Distributed network isolating system and method

Abstract

The invention discloses a distributed network isolating system and method. The system comprises an inner-network host, an outer-network host and a security isolation device. The security isolation device is arranged at the boundary of an inner network and an outer network, and comprises a plurality of communication ports for transceiving inner-network and outer-network data packets and being in communication with manager computers. The security isolation device is connected with the inner-network host and the outer-network host through a light opening or an electricity opening by means of a cable or an optical fiber. Client side software is arranged on the inner-network host and the outer-network host. A security channel based on a private protocol is established between cores of operation systems of the inner-network host and the outer-network host. Data exchange can be conducted between an inner-network designated application and an outer-network designated application through the security channel. Meanwhile, the data packets between the networks are filtered at the boundary between the inner network and the outer network, the security of the inner network and the outer network is ensured, various existing applications are supported, and the distributed network isolating system has the advantages of being high in communication efficiency, simple in strategy configuration and high in universality.

Description

technical field [0001] The invention relates to the technical field of network information security, in particular to a distributed network isolation system and method. Background technique [0002] In order to achieve security isolation and information exchange between networks of different security levels or different security domains, the usual method is to deploy security isolation and information exchange systems (such as gatekeepers), firewalls and other equipment at the network border. [0003] The traditional security isolation and information exchange system generally has a "2+1" structure, 2 refers to 1 internal network processing unit, 1 external network processing unit, and 1 refers to 1 isolated switching unit. The internal network processing unit is connected to the internal network, the external network processing unit is connected to the external network, and the isolation switching unit is responsible for isolating the internal and external network processin...

AI Technical Summary

Problems solved by technology

[0004] This traditional "2+1" structure has the following disadvantages: 1. It requires two forwarding agents to complete an information exchange, which reduces communication efficiency; 2. It is necessary to configure policies and configure management for different services in the internal and external network processing units. Complicated; 3. Centralized security detection at the network border, with a large amount of data processing and increased network delay; 4. Only limited application types such as file exchange, mail exchange, database synchronization, and web page access are supported, which cannot support existing There are a large number of various applications

Images