2003-01-08 17:21
Some called 2002 the global "year of e-government"; others called it the golden year of the information security industry. On the network security platforms built for e-government, GAP technology, which is based on physical isolation, became a hot topic for the public and the media because of its practical security value. So what exactly is GAP technology?
GAP is not a firewall
A GAP and a firewall are completely different things, both in function and in principle.
Many people know that the Chinese name of GAP is "security isolation gatekeeper". It is a network security device that uses dedicated hardware with multiple control functions to cut the network connection between two networks, while still carrying out a controlled, limited exchange of application data between them. A GAP is normally placed between a trusted network and an untrusted network, and the administrator can manage it only from the trusted side.
The GAP breaks the link with dedicated isolation hardware, so no network connection exists across it; only a few administrator-specified kinds of static data are exchanged. Requests from outside are not accepted. Internal users are given static pages with ActiveX, Java, cookies and similar active content filtered out, and Trojans cannot communicate through the gatekeeper, so the internal network does not need to be upgraded in response to every external attack.
A firewall generally forwards IP packets while controlling TCP sessions. It does not cut the network connection; it performs its security checks at the network layer and generally does not inspect the content of the application data. This mode of operation therefore cannot prevent leaks, nor attacks by viruses and hacker programs. The way Nimda bypassed a great many firewalls a while ago is a well-known example of this around the world.
It can be seen that a firewall is a perimeter tool that protects the network boundary, while the focus of the GAP is the security of the internal network. Because their positioning is different, neither product can replace the other. Earlier, in the industrial and commercial business system of the public security e-government system, where data must be exchanged between the internal and external networks, firewalls and IDS were already deployed; TopWalk-GAP has since been coupled with them, and this combination is expected to be widely used.
Domestic GAPs are stronger in security
A GAP usually has seven security function modules: security isolation, kernel protection, protocol conversion, virus scanning, access control, security audit and identity authentication. All seven layers of the network protocol stack are cut at the hardware link layer. In the network architecture the GAP sits at the gateway position, so the importance of its own security is self-evident.
First, the security of a GAP rests on breaking the connection at the link layer; the only thing that crosses between the networks is application-layer data. A complete application message is generally not contained in a single IP packet, so a device that works packet by packet cannot perform a thorough content check or enforce control on it. For this reason the GAP never forwards data in the form of IP packets, directly or indirectly, and that is what truly secures the application layer.
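The following is an added example, not code from the original article or from any GAP vendor. It models the distinction the two preceding paragraphs draw: a check applied to each packet on its own (firewall style) versus a check applied to the reassembled application message (GAP style). The request, the forbidden token and the packet sizes are constructed for the demonstration; the point it makes is general, since any signature that straddles a packet boundary is invisible to a per-packet check.

```python
"""Added example, not code from the original article: per-packet inspection
versus inspection of the reassembled application message.
The request and the signature token below are constructed for the demo.
"""
from typing import Optional


def split_into_packets(payload: bytes, mtu: int) -> list[bytes]:
    """Cut an application message into fixed-size chunks, the way IP
    fragmentation or TCP segmentation spreads it across packets."""
    if mtu <= 0:
        raise ValueError("mtu must be positive")
    return [payload[i:i + mtu] for i in range(0, len(payload), mtu)]


def per_packet_filter(packets: list[bytes], signature: bytes) -> list[bytes]:
    """Firewall-style check: each packet is judged on its own and forwarded
    if it does not contain the signature. A signature split across two
    packets is never seen whole, so every packet passes."""
    return [p for p in packets if signature not in p]


def reassembled_filter(packets: list[bytes], signature: bytes) -> Optional[bytes]:
    """GAP-style check: reassemble the complete message first, then decide.
    Returns the message if it is clean, None if it is refused."""
    message = b"".join(packets)
    return None if signature in message else message


def evades_per_packet(payload: bytes, signature: bytes, mtu: int) -> bool:
    """True when the complete message contains the signature but every
    packet of size `mtu` still passes the per-packet check."""
    packets = split_into_packets(payload, mtu)
    forwarded = per_packet_filter(packets, signature)
    return signature in payload and len(forwarded) == len(packets)


def evading_mtus(payload: bytes, signature: bytes, max_mtu: int) -> list[int]:
    """All packet sizes from 1 to max_mtu at which the signature is cut in
    two and therefore slips past the per-packet check."""
    return [m for m in range(1, max_mtu + 1)
            if evades_per_packet(payload, signature, m)]


# Constructed sample: a request carrying a token the policy forbids.
REQUEST = b"GET /cgi-bin/../../bin/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
SIGNATURE = b"cmd.exe"

if __name__ == "__main__":
    for mtu in (64, 26):
        packets = split_into_packets(REQUEST, mtu)
        forwarded = per_packet_filter(packets, SIGNATURE)
        whole = reassembled_filter(packets, SIGNATURE)
        print(f"mtu={mtu}: {len(packets)} packet(s); per-packet check forwards "
              f"{len(forwarded)}; reassembled check forwards: {whole is not None}")
    print("packet sizes that evade the per-packet check:",
          evading_mtus(REQUEST, SIGNATURE, 64))
```

With a 64-byte packet the whole request fits in one packet and both checks refuse it; with 26-byte packets "cmd" lands in the first packet and ".exe" in the second, so the per-packet check forwards both while the reassembled check still refuses the message. The last line lists every packet size at which that happens, which is simply every size for which some packet boundary falls inside the token.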
Second, a GAP prevents both known and unknown Trojan attacks. Most of the Trojans seen in practice are TCP-based, and by the principle of its implementation the GAP cuts off all TCP connections, and likewise other protocols such as UDP and ICMP, so no kind of Trojan can communicate through the security isolation gatekeeper.
Third, since it is oriented mainly to the internal network, the data exchanges performed by a GAP are configured by the administrator. All requests are initiated by the GAP itself: it accepts no requests from outside, supports no interactive access, supports no reverse proxy and exposes no system services. Also, because cookies must be read and written on the client, the GAP does not support cookies, for security reasons.
In addition, a GAP can stop unknown viruses from doing damage. The author's own investigation found that, thanks to its embedded antivirus module, the GAP effectively blocks Nimda and Code Red II.
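The following is an added example, not code from the original article or from any GAP product. It models, in about eighty lines, the exchange discipline the preceding paragraphs describe: only the trusted side may start an exchange, only administrator-listed static resources may cross, the response is stripped of active content (script, object, applet and the like, event handlers, javascript: links) and of cookies before it is handed over, and an unsolicited request from the outside is refused. The host names, paths, exchange table and sample responses are all constructed; the external fetch is a lookup table standing in for the external side's retrieval.

```python
"""Added example, not code from the original article: a minimal model of a
GAP exchange. Hosts, paths, the exchange table and the responses below are
constructed for the demonstration.
"""
from html import escape
from html.parser import HTMLParser

# Administrator-configured exchange table (constructed): the only static
# resources the internal side may pull from the outside.
ALLOWED_RESOURCES = {
    ("www.example.org", "/bulletin.html"),
    ("www.example.org", "/notice.txt"),
}

# Elements that carry code or embedded objects; dropped with their bodies.
ACTIVE_ELEMENTS = {"script", "object", "applet", "embed", "iframe"}

# Constructed stand-in for what the external side would retrieve.
SAMPLE_RESPONSES = {
    ("www.example.org", "/bulletin.html"): (
        {"Content-Type": "text/html", "Set-Cookie": "session=abc123; HttpOnly"},
        '<html><body><h1>Notice</h1>'
        '<script>document.cookie="x=1"</script>'
        '<object classid="clsid:0000"></object>'
        '<p onclick="alert(1)">Office hours <a href="javascript:void(0)">link</a></p>'
        '<p>Plain &amp; text</p></body></html>',
    ),
    ("www.example.org", "/notice.txt"): (
        {"Content-Type": "text/plain"},
        "Maintenance window: Friday 22:00.",
    ),
}


class StaticPageSanitizer(HTMLParser):
    """Rebuild a page keeping only its static content: active elements with
    their bodies, on* event handlers, javascript: URLs, comments and
    declarations are left out. Records what it dropped."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: text arrives unescaped
        self.out: list[str] = []
        self.dropped: list[str] = []
        self.skip_depth = 0  # >0 while inside an active element

    def _render_attrs(self, attrs) -> str:
        parts = []
        for name, value in attrs:  # HTMLParser lower-cases attribute names
            if name.startswith("on") or (
                value is not None and value.strip().lower().startswith("javascript:")
            ):
                self.dropped.append(name)
                continue
            parts.append(f" {name}" if value is None else f' {name}="{escape(value)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth += 1
            self.dropped.append(tag)
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._render_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.dropped.append(tag)
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._render_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_html(page: str) -> tuple[str, list[str]]:
    """Return the static rendering of `page` and the list of dropped items."""
    parser = StaticPageSanitizer()
    parser.feed(page)
    parser.close()
    return "".join(parser.out), parser.dropped


def external_fetch(host: str, path: str) -> tuple[dict, str]:
    """Constructed: the external side's retrieval of one resource."""
    return SAMPLE_RESPONSES[(host, path)]


def exchange(initiator: str, host: str, path: str) -> dict:
    """One exchange across the isolation device. Only the internal side may
    initiate, only listed resources cross, and the response is reduced to
    static content (no cookies, no active elements) before hand-over."""
    if initiator != "internal":
        return {"accepted": False, "reason": "requests from the external side are refused"}
    if (host, path) not in ALLOWED_RESOURCES:
        return {"accepted": False, "reason": "resource is not in the administrator's exchange table"}
    headers, body = external_fetch(host, path)
    kept = {k: v for k, v in headers.items() if k.lower() not in ("set-cookie", "set-cookie2")}
    dropped = [k for k in headers if k not in kept]
    if kept.get("Content-Type", "").startswith("text/html"):
        body, removed = sanitize_html(body)
        dropped += removed
    return {"accepted": True, "headers": kept, "body": body, "dropped": dropped}


if __name__ == "__main__":
    print(exchange("internal", "www.example.org", "/bulletin.html"))
    print(exchange("external", "www.example.org", "/bulletin.html"))
    print(exchange("internal", "www.example.org", "/admin.html"))
```

The sanitizer rebuilds the page from parsed tokens rather than patching the raw text with regular expressions, so a script body, an object element or an event handler cannot be smuggled through by unusual casing or spacing; anything the parser does not recognise as static content is simply not re-emitted. Note that the text of the article describes protocol conversion and virus scanning as further modules; those are not modelled here.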
It is worth noting that a device built on a single system, such as an "information transformer", is not a GAP device. Once that system is compromised, the attacker can very likely build a path between its two network cards, and the internal network is then fully exposed. A real GAP, by contrast, has its analogue switch burned into the isolation hardware, where it cannot be altered by software programming. This is also the essential difference from the "pseudo-gatekeepers" on the market that connect two or more systems over IEEE 1394 or a serial port and implement the isolation and switching in software: their security is no better than two PCs joined by standard Ethernet cards, and such "soft isolation" is a long way from a GAP in security terms.
At present, foreign GAP products include Spearhead's NetGAP and Whale's e-Gap. Foreign GAPs are manufactured abroad from the hardware up to the software; Chinese users hold no independent copyright, and even under OEM arrangements the core remains in outsiders' hands, so it is hard to be sure that no backdoor program is present.
Domestic and foreign GAP products also differ considerably in function because of their different design and protection focus. For example, NetGAP functions much like a content-inspecting firewall: it accepts requests from the untrusted side and supports interactive access. Domestic GAPs such as TopWalk-GAP concentrate on protecting the internal network: they do not support interactive access such as establishing a session, and only a few kinds of data exchange are allowed. So from a security perspective, domestic GAPs are the stronger.