing them into the isolated memory through the switching control program.

Reading the data exchanged between the internal and external network processing units from the switching control program, parsing the messages according to the internal mapping protocol, and distributing the message contents to the different proxy stubs or proxy engines.

The switching control software identifies and controls the hardware of the isolation exchange unit, ensures that the physical device is actually connected when the transport protocol layer reads and writes data, and ensures that those reads and writes are reliable. In the system it is the hardware driver of the isolation exchange unit and provides the communication interface to the internal mapping protocol process.

In the network security isolation and information exchange method based on proxy mapping of the present invention, the security isolation and information exchange system described above acts as a network proxy server that provides proxy service to internal network users. The proxy stub and the proxy engine, located on the internal and external network processing units respectively, call the internally defined transmission interface and complete the data exchange between the two processing units through the isolation exchange unit, thereby establishing, by proxy mapping, an information exchange path between the internal network client and the external network server.

The method of the invention is further defined below. The steps by which an internal network user completes a network information exchange through the security isolation and information exchange system are as follows:

(1) The internal network processing unit provides network proxy service to internal users through the proxy stub, communicating with them over TCP/IP. On its network side it opens a public TCP port for each network service offered and continuously listens on that port for requests from internal users.

(2) On receiving a network application request from an internal user, the proxy stub authenticates the user connection as appropriate for the application protocol and performs security checks and filtering on the protocol data. If the check fails, the internal user is notified and the connection is closed.

(3) For an accepted application request, the proxy stub keeps the connection information internally. The connection request is encapsulated according to the internal mapping protocol, and the proxy stub calls the transmission interface to write the data into the isolation exchange unit.

(4) The proxy engine on the external network processing unit continuously calls the transmission interface to check whether the isolation exchange unit holds data written by the proxy stub. If there is no new data the processing process blocks; otherwise it reads the data sent by the proxy stub.

(5) After receiving the information from the internal network processing unit, the proxy engine parses it according to the internal mapping protocol. If it is a new network application request, the engine keeps the connection information and returns a confirmation to the proxy stub, establishing a data transmission channel through the isolation exchange unit.

(6) The proxy engine provides complete proxy service for the received network application request: from the network side of the external network processing unit it issues a connection request to the external server over TCP/IP and obtains the data. This process follows the standard Internet communication protocol for the network application concerned.

(7) After the data received by the proxy engine has passed security checks such as content filtering and virus scanning, the engine calls the transmission interface to encapsulate the data according to the internal mapping protocol and write it into the isolation exchange unit.

(8) On the isolation exchange side, the proxy stub in the internal network processing unit receives the data transmitted from the external network processing unit, operating as the proxy engine does in step (4).

(9) The proxy stub parses the data received from the external network processing unit with the mapping protocol. If it is the data transmission channel confirmation returned by the proxy engine in step (5), it establishes the data transmission channel and keeps its information.

(10) If what the proxy stub receives is application data, it uses the data transmission channel information kept in step (9) to look up the internal user connection information kept in step (3), and sends the data to the internal user over TCP/IP according to that information.

(11) When the proxy stub has completed the user request, or the proxy engine has completed the data transmission, either may call the transmission interface to write a data transmission channel release request, deleting and releasing the connection information, data transmission channel information and associated resources kept for the network application request in steps (3), (5) and (9).

(12) On receiving the data transmission channel release request from the other side, the proxy stub or proxy engine deletes and releases the connection information, data transmission channel information and associated resources kept in steps (3), (5) and (9), which ends one network application data transfer.
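To make steps (1) to (12) concrete, the following simulation, written for this page and not taken from the patent or its prototype, models the isolated memory as a switch that refuses the disconnected side, a proxy stub that checks and records requests, and a proxy engine that serves them, inspects the reply and releases the channel; it handles a batch of requests rather than the single request the steps describe. The JSON framing with CONNECT/ACK/DATA/RELEASE frames, the allowed-host policy, the malware marker, the stand-in external server and the sample requests are all constructed assumptions.

```python
import json
from collections import deque

INNER, OUTER = "inner", "outer"
class IsolationUnit:
    """Switching controller + isolated memory, a single-pole double-throw switch."""
    def __init__(self):
        self.connected, self.violations = INNER, 0   # violations: refused accesses
        self.memory = {INNER: deque(), OUTER: deque()}   # frames by destination

    def _check(self, side):   # only the currently connected side may read or write
        if side != self.connected:
            self.violations += 1
            raise PermissionError(f"{side} side is not connected to the memory")

    def write(self, side, frame):
        self._check(side)
        self.memory[OUTER if side == INNER else INNER].append(frame)

    def read(self, side):
        self._check(side)
        return self.memory[side].popleft() if self.memory[side] else None

def encode(kind, channel, payload=""):   # internal mapping protocol frame (constructed)
    return json.dumps({"type": kind, "channel": channel, "payload": payload}).encode()

class ProxyStub:
    """Internal side: the proxy front end (steps 1-3, 8-10 and 12)."""
    ALLOWED_HOSTS = {"www.example.com"}   # assumed site policy

    def __init__(self, unit):
        self.unit, self.next_id = unit, 1
        self.connections = {}   # channel id -> internal client (step 3)
        self.channels = set()   # channels confirmed by the engine (step 9)
        self.delivered = []     # (client, data) handed back to clients (step 10)

    def accept(self, client, request_line):
        """Step 2: check the request; step 3: keep state and write CONNECT."""
        method, url = request_line.split()[:2]
        host = url.split("/")[2] if "://" in url else ""
        if method not in ("GET", "HEAD") or host not in self.ALLOWED_HOSTS:
            return None                                    # refused
        cid, self.next_id = self.next_id, self.next_id + 1
        self.connections[cid] = client
        self.unit.write(INNER, encode("CONNECT", cid, request_line))
        return cid

    def pump(self):
        """Steps 8-10 and 12: drain the frames ferried back from the engine."""
        while (frame := self.unit.read(INNER)) is not None:
            msg = json.loads(frame.decode())
            cid = msg["channel"]
            if msg["type"] == "ACK":
                self.channels.add(cid)
            elif msg["type"] == "DATA" and cid in self.channels:
                self.delivered.append((self.connections[cid], msg["payload"]))
            elif msg["type"] == "RELEASE":
                self.channels.discard(cid)
                self.connections.pop(cid, None)
            # anything else, e.g. DATA on a channel the stub never opened, is dropped

class ProxyEngine:
    """External side: the full proxy (steps 4-7, 11); `fetch` stands in for TCP/IP."""
    BAD_SIGNATURE = "X-CONSTRUCTED-MALWARE-MARKER"   # stand-in for an AV signature

    def __init__(self, unit, fetch):
        self.unit, self.fetch = unit, fetch

    def pump(self):   # step 4: read what the stub wrote, then serve and reply
        while (frame := self.unit.read(OUTER)) is not None:
            msg = json.loads(frame.decode())
            cid = msg["channel"]
            if msg["type"] == "CONNECT":                   # only stub-initiated work
                self.unit.write(OUTER, encode("ACK", cid))  # step 5
                body = self.fetch(msg["payload"])          # step 6
                if self.BAD_SIGNATURE not in body:         # step 7
                    self.unit.write(OUTER, encode("DATA", cid, body))
                self.unit.write(OUTER, encode("RELEASE", cid))  # step 11

def fake_external_server(request_line):   # constructed stand-in for the server
    bad = request_line.endswith("/bad.html HTTP/1.0")
    return "HTTP/1.0 200 OK\r\n\r\n" + (ProxyEngine.BAD_SIGNATURE if bad else "<html>hello</html>")

def run_session(requests, fetch=fake_external_server):
    """One switch cycle each way; returns (delivered data, access violations)."""
    unit = IsolationUnit()
    stub, engine = ProxyStub(unit), ProxyEngine(unit, fetch)
    for client, line in requests:
        stub.accept(client, line)
    try:
        engine.pump()    # memory still connected to the inner side: refused
    except PermissionError:
        pass
    unit.connected = OUTER   # controller hands the memory to the outer side
    engine.pump()
    unit.connected = INNER   # ... and back to the inner side
    stub.pump()
    return stub.delivered, unit.violations
```

The refused read before the switch is what the single-pole double-throw controller enforces; the frame on an unknown channel shows why the stub only delivers data on channels it opened itself.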

The security isolation and information exchange system of the invention uses a dual-host isolation exchange arrangement of internal and external network processing units plus an isolation exchange unit. It breaks the direct link between the internal and external networks and interrupts the interactive network protocols between them, exchanging pure data by proxy mapping, and can therefore resist all network attacks based on interactive protocols. In the security isolation and information exchange method of the invention, network application requests are initiated only by internal users; external users cannot send any data into the internal network on their own initiative, which strictly protects the security of the internal network. In addition, internal users can request external network services in real time, while external application data only needs to be buffered and security-checked once, in the external network processing unit, avoiding the drawbacks of the double-proxy relay mode.

Description of drawings

Fig. 1 Structural schematic diagram of the security isolation and information exchange system of the invention

Fig. 2 System protocol stack structure diagram

Fig. 3 Application transport protocol dialogue process diagram

Fig. 4 Structure diagram of the proxy engine supporting mail and WEB services

Fig. 5 Structure diagram of the proxy stub supporting mail and WEB services

Detailed description

The technical solution of the invention is described further below with reference to the drawings. Fig. 1 is a block diagram of the security isolation and information exchange system. In the prototype system, the internal and external network processing units are X86-architecture industrial control systems, and the high-speed data transmission line can be a SCSI or USB bus. Different isolation switching control units can be realized depending on the bus, with a matching isolated memory such as a SCSI or USB hard disk.

The internal and external network processing units run the Linux operating system; the protocol stack in the system is shown in Fig. 2. The proxy engine communicates with the internal network processing unit through the isolation exchange unit and performs virus filtering and security checks on the data. On the internal network processing unit, the proxy stub provides proxy service for the various services (such as EMAIL and WEB) and communicates with the external network processing unit through the isolation exchange unit; the proxy stub also implements access control, data security checking and virus filtering.

The proxy engine and the proxy stub transmit application-layer data through the isolation exchange unit and use a custom application transport protocol to maintain the dialogue. The basic protocol dialogue is shown in Fig. 3: after receiving an internal network request, the proxy stub keeps the relevant information and asks the proxy engine to establish a connection; the proxy engine replies with a connection establishment confirmation and keeps the connection's information, so that a data mapping channel is established between the internal and external network processing units through which the information the proxy engine obtains from the external network can be transmitted. The information received by the proxy stub can be sent to the appropriate internal host according to the previously kept internal request information. When the information exchange is over, either the proxy engine or the proxy stub can request disconnection and release the related resources.

Taking support for the mail service and the World Wide Web service as an example, Fig. 4 is the structure diagram of the proxy engine implemented on the external network processing unit of the prototype system. To reduce implementation difficulty, the proxy engine uses the general-purpose mail proxy QMAIL and the World Wide Web proxy SQUID, enhanced with security checking, and relies on these general proxy service programs for the actual network proxy work. The connection management module is only responsible for forwarding data: it sends and receives data on the transmission interface and communicates with the general proxy service program (such as QMAIL) through the local network socket (SOCKET) to complete the forwarding. On the transmission interface side, the connection management module runs a separate thread that reads the data from the isolation switching unit; for every mapped connection request it receives it creates a new worker thread, which establishes a connection to the general proxy service program through the local network socket and sends and receives data over that connection. Fig. 5 is the structure diagram of the proxy stub implemented on the internal network processing unit of the prototype system. The general sub-module is the basic module for data forwarding; its main functions are sending and receiving data on both ends, managing the worker threads, and unpacking and distributing the transmission interface data. The mail processing sub-module and the World Wide Web processing sub-module are both extensions of the general sub-module, used to analyse and process specific protocols. The proxy stub module is implemented in multi-threaded C++, with threads controlled by objects: each object has one or more worker threads that perform its tasks, and the object manages the creation, execution and stopping of all threads under it. Communication between threads uses unnamed pipes. The proxy stub sends and receives data on the SOCKET side and the transmission interface side simultaneously and forwards in both directions after processing the data. On the SOCKET side, the proxy stub opens and listens on the service ports required by the configuration, for example listening on port 80 for WEB requests initiated by internal users, and creates a worker thread for each connection request received. On the transmission interface side, the STUB module runs a separate thread that reads the transmission interface data and forwards it to the corresponding worker thread. The worker thread processes and checks the received data and then forwards it.

The system and method avoid the drawbacks of the double-proxy relay method of security isolation and information exchange, namely poor real-time performance, complex management and the need for extra server resources, and can support a variety of network services. The security isolation and information exchange system designed and implemented according to the invention supports secure e-mail, secure WEB browsing, secure database exchange and secure file exchange while the internal and external networks remain securely isolated. The system has passed the testing and certification of the National Information Security Evaluation and Certification Center, obtained the Ministry of Public Security's information security product sales licence, and has been deployed at a number of organizations with good results.

Claims (8)

1. A network security isolation and information exchange system based on proxy mapping, comprising an intranet processing unit, an extranet processing unit and an isolation exchange unit, characterised in that the intranet and extranet processing units each have their own network interface and independent IP address and connect to the intranet and the extranet respectively; they are two independent server systems; the isolation exchange unit comprises an isolation switch controller and an isolation memory; the intranet and extranet processing units are each connected by a high-speed data transmission line to the isolation switch controller of the isolation exchange unit, and the isolation switch controller is also connected to the isolation memory; at any moment only one of the intranet and extranet processing units can access the isolation memory; the intranet and extranet processing units exchange information through the isolation exchange unit; the intranet processing unit contains a proxy stub and the extranet processing unit contains a proxy engine, and the proxy stub and the proxy engine cooperate in dialogue and data exchange through an application transport protocol based on the isolation exchange unit.
2. The network security isolation and information exchange system based on proxy mapping according to claim 1, characterised in that, for intranet users, it is an application proxy: the proxy stub and the proxy engine work together to provide a complete application proxy function; the proxy stub and the proxy engine communicate by calling the transmission interfaces in the intranet and extranet units; the transmission interface passes the information to the switching control software, which drives the isolation switching hardware unit to complete the switching of information between the intranet and extranet processing units.
3. The network security isolation and information exchange system based on proxy mapping according to claim 1 or 2, characterised in that the proxy stub, on the intranet processing unit, is a system daemon process for each network service; on the network interface side it communicates through SOCKET calls to the TCP/IP protocol stack, and on the isolation exchange side it communicates through the transmission interface using the internal mapping protocol; the proxy stub implements the front-end processing of a proxy server, comprising:
checking connection requests from users in the trusted domain and, after recording the state of each legitimate connection, forwarding the connection request through the internal mapping protocol to the proxy engine of the extranet processing unit;
processing the data received from the extranet processing unit through the mapping protocol, and forwarding the data to the corresponding intranet connection according to the saved connection state.
4. The network security isolation and information exchange system based on proxy mapping according to claim 1 or 2, characterised in that the proxy engine, in the extranet processing unit, communicates on the network interface side through SOCKET calls to the TCP/IP protocol stack and on the isolation exchange side through the transmission interface using the internal mapping protocol; for each network service it is a system daemon process that performs the great majority of the processing of a complete proxy server, comprising:
receiving service requests from the intranet processing unit through the transmission interface and sending application requests to the external network server;
receiving the data returned by the external network server and performing content inspection and virus scanning on it;
calling the transmission interface to switch the information returned by the external network back to the intranet through the isolated transmission channel.
5. The network security isolation and information exchange system based on proxy mapping according to claim 2, characterised in that the transmission interface is the interface through which the proxy engine and the proxy stub communicate using the internal mapping protocol, and mainly performs the following processing:
receiving the information to be exchanged from the proxy stub or the proxy engine, encoding it and packaging it into internal mapping protocol messages, then writing it into the isolation memory through the switching control program;
reading from the switching control program the data exchanged between the intranet and extranet processing units, parsing the messages with the internal mapping protocol, and distributing the message information to the proxy stub or the proxy engine.
6. The network security isolation and information exchange system based on proxy mapping according to claim 2, characterised in that the switching control software identifies and controls the isolation exchange unit hardware, ensures that when the transmission protocol layer reads and writes data it does so over a real physical-device connection, and ensures the reliability of the reads and writes; it is the hardware driver for the isolation exchange unit in the system and provides the communication interface to the internal mapping protocol process.
7. A network security isolation and information exchange method based on proxy mapping, characterised in that the security isolation and information exchange system acts as a network proxy server that provides network proxy services to intranet users; the proxy stub and the proxy engine, located respectively in the intranet and extranet processing units of the security isolation and information exchange system, call an internally defined transmission interface and complete the data exchange between the intranet and extranet processing units through the isolation exchange unit, thereby establishing, by way of proxy mapping, an information exchange path between an intranet client and an external network server.
8. The network security isolation and information exchange method based on proxy mapping according to claim 7, characterised in that the method is further defined as follows; the steps by which an intranet user completes network information exchange through the security isolation and information exchange system are:
(1) the intranet processing unit provides network proxy services to intranet users through the proxy stub, communicating with intranet users over TCP/IP; for each network service provided it opens a public TCP port and listens on that port for network requests from intranet users;
(2) after receiving a network application request sent by an intranet user, the proxy stub performs the authentication appropriate to the application protocol on the user's connection and carries out security inspection and filtering of the protocol data; if the check is not passed, it notifies the intranet user and disconnects the connection;
(3) for an application request that the proxy stub accepts, it keeps the connection information internally, packages the connection request according to the internal mapping protocol, and then calls the transmission interface to write the data into the isolation exchange unit;
(4) the proxy engine calls the transmission interface to detect whether the isolation exchange unit holds data written by the proxy stub; if there is new data it reads the data sent by the proxy stub, otherwise its processing process stays blocked;
(5) after receiving the information sent by the intranet processing unit, the proxy engine parses it according to the internal mapping protocol; if it is a new network application request, it keeps the connection information, returns a confirmation to the proxy stub and establishes a data transmission channel through the isolation exchange unit;
(6) the proxy engine provides the complete proxy service for the received network application request, that is, it sends a connection request to the external server from the network side of the extranet processing unit using TCP/IP and obtains the data; this process follows the standard Internet communication protocol of the network application;
(7) after the data received by the proxy engine has passed security inspection, it is encapsulated with the internal mapping protocol and the transmission interface is called to write it into the isolation exchange unit;
(8) the proxy stub, on its side of the isolation exchange unit, operates as the proxy engine does in step (4) and receives the data sent by the extranet processing unit;
(9) the proxy stub parses the data received from the extranet processing unit with the mapping protocol; if it is the data transmission channel confirmation returned by the proxy engine in step (5), it establishes the data transmission channel and keeps its information;
(10) if what the proxy stub receives is application data, it uses the data transmission channel information kept in step (9) to retrieve the intranet user connection information kept in step (3), and sends the data to the intranet user over TCP/IP according to that information;
(11) when the proxy stub has finished the user request, or the proxy engine has finished the data transfer, either can call the transmission interface to write a data transmission channel release request, deleting and releasing the connection information of the network application request and the data transmission channel information and resources kept in steps (3), (5) and (9);
(12) when the proxy stub or the proxy engine receives the data transmission channel release request sent by the other side, it deletes and releases the connection information of the network application request and the data transmission channel information and resources kept in steps (3), (5) and (9), completing one transmission of network application data.
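The exchange described in claims 3 to 5 and in steps (1) to (12) of claim 8, and the stub behaviour described for Figure 5, as an added Python simulation that is not the patent's code (the prototype is described as a C++ implementation). Everything in it is an assumption: the JSON message encoding stands in for the internal mapping protocol, the single-buffer `IsolationExchangeUnit` whose switch wires one side at a time stands in for the isolation memory and switch controller, the `http`/`GET` check stands in for the stub's protocol checks, the size and NUL-byte rule stands in for the engine's content inspection and virus scanning, and the client address and server replies are constructed sample values.

```python
import json
INTRANET, EXTRANET = "intranet", "extranet"

class IsolationExchangeUnit:
    """Isolation memory plus switch controller: wired to exactly one side at a time."""
    def __init__(self):
        self.memory, self.connected = None, INTRANET

    def write_from(self, side, payload):
        self.connected = side        # the controller wires the writer to the memory,
        self.memory = payload
        self.connected = EXTRANET if side == INTRANET else INTRANET  # then the reader

    def read_as(self, side):
        if self.connected != side:
            raise PermissionError(f"{side} is not wired to the isolation memory")
        payload, self.memory = self.memory, None
        return payload

def send(unit, side, msg):  # transmission interface, outbound (JSON encoding is constructed)
    unit.write_from(side, json.dumps(msg, sort_keys=True).encode())

def recv(unit, side):       # transmission interface, inbound; None when nothing is waiting
    raw = unit.read_as(side)
    return None if raw is None else json.loads(raw)

def wrong_side_blocked(unit, side):  # True when the switch denies `side` the memory
    try:
        unit.read_as(side)
        return False
    except PermissionError:
        return True

class ProxyStub:
    """Intranet side: checks client requests, keeps their state, delivers replies."""
    def __init__(self, unit):
        self.unit, self.connections, self.channels, self.next_id = unit, {}, {}, 1

    def accept(self, client, service, request):
        if service != "http" or not request.startswith("GET "):  # protocol check (step 2)
            return None  # the client is notified and disconnected
        conn, self.next_id = self.next_id, self.next_id + 1
        self.connections[conn] = client  # connection state kept (step 3)
        send(self.unit, INTRANET, {"type": "CONNECT", "conn": conn, "request": request})
        return conn

    def receive(self):
        msg = recv(self.unit, INTRANET)  # step 8
        if msg["type"] == "CONFIRM":  # remember which connection the channel serves (step 9)
            self.channels[msg["channel"]] = msg["conn"]
            return ("channel", msg["conn"])
        if msg["type"] == "DATA":     # channel -> connection -> client (step 10)
            conn = self.channels[msg["channel"]]  # KeyError for an unknown channel
            return ("deliver", self.connections[conn], msg["data"])
        self.channels.pop(msg["channel"], None)   # RELEASE: drop both records (step 12)
        self.connections.pop(msg["conn"], None)
        return ("released", msg["conn"], msg["reason"])

class ProxyEngine:
    """Extranet side: fetches from the external server and inspects the reply."""
    def __init__(self, unit, fetch):
        self.unit, self.fetch, self.pending, self.channel_seq = unit, fetch, {}, 0

    def poll(self):
        msg = recv(self.unit, EXTRANET)  # a real engine blocks here (step 4)
        if msg is not None and msg["type"] == "CONNECT":  # new request (step 5)
            self.channel_seq += 1
            self.pending[msg["conn"]] = {"request": msg["request"], "channel": self.channel_seq}
            send(self.unit, EXTRANET, {"type": "CONFIRM", "conn": msg["conn"],
                                       "channel": self.channel_seq})

    def serve(self, conn):
        entry = self.pending[conn]
        data = self.fetch(entry["request"])  # ordinary TCP/IP fetch (step 6)
        if len(data) > 4096 or "\x00" in data:  # constructed content inspection (step 7)
            self.release(conn, "blocked by content inspection")
            return False
        send(self.unit, EXTRANET, {"type": "DATA", "channel": entry["channel"], "data": data})
        return True

    def release(self, conn, reason="done"):
        entry = self.pending.pop(conn)  # step 11
        send(self.unit, EXTRANET, {"type": "RELEASE", "conn": conn,
                                   "channel": entry["channel"], "reason": reason})

def run_exchange(request, server_reply):  # one request end to end; returns what the client saw
    unit = IsolationExchangeUnit()
    stub, engine = ProxyStub(unit), ProxyEngine(unit, lambda req: server_reply)
    conn = stub.accept("10.0.0.5:51000", "http", request)  # constructed client address
    if conn is None:
        return {"rejected": True, "events": [], "clean": True}
    engine.poll()
    events = [stub.receive()]
    if engine.serve(conn):
        events.append(stub.receive())
        engine.release(conn)
    events.append(stub.receive())
    return {"rejected": False, "events": events,
            "clean": not (stub.connections or stub.channels or engine.pending)}
```

Two properties of the design are worth checking in any implementation of this scheme: `read_as` refuses a side that the switch has not been handed to, so neither processing unit ever sees the memory while the other is wired to it, and both sides discard their connection and channel records on release (steps 11 and 12), so a stale channel cannot be reused to deliver data to the wrong intranet client.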

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100180176A CN1305271C (en) 2004-04-29 2004-04-29 Network safety isolating and information exchanging system and method based on proxy mapping

Publications (2)

Publication Number Publication Date
CN1571398A CN1571398A (en) 2005-01-26
CN1305271C true CN1305271C (en) 2007-03-14

Family

ID=34479299

Country Status (1)

Country Link
CN (1) CN1305271C (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999046882A2 (en) * 1998-03-12 1999-09-16 Whale Communications Ltd. Techniques for protection of data-communication networks


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070314

Termination date: 20110429