
Design and Implementation of a Virtualized Multi-Channel Retrofit of a Network Isolator

Published: 2018-05-20 11:49

  Topic: network isolation + virtualization; Source: University of Electronic Science and Technology of China (电子科技大学), master's thesis, 2017


[Abstract]: Our unit previously developed a network isolator for its users. The isolator relies on security mechanisms such as a proprietary communication protocol and dedicated communication hardware to break the direct network connection: only the application data of the application systems is ferried between security domains, never the public network protocols themselves. Isolation and exchange of this kind not only performs network-protocol security checks but also concentrates on content inspection of the application data. Compared with protection by a firewall, it provides network isolation together with data exchange, reduces or blocks attacks that exploit network protocols, and suits environments that require a degree of security isolation but not full physical separation. As the variety and scale of user services kept growing, networks of many different security levels were connected to departments that originally ran a single service. Connecting all of these networks to a department's internal network through the same network isolator is clearly a serious security risk, but deploying a separate isolator for each network multiplies the user's space, capital and power costs. With virtualization technology now in wide use, letting a single network isolator protect networks of different security levels at the same time greatly reduces the user's cost compared with deploying several isolators. This thesis describes a scheme for converting the existing single-channel network isolator product into a multi-channel product by software modification alone. The scheme records the ingress interface of each packet entering the isolator, computes the designated egress interface, carries the interface information together with the data session to the sending unit, and finally binds the transmission to the designated interface when the packet is sent, realising virtual "interface-to-interface" data channels. Data processing on each channel stays identical to the original product, so the original product's features are retained, while the virtualization approach delivers multi-channel transport and security protection quickly.
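The ingress-to-egress binding described in the abstract, as an added example written for this page rather than code from the thesis or the product it describes. The interface names eth1 to eth4, the static channel map, the session keying and the printable-ASCII content check are all assumptions made for illustration; the real product uses its own protocol, hardware and application-data inspection. The model also shows the caveat a practitioner would want: sessions are keyed by ingress interface as well as session id, so two networks of different security levels that happen to reuse the same session numbers can never be spliced into one channel.

```python
"""Model of a multi-channel ("interface-to-interface") network isolator.

Added example, not the thesis author's code. Interface names, the channel map
and the content check are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumed static channel map: ingress interface -> egress interface.
# Each pair is one isolated virtual channel through the isolator.
CHANNEL_MAP: Dict[str, str] = {"eth1": "eth2", "eth3": "eth4"}


@dataclass(frozen=True)
class Packet:
    """A packet as seen by the receive unit: the physical interface it arrived on,
    the application session it belongs to, and its application-data fragment."""
    ingress: str
    session_id: int
    payload: bytes


@dataclass
class Session:
    """Session state carried from the receive unit to the sending unit,
    including the interface pair the session is bound to."""
    ingress: str
    egress: str
    chunks: List[bytes] = field(default_factory=list)


class ChannelError(Exception):
    """Raised when a packet cannot be mapped to a channel or a session fails the content check."""


def default_content_check(data: bytes) -> bool:
    """Stand-in for the product's application-data inspection (assumption):
    accept only printable ASCII, so raw protocol bytes are never ferried."""
    return all(0x20 <= b < 0x7F for b in data)


class MultiChannelIsolator:
    def __init__(self, channel_map: Dict[str, str],
                 content_check: Callable[[bytes], bool] = default_content_check):
        self.channel_map = dict(channel_map)
        self.content_check = content_check
        # Sessions are keyed by (ingress, session_id), not by session_id alone:
        # networks of different security levels may reuse the same session
        # numbers, and a collision would splice their data into one channel.
        self.sessions: Dict[Tuple[str, int], Session] = {}
        self.sent: List[Tuple[str, int, bytes]] = []

    def receive(self, pkt: Packet) -> str:
        """Record the ingress interface, compute the egress interface and carry
        both with the session. Returns the egress interface chosen."""
        try:
            egress = self.channel_map[pkt.ingress]
        except KeyError:
            # Management port or an unconfigured interface: never ferry its data.
            raise ChannelError(f"no channel for ingress interface {pkt.ingress!r}") from None
        key = (pkt.ingress, pkt.session_id)
        sess = self.sessions.setdefault(key, Session(pkt.ingress, egress))
        sess.chunks.append(pkt.payload)
        return egress

    def send(self, ingress: str, session_id: int) -> Tuple[str, bytes]:
        """Reassemble the session's application data, run the content check and
        bind the transmission to the egress interface carried with the session."""
        sess = self.sessions.pop((ingress, session_id))
        data = b"".join(sess.chunks)
        if not self.content_check(data):
            raise ChannelError("application-data check rejected the session")
        # Defence in depth: the egress carried with the session must still be
        # the one the channel map assigns to its ingress.
        if self.channel_map.get(sess.ingress) != sess.egress:
            raise ChannelError("session egress does not match the channel map")
        self.sent.append((sess.egress, session_id, data))
        return sess.egress, data


def demo() -> List[Tuple[str, int, bytes]]:
    """Constructed traffic: two networks reuse session id 7; each stays in its own channel."""
    iso = MultiChannelIsolator(CHANNEL_MAP)
    iso.receive(Packet("eth1", 7, b"hel"))
    iso.receive(Packet("eth3", 7, b"OTHER"))
    iso.receive(Packet("eth1", 7, b"lo"))
    iso.send("eth1", 7)
    iso.send("eth3", 7)
    return iso.sent


if __name__ == "__main__":
    for egress, sid, data in demo():
        print(egress, sid, data)
```

In the real product the "bind the send to the designated interface" step is done at the socket or driver level on the dedicated sending hardware; the model keeps only the routing decision and the two checks (unknown ingress, failed content check) that decide whether anything crosses the isolator at all.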
[Degree-granting institution]: University of Electronic Science and Technology of China (电子科技大学)
[Degree level]: Master
[Year awarded]: 2017
[Classification number]: TP393.08




Article number: 1914501


Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/1914501.html

