The most common practice in the network structures deployed by companies and agencies is to establish a local area network that is connected to the external internet through a firewall or NAT (network address translation) device, so that computers within the internal network can access the internet through the firewall, whereas a connection attempt from outside cannot succeed unless it passes the firewall's policy check.
To track and control how computers within the local area network access the internet, most enterprises also set up a proxy server; all computers within the local area network can reach the internet only through it.
FIG. 1 illustrates a typical topology for a local area network connected to a wide area network. It comprises a local area network made up of a number of computers (1), a converter (2) and a router (3), a firewall (4), and the internet (5).
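The topology just described, modelled in code as an added example (it is not part of the patent text and not the applicant's implementation): a small stateful NAT/firewall that lets internal hosts open outbound connections, admits only packets that are replies to a recorded flow, drops any unsolicited inbound packet, and, when a proxy address is configured, refuses direct outbound traffic from any internal host other than the proxy. All addresses, ports and the internal prefix are constructed sample values.

```python
"""Model of an egress-only NAT/firewall with an optional mandatory proxy.

Added example: not from the patent. Addresses are constructed samples
(RFC 1918 / documentation ranges), not any real deployment."""
from dataclasses import dataclass
from typing import Optional

INTERNAL_PREFIX = "192.168.1."   # constructed sample LAN prefix (assumption)
PUBLIC_IP = "203.0.113.10"       # constructed sample public address of the NAT


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Tracks outbound flows so that only their replies are let back in."""

    def __init__(self, proxy_ip: Optional[str] = None) -> None:
        self.proxy_ip = proxy_ip          # if set, only this host may go out directly
        self.by_public_port = {}          # public port -> (int_ip, int_port, rem_ip, rem_port)
        self.by_flow = {}                 # reverse index of the above
        self.next_port = 40000            # constructed starting point for port allocation
        self.log = []                     # (verdict, reason, packet) tuples for review

    @staticmethod
    def _is_internal(ip: str) -> bool:
        return ip.startswith(INTERNAL_PREFIX)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the LAN: enforce the proxy rule, then translate the source."""
        if not self._is_internal(pkt.src_ip):
            self.log.append(("DROP", "non-internal-source", pkt))
            return None
        if self.proxy_ip is not None and pkt.src_ip != self.proxy_ip:
            # Every workstation must go through the proxy; direct egress is refused.
            self.log.append(("DROP", "not-via-proxy", pkt))
            return None
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.by_flow.get(flow)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.by_public_port[pub_port] = flow
            self.by_flow[flow] = pub_port
        self.log.append(("ALLOW", "outbound", pkt))
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the internet: admitted only as a reply to a known flow."""
        flow = self.by_public_port.get(pkt.dst_port)
        if (pkt.dst_ip == PUBLIC_IP and flow is not None
                and flow[2] == pkt.src_ip and flow[3] == pkt.src_port):
            self.log.append(("ALLOW", "reply", pkt))
            int_ip, int_port = flow[0], flow[1]
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
        # No matching outbound flow: this is exactly the "connection attempt from
        # outside" the text says cannot succeed.
        self.log.append(("DROP", "unsolicited-inbound", pkt))
        return None


def demo() -> dict:
    """Run the two scenarios from the text and return the verdict counts."""
    fw = NatFirewall(proxy_ip="192.168.1.2")       # constructed proxy address
    fw.outbound(Packet("192.168.1.2", 51000, "198.51.100.7", 80))   # proxy -> web
    fw.outbound(Packet("192.168.1.5", 51001, "198.51.100.7", 80))   # workstation direct
    fw.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, 40000))        # reply to proxy
    fw.inbound(Packet("198.51.100.9", 22, PUBLIC_IP, 40000))        # unsolicited
    counts = {}
    for verdict, reason, _ in fw.log:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    print(demo())
```

The two dictionaries keep the per-flow state that a real stateful firewall holds in its connection table; the `log` list is what a defender would export to a SIEM, since a steady stream of `unsolicited-inbound` or `not-via-proxy` drops is the first sign that either scanning from outside or a host bypassing the proxy is under way.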
The concept of isolation was developed to protect high-security network environments. Isolation products have gone through five generations of isolation technology, each refined by combining theory with practice, before entering the market.
1st Generation—Absolute Isolation
This method turns the network into an isolated information island by absolute physical isolation. It requires at least two separate networks and systems, on top of which come the inconvenience of information exchange and increased cost, so both operation and maintenance are complicated.
2nd Generation—Isolation Card
This method adds a hardware card on the client side. The hard disk and other storage devices on the client side must connect to the card before being connected to the main board, so the disk and other storage devices are controlled by the card. When a different disk is selected, a different network interface is selected with it, connecting to a different network. However, some of these cards still require a 2-wire network wiring structure, which carries a great potential security risk.
3rd Generation—Data Relay
Isolation is achieved by a data relay system that copies files in a time-sharing manner, which takes a very long time and may even need manual operation. It slows down access and supports none of the frequently used network applications, making network usage impractical.
4th Generation—Air-Gap Switch
The internal and external networks access a temporary cache at different times through a single-pole double-throw switch, by which data exchange is achieved. This method has many problems in both security and performance.
5th Generation—Security Channel Isolation
With this technology, isolation between the internal and external networks and data exchange between them are achieved by security mechanisms such as dedicated session hardware and security protocols. This method solves the problems of the previous technologies: it isolates the internal and external networks effectively, achieves secure data exchange between them efficiently, and supports multiple network applications transparently, and therefore leads the development of current isolation technology.
However, security and convenience are believed to remain the two challenges that 5th generation isolation technology needs to tackle.
The most common approaches to accessing the internet include web, mail and FTP, all of which are flexible and robust. The immense resources on the internet greatly help and ease the interaction between our business and the outside world.
Interaction with the internet includes both obtaining information from it and sharing our own information, or uploading it onto the internet for sharing with others. Internet technology provides hundreds of thousands of means to share or upload our own information, which is convenient for organizations and agencies but carries a great danger of information leakage.
To technically avoid these dangers, most organizations and agencies implement two methods, i.e. protecting the confidential documents by encryption and isolating the network containing these documents from the internet.
The first method, protecting confidential documents by encryption, is inconvenient for users because it controls access to each document with a password and every document needs its own password; centralized key control was developed to address this. However, this raises another problem: since the confidential documents are of different types, reading them requires different file readers, which again complicates password control.
The second method is also used widely. In many deployments the network is divided into two physical networks, each with its own computer connected to it. A large number of related technologies have emerged alongside this, among them the physical isolation card and the network gap. The physical isolation card requires modifying a computer so that its two hard disks are physically isolated from each other and the machine can switch between two different networks. The network gap is designed to isolate the internal and external networks while still allowing the necessary transmission between them.
However, both methods incur increased operating cost and inconvenience. Logical means allow for multiple connections to the internet, but absolute logical isolation is next to impossible. The invention described herein is intended to resolve this dilemma.