This section introduces eight physical isolation solutions for readers' reference.
1. Dedicated line access scheme
This scheme accesses the Internet through a dedicated line, uses a firewall to protect the entire internal network system, and keeps the external network isolated outside the firewall. The structure of the scheme is shown in Figure 1.
Figure 1 Dedicated access solution
The scheme in Figure 1 has two security weaknesses. The first is the insecurity of the firewall itself: some high-level hacking software can break through the firewall. The second is that, inside the intranet protected by the firewall, if a user terminal connects to the Internet through modem dial-up without regard for confidentiality, and the other terminals take no precautions, the entire network is exposed to hackers, causing serious leakage.
One solution is to use two independent wiring systems, with the computer logging in to the confidential network or the Internet in turn by unplugging and re-plugging the network connection. The problem with this method is that the terminal computer has only one hard disk system. When the computer accesses the external network, it will be invaded by various resident hacker viruses. When the computer then works on the internal network, the virus is spread to the internal network. When the computer goes onto the Internet again, a large amount of network information is leaked, and the information on the computer is completely exposed while it is accessing the external network.
2. Dual hard disk isolation solution
For physical isolation, users can choose the dual hard disk isolation solution. The basic idea is that the client installs two hard disks. When the user logs into the intranet, the intranet hard disk is enabled and the external-network hard disk is disabled; when the user logs into the external network, the external-network hard disk is enabled and the intranet hard disk is disabled. Depending on the network, this solution can be divided into a single network solution and a dual network solution. The single network solution adds a secure hub at the network selection end. The hub is responsible for communicating with the client and connecting to the internal or external network according to the user's choice. This solution is simple to deploy and easy to use, and is suitable for most ordinary users. The structure of the scheme is shown in Figure 2.
Figure 2 Dual hard disk isolation scheme
3. Three network isolation scheme
The internal financial network of many enterprises and institutions is a relatively independent network, isolated from the internal office network. Users of this network who also log in to the Internet and the intranet need to switch between the financial network, the intranet and the external Internet. This solution isolates three networks, is simple to deploy, and is suitable for users with independent small networks. Its structure is shown in Figure 3.
Figure 3 Three network isolation scheme
4. Isolation scheme for providing external services
Many organizations provide external services such as electronic tax filing while requiring internal and external network isolation. When the external Web server accepts electronic tax forms sent from the Internet, it is connected to the external network and disconnected from the internal network. The electronic tax forms are temporarily stored locally. When certain conditions are met, the server disconnects from the external network and connects to the internal network, forwards the electronic tax forms to the internal business system, and at the same time receives the electronic tax forms that the internal business system has finished processing. After the exchange is completed, it disconnects from the internal network again, connects to the external network, and accepts new electronic tax forms. This method is like carrying goods back and forth between the two banks of a river by ship: there is no bridge directly connecting the two banks, and the ship never docks on both banks at the same time. This meets the need for external services while ensuring network security, so the solution can provide external services while achieving physical isolation. Its structure is shown in Figure 4.
Figure 4 Isolation scheme that can provide external services
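The switching sequence described for this scheme can be modelled as a small state machine. The following is an added example, not code from the original article or from any product: the class and function names, the batch-size switch condition and the sample forms are all assumptions made for illustration.

```python
from enum import Enum

class Link(Enum):
    NONE = "none"
    EXTERNAL = "external"
    INTERNAL = "internal"

class ExchangeHost:
    """Constructed model of the ferry host: at most one network attached."""

    def __init__(self, batch_size=2):  # batch_size: assumed switch condition
        self.link = Link.EXTERNAL
        self.batch_size = batch_size
        self.inbound = []    # forms from the Internet, held locally
        self.outbound = []   # completed forms fetched from the intranet
        self.history = [Link.EXTERNAL]

    def _switch(self, target):
        # Break before make: detach the current network, then attach the other.
        for state in (Link.NONE, target):
            self.link = state
            self.history.append(state)

    def receive_external(self, form):
        if self.link is not Link.EXTERNAL:
            raise RuntimeError("external network is disconnected")
        self.inbound.append(form)
        return len(self.inbound) >= self.batch_size  # True: time to ferry

    def ferry(self, internal_system):
        """One round trip: deliver held forms, collect completed ones."""
        self._switch(Link.INTERNAL)
        delivered, self.inbound = self.inbound, []
        self.outbound.extend(internal_system(delivered))
        self._switch(Link.EXTERNAL)
        return delivered

def never_bridged(history):
    # A direct EXTERNAL<->INTERNAL step means both sides were attached at once.
    return all({a, b} != {Link.EXTERNAL, Link.INTERNAL}
               for a, b in zip(history, history[1:]))

def demo():
    host = ExchangeHost(batch_size=2)
    process = lambda forms: [f + ":done" for f in forms]  # stand-in business system
    host.receive_external("form-1")          # constructed sample forms
    if host.receive_external("form-2"):
        host.ferry(process)
    return host.outbound, never_bridged(host.history)
```

The recorded history is what an auditor would check: every change of side passes through the fully disconnected state, and forms arriving while the host is on the internal side are refused rather than queued.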
5. Isolation scheme based on diskless system
Some users hope to strengthen internal management while achieving internal and external network isolation, to prevent internal users from leaking the organization's secrets. Users with this need can adopt an isolation solution based on a diskless system. This solution uses a single hard disk. When the user logs into the intranet, the diskless boot system starts the operating system from the server over the network and blocks local storage devices such as the hard disk, optical drive and floppy drive. The hard disk seen by the user is actually the hard disk image assigned to the user by the server, and the client is equivalent to a thin terminal. In this way, internal users cannot steal internal information through local downloading, removing hard disks, and so on. While isolating the internal and external networks, this solution can effectively prevent information leakage from the internal network. Its structure is shown in Figure 5.
Figure 5 Isolation scheme based on diskless system
6. Standalone access scheme
This scheme is for stand-alone users; generally the secure isolation card HI type is used together with dual hard disks. The structure is shown in Figure 6.
Figure 6 Standalone access solution
This structure has an internal-network hard disk and an external-network hard disk. Whether the user is working on the internal-network or the external-network hard disk, the generated files and data are stored on the hard disk or a floppy disk, which is quite safe.
7. Dual network cable access solution
The dual network cable access solution requires two sets of wiring systems. It applies when the number of users using the Internet is not large: when network wiring interfaces are relatively abundant, the dual network cable method is adopted and the security isolation card type II is used. The structure is shown in Figure 7.
Figure 7 Dual network cable access solution
With the dual network cable access method, confidential users who use the Internet are configured with security isolation card D and dual hard disks. The two network cables are connected to the isolation card at the same time, and are connected to the local network card through the isolation card. The switches on the isolation card are controlled by manual buttons or by software, so that choosing to connect to the intranet also selects the confidential hard disk. Therefore, when installing the card, take care that the internal and external network cables are not reversed.
8. Single network cable access solution
In practical applications, many integrated wiring systems have limited ports at each terminal location, which cannot meet the need for each device to occupy two ports. At this time, the single network cable method must be used, as shown in Figure 8.
Figure 8 Single network cable access solution
This method requires installing a security isolation card I and dual hard disks on each device, and configuring an internal and external network remote switching Hub between the network devices. The terminal is connected through a standard network cable to the internal and external network remote switching Hub in the device management room. The switching Hub is in turn connected to the internal network and the external network respectively. By using the unused 4th, 5th, 7th and 8th wires in the Category 5 network cable, the internal and external network remote switching Hub allows users to flexibly choose to connect to the internal network or the external network.
My name is Lao Liang, a weak current enthusiast who has been in the industry for 12 years.