WO2024223876A1 - Data backup system - Google Patents

Abstract

The invention relates to a data backup system (1, 101) for data of a data network (31) to be backed up, the data backup system (1, 101) comprising a backup memory (33), the data backup system (1, 101) also comprising a first bridge (21), a cache (32), and a second bridge (22), the data backup system (1, 101) and/or the first bridge (21) comprising a data backup system interface (221) for a first data transmission connection (41) for directly or indirectly connecting the data network (31) and the first bridge (21) for data transmission, the first bridge (21) and the cache (32) being connected for data transmission by means of a second data transmission connection (42), the cache (32) and the second bridge (22) being connected for data transmission by means of a third data transmission connection (43), the second bridge (22) and the backup memory (33) being connected for data transmission by means of a fourth data transmission connection (44), the data backup system (1, 101) comprising a controller (2, 102) designed to interrupt a power supply for the first bridge (21) and to interrupt the power supply for the second bridge (22) in such a way that at least the power supply for the first bridge (21) or the power supply for the second bridge (22) is interrupted.

Description

data backup system

The invention relates to a data backup system. The invention also relates to a network system with a data backup system. The invention also relates to a method for operating a network system.

A data backup system is disclosed, for example, in the article Shon et al., “A robust and secure backup system for protecting malware”, dl.acm.org/doi/abs/10.1145/ 3297280.3297424.

EP 2 953 150 B1 discloses a device for current limiting or current interruption of a circuit and a control method therefor. The device comprises a current interruption branch and a bridge branch. The bridge branch comprises two bridge arms formed by four identical current commutation branches. Two branches of each of the four current commutation branches are connected in series, and the two bridge arms formed are then connected in parallel. The two bridge arms are both connected in parallel to the current interruption branch, and the midpoints of the two bridge arms are separately connected to two points of the circuit. Each current commutation branch comprises at least one high-speed interruption switch and at least one bidirectional power semiconductor switch, both of which are connected in series. The device can interrupt a bidirectional current.

DE 196 47 655 A1 discloses a security device that allows a primary server to be removed from the network and a secondary server to be connected, regardless of the type of malfunction occurring in a network. This is achieved by providing means to interrupt the power supply to the first primary server.

DE 10 2008 029 902 A1 discloses a method for operating a bus system that includes a first and at least one second network node (MASTER, SLAVE). A first and a second line (BUS, GND) are provided for supplying energy to the at least one second network node (SLAVE) and for communication between the first and the at least one second network node (MASTER, SLAVE). The communication between the first and the at least one second network node (MASTER, SLAVE) and the energy supply to the at least one second network node (SLAVE) takes place via the first line (BUS) and at different times.

The object of the invention is to provide a data backup system that is particularly well protected against manipulation or to improve data backup in a network system. It is desirable to achieve simple handling and minimize the risk of external attacks when backing up and/or restoring data.

The above object is achieved by a data backup system for a data network (basic network, also known as LAN (e.g. company network), wherein the data backup system comprises a back-up memory (in particular for storing data of the data network), wherein the data backup system further comprises a (lock comprising a) first bridge, a buffer and a second bridge, wherein the data backup system and/or the first bridge comprises a data backup system interface for a first data transmission connection for the indirect or direct data connection of the data network and the first bridge, wherein the first bridge and the buffer are connected for data purposes by means of a second data transmission connection, wherein the buffer and the second bridge are connected for data purposes by means of a third data transmission connection, wherein the second Bridge and the backup memory are connected for data purposes by means of a fourth data transmission connection, wherein the data backup system comprises a control system configured in such a way for interrupting a voltage supply for the first bridge and for interrupting a voltage supply for the second bridge such that (during normal operation) at least the voltage supply for the first bridge or the voltage supply for the second bridge is interrupted.

A bridge in the sense of this disclosure can be a switch. A bridge in the sense of this disclosure can be understood as connecting two segments in the computer network at the level of layer 2 (data link layer) of the OSI model. A bridge in the sense of this disclosure can optionally be designed in such a way that it operates on the MAC sublayer or the LLC sublayer. A bridge in the sense of this disclosure can be a MAC bridge. A bridge in the sense of this disclosure can be an LLC bridge. A bridge in the sense of this disclosure can be a transparent bridge. A bridge in the sense of this disclosure can be a source routing bridge. A bridge in the sense of this disclosure can be a coupling element in computer networks. A bridge in the sense of this disclosure can be a switch that ensures that the data packets, so-called "frames", reach their destination within a segment (broadcast domain). A bridge in the sense of this disclosure can be a switch, which generally refers to a multiport bridge (or an active network device) that forwards frames based on information from the data link layer (layer 2) of the OSI model. A bridge in the sense of this disclosure can be a bridging hub. A bridge in the sense of this disclosure can be a switching hub. A bridge in the sense of this disclosure can be an optical fiber LAN converter, which can be used in the same way as the switch, and can be connected to an optical fiber connection on the outside or an optical fiber connection on the inside (converter to cache) via light bridging. In an advantageous embodiment of the invention, the controller has a first switch for interrupting the voltage supply for the first bridge by opening the first switch. A first switch in the sense of this disclosure is in particular a MOSFET. A first switch in the sense of this disclosure is in particular a switch that is open in the de-energized state. A first switch in the sense of this disclosure can also be a control board that has a function comparable to a MOSFET, but has implemented further control instances such as an IC.

The control can include a bridge control, also called a bridge appliance (e.g. Raspberry, microcontroller, etc.). This bridge control controls the MOSFETs via their GPIOs and supplies them with voltage at the GATE. If a voltage is present at the GATE, the source voltage (e.g. 5V) is switched and activates the bridge or switch. By switching the bridge or switch, a physical connection exists between all connected lines on the bridge/switch. The buffer/cache can be a memory that accepts data and forwards it, provided the appropriate bridge is switched.

In a further advantageous embodiment of the invention, the controller has a second switch for interrupting the voltage supply for the second bridge by opening the second switch. A second switch in the sense of this disclosure is in particular a MOSFET. A second switch in the sense of this disclosure is in particular a switch that is open in the de-energized state. A second switch in the sense of this disclosure can also be a control board that has a function comparable to a MOSFET, but has implemented further control instances such as an IC.

The interruption of a voltage supply within the meaning of this disclosure is in particular a physical interruption. In a further advantageous embodiment of the invention, it is provided that the bridge control is designed to generate a first switch signal for closing the first switch and to generate a second switch signal for closing the second switch, the control comprising the bridge control. In a further advantageous embodiment of the invention, it is provided that the data backup system comprises a logic circuit with a first input for the first switch signal and a second input for the second switch signal, the logic circuit comprising a first output and a second output and is designed such that the first switch signal is output at the first output if the second switch signal is not output at the second output, and that the second switch signal is output at the second output if the second switch signal is applied to the second input and the first switch signal is not output at the first output.

The second data transmission connection and/or the third data transmission connection and/or the fourth data transmission connection within the meaning of this disclosure are non-wireless data transmission connections. Non-wireless data transmission connections within the meaning of this disclosure are in particular data transmission connections in which the signals "carrying the data" are transmitted in a solid state.

In a further advantageous embodiment of the invention, it is provided that the first data transmission connection is designed as an optical fiber or comprises an optical fiber.

In a further advantageous embodiment of the invention, it is provided that the second data transmission connection is designed as an optical waveguide or comprises an optical waveguide. In a further advantageous embodiment of the invention, it is provided that the third data transmission connection and/or the fourth data transmission connection is designed as an optical waveguide or comprises an optical waveguide. Optical fibers (OFC) in the sense of this disclosure are, for example, optical fiber cables (LLK). Optical fibers (OFC) in the sense of this disclosure are, for example, cables and lines consisting of optical fibers and partially assembled with connectors for transmitting light. The light is guided in fibers, for example made of quartz glass or plastic (polymer optical fiber). They are often also referred to as fiber optic cables, whereby several optical fibers are typically bundled in these, which are or can be mechanically reinforced to protect and stabilize the individual fibers. A single mode or a multimode can be provided.

From a physical point of view, optical waveguides within the meaning of this disclosure are, for example, dielectric waveguides. They are constructed from concentric layers, for example, with the light-guiding core in the center, which is surrounded by a cladding with a slightly lower refractive index and, for example, by further protective layers made of plastic. Depending on the application, the core has a diameter of a few micrometers to over a millimeter. Optical waveguides are differentiated, for example, according to the course of the refractive index between the core and the cladding (step index or gradient index fibers) and the number of vibration modes that can propagate, which is limited by the core diameter.

The aforementioned object is also achieved by a network system, wherein the network system comprises a data backup system, for example a data backup system with one or more of the aforementioned features, and wherein the network system comprises a data network and the first data transmission connection between the data network and the first bridge by means of the data backup system interface. The aforementioned object is also achieved by a method for operating a network system with a backup memory, in particular by a method for operating a network system with the aforementioned features, wherein the network system comprises a (lock comprising a) first bridge, a buffer and a second bridge, wherein the network system comprises a first data transmission connection for data-technically connecting a/the data network and the first bridge, wherein the first bridge and the buffer are data-technically connected by means of a second data transmission connection of the network system, wherein the buffer and the second bridge are data-technically connected by means of a third data transmission connection of the network system, and wherein the second bridge and the backup memory are data-technically connected by means of a fourth data transmission connection of the network system, wherein it is provided in particular that data of the data network to be backed up is transmitted from the data network to the buffer.

In an advantageous embodiment of the invention, it is provided that data to be backed up (of the data network) is stored in encrypted form on the backup memory. In a further advantageous embodiment of the invention, it is provided that data to be backed up is encrypted in the buffer memory, transmitted in encrypted form from the buffer memory to the backup memory and stored in encrypted form on the backup memory.

In a further advantageous embodiment of the invention, the power supply for the second bridge is interrupted, with data to be backed up then being transferred from the data network to the buffer, with the power supply for the first bridge then being interrupted, with the interruption of the power supply for the second bridge then being lifted, with the data to be backed up then being transferred from the buffer to the backup memory and stored in the backup memory. In a further advantageous embodiment of the invention, the power supply for the second bridge is then interrupted. In order to restore data saved using the backup memory, an advantageous embodiment of the invention provides that the interruption of the power supply for the second bridge is removed. In a further advantageous embodiment of the invention, the saved data is transferred from the backup memory to the buffer and decrypted if necessary. In a further advantageous embodiment of the invention, the power supply for the second bridge is then interrupted.

In an advantageous embodiment of the invention, the interruption of the power supply for the first bridge is cancelled. In a further advantageous embodiment of the invention, the saved data is transferred from the buffer to the data network. In a further advantageous embodiment of the invention, the power supply for the first bridge is then interrupted.

The two bridges in conjunction with the buffer form a gate or implement a gate functionality. The power supply for the first bridge is interrupted when the power supply interruption for the second bridge is lifted, and the power supply for the second bridge is interrupted when the power supply interruption for the first bridge is lifted. This ensures that both bridges cannot be switched at any time.

A circuit board can prevent both gates, i.e. both bridges, from opening simultaneously, even in the event of hardware defects.

The bridge control (bridge appliance that controls suitable bridges with its GPIOs) is advantageously not connected to the buffer/cache or another module by any connector. Rather, it is advantageous It is intended that the bridge control runs independently, in particular to completely prevent unwanted external access. It is advantageously intended that switching times etc. can only be set and edited by direct access to the bridge control.

The measures listed ensure that both bridges cannot be switched at any time. A distinction is made between a first lock phase and a second lock phase. A phase referred to as the first lock phase concerns the case in which data from the data network (hereinafter also referred to as LAN) is to be fed into the intermediate storage (hereinafter also referred to as cache). In this case, the bridge control (bridge appliance (manager)) switches on the first bridge in such a way that the first bridge is supplied with power. From this point on, the LAN is "connected" to the cache. This allows data to be transferred to the cache. This can continue until the bridge control or bridge appliance switches the first bridge off again, i.e. the first bridge is disconnected from the power supply. From this point on, a thorough analysis of the data in the cache takes place. This means that it is analyzed for malware and finally encrypted (symmetric encryption method).

In a second lock phase, the data can be transferred from the cache to the backup storage using a standardized and supported protocol of the backup storage/backup server (e.g. FTP/SMB/NFS). This also only takes place within the framework defined by the bridge controller/bridge appliance. All data or content transferred to the backup storage/backup server is encrypted without exception. This means that no malicious code can cause damage to the main memory without knowledge of the key (for encryption), since encrypted malicious code cannot be executed.

The setting options for bridge control/bridge appliance are deliberately very limited. In order to ensure ease of use and minimize the risk of security incidents, it is only possible to set schedules for switching. The duration and/or number of time intervals is advantageously limited so as not to jeopardize the security of the system without reason. It is also possible to invert the switching process to restore the data. This also means that the number of transmitting end devices is limited. Certain processes in the cache also require computing capacity that is dependent on time and here too limits the number of end devices.

In addition to normal operation for the backup function, the Bridge appliance can also be put into restore mode. In this case, data is loaded back into the buffer/cache in bursts and from there transported to the relevant end device in the LAN (). The lock principle is completely inverted here. The buffer/cache is solely responsible for loading/encrypting and decrypting/analyzing data.

Further advantages and details emerge from the following description of embodiments. They show:

Fig. 1 shows an embodiment of a network system,

Fig. 2 an embodiment of an alternative network system,

Fig. 3 shows an embodiment of a logic circuit,

Fig. 4 shows an embodiment of a method for operating a network system according to Fig. 1, and

Fig. 5 shows an embodiment of a modified method for operating a network system.

Fig. 1 shows an embodiment of a network system 11 with a data network 31 and with a data backup system 1 for the data network 31, wherein the data backup system 1 comprises a backup memory 33 for storing data of the data network 31. The data backup system 1 also comprises which comprises a bridge 21, a buffer 32 and a bridge 22. The network system 11 comprises a first, in particular non-wireless, data transmission connection 41 for the data-technical connection of the data network 31 to the bridge 21, wherein the bridge 21 comprises a data backup system interface 211 for implementing the data transmission connection 41.

The bridge 21 and the buffer 32 are connected for data purposes by means of a second, in particular non-wireless, data transmission connection 42. The second data transmission connection 42 can be designed as an optical waveguide or can comprise an optical waveguide. The buffer 32 and the bridge 22 are connected for data purposes by means of a third, in particular non-wireless, data transmission connection 43. The third data transmission connection 43 can be designed as an optical waveguide or can comprise an optical waveguide.

The bridge 22 and the backup memory 33 are connected for data purposes by means of a fourth, in particular non-wireless, data transmission connection 44. The fourth data transmission connection 44 can be designed as an optical fiber or can comprise an optical fiber.

Special technical requirements for the data network (e.g. LAN network) or backup storage are not necessary. The operating system of end devices in the data network 31 or LAN and the backup storage 33, for example, only supports the (network) sockets defined in RFCs.

The voltage supply of the bridge 21 and the voltage supply of the bridge 22 is provided by a voltage source 5.

The data backup system 1 comprises a controller 2 configured to interrupt a power supply for the bridge 21 and to interrupt the power supply for the bridge 22 such that at least the power supply for the bridge 21 or the power supply for the bridge 22 is interrupted. chen. For this purpose, the controller 2 comprises a switch RLY1 designed as a MOSFET for interrupting the voltage supply for the bridge 21 by opening the switch RLY1 so that the line between the bridge 21 and the voltage source 5 is interrupted, and a switch RLY2 designed as a MOSFET for interrupting the voltage supply for the bridge 22 by opening the switch RLY2 so that the line between the bridge 22 and the voltage source 5 is interrupted. A bridge controller 3 or bridge appliance (e.g. Raspberry, microcontroller, etc.) controls the switches RLY1 and RLY2 designed as MOSFETs via the GPIOs of the bridge controller 3 and supplies them with voltage - referred to here as a switch signal - at the GATE. If voltage is present at the GATE of the respective MOSFET, this means that the bridge assigned to this MOSFET is supplied with voltage.

Fig. 2 shows an embodiment of an alternative network system 101 with an alternatively designed controller 102, wherein the network system 101, in a modification to the network system 1 according to Fig. 1, comprises a logic circuit 4 shown by way of example in Fig. 3.

Fig. 4 describes an embodiment of a method for operating the network system 11 or 111. In this case, a distinction is made between the idle phase described in Fig. 4 (a), the back-up phase described in Fig. 4 (b) with a first lock phase and a second lock phase, and the data recovery phase (restore) described in Fig. 4 (c) with the second lock phase and the first lock phase.

In the idle phase according to Fig. 4 (a) it is ensured that GPIO1 and GPIO2 do not output any switch signals, ie in step S1 GPIO1 is set to logical zero (GPIO1 = 0) and in step S2 GPIO2 is set to logical zero (GPIO2 = 0). In this case both switches RLY1 and RLY2 are open and the voltage supply (from voltage source 5) is interrupted for the bridge 21 and for the bridge 22. broken. Voltage supply is used here as a synonym for power supply and voltage source is used as a synonym for current source.

If a data backup is desired (see query in step S3 or "backup?"), the backup phase is started with the first lock phase, as described in Fig. 4 (b). In step S11, GPIO2 is logically set to zero (GPIO2 = 0) and in step S12 GPIO1 is logically set to 1 (GPIO1 = 1). Then, in step S13, data to be backed up from the data network 31 is transferred via the bridge 21 to the buffer/cache 32. The data to be backed up is transferred until a termination condition in step S14 (see "terminate?") is met. This termination condition can mean that all data to be backed up has been transferred to the buffer 32. However, it can also mean that a certain time has been exceeded or a certain amount of data has been reached.

If the termination condition is met in step S14, the power supply for the bridge 21 is interrupted by setting GPIO1 to logical zero in step S15 (GPIO1 = 0). This interrupts the power supply for the bridge 21 and switches off the bridge 21. Then, in step S16, the bridge 22 is switched on or supplied with power by setting GPIO2 to logical 1 (GPIO2 = 1). Then, in step S17, the data stored in the buffer 32 is analyzed for malware and encrypted, and the encrypted data is transferred from the buffer 32 to the backup memory 33 using the bridge 22. Alternatively, the encryption and checking for malware can take place before step S16, so that in step S17 only the encrypted data is transferred from the buffer 32 to the backup memory 33 using the bridge 22. If the query in step S18 shows that not all data of the data network 31 to be backed up has been transferred (compare query in step S18 "complete?"), the steps are executed again starting with step S11. Otherwise, the network system 11, 111 returns to the idle phase according to Fig. 4 (a). If backed up data, which is stored in encrypted form in the backup memory 33, is to be restored in the data network 31, the network system 11 or 111 goes into the data restoration phase (restore) starting with the second lock phase according to Fig. 4 (c). To do this, it is first ensured in step S21 that the power supply for the bridge 21 is interrupted by setting GPIO1 to logical zero (GPIO1 = 0). Then, in step S22, the bridge 22 is supplied with power by setting GPIO2 to logical 1 (GPIO2 = 1). Then, in step S23, the encrypted, saved data is transferred from the backup memory 33 to the buffer 32 and the data transferred to the buffer 32 is decrypted. Then, in step S24, GPIO2 is set to logical zero (GPIO2 = 0), i.e. the power supply for the bridge 22 is interrupted. Then, in step S25, GPIO1 is set to logical 1 (GPIO1 = 1 ), ie the interruption of the power supply for the bridge 21 is canceled. This is followed by a step S26 in which the data to be restored is transferred from the buffer 32 to the data network 31 by means of the bridge 21. The transfer can take place as described in one transfer process or alternatively in bursts, ie divided into several transfer processes.

Both steps S11 and S12 as well as steps S24 and S25 form a first lock phase. Both steps S15 and S16 as well as steps S21 and S22 form a second lock phase.

The disclosed procedure provides a high level of security for the backup data (i.e. the data in the backup memory 33). In order to protect the backup data even better against destruction, the following attack option must be addressed:

• Waiting for Bridge 21 to switch.

• Exploit the Linux system (cache) using an unknown "super exploit" and place malicious code past the encryption.

Waiting for Bridge 22 to switch. Access data in backup storage and delete/overwrite files.

This attack option only describes a theoretical model and is currently hardly possible in practice. In relation to the effort required to attack current systems, this attack option represents a significantly increased effort for the attacker, as the attacker must overcome the first lock phase and the second lock phase. Thus, the risk of an attack on the main memory/backup memory is not actually impossible, but very unlikely, as in most cases it is not proportionate to the time/computing/financial resources.

The main unit HSS (Main SafeStorage), which is part of the cache, achieves the basic goals of protection against ransomware. However, there are also various challenges that can cause the HSS (Main SafeStorage) to reach its processing limits:

• The amount of data in the initialization phase exceeds an acceptable processing time.

• The amount of processing in systems exceeds the capacity of the data in the 24-hour cycle (or even shorter cycles).

• The use of parallel HSS is not efficient, as such a configuration requires different HSS, although technically only one valid configuration is required. Smart restoring can cause problems when providing netboot images, as more than one PXE server within a network would be required via DHCP.

The performance of the system is a limitation in each of the points mentioned. This particularly applies to the evaluation by anti-malware software that is integrated in SafeStorage. In addition, the clear assignment should be possible in the case of smart restoring. Therefore, it is advantageous to only provide one main SafeStorage (HSS), which is the central management point for the client It takes over configurations, saves the network infrastructure and thus also implements smart restoring (data recovery). Since the process of the lock is reversed in the case of smart restoring, there is no loss of speed here. Malware analysis is no longer necessary when the process is reversed and the netboot images are made available.

In a further advantageous embodiment of the system, additional performance is ensured by the use of LMUs (performance module supports). The principle is clear from Fig. 5, where reference numerals 53, 54, 55 designate client networks, such as the data network 32. The HSS 50 in conjunction with the LMUs 51 and 52 replaces the described intermediate memory 32 (also referred to as the cache memory), whereby the authentication methods with the LMUs 51 and 52 are enabled according to the same method as the main system or main SafeStorage (HSS) designated with reference numeral 50. The lock process including the bridge appliance controller, i.e. the bridge control, is also integrated. This enables a complete lock process. An equivalent analysis of malware with equivalent software components takes place on the LMUs.

The differences between the HSS and the LMUs can arise from the responsibilities. Smart restoring, i.e. restoring data, for example, only takes place on the HSS, although it can be stipulated that LMUs are not involved in the process. It can be stipulated that the client database used for authentication is carried out in synchronization loops. This is done, for example, via the internal communication circuit, provided that the HSS and an LMU are physically connected in a network (in Fig. 5: connected by bridge 22/switch on the left).

It may be specified that an LMU requires the following configuration information:

• (Fixed) IPv4 address and/or domain

Bridge appliance switching times of the lock system • Login data of an LMU at the HSS for synchronizing the client authorization data

The LMU is 1 U high and has no screen. The settings are transmitted via a web panel (bridge control/bridge appliance and buffer/cache are separate). In the initial configuration, the client notes which LMU (domain/IPv4) it should use for initial synchronization and whether this LMU is integrated into the network in the long term or is only used for initial data processing. The IPv4/domain of the HSS is also noted for restoring (applies to restoring levels that do not correspond to PXE boot).

In order to ensure higher data transfer rates in the initialization phase, since all data from the entire network should be transferred to the backup storage at the beginning, LMUs are issued to the customer as standard. The number of initialization LMUs used depends on the amount of data to be processed. When the initial processing is complete, the LMUs mentioned are removed and used for initialization by the next customer. As an alternative, SafeStorage can make the LMUs available to the network in the long term using the known business models (leasing/buying/indirect sales). This can also happen retrospectively.

A new scaling for the need for additional LMUs can be achieved in particular by

• the use of more clients,

• a shorter backup cycle or an increasing data flow. list of reference symbols

1 , 101 data backup system

2, 102 Control

3 Bridge control

4 logic circuit

5 voltage source

11 , 111 network system

RLY1 switch/Mosfet

RLY2 switch/Mosfet

21 Bridge/Switch

22 Bridge/Switch

31 data network

32 cache

33 backup storage

41 first (e.g. non-wireless) data transmission connection (between the first bridge and the data network)

42 second (non-wireless) data transmission connection (between the first bridge and the buffer)

43 third (non-wireless) data transmission connection (between the buffer and the second bridge)

44 fourth (non-wireless) data transfer connection (between the second bridge and the backup storage)

50 HSS

51 LMU1/Power Module Support

52 LMU2/Power Module Support 53 Client System 1

54 Client System 2

55 Client System 3

211 Data backup system interface S1 , S2, S11 ,

S12, S13, S15,

S16, S17, S21 ,

S22, S23, S24,

S25, S26 Step S3, S4, S14,

S18 query

Claims

patent claims 1 . Data backup system (1, 101) for data to be backed up in a data network (31), wherein the data backup system (1, 101) comprises a back-up memory (33), wherein the data backup system (1, 101) further comprises a first bridge (21), a buffer (32) and a second bridge (22), wherein the data backup system (1, 101) and/or the first bridge (21) comprises a data backup system interface (221) for a first data transmission connection (41) for data-technically connecting the data network (31) and the first bridge (21), wherein the first bridge (21) and the buffer (32) are data-technically connected by means of a second data transmission connection (42), wherein the buffer (32) and the second bridge (22) are data-technically connected by means of a third data transmission connection (43), wherein the second bridge (22) and the backup memory (33) are connected for data purposes by means of a fourth data transmission connection (44), wherein the data backup system (1, 101) comprises a controller (2, 102) configured in such a way for interrupting a voltage supply for the first bridge (21) and for interrupting the voltage supply for the second bridge (22) that at least the voltage supply for the first bridge (21) or the voltage supply for the second bridge (22) is interrupted. 2. Data backup system (1, 101) according to claim 1, characterized in that the controller (2, 102) has a first switch (RLY1) for interrupting the voltage supply for the first bridge (21) by opening the first switch (RLY1). 3. Data backup system (1, 101) according to claim 1 or 2, characterized in that the controller (2, 102) has a second switch (RLY2) for interrupting the voltage supply for the second bridge (22) by opening the second switch (RLY2). 4. Data backup system (1, 101) according to claim 3, characterized in that the controller (2, 102) has a bridge controller (3) for generating a first switch signal for closing the first switch (RLY1) and for generating a second switch signal for closing the second switch (RLY2). 5. Data backup system (101) according to claim 4, characterized in that the data backup system (101) and/or the controller (102) comprises a logic circuit (4) with a first input for the first switch signal and a second input for the second switch signal, wherein the logic circuit (4) comprises a first output and a second output and is designed such that • that the first switch signal is output at the first output, but only if the first switch signal is applied to the first input and the second switch signal is not output at the second output, and/or • that the second switch signal is output at the second output, but only if the second switch signal is applied to the second input and the first switch signal is not output at the first output. 6. Data backup system (1, 101) according to one of the preceding claims, characterized in that the second data transmission connection (42) is designed as an optical fiber or comprises an optical fiber. 7. Data backup system (1, 101) according to one of the preceding claims, characterized in that the third data transmission connection (43) and/or the fourth data transmission connection (44) is designed as an optical waveguide or comprises an optical waveguide. 8. Network system (11, 111), characterized in that it comprises a data backup system (1, 101) according to one of the preceding claims, a data network (31) and the first data transmission connection (41) between the data network (31) and the first bridge (21) by means of the data backup system interface (211). 9. Method for operating a network system (11, 111) with a back-up memory (33), in particular method for operating a network system (11, 111) according to claim 8, wherein the network system (11, 111) comprises a first bridge (21), a buffer (32) and a second bridge (22), wherein the network system (11, 111) comprises a first data transmission connection (41) for data-technically connecting a data network (31) and the first bridge (21), wherein the first bridge (21) and the buffer (32) are data-technically connected by means of a second data transmission connection (42) of the network system (11, 111), wherein the buffer (32) and the second bridge (22) are data-technically connected by means of a third data transmission connection (43) of the network system (11, 111), and wherein the second bridge (22) and the backup memory (33) are connected for data purposes by means of a fourth data transmission connection (44) of the network system (11, 111). 10. The method according to claim 9, characterized in that data of the data network (31) to be backed up are stored in encrypted form in the backup memory (33). 11. Method according to claim 9, characterized in that data of the data network (31) to be backed up are encrypted in the buffer (32), are transmitted in encrypted form from the buffer (32) to the backup memory (33) and are stored in encrypted form in the backup memory (33). 12. Method according to claim 9, 10 and 11, characterized in that the power supply for the second bridge (22) is interrupted, wherein data of the data network (31) to be backed up is then transferred from the data network to the buffer (32), wherein the power supply for the first bridge (21) is then interrupted, wherein the interruption of the power supply for the second bridge (22) is then lifted, wherein the data of the data network (31) to be backed up is then transferred from the buffer (32) to the backup memory (33) and stored in the backup memory (33). 13. Method according to claim 12, characterized in that the voltage supply for the second bridge (22) is subsequently interrupted.