Programme background
According to the technical requirements for information confidentiality, a classified (secret-related) network may not be connected directly to the internet. When a classified network is connected to an unclassified network, the isolation device depends on how that unclassified network is connected: if it is physically isolated from the internet, a two-way gateway is used to isolate the classified and unclassified networks; if it is only logically isolated from the internet, a one-way gateway is used, so that classified data cannot flow from the higher-classification network to the lower-classification network.
The gateway's isolation function is based on directional "ferrying" of data. The principle is to simulate manual "copying" of data rather than to establish a "physical path" between the two networks. In its general form, therefore, the gateway "strips" the application data, ferries it to the other side, and then delivers it to the destination over normal communication. From a security point of view, the less format information the ferried data carries, the better; raw data with no format at all is best, because plain text without a format cannot hide non-data content, which reduces the number of vectors that can carry a virus.
The gateway cuts off the upper-layer communication protocols and services and sees only the raw data. To achieve "isolation", a private communication protocol or storage protocol is used, which means that all protocol overhead is stripped completely and the ferried data is as clean as possible. To make the "ferried business" workable, however, a business proxy server is set up on each side of the gateway, so that the business remains logically connected.
Although the gateway transmits real data, once the proxy has stripped the protocol, each ferried unit may no longer be a complete piece of content. This makes security inspection difficult: an attacker can divide a "worm" into several fragments and pass them separately, and a fragment as small as a single command is hard to recognise without reassembling it; and if "executable code" binaries are passed, it is hard for the gateway to distinguish data from an attack.
The gateway adopts a closed-by-default strategy for unfamiliar services and opens only the controllable business services that it considers necessary. The gateway therefore still has a certain isolating effect between networks of different classification levels.
Under the confidentiality requirements for classified information, high-classification data in a high-level network must not flow to a low-level network, while low-classification data may flow to a high-level network (the data confidentiality requirement). This calls for one-way data flow. If only one-way data flow is retained, the confidentiality requirement is met, and for this case a one-way gateway is needed.
Solution
A one-way gateway uses specific technology to allow data to flow in one direction only. The one-way optical fibre network card produced by Beijing Guangrun Tong Company is the key hardware component for realising a one-way gateway.
The commonly used techniques for realising one-way data transmission are as follows:
Forced transmission:
A normal optical fibre network card starts working only when the receiver sees data. Forced transmission pulls the receiver's voltage high so that it is always in the working state. The whole card is then kept in an abnormal state, and in particular the main chip of the fibre card runs in a pathological state, which is prone to packet loss.
Using an optical splitter:
Common optical splitters come in two ratios, 2:8 or 5:5. Only 2 (or 5) parts of the light source remain on the main link, while 8 (or 5) parts go to the receiver. Using a splitter therefore weakens the signal on the main link; the signal on the branch is not strong either, and signal loss is easy to cause.
GRT one-way transmission network card:
GRT's independently developed one-way transmission card realises one-way transmission by modifying the circuit and supporting modules, without changing the working state of the fibre card or reducing the signal strength. Such a card always stays in its normal working state and the signal is not weakened, so there is no packet loss or packet corruption, and one-way transmission operates normally over the long term.
The GRT one-way optical fibre network card is a one-way transmission gateway for computer networks and belongs to the technical field of computer networking. It consists of a sender Ethernet fibre card, a receiver Ethernet fibre card and the optical fibre line connecting them. The module of the sender card has only a transmit port, and the module of the receiver card has only a receive port; the transmit port of the sending card and the receive port of the receiving card are connected by a single optical fibre. This not only realises physical isolation between the computer's internal network and the external network, but also ensures real-time, reliable and secure one-way transmission of data between the internal and external networks.
Because a one-way network card (one-way gateway) transfers data in a fixed direction, it is very useful for moving data between the internal and external networks of many government bodies.
File transfer: the government intranet is a classified network and is "physically isolated" from the external network (which is connected to the internet), yet many government documents on the external network need to be used on the intranet, and copying them manually is a heavy workload. A one-way gateway can transfer files from the external network to the intranet while meeting the data confidentiality requirement.
Information collection: the external network is connected to the internet and is the government's window for external services, and the internet itself is a treasure trove of information; but a large amount of information cannot be passed promptly to the relevant systems on the intranet, which makes summarising and statistical work difficult. If a server on the external network collects the relevant internet information and sends it to the intranet through a one-way gateway, the timeliness of the information can be guaranteed.
Mail forwarding: government staff often have to check two mailboxes, one on the intranet and one on the external network, which is very inconvenient. If a mail proxy server is set up on the external network that forwards received mail promptly to the intranet mail server, staff no longer need to go to the external network to collect mail.
Since the one-way gateway has no reverse data channel, it also has a certain effect in suppressing hacker intrusion. A hacker attack must obtain information back from the target; if communication is one-way, the hacker's means of control is cut off and there is no "gain", so there is no point in attacking.
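The ferry described above (raw data stripped of its protocol, proxied on each side, and with no reverse channel, so loss can never be signalled back) as an added Python example; this is not GRT's code and does not reflect their actual frame format. The sender emits sequenced frames carrying a whole-file hash and repeats each frame as simple redundancy, the receiving proxy reassembles, de-duplicates and verifies, and a plain-text gate rejects anything that is not format-free text. The frame layout, the "FERY" magic, the transfer id and the drop pattern are constructed assumptions.

```python
import hashlib
import struct

# Constructed one-way "ferry" framing (GRT's real format is not on the page):
# magic(4) | transfer_id(4) | seq(4) | total(4) | sha256 of the whole file(32) | payload
HEADER = struct.Struct("!4sIII32s")
MAGIC = b"FERY"

def make_frames(transfer_id, data, chunk=1024, copies=2):
    """No return channel means no ACK or retransmit, so each frame is simply emitted `copies` times."""
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    return [HEADER.pack(MAGIC, transfer_id, seq, len(chunks), digest) + c
            for _ in range(copies) for seq, c in enumerate(chunks)]

class Receiver:  # receive-side proxy: reassemble, ignore duplicates, verify the hash
    def __init__(self):
        self.pending = {}  # transfer_id -> (total, digest, {seq: payload})

    def accept(self, frame):
        """Return the complete payload once every chunk has arrived, else None."""
        if len(frame) < HEADER.size:
            return None
        magic, tid, seq, total, digest = HEADER.unpack_from(frame)
        if magic != MAGIC or seq >= total:
            return None
        total, digest, chunks = self.pending.setdefault(tid, (total, digest, {}))
        chunks.setdefault(seq, frame[HEADER.size:])
        if len(chunks) < total:
            return None
        data = b"".join(chunks[i] for i in range(total))
        del self.pending[tid]
        return data if hashlib.sha256(data).digest() == digest else None

def is_plain_text(data):
    """Content gate: accept only UTF-8 text with no control bytes beyond tab/CR/LF."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch in "\t\r\n" or " " <= ch != "\x7f" for ch in text)

def ferry(data, drop_every=0, copies=2):
    """Simulate the link: drop every N-th frame (0 = lossless); return received bytes or None."""
    rx, out = Receiver(), None
    for n, frame in enumerate(make_frames(7, data, chunk=4, copies=copies), 1):
        if drop_every and n % drop_every == 0:
            continue
        out = rx.accept(frame) if out is None else out
    return out
```

Plain repetition only helps when losses are not aligned with the repeat period (dropping every second frame here loses both copies of the odd chunks), which is one reason forward error correction is preferred over naive duplication on real one-way links.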