Can you help me look at an internal/external network isolation scheme in which files only go inward over a unidirectional transmission? Is it reliable?

Time:10-14

Can you help me look at an internal/external network isolation scheme in which files only go inward over a unidirectional transmission? Is it reliable?
This is a one-way network gateway:
The requirement is internal and external network isolation, with files only going inward over a unidirectional transmission:
My plan:
The intranet has an intranet front-end machine, the external network has an external-network front-end machine,
The intranet front-end and external-network front-end machines sit in the server room, in sealed network cabinets,
Between the external-network front-end and the intranet front-end, place a one-way adapter, guaranteeing that the physical layer, data link layer and network layer are all one-way,
Write a one-way file transmission program based on UDP, with no handshake signals and no feedback mechanism; everything is purely one-way data,
----------
Can you take a look at whether this is unreliable anywhere?
Thank you very much!

CodePudding user response:

UDP has no handshake.
If your file transfer process is carried out by your program, then seal off all ports, leaving only your program's, and then set up a "role" in the program (intranet side, extranet side) that controls which communication is allowed and which is not.

CodePudding user response:

I am also worried about these two front-end machines being breached (the intranet front-end from the intranet side, the external-network front-end from the external network).
Are there any good precautionary measures?

CodePudding user response:

Your problem now is that the requirements have not been sorted out; I suggest you decompose the requirements again. Don't tell me; go over the complete process in your own mind, analyze every detail, and after the analysis write it out, so that everyone can analyze the plan carefully and give suggestions, such as:

What difference does having an external-network front-end make?
That is, what is the difference between a file going through the external-network front-end, then through the firewall, to the intranet front-end, versus the file going directly through the firewall to the intranet front-end?

In addition, after the file reaches the intranet front-end, how is the file used? Will the file flow out from the intranet front-end? Or is the file processed on the intranet front-end and never moved after processing?

How does your communication work? External-network machine to external-network front-end, external-network front-end to intranet front-end, intranet front-end to the machines behind it: in this process, is it software you wrote that handles it? Or do you use standard protocols?

CodePudding user response:

You need to consider two parts: server security and communication security.

CodePudding user response:

What difference does having an external-network front-end make?

We have separate intranet and extranet machines; employees have an intranet machine and an extranet machine at the same time. The extranet machine is used for collecting information from the Internet, the intranet machine for work (software development).

The external-network front-end is used by the extranet machines to collect the data to be sent to the intranet.

The intranet front-end is for delivering extranet information one-way into the intranet front-end machine, from which the intranet machines can fetch the data.

The intranet front-end and the external-network front-end are both confined in the server room.

The intranet front-end, the external-network front-end and the communication software together form a one-way network gateway, a network isolation belt.

If the communication software is ready-made one-way file synchronization software, I don't know whether it is safe.

How can this intranet front-end, external-network front-end and communication software avoid being breached?

CodePudding user response:

Cancel the external-network front-end.
Look at how the data is classified: does everyone have their own upload directory, or do all people share one upload directory?
On the intranet front-end, share out everyone's upload directory (or the shared one), and set NTFS permissions on the shared directory: only allow creating files and creating folders. In this case the shared folder can only be written to: files cannot be opened, the file list cannot be viewed, and nothing can be modified.

If you must use the current structure, you only need to block all ports on the external-network front-end and all ports on the intranet front-end, opening only the intranet front-end's listening port that receives files.

CodePudding user response:

Separate folders for each person.
Canceling the external-network front-end and relying only on the intranet front-end means one less layer of isolation, and in fact the external network then connects through to the intranet.
With my current structure, as long as the "barrier" design is reasonable, it should be "one-way".

CodePudding user response:

A firewall can block it; make a policy that blocks all ports other than the file sharing port. Similarly, you can also use FTP to implement the requirement of a folder that can be uploaded to but not read.

Your current structure is fine; there is just one more dispensable front-end. What you have to do is still block all ports in both directions on the firewall, opening only the listening port in the direction from the external-network front-end to the intranet front-end so it can receive files.

CodePudding user response:

But this network is still physically connected through, isn't it? What if the firewall is breached?
Also, please recommend a firewall, thanks a lot!

CodePudding user response:

Our company is doing just that, but it is difficult to guarantee performance, or there is packet loss again; we want it to travel fast but also have to do data encapsulation. I do
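The thread's plan (a UDP file transmission with no handshake and no feedback) and the last reply's packet-loss and encapsulation concern both come down to the same receiver-side problem: with no return channel, the receiving side can never ask for a retransmit, so every datagram has to carry enough framing that loss and corruption are at least detected before a file is released to the intranet. The following is an added example written for this page, not code from any poster or product in the thread: the frame layout (`OWFT` magic, file id, sequence number, total chunk count, payload length), the SHA-256 manifest in chunk 0 and the loopback addresses are all constructed assumptions.

```python
"""One-way (feedback-free) UDP file framing with loss and integrity detection.

Added example, not code from the thread. Frame format and manifest layout are
constructed here; a real deployment would also rate-limit the sender and log
every incomplete or failed file on the receiving side.
"""
import hashlib
import socket
import struct

MAGIC = b"OWFT"                  # constructed frame marker, rejects stray datagrams
HDR = struct.Struct("!4sIIIH")   # magic, file_id, seq, total_chunks, payload_len
CHUNK = 1024                     # payload bytes per datagram (keeps frames under MTU)


def encapsulate(file_id, data, chunk=CHUNK):
    """Split a file into self-describing datagrams.

    Chunk 0 is a manifest: SHA-256 of the whole file plus its length, so the
    receiver can verify completeness without ever replying to the sender.
    """
    body = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    manifest = hashlib.sha256(data).digest() + struct.pack("!Q", len(data))
    payloads = [manifest] + body
    total = len(payloads)
    return [HDR.pack(MAGIC, file_id, seq, total, len(p)) + p
            for seq, p in enumerate(payloads)]


def parse_frame(frame):
    """Validate header fields; return (file_id, seq, total, payload) or None."""
    if len(frame) < HDR.size:
        return None
    magic, file_id, seq, total, plen = HDR.unpack_from(frame)
    if magic != MAGIC or seq >= total or len(frame) != HDR.size + plen:
        return None
    return file_id, seq, total, frame[HDR.size:]


class Reassembler:
    """Collect chunks per file id, report gaps, and verify the manifest hash.

    Because there is no return channel, loss can only be detected and reported
    on the receiving side; it cannot be repaired by asking for a resend.
    """

    def __init__(self):
        self.files = {}  # file_id -> (total_chunks, {seq: payload})

    def feed(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return  # malformed or foreign datagram: drop silently
        file_id, seq, total, payload = parsed
        total_known, chunks = self.files.setdefault(file_id, (total, {}))
        if total_known != total:
            return  # conflicting header for the same file id: discard
        chunks.setdefault(seq, payload)  # duplicates keep the first copy

    def missing(self, file_id):
        total, chunks = self.files[file_id]
        return [s for s in range(total) if s not in chunks]

    def finish(self, file_id):
        """Return (data, problems); data is None unless complete and hash-valid."""
        gaps = self.missing(file_id)
        if gaps:
            return None, gaps
        total, chunks = self.files[file_id]
        manifest = chunks[0]
        expected_hash = manifest[:32]
        expected_len = struct.unpack("!Q", manifest[32:40])[0]
        data = b"".join(chunks[s] for s in range(1, total))
        if len(data) != expected_len or hashlib.sha256(data).digest() != expected_hash:
            return None, ["integrity"]
        return data, []


def send_one_way(frames, addr):
    """Sender side: fire-and-forget; nothing is ever read back from the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for f in frames:
            s.sendto(f, addr)


def receive_one_way(sock, file_id, timeout=2.0):
    """Receiver side: listen only; stop when the file is complete or the line goes quiet."""
    r = Reassembler()
    sock.settimeout(timeout)
    while True:
        try:
            frame, _ = sock.recvfrom(65535)
        except socket.timeout:
            break
        r.feed(frame)
        if file_id in r.files and not r.missing(file_id):
            break
    return r.finish(file_id) if file_id in r.files else (None, ["nothing received"])


if __name__ == "__main__":
    # Loopback stand-in for the diode's receive side (constructed sample data).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        sample = b"constructed sample document\n" * 200
        send_one_way(encapsulate(1, sample), rx.getsockname())
        data, problems = receive_one_way(rx, 1)
        print("received OK" if data == sample else f"problems: {problems}")
```

The design point is that a dropped or altered datagram yields an explicit failure report on the intranet side rather than a silently truncated file; the only remedy available in a true one-way setup is for the sender to re-send the whole file on a schedule, which is the performance cost the last reply alludes to.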