Security isolation gatekeeper (GAP): from the first generation to the second generation
Wang Xiaobing, Technical Director, Beijing Gaetijia Information Security Technology Co., Ltd.
The Security Isolation and Information Exchange System, commonly called the network gatekeeper, is a new generation of high-security enterprise protection equipment. It relies on security isolation technology to give information networks a higher level of protection: it greatly strengthens a network's resistance to attack and effectively prevents information-leakage incidents.

Gatekeeper technology originated in Israel. Where an external and an internal network are physically isolated, data is normally exchanged by hand, carried across on a disk or other storage device; a device that automates this manual exchange is the prototype of the gatekeeper. A modern gatekeeper performs its secure exchange as follows: it first extracts the application data from the network packets, subjects that data to a security review, and only then completes the exchange. The whole process runs automatically in software, which adds a review step and at the same time greatly improves exchange efficiency. However, because the exchange runs continuously, a steady data stream exists between the two networks, which means a logical connection exists. Even with its security review, the gatekeeper cannot completely guarantee the security of the exchanged data, so it does not satisfy the requirements of physical isolation and is classed as non-physical-isolation equipment.

The technical principle of the first-generation gatekeeper is a single-pole double-throw (SPDT) switch that alternately connects the inner and outer network processing units to a shared storage device, so that data is exchanged across an air gap: at any moment only one side is attached to the storage. Its security comes from eliminating protocol-based attacks and strengthening application-layer security.
Because of the application-layer data extraction, the data the gatekeeper carries has been stripped of all network characteristics, which completely removes attacks that ride on the network protocol. A GAP-based gatekeeper nevertheless shares one storage device between the inner and outer networks, so it cannot satisfy physical isolation requirements. The switching speed of the electronic switch also limits overall processing performance, with low throughput, few concurrent connections and large exchange delays as the result, so the device easily becomes a network bottleneck. Moreover, the service life of the storage device is shortened by continuous rapid power-on/power-off cycling, and the exchange is frequently interrupted by its failure or damage.

Seen from another angle, whether or not an air gap exists between two networks says nothing by itself about security: two networks joined through wireless network cards have no physical connection, yet they are no different from networks joined by a cable. The criterion for whether two networks are connected should therefore be a logical one: if data can move between the networks automatically, through any device and in any form, a logical connection exists, and this plainly does not satisfy physical isolation, because the security of the exchanged data cannot be fundamentally guaranteed; that is, the exchange process carries security risk.
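As an added worked example (illustrative code written for this page, not any vendor's implementation), the following Python model shows the two ideas the first generation rests on: the SPDT switch that gives only one processing unit access to the shared storage at a time, and the application-layer extraction plus review that leaves the inner side with nothing but a named object and its bytes. The packet shape, the review policy (allowed suffixes, size limit, forbidden byte markers) and the sample packets are all constructed assumptions; the power-cycle counter stands in for the wear on the storage device that the text describes.

```python
"""Model of a first-generation GAP ferry (illustrative, not a vendor's code).

Two processing units share one storage device through a single-pole
double-throw switch, so at no moment is there a path from the outer network
to the inner one. Application data is stripped out of the network packet,
reviewed, and only then ferried across.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Side(Enum):
    OUTER = "outer"
    INNER = "inner"


class SharedStorage:
    """The single storage device; only the side the switch points at may touch it."""

    def __init__(self) -> None:
        self.connected: Optional[Side] = None          # SPDT switch position
        self.slot: Optional[Tuple[str, bytes]] = None  # one object at a time
        self.power_cycles = 0                          # every flip wears the device

    def switch_to(self, side: Side) -> None:
        if self.connected is not side:
            self.power_cycles += 1
        self.connected = side

    def write(self, side: Side, item: Tuple[str, bytes]) -> None:
        if self.connected is not side:
            raise PermissionError(f"{side.value} unit is not connected to storage")
        self.slot = item

    def take(self, side: Side) -> Tuple[str, bytes]:
        if self.connected is not side or self.slot is None:
            raise PermissionError(f"{side.value} unit has nothing to read")
        item, self.slot = self.slot, None
        return item


@dataclass
class Packet:
    """A network packet as the outer unit sees it (constructed sample shape)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    tcp_flags: str
    app_name: str   # application-layer object name, e.g. a file name
    payload: bytes


# Assumed review policy for the example.
ALLOWED_SUFFIXES = (".txt", ".csv")
MAX_BYTES = 1024
FORBIDDEN = (b"<script", b"\x7fELF")


def extract_application_data(pkt: Packet) -> Tuple[str, bytes]:
    """Application-layer extraction: addresses, ports and flags are dropped, so an
    attack that lives in the protocol has nothing left to ride on."""
    return pkt.app_name, pkt.payload


def security_review(name: str, data: bytes) -> Optional[str]:
    """Return a rejection reason, or None if the object may cross."""
    if not name.endswith(ALLOWED_SUFFIXES):
        return "type not allowed"
    if len(data) > MAX_BYTES:
        return "too large"
    for marker in FORBIDDEN:
        if marker in data:
            return "forbidden content"
    return None


def ferry(packets: List[Packet]) -> Dict[str, object]:
    """Run the outer-to-inner exchange for each packet through the switch."""
    storage = SharedStorage()
    delivered: List[Tuple[str, bytes]] = []
    rejected: List[Tuple[str, str]] = []
    for pkt in packets:
        name, data = extract_application_data(pkt)
        reason = security_review(name, data)
        if reason:
            rejected.append((name, reason))
            continue
        storage.switch_to(Side.OUTER)          # outer unit owns the disk
        storage.write(Side.OUTER, (name, data))
        storage.switch_to(Side.INNER)          # outer unit is now cut off
        delivered.append(storage.take(Side.INNER))
    return {"delivered": delivered, "rejected": rejected,
            "power_cycles": storage.power_cycles}


def no_simultaneous_path() -> bool:
    """The air gap: while the inner unit holds the storage, the outer unit
    cannot even write to it."""
    storage = SharedStorage()
    storage.switch_to(Side.INNER)
    try:
        storage.write(Side.OUTER, ("x.txt", b"x"))
    except PermissionError:
        return True
    return False
```

The inner side only ever receives `(name, bytes)` pairs; nothing of the original packet headers survives the crossing, and every accepted object costs two switch flips, which is where the throughput and wear limits the text describes come from.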
Building on the first generation, the second-generation gatekeeper introduces a new idea, the Private Exchange Tunnel (PET), a dedicated exchange channel that completes high-speed data exchange between the inner and outer networks without reducing security and thereby overcomes the drawbacks of the first generation. Its secure exchange is implemented with dedicated hardware communication cards, a private communication protocol and an encryption-and-signature mechanism. It still relies on application-layer data extraction and security review to eliminate protocol-based attacks and strengthen application security, but it supports more network applications than the first generation, and its special high-speed hardware communication card raises processing capacity to several times that of the first generation. The private protocol and the encryption-and-signature mechanism guarantee the confidentiality, integrity and authenticity of the data exchanged between the inner and outer processing units, so security is maintained while performance improves, and the device can meet the needs of complex network isolation applications.

Most products currently on the domestic market for secure information exchange are host-based. Host-based network isolation products do meet the national requirement for physical isolation between internal and external networks, but information exchange between the networks then depends entirely on manual operation, with disks or similar media as the intermediate carrier. This method is poor in real-time behaviour and low in efficiency, and it often leaves information transfer blocked.
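As an added worked example of the envelope such a private exchange tunnel needs (illustrative code for this page, not the PET protocol itself, whose format is not published here), the Python below shows one way to obtain the three properties the text names between the two processing units, confidentiality, integrity and authenticity, plus replay protection. It uses only the standard library: HMAC-SHA256 in counter mode as a keystream for encryption, an HMAC tag over sequence number, nonce and ciphertext (encrypt-then-MAC) that is verified before anything else is done, and a strictly increasing sequence number. The master key, the key-derivation labels and the sample payload are assumptions; a real product would use an AEAD such as AES-GCM rather than this hand-built construction.

```python
"""Envelope for a dedicated exchange tunnel (illustrative, not a vendor's protocol).

Each object crossing the tunnel is wrapped as
    seq(8) || nonce(16) || ciphertext || tag(32)
Keys are derived from one master secret provisioned into both units out of
band (an assumption of this example). Confidentiality: HMAC-SHA256 keystream
in counter mode. Integrity and origin: HMAC tag, checked first. Replay: the
receiver accepts only a sequence number larger than the last one seen.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple

NONCE_LEN = 16
TAG_LEN = 32
HEADER = struct.Struct("!Q")   # 8-byte big-endian sequence number


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and authentication keys from one shared secret."""
    enc = hmac.new(master, b"PET-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"PET-mac", hashlib.sha256).digest()
    return enc, mac


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a PRF keystream; the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(enc_key, nonce + struct.pack("!I", counter),
                         hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TunnelEndpoint:
    """One processing unit's end of the tunnel."""

    def __init__(self, master: bytes) -> None:
        self.enc_key, self.mac_key = derive_keys(master)
        self.send_seq = 0
        self.last_recv_seq = -1

    def seal(self, app_data: bytes) -> bytes:
        self.send_seq += 1
        seq = HEADER.pack(self.send_seq)
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = keystream_xor(self.enc_key, nonce, app_data)
        tag = hmac.new(self.mac_key, seq + nonce + ct, hashlib.sha256).digest()
        return seq + nonce + ct + tag

    def open(self, envelope: bytes) -> bytes:
        if len(envelope) < HEADER.size + NONCE_LEN + TAG_LEN:
            raise ValueError("truncated envelope")
        body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # authenticate before parsing
            raise ValueError("bad tag: tampered or not from the peer")
        (seq,) = HEADER.unpack(body[:HEADER.size])
        if seq <= self.last_recv_seq:
            raise ValueError("replayed envelope")
        self.last_recv_seq = seq
        nonce = body[HEADER.size:HEADER.size + NONCE_LEN]
        return keystream_xor(self.enc_key, nonce, body[HEADER.size + NONCE_LEN:])


def exchange_demo() -> Dict[str, object]:
    """Outer unit sends one object to the inner unit, then three attacks fail."""
    master = secrets.token_bytes(32)               # assumed shared provisioning
    outer, inner = TunnelEndpoint(master), TunnelEndpoint(master)
    payload = b"report.txt\x00quarterly figures"   # constructed sample object
    env = outer.seal(payload)
    results: Dict[str, object] = {
        "received": inner.open(env),
        "ciphertext_hides_plaintext": b"quarterly" not in env,
    }
    # Replay of a previously accepted envelope.
    try:
        inner.open(env)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    # One flipped ciphertext byte.
    tampered = bytearray(outer.seal(b"second"))
    tampered[HEADER.size + NONCE_LEN] ^= 0x01
    try:
        inner.open(bytes(tampered))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    # A third party without the shared secret cannot forge an envelope.
    stranger = TunnelEndpoint(secrets.token_bytes(32))
    try:
        inner.open(stranger.seal(b"hello"))
        results["stranger_rejected"] = False
    except ValueError:
        results["stranger_rejected"] = True
    return results
```

The order inside `open` is the point to notice: the tag is checked over the whole body before the sequence number or ciphertext is even parsed, so a forged or corrupted envelope is dropped without the receiving unit acting on any of its contents.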
At the same time, this manual method cannot guarantee the legality and security of the transferred data, human error can alter it, and a network security hazard remains. Isolation gatekeeper products based on protocol conversion, for their part, give no theoretical account of how they achieve physical isolation and network disconnection, and in practical use these products also have security problems.

The Security Isolation and Information Exchange System (X-GAP) developed by China Network Communication Co., Ltd. is designed to solve the problems of isolation and data exchange better. X-GAP breaks the link, communication, network and application connections between the two networks and exchanges data by non-network means while the two networks are completely disconnected at the protocol level. No packet, command or TCP/IP protocol (including UDP and ICMP) can pass through X-GAP, which the vendor credits with high security, high bandwidth, high speed and high availability. Because it is built on SCSI, the vendor quotes a backplane rate as high as 5G and switching on a nanosecond time scale, removing the slow-speed, low-efficiency problem. In addition, the SCSI control system is not network-addressable and has its own bus arbitration (conflict) mechanism, which yields a simple switching principle and thereby removes the security problem of the gatekeeper switch. This isolation system is regarded as the highest-security equipment: it supports information exchange only on condition that security is assured, and disconnects when it is not.
Isolation technology is widely used between private and public networks and between internal and external networks, wherever users require physical isolation but also need to exchange data in real time; it solves the combined problem of physical isolation and information exchange. The X-GAP series can perform the necessary "ferry" between the two networks while guaranteeing that neither network can intrude on the other. (China Network Communication Network Co., Ltd.)

Related links: security isolation gatekeepers are suited to networks in government, military, public security, banking, industry and commerce, aviation, electric power, e-commerce and similar sectors. A typical e-government deployment places the gatekeeper between the government affairs network and the Internet, between different security domains within the government affairs network, or between the government affairs intranet and other networks that are not connected to the Internet. The gatekeeper can of course also be used to isolate host servers, or to give special isolation protection to database servers.

Security isolation of internal and external networks: since the 1990s, public security organs in every locality have built hotel accommodation registration systems suited to their own circumstances, and these have played a role in fighting crime.