Authors: Gong Zhi [1], Liu Chao [1], Fu Qiang (龚智, 刘超, 付强); [1] Wuhan Maritime Communication Research Institute, Wuhan 430205, China
Source: Electronic Science and Technology (《电子科技》), 2024, No. 2, pp. 76-86 (11 pages)
Funding: National Key R&D Program of China (2016YFB0800304).
Abstract: Data transmission over an IP (Internet Protocol) based space-ground integrated network is exposed to attack. Conventional network security devices based on IPsec (Internet Protocol Security) are built around a single host that connects to both the inner-network and the outer-network processing unit, so an unauthorized user on the outer network risks reaching the protected inner network directly. This paper proposes a new network security device built on a red-black isolation architecture. The scheme combines the red-black partitioning concept with VPN (Virtual Private Network) technology based on the Linux IPsec framework. The red zone handles the transmitted data: it validates each flow against five-tuple security rules and performs IPsec ESP (Encapsulating Security Payload) encapsulation and decapsulation. The black zone sends and receives the ESP-encapsulated, encrypted data on the public network. A security service module switches the encryption algorithm on external command and encrypts and decrypts the ESP-encapsulated data; it is also the only channel for data exchange between the red and black zones, so the inner and outer networks are isolated from each other and the inner network is protected. Experimental results show that the device has strong resistance to attack, that its encryption algorithm can be replaced, and that on a 100 Mbit/s link it encrypts 1024-byte packets at more than 50 Mbit/s.
Keywords: IPsec; red-black isolation; five-tuple security rule validation; Linux; ESP protocol; strong attack resistance; replaceable encryption algorithm; encryption rate
Classification: TP393.0 [Automation and Computer Technology / Computer Application Technology]
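The abstract above describes the red-zone pipeline (five-tuple rule check, then ESP encapsulation or decapsulation) with the security service module doing the cryptography and switching algorithms on command. The Go program below is an added illustration of how those pieces fit together; it is not code from the paper or its device. It models a first-match five-tuple policy with default deny, an ESP security association that frames SPI, sequence number, IV, ciphertext and ICV as in RFC 4303/4106, a receive-side anti-replay window, and a Rekey that swaps AES-128-GCM for AES-256-GCM and resets the SA state. The paper names none of these details, so AES-GCM, the 64-packet window, wildcard matching on empty or zero fields, the random 12-byte nonce used in place of RFC 4106's salt-plus-IV, and every identifier (FiveTuple, Rule, Permit, SA, Rekey, Encapsulate, Decapsulate, RedZoneEgress) are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// FiveTuple identifies a flow; the red zone checks it against the policy before any ESP work.
type FiveTuple struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
	Proto            uint8
}

// Rule is one policy entry. In Pattern an empty IP, zero port or zero protocol is a wildcard (assumed).
type Rule struct {
	Pattern FiveTuple
	Allow   bool
}

// Permit is first-match over rules with an implicit default deny for anything unlisted.
func Permit(rules []Rule, t FiveTuple) bool {
	for _, r := range rules {
		m := r.Pattern
		if (m.SrcIP == "" || m.SrcIP == t.SrcIP) && (m.DstIP == "" || m.DstIP == t.DstIP) && (m.Proto == 0 || m.Proto == t.Proto) &&
			(m.SrcPort == 0 || m.SrcPort == t.SrcPort) && (m.DstPort == 0 || m.DstPort == t.DstPort) {
			return r.Allow
		}
	}
	return false
}

// SA is one ESP security association; its AEAD stands in for the security service module (assumed 64-packet window, RFC 4303 3.4.3).
type SA struct {
	SPI       uint32
	aead      cipher.AEAD
	seqOut    uint32
	seqInHigh uint32 // highest sequence number accepted so far
	window    uint64 // bit i set: seqInHigh-i was already accepted
}

// Rekey installs AES-GCM under key (16 or 32 bytes) and resets sequence state, as a fresh SA would.
func (sa *SA) Rekey(key []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	sa.aead, _ = cipher.NewGCM(block) // cannot fail: the AES block size is always 16 bytes
	sa.seqOut, sa.seqInHigh, sa.window = 0, 0, 0
	return nil
}

// Encapsulate emits SPI || Seq || IV || ciphertext || ICV; the 8-byte ESP header is AEAD associated data (protected, sent in clear).
func (sa *SA) Encapsulate(inner []byte) ([]byte, error) {
	sa.seqOut++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:], sa.seqOut)
	iv := make([]byte, sa.aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return sa.aead.Seal(append(hdr, iv...), iv, inner, hdr), nil
}

// Decapsulate checks length, SPI and replay window, verifies the ICV, and only then slides the window.
func (sa *SA) Decapsulate(pkt []byte) ([]byte, error) {
	ns := sa.aead.NonceSize()
	if len(pkt) < 8+ns+sa.aead.Overhead() || binary.BigEndian.Uint32(pkt) != sa.SPI {
		return nil, fmt.Errorf("esp: malformed packet or unknown SPI")
	}
	hdr, iv, ct := pkt[:8], pkt[8:8+ns], pkt[8+ns:]
	seq := binary.BigEndian.Uint32(hdr[4:])
	if seq == 0 || (seq <= sa.seqInHigh && (sa.seqInHigh-seq >= 64 || sa.window&(1<<(sa.seqInHigh-seq)) != 0)) {
		return nil, fmt.Errorf("esp: replayed, stale or reserved sequence number %d", seq)
	}
	inner, err := sa.aead.Open(nil, iv, ct, hdr)
	if err != nil {
		return nil, fmt.Errorf("esp: ICV check failed")
	}
	if seq > sa.seqInHigh { // slide the window forward; a shift of 64 or more clears it
		sa.window, sa.seqInHigh = sa.window<<(seq-sa.seqInHigh)|1, seq
	} else {
		sa.window |= 1 << (sa.seqInHigh - seq)
	}
	return inner, nil
}

// RedZoneEgress is the red-zone outbound path: five-tuple policy first, ESP only if permitted.
func RedZoneEgress(rules []Rule, sa *SA, t FiveTuple, inner []byte) ([]byte, error) {
	if !Permit(rules, t) {
		return nil, fmt.Errorf("policy: flow %+v denied", t)
	}
	return sa.Encapsulate(inner)
}
```

Two properties of the described design are visible in the code: a denied flow never reaches Encapsulate, so it consumes no sequence number and touches no key material, and Decapsulate consults the replay window before the ICV check but updates it only after, so a forged packet cannot move the window. Rekey models the algorithm switch by replacing the AEAD and resetting the sequence state; a deployment would instead negotiate a new SA under its own SPI, and the black zone would forward the resulting packets without ever holding a key.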