基于红黑隔离架构的网络安全设备设计

doi:10.16180/j.cnki.issn1007-7820.2024.02.011

摘要/Abstract

摘要：

基于IP(Internet Protocol)技术的天地一体化网络数据传输易受非法攻击,基于IPSec(Internet Protocol Security)的传统网络安全设备采用单主机同时连接内网和外网处理单元进行设计,存在非授权用户通过外网直接访问受保护内网的风险。文中提出了一种基于红黑隔离架构的网络安全设备新方案。方案采用红黑分区的设计理念和基于Linux下IPSec框架的VPN(Virtual Private Network)技术,通过在红区实现传输数据、基于“五元组”的安全保密规则合法性验证以及IPSec ESP(Encapsulating Security Payload)协议封装与解封装变换,在黑区实现ESP封装加密数据的公网收发,在安全服务模块实现根据外部指令完成加密算法动态切换和ESP封装数据的加解密处理,并将安全服务模块作为红区和黑区之间数据交换的通道,达到内网和外网相互隔离且有效保障内网安全的目的。实验结果表明,基于红黑隔离架构的网络安全设备抗攻击能力强,加密算法可更换,在百兆带宽条件下1 024 Byte包长加密速率大于50 Mbit·s^-1。

关键词: IPSec, 红黑隔离, 基于“五元组”安全保密规则合法性验证, Linux, ESP协议, 强抗攻击能力, 可更换加密算法, 加密速率

Abstract:

The data transmission of the heaven and the earth integrated network based on IP(Internet Protocol) technology is vulnerable to illegal attacks. The traditional network security device based on IPSec(Internet Protocol Security) is designed by connecting a single host to both internal and external network processing units, which has the risk of unauthorized users directly accessing the protected intranet through the extranet. A new scheme for a network security device based on a red-black isolation architecture is proposed. The scheme adopts the design concept of red-black partition and VPN technology based on IPSec framework under Linux. It implements the validity verification of the transmitted data based on the "quintuple" security and security rules and the encapsulation and decapsulation transformation of the IPSec ESP protocol in the red zone, and implements the public network sending and receiving of the ESP encapsulated and encrypted data in the black zone. In this scheme, the security service module implements dynamic switching of encryption algorithms and encryption and decryption of ESP encapsulated data according to external instructions, and uses the security service module as a data exchange channel between the red and black zones to achieve isolation between the internal and external networks and effectively ensure Intranet security.The experimental results show that the network security device based on red-black isolation architecture has the advantages of strong anti-attack capability, replaceable encryption algorithm, and encryption rate of 1 024 bytes packet length greater than 50 Mbit·s^-1 under 100 megabit bandwidth.

Key words: IPSec, red-black isolation, the legality verification of the "five elements" security and confidentiality rules, Linux, ESP protocol, strong anti-attack capability, replaceable encryption algorithm, encryption rate

中图分类号:

TP393.0

龚智,刘超,付强. 基于红黑隔离架构的网络安全设备设计[J]. 电子科技, 2024, 37(2): 76-86.

GONG Zhi,LIU Chao,FU Qiang. Network Security Device Design Based on Red-Black Isolation Architecture[J]. Electronic Science and Technology, 2024, 37(2): 76-86.

图/表 20

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

图13

图14

图15

表1

表2

表3

图16

表4

参考文献 19

[1]	庄建斌. 针对当前网络攻击技术对网络安全防护体系分析[J]. 电脑知识与技术, 2022, 18(5):50-51,58.
	Zhuang Jianbin. Analysis of network security protection system for current network attack technology[J]. Computer Knowledge and Technology, 2022, 18(5):50-51,58.
[2]	耿航. IPSec协议分析[J]. 电子科技, 2014, 27(8):142-143,146.
	Geng Hang. IPSec protocol analysis[J]. Electronic Science and Technology, 2014, 27(8):142-143,146.
[3]	赵菁. IPsec VPN与SSL VPN比较与分析[J]. 数字技术与应用, 2017, 34(10):183-184.
	Zhao Jing. Comparison andanalysis of IPSec VPN and SSL VPN[J]. Digital Technology and Application, 2017, 34(10):183-184.
[4]	朱海水. 基于IPSec的网络安全系统设计与VPN构建实现[J]. 数码世界, 2017(5):151-152.
	Zhu Haishui. IPSec-based network security system desi-gn and VPN construction implementation[J]. Digital Space, 2017(5):151-152.
[5]	胡天麟. 基于IPSec协议的VPN安全网关的设计与实现[J]. 通信电源技术, 2020, 37(3):78-79.
	Hu Tianlin. Design and implementation of VPN securety gateway based on IPSec protocol[J]. Telecom Power Technologies, 2020, 37(3):78-79.
[6]	杨静. 防火墙技术在计算机网络安全中的应用分析[J]. 南方农机, 2018, 49(19):157-167.
	Yang Jing. Analysis of the application of firewall technology in computer network security[J]. China Southern Agricultural Machinery, 2018, 49(19):157-167.
[7]	林宇红, 肖昊. 基于AES算法的eFlash控制器安全设计[J]. 电子科技, 2023, 36(10):62-67.
	Lin Yuhong, Xiao Hao. Security design of eFlash contr-ollerbased on AES algorithm[J]. Electronic Science and Technology, 2023, 36(10):62-67.
[8]	田道坤, 彭亚雄. 在区块链中基于混合算法的数字签名技术[J]. 电子科技, 2018, 31(7):19-23.
	Tian Daokun, Peng Yaxiong. Digital signature technology based on Hybrid algorithm in blockchain[J]. Electronic Science and Technology, 2018, 31(7):19-23.
[9]	张尧, 刘笑凯. 基于国密算法的IPSec VPN设计与实现[J]. 信息技术与网络安全, 2020, 39(6):49-52.
	Zhang Yao, Liu Xiaokai. Design and implementation of IPSec VPN based on national secret algorithm[J]. Cyber Security and Data Governance, 2020, 39(6):49-52.
[10]	李建立, 莫燕南, 粟涛, 等. 基于国密算法SM2、SM3、SM4的高速混合加密系统硬件设计[J]. 计算机应用研究, 2022, 39(9):2818-2825,2831.
	Li Jianli, Mo Yannan, Su Tao, et al. Hardware design of high-speed hybrid encryption system based on SM2,SM3 and SM4 algorithm[J]. Application Research of Computers, 2022, 39(9):2818-2825,2831.
[11]	王骞, 奚正波. 网络安全隔离技术探讨[J]. 中国新通信, 2022, 24(10):113-115.
	Wang Qian, Xi Zhengbo. Network security isolation technology discussion[J]. China New Telecommunications, 2022, 24(10):113-115.
[12]	姜艳龙, 李鹤. 全国产化高速嵌入式网络隔离网闸的硬件实现[J]. 电子世界, 2022(2):109-111.
	Jiang Yanlong, Li He. Hardware implementation of fully localized high-speed embedded network isolation gates[J]. Electronics World, 2022(2):109-111.
[13]	许晓明. 基于双网隔离的网络安全设备研究[J]. 舰船电子工程, 2018, 38(5):5-9.
	Xu Xiaoming. Research on network security equipment based on dual network isolation[J]. Ship Electronic Engineering, 2018, 38(5):5-9.
[14]	Texas Instruments. AM335x sitara processors datasheet[EB/OL].(2018-12-01) [2019-03-01]https://www.ti.com/document-viewer/AM3352/datasheet/device-nomenclature-sprs71745#SPRS71745.
[15]	Altera Corporation. 5CGTFD7D5F27I7N datasheet[EB/OL].(2012-02-01) [2019-03-01]https://html.alldatasheet.com/html-pdf/547120/ALTERA/5CGTD7/2204/10/5CGTD7.html.
[16]	Christian Benvenuti. 深入理解Linux网络技术内幕[M]. 北京: 中国电力出版社, 2009:56-72.
	Christian Benvenuti. Understanding Linuxnetwork internals[M]. Beijing: China Electric Power Press, 2009:56-72.
[17]	张越. 国密IPSec VPN安全机制研究与实现[D]. 西安: 西安电子科技大学, 2019:12-37.
	Zhang Yue. The research and implement of national standa-rd IPSec VPN security mechanism[D]. Xi'an: Xidian University, 2019:12-37.
[18]	Salman F A. Implementation of IPsec-VPN tunneling using GNS3[J]. Indonesian Journal of Electrical Engineering and Computer Science, 2017, 7(3):855-860. doi: 10.11591/ijeecs.v7.i3
[19]	蒋华, 李康康, 胡荣磊. 一种基于StrongSwan的IPSec VPN网关的实现[J]. 计算机应用与软件, 2017, 34(7):79-84.
	Jiang Hua, Li Kangkang, Hu Ronglei. An implementation of IPSec VPN gateway based on StrongSwan[J]. Computer Applications and Software, 2017, 34(7):79-84.

设备	内网IP	外网IP	选用算法	结果
子网1用户	210.150.150.23	无	无	ping 通
网络安全设备1	210.150.150.15	192.168.1.180	SM4
网络安全设备2	11.11.11.11	192.168.1.190	SM4
子网2用户	11.11.11.10	无	无

设备	内网IP	外网IP	选用算法	结果
子网1用户	210.150.150.23	无	无	ping 不通
网络安全设备1	210.150.150.15	192.168.1.180	AES
网络安全设备2	11.11.11.11	192.168.1.190	SM4
子网2用户	11.11.11.10	无	无

设备	内网IP	外网IP	选用算法	结果
子网1用户	210.150.150.23	无	无	ping 通
网络安全设备1	210.150.150.15	192.168.1.180	AES
网络安全设备2	11.11.11.11	192.168.1.190	AES
子网2用户	11.11.11.10	无	无

IP包长/Byte	加密速率/Mbit·s^-1
64	34.1
1 024	50.8
1 280	20.6
1 400	25.1