Research on the AirGap Mechanism and Its Implementation
Abstract
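In today's world, information technology is developing rapidly and is powerfully driving social development and the progress of civilization; the level of informatization has become an important measure of a country's modernization and overall national strength. As information technology and the information industry develop, network and information security problems, and their major impact on economic development, national security and social stability, are becoming increasingly apparent.
     China is a developing country whose information industry is still at a developing stage, and it depends heavily on others for both hardware and software. Foreign computer hardware and software may conceal "Trojan horses", which leaves serious security risks. Building a national information security assurance system that is technologically advanced, secure and reliable, and founded on independent research and development is therefore undoubtedly of great strategic significance.
     This thesis first analyzes a number of existing network security technologies, their advantages, disadvantages and scope of application, and on that basis proposes a network security isolation system (the isolation gateway, AirGap) that is isolated at the physical link layer yet can still exchange data with the Internet. It switches back and forth between the internal and external networks, so that at any given moment there is no connection between the two: they are physically isolated, yet logically connected.
     This thesis analyzes and discusses the HTTP protocol in detail, studies the implementation principles and techniques of the isolation gateway (AirGap), and builds a model of it in which USB connects the internal and external networks and the Internet is accessed over HTTP. It then discusses Linux programming, the USB system and USB programming under Linux, and finally presents a preliminary implementation of the system.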
Today, information technology is developing at a very fast pace, effectively promoting the development of human society. As information technology develops, information security has an increasing effect on the security and stability of a state.
    Our country is a developing country. Dependence on other countries for both hardware and software creates serious hidden security risks. Establishing a reliable information security system based on our own technology therefore undoubtedly has very important strategic significance.
    This paper analyzes several existing network security technologies and compares their advantages and disadvantages. Based on this analysis, a network security scheme is proposed. By switching back and forth between the internal and external networks, the scheme isolates the internal network from the external network at the physical link layer at any given time, while keeping them logically linked.
    The HTTP protocol is analyzed in detail, and the realization principle and technology of the scheme are studied. It uses USB to connect the internal network with the external network, and users can access the Internet through the HTTP protocol. Then Linux programming is discussed, and the USB system and USB programming under Linux are studied. Finally, a preliminary programming realization of the scheme is presented.
