Electronic Science and Technology ›› 2024, Vol. 37 ›› Issue (2): 76-86.doi: 10.16180/j.cnki.issn1007-7820.2024.02.011


Network Security Device Design Based on Red-Black Isolation Architecture

GONG Zhi,LIU Chao,FU Qiang   

  1. Wuhan Maritime Communication Research Institute,Wuhan 430205,China
  • Received:2022-10-29 Online:2024-02-15 Published:2024-01-18
  • Supported by:
    National Key R&D Program of China(2016YFB0800304)


Data transmission in the space-ground integrated network, which is built on IP (Internet Protocol) technology, is vulnerable to malicious attacks. A traditional IPSec (Internet Protocol Security) network security device is designed with a single host connected to both the internal and the external network processing units, which carries the risk that an unauthorized user on the extranet gains direct access to the protected intranet. This paper proposes a new scheme for a network security device based on a red-black isolation architecture. The scheme adopts the design concept of red-black partitioning together with VPN technology built on the IPSec framework under Linux. The red zone verifies the legality of transmitted data against "five-tuple" security and confidentiality rules and performs the encapsulation and decapsulation transformations of the IPSec ESP protocol; the black zone sends and receives the ESP-encapsulated, encrypted data over the public network. A security service module performs dynamic switching of encryption algorithms and the encryption and decryption of ESP-encapsulated data according to external instructions, and serves as the only data exchange channel between the red and black zones, so that the internal and external networks are isolated and intranet security is effectively ensured. Experimental results show that the network security device based on the red-black isolation architecture has strong anti-attack capability, a replaceable encryption algorithm, and an encryption rate greater than 50 Mbit·s-1 for a 1 024-byte packet length under 100 megabit bandwidth.
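To make the red-zone/black-zone data path described above concrete, the following Python model is an added example, not code from the paper or its device: a five-tuple rule check in the red zone, RFC 4303 ESP framing with a pluggable cipher standing in for the security service module, and the opaque ESP bytes that are all the black zone ever handles. The rule table, keys, SPI and the HMAC-counter stand-in cipher are constructed assumptions, not the device's actual rules or algorithms.

```python
import hashlib
import hmac
import ipaddress
import struct
# Constructed red-zone rule table: (src net, dst net, IP protocol, sport range, dport range).
RULES = [(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16"),
          17, range(1024, 65536), range(5000, 5001))]

def red_zone_validate(src, dst, proto, sport, dport):
    """Red zone: admit a packet only if its five-tuple matches a configured rule."""
    return any(ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d
               and proto == p and sport in sp and dport in dp for s, d, p, sp, dp in RULES)

def keystream_cipher(key):
    """Stand-in for the security service module's replaceable cipher (constructed here as an
    HMAC-SHA256 counter keystream keyed on the SPI/sequence header, so no two packets share
    a keystream; XOR means encrypt and decrypt are the same operation)."""
    def xor(header, data):
        out = bytearray()
        for ctr in range(0, len(data), 32):
            block = hmac.new(key, header + struct.pack("!I", ctr), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[ctr:ctr + 32], block))
        return bytes(out)
    return xor

def esp_encapsulate(spi, seq, inner, next_header, cipher, auth_key):
    """Red zone: RFC 4303 ESP framing; the cipher is injected so the algorithm is swappable."""
    pad_len = (-(len(inner) + 2)) % 4                    # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    body = cipher(header, inner + trailer)
    icv = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:16]
    return header + body + icv                           # only this opaque blob crosses to the black zone

def esp_decapsulate(esp, cipher, auth_key):
    """Receiving red zone: verify the ICV before decrypting, then strip the trailer."""
    header, body, icv = esp[:8], esp[8:-16], esp[-16:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        return None                                      # tampered or wrong SA: drop
    plain = cipher(header, body)
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - 2 - pad_len], next_header

def red_black_path(five_tuple, inner, cipher, auth_key, spi=0x1000, seq=1):
    """Whole pipeline: red-zone rule check, then ESP encapsulation through the security
    service module; the returned bytes are all the black zone forwards to the public network."""
    if not red_zone_validate(*five_tuple):
        return None                                      # fails the five-tuple rules: never leaves the red zone
    return esp_encapsulate(spi, seq, inner, 17, cipher, auth_key)
```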

Key words: IPSec, red-black isolation, legality verification against "five-tuple" security and confidentiality rules, Linux, ESP protocol, strong anti-attack capability, replaceable encryption algorithm, encryption rate

CLC Number: 

  • TP393.0