Physical isolation products are used to solve network security problems. In confidential networks, private networks and other special-purpose networks that must be connected to the Internet while being absolutely guaranteed against attack from it, physical isolation technology is required almost everywhere in order to ensure the confidentiality, integrity and availability of these high-security networks.
It is generally believed in academic circles that physical isolation technology was first introduced by the militaries of Israel and the United States. So far, however, there is no complete definition or standard for it, and the terms used in different periods show that the technology has kept evolving. The earliest term was Physical Disconnection; "disconnection" means to disconnect, cut off or not connect. This reflected the understanding that once a confidential network is connected to the Internet many problems arise, and that without a technical means of solving them the only answer was to disconnect. Later came Physical Separation; "separation" means to separate, keep apart or keep at a distance. Disconnecting was not a way out, since the Internet was always going to be used, so the strategy became to connect what had to be connected and leave the rest unconnected, with the connected part separated from the unconnected part. Then came Physical Isolation; "isolation" means isolated, closed off or insulated, so the term could also be rendered as physical enclosure. In fact few systems are kept off the Internet while Internet use is very heavy, so the hope was that certain high-security networks could be isolated and closed off. Later still came Physical Gap; "gap" means a gap, crack or difference, and the intent was to achieve a physical gap. Since the word "physical" sounded stiff, some people replaced Physical Gap with Air Gap, an air gap obviously being a physical separation. Others disagreed: is an air gap really physical isolation? No: electromagnetic radiation, wireless networks and satellites all cross an air gap, yet there is neither physical nor even logical isolation. Thus E-GAP, NETGAP, I-GAP and so on appeared. Now it is generally called GAP technology, meaning physical isolation, and has become a dedicated term on the Internet.
Physical isolation is understood in the following respects:
1. The direct network connection is broken: the two networks are never present on the isolation device at the same time.
2. The logical network connection is broken: the TCP/IP protocol must be stripped, and the original data passes through the isolation device by a peer-to-peer, non-TCP/IP connection protocol.
3. The transmission mechanism of the isolation device is not programmable, so it cannot be infected.
4. Every data exchange is completed by two-stage mobile agents, and the two stages are physically isolated from each other.
5. The isolation device has an auditing (review) function.
6. The original data transmitted by the isolation device has no attack capability and cannot harm network security; like plain TXT text, it carries no virus and executes no command.
7. Powerful management and control functions.
Understanding the evolution of the network security architecture requires an in-depth understanding of physical isolation technology and in-depth research on the network security architecture itself. Looking at the current network security market, the mainstream products are firewalls, anti-virus, VPN and intrusion detection (IDS), and the security system is developing toward linked products with the firewall at its heart. Therefore, to understand how the network security architecture has evolved, the firewall must be understood in depth. Current mainstream firewalls are built on Stateful Inspection Packet Filtering (SIPF), so-called state-detection packet filtering. State detection has two major advantages: it is fast, and it is very flexible. This is why SIPF is popular. Some will notice that security has not even been mentioned: although people buy firewalls to solve security problems, security is not the first reason they choose one. The first reasons are ease of installation and use, minimal disruption to the network structure, and minimal impact on the business. Marcus Ranum, known as the "Father of the Firewall", also noticed that when firewall customers were polled, the three most important characteristics were transparency, performance and convenience; security was not among them. This is surprising.
At present the most popular security architecture on the network security market has the firewall as its core, realizing network security through the firewall. However, this firewall-centered defense system has failed to effectively prevent the frequent network attacks seen today; a security architecture built on the firewall alone falls far short. Many people therefore suspect that the firewall is out of date. Even the "Father of the Firewall", Marcus Ranum, has declared that he does not believe in the firewall.
So the firewall seems to have lost some of its standing. The main reason is that the firewall has become synonymous with security, and any talk of security turns into talk of the firewall. Many vendors have pushed functions that do not belong on a firewall onto it, such as routing, and have even moved application services onto the firewall, making it a universal device, so that "the higher the expectation, the greater the disappointment".
Although the firewall is not a panacea, doing without one is not an option. The firewall is still the most important security tool to date. Every technique has its limitations, and the firewall is no exception.
Review of firewall architecture
Today, finding ourselves in a state of network insecurity, we are called to review the foundations of firewall architecture carefully.
The degree to which a firewall contributes to network security depends largely on its architecture. A typical firewall uses one or more of the following architectures:
- Static Packet Filter
- Dynamic or Stateful Packet Filter
- Circuit Gateway
- Application Level Gateway
- Stateful Inspection Packet Filter
- Switching Agent (Cutoff Proxy)
- Physical Isolation (Air Gap)
Network security is a balance
Network security is simply a balance between trust and performance.
All firewalls inspect the information in packets passing through them; the more they inspect, the safer they are. The focus of inspection is the network protocol information, which the OSI model distributes over seven layers. Knowing which layer a firewall operates on tells you what its architecture is. Generally speaking, the higher the OSI layer, the more packet information the firewall has to check and the higher its CPU and memory requirements; the more content it checks, the safer it is. In firewall architecture, efficiency and security have always been a compromise: high-security firewalls have low efficiency, and high-speed, high-efficiency firewalls have low security. However, with the falling cost of multi-CPU computers and operating system support for symmetric multiprocessing (SMP), the gap between the traditional high-speed packet-filtering firewall and the heavyweight proxy firewall is gradually narrowing.
One of the most important factors in a successful firewall is who decides the trade-off between security and performance: (1) the firewall vendor, by restricting the architectures offered to users, or (2) the user, by demanding more architectures in a strong firewall. In the end the user decides the market, but the vendor also shapes it. There is no fixed answer; it depends on the final facts. The general firewall architecture is shown below, where the OSI model and the TCP/IP model are placed side by side for comparison.
In firewall architecture, the most important information in an IP packet is:
- IP header
- TCP header
- Application header
- Data payload
Static Packet Filter
The packet-filtering firewall is one of the oldest firewall architectures. It runs on the network layer, that is, the third layer of OSI.
The firewall decides whether to forward or reject a packet mainly by examining specific information in the IP header and protocol, including:
- Source address
- Destination address
- Application protocol (Application or Protocol)
- Source port number
- Destination port number
Before forwarding a packet, the firewall compares the information in the IP header and TCP header against the user-defined rule table and decides whether to forward or reject it. The rule table holds the security rules defined by the user. The rules are checked in order, stopping at the first rule that matches. If no rule matches, the default rule applies. The firewall's default rule should be to deny.
There are in fact two philosophies for setting the firewall's default rule: (1) ease of use first, or (2) security first. Ease of use first generally sets the default to allow; security first generally sets it to deny.
In a static packet-filtering firewall, the user defines rules that determine which packets are allowed and which are denied. By checking the IP header, a rule allows or denies packets from a given address to a given address, where an address may be a single address or a group of addresses. For specific services, a rule checks the TCP header to allow or deny the ports going to or from the service in question. The decision mechanism of the packet filter is that where the final rule conflicts with earlier rules, the final rule takes effect.
Because the rules are checked in order, configuring the rules of a packet-filtering firewall is very complicated and difficult. We know that n rules can be arranged in n! different orders, and the result may differ with the order: only when the order does not matter is the result the same, otherwise it may differ. Adding a rule is easy, but writing a rule that achieves a particular security function requires the system administrator to understand the protocols and the working mechanism of TCP/IP very clearly, and to understand the process as well. Some administrators always put newly added rules at the end, some always put them at the front, and some insert them at random positions. The biggest problem is that rules A, B and C arranged in different orders do not necessarily give the same result. The possible orders are A>B>C, A>C>B, B>A>C, B>C>A, C>A>B and C>B>A; their results may be the same or different, and one cannot know which without analysing the specific case. A system with 100 rules has 100! = 9.33E157 possible orderings, and even if only one in a thousand of these give different results, that is still an astronomical figure. In fact, if the rules have little dependence on one another, a differing result is a small-probability event; but if the rules are highly interdependent, the result is hard to predict. The consequence is that consistency checking is difficult. This is why adding a rule sometimes causes no problem and sometimes does. The user must carefully check every rule added to make sure its result is the one expected. A good approach is to help users design their security policy so that the dependence between rules is low and the result is as consistent as possible.
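The ordering problem described above can be made concrete with a small first-match rule evaluator. This is an added example, not code from the article or from any firewall product; the rule table, addresses and packets are constructed for illustration, and the n! enumeration in order_matters is the brute-force consistency check the text says is needed (practical only for a handful of rules).

```python
# Added illustration: a first-match static packet filter whose verdict can
# depend on rule order. Not the page's code; all addresses and rules below
# are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import permutations
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"         # source network in CIDR form; /0 matches any
    dst: str = "0.0.0.0/0"         # destination network in CIDR form
    proto: str = "any"             # "tcp", "udp" or "any"
    dport: Optional[int] = None    # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        """True when every field of the rule covers the packet's header."""
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt["dport"]:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: dict, default: str = "deny") -> str:
    """Walk the rule table in order; the first matching rule decides.
    With no match the default rule applies, which should be "deny"."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def order_matters(rules: List[Rule], pkt: dict) -> bool:
    """Try every permutation of the table (n! of them) and report whether
    the verdict for this packet changes with the order."""
    verdicts = {filter_packet(list(p), pkt) for p in permutations(rules)}
    return len(verdicts) > 1


# Constructed rule table: A and B overlap (both cover 10.0.0.0/8), so their
# relative order matters; C is independent of both.
RULE_A = Rule("deny", src="10.0.0.0/8", proto="tcp", dport=23)   # no telnet out
RULE_B = Rule("allow", src="10.0.0.0/8")                          # LAN may go out
RULE_C = Rule("allow", dst="192.168.1.0/24", proto="tcp", dport=80)

TELNET = {"src": "10.1.2.3", "dst": "192.168.1.5", "proto": "tcp", "dport": 23}
HTTP = {"src": "10.1.2.3", "dst": "192.168.1.5", "proto": "tcp", "dport": 80}
UNKNOWN = {"src": "172.16.0.1", "dst": "192.168.2.1", "proto": "tcp", "dport": 22}


if __name__ == "__main__":
    print(filter_packet([RULE_A, RULE_B, RULE_C], TELNET))   # deny
    print(filter_packet([RULE_B, RULE_A, RULE_C], TELNET))   # allow: B shadows A
    print(order_matters([RULE_A, RULE_B, RULE_C], TELNET))   # True
    print(order_matters([RULE_A, RULE_B, RULE_C], HTTP))     # False
    print(filter_packet([RULE_A, RULE_B, RULE_C], UNKNOWN))  # deny by default
```

Placing the broad "allow" rule B ahead of the specific "deny" rule A silently shadows A, which is exactly the kind of change an administrator who "always inserts at the front" makes without noticing; for the HTTP packet the two overlapping rules agree, so the order is irrelevant there, matching the text's point that low dependence between rules keeps results consistent.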
Even if the user's rule order is correct, the packet-filtering firewall has a fundamental limitation: it does not know which address is real and which is forged, because the addresses in the TCP/IP header can be rewritten.
Even if the user denies unknown source addresses, an attacker can use someone else's source address. That address is legitimate, but it is being used by the attacker, which makes the problem more complicated. Attacks such as source address spoofing are very effective against packet-filtering firewalls. So although the performance and speed of the packet-filtering firewall are high, its security is limited: because it checks only (1) source and destination addresses and (2) source and destination ports, and no other important information, attackers can load malicious data and commands into other headers, and can also hide malicious commands and data in the packet payload, the popular hidden-tunnel attack.
Routers generally support packet filtering. However, because of its limited security, users generally purchase a separate firewall to provide higher security.
Advantages:
- Basically no impact on network performance
- Low cost; supported by routers and general operating systems
Disadvantages:
- Works on the network layer and checks only the IP and TCP headers
- Does not check packet data, so the security it provides is not high
- Lacks state information
- Easily forged and spoofed
- Rules are very difficult to write correctly and difficult to test
- Low level of protection
Dynamic Packet Filter
Dynamic packet filtering is the development and evolution of static packet filtering. It therefore inherits a fundamental disadvantage of the static packet filter: it does not understand state information.
A typical dynamic packet filter, like the static packet filter, works mainly on the network layer, the third layer of OSI. Some advanced dynamic packet-filtering firewalls also work up to the transport layer, the fourth layer of OSI.
The dynamic packet-filtering firewall decides whether to forward or reject a packet mainly by examining specific information in the IP header and protocol, including:
- Source address
- Destination address
- Application protocol (Application or Protocol)
- Source port number
- Destination port number
Unlike static packet filtering, the dynamic packet-filtering firewall distinguishes a new connection from an established one. For an established connection it writes the state information into a state table resident in memory, and later packets are compared against the state table; this is done in the operating system kernel. This gives considerably more security. A typical example: a static packet filter cannot tell a packet arriving from an external user apart from a packet returning in response to an internal user's outbound request, but the dynamic packet filter can. It can restrict external users from accessing the inside while ensuring that internal users can reach the outside and that the replies can come back. A static packet filter cannot make this distinction.
When a packet belongs to an established connection, the firewall can release it without further checking. By using some system memory, the packet-checking workload is reduced, so the performance of dynamic packet filtering improves to some extent. Dynamic packet filtering can also support symmetric multiprocessing (SMP) and multi-CPU systems to achieve higher speed and performance; in general, each added processor increases throughput by about 30%. A single-threaded system, however, cannot benefit from multiple processors. For example, vendor A uses a special RISC chip and achieves 150 Mbps, while vendor B uses ordinary Intel CPUs with multi-CPU and SMP support and achieves more than 600 Mbps.
Some vendors, to overcome the limitations of single-threaded dynamic packet filtering, take the risk of simplifying the RFC three-way handshake that establishes a TCP/IP connection, treating a connection as established and writing it to the state table after a single handshake. This makes large-scale attacks such as Land, Ping of Death and Teardrop easy to carry out successfully.
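The following added example (not the article's code, and not any vendor's implementation) models the state table described above. It contrasts a filter that only marks a connection established after the full SYN, SYN-ACK, ACK exchange with the shortcut variant that records the connection on the first SYN; the inside network 10.0.0.0/8, the addresses and the packet sequence are constructed assumptions. The point for a defender is visible in packet 3 of the exchange: an out-of-sequence inbound packet is refused by the strict filter but accepted by the shortcut, because the shortcut has already promised that traffic on that 4-tuple belongs to a connection.

```python
# Added illustration: a stateful packet filter that creates connection state
# only after the full three-way handshake, beside the "shortcut" variant that
# records a connection as established after a single SYN. Not the page's code;
# the inside network 10.0.0.0/8 and all packets are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}


SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


class StatefulFilter:
    """Policy: only the inside may open connections; inbound packets are
    accepted only when they belong to a connection in the state table."""

    def __init__(self, inside_net: str, strict_handshake: bool = True):
        self.inside = ip_network(inside_net)
        self.strict = strict_handshake
        # key: (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def _key(self, p: Packet) -> Tuple[Tuple[str, int, str, int], str]:
        if ip_address(p.src) in self.inside:
            return (p.src, p.sport, p.dst, p.dport), "out"
        return (p.dst, p.dport, p.src, p.sport), "in"

    def process(self, p: Packet) -> str:
        key, direction = self._key(p)
        state = self.table.get(key)
        if state is None:
            if direction == "out" and p.flags == SYN:
                # Shortcut vendors: mark ESTABLISHED on the first SYN.
                # Strict: remember only that a SYN was sent.
                self.table[key] = "ESTABLISHED" if not self.strict else "SYN_SENT"
                return "allow"
            return "deny"                       # unsolicited traffic
        if state == "SYN_SENT":
            if direction == "in" and p.flags == SYN_ACK:
                self.table[key] = "SYN_RECEIVED"
                return "allow"
            return "deny"                       # anything else is out of sequence
        if state == "SYN_RECEIVED":
            if direction == "out" and p.flags == ACK:
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "deny"
        # ESTABLISHED: pass without further rule checks; tear down on FIN/RST
        if p.flags & {"FIN", "RST"}:
            del self.table[key]
        return "allow"


# Constructed exchange: an unsolicited inbound SYN, then a client inside
# opening a connection to an outside server, with one out-of-sequence
# inbound packet arriving before the handshake completes.
EXCHANGE: List[Packet] = [
    Packet("203.0.113.7", 40001, "10.1.1.5", 22, SYN),          # 1 unsolicited
    Packet("10.1.1.5", 40000, "203.0.113.7", 443, SYN),         # 2 client SYN
    Packet("203.0.113.7", 443, "10.1.1.5", 40000, ACK),         # 3 premature data
    Packet("203.0.113.7", 443, "10.1.1.5", 40000, SYN_ACK),     # 4 server SYN-ACK
    Packet("10.1.1.5", 40000, "203.0.113.7", 443, ACK),         # 5 client ACK
    Packet("203.0.113.7", 443, "10.1.1.5", 40000, ACK),         # 6 server data
]


def run_exchange(strict_handshake: bool) -> List[str]:
    """Return the verdict for each packet of EXCHANGE under the given mode."""
    fw = StatefulFilter("10.0.0.0/8", strict_handshake)
    return [fw.process(p) for p in EXCHANGE]


if __name__ == "__main__":
    print(run_exchange(True))    # ['deny', 'allow', 'deny', 'allow', 'allow', 'allow']
    print(run_exchange(False))   # ['deny', 'allow', 'allow', 'allow', 'allow', 'allow']
```

A production filter would additionally expire SYN_SENT and SYN_RECEIVED entries after a short timeout and cap their number, since half-open entries are what a flood of SYNs exhausts; that bookkeeping is omitted here to keep the state transitions readable.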
Advantages:
- High speed and efficiency
- Low cost
Disadvantages:
- Works on the network layer and checks only the IP and TCP headers
- Does not understand the packet contents, so security is not high; vulnerable to IP forgery and spoofing
- Rules are difficult to write
- The simplified three-way handshake introduces additional security problems
- Provides only low security protection
Circuit Gateway
The circuit gateway works on the session layer, the fifth layer of OSI. In many respects it is much like an extension of packet filtering: in addition to the packet-filtering function, it adds handshake checking and then verifies the legality of the sequence numbers used to establish the connection.
The circuit gateway checks and confirms TCP and UDP before establishing a session circuit.
The circuit gateway decides whether to forward or reject a packet based on the following information in the IP header and TCP header:
- Source address
- Destination address
- Application protocol (Application or Protocol)
- Source port number
- Destination port number
- Handshake and sequence number (Handshaking and Sequence Number)
Like packet filtering, the circuit gateway compares the IP header and TCP header information with the user-defined rule table before forwarding a packet.
The circuit gateway's improved security comes mainly from client authentication. The authentication procedure determines whether the user is trusted. Once the client is authenticated, if the SYN and ACK flags of the TCP handshake from the client and the associated sequence numbers are correct and consistent, the session is legitimate. Only once the session is legitimate does checking against the packet-filter rules begin.
In theory the security of the circuit gateway is higher than packet filtering, and its efficiency and speed are also higher.
Advantages:
- Moderate or low impact on network performance
- Breaks the direct connection
- Security one level higher than packet filtering
Disadvantages:
- Has many of the shortcomings of packet filters
- Does not check the data, allowing any data to pass straight through the connection
- Provides low security
Application Level Gateway
Like the circuit gateway, the application gateway intercepts all incoming packets, runs a proxy mechanism, and copies and forwards information through the gateway, functioning like a proxy server to prevent any direct connection. The differences between the application gateway and the circuit gateway are:
- The proxy is application-specific: each application requires its own proxy
- The proxy checks the whole packet, including header and data
- It works on the seventh layer of OSI, the application layer
Unlike the circuit proxy, the application gateway accepts only packets generated by a specific application, then reproduces, forwards and filters them. For example, an HTTP proxy handles only HTTP traffic and an FTP proxy only FTP traffic. Data for which there is no application proxy cannot be processed and is rejected.
The application proxy checks not only all protocols but also all content. It can therefore filter specific commands, filter malicious code, kill viruses, and inspect and filter content. Obviously the application proxy must have a caching function. The application gateway can prevent hidden-tunnel attacks.
Because the application gateway works on the seventh layer and is tied to a specific application whose protocol specifies all procedures, filtering rules are easier to design. The application proxy is easier to configure and manage than packet filtering.
By checking the complete packet, the application gateway is the most secure firewall.
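The checks an HTTP application proxy performs before relaying a request, as an added example that is not part of the article and not taken from any proxy product: the request is parsed as HTTP, only an allow-list of methods is relayed, header syntax and body length are verified, and anything that is not well-formed HTTP (for instance another protocol's banner arriving on the HTTP port) is refused. The method list, size limits and sample requests are constructed assumptions.

```python
# Added illustration: the protocol-aware check an HTTP application proxy
# performs before relaying a request. Not the page's code; the method
# allow-list, size limits and sample requests are constructed assumptions.
import re
from typing import Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}     # proxy policy: no CONNECT, TRACE, ...
MAX_HEADER_BYTES = 8192
MAX_BODY_BYTES = 1024 * 1024
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 7230 header-name token


def inspect_http_request(raw: bytes) -> Tuple[bool, str]:
    """Parse one complete request and return (relay?, reason).
    Anything that is not well-formed HTTP is rejected, which is what stops
    a non-HTTP protocol from riding through the proxy on port 80."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    if len(head) > MAX_HEADER_BYTES:
        return False, "headers too large"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in headers"
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "not an HTTP request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if not (target.startswith("/") or target.startswith("http://")):
        return False, "bad request target"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.fullmatch(name):
            return False, f"malformed header line {line!r}"
        headers[name.lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host"
    if "transfer-encoding" in headers:
        return False, "transfer-encoding not relayed by this proxy"
    length = headers.get("content-length")
    if length is None:
        if body:
            return False, "body without Content-Length"
    else:
        if not length.isdigit():
            return False, "non-numeric Content-Length"
        if int(length) > MAX_BODY_BYTES:
            return False, "body exceeds size limit"
        if len(body) != int(length):
            return False, "Content-Length does not match body"
    return True, "ok"


# Constructed sample traffic arriving on the proxy's HTTP port.
GOOD_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
GOOD_POST = b"POST /form HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 5\r\n\r\na=1&b"
CONNECT = b"CONNECT www.example.test:443 HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.0\r\n\r\n"        # another protocol on port 80
HUGE = b"POST /up HTTP/1.1\r\nHost: h\r\nContent-Length: 99999999\r\n\r\n"
TRAILING_DATA = b"GET / HTTP/1.1\r\nHost: h\r\n\r\nextra bytes after the request"

if __name__ == "__main__":
    for sample in (GOOD_GET, GOOD_POST, CONNECT, SSH_BANNER, HUGE, TRAILING_DATA):
        print(inspect_http_request(sample))
```

A port-based packet filter would pass every one of these samples because they all arrive on the HTTP port; the proxy passes only the two that are actually well-formed HTTP requests within policy, which is the "only accepts packets generated by the specific application" behaviour the text describes.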
Advantages:
- With SMP and multi-CPU support, the application gateway's impact on network performance is fully acceptable
- Prohibits direct connections, eliminating the hazard of tunnel attacks
- Checks protocol information, eliminating memory overflow attacks
- The highest security
Disadvantages:
- Poor performance if the system is not well designed
- High demands on the quality of the program
- Limited coverage, since each application needs its own proxy
- Dependent on the operating system
Stateful Inspection Packet Filter
Stateful inspection combines much of dynamic packet filtering, circuit gateways and application gateways. The stateful inspection packet filter has a fundamental capability: it can check all seven OSI layers. However, it works mainly on the third layer, the network layer, and mainly in dynamic packet-filtering mode.
Stateful inspection can also work like a circuit gateway and determine whether a packet in a session is normal, and it can check some content like a minimal application gateway. Just as with the application gateway, once these functions are used the firewall's performance drops sharply.
To a large extent, the success of the stateful inspection firewall is not a technical success but the success of a marketing concept. Stateful inspection simplifies many techniques and then combines them; it has not overcome their technical limitations. This is mainly manifested in one respect: the contradiction between high security and performance is not resolved.
Most stateful inspection firewalls are configured in dynamic packet-filtering mode, which achieves high performance but not high security.
Once a high-security mode is chosen, performance drops immediately.
The application gateway breaks the direct network connection and creates two connections, between which data is copied, checked and forwarded. Unlike the application gateway, stateful inspection does not break the direct network connection. This is the most famous dispute between stateful inspection and the application gateway.
It reflects a philosophical dispute about firewalls: what can be done and what is actually done are two different things.
The stateful inspection firewall satisfies the user's conflicting wishes for high performance and high security. It gives the user a plausible belief: I can achieve high security through configuration, but what I actually use now is layer-3, high-performance dynamic packet filtering.
Advantages:
- Provides the ability to inspect all seven OSI layers
- Does not change the current direct-connection mode
- Provides complete dynamic packet-filtering functionality
- Dynamic packet filtering provides higher speed
Disadvantages:
- Single-threaded stateful inspection has a large impact on performance, so most users run it in packet-filtering mode
- The direct connection is unsuitable for high security
- Security depends on how it is configured
- In dynamic packet-filtering mode, security is not very high
Switching Agent (Cutoff Proxy)
The switching agent is a hybrid of dynamic packet filtering and circuit proxy. Simply put, it first acts as a circuit proxy to perform the three-way handshake and any authentication required by the RFC, then switches to dynamic packet-filtering mode. It thus starts work on the session layer, the fifth layer of OSI, and moves to the network layer, the third layer, once authentication is complete and the connection is established. The switching agent is sometimes called an adaptive firewall. Obviously it has the security of the session layer and the efficiency of the network layer.
It is important to know what the switching agent is, but more important to know what it is not. The switching agent is not a traditional circuit proxy, and it does not break the direct connection. We note that it provides a balance between security and efficiency, and we believe every firewall architecture has its own place in Internet security. If your security policy requires access authentication and checking of the three-way handshake but does not require breaking the direct connection, the switching agent is a good choice. However, the user should understand that the switching agent is not a circuit proxy and that the direct connection is not broken.
Advantages:
- Relatively low impact on network performance
- The three-way handshake check reduces the possibility of IP forgery and spoofing
Disadvantages:
- Not a circuit proxy
- Has the shortcomings of dynamic packet filtering
- Does not check data, so provides lower security
- Rules are difficult to design
New ideas: physical isolation
As firewalls developed, people finally realized their limitations in security. The contradiction between high performance, high security and ease of use has not been well resolved. The defects of firewall architecture in high security drove people to pursue higher-security solutions and to expect more technical means; physical isolation technology came into being.
Physical isolation is a dark horse in the security market. After a long clarification of the marketing concept and a marathon of technical evolution, the market has finally accepted that physical isolation offers the highest security. All the requirements of high security are concentrated in physical isolation: break the direct connection; not merely check all protocols but strip the protocols away to recover the most original data; check and scan the data; prevent malicious code and viruses; even check the properties of the data; do not support TCP/IP; do not depend on the operating system. In one sentence: completely check all seven layers of OSI and reassemble all data on a heterogeneous medium (above the seventh layer, an eighth layer?). Physical isolation has made great technical breakthroughs. First, in performance, physical isolation using SCSI reaches 320 Mbps, and using real-time switching reaches 1000 Mbps. In security, the current security problems are in theory solved. This is the main reason governments and militaries mandate physical isolation.
Advantages:
- Breaks the direct connection
- Powerful checking mechanism
- The highest security
Disadvantages:
- The protocol is not transparent: there must be a specific implementation for each protocol
Physical isolation: disconnecting from the Internet
Position
Physical isolation technology does not replace firewalls, intrusion detection, vulnerability scanning or anti-virus systems; on the contrary, it is another cornerstone of the user's "defense in depth" security strategy. Physical isolation technology exists purely to solve the security problem of the Internet, not any other problem.
Problems physical isolation solves
It solves the fundamental problems of current firewalls:
- Dependence on the operating system, since the operating system also has vulnerabilities
- TCP/IP protocol vulnerabilities: there is no TCP/IP
- Firewall vulnerability: the internal network and the DMZ are directly connected
- Application protocol vulnerabilities, since commands and instructions may be illegal
- Files carrying viruses and malicious code: MIME is not supported, only TXT, or anti-virus software or malicious code checking software is used
The guiding idea of physical isolation differs greatly from the firewall: (1) the idea of the firewall is to be as secure as possible while guaranteeing interconnection, and (2) the idea of physical isolation is to interconnect as far as possible while guaranteeing that it is safe to do so.
Operating system vulnerability: the operating system is a platform that must support a wide range of applications, and it has the following characteristics: the more functions it has, the more vulnerabilities; the newer it is, the more vulnerabilities; the more people use it, the greater the chance that vulnerabilities are found; the more widely it is used, the greater the chance of a vulnerability being exposed.
An attacker attacking a firewall generally attacks the operating system first; once the operating system is controlled, the firewall is controlled.
TCP/IP vulnerability: TCP/IP is a product of the Cold War period, whose goal was to guarantee that communication gets through. Data integrity is ensured by regular acknowledgement, and unacknowledged data is retransmitted. TCP/IP has no built-in control mechanism supporting authentication of the source address, that is, confirming where an IP packet really comes from. This is the root cause of TCP/IP's vulnerability. An attacker exploits it to intercept data with a sniffer, inspect it, guess the TCP sequence number, modify the transmission route, modify the authentication process and insert the attacker's own data stream. The Morris worm used this to cause huge harm to the Internet.
Firewall vulnerability: the firewall must keep the corresponding ports open. If the firewall is to allow HTTP service, port 80 must be open; to provide mail service, port 25 must be open. The firewall cannot prevent attacks on an open port. Under DoS or DDoS against an open port, the firewall cannot block it. It cannot prevent attacks carried in the data flowing through an open service, cannot prevent hidden tunnels built on the data of an open service, and cannot prevent attacks on software defects in an open service. The firewall cannot prevent itself from being attacked; it can only resist. It is a passive defense mechanism, not an active security mechanism: it cannot intervene before a packet reaches it, and if that packet attacks the firewall, it can only resist once the attack has happened, not prevent it.
There is currently no technology that solves all security problems, but the deeper the defense in depth, the safer the network. Physical isolation is the only security device that can solve the problems above.
Physical isolation technology routes
At present there are three physical isolation technology routes: Network Switcher, Real-Time Switch and One Way Link.
The network switcher is relatively easy to understand. Two virtual systems and one data system are installed on one machine; data is written to one virtual system, switched to the data system, and then switched to the other virtual system.
The real-time switch is equivalent to a switching device shared between two systems: the switching device connects to network A to fetch the data, then switches to network B.
The one-way link originally referred to data moving in only one direction, generally from the high-security network to the low-security network.
Physical isolation technology principle
The architecture of physical isolation technology is isolation itself. The following figures give a clear idea of how physical isolation is implemented.
In Figure 1, the external network is the Internet, and the intranet is the high-security internal private network. In the normal state, the isolation device and the external network, the isolation device and the intranet, and the external network and the intranet are all completely disconnected, ensuring that the networks are entirely disconnected.
The isolation device can be understood as a pure storage medium plus a simple scheduling and control circuit.
When the external network has data to deliver to the intranet, the external server initiates a non-TCP/IP data connection to the isolation device. The isolation device strips all protocols and writes the original data to its storage medium. Depending on the application, integrity and security checks such as anti-virus and malicious code scanning may be needed. See Figure 2 below. Once the data is completely written to the storage medium, the isolation device immediately breaks the connection to the external network and instead initiates a non-TCP/IP data connection to the intranet, pushing the data in the storage medium to the intranet. After receiving the data, the intranet side re-encapsulates it in TCP/IP and the application protocol and hands it to the application system.
At this point the intranet mail system has received an email from the external network via the isolation device. See Figure 3 below.
After the console receives the swap-complete signal, the isolation device immediately cuts off its direct connection to the intranet. See Figure 4 below.
Likewise, if the intranet has an email to send: after the isolation device receives the intranet's request, a non-TCP/IP data connection is established with the intranet. The isolation device strips all TCP/IP and application protocols to obtain the original data and writes it to its storage medium, with anti-virus and anti-malware checks if necessary. It then breaks the direct connection to the intranet. See Figure 5 below.
Once the data is fully written to the storage medium, the isolation device immediately breaks the connection with the intranet and initiates a non-TCP/IP data connection to the external network, pushing the data in the storage medium to the external network. After receiving the data, the external network side immediately re-encapsulates it in TCP/IP and the application protocol and hands it to the system. See Figure 6 below. After the console receives the processing-complete signal, it immediately breaks the connection between the isolation device and the external network and returns to the fully isolated state. See Figure 7 below.
Each data exchange takes the isolation device through three stages: receive, store and forward. Since these are completed in memory and in the kernel, 100% bus processing capacity is guaranteed.
A feature of physical isolation is that the intranet and external network are never connected to each other; at any moment at most one of them is connected to the isolation device, and only through a non-TCP/IP protocol. Its data transmission mechanism is store-and-forward.
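The receive / store / forward cycle just described, together with the seven points listed at the start of the article (the two networks never on the device at once, protocols stripped, content checked, TXT-like data only), as an added model that is not the article's code and not any isolation product's firmware. The message format, the text-only content policy and the mail samples are constructed assumptions; the point of the model is that the control circuit refuses to open the second side while the first is still connected, and that a payload failing the content check is discarded before the destination side is ever connected.

```python
# Added illustration: a model of the isolation device's receive / store /
# forward cycle with the "never connected to both sides" rule enforced.
# Not the page's code; the message format, the text-only content check and
# the mail samples are constructed assumptions.
from typing import Callable, Dict, List, Tuple

Check = Callable[[bytes], Tuple[bool, str]]


class IsolationViolation(Exception):
    """Raised if anything tries to connect a second side while one is open."""


class Network:
    """One side of the device: a name and a mailbox of re-encapsulated messages."""
    def __init__(self, name: str):
        self.name = name
        self.inbox: List[Dict] = []

    def deliver(self, message: Dict) -> None:
        self.inbox.append(message)


def strip_protocol(message: Dict) -> bytes:
    """Drop the TCP/IP and application-protocol layers; keep only raw data."""
    return message["data"]


def encapsulate(app: str, data: bytes) -> Dict:
    """Destination side wraps the raw data in the application protocol again."""
    return {"app": app, "data": data}


def text_only(data: bytes) -> Tuple[bool, str]:
    """Constructed content policy in the spirit of 'TXT only': UTF-8 text made
    of printable characters and ordinary whitespace, nothing else."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not UTF-8 text"
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return True, "text"
    return False, "control characters in payload"


class IsolationDevice:
    def __init__(self, content_check: Check):
        self.content_check = content_check
        self.connected_to = None       # None = fully isolated state
        self.medium: bytes = b""       # storage medium between the two stages
        self.trace: List[str] = []     # what the control circuit did, in order

    def _connect(self, net: Network) -> None:
        if self.connected_to is not None:
            raise IsolationViolation(
                f"still connected to {self.connected_to.name}, refusing {net.name}")
        self.connected_to = net
        self.trace.append(f"connect:{net.name}")

    def _disconnect(self) -> None:
        self.trace.append(f"disconnect:{self.connected_to.name}")
        self.connected_to = None

    def exchange(self, src: Network, dst: Network, message: Dict) -> bool:
        # Stage 1: receive from the source side, strip protocols, check, store.
        self._connect(src)
        data = strip_protocol(message)
        ok, reason = self.content_check(data)
        if ok:
            self.medium = data
        self._disconnect()                 # source side is cut before forwarding
        if not ok:
            self.trace.append(f"reject:{reason}")
            return False
        # Stage 2: connect the destination side, forward, clear the medium.
        self._connect(dst)
        dst.deliver(encapsulate(message["app"], self.medium))
        self.medium = b""
        self._disconnect()                 # back to the fully isolated state
        return True


def never_dual_connected(trace: List[str]) -> bool:
    """Replay the trace: a 'connect' while a side is open breaks the rule."""
    open_side = None
    for event in trace:
        kind, _, side = event.partition(":")
        if kind == "connect":
            if open_side is not None:
                return False
            open_side = side
        elif kind == "disconnect":
            open_side = None
    return open_side is None


def demo() -> Tuple[List[bool], List[str], int, int]:
    """Three constructed exchanges; returns verdicts, trace and inbox sizes."""
    outer, inner = Network("outer"), Network("inner")
    device = IsolationDevice(text_only)
    mail_in = {"app": "smtp", "data": b"Subject: hello\r\n\r\nplain text mail"}
    bad = {"app": "smtp", "data": b"MZ\x90\x00\x03 not text at all"}
    mail_out = {"app": "smtp", "data": b"Subject: re: hello\r\n\r\nreply"}
    results = [device.exchange(outer, inner, mail_in),
               device.exchange(outer, inner, bad),
               device.exchange(inner, outer, mail_out)]
    return results, device.trace, len(inner.inbox), len(outer.inbox)
```

The trace produced by demo() is the auditing record the article's fifth point asks for: every connect and disconnect of the control circuit, and every rejection with its reason, in order, which is what never_dual_connected replays to confirm the isolation rule held throughout.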
The benefits of physical isolation are obvious: even in the worst case for the external network, the intranet suffers no damage, and the external network system is also very easy to repair.