The network gateway (gatekeeper): a technology of choice that is more secure than the firewall


I. Overview

Today, network isolation technology is receiving more and more attention from users, and more and more important networks and departments have begun to use isolation network gateway products to protect their internal networks and critical infrastructure. There are three types of isolation network gateway (physical isolation switch / SGAP) technology in the world: SCSI technology, dual-port RAM technology and physical one-way transmission technology. SCSI is the typical disk-copy exchange technology, dual-port RAM is a technology that emulates disk copying, and physical one-way transmission is the diode one-way technology. All three are considered exchange technologies that provide physical separation.



As we all know, with the spread of viruses, hackers, information terrorism and computer crime on the Internet, the threat keeps growing and the rate at which firewalls are breached keeps rising. In government, military, business and other fields, the core sectors are closely tied to national security and social stability, so there is an urgent need for protective measures that are more reliable than traditional products. Physical isolation network gateways first appeared in the military of the United States, Israel and other countries, to solve the problem of securely connecting a classified network to a public network. In e-government construction, security domains are defined by classifying cyberspace according to the level of its information. The classified domain is the network space that involves state secrets. The non-classified domain does not involve state secrets, but involves the secrets of a unit, a department or a work system. The public service domain involves neither work secrets nor state secrets; it is an information exchange space completely open to the public Internet. The relevant state documents strictly require physical separation between the government internal network and the government external network, and logical isolation between the government external network and the Internet. According to this division of security domains, the government internal network is the classified domain, the government external network is the non-classified domain, and the Internet is the public service domain. The relevant national research institutions have studied secure gateway technology, and better gateway technologies will appear in the future as demand requires. The internal and external networks are linked through a secure gateway; the gateway has therefore become a device that must be configured in e-government information systems. From this point, gateway products and technology rose rapidly in China and became a new growth point for China's information security industry.

II. The concept of the gateway

A gateway is a security device that uses a solid-state switch with control functions to connect two independent host systems through a read/write medium for information exchange. Because the physical isolation network gateway connects two independent host systems, there is no physical communication connection, no logical connection, no information transfer command, no information transfer protocol, and no packet forwarding according to any protocol; there is only a protocol-less "ferry" of data files, and the solid-state storage medium supports only two commands, "read" and "write". The physical isolation network gateway therefore physically isolates the networks and blocks every attack that could arrive through a connection, so that "hackers" cannot intrude, cannot attack and cannot cause damage, achieving real security.

The security isolation and information exchange system, that is, the gateway, is a new generation of high-security, enterprise-class information security protection device. It relies on network security isolation technology to provide a higher level of security protection, which not only greatly enhances the resistance of information networks to attack but also effectively prevents information leakage.

First-generation gateway technology uses a single-pole double-throw switch so that the internal and external network processing units access a shared storage device at different times to complete the data exchange. This realizes data exchange under air-gap isolation (Air Gap), and through application-layer data extraction and security review it prevents attacks based on the protocol layer and enhances security at the application layer.

The second-generation gateway builds on the advantages of the first generation and creatively uses a new dedicated exchange channel, PET (Private Exchange Tunnel) technology, to complete high-speed data exchange between the internal and external networks without lowering security, effectively overcoming the shortcomings of the first generation. In the second-generation gateway, secure data exchange is achieved through a dedicated hardware communication card, a private communication protocol and an encryption and signature mechanism. It still prevents protocol-layer attacks and enhances application-layer security through application-layer data extraction and security review, but it supports more network applications than the first generation, and because of its dedicated high-speed hardware communication card its capacity is several times that of the first generation. The private communication protocol and the encryption and signature mechanism ensure the confidentiality, integrity and authenticity of the data exchanged between the internal and external processing units, so that while ensuring security it also provides better processing performance and adapts to complex isolated network applications.

The technical characteristics of the gatekeeper (SGAP) compared with those of the traditional firewall are shown in the following table:



III. How the gateway works

The isolation network gateway (security isolation and information exchange system) is a technology for secure information exchange based on isolation and resource sharing, premised on ensuring the safety of the two networks. It uses a unique hardware design and integrates a variety of software protection strategies; it can withstand a variety of known and unknown attacks, significantly increases the security strength of the internal network, and creates a worry-free network application environment for users.

GAP comes from the English "Air Gap". GAP technology uses proprietary hardware to achieve secure data transfer and resource sharing between two or more networks that are not connected to each other. Its Chinese name translates as "security isolation gatekeeper"; it uses a unique hardware design that can significantly increase the security strength of the user's internal network.

The basic principle of GAP technology is: cut off the general-protocol network connection between the networks; decompose or reassemble data packets into static data; perform a security review of the static data, including network protocol checks and code scanning; pass the data confirmed to be safe to the internal network processing unit; and let internal users obtain the required data through a strict identity authentication mechanism.



A security isolation and information exchange system (SGAP) generally consists of three parts: the internal network processing unit, the external network processing unit and the dedicated isolation hardware switching unit. The internal network processing unit connects to the internal network, the external network processing unit connects to the external network, and the dedicated isolation hardware switching unit connects at any moment only to either the internal network processing unit or the external network processing unit, switching between them at high speed under the control of a hardware circuit. This unique hardware design guarantees that the dedicated isolation exchange unit is connected to only the internal network or only the external network at any one time; it not only meets the physical isolation requirements for internal and external networks but also realizes dynamic data exchange. The embedded software system of the SGAP has a built-in protocol analysis engine, content security engine, virus-killing engine and other security mechanisms, and implements complex security policies according to user needs. SGAP systems can be widely used where the internal networks of banks, government and other departments access external networks, and can also be used for information interaction between different trust domains within an internal network.
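The ferry cycle described in the two paragraphs above (protocol stripped on the external side, the shared storage connected to only one processing unit at a time, static content review before release on the internal side), as an added Python simulation that is not part of the original article or of any vendor's product; the `IsolationSwitch` class, the review policy and the HTTP sample are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Side(Enum):
    NONE = 0
    EXTERNAL = 1
    INTERNAL = 2

@dataclass
class IsolationSwitch:
    """Solid-state storage with only 'read' and 'write'; one side connected at a time."""
    connected: Side = Side.NONE
    storage: bytes = b""

    def connect(self, side: Side) -> None:
        self.connected = Side.NONE  # break the existing link first...
        self.connected = side       # ...then make the new one: no path ever spans both sides
    def _check(self, side: Side) -> None:
        if self.connected is not side:
            raise PermissionError(f"{side.name} unit is not connected to the switch")
    def write(self, side: Side, data: bytes) -> None:
        self._check(side)
        self.storage = data
    def read(self, side: Side) -> bytes:
        self._check(side)
        return self.storage

def strip_protocol(raw_request: bytes) -> bytes:
    """External unit: terminate the session and keep only the static payload, no headers."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        raise ValueError("only complete POST uploads are accepted for ferrying")
    return body

FORBIDDEN_MAGIC = (b"MZ", b"\x7fELF")  # constructed review policy: no executables inward
def review(data: bytes, max_size: int = 1_000_000) -> bool:
    """Internal unit: static content check before release to intranet users."""
    return len(data) <= max_size and not data.startswith(FORBIDDEN_MAGIC)

def ferry_inbound(raw_request: bytes, switch: IsolationSwitch):
    """One ferry cycle; returns the released payload, or None if the review rejects it."""
    payload = strip_protocol(raw_request)
    switch.connect(Side.EXTERNAL)
    switch.write(Side.EXTERNAL, payload)   # external unit writes static data only
    switch.connect(Side.INTERNAL)          # external side is now cut off
    data = switch.read(Side.INTERNAL)
    return data if review(data) else None

SAMPLE_UPLOAD = (b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\n"  # constructed sample
                 b"Content-Length: 11\r\n\r\nhello world")
```

A real gatekeeper performs the review in hardware-backed engines rather than a few Python checks; the point of the model is that no unit ever holds a live session across the switch.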

IV. Application scenarios of the gateway

1) Between a classified network and a non-classified network;

2) Between a LAN and the Internet (between the internal network and external networks);
Some local area networks, in particular government office networks, carry sensitive government information and sometimes need to be physically disconnected from the Internet; using a physical isolation network gateway is a common approach.

3) Between the office network and the business network;
Office information networks and business networks have different sensitivities; for example, a bank's office information network and its banking business network are two typical networks of different sensitivity. To improve efficiency, the office network sometimes needs to exchange information with the business network. To address the security of the business network, the better approach is to place a physical isolation network gateway between the office network and the business network, so that the two types of network are physically isolated.

4) Between the e-government network and a special-purpose network;
E-government system construction requires logical separation between the government internal and external networks, and physical separation between the government's special-purpose network and the internal network. The commonly used method today is to achieve this with a physical isolation network gateway.

5) Between the business network and the Internet;
In e-commerce, one side of the business network connects to the server side and the other side connects to the general public through the Internet. To protect the security of the business network's servers, physical isolation must be achieved between the business network and the Internet.

V. Application areas of the gateway

Currently, domestic isolation network gateway products such as the WISELY network security isolation gatekeeper, the Lenovo Royal network security isolation gateway and other manufacturers' gateway products meet users' needs for file exchange between the trusted network and the external network, sending and receiving mail, one-way browsing, database exchange and other functions. In e-government, the gateway has been applied in government internal leadership decision support systems, government business applications (OA systems, dedicated business processing systems) and public information processing systems (information collection systems, information exchange systems, information release systems, etc.), solving the problems of security isolation and controlled information exchange and thus advancing e-government into a new era.

Because the gateway disconnects the two networks at the physical layer and ferries information between them, building a controlled information exchange "island", it has very broad application prospects in government, military, electric power and other fields. The gateway will remove the bottleneck in e-government data exchange between the external and internal networks and eliminate the "information silo" effect that security requirements have caused among government departments. Most current gateways provide file exchange, e-mail, web browsing and other basic functions. In addition, gateway products need further improvement in load balancing, redundant backup, hardware cryptographic acceleration and ease of integrated management, while better integration of intrusion detection, encrypted channels, digital certificates and other technologies is also the trend for the new generation of gateway products.

Abroad, Whale's e-GAP system, Spearhead's NetGAP and other gateway products are currently used by military, aerospace, finance and other departments. Whale positions the e-GAP system as an application-layer protective device. The product achieves overall security through a quarantine server, a temporary data storage area and an isolation switch (Air GAP Switch), combined with application-layer security controls. It integrates encryption technology, authorization and authentication, PKI, HTTP mirroring, rule filtering, Air GAP (air separation) and other security technologies into an integrated hardware and software platform.

Spearhead's NetGAP connects the two networks directly. Security boards inserted into PCI slots, together with an LVDS bus, realize its "Reflective GAP" technology; each board contains a pair of security dual switches, and the dual switch fabric between the two networks ensures a complete link-layer partition. Packets that need to be transmitted from the external network to the internal network go through session termination by the session manager, data stripping, encoding, malicious code scanning, transfer resumption and session regeneration to ensure the security of the internal network. In addition, NetGAP also provides intrusion detection, load balancing and fault-tolerance extensions.

Judging from current applications, the domestic gateway market already has a certain size, and its users are mainly concentrated in government, public security, electric power and other key sectors with high security requirements. In short, the security gateway is needed by government, military, public security, banking, business, aviation, electric power and e-commerce, all of which demand a high level of network security; of course, the gateway can also be used for the dedicated isolation and protection of host servers or database servers.