
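Design and Implementation of a Virtualized Multi-Channel Retrofit of a Network Isolator

Published: 2018-05-20 11:49

Topic: network isolation + virtualization; Source: University of Electronic Science and Technology of China, 2017 master's thesis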


[Abstract]: Our organization previously developed a network isolator for its users. The isolator uses security mechanisms such as a proprietary communication protocol and dedicated communication hardware to break the direct network connection, ferrying only the application data of application systems between different security domains rather than public network protocols. This isolated exchange not only performs security checks on network protocols but also emphasizes content inspection of the application data. Compared with a firewall-protected deployment, it achieves network isolation together with data exchange and reduces or prevents attacks that exploit network protocols, which suits environments that have some security isolation requirements but do not yet require physical isolation. As users' service types and service scale keep growing, networks of many different security levels are being connected to branch departments that originally ran a single service. Connecting all of these networks to the department's internal network through the same network isolator is clearly a security risk. Deploying a separate network isolator to protect each network, however, doubles the demands on the user's space, capital and power costs. With virtualization technology now in full swing, using virtualization to let a single network isolator protect networks of different security levels at the same time greatly reduces the user's cost compared with deploying multiple network isolators. This thesis describes a scheme that takes an existing single-channel network isolation product and, through software modification, turns it into a multi-channel network isolation product. The scheme obtains the ingress interface of each data packet entering the network isolator, computes the designated egress interface, and carries the interface information along with the data session to the sending unit; finally, when the packet is sent, it is bound to the designated interface, implementing a virtual "interface"-to-"interface" data channel. Data processing in each data channel stays the same as in the original product, so the original product's functional characteristics are retained, and the virtualization approach quickly delivers multi-channel transmission and security protection.
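[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08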


Article number: 1914501


Article link: http://sikaile.net/guanlilunwen/ydhl/1914501.html

