Network Gate (网闸) - Physical Isolation Network Gate: Frequently Asked Technical Questions

xiaoxiao, 2021-03-06

Must a dedicated switch integrated circuit be used?

A: No. The most straightforward way to implement the switch is a dedicated switch integrated circuit that directly controls the bus mode. Given the level, capacity and quality of China's chip-manufacturing industry, a domestic vendor would have to do the circuit design itself and also worry about the security of the part. A second problem is mass production and the unit price of a special-purpose chip, which is hard to solve even in the United States. At present there are not many manufacturers of physical isolation network gates in the United States either.

How does a physical isolation network gate use SCSI to implement the switching technology?

A: First, SCSI is not a communication protocol but a protocol by which a host accesses storage peripherals. Two hosts are each attached to one shared storage device, as shown in the figure below:

The intermediate solid-state storage medium is not used in file-system mode but in block mode. The external host can issue read and write requests to the solid-state storage medium, and the internal host can also issue read and write requests to it, but the medium accepts only one of them at a time. The storage medium itself cannot initiate a connection request to either host. Therefore there is no connection between the external host and the internal host; data can only be "ferried" through the solid-state storage medium. That is the switching principle in its simplest form. In practice the technology is considerably more complex: a manufacturer has to solve clock, efficiency, synchronization, reliability and blocking problems before SCSI-based switching can be achieved. Because a SCSI connection offers no programming interface for upper-layer protocols, only read/write functions, every upper-layer communication protocol, TCP/IP included, is blocked, and the design has high reliability and stability. For this reason a host-to-host switch implemented at the operating-system kernel layer is very popular internationally, and is also the mainstream trend.
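The following is an added example illustrating the switching principle described in this answer; it is not code from the original article or from any network gate vendor. It models a passive block device in Python: the only operations are reserve, release, read_block and write_block (a simplification of SCSI reservation and block I/O), only one initiator can hold the medium at a time, and the medium has no operation by which it could contact a host. The use of block 0 as a control block and block 1 as a length block is an assumption made for the example.

```python
import threading

BLOCK_SIZE = 512
READY = 0x01   # value in control block 0 once a payload has been written


class BlockMedium:
    """Passive block storage: it answers requests and never initiates anything."""

    def __init__(self, nblocks=64):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(nblocks)]
        self._lock = threading.Lock()
        self._owner = None

    def reserve(self, host):
        # A second initiator is refused, not queued: at any moment at most
        # one host is attached, which is what makes the link a switch.
        if not self._lock.acquire(blocking=False):
            return False
        self._owner = host
        return True

    def release(self, host):
        if self._owner != host:
            raise PermissionError(f"{host} does not hold the medium")
        self._owner = None
        self._lock.release()

    def _check(self, host):
        if self._owner != host:
            raise PermissionError(f"{host} is not the current initiator")

    def read_block(self, host, n):
        self._check(host)
        return self.blocks[n]

    def write_block(self, host, n, data):
        self._check(host)
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes are whole blocks")
        self.blocks[n] = bytes(data)


def _pad(data):
    return bytes(data).ljust(BLOCK_SIZE, b"\0")


def ferry_out(medium, host, payload):
    """External side: attach, write length and payload, mark ready, detach."""
    needed = (len(payload) + BLOCK_SIZE - 1) // BLOCK_SIZE
    if needed + 2 > len(medium.blocks):
        raise ValueError("payload larger than the medium")
    if not medium.reserve(host):
        return False
    try:
        if medium.read_block(host, 0)[0] == READY:
            return False  # previous payload not yet consumed by the other side
        medium.write_block(host, 1, _pad(len(payload).to_bytes(4, "big")))
        for i in range(needed):
            chunk = payload[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            medium.write_block(host, 2 + i, _pad(chunk))
        medium.write_block(host, 0, _pad(bytes([READY])))
    finally:
        medium.release(host)
    return True


def ferry_in(medium, host):
    """Internal side: attach, read the payload if one is ready, clear, detach."""
    if not medium.reserve(host):
        return None
    try:
        if medium.read_block(host, 0)[0] != READY:
            return None
        length = int.from_bytes(medium.read_block(host, 1)[:4], "big")
        needed = (length + BLOCK_SIZE - 1) // BLOCK_SIZE
        data = b"".join(medium.read_block(host, 2 + i) for i in range(needed))
        medium.write_block(host, 0, bytes(BLOCK_SIZE))  # mark consumed
        return data[:length]
    finally:
        medium.release(host)
```

Note that neither host ever holds a handle to the other: the external host only ever sees a block device, and the internal host decides on its own when to attach and read. The clock, synchronization and blocking problems the answer mentions are exactly what a real product has to add around this skeleton (here they collapse to "refuse a second payload until the first is consumed").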

Can a physical isolation network gate use USB, FireWire and the like to implement a "soft switch"?

A: No. USB, FireWire and Ethernet are communication protocols, and using them is no different in security from a firewall. Because USB, FireWire and Ethernet can easily have programming interfaces added, such as loading TCP/IP on top of them, they can be controlled by software, and TCP/IP and the application services cannot be interrupted. Disconnecting one of these media (what some manufacturers call a "soft switch") is not the switch a physical isolation network gate requires: the line stays connected, which is not physical isolation. (For details see Physical Isolation Network Gate Common Concept Problems.)

Why SCSI, and not USB, FireWire or Ethernet?

A: An integrated-circuit switch is easy to accept. But SCSI is also a cable, and USB, FireWire and Ethernet are cables too, so why does SCSI work and the others not? The reason is simple: SCSI is not a communication protocol but a storage read/write protocol, and the SCSI cable together with the solid-state storage medium form one system that implements the switching principle. USB, FireWire and Ethernet are communication protocols that connect the two hosts to each other, and with them the isolation and security characteristics of a physical isolation network gate no longer exist.

Is a physical isolation network gate very slow?

A: No. A 33 MHz, 32-bit PCI bus provides 132 MB/s of bandwidth, i.e. 1056 Mbit/s. A 66 MHz, 64-bit PCI bus provides 528 MB/s, i.e. 4224 Mbit/s. Two channels of 320 MB/s SCSI give a total of 640 MB/s, i.e. 5120 Mbit/s. Around 5 Gbit/s of bandwidth should be sufficient. (These are raw bus figures; the throughput an application actually sees is bounded by the proxy processing on the two hosts.)

At which layer of the OSI model does a physical isolation network gate work?

A: It works at all seven layers. (For details see the China Network Physical Isolation Network Gate White Paper.)

How does a physical isolation network gate work at layer 5 of the OSI model?

A: At layer 5 the physical isolation network gate interrupts the TCP session and "restores" a set of IP packets into application data. Attacks on the TCP protocol itself, such as SYN flooding, are therefore eliminated.

How does a physical isolation network gate work at layer 7 of the OSI model?

A: The physical isolation network gate must provide a specific application proxy service on both the external and the internal host. Packets for an application that has no proxy service will not pass. Only where the corresponding application proxy service exists is the TCP/IP layer stripped off and the application protocol "stripped" and shielded, which is what ensures security. The application proxy "restores" the application data and "ferries" it to the other side through the switching circuit.

How does an information security exchange system work?

A: The OSI model of an information security exchange system is as follows: an external proxy host, an internal proxy host, and an intermediate security-check host. The three hosts are connected by Ethernet. Some literature describes an intermediate security-check host that is switched manually. Such systems, and similar arrangements such as security systems built on physical isolation cards, can be regarded as physically isolated, but they are not physical isolation network gates.

How does a security isolation network gate work in the OSI model?

A: There are many kinds of security isolation working models. One of the most secure is shown below.

However, no difference has been found between this structure and a single proxy, unless the operating system of the internal host differs from that of the external host. The other two models of this structure, the circuit proxy and packet filtering, are shown below.

After performing authentication and session checks, the circuit proxy simply relays the traffic, which is more efficient than an application proxy.

The dual-host packet-filtering structure has the lowest security. It is almost indistinguishable from two packet-filtering firewalls. Some vendors take data from the external host's kernel, set the network card to promiscuous mode, and transfer it directly to the internal host's kernel; this sounds secure but does nothing. For example, some "physical isolation" products are simply two hosts connected directly to each other inside one chassis.

Is protocol conversion physical isolation?

A: No. A dual-host structure with protocol conversion between the two hosts belongs to the category of security isolation or logical isolation. Converting the protocol does not eliminate protocol-based attacks: where there is a communication connection, there is a connection-based attack.

What are the types and forms of dual-host structures based on protocol conversion?

A: There are three main types: application proxy, circuit proxy and packet filter. The protocol-conversion forms include, but are not limited to, USB, FireWire, serial port, parallel port, ATM, Myrinet and special-purpose ASIC cards.

Many people do not think that connecting two hosts in series increases security, nor that it is physical isolation, because in theory a hacker can discover host vulnerabilities through an operating-system vulnerability scan, break into the host, then scan the next host, and so on step by step. Therefore some vendors replace the Ethernet link with a serial port, parallel port, USB or FireWire, and some simply run TCP/IP over USB or FireWire. In summary: as long as there is a communication protocol between the two hosts, even TCP/IP itself, in some cases packets reach the internal host directly and packet-based attacks may occur; in some cases connection-based attacks may occur; and in some cases command-based attacks may occur. A proprietary communication protocol therefore does not by itself mean security.

Some vendors use TCP stream reassembly to restore the data stream in order to inspect its content. Such features can also be added to a firewall; a vendor's content-filtering firewall is the same function. This is just a variant of the structure above, and connection-based, session-based and protocol-based attacks still exist. Another variant uses an application proxy on the dual-host structure to enhance security; this eliminates attacks that exploit protocol vulnerabilities, but the possibility of attacks on the communication connection remains. Therefore it is not a physical isolation network gate.

Does each application of a physical isolation network gate require a corresponding proxy?

A: Yes. Beyond the standard, general-purpose applications, a proxy can be customized for any application as long as it has a protocol specification. Therefore any industry can use a physical isolation network gate, regardless of its applications.

Do the application proxies of a physical isolation network gate comply with the relevant RFC specifications?

A: They must. Only by complying can the transparency and interoperability of the application be guaranteed.

If a device cannot be pinged from the external network, is it a physical isolation network gate?

A: Not necessarily. A physical isolation network gate certainly cannot be pinged, but something that cannot be pinged is not necessarily a physical isolation network gate. If ICMP is blocked on a router, ping does not work either, and that is not a physical isolation network gate.

If the internal hosts cannot be scanned from the external network, is it a physical isolation network gate?

A: Not necessarily. Scanning software cannot scan the internal hosts through a physical isolation network gate, but the inability to scan does not prove physical isolation. Scanning software cannot scan internal hosts through a proxy server either, and a proxy server is not a physical isolation network gate.

Is packet forwarding through a switch physical isolation?

A: No. As long as the packets carry TCP/IP, a TCP connection can be established even through a switch, and packet-based and TCP-protocol-based attacks remain possible.

Why can't an attacker break into the internal host even after breaking into the external host of the network gate?

A: The external host and the internal host of a physical isolation network gate do not communicate by dialogue; they exchange data only according to a fixed, "agreed" convention. Consider the worst case: a hacker breaks into the external host and can then write files to the solid-state storage medium. After the internal host fetches these files, the internal application cannot understand them and has to discard them; even where it can read them, it finds that they do not comply with the security policy and discards them too. The internal host's decisions are not determined by the files the external host sends but by the internal security policy. It is therefore impossible to control the internal side. Add to that: no connection, no communication, no protocol, and breaking into the internal side is impossible.
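The following added example shows, in Python, the two points made in the layer-7 answer above and in this one: the external proxy terminates the client protocol and keeps only application fields, and the internal side accepts or discards what arrives purely on the basis of its own policy. It is not code from the original article or from any vendor. The protocol is a constructed, deliberately tiny HTTP subset, the "version 1" JSON record that crosses the medium is an assumed format, and the values in INTERNAL_POLICY are illustrative.

```python
import json

MAX_RECORD = 4096  # assumed limit on what the internal side will even parse


def external_proxy(raw: bytes):
    """Terminate the client's protocol and keep only application fields.

    Anything that is not a well-formed request of the one supported protocol
    is refused here, so no TCP segment and no HTTP byte stream ever reaches
    the medium: only a plain record of a few named fields.
    """
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if version != "HTTP/1.1" or method not in ("GET", "POST"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    record = {"v": 1, "method": method, "path": path,
              "host": headers.get("host", ""),
              "body": body.decode("latin-1")}
    return json.dumps(record).encode("ascii")


# Illustrative internal policy (an assumption for the example): the internal
# side only ever rebuilds GET requests for a few paths on one named host.
INTERNAL_POLICY = {
    "methods": {"GET"},
    "path_prefixes": ("/public/", "/status"),
    "hosts": {"intranet.example"},
}


def internal_proxy(record_bytes: bytes, policy=INTERNAL_POLICY):
    """Decide from the internal policy alone whether to rebuild a request.

    A compromised external host can write whatever it likes to the medium,
    but it cannot make this side do anything it was not configured to do:
    bytes that are not a known record are dropped, and well-formed records
    that violate the policy are dropped too.
    """
    if len(record_bytes) > MAX_RECORD:
        return None
    try:
        rec = json.loads(record_bytes.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(rec, dict) or rec.get("v") != 1:
        return None
    if rec.get("method") not in policy["methods"]:
        return None
    if rec.get("host") not in policy["hosts"]:
        return None
    path = rec.get("path", "")
    if not isinstance(path, str) or ".." in path \
            or not path.startswith(policy["path_prefixes"]):
        return None
    # Rebuild the request from scratch on the internal side; nothing from
    # outside is reused verbatim except the fields the policy approved.
    return (f"{rec['method']} {path} HTTP/1.1\r\n"
            f"Host: {rec['host']}\r\n\r\n").encode("ascii")


def ferry(raw: bytes):
    """Run both sides back to back; the medium is just the bytes in between."""
    record = external_proxy(raw)
    return None if record is None else internal_proxy(record)
```

The external side accepts POST because a legitimate client might send one, yet the internal side still refuses it: the two policies are independent, which is what the answer means when it says the internal host's decision is not determined by what the external host sends. Whatever an attacker on the external host writes to the medium, the internal side either cannot parse it or parses it into a record that the policy rejects, and it never interprets those bytes as a protocol or a connection.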

What are the ways to prevent intrusion of the external host?

A: The external host must be reachable because it provides a service. From an absolute technical point of view, no operating system can claim to have no vulnerabilities, so there is some possibility of attack, even if it is a one-in-a-million event. This does not mean the external host will be attacked. There are many technical means to guard against intrusion, such as lightweight intrusion detection and closing unneeded host services, so that the risk to the host is minimized.

Why can a physical isolation network gate defend against unknown attacks?

A: The attacks discovered so far can be classified as application-protocol vulnerabilities, TCP/IP protocol vulnerabilities, command-based attacks and packet-based attacks. A physical isolation network gate fundamentally solves these four classes. Therefore any new attack, known or unknown, can be blocked as long as it is based on one of the above four principles.

Is a physical isolation network gate the most secure option?

A: Yes. The physical isolation network gate is positioned to provide the highest level of security: it protects internal access, protects core assets, protects key databases, and protects the system from attacks from the Internet.

Please credit the original source when reposting: https://www.9cbs.com/read-98048.html
