With the spread of the Internet around the world and the deepening of China's informatization, LAN users' need for Internet access keeps growing, and the network security problems that come with it have become increasingly prominent.
Some LANs, especially those in departments with extremely high security requirements, are strictly forbidden from connecting directly to the Internet. In 2000 the State secrets protection authority issued the Regulations on Security Management of International Networking of Computer Information Systems, which stipulate that "computer information systems involving State secrets must be physically isolated from the Internet and other public information networks, whether the connection would be direct or indirect". The traditional way for such LANs to obtain information from the Internet is to use offline browsing software such as Teleport to collect data from the Internet and then copy it manually to the internal LAN. This guarantees network security but brings a great deal of inconvenience to everyday work. First, this kind of offline software cannot handle invalid links in the collected data; second, every collection run has to be started by hand and cannot be triggered automatically by application needs; moreover, because every step is manual, productivity is very low, and as the demand for information grows, so does the labour involved. To resolve the contradiction between these growing information needs and information security, we have researched and developed an "Internet information security acquisition system" based on physical isolation on the Red Hat Linux platform. The Internet information security acquisition system is system software that lets users browse Internet network resources securely while guaranteeing that, at any moment, the LAN and the Internet are physically isolated. It provides users with a secure network environment based on physical isolation, together with information acquisition, load balancing, automatic forwarding, and information management and control functions.
System logical structure
The Internet information security acquisition system consists of three parts: the collection server (or server group), the intermediate server (including the physical isolator), and the internal server. The main design idea is to connect the LAN to the Internet indirectly through the intermediate server: what LAN users actually browse during their "online" sessions is content served by the internal LAN server, while the collection server, acting as a simulated Internet user on behalf of the LAN, automatically downloads the content of the specified websites from the Internet. The intermediate server guarantees that it is never connected to the LAN and the Internet at the same time: when it is connected to the internal LAN, its connection to the Internet is completely cut off, both physically and in software configuration, and vice versa. In this way, nothing from the Internet can enter the internal LAN, and the internal LAN is never actually connected to the Internet; the security of the whole system therefore rests mainly on the intermediate server. The logical structure of the system is shown in Figure 1.

Figure 1: Logical structure of the Internet information security acquisition system

As Figure 1 shows, the collection server cluster connects to the Internet through RAS or other means and is physically isolated from the internal LAN by the physical isolator. Through the isolator, the middle management server establishes a connection either with the collection server or with the internal server, but at any moment it can be connected to only one of the two, never both. The specially designed physical isolator ensures that the circuit between the collection server and the internal server is always broken.

1. Collection server (group). The collection server (group) collects information from the Internet, so its network interface must be configured so that it can reach Web services on the Internet through the firewall. Within a collection server group there must logically be one collection manager, and at most one. The collection manager provides a network database (MySQL server) and a network share (NFS server) that the collection servers in the group can access, and an FTP directory (FTP server) that the intermediate server can access. Because the collection manager is administered through a Web interface, it must also provide Web services (HTTP server). Likewise, there must logically be at least one collection server; each collection server must be able to reach the Internet to collect information and must be able to access the collection manager's database (MySQL client) and network share (NFS client).
2. Intermediate server. The intermediate server takes the collected information from the collection manager and forwards it to the LAN server for publishing, so its network interface must be configured so that it can access both the collection manager and the LAN server. The intermediate server must be able to access the FTP directories of the collection manager and the LAN server (FTP client).
3. LAN server. The LAN server publishes information to the internal LAN, so its network interface must be reachable from the computers on the internal LAN. Because the LAN server publishes the collected information, it must provide Web services (HTTP server) and an FTP directory (FTP server) that the intermediate server can access.
The collection server and the internal LAN server can each consist of one or more computers, and new servers can be added at any time according to system sizing and demand, so the system's collection capacity is dynamically adjustable.
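As an added illustration (not code from the paper's system, which was built in PHP and C on Red Hat Linux), the following Python model captures the one-side-at-a-time rule that the intermediate server and its physical isolator enforce, together with the pull-then-push forwarding cycle over the two FTP directories. The class names, the in-memory dictionaries standing in for the FTP directories, the transition log, and the sample file are constructed assumptions made for this example.

```python
"""Model of the intermediate server's one-side-at-a-time rule.

Added illustration; not the system's own code. The class names, the
in-memory "FTP directories" and the sample file are constructed
assumptions. The real system used a hardware isolator and FTP servers.
"""
from __future__ import annotations

from dataclasses import dataclass, field

COLLECTOR = "collection_manager"   # Internet-facing side
INTERNAL = "lan_server"            # internal-LAN side


class IsolationViolation(Exception):
    """Raised when a transition would wire the middle box to both sides."""


@dataclass
class Isolator:
    """Tracks which side (if any) the intermediate server is connected to."""
    connected: str | None = None
    log: list[str] = field(default_factory=list)

    def connect(self, side: str) -> None:
        if side not in (COLLECTOR, INTERNAL):
            raise ValueError(f"unknown side {side!r}")
        if self.connected is not None and self.connected != side:
            raise IsolationViolation(
                f"already connected to {self.connected}; disconnect first")
        self.connected = side
        self.log.append(f"connect {side}")

    def disconnect(self) -> None:
        if self.connected is not None:
            self.log.append(f"disconnect {self.connected}")
            self.connected = None


@dataclass
class IntermediateServer:
    """Staging host: pulls from the collector side, then pushes inward."""
    isolator: Isolator = field(default_factory=Isolator)
    staging: dict[str, bytes] = field(default_factory=dict)

    def pull(self, collector_ftp: dict[str, bytes]) -> int:
        """Fetch finished downloads from the collection manager's FTP dir."""
        self.isolator.connect(COLLECTOR)
        try:
            self.staging.update(collector_ftp)
            n = len(collector_ftp)
            collector_ftp.clear()
        finally:
            self.isolator.disconnect()   # always break the circuit
        return n

    def push(self, lan_ftp: dict[str, bytes]) -> int:
        """Forward staged files to the LAN server's FTP dir, then clear."""
        self.isolator.connect(INTERNAL)
        try:
            lan_ftp.update(self.staging)
            n = len(self.staging)
            self.staging.clear()
        finally:
            self.isolator.disconnect()
        return n

    def forward_cycle(self, collector_ftp, lan_ftp) -> tuple[int, int]:
        return self.pull(collector_ftp), self.push(lan_ftp)


def never_both_sides(log: list[str]) -> bool:
    """Audit a transition log: no connect may open while another side is open."""
    open_side = None
    for entry in log:
        action, side = entry.split(" ", 1)
        if action == "connect":
            if open_side is not None and open_side != side:
                return False
            open_side = side
        else:
            open_side = None
    return True


def demo() -> tuple[int, int, bool, bool]:
    # Constructed sample: one finished download waiting on the collector side.
    collector_ftp = {"task42/index.html": b"<html>constructed sample</html>"}
    lan_ftp: dict[str, bytes] = {}
    mid = IntermediateServer()
    pulled, pushed = mid.forward_cycle(collector_ftp, lan_ftp)
    # A direct attempt to bridge both sides is refused by the isolator.
    try:
        mid.isolator.connect(COLLECTOR)
        mid.isolator.connect(INTERNAL)
        bridged = True
    except IsolationViolation:
        bridged = False
    finally:
        mid.isolator.disconnect()
    return pulled, pushed, bridged, never_both_sides(mid.isolator.log)


if __name__ == "__main__":
    print(demo())
```

The `finally` blocks are the important part of the model: whatever happens during a transfer, the isolator is returned to the disconnected state before the other side can be opened, and `never_both_sides` lets an auditor confirm the invariant from the transition log after the fact.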
System function modules
Functionally, the system can be divided into five parts: the network configuration and system security management module, the task queue management module, the collector queue management module, the scheduling and coordination management module, and the internal server management module. The module framework is shown in Figure 2.

Figure 2: Function modules of the Internet information security acquisition system

◆ The network configuration and system security management module is the protection and control centre of the whole system. It covers the physical isolator, the firewall and user management, and is responsible for ensuring that information flows normally throughout the system.
◆ The task queue management module receives and records requests for Internet access, defines and generates download tasks from them, and submits the tasks to the scheduling and coordination management module.
◆ The collector queue management module manages the collection server cluster and supplies the scheduling and coordination management module with collectors that can complete Internet download tasks.
◆ The scheduling and coordination management module distributes specific tasks sensibly across the collectors and sends the task results returned by the collectors on to the internal server cluster.
◆ The internal server management module receives and processes the downloaded information and finally provides internal LAN users with a virtual online environment.

The Internet information security acquisition system uses Red Hat 7.2 as its network operating system, Apache as the Web server, MySQL as the database platform, and PHP and standard C as development tools.
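The division of labour between the task queue, collector queue and scheduling modules can be shown with a small Python model. This is an added example, not the system's own PHP/C code; the least-loaded dispatch policy, the collector capacities, the sample URLs and the in-memory queues are all constructed assumptions made for the illustration.

```python
"""Task queue, collector queue and scheduler, modelled in Python.

Added illustration of the module split described in the text; not the
system's own code. Collector names, capacities, the least-loaded policy,
the sample URLs and the in-memory queues are constructed assumptions.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass
class Task:
    task_id: int
    url: str
    status: str = "queued"          # queued -> assigned -> done | failed
    collector: str | None = None


@dataclass
class Collector:
    """One entry in the collector queue: a collection server and its load."""
    name: str
    capacity: int                    # concurrent downloads it may run
    running: list[int] = field(default_factory=list)

    def free_slots(self) -> int:
        return self.capacity - len(self.running)


class Scheduler:
    """Distributes queued tasks to collectors and routes results inward."""

    def __init__(self, collectors: list[Collector]):
        self.collectors = {c.name: c for c in collectors}
        self.task_queue: deque[Task] = deque()        # task queue module
        self.tasks: dict[int, Task] = {}
        self.internal_queue: list[Task] = []          # results for the LAN server
        self._next_id = 1

    def submit(self, url: str) -> int:
        """Task queue: record an access request and turn it into a task."""
        task = Task(self._next_id, url)
        self._next_id += 1
        self.tasks[task.task_id] = task
        self.task_queue.append(task)
        return task.task_id

    def dispatch(self) -> list[tuple[int, str]]:
        """Assign queued tasks to the collector with the most free slots."""
        assigned = []
        while self.task_queue:
            candidates = [c for c in self.collectors.values() if c.free_slots() > 0]
            if not candidates:
                break                                  # everyone busy; wait
            target = max(candidates, key=lambda c: c.free_slots())
            task = self.task_queue.popleft()
            task.status, task.collector = "assigned", target.name
            target.running.append(task.task_id)
            assigned.append((task.task_id, target.name))
        return assigned

    def report(self, task_id: int, ok: bool) -> None:
        """Collector callback: free the slot; forward a result or record failure."""
        task = self.tasks[task_id]
        self.collectors[task.collector].running.remove(task_id)
        task.status = "done" if ok else "failed"
        if ok:
            self.internal_queue.append(task)

    def summary(self) -> dict[str, int]:
        counts: dict[str, int] = {}
        for t in self.tasks.values():
            counts[t.status] = counts.get(t.status, 0) + 1
        return counts


def demo() -> tuple[list[tuple[int, str]], list[int], dict[str, int]]:
    # Constructed scenario: two collectors with three slots between them.
    sched = Scheduler([Collector("c1", capacity=2), Collector("c2", capacity=1)])
    for url in ("http://example.com/a", "http://example.com/b",
                "http://example.com/c", "http://example.com/d"):
        sched.submit(url)
    first = sched.dispatch()          # 3 slots -> 3 assignments, 1 task waits
    sched.report(1, ok=True)
    sched.report(2, ok=False)         # e.g. an invalid link; not forwarded
    second = sched.dispatch()         # the waiting task now gets a slot
    sched.report(3, ok=True)
    sched.report(4, ok=True)
    forwarded = [t.task_id for t in sched.internal_queue]
    return first + second, forwarded, sched.summary()


if __name__ == "__main__":
    print(demo())
```

A failed download is recorded but never placed on the internal queue, so only material a collector actually retrieved is handed on to the internal server cluster; the scheduler also never assigns more work than the collector queue reports capacity for.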