First, the concept of the physical isolation network gate. The "Regulations on the Secrecy Management of International Networking of Computer Information Systems", issued and implemented on January 1, 2000, stipulate that "computer information systems involving state secrets shall not be connected, directly or indirectly, to the Internet or other public information networks, and physical isolation must be implemented." Physical isolation network gates first appeared in the United States, Israel and other countries, where the military needed to solve the security problem of connecting secret networks to public networks. China also has very large government-related and military-related networks, but these networks have traditionally been independent of public networks, and of the Internet in particular: there was no information exchange with the Internet, so there was no need for a physical isolation network gate to solve information security problems. Before e-government and e-commerce, therefore, the physical isolation network gate developed slowly in China, with no market demand, no product and no technology. In recent years, with the acceleration of China's informatisation, "e-government" has emerged and developed at unprecedented speed. E-government touches every aspect of social life: industrial and commercial registration, online tax returns, online customs declarations, fund and project applications, and so on. It is closely tied to the interests of the state and of individuals. In the construction of China's e-government systems, the external network is connected to the general public, the internal network is connected to the desktop office systems of government civil servants, and the private network is connected to the information systems of governments at all levels. Information exchange between the intranet and the private network is a basic requirement.
How to guarantee the resources of the internal and private networks while keeping the path from the public to the government unobstructed, with resource sharing that is convenient and fast, is a technical problem that the construction of an e-government system must solve. The method generally taken is logical isolation by firewall between the internal network and the external network, and physical isolation between the internal network and the private network. The physical isolation network gate is therefore a device that every e-government information system must be equipped with. From this starting point, physical isolation network gate products and technology have risen rapidly in China and become a new growth point of China's information security industry.

1.1 Definition of the physical isolation network gate

The physical isolation network gate is an information security device that connects two independent host systems by means of a solid-state switched read/write medium with multiple control functions. Between the two independent host systems connected by the gate there is no physical connection, no logical connection, no information transmission command, no information transmission protocol and no packet exchange according to any protocol; the only operations are "reading" and "writing" of the solid-state storage medium. The physical isolation network gate is therefore isolated at the physical level: it blocks every connection that could carry an attack, so that "hackers" cannot intrude, attack or destroy, which is real security.

1.2 Information exchange through the physical isolation network gate

We know that computer networks implement information exchange between different networks, between different hosts, and between hosts and terminals by means of physical and logical connections.
Since the physical isolation network gate isolates, all network connections are blocked; isolation means, in fact, blocking the connection between the networks. Once the networks are isolated and the connection is blocked, how can two independent host systems still exchange information? The network is only one way of exchanging information, not the only way. Before the Internet era, information was exchanged by data file replication (copy), data ferrying, data mirroring, data reflection and so on; the physical isolation network gate implements information exchange between two networks by data "ferrying". The host system of the external network is "connected" through the physical isolation gate to the host system of the internal network: the gate strips all TCP/IP protocol from the external host's data and imports the raw data by "ferry" into the internal host system, completing the exchange. The word "ferry" recalls 1957, when the Yangtze River divided China into north and south, and the trains of the Jinghan Railway could only reach the Yuehan Railway by train ferry. The track of the Jinghan Railway and the track of the Yuehan Railway were always isolated and blocked from each other. The ferry and the trains on it could not be connected to the Jinghan track and the Yuehan track at the same time: when the travellers and the train were connected to the Jinghan Railway, they were necessarily disconnected from the Yuehan Railway, which remained cut off.
Similarly, the physical isolation network gate can establish a non-TCP/IP data connection with only one side at any moment: when it is connected to the host system of the external network it must be disconnected from the internal network, and the internal network remains cut off. That is, the external network can never be connected through the physical isolation gate to the internal network end to end. The raw data "ferry" mechanism of the physical isolation gate consists of storing the raw data (write) and forwarding it (read). The gate restores the data to a raw data file at the seventh layer of the network (the application layer) and then passes the raw data on in the form of a "ferry file". No packet of any form, no information transmission command and no TCP/IP protocol can penetrate the physical isolation gate. This is the essential difference between the gate and transparent bridging, promiscuous mode, IP over USB, proxy hosts and switching methods. The following example of a physical isolation gate between an intranet and a private network illustrates the information exchange process. When there is no information exchange between the intranet and the private network, the gate and the intranet, the gate and the private network, and the intranet and the private network are completely disconnected: there is neither a physical nor a logical connection among the three, as shown in Figure 1. When intranet data needs to be transferred to the private network, the gate actively initiates a non-TCP/IP data connection request to the data exchange agent on the intranet server, issues a "write" command, switches the switch to the intranet side, strips off all protocols and writes the raw data to the storage medium. Before writing, depending on the application, the necessary integrity and security checks are performed, such as virus and malicious code checks.
Throughout this process the private network server and the physical isolation gate remain in the disconnected state; see Figure 2.
Once the data has been completely written to the gate's storage medium, the switch is thrown immediately and the connection to the intranet is interrupted. The gate then initiates a non-TCP/IP data connection request toward the private network; when the private network server receives the request it issues a "read" command, and the data on the gate's storage medium is read onto the private network. After receiving the data, the private network server restores it to its original form and hands it to the application system, completing the information exchange from the intranet. See Figure 3.
Information exchange from the private network to the intranet is similar to the above, only in the opposite direction.
It is not difficult to see that in every data exchange the physical isolation gate goes through two processes, writing the data and reading the data; that the intranet and the external network (or the intranet and the private network) are never connected; and that at any one time only one of the intranet and the external network (or the intranet and the private network) has a non-TCP/IP data connection with the gate.
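The two-phase exchange described above (write from one side, break the link, read from the other side, never both at once) can be modelled in software. The following is an added example written for this page; it is not code from the article or from any gate vendor. The class and function names (IsolationGate, Side, ferry, strip_protocol, the two content checks) and the sample "packet" are assumptions for the illustration. The model enforces the invariant that the switch faces at most one side, runs the content checks before anything reaches the medium, and keeps an event log that an auditor can inspect for the "both sides connected" condition the article says must never occur.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple

Check = Callable[[bytes], Tuple[bool, str]]   # content check: (accepted, reason)


class Side(Enum):
    NONE = "none"
    INTRANET = "intranet"
    PRIVATE = "private"


class GateError(Exception):
    """Raised when an exchange would violate the gate's isolation rules."""


@dataclass
class IsolationGate:
    """Hypothetical model of the gate: one storage medium, one switch."""
    connected: Side = Side.NONE              # the single side the switch faces now
    medium: Optional[bytes] = None           # raw file held by the storage medium
    log: List[Tuple[str, str]] = field(default_factory=list)

    def connect(self, side: Side) -> None:
        # Invariant: the switch never faces two sides at once, so a connect
        # is legal only after the previous side has been disconnected.
        if self.connected is not Side.NONE:
            raise GateError(f"still connected to {self.connected.value}")
        self.connected = side
        self.log.append(("connect", side.value))

    def disconnect(self) -> None:
        self.log.append(("disconnect", self.connected.value))
        self.connected = Side.NONE

    def write(self, side: Side, raw: bytes, checks: List[Check]) -> None:
        # "Write" phase: every check runs on the raw content before it touches the medium.
        if self.connected is not side:
            raise GateError(f"write from {side.value} while facing {self.connected.value}")
        for check in checks:
            ok, reason = check(raw)
            if not ok:
                self.log.append(("reject", reason))
                raise GateError(reason)
        self.medium = raw
        self.log.append(("write", f"{len(raw)} bytes"))

    def read(self, side: Side) -> bytes:
        # "Read" phase: the receiving side takes the raw file off the medium.
        if self.connected is not side:
            raise GateError(f"read by {side.value} while facing {self.connected.value}")
        if self.medium is None:
            raise GateError("storage medium is empty")
        raw, self.medium = self.medium, None
        self.log.append(("read", f"{len(raw)} bytes"))
        return raw


def strip_protocol(packet: dict) -> bytes:
    """Keep only the application-layer content; every header field is discarded."""
    return packet["payload"]


def reject_executables(raw: bytes) -> Tuple[bool, str]:
    """Constructed malicious-code check: refuse files that start with PE or ELF magic."""
    if raw.startswith(b"MZ") or raw.startswith(b"\x7fELF"):
        return False, "executable file magic detected"
    return True, "ok"


def printable_text_only(raw: bytes) -> Tuple[bool, str]:
    """Constructed content check: accept only printable ASCII text, like a TXT file."""
    if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return True, "ok"
    return False, "non-printable bytes present"


def ferry(gate: IsolationGate, src: Side, dst: Side, packet: dict, checks: List[Check]) -> bytes:
    """One complete exchange: write from src, break the link, then read to dst."""
    raw = strip_protocol(packet)
    gate.connect(src)
    try:
        gate.write(src, raw, checks)
    finally:
        gate.disconnect()           # the source side is cut off before dst is touched
    gate.connect(dst)
    try:
        return gate.read(dst)
    finally:
        gate.disconnect()


def both_sides_ever_connected(log: List[Tuple[str, str]]) -> bool:
    """Audit helper: True if the log ever shows two sides connected at once."""
    open_sides = set()
    for event, side in log:
        if event == "connect":
            open_sides.add(side)
            if len(open_sides) > 1:
                return True
        elif event == "disconnect":
            open_sides.discard(side)
    return False


if __name__ == "__main__":
    # Constructed sample "packet" handed over by an intranet data exchange agent.
    sample = {"src": "10.1.1.5", "dst": "10.2.2.9", "proto": "TCP", "payload": b"tax return 2003-05\n"}
    g = IsolationGate()
    print(ferry(g, Side.INTRANET, Side.PRIVATE, sample, [reject_executables, printable_text_only]))
    print("both sides connected at once:", both_sides_ever_connected(g.log))
```

Note that a rejected write still leaves the gate in a clean state: the finally clause disconnects the source side, the medium stays empty, and the log records the reason, which is the behaviour an audit module would want to see.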
1.3 Composition of the physical isolation network gate

1) The three parts of the physical isolation network gate:
External processing unit;
Internal processing unit;
Isolation hardware.
2) Main security modules of the physical isolation network gate:
Security isolation module: the isolation hardware switches between the two networks and completes the data exchange by reading and writing the memory chip on the hardware. It ensures that the two networks are disconnected at the link layer, that the gate is never connected to both networks, and that the exchanged data is handled at the application layer only after the TCP/IP protocol has been stripped off.
Kernel protection module: the internal and external processing units embed a security-hardened operating system with a kernel-based IDS, etc.
Security inspection module: data integrity checks, virus scanning, malicious attack code checks, etc.
Identity authentication module: supports identity authentication and digital signatures.
Access control module: implements mandatory access control.
Security audit module: establishes a complete logging system.
1.4 Main functions of the physical isolation network gate
Blocking direct physical connection between the networks: the physical isolation gate can be connected to only one of the untrusted network and the trusted network at any time, never to both;
Blocking logical connection between the networks: the physical isolation gate does not depend on an operating system and does not support the TCP/IP protocol. Information exchange between the two networks must strip off the TCP/IP protocol; the raw data is then forwarded over a point-to-point non-TCP/IP connection by "writing" to and "reading" from the storage medium;
Non-programmable data transmission mechanism: the data transmission mechanism of the physical isolation gate is fixed and cannot be programmed;
Security review: the physical isolation gate has a security review function, that is, it inspects the security of the raw data as required and eliminates possible virus code, malicious attack code and so on;
The raw data is harmless: the raw data passed by the physical isolation gate has no attack capability and poses no harm to network security, just as a TXT text file carries no virus and executes no command.
Management and control functions: establishes a sound logging system.
Establishes a data feature library as needed: in the application initialisation phase, the features of the application data are extracted in accordance with the application's requirements to form a user-specific data feature library, which serves as the basis for data checks during operation. When a user makes a request, the user's application data is extracted, its data features are extracted and compared with the original data feature library; requests that match the feature library enter the request queue, and non-matching requests are returned to the user.
Provides custom security and transmission policies as needed: users can set data transmission policies such as the transmission unit (data-based or task-based), the transmission interval, the transmission time, the start-up time, etc.
Supports scheduled and real-time file exchange; supports one-way and two-way file exchange; supports digital signatures, content filtering, virus checking and other functions.
Mail synchronisation: supports the standard SMTP service with secure, highly available mail filtering policies; different mail exchange policies and internal/external mail mirroring can be configured.
Supports web-based access;
Database synchronisation: two-way or one-way data synchronisation, customisable synchronisation content, multiple synchronisation modes, and scheduled data updates.
Supports multiple databases: Oracle, Sybase, Informix, DB2, SQL Server and other mainstream databases.
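The "data feature library" function in the list above (features extracted from the application's own data at initialisation, then used at run time to decide whether a request enters the queue or is returned to the user) is the kind of allowlist check that is easy to get wrong, so here is an added example of it. This is illustration code written for this page, not the article's or any vendor's implementation; the names (FeatureLibrary, build_library, screen_request, Dispatcher) and the tax-return sample records are assumptions. The library learns, per field, the field set, the narrowest character class shared by all samples and the maximum length, and a request is accepted only if it matches all three.

```python
import re
from collections import deque
from typing import Deque, Dict, List, Tuple

Record = Dict[str, str]

# Candidate character classes, narrowest first: a field gets the first class
# that every sample value satisfies. "any" is the fallback for exotic content.
_CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9]+$")),
    ("ascii", re.compile(r"^[\x20-\x7e]+$")),
    ("any", re.compile(r"^[\s\S]*$")),
]


class FeatureLibrary:
    """Per-field features learned from the application's own sample data."""

    def __init__(self) -> None:
        self.fields: Dict[str, Tuple[str, int]] = {}   # name -> (class name, max length)

    def pattern(self, name: str):
        return dict(_CLASSES)[self.fields[name][0]]


def build_library(samples: List[Record]) -> FeatureLibrary:
    """Initialisation phase: extract field set, character class and length bound."""
    lib = FeatureLibrary()
    names = set(samples[0])
    for rec in samples:
        if set(rec) != names:
            raise ValueError("sample records must share one field set")
    for name in sorted(names):
        values = [rec[name] for rec in samples]
        cls = next(c for c, rx in _CLASSES if all(rx.match(v) for v in values))
        lib.fields[name] = (cls, max(len(v) for v in values))
    return lib


def screen_request(lib: FeatureLibrary, rec: Record) -> Tuple[bool, str]:
    """Run time: compare one request against the library; return (accepted, reason)."""
    extra = set(rec) - set(lib.fields)
    missing = set(lib.fields) - set(rec)
    if extra or missing:
        return False, f"field set mismatch (extra={sorted(extra)}, missing={sorted(missing)})"
    for name, (cls, max_len) in lib.fields.items():
        value = rec[name]
        if len(value) > max_len:
            return False, f"{name}: length {len(value)} exceeds {max_len}"
        if not lib.pattern(name).match(value):
            return False, f"{name}: value is not {cls}"
    return True, "ok"


class Dispatcher:
    """Matching requests enter the transfer queue; the rest are returned to the user."""

    def __init__(self, lib: FeatureLibrary) -> None:
        self.lib = lib
        self.queue: Deque[Record] = deque()
        self.returned: List[Tuple[Record, str]] = []

    def submit(self, rec: Record) -> str:
        ok, reason = screen_request(self.lib, rec)
        if ok:
            self.queue.append(rec)
            return "queued"
        self.returned.append((rec, reason))
        return f"returned: {reason}"


# Constructed sample records for an online tax-return application (not real data).
SAMPLE_RECORDS: List[Record] = [
    {"taxpayer_id": "110101199001011234", "period": "200305", "amount": "12500"},
    {"taxpayer_id": "310104198505052345", "period": "200304", "amount": "980"},
    {"taxpayer_id": "440305197707073456", "period": "200305", "amount": "1500000"},
]

if __name__ == "__main__":
    d = Dispatcher(build_library(SAMPLE_RECORDS))
    print(d.submit({"taxpayer_id": "110101198812123456", "period": "200306", "amount": "999"}))
    print(d.submit({"taxpayer_id": "110101198812123456", "period": "200306", "amount": "999", "cmd": "x"}))
    print(d.submit({"taxpayer_id": "110101198812123456", "period": "200306", "amount": "1 OR 1"}))
```

The design choice worth noting is that the library is built only from the application's legitimate data, so anything outside that profile (an extra field, an over-long value, a non-numeric amount) is returned with a reason rather than forwarded, and the check never needs to know what an attack looks like. In production the sample set must be large enough that the learned length bounds and classes do not reject legitimate but rare values.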
1.5 Main indicators of the physical isolation network gate
Data exchange rate: supports the data exchange rates of 100 Mbit/s and Gigabit networks.
Switching time: uses a high-speed security isolation electronic switch supporting millisecond-level switching.
1.6 Applications of the physical isolation network gate
1) Between a confidential network and a non-confidential network:
2) Between a local area network and the Internet (between the internal network and the external network):
Some local area networks, especially government office networks, carry sensitive government information and sometimes need to be physically separated from the Internet; using a physical isolation gate is a common way to do this.
3) Between an office network and a business network:
Because the information carried by office networks and business networks differs (for example, a bank's office network and its banking business network are two very sensitive types of network), and because office networks sometimes need to exchange information with business networks to improve work efficiency, a better way to secure the business network is to place a physical isolation gate between the office network and the business network, realising physical isolation between the two types of network.
4) Between the internal network and the private network of e-government:
In the construction of e-government systems, the government requires logical isolation between the internal and external networks and physical isolation between the government private network and the intranet. The currently common way to implement this is with a physical isolation gate.
5) Between a business network and the Internet:
An e-commerce network is connected to the business network server while also reaching the general public through the Internet. To protect the security of the business network server, physical isolation should be realised between the business network and the Internet.
Second, the market status and development trend of physical isolation network gates in China
2.1 Market space for physical isolation network gates in China
According to the relevant parties, after more than three years of government online construction in China, the direction of e-government network construction will change significantly in the future: the construction of external networks, especially portals, has been basically completed, the construction phase is over, and investment will be greatly reduced; the focus of e-government network construction will gradually shift to network application projects; and the government private network will become the focus of future e-government network construction and the main area of government e-government investment. Government network application projects include online registration and approval, online application systems, online tax systems, online bidding systems for government procurement, online social security service systems, online customs clearance systems, entry and exit management systems and so on. These projects receive more investment than portal construction, and their effect is more obvious. For example, the Beijing municipal government launched an online declaration and approval system in 2002; each online declaration and approval system has received investment of 400-220 million yuan, and the community service system reached 70 million yuan.
China's government internal networks (LANs) so far only implement connection to the Internet; the construction of large information repositories is still in its infancy, and many internal functions have not been implemented. The central government website, local government websites and local government departments are almost unable to connect to each other; information is neither open nor shared, forming information "islands" that seriously restrict the development of national e-government. At present, government private networks in China exist only in a few cities (Beijing; Nanhai, Guangdong; Qingdao, Shandong). The domestic academic community still has differing views on the necessity of building government private network systems, but from the point of view of e-government development needs the government private network is already an indispensable part of e-government construction, and the number of government private networks is expected to increase in the future. It is reported that the Beijing government private network project has been listed as one of the four key construction projects of the "10th Five-Year Plan".
In recent years the State Council has organised hundreds of experts to carry out multi-faceted research on national e-government and has formed an e-government development framework. According to Yang Xueshan, Director of the State Council Informatisation Office, the government is currently taking three measures to build e-government. The first is to build two unified e-government network platforms: the government intranet, which mainly carries office work and other business of governments at all levels, and the government external network, which mainly handles business between enterprises, public services and government departments. The second is to build 12 key projects, mainly the "Golden" projects. The third is to speed up the construction of important strategic databases, such as the population database, the legal entity database, the spatial geography and natural resources database, the macroeconomic database and the agricultural information database.
The central and local governments have invested heavily in e-government construction. It is expected that governments at all levels in China will invest 10 billion yuan in e-government construction, and that the central government's investment in e-government construction will be at least 1 billion yuan.
E-government networks comprise a network connected to the public and a large internal network and private network connecting government bodies; e-government runs important applications, and the special operating environment of e-government networks requires them to guarantee a high level of security while information is exchanged conveniently through the Internet. A firewall alone cannot prevent internal information leakage, virus infection or hacker intrusion. Industry insiders believe that the extensive application of physical isolation gates in e-government construction is inevitable, and that the construction of e-government networks provides a huge market space for physical isolation gates. Physical isolation gates account for 30% to 40% of information security in e-government, and in the next few years the information security market of e-government construction will account for 30% to 40% of the whole information security market. Since 2003 China's total information security market has exceeded 10 billion yuan, of which 30% to 40% is contributed by e-government. From this it can be calculated that physical isolation gates will have a market space of 0.9 to 1.6 billion yuan in e-government construction.
2.2 Status of physical isolation network gate products in China

The development of physical isolation network gate products in China is a matter of the last two years or so; not many units take part in the development, products are few, and performance indicators, quality indicators and technical level are all at the first generation. As of 31 May 2003, the physical isolation network gate products that have received a sales licence from the Ministry of Public Security are listed in the table below. In addition, TopWalk-GAP, developed by Beijing Tianxing Netan Information Technology Co., Ltd., passed the technical appraisal of the State Secrecy Bureau in September 2002. Because the physical isolation gate sits in the special position of the gateway between secret and non-secret networks and is also the last line of defence of network security, the background of the product's R&D personnel and R&D unit is an important condition in choosing a product, and the sales of products from companies with foreign-funded backgrounds are inevitably affected. Products that can stand in the market are therefore extremely limited.

Physical isolation network gate products that have received a sales licence from the Ministry of Public Security:
Unit | Certificate number | Validity | Product name
Beijing Jingtai Network Technology Co., Ltd. | XKC30146 | 20030704 | Jingtai Network Physical Isolation System BHLNET 1.0
Beijing Gaotic Information Security Technology Co., Ltd. | XKC30242 | 20040611 | Network Dynamics Real-Time Network Isolation System V1.0
Beijing Datang Yongchuang Technology Development Co. | (not given) | (not given) | (not given)
Lenovo Holdings Co., Ltd. | XKC30361 | 20050307 | Lenovo Network Royal Security Isolation Network Gate SIS-3000
China Network Information Technology Co., Ltd. | XKC30363 | 20050312 | China Network Isolation Gate X-GAP V1.0
Zhuhai Special Economic Zone Wei Si Co., Ltd. | (not given) | (not given) | Wei Si Network Security Isolation Gate Vigap