The hottest isolation hardware design based on Emb


The rapid development of the Internet has greatly increased the degree of information sharing, so the problem of information security has become increasingly prominent, and the only workable response is to address information security and network security actively. At present the most commonly used network security measure at home and abroad is firewall software, but firewall software has two inherent defects. First, the networks separated by a firewall still exchange information over the TCP/IP protocol, and TCP/IP itself has vulnerabilities; a firewall cannot guard against flaws in the very protocol it forwards. Second, a firewall cannot operate independently of its operating system; both the operating system and the firewall software have vulnerabilities, so the firewall cannot prevent the network security problems those vulnerabilities cause [1]. It is therefore necessary to develop a corresponding application system. Based on an analysis of existing firewall technology and physical isolation technology, this paper proposes a dual-channel real-time switching technology with buffering. A network isolator designed with this technology can carry real-time data. At the same time, this paper proposes a technical scheme for the safe forwarding of data in a physically isolated environment, which gives the network isolator good security performance.

2 principle of physical isolation technology

2.1 introduction

Physical isolation means that the internal network cannot be connected to the external network, directly or indirectly; that is, the two are not interconnected [2]. By breaking the connection between the internal and external networks, physical isolation technology does not run the TCP/IP protocol and does not depend on an operating system. This addresses the fundamental problems in current network security, namely the security problems caused by operating system vulnerabilities and TCP/IP protocol vulnerabilities; it effectively prevents malicious code, viruses and network intrusion, and meets the requirements of confidentiality, integrity, availability, controllability and auditability.

2.2 physical isolation technology

At present, the physical isolation technologies commonly used at home and abroad are the single hard disk physical isolation card and dual motherboard physical isolation technology.

2.2.1 single hard disk physical isolation card

This technology divides the computer's single hard disk into a public partition and a secure partition at the physical level, and each partition carries its own operating system. In operation the user works in one of two mutually exclusive operating environments, the secure state or the public state, which isolates the internal side from the external side. The disadvantage of this technology is that it cannot transmit real-time data.

2.2.2 dual motherboard physical isolation technology

Data transmission between the two motherboards is carried out through a dual-port RAM rather than over a network. The dual-port RAM is divided into two areas: the first is the channel for one-way data transfer from the internal client to the external server, the second is the channel for one-way data transfer from the external client to the internal server. Normally the internal and external sides are disconnected and the dual-port RAM is disconnected from both; only when there is data to transfer is it passed between the internal and external sides through the dual-port RAM [3].

3 technical principle of network isolator

At present, real-time switching in a network isolator is realized mainly by SCSI-based switching technology and bus-based switching technology.

A network isolator based on bus real-time switching technology uses dual-port static memory (dual-port SRAM) together with a control circuit built around an independent ARM processor; the two ports are each connected to an independent host computer through a switch, as shown in Figure 1. The ARM, acting as an independent control circuit, ensures that each port of the dual-port SRAM has a switch and that the two switches are never closed at the same time, that is, K1·K2 = 0.

A network isolator based on SCSI switching technology is similar to Figure 1, except that the data channel is a SCSI hard disk interface, the storage medium is a SCSI hard disk, and the control unit is a specially designed hardware circuit board.

The data exchange principle of the system is as follows, taking outside-to-inside transfer as an example. First, the external host strips the TCP/IP and application protocol headers from the data received from outside, recovering the original data, and at the same time checks its integrity and security. After the data passes this check it is passed to the switching device; the internal host then receives this batch of data, re-encapsulates it with the TCP/IP and application protocols, and sends it on to the inside. Inside-to-outside transfer is the reverse.

For example, when data needs to pass from outside to inside, the external server immediately initiates a non-TCP/IP data connection to the isolation device, and the isolation device strips all protocols and writes the original data to the storage medium. Depending on the application, the integrity and security of the data may need to be checked, for example by anti-virus and malicious-code scanning.

Once the data has been completely written to the isolation device's storage medium, the device immediately breaks the connection with the outside and instead initiates a non-TCP/IP data connection to the inside. The isolation device pushes the data in the storage medium inward; after receiving the data, the internal side immediately re-encapsulates it with the TCP/IP and application protocols and hands it to the application system.

At this point the internal e-mail system receives the e-mail forwarded from the external e-mail system through the isolation device. After the console receives the signal that the exchange is complete, the isolation device immediately cuts off its direct connection with the

If there is e-mail to be sent out at this time, the isolation device establishes a non-TCP/IP data connection with the inside on receiving the connection request. The isolation device strips all TCP/IP and application protocols, obtains the original data and writes it to its storage medium, carrying out anti-virus and malicious-code inspection if necessary. It then breaks the direct connection with the. After the information has been received and processed, the console immediately breaks the connection between the isolation device and the outside and restores the fully isolated state.

In every data exchange the isolation device goes through three steps: accept, store and forward. Because these steps are completed in memory and in the kernel, speed is guaranteed and can reach the full processing capacity of the bus [4].
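The accept, store and forward sequence above, written out as a small C model. This is an added example and not code from the paper or its device: the storage size, the link names, the sample payloads and the "EICAR" marker used as a stand-in for the malicious-code inspection are all assumptions made for illustration. The point it makes concrete is the ordering: the medium is wired to at most one side at any moment, the inspection runs while it is wired to neither, and rejected data is cleared rather than forwarded.

```c
/* Added example, not from the paper: a C model of the accept -> store ->
 * forward exchange. Names, the payload, the storage size and the scan rule
 * are assumptions made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STORE_SIZE 256

enum link { LINK_NONE = 0, LINK_EXT = 1, LINK_INT = 2 };

struct isolator {
    enum link link;                  /* which side the storage medium is currently wired to */
    unsigned char store[STORE_SIZE]; /* the isolation device's storage medium */
    size_t len;
    int dual_link_attempts;          /* requests that would have wired both sides at once */
};

void isolator_init(struct isolator *iso) { memset(iso, 0, sizeof *iso); }

/* Wire the medium to one side. It is either fully isolated or wired to exactly
 * one side; a request while the other side is wired is refused and counted. */
bool link_connect(struct isolator *iso, enum link side) {
    if (iso->link != LINK_NONE && iso->link != side) {
        iso->dual_link_attempts++;
        return false;
    }
    iso->link = side;
    return true;
}

void link_disconnect(struct isolator *iso) { iso->link = LINK_NONE; }

/* Stand-in for the anti-virus / malicious-code inspection (assumption): refuse
 * any payload containing the marker string "EICAR". */
bool scan_payload(const unsigned char *p, size_t n) {
    static const char marker[] = "EICAR";
    const size_t m = sizeof marker - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, marker, m) == 0)
            return false;
    return true;
}

/* One outside-to-inside exchange on already de-encapsulated data (the external
 * host has removed the TCP/IP and application headers). Returns the number of
 * bytes handed to the internal side, 0 if the inspection rejected the data,
 * or -1 on a size or link-state error. The internal side is only connected
 * after the external side has been disconnected. */
int isolator_exchange_in(struct isolator *iso, const unsigned char *raw, size_t n,
                         unsigned char *out, size_t outcap) {
    if (n > STORE_SIZE || n > outcap)
        return -1;

    /* 1. accept: write the raw data into the storage medium */
    if (!link_connect(iso, LINK_EXT))
        return -1;
    memcpy(iso->store, raw, n);
    iso->len = n;
    link_disconnect(iso);                   /* device is now isolated from both sides */

    /* 2. store and inspect while isolated */
    if (!scan_payload(iso->store, iso->len)) {
        memset(iso->store, 0, iso->len);    /* clear the rejected data */
        iso->len = 0;
        return 0;
    }

    /* 3. forward: wire the medium to the inside and push the data */
    if (!link_connect(iso, LINK_INT))
        return -1;
    memcpy(out, iso->store, iso->len);
    size_t sent = iso->len;
    memset(iso->store, 0, iso->len);
    iso->len = 0;
    link_disconnect(iso);                   /* back to the fully isolated state */
    return (int)sent;
}

int main(void) {
    struct isolator iso;
    unsigned char out[64];
    isolator_init(&iso);
    /* constructed sample payloads */
    int a = isolator_exchange_in(&iso, (const unsigned char *)"hello mail", 10, out, sizeof out);
    int b = isolator_exchange_in(&iso, (const unsigned char *)"xxEICARxx", 9, out, sizeof out);
    printf("clean payload forwarded: %d bytes, flagged payload forwarded: %d bytes\n", a, b);
    return 0;
}
```

A real device enforces the single-link rule in hardware; the `dual_link_attempts` counter here only makes a violation observable in the model, which is useful when testing the control firmware's sequencing against a stuck link.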

4 Design of isolation hardware

Data exchange in the network isolator is completed by reading and writing the memory chip on the isolation hardware. Since the memory chip serves as the storage area for internal and external data exchange, the design of access to it determines the isolator's data exchange speed. To meet the speed requirement, the dual-channel real-time switching technology with buffering is adopted.

The dual-port static memory is divided into two storage areas, A and B.

The external host can only write data to A or read data from B through K1, while the internal host can only read data from A or write data to B through K2. The constraints on K1 and K2 are K1a·K2c = 0 and K1b·K2d = 0 (here K1a and K1b are the external side's switch contacts on A and B, and K2c and K2d the internal side's contacts on A and B). In this way the bidirectional data channel becomes two unidirectional data channels. This improves on the original design, in which whenever one of the internal or external processing units was reading or writing the isolation hardware the other could not access it at all: now both sides can be in a reading or writing state at the same time. However, this structure still has a read-write conflict problem. For example, while the external host is writing data to A through K1 the internal host cannot read data from A, and while the internal host is reading data from A the external host cannot write data to A; the same applies to operations on B. Therefore a dual-channel real-time switching technology with buffering is proposed.

Figure 2 is the schematic diagram of the dual-channel real-time switching technology with buffering.

Storage areas A and B are each divided into N equal small storage areas Ai and Bi (1 ≤ i ≤ N), and the constraints on K1 and K2 become K1Ai·K2Ai = 0 and K1Bi·K2Bi = 0.

With this improvement, while one of the internal and external hosts is accessing Ai or Bi, the other can still access Aj or Bj (i ≠ j). This reduces the probability of read-write conflict and improves the efficiency of the data channel, thereby increasing the speed of data exchange between the internal and external networks.
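The switch constraints of section 4, modelled as a C arbiter that a control processor such as the ARM in Figure 1 could run. This is an added example, not the paper's design or firmware: the host and area names, the block count, the direction rule as encoded below and the round-robin access trace are assumptions for illustration. The simulation contrasts N = 1 (the unbuffered two-area design, where K1a·K2c = 0 refuses every concurrent read of A) with N > 1, where the writer and reader work on different sub-blocks and the constraint K1Ai·K2Ai = 0 is never hit.

```c
/* Added example, not from the paper: a C model of the switch arbiter for the
 * buffered dual-channel design. Block count, host names and the access trace
 * are assumptions made for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_BLOCKS 8

enum host { EXT_HOST = 0, INT_HOST = 1 };   /* K1 belongs to EXT_HOST, K2 to INT_HOST */
enum area { AREA_A = 0, AREA_B = 1 };       /* A carries ext->int data, B carries int->ext */
enum op   { OP_READ = 0, OP_WRITE = 1 };

struct arbiter {
    int nblocks;                      /* N sub-blocks per area; N = 1 is the unbuffered design */
    bool closed[2][2][MAX_BLOCKS];    /* closed[host][area][i]: contact K1/K2 on A_i or B_i */
};

void arbiter_init(struct arbiter *ab, int nblocks) {
    memset(ab, 0, sizeof *ab);
    ab->nblocks = nblocks > MAX_BLOCKS ? MAX_BLOCKS : nblocks;
}

/* Direction rule from the text: the external host only writes A or reads B,
 * the internal host only reads A or writes B. */
bool direction_allowed(int host, int area, int op) {
    if (host == EXT_HOST)
        return (area == AREA_A && op == OP_WRITE) || (area == AREA_B && op == OP_READ);
    return (area == AREA_A && op == OP_READ) || (area == AREA_B && op == OP_WRITE);
}

/* Try to close the requesting host's contact on block i. Enforces
 * K1Ai*K2Ai = 0 and K1Bi*K2Bi = 0: the other host's contact on the same
 * block must be open. Returns true if the contact closed. */
bool arbiter_acquire(struct arbiter *ab, int host, int area, int i, int op) {
    if (i < 0 || i >= ab->nblocks) return false;
    if (!direction_allowed(host, area, op)) return false;
    if (ab->closed[1 - host][area][i]) return false;   /* conflict on A_i / B_i */
    ab->closed[host][area][i] = true;
    return true;
}

void arbiter_release(struct arbiter *ab, int host, int area, int i) {
    if (i >= 0 && i < ab->nblocks)
        ab->closed[host][area][i] = false;
}

/* Constructed workload: for `steps` cycles the external host writes A in
 * round-robin block order while the internal host reads the block written in
 * the previous cycle. Returns the number of internal reads refused, or -1 if
 * the writer itself was ever refused (which this schedule never causes). */
int simulate_pipeline(int nblocks, int steps) {
    struct arbiter ab;
    int refused = 0;
    arbiter_init(&ab, nblocks);
    for (int t = 0; t < steps; t++) {
        int wr = t % ab.nblocks;
        if (!arbiter_acquire(&ab, EXT_HOST, AREA_A, wr, OP_WRITE))
            return -1;
        if (t > 0) {
            int rd = (t - 1) % ab.nblocks;
            if (arbiter_acquire(&ab, INT_HOST, AREA_A, rd, OP_READ))
                arbiter_release(&ab, INT_HOST, AREA_A, rd);
            else
                refused++;                /* K1Ai*K2Ai = 0 blocked the read */
        }
        arbiter_release(&ab, EXT_HOST, AREA_A, wr);
    }
    return refused;
}

int main(void) {
    printf("refused reads over 16 cycles, N=1: %d\n", simulate_pipeline(1, 16));
    printf("refused reads over 16 cycles, N=4: %d\n", simulate_pipeline(4, 16));
    return 0;
}
```

The direction check is deliberately separate from the conflict check: the former is the property that turns one bidirectional channel into two one-way channels, the latter is the per-block mutual exclusion. A grant must fail closed on either, since a contact that closes against the direction rule would let the external host read A, the area that only the internal side should be able to read.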

5 design of data security forwarding scheme in physical isolation environment

The design goal of the data security forwarding scheme in a physically isolated environment is to achieve safe, dynamic and real-time data exchange while keeping the internal and external sides isolated.

The store-and-forward framework consists of an external processing unit, data forwarding areas, an internal processing unit, a physical isolation module, an on-off control circuit and other functional parts. Among them:

(1) The external processing unit is responsible for determining and collecting external data as required by internal users, for example by specifying the target site to access.

(2) The data forwarding areas are responsible for temporarily storing and forwarding internal and external data. During an exchange the internal processing unit exports data to the internal forwarding area, or the external processing unit imports data to the external forwarding area. Whether data is exchanged between the internal and external forwarding areas is decided by the isolation hardware according to the user's forwarding authority; when the user has no forwarding authority, the external forwarding area is completely separated from the internal forwarding area.

(3) The internal processing unit scans and analyses, screens and filters, and virus-checks the data according to a preset security policy. Data coming from or going to the outside is blocked if it violates the established security rules.

(4) The physical isolation hardware separates the internal and external networks at the level of physical conduction. It sits at the lowest physical layer, and internal/external data forwarding is performed by the isolation hardware operating the on-off control circuit. In any given period the isolation hardware can accept a forwarding request from either the internal processing unit or the external processing unit, never from both at once, so the internal and external forwarding areas never forward data in both directions at the same time. A failure of the isolation hardware only affects the performance of internal/external data exchange and does not affect internal security.

(5) The on-off control circuit controls the line connection between the internal and external forwarding areas, and controls the forwarding or clearing of data in the forwarding areas. In general, only users and roles granted data forwarding permission can connect the internal and external forwarding areas, and forwarding in the permitted direction is carried out only after the physical isolation hardware has checked that the requested forwarding permission matches the permission in the object list.

6 Conclusion

This paper improves the dual-channel real-time switching technology and proposes a dual-channel real-time switching technology with buffering. With it, bidirectional data transmission between the internal and external sides is converted into two unidirectional transmissions, which greatly improves the transmission speed; a security scheme for data transmission in a physically isolated environment is also proposed. Together these ensure isolation between the internal and external sides in both hardware and software, raise the level of defence against network attacks and leaks by hackers and other criminals, eliminate most network security risks, and play an important role in maintaining the information security and safe operation of industrial control systems.

Copyright © 2011 JIN SHI