
Research On One-way Communication Mechanism For Network Security Isolation And Information Exchange

Posted on: 2016-04-23
Degree: Master
Type: Thesis
Country: China
Candidate: D Chen
Full Text: PDF
GTID: 2308330467479123
Subject: Computer Science and Technology
Abstract/Summary:
With the growing demand for rail service, the current railway system faces great challenges. The railway development and planning strategy group has adopted the intelligent railway as the future direction. To make the railway system run more intelligently and efficiently, the various railway subsystems must be interconnected so that they can cooperate. However, interconnecting networks with different security levels often brings serious network security threats, such as sensitive information leakage, network attacks and intrusions. Traditional network security protection has eased these problems to some extent, but it is still far from the goal of security isolation, and in particular it cannot prevent sensitive information leakage. Faced with new network attacks and the special security needs of railway information systems, how to secure the border between networks with different security levels, and how to implement security isolation and information exchange between networks in the railway information system, have become unavoidable issues in the development of the intelligent railway; this is the topic of this paper.

First, we analysed most of the current network isolation and information exchange technologies and summarised their advantages and disadvantages. On the theoretical side, after studying the classical Bell-LaPadula (BLP) model, we discussed the contradiction between security and availability in one-way communication based on the BLP model. To resolve this contradiction, we introduced the information-flow noninterference model to allow information to flow in the reverse direction through a downgrader, which noticeably improved the availability of the classical BLP security model. On the other hand, to control any potential covert channels introduced by the downgrader, we separated the execution environments of the communication processes using virtualization.
Building on this, we proposed a one-way security isolation and information exchange mechanism that not only forms a double isolation (physical isolation plus virtualized isolation) but also ensures reliable information exchange between networks with different security levels. Finally, based on this mechanism, we designed and implemented a one-way communication gateway. Testing and analysis of the system demonstrated the feasibility of the mechanism. In practice, with the one-way communication gateway we accomplished file, database and email transfer between networks with different security levels, and the gateway was applied in the railway information security protection demonstration system.

In this paper we studied a variety of network isolation technologies. Based on the BLP security model, and combined with the noninterference idea of the information flow model, the proposed mechanism reconciles the contradiction between security and availability well: it not only satisfies the needs of information exchange between networks but also prevents network attacks and sensitive information leakage. In summary, this paper provides a reference, in both theory and technology, for implementing security isolation and information exchange between networks of different security levels in the railway information system.
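To make the security/availability tension concrete, the following added example (illustrative code written for this page, not the thesis's gateway implementation) models the two BLP rules for a two-level lattice, shows why strict BLP leaves the low side with no acknowledgement channel, and adds a trusted downgrader that admits only a fixed acknowledgement vocabulary in the high-to-low direction. The level names, subject and object names, the `ACK`/`NACK` vocabulary and the session scenario are all assumptions chosen for the illustration. The `low_observable` projection gives an informal noninterference check: two runs that differ only in high-side data must look identical to a low-side observer.

```python
from dataclasses import dataclass

# Two-level linear lattice (assumption made for this illustration).
LEVELS = {"low": 0, "high": 1}


@dataclass(frozen=True)
class Subject:
    name: str
    level: str


@dataclass(frozen=True)
class Obj:
    name: str
    level: str


def blp_allows(subject: Subject, obj: Obj, mode: str) -> bool:
    """Classical BLP rules: simple security (no read up) and the
    *-property (no write down)."""
    s, o = LEVELS[subject.level], LEVELS[obj.level]
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    raise ValueError(f"unknown mode {mode!r}")


# Hypothetical trusted downgrader: the only high -> low flow it permits is a
# fixed, content-free acknowledgement token, so the low side learns whether a
# transfer succeeded but nothing about high-side data. Note that the timing or
# ordering of such tokens can still form a covert channel; the abstract
# addresses that by separating execution environments, which is not modelled here.
ACK_VOCABULARY = frozenset({"ACK", "NACK"})


def downgrader_allows(payload: str) -> bool:
    return payload in ACK_VOCABULARY


def mediate(subject: Subject, obj: Obj, mode: str, payload: str = "") -> tuple:
    """Decide one operation at the gateway. Returns (allowed, rule)."""
    if blp_allows(subject, obj, mode):
        return True, "blp"
    if mode == "write" and downgrader_allows(payload):
        return True, "downgrader"
    return False, "denied"


def low_observable(trace):
    """Project a trace onto what a low-side observer can see: payloads that
    actually reached low-level objects."""
    return [payload for (_s, obj, _m, payload, allowed, _rule) in trace
            if allowed and LEVELS[obj.level] == LEVELS["low"]]


def run_session(high_secret: str):
    """Constructed scenario: the low gateway process pushes a file up, the
    high process tries to write raw data back down (must be refused), then
    sends an acknowledgement through the downgrader (allowed)."""
    gw_low, gw_high = Subject("gw-low", "low"), Subject("gw-high", "high")
    high_store, low_queue = Obj("high-store", "high"), Obj("low-ack-queue", "low")
    trace = []
    for subj, obj, mode, payload in (
        (gw_low, high_store, "write", "timetable.csv bytes"),
        (gw_high, low_queue, "write", high_secret),
        (gw_high, low_queue, "write", "ACK"),
    ):
        allowed, rule = mediate(subj, obj, mode, payload)
        trace.append((subj, obj, mode, payload, allowed, rule))
    return trace


if __name__ == "__main__":
    for step in run_session("constructed high-side record"):
        print(step[0].name, step[2], step[1].name, repr(step[3]), "->", step[5])
    print("low view:", low_observable(run_session("constructed high-side record")))
```

Under pure BLP the second and third writes are both refused, which is exactly the availability problem the abstract describes (the low side never learns whether its transfer landed). The downgrader restores the acknowledgement while keeping the low-side view independent of the high-side payload.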
Keywords/Search Tags: One-way Communication, BLP Model, Noninterference, Covert Channel Control