Physical isolation: function and technology analysis
◎ Positioning of the physical isolation gateway. Physical isolation technology is not meant to replace firewalls, intrusion detection, vulnerability scanning or anti-virus systems; on the contrary, it is another cornerstone of the user's "defense in depth" security strategy, generally used to protect the "core". Physical isolation technology is aimed squarely at solving the security problems of the Internet, not other problems.
◎ Problems that physical isolation solves. Physical isolation addresses the fundamental problems of current firewalls:
· The firewall depends on the operating system, and the operating system itself has vulnerabilities.
· TCP/IP protocol vulnerabilities: the firewall, the internal network and the DMZ are directly connected over TCP/IP.
· Application protocol vulnerabilities, because commands and instructions may be illegal.
· Files carrying viruses and malicious code: either MIME is not supported and only TXT is allowed, or anti-virus software or malicious-code checking software must be relied on.
The guiding idea of physical isolation is very different from that of a firewall: (1) the firewall's idea is to be as secure as possible on the premise of guaranteeing interconnection; (2) physical isolation's idea is to interconnect only as far as it can be done securely, on the premise of guaranteeing security.
◎ TCP/IP vulnerabilities. TCP/IP is a product of the Cold War; its goal was to guarantee communication and guarantee delivery. Data integrity is ensured by periodic acknowledgement, and anything not acknowledged is retransmitted. TCP/IP has no internal control mechanism to support authentication of the source address, that is, to confirm where an IP packet actually came from. This is the root cause of TCP/IP's vulnerability. Hackers exploit this weakness of TCP/IP to intercept data with a sniffer; the data can then be inspected, the TCP sequence numbers guessed, the transmission route modified, the authentication process modified, and the hacker's own data stream inserted. The Morris virus exploited exactly this and caused enormous damage to the Internet.
◎ Firewall vulnerabilities. A firewall must keep the corresponding ports open. If the firewall is to allow HTTP service, port 80 must be opened; to provide mail service, port 25 must be opened. Attacks against an open port the firewall cannot prevent. A DoS or DDoS attack against an open port the firewall cannot stop. The firewall cannot prevent attacks that use data flowing in through an open service. The firewall cannot prevent a hidden tunnel carried inside the data of an open service. Attacks on software defects in an open service the firewall cannot prevent. The firewall cannot prevent attacks on itself; it can only fight back. The firewall is in itself a passive defense mechanism, not an active security mechanism. The firewall cannot interfere with packets addressed to the firewall itself: if such a packet is attacking the firewall, the firewall can only respond once the attack has already happened, and cannot prevent it. At present no technology solves all security problems, but the deeper the defense, the safer the network. The physical isolation gateway is the only security device that can solve the above problems.
◎ Principles of physical isolation technology. The architecture of physical isolation technology is isolation itself. The following figures give a clear picture of how physical isolation is implemented. In Figure 1, the external network is the Internet, which is not highly secure, and the intranet is a high-security internal private network. Under normal circumstances, the isolation device and the external network, the isolation device and the intranet, and the external network and the intranet are all completely disconnected, which guarantees that the networks are completely cut off from each other.
The isolation device can be understood as a pure storage medium plus a simple scheduling and control circuit. When data on the external network needs to reach the intranet, the external server immediately initiates a non-TCP/IP data connection to the isolation device; the isolation device strips off all protocols and writes the raw data to the storage medium. Depending on the application, integrity and security checks may be required at this point, such as anti-virus and malicious-code checks. See Figure 2 below.
Once the data has been completely written to the isolation device's storage medium, the isolation device immediately breaks the connection to the external network and instead initiates a non-TCP/IP data connection to the intranet. The isolation device pushes the data in the storage medium to the intranet. After receiving the data, the intranet side re-encapsulates it in TCP/IP and the application protocol and hands it to the application system. At this point the intranet e-mail system has received an e-mail from the external network through the isolation device. See Figure 3 below.
After the console receives the signal that the exchange is complete, the isolation device immediately cuts off the direct connection between the isolation device and the intranet. See Figure 4 below.
Likewise, suppose the intranet has an e-mail to send. After the isolation device receives the request from the intranet, a non-TCP/IP data connection is established between the isolation device and the intranet. The isolation device strips off all TCP/IP and application protocols to obtain the raw data and writes the data to its storage medium, performing anti-virus processing and malicious-code checks if necessary. It then breaks the direct connection to the intranet. See Figure 5 below.
Once the data has been fully written to the isolation device's storage medium, the isolation device immediately breaks the connection with the intranet and instead initiates a non-TCP/IP data connection to the external network. The isolation device pushes the data in the storage medium to the external network. After receiving the data, the external network side immediately re-encapsulates it in TCP/IP and the application protocol and hands it to the system. See Figure 6 below.
After the console receives notice that processing is complete, the console immediately breaks the connection between the isolation device and the external network, returning to the fully isolated state. See Figure 7 below.
Each data exchange passes through three stages in the isolation device: data reception, storage and forwarding. Since these rules are executed in memory and in the kernel, 100% bus processing capacity is guaranteed. A defining feature of physical isolation is that the intranet and the external network are never connected to each other: at any one time, only one of the two networks has a non-TCP/IP data connection established with the isolation device. Its data transfer mechanism is store-and-forward. The benefits of physical isolation are obvious: even if the external network is in the worst possible state, the intranet suffers no damage, and repairing the external network system is also very easy.