Secure Information Exchange System Based On Physical Isolation Technology

Posted on: 2016-03-03
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Wang
GTID: 2308330464970315
Subject: Computer technology
Abstract/Summary:
With the rapid development and ubiquity of the Internet in recent years, it has become another information revolution worldwide. In China, on the one hand, the Internet plays an increasingly important role in people's daily lives, especially with the flourishing of e-commerce and e-government, which not only bring great convenience but also create enormous wealth. On the other hand, Internet security threats are increasing with new types of attacks, which makes security extremely difficult to maintain. For party, government and military systems, and for special industries and departments such as electric power and banking, intrusion by criminals leads to security issues and can even threaten national security and people's property. With this in mind, some departments isolate the internal network from the Internet, which causes considerable inconvenience for data exchange between the inner and outer networks. Protecting the internal network while maintaining the normal information exchange that business requires is therefore an important but challenging task.

This paper implements a secure information exchange system based on physical isolation technology. The main work of this paper is as follows:

1. Design the overall architecture and working scheme based on the basic principles of physical isolation technology. The thesis designs the structure and communication mechanism on top of the hardware of a physical isolation board. The system consists of an outer-network processing unit, an inner-network processing unit and a network isolation unit. The outer-network processing unit connects to the Internet, which is weak in security, and processes packets from the Internet while forwarding packets from the inner network to the Internet. The inner-network processing unit connects to the internal high-security business network and processes requests from the inner network while forwarding filtered packets from the outer network to the inner network. The network isolation unit provides the physical isolation function: it keeps the inner and outer networks disconnected by means of a logical switch on the hardware, driven by a scheduling control circuit. Appropriate chips and devices are selected, and the hardware device drivers are written for the Linux kernel.

2. Capture packets from the Internet, filter them with a packet filtering firewall, and then forward them to user space for processing. The inner network is disconnected from the Internet at all OSI model layers; protocol stripping and restructuring remove the header of each layer, discarding the protocol of the packets while retaining the effective data and the necessary protocol recovery information. The system also prevents attacks based on communication protocols by exchanging information through writing to and reading from a storage medium, which eliminates the influence of the application layer protocol and the TCP/IP protocol to achieve better network security.

3. Set up the software and hardware environment and test various aspects at runtime. System security was tested through simulated network attacks to ensure that it can resist common network attacks. Data consistency and integrity were verified by comparing the content of the exchanged packets on each side. The stability of the system was tested by long continuous operation to ensure its availability in practical use. With all of the above, the system can exchange information securely, accurately, efficiently and stably on the basis of physical isolation.
Keywords/Search Tags:Computer Network, Physical Isolation, Linux OS, libpcap, Protocol Stripping
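
The protocol stripping described in the second work item of the abstract can be sketched as follows. This is an added example, not code from the thesis: the 16-byte record layout, the function names and the sample frame are assumptions constructed for illustration, and only IPv4/TCP over Ethernet is handled.

```python
import socket
import struct

REC = struct.Struct("!4s4sHHI")  # assumed record: src IP, dst IP, src port, dst port, payload length

def strip_frame(frame: bytes) -> bytes:
    """Outer side: drop Ethernet/IPv4/TCP headers, keep payload + recovery info."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or not ihl + 20 <= total_len <= len(ip):
        raise ValueError("malformed or non-TCP IPv4 packet")
    tcp = ip[ihl:total_len]            # slicing at total_len also discards Ethernet padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4          # TCP header length, options included
    if doff < 20 or doff > len(tcp):
        raise ValueError("bad TCP data offset")
    payload = tcp[doff:]
    return REC.pack(ip[12:16], ip[16:20], sport, dport, len(payload)) + payload

def restore_record(record: bytes) -> dict:
    """Inner side: read the record back from the medium; no header bytes exist here."""
    src, dst, sport, dport, n = REC.unpack_from(record)
    payload = record[REC.size:]
    if len(payload) != n:
        raise ValueError("record length mismatch")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "payload": payload}

def build_sample_frame(payload: bytes) -> bytes:
    """Constructed test frame: Ethernet + IPv4 (no options) + TCP with 4 option bytes."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x18, 1024, 0, 0) + bytes(4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("203.0.113.7"), socket.inet_aton("10.0.0.5"))
    return eth + ip + tcp + payload + bytes(3)   # 3 trailing padding bytes

if __name__ == "__main__":
    rec = strip_frame(build_sample_frame(b"GET /status"))
    print(restore_record(rec))
```

Sequence numbers, flags, TCP options and IP options never reach the record, so the inner side has to open a fresh connection from the recovery fields rather than replay anything the outer peer sent.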