1 Introduction
The rapid growth of the Internet has raised the degree of information sharing, and with it the prominence of information security problems, which have to be addressed actively rather than after the fact. The most widely deployed network security measure, at home and abroad, is firewall software. Firewall software, however, has two inherent limitations. First, the networks a firewall separates still exchange information over TCP/IP, and since the TCP/IP protocol itself has weaknesses, a firewall cannot prevent attacks that exploit the protocol. Second, a firewall runs on an operating system; both the operating system and the firewall software have vulnerabilities, and the firewall cannot prevent security problems caused by those vulnerabilities [1]. Corresponding application systems are therefore needed. Based on an analysis of existing firewall and physical isolation technology, this paper proposes a dual-channel real-time switch technology with a buffer. A network isolator built on this technology can carry real-time data. The paper also proposes a design for secure data forwarding in a physically isolated environment, which gives the network isolator good security properties.
2 Principles of physical isolation technology
2.1 Introduction
Physical isolation means that the internal network has no direct or indirect connection to the external network, namely the Internet [2]. Physical isolation technology breaks the connection between the internal and external networks: it does not carry the TCP/IP protocol across the boundary and does not depend on an operating system. It thereby addresses the root cause of the problems described above, namely security failures arising from operating system and TCP/IP protocol vulnerabilities, effectively prevents malicious code, viruses and network intrusions, and meets the confidentiality, integrity, availability, controllability and auditability requirements of network security.
2.2 Physical Isolation Technology
The physical isolation technologies currently in common use at home and abroad are the single hard drive physical isolation card and dual motherboard physical isolation technology.
2.2.1 Single Hard Drive Physical Isolation Card
This technology divides a computer's single hard disk into two partitions at the physical layer, a public one and a secure one, and installs an operating system in each. In operation the user works in one of two mutually exclusive environments, the secure state or the public state, which isolates the internal and external networks from each other. Its disadvantage is that it cannot carry real-time data between the two environments.
2.2.2 Dual motherboard physical isolation technology
The two motherboards exchange data through a dual-port RAM rather than over a network. The dual-port RAM is divided into two areas: the first is the channel for unidirectional data transfer from the intranet client to the extranet server, and the second is the channel for unidirectional data transfer from the extranet client to the intranet server. Normally the intranet and the extranet are disconnected and the dual-port RAM is in a disconnected state; only when there is data to transfer do the two sides exchange it through the dual-port RAM [3].
3 Network Isolator Technology Principle
There are currently two main ways to implement real-time switching in network isolators: SCSI-based switching technology and bus-based switching technology.
A network isolator based on bus real-time switch technology uses dual-port static RAM (dual-port SRAM) with an independent ARM-based control circuit. Each port is connected through a switch to its own computer host, as shown in Figure 1. The ARM control circuit ensures that each port of the dual-port SRAM has a switch and that the two switches are never closed at the same time; writing Ki = 1 for a closed switch and 0 for an open one, the constraint is K1×K2 = 0.
A network isolator based on SCSI switch technology has the same structure as Figure 1, except that the data channel is a SCSI hard disk interface, the storage medium is a SCSI hard disk, and the control unit is a purpose-designed hardware circuit board.
The data exchange works as follows. Taking transfer from the external network to the internal network as an example: the external host strips the TCP/IP and application protocol from the data received from the external network, restores the original data, and checks its integrity and security; once the check passes, the data is handed to the switching device, from which the internal host receives it, re-encapsulates it with the TCP/IP and application protocol, and sends it into the internal network. The reverse direction works the same way.
Take receiving email on the intranet as an example. When data from the external network needs to reach the intranet, the external server initiates a non-TCP/IP data connection to the isolation device. The isolation device strips all protocols and writes the original data to its storage medium. Depending on the application, integrity and security checks such as anti-virus and malicious code scanning may be performed on the data at this point.
Once the data has been completely written to the storage medium, the isolation device immediately disconnects from the external network and instead initiates a non-TCP/IP data connection to the intranet, pushing the stored data to the intranet side. After the intranet side receives the data, it immediately re-encapsulates it with TCP/IP and the application protocol and hands it to the application system.
The intranet email system thus receives the email forwarded by the extranet email system through the isolation device. Once the console receives the signal that the exchange is complete, the isolation device immediately cuts the direct connection between itself and the intranet.
If there is an email to send from the intranet, the isolation device establishes a non-TCP/IP data connection with the intranet on receiving the intranet's connection request, strips all TCP/IP and application protocols to obtain the original data, and writes it to its storage medium, again with anti-virus and malicious code processing if required. It then breaks the direct connection with the intranet and pushes the data to the external network in the same way. Once the console has received the data and completed processing, it immediately breaks the connection between the isolation device and the external network and returns to the fully isolated state.
Each data exchange thus passes through three stages in the isolation device: receiving, storing, and forwarding. Because these rules are implemented in memory and in the kernel, speed is guaranteed, and reference [4] reports that the full processing capacity of the bus can be reached.
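The receive, store and forward cycle above, with the K1×K2 = 0 switch rule enforced at every step, as an added simulation that is not code from this paper or from any isolator product. The frame layout, the size limit, the blocked-signature list standing in for the anti-virus check, and the sample emails are all constructed assumptions; the point it shows is that only the stripped payload ever reaches the storage medium, that a rejected payload is never written at all, and that the two switches are never closed together.

```python
"""Simulation of the receive / store / forward cycle of a network isolator.

Added example, not code from the paper: the frame layout, the content
checks and the sample messages are constructed assumptions made so the
cycle described in the text can be run and its switch invariant checked.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_PAYLOAD = 4096                                  # assumed size limit
# Constructed signature list standing in for the anti-virus / malicious
# code check the text mentions; a real device would run a scanner here.
BLOCKED_SIGNATURES = (b"MZ", b"<script", b"\x7fELF")


@dataclass
class Isolator:
    """Storage medium with one switch per side; K1 * K2 must stay 0."""
    k1: int = 0                         # external host <-> medium
    k2: int = 0                         # internal host <-> medium
    medium: Optional[bytes] = None
    switch_log: list = field(default_factory=list)

    def _switch(self, k1: int, k2: int) -> None:
        # The ARM control circuit's rule: never both sides at once.
        if k1 * k2 != 0:
            raise RuntimeError("K1 x K2 must be 0: both sides connected")
        self.k1, self.k2 = k1, k2
        self.switch_log.append((k1, k2))

    def write_from_external(self, raw: bytes) -> None:
        self._switch(1, 0)              # connect external side only
        self.medium = raw
        self._switch(0, 0)              # back to the fully isolated state

    def read_to_internal(self) -> bytes:
        self._switch(0, 1)              # connect internal side only
        raw = self.medium
        self.medium = None
        self._switch(0, 0)
        return raw


def strip_protocol(frame: dict) -> bytes:
    """External unit: discard every header; only the payload may cross."""
    return frame["payload"]


def check_payload(raw: bytes) -> bool:
    """Integrity / security check run on the stripped data."""
    if len(raw) > MAX_PAYLOAD:
        return False
    return not any(sig in raw for sig in BLOCKED_SIGNATURES)


def encapsulate(raw: bytes, dst: str) -> dict:
    """Internal unit: wrap the raw data in fresh headers of its own."""
    return {"ip": {"dst": dst}, "app": "smtp", "payload": raw}


def forward(frame: dict, iso: Isolator, internal_dst: str) -> Optional[dict]:
    """One exchange, external -> internal. Returns None if rejected."""
    raw = strip_protocol(frame)
    if not check_payload(raw):
        return None                     # nothing is written to the medium
    iso.write_from_external(raw)
    return encapsulate(iso.read_to_internal(), internal_dst)


# Constructed sample frames; the headers mimic what the external host sees
# and never cross the device (note the IP option bytes are dropped).
CLEAN_MAIL = {"ip": {"src": "203.0.113.7", "opts": b"\x07"}, "app": "smtp",
              "payload": b"Subject: report\r\n\r\nQ3 figures attached.\r\n"}
HOSTILE_MAIL = dict(CLEAN_MAIL, payload=b"MZ\x90\x00" + b"\x00" * 64)

if __name__ == "__main__":
    iso = Isolator()
    print(forward(CLEAN_MAIL, iso, "10.0.0.25"))
    print(forward(HOSTILE_MAIL, iso, "10.0.0.25"))
    print(iso.switch_log)
```

The internal-to-external direction is the mirror image: swap which side calls `write_from_external`/`read_to_internal`; the switch log will again alternate between a single closed switch and the fully open state.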
4 Isolation Hardware Design
Data exchange in the network isolator is carried out by reading and writing the storage chip on the isolation hardware. The storage chip is the data exchange area shared by the internal and external networks, and the design of its access determines the data exchange speed of the network isolator. To meet the speed requirement, dual-channel real-time switch technology with a buffer is adopted.
The dual-port static memory is divided into two storage areas A and B.
The external host can only write to A or read from B through K1, and the internal host can only read from A or write to B through K2. The constraints on K1 and K2 are K1a×K2c = 0 and K1b×K2d = 0. This converts the bidirectional data channel into two unidirectional channels. It improves on the original design, in which while one of the internal and external processing units was reading or writing the isolation hardware the other could not access it at all: now both sides can be in a read-read or write-write state at the same time. The structure still has a read-write conflict, however. While the external host is writing A through K1, the internal host cannot read A, and while the internal host is reading A, the external host cannot write A; area B behaves the same way. Hence the dual-channel real-time switch technology with a buffer is proposed.
Figure 2 is a schematic diagram of the dual-channel real-time switch technology with a buffer.
Areas A and B are each divided into N equal sub-areas ai and bi (1≤i≤N), and the constraints on K1 and K2 become K1ai×K2ai = 0 and K1bi×K2bi = 0.
With this refinement, while one of the internal and external hosts accesses ai or bi, the other can still access aj or bj (i≠j). This reduces the chance of a read/write conflict and raises the utilization of the data channel, which increases the data exchange speed between the internal and external networks.
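A tick-level simulation of area A under the per-slot rule K1ai×K2ai = 0, added here as an illustration and not taken from the paper. The timing model (one slot written and one slot read per tick), the block count and the pattern of ticks on which the internal host is busy are constructed assumptions. It shows what the text argues qualitatively: with N = 1 the two hosts must alternate, with N = 2 they pipeline, and with N = 4 the extra slots also absorb periods in which the internal host is not reading, so the external host is blocked less often and finishes sooner.

```python
"""Tick-level simulation of the buffered dual-channel switch, area A only
(external host writes, internal host reads). Added example, not code from
the paper: the one-slot-per-tick timing model, the block count and the
reader stall pattern are constructed assumptions.
"""


def simulate(n_slots: int, n_blocks: int, reader_stalls=frozenset()) -> dict:
    """Push n_blocks through area A divided into n_slots sub-areas a_i.

    Per tick the external host may close K1a_i on one empty slot and write
    it; the internal host may close K2a_j on one full slot and read it,
    unless the tick is in reader_stalls (internal host busy elsewhere).
    The controller rejects any tick with K1a_i x K2a_i != 0 for some i.
    """
    full = [False] * n_slots          # slot holds data not yet read
    next_write = 0                    # index of the block written next
    next_read = 0                     # index of the block read next
    ticks = writer_blocked = 0
    writer_done = None                # tick at which the last block was written
    trace = []                        # (K1a_1..N, K2a_1..N) per tick
    while next_read < n_blocks:
        k1 = [0] * n_slots
        k2 = [0] * n_slots
        w = next_write % n_slots      # slots are used in round-robin order
        r = next_read % n_slots
        if next_write < n_blocks:
            if full[w]:
                writer_blocked += 1   # would overwrite unread data: wait
            else:
                k1[w] = 1
        if full[r] and ticks not in reader_stalls:
            k2[r] = 1
        # The per-slot exclusion rule from the text, checked every tick.
        if any(a * b for a, b in zip(k1, k2)):
            raise RuntimeError("K1a_i x K2a_i = 0 violated")
        if k1[w]:
            full[w] = True
            next_write += 1
        if k2[r]:
            full[r] = False
            next_read += 1
        ticks += 1
        trace.append((tuple(k1), tuple(k2)))
        if writer_done is None and next_write == n_blocks:
            writer_done = ticks
    return {"ticks": ticks, "writer_done": writer_done,
            "writer_blocked": writer_blocked, "trace": trace}


def invariant_holds(trace) -> bool:
    """True if no tick had both switches of the same slot closed."""
    return all(a * b == 0 for k1, k2 in trace for a, b in zip(k1, k2))


if __name__ == "__main__":
    # Constructed scenario: 8 blocks, internal host busy on ticks 2..4.
    stalls = frozenset({2, 3, 4})
    for n in (1, 2, 4):
        res = simulate(n, 8, stalls)
        print(f"N={n}: total ticks {res['ticks']}, external host done at "
              f"tick {res['writer_done']}, blocked {res['writer_blocked']} "
              f"times, invariant {invariant_holds(res['trace'])}")
```

With N = 1 the run takes 18 ticks and the external host is blocked 9 times; with N = 2 it takes 12 ticks and the writer is blocked 3 times; with N = 4 the total is still 12 ticks (the internal host's reads are the bottleneck) but the writer is blocked only once and finishes at tick 9 instead of 11, which is the buffering effect the section describes.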
5 Design of data security forwarding solution in physical isolation environment
The design goal of the data security forwarding solution in a physically isolated environment is to achieve secure, dynamic, and real-time data exchange under the premise of isolating the internal and external networks.
The data storage and forwarding architecture consists of an external network processing unit, a data forwarding area, an internal network processing unit, a physical isolation module, an on-off control circuit and other functional parts. Among them:
(1) The external network processing unit is responsible for determining and collecting external network data according to the needs of internal network users, for example a specified target website to be visited.