基于红黑隔离架构的网络安全设备设计

doi:10.16180/j.cnki.issn1007-7820.2024.02.011

Abstract

Abstract:

The data transmission of the heaven and the earth integrated network based on IP(Internet Protocol) technology is vulnerable to illegal attacks. The traditional network security device based on IPSec(Internet Protocol Security) is designed by connecting a single host to both internal and external network processing units, which has the risk of unauthorized users directly accessing the protected intranet through the extranet. A new scheme for a network security device based on a red-black isolation architecture is proposed. The scheme adopts the design concept of red-black partition and VPN technology based on IPSec framework under Linux. It implements the validity verification of the transmitted data based on the "quintuple" security and security rules and the encapsulation and decapsulation transformation of the IPSec ESP protocol in the red zone, and implements the public network sending and receiving of the ESP encapsulated and encrypted data in the black zone. In this scheme, the security service module implements dynamic switching of encryption algorithms and encryption and decryption of ESP encapsulated data according to external instructions, and uses the security service module as a data exchange channel between the red and black zones to achieve isolation between the internal and external networks and effectively ensure Intranet security.The experimental results show that the network security device based on red-black isolation architecture has the advantages of strong anti-attack capability, replaceable encryption algorithm, and encryption rate of 1 024 bytes packet length greater than 50 Mbit·s^-1 under 100 megabit bandwidth.

Key words: IPSec, red-black isolation, the legality verification of the "five elements" security and confidentiality rules, Linux, ESP protocol, strong anti-attack capability, replaceable encryption algorithm, encryption rate

CLC Number:

TP393.0

GONG Zhi,LIU Chao,FU Qiang. Network Security Device Design Based on Red-Black Isolation Architecture[J].Electronic Science and Technology, 2024, 37(2): 76-86.

Figures/Tables 20

Figure 1.

Figure 2.

Figure 3.

Figure 4.

Figure 5.

Figure 6.

Figure 7.

Figure 8.

Figure 9.

Figure 10.

Figure 11.

Figure 12.

Figure 13.

Figure 14.

Figure 15.

Table 1.

Table 2.

Table 3.

Figure 16.

Table 4.

References 19

[1]	庄建斌. 针对当前网络攻击技术对网络安全防护体系分析[J]. 电脑知识与技术, 2022, 18(5):50-51,58.
	Zhuang Jianbin. Analysis of network security protection system for current network attack technology[J]. Computer Knowledge and Technology, 2022, 18(5):50-51,58.
[2]	耿航. IPSec协议分析[J]. 电子科技, 2014, 27(8):142-143,146.
	Geng Hang. IPSec protocol analysis[J]. Electronic Science and Technology, 2014, 27(8):142-143,146.
[3]	赵菁. IPsec VPN与SSL VPN比较与分析[J]. 数字技术与应用, 2017, 34(10):183-184.
	Zhao Jing. Comparison andanalysis of IPSec VPN and SSL VPN[J]. Digital Technology and Application, 2017, 34(10):183-184.
[4]	朱海水. 基于IPSec的网络安全系统设计与VPN构建实现[J]. 数码世界, 2017(5):151-152.
	Zhu Haishui. IPSec-based network security system desi-gn and VPN construction implementation[J]. Digital Space, 2017(5):151-152.
[5]	胡天麟. 基于IPSec协议的VPN安全网关的设计与实现[J]. 通信电源技术, 2020, 37(3):78-79.
	Hu Tianlin. Design and implementation of VPN securety gateway based on IPSec protocol[J]. Telecom Power Technologies, 2020, 37(3):78-79.
[6]	杨静. 防火墙技术在计算机网络安全中的应用分析[J]. 南方农机, 2018, 49(19):157-167.
	Yang Jing. Analysis of the application of firewall technology in computer network security[J]. China Southern Agricultural Machinery, 2018, 49(19):157-167.
[7]	林宇红, 肖昊. 基于AES算法的eFlash控制器安全设计[J]. 电子科技, 2023, 36(10):62-67.
	Lin Yuhong, Xiao Hao. Security design of eFlash contr-ollerbased on AES algorithm[J]. Electronic Science and Technology, 2023, 36(10):62-67.
[8]	田道坤, 彭亚雄. 在区块链中基于混合算法的数字签名技术[J]. 电子科技, 2018, 31(7):19-23.
	Tian Daokun, Peng Yaxiong. Digital signature technology based on Hybrid algorithm in blockchain[J]. Electronic Science and Technology, 2018, 31(7):19-23.
[9]	张尧, 刘笑凯. 基于国密算法的IPSec VPN设计与实现[J]. 信息技术与网络安全, 2020, 39(6):49-52.
	Zhang Yao, Liu Xiaokai. Design and implementation of IPSec VPN based on national secret algorithm[J]. Cyber Security and Data Governance, 2020, 39(6):49-52.
[10]	李建立, 莫燕南, 粟涛, 等. 基于国密算法SM2、SM3、SM4的高速混合加密系统硬件设计[J]. 计算机应用研究, 2022, 39(9):2818-2825,2831.
	Li Jianli, Mo Yannan, Su Tao, et al. Hardware design of high-speed hybrid encryption system based on SM2,SM3 and SM4 algorithm[J]. Application Research of Computers, 2022, 39(9):2818-2825,2831.
[11]	王骞, 奚正波. 网络安全隔离技术探讨[J]. 中国新通信, 2022, 24(10):113-115.
	Wang Qian, Xi Zhengbo. Network security isolation technology discussion[J]. China New Telecommunications, 2022, 24(10):113-115.
[12]	姜艳龙, 李鹤. 全国产化高速嵌入式网络隔离网闸的硬件实现[J]. 电子世界, 2022(2):109-111.
	Jiang Yanlong, Li He. Hardware implementation of fully localized high-speed embedded network isolation gates[J]. Electronics World, 2022(2):109-111.
[13]	许晓明. 基于双网隔离的网络安全设备研究[J]. 舰船电子工程, 2018, 38(5):5-9.
	Xu Xiaoming. Research on network security equipment based on dual network isolation[J]. Ship Electronic Engineering, 2018, 38(5):5-9.
[14]	Texas Instruments. AM335x sitara processors datasheet[EB/OL].(2018-12-01) [2019-03-01]https://www.ti.com/document-viewer/AM3352/datasheet/device-nomenclature-sprs71745#SPRS71745.
[15]	Altera Corporation. 5CGTFD7D5F27I7N datasheet[EB/OL].(2012-02-01) [2019-03-01]https://html.alldatasheet.com/html-pdf/547120/ALTERA/5CGTD7/2204/10/5CGTD7.html.
[16]	Christian Benvenuti. 深入理解Linux网络技术内幕[M]. 北京: 中国电力出版社, 2009:56-72.
	Christian Benvenuti. Understanding Linuxnetwork internals[M]. Beijing: China Electric Power Press, 2009:56-72.
[17]	张越. 国密IPSec VPN安全机制研究与实现[D]. 西安: 西安电子科技大学, 2019:12-37.
	Zhang Yue. The research and implement of national standa-rd IPSec VPN security mechanism[D]. Xi'an: Xidian University, 2019:12-37.
[18]	Salman F A. Implementation of IPsec-VPN tunneling using GNS3[J]. Indonesian Journal of Electrical Engineering and Computer Science, 2017, 7(3):855-860. doi: 10.11591/ijeecs.v7.i3
[19]	蒋华, 李康康, 胡荣磊. 一种基于StrongSwan的IPSec VPN网关的实现[J]. 计算机应用与软件, 2017, 34(7):79-84.
	Jiang Hua, Li Kangkang, Hu Ronglei. An implementation of IPSec VPN gateway based on StrongSwan[J]. Computer Applications and Software, 2017, 34(7):79-84.

设备	内网IP	外网IP	选用算法	结果
子网1用户	210.150.150.23	无	无	ping 通
网络安全设备1	210.150.150.15	192.168.1.180	SM4
网络安全设备2	11.11.11.11	192.168.1.190	SM4
子网2用户	11.11.11.10	无	无

设备	内网IP	外网IP	选用算法	结果
子网1用户	210.150.150.23	无	无	ping 不通
网络安全设备1	210.150.150.15	192.168.1.180	AES
网络安全设备2	11.11.11.11	192.168.1.190	SM4
子网2用户	11.11.11.10	无	无

设备	内网IP	外网IP	选用算法	结果
子网1用户	210.150.150.23	无	无	ping 通
网络安全设备1	210.150.150.15	192.168.1.180	AES
网络安全设备2	11.11.11.11	192.168.1.190	AES
子网2用户	11.11.11.10	无	无

IP包长/Byte	加密速率/Mbit·s^-1
64	34.1
1 024	50.8
1 280	20.6
1 400	25.1

Network Security Device Design Based on Red-Black Isolation Architecture

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 20

References 19

Related Articles 15

Metrics

Comments

Recommended 10

[1]	JIN Hengkang,ZHANG Yiwen. Research on Design of Synchronous High Speed Acquisition System of Microphone Array Based on ZYNQ [J]. Electronic Science and Technology, 2019, 32(7): 28-32.
[2]	ZHANG Chao-Yuan, SHAO Gao-Beng, HONG Xiang. The Transplanting of embedded Linux Based on Zynq-7000 [J]. , 2018, 31(1): 9-.
[3]	XUAN Liping，WANG Tengshuai. Design of Object Linked Storage System Based on ARM Cortex-A9 [J]. , 2017, 30(9): 105-.
[4]	LIU Yao,GE Shuiying,LI Zhichao. Design and Implementation of Cluster Rendering System Based on Embedded Linux Platform [J]. , 2016, 29(3): 79-.
[5]	CHEN Jin,CHEN Si,WANG Yifan,WANG Zhe. ARM9-based Remote Video Monitoring System for Combine Harvester [J]. , 2016, 29(2): 85-.
[6]	LIU Wei. The Design of Smart Home System Based on ZigBee Technology [J]. , 2016, 29(11): 51-.
[7]	ZHU Enliang,ZHAO Lacai,RU Wei,HU Yufan. Development of USB Device Drivers of Linux [J]. , 2016, 29(1): 108-.
[8]	WANG Dong. Design and Implementation of a Simple Web Server [J]. , 2016, 29(1): 121-.
[9]	WEI Xuesong,SUN Wanrong,WANG Leilei,YUE Zhijia,WANG Danyu. General Data Acquisition and Transmission System Design in Perception Layer [J]. , 2015, 28(7): 157-.
[10]	WANG Xin,KONG Yong. Realization of Touch Screen's Driver with Linux Input Subsystem [J]. , 2015, 28(12): 62-.
[11]	WANG Hengliang,WANG Junchao. Analysis of the Fabrication of Ext 2 Root File System Based on Embedded Linux [J]. , 2015, 28(1): 114-.
[12]	GENG Hang. IPSec Protocol Analysis [J]. , 2014, 27(8): 142-.
[13]	YANG Xiaoan,LUO Jie,SU Hao,BAO Wenbo. High-Speed Image Acquisition and Real-time Processing System Based on Zynq-7000 [J]. , 2014, 27(7): 151-.
[14]	YAN Chenyang,YAN Yisong,LI Taotao. Network Server Design Based on MPC8313E [J]. , 2014, 27(6): 160-.
[15]	XU Shuangxia,ZHOU Yonggang. Design of Z85C30 Device Driver in Embedded Linux [J]. , 2014, 27(5): 116-.