Wang Xiaobing, Technology Director, Beijing Gaotic Information Security Technology Company
Facing new network attack methods and the special security needs of high-security networks, a new network security technology, network isolation technology, has emerged. Its goal is to keep harmful attacks outside the trusted network, to keep the trusted network's internal information inside it, and to complete secure data exchange between the two networks. Network isolation technology builds on earlier security technologies, makes up for their shortcomings and has advantages of its own.

The development of isolation technology
Network isolation (English name: network isolation) mainly refers to exchanging data between two or more routable networks (such as TCP/IP networks) through non-routable protocols (such as IPX/SPX or NetBEUI) in order to achieve isolation. Because its principle mainly relies on the difference between protocols, it is usually called protocol isolation. In 1997, information security expert Mark Joseph Edwards classified isolation technologies in his book Understanding Network Security, in which he pointed out clearly that protocol isolation and firewalls are not the same kind of product. The isolation concept was proposed to protect high-security network environments; since then a large number of isolation products have appeared, and through continuous practice and theory the technology has passed through five generations.

First generation isolation technology - complete isolation. This approach leaves each network as an information island. Complete physical isolation requires at least two sets of networks and systems, and, more importantly, exchanging information becomes inconvenient and costly, which brings great inconvenience to maintenance and use.

Second generation isolation technology - hardware card isolation. On the client, the hard disk or other storage device is first connected to the card, which is then connected to the motherboard, and the card controls the client's hard disk or other storage devices. When a different hard disk is selected, a different network interface on the card is selected, connecting the client to a different network. However, this kind of product still requires the network cabling to be laid as a dual-cable structure, and it carries a considerable security hazard.

Third generation isolation technology - data broadcast isolation. Files are replicated over a broadcast system to achieve isolation. Switching takes a very long time and may even need to be done by hand, which not only slows things down significantly but also fails to support common network applications, so the network loses its meaning.

Fourth generation isolation technology - air switch isolation. A single-pole double-throw switch lets the internal and external networks take turns accessing a temporary buffer to complete data exchange, but it has many problems in security and performance.

Fifth generation isolation technology - secure channel isolation. This technology achieves isolation and data exchange between the internal and external networks through security mechanisms such as dedicated communication hardware and proprietary security protocols. It not only solves the problems of the earlier generations, effectively isolating the internal and external networks while exchanging their data securely and efficiently, but also transparently supports multiple network applications, and it has become the development direction of current isolation technology.

Isolation technology needs to have high self-security
Isolation products must ensure that they themselves are highly secure, at least one security level higher than a firewall.
In terms of technical implementation, beyond hardening the operating system as a firewall does, the key is to separate the external network interface and the internal network interface onto different operating systems. That is, there are at least two host systems, one controlling the external network interface and the other controlling the internal network interface, and data is exchanged between the two hosts through a non-routable protocol, so that an attacker who compromises the external network system still cannot control the internal network system. This reaches a higher level of security.
To ensure network isolation, the key is that network packets are never routed into the other side's network. No matter what conversion method is used, as long as a single network packet can enter the other side, the product cannot be called isolation, and the effect is the same as having no isolation at all. Obviously, simply forwarding packets, or letting a firewall establish an end-to-end connection, gives no isolation effect. Likewise, products that only convert network packets into text and, after moving the text to the other side, convert it back into network packets are not isolation either.

To ensure that what crosses between the networks is only application data, network protocol-based attacks must be guarded against thoroughly, that is, network-layer attack packets must never reach the network being protected. Therefore protocol analysis must be performed and the application-layer data fully extracted before any exchange takes place. In this way attacks such as Teardrop, Land, Smurf and SYN flood are completely blocked from the trusted network, which clearly raises the security of the trusted network.

Internet access must be strictly controlled and inspected. As a security device for a high-security network, the product must ensure that every data exchange is trusted and controlled, strictly prevent illegal channels from appearing, and ensure that the security of information data and access to it can be audited. Therefore certain techniques must be applied to ensure that each data exchange process is trusted and its content is controllable; session-based authentication technology and a content analysis and control engine can be adopted.

The network must remain unobstructed and applications transparent. Isolation products are deployed in a variety of complex network environments and are often required to have high processing capability: they cannot become the bottleneck of network exchange, they must have good stability with no intermittent outages, they must be robust, and they must connect to the network transparently and transparently support multiple applications.

The key point of network isolation is that the system controls the communication data, that is, it completes network data exchange through a non-routable protocol. Since the communication hardware works at the bottom layer of the seven-layer network model, it cannot itself perceive security elements of the exchanged data such as confidentiality, integrity, availability, controllability and non-repudiation, so these are realized through security mechanisms such as access control, identity authentication and encrypted signatures, and these mechanisms are implemented in software. Therefore the key point of isolation becomes raising the speed of inter-network data exchange while transparently supporting applications, so as to adapt to data exchange between complex networks with high bandwidth requirements. Because of their design principles, third and fourth generation isolation products can hardly break through this limit, and they are also very costly, which contradicts the concept of "moderate security".

The emergence of the fifth generation. The fifth generation isolation technology, the future development direction of isolation technology, was produced from a detailed analysis of network isolation products and the requirements of high-security networks. It not only solves the speed bottleneck problem that the third and fourth generations could hardly solve, but its advanced security concepts and design ideas also clearly improve the security functions of the product. It is an innovative isolation and protection technology.
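As an added illustration (not code from the original article or from Beijing Gaotic's products), the following Python sketch models the outer-side behaviour described above: the packet is parsed, the IP and TCP headers are discarded, fragments, self-addressed segments, bare handshake segments and unknown services are refused, and only the application-layer payload, tagged with its service, is handed to the inner side. The packet layout (IPv4 and TCP headers without options, no checksums), the service allow-list and the check rules are simplifying assumptions.

```python
import struct
from ipaddress import IPv4Address

IP_FMT = "!BBHHHBBH4s4s"    # IPv4 header, no options (20 bytes) - assumed layout
TCP_FMT = "!HHIIBBHHH"      # TCP header, no options (20 bytes) - assumed layout
MORE_FRAGMENTS = 0x2000
FRAG_OFFSET_MASK = 0x1FFF
TCP_ACK = 0x10
ALLOWED_SERVICES = {80: "http", 25: "smtp"}   # constructed allow-list


def make_packet(src, dst, sport, dport, payload, flags_frag=0):
    """Build a constructed IPv4+TCP packet (demo input only; checksums left zero)."""
    ip = struct.pack(IP_FMT, 0x45, 0, 40 + len(payload), 1, flags_frag, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window 8192
    tcp = struct.pack(TCP_FMT, sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload


def ferry(pkt):
    """Outer-host check. Returns (record, None) on success or (None, reason).
    The record carries no IP or TCP header, so no routable packet crosses."""
    if len(pkt) < 40:
        return None, "truncated packet"
    ver_ihl, _, total, _, flags_frag, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    if ver_ihl != 0x45 or proto != 6 or total != len(pkt):
        return None, "unsupported or malformed IP header"
    if flags_frag & (MORE_FRAGMENTS | FRAG_OFFSET_MASK):
        return None, "fragment refused (Teardrop-style fragments are never relayed)"
    sport, dport, _, _, offset, flags, _, _, _ = struct.unpack(TCP_FMT, pkt[20:40])
    if src == dst and sport == dport:
        return None, "self-addressed segment refused (Land)"
    if (offset >> 4) != 5 or not flags & TCP_ACK:
        return None, "TCP options or bare handshake segment not relayed"
    if dport not in ALLOWED_SERVICES:
        return None, "service not on allow-list"
    # Only the application-layer content leaves the outer host.
    return {"service": ALLOWED_SERVICES[dport], "data": pkt[40:]}, None
```

The inner host would open its own connection to the internal service using only the record, so the two networks never share a TCP session.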
Implementation principle
The third generation of isolation technology is implemented by exchanging data between networks of different security levels through dedicated communication devices, special security protocols, encryption and verification mechanisms, application-layer data extraction and identity authentication technology. It thoroughly blocks direct TCP/IP connections between the networks, while performing identity authentication, content filtering and security auditing on the users, content and procedures of network communication on both sides, so as to ensure that network data exchange is secure and controllable and to eliminate the security risks brought by the operating system and the network protocols themselves.

Product realization
Beijing Gaotic's R&D staff began research on network isolation technology in 1999, and went through a research and development process beginning with serial ports and parallel ports.