Data exchange method in network isolation

1. Background

Network isolation is an effective protection method for many private networks: the security of the dedicated services carried on the network must be guaranteed. However, a network is built for interconnection; if no data can be shared, its usefulness shrinks a great deal. Network isolation and data sharing/exchange are therefore inherently in tension, and many network security practitioners have been exploring how to keep the network secure while still making data exchange convenient.

There are many reasons for isolating a network. Generally speaking, there are the following two:

1. Interconnecting a classified (secret-related) network with a lower-classification network is insecure; in particular, intrusions and attacks originating from an uncontrollable network cannot be located or managed. The Internet is a worldwide network and one whose security is hard to control. It must be connected in order to provide public business services, and at the same time it must be defended against all kinds of attacks. Isolation and data exchange are therefore the first problems every enterprise and government faces when building a network.

2. Protection technology always lags behind attack technology. The spear comes first and wounds; only afterwards is the shield built to block that spear. Attack techniques keep changing and upgrading, the entry barrier drops, the vulnerability lifecycle shortens, and worm-style propagation techniques have become delivery tools for Trojans, while protection technology looks like an endless series of patches. Today's "hackers" on the Internet have become industrialized; some resemble organized crime groups on the Internet. Although they occasionally perform "righteous deeds" of robbing the rich to help the poor, in order to survive they inevitably keep specializing in new attack techniques. After a new type of attack appears, protection technology can only respond after some delay; this is the current state of the network security community.

Network isolation, then, means separating the network from the insecure area. The best approach is to dig a moat around the city and then build a few controllable "drawbridges" to keep communicating with the outside. Data exchange technology is the study of the protection measures on those "bridges".

Regarding isolation and data exchange, Venustech has a comparative study of security strategies, which can be summarized as follows:

Bridge strategy: business protocols pass through directly, data is not reassembled, impact on speed is small, security is weak.

◆ Firewall (FW): network-layer filtering

◆ Multiple security gateways: filtering from the network layer up to the application layer, a multi-checkpoint strategy

Ferry strategy: business protocols do not pass through directly, data must be reassembled, security is good.

◆ Gatekeeper: the protocol is terminated ("landed"); security inspection relies on existing security technologies

◆ Exchange network: an exchange buffer zone is established, with multi-faceted protection, monitoring and auditing

Manual strategy: no physical connection; data is exchanged manually on removable media; the best security.

2. Data exchange technology

1. Firewall

A firewall is the most commonly used network isolation method. It works mainly through network routing control, that is, access control list (ACL) technology. A network is packet-switched and packets reach their destination via routing, so whoever controls the routing controls the communication path and the flow of packets. Early network security control was basically firewalls. Influential domestic vendors include Tianrongxin, Venustech and Lenovo.

However, a firewall has a significant shortcoming: it can only control traffic at layer four and below, and it has no way to deal with application-layer threats such as Trojans and worms. For basic security requirements, primary isolation is possible, but it is insufficient for deep network isolation.

It is worth mentioning NAT in firewalls. Address translation hides the IP addresses of the internal network, and many people regard it as a kind of security protection, thinking that "no route in" is secure enough. Address translation is actually a form of proxy technology, and not allowing business access to pass through directly is a step forward in security. However, application-layer techniques for traversing NAT are very common today, so hiding addresses is only relative. Many current attack techniques are aimed at firewalls, and in particular a firewall does not control the application layer, which makes it easy for Trojans to get in. A Trojan that has entered the internal network sees the internal addresses and reports them directly to the attacker on the external network. The security value of NAT is therefore not large.

2. Multiple security gateways (also called a new generation firewall)

A firewall is a checkpoint set up on the "bridge" that can only do "passport" checks. The multiple-security-gateway approach sets up several checkpoints, adding luggage inspection and body search. Multiple security gateways also have a unified name: UTM (Unified Threat Management). Whether it is built as one device or several is only a difference in the processing capacity of the device itself; what matters is a comprehensive inspection from the network layer up to the application layer. There are many domestic UTM vendors, such as Tianrongxin and Venustech.

The inspection of multiple security gateways has several levels:

FW: ACL at the network layer

IPS: intrusion prevention, blocking attack behaviour

AV: anti-virus, blocking malicious code

Expandable functions: anti-DoS, content filtering, traffic shaping ...

Firewalls and multiple security gateways are both "bridge" strategies: they rely mainly on security checks and do not change the application protocol, so they are fast and can carry heavy traffic, like "motor vehicle" traffic across the bridge. From the perspective of the client application there is no difference.
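The difference between the two "bridge" checkpoints (a layer-4 ACL alone, versus ACL followed by IPS and AV stages) is easiest to see with a small inspection chain run over constructed packets. The following is an added example written for this page, not code from the article or from any vendor's product; the ACL rules, IPS byte signatures, the "known-bad" payload hash, and the packet contents are all made up for illustration.

```python
"""Toy "bridge strategy" inspection chain (added example, constructed data).

Stage 1 is a layer-3/4 ACL, which is all a plain firewall does: it never looks at
the payload. Stages 2 and 3 (IPS signature match, AV hash match) are the extra
"luggage checks" a multi-gateway / UTM adds. The same malicious payload on an
allowed port passes the ACL and is only stopped by the later stages.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class AclRule:
    action: str           # "permit" or "deny"
    src_net: str
    dst_net: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port


# Constructed ACL: the intranet 10.0.0.0/8 may reach the DMZ web server on 80/tcp
# and the DMZ resolvers on 53/udp; everything else is dropped.
ACL = [
    AclRule("permit", "10.0.0.0/8", "192.0.2.10/32", "tcp", 80),
    AclRule("permit", "10.0.0.0/8", "192.0.2.0/24", "udp", 53),
    AclRule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]


def acl_decision(pkt: Packet, rules=ACL) -> str:
    """Layer-3/4 filtering: first matching rule wins; the payload is never examined."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if src not in ipaddress.ip_network(r.src_net):
            continue
        if dst not in ipaddress.ip_network(r.dst_net):
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"  # implicit deny at the end of the list


# Constructed IPS signatures: byte patterns that must not appear in a request to the web tier.
IPS_SIGNATURES = {
    "path-traversal": b"../",
    "cmd-injection": b"|cmd.exe",
    "sqli-union": b"union select",
}

# Constructed AV database: SHA-256 of a made-up "known-bad" payload.
BAD_PAYLOAD = b"MZ\x90\x00 constructed-sample-trojan"
AV_HASHES = {hashlib.sha256(BAD_PAYLOAD).hexdigest(): "constructed-sample-trojan"}


def ips_check(pkt: Packet) -> Optional[str]:
    """Return the name of the first matching IPS signature, or None."""
    body = pkt.payload.lower()
    for name, sig in IPS_SIGNATURES.items():
        if sig in body:
            return name
    return None


def av_check(pkt: Packet) -> Optional[str]:
    """Return the malware name if the payload hash is in the AV database, or None."""
    return AV_HASHES.get(hashlib.sha256(pkt.payload).hexdigest())


def firewall_only(pkt: Packet) -> str:
    """What a plain firewall decides: ACL and nothing else."""
    return acl_decision(pkt)


def utm_pipeline(pkt: Packet):
    """Multiple checkpoints in sequence: ACL, then IPS, then AV. Returns (decision, reason)."""
    if acl_decision(pkt) != "permit":
        return ("deny", "acl")
    hit = ips_check(pkt)
    if hit:
        return ("deny", "ips:" + hit)
    hit = av_check(pkt)
    if hit:
        return ("deny", "av:" + hit)
    return ("permit", "clean")


if __name__ == "__main__":
    samples = {
        "benign web": Packet("10.1.2.3", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
        "traversal": Packet("10.1.2.3", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
        "trojan upload": Packet("10.1.2.3", "192.0.2.10", "tcp", 80, BAD_PAYLOAD),
        "ssh attempt": Packet("10.1.2.3", "192.0.2.10", "tcp", 22, b"SSH-2.0-client"),
    }
    for name, pkt in samples.items():
        print(f"{name:14} firewall={firewall_only(pkt):6} utm={utm_pipeline(pkt)}")
```

The point the article makes at the firewall section is visible in `acl_decision`: the function has no access to `payload` at all, so a Trojan or traversal attempt on a permitted port is indistinguishable from a normal request. `utm_pipeline` keeps the same fast ACL in front and only pays the cost of payload inspection for traffic the ACL already permits, which is why both are "bridge" strategies from the client's point of view.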

3. Gatekeeper

The gatekeeper's design is "proxy + ferry". Instead of building a bridge over the river, a ferry boat is set up. The ferry does not connect the two banks directly, so its security is naturally better than a bridge: even an attack cannot get across in one go, and it is always subject to various controls on the boat. In addition, the gatekeeper's function is a proxy, and not merely a protocol proxy: it "disassembles" the data, restoring it to its original form and stripping off the "heads and tails" added by the various communication protocols. Many attacks hide themselves in the way data is assembled and disassembled; without these "communication coats" it is hard for an attacker to hide.

The security concept of the gatekeeper is:

Network isolation --- "a boat, not a bridge, across the river": the "ferry mode" is used to isolate the networks

Protocol isolation --- "containers are not allowed to pass through sealed": the communication protocol is terminated ("landed"); the protocol connection is broken by a proprietary protocol or by storage, and upper-layer business is supported by a proxy

According to national confidentiality requirements, a gatekeeper is required when interconnecting a classified network with a non-classified network. If the non-classified network is connected to the Internet, a one-way gatekeeper is used; if it is not connected to the Internet, a two-way gatekeeper is used.

4. Exchange network

The exchange network model derives from the Clark-Wilson model of the banking system, and mainly protects the integrity of data through the ideas of business proxies and two-person auditing. An exchange network establishes a data exchange area between two isolated networks that is responsible for business data exchange (unidirectional or bidirectional). Either end of the exchange network can use multiple gateways or gatekeepers, and security technologies such as monitoring and auditing are applied inside the exchange network, forming a multi-dimensional security protection system for the exchange network as a whole.

The core of the exchange network is again a business proxy. Client services must pass through the application proxy into the access buffer, and then through the business proxy into the business buffer, before they can enter the production network.

Gatekeepers and exchange-network technologies both use ferry strategies, extending the "mileage" of data communications and adding security measures.
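The "proxy + ferry" idea of the gatekeeper section (protocol landing, stripping the "communication coats") and the exchange network's buffer with business proxies and two-person auditing can be shown in one piece of code. The following is an added example written for this page, not code from the article or from any gatekeeper or exchange-network product; the HTTP-like request format, the `POST /orders` business schema, the quantity limit, and the submitter/approver names are all assumptions made for illustration.

```python
"""Toy gatekeeper + exchange buffer (added example, constructed data).

Outer proxy: terminates the transport protocol, keeps only whitelisted business
fields, drops the normalized record into a buffer.  Inner proxy: independently
re-validates the record, enforces a two-person rule (submitter != approver),
writes an audit entry, and only then builds a brand-new request toward the
production side.  No header from the outside ever crosses the ferry.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed business schema: the only thing allowed to cross the ferry.
SCHEMA = {"order_id": str, "sku": str, "qty": int}
MAX_QTY = 1000  # constructed business rule


def land_protocol(raw: bytes) -> dict:
    """Outer proxy: parse an HTTP-like request, discard every header, return only the body object."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    request_line = head.split(b"\r\n", 1)[0]
    if not request_line.startswith(b"POST /orders "):
        raise ValueError("only POST /orders is ferried")
    # Everything in `head` after the request line (cookies, X-Forwarded-For,
    # smuggled Transfer-Encoding tricks, ...) is dropped right here.
    obj = json.loads(body.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("body is not a JSON object")
    return obj


def normalize(obj: dict) -> dict:
    """Reassemble the data: keep only schema fields with exact types, reject extras."""
    extra = set(obj) - set(SCHEMA)
    if extra:
        raise ValueError("unexpected fields: %s" % sorted(extra))
    record = {}
    for key, typ in SCHEMA.items():
        # `type(...) is typ` so that a JSON true/false is not accepted as an int.
        if key not in obj or type(obj[key]) is not typ:
            raise ValueError("bad or missing field: " + key)
        record[key] = obj[key]
    if not 0 < record["qty"] <= MAX_QTY:
        raise ValueError("qty out of range")
    return record


@dataclass
class ExchangeBuffer:
    """The exchange area between the two networks: pending records plus an audit trail."""
    pending: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def outer_proxy_submit(buf: ExchangeBuffer, raw: bytes, submitter: str) -> str:
    """Ferry step 1: land the protocol, normalize, store the record with the submitter's identity."""
    rec = normalize(land_protocol(raw))
    digest = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    buf.pending.append({"record": rec, "digest": digest, "submitter": submitter})
    buf.audit.append(("submitted", submitter, digest))
    return digest


def inner_proxy_release(buf: ExchangeBuffer, digest: str, approver: str) -> bytes:
    """Ferry step 2: independent re-validation and two-person rule, then a fresh request."""
    for i, item in enumerate(buf.pending):
        if item["digest"] == digest:
            break
    else:
        raise KeyError("no such pending record")
    if approver == item["submitter"]:
        raise PermissionError("submitter may not approve own record (two-person rule)")
    rec = normalize(item["record"])  # re-check on the inner side; never trust the buffer blindly
    buf.pending.pop(i)
    buf.audit.append(("released", approver, digest))
    body = json.dumps(rec, sort_keys=True).encode()
    # Built from scratch by the inner proxy: no outside header survives the crossing.
    return (b"POST /orders HTTP/1.1\r\nHost: erp.internal\r\n"
            b"Content-Type: application/json\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


if __name__ == "__main__":
    # Constructed outside request carrying headers an attacker might try to smuggle in.
    outside = (b"POST /orders HTTP/1.1\r\nHost: shop.example\r\nCookie: sid=evil\r\n"
               b"X-Forwarded-For: 10.0.0.1\r\n\r\n"
               b'{"order_id": "A1", "sku": "S9", "qty": 5}')
    buf = ExchangeBuffer()
    d = outer_proxy_submit(buf, outside, "alice")
    print(inner_proxy_release(buf, d, "bob").decode())
    print(buf.audit)
```

Two details mirror the article's argument. `land_protocol` is where the protocol "lands": the outer TCP/HTTP conversation ends at the proxy, and the only thing that reaches the buffer is a Python dict built from the body. `inner_proxy_release` calls `normalize` a second time and refuses to let the submitter approve their own record, which is the Clark-Wilson separation-of-duty idea the exchange network borrows; the audit list records who put the record in and who let it out.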

3. Comparison of data exchange technology

Different business networks choose different data exchange technologies according to their own security needs, depending mainly on the volume of data exchanged, real-time requirements, and business service requirements.
