The present invention relates to a unidirectional relay device that allows data to travel only in one direction.
As the related art, for example, in PTL 1, it is an object thereof to obtain “a simplex communication device configured such that only simplex data transmission is performed and an intrusion in a reverse direction is prevented” (see the Abstract), and in order to achieve such an object, it is described that “the simplex communication device includes a first component configured to perform only simplex data communication for transmitting data received from a data transmission source by an asynchronous protocol, and a second component configured to perform only simplex data communication for transmitting data received from the first component by an asynchronous protocol to a data transmission destination, in which the first component receives data transmitted from the data transmission source via a first network through IP communication, and the second component receives data from the first component by an asynchronous protocol” (see claim 1).
In PTL 2, it is an object thereof to “provide a data communication system having higher safety against an attack on a computer”, and in order to achieve such an object, it is described that “the data communication system includes a first computer 1 including a data transmission processing unit 110, a second computer 2 including a data reception processing unit 20, and a communication line 3 that connects the first computer 1 and the second computer 2, in which the communication line 3 performs unidirectional communication by excluding a signal line for transmitting data from the second computer 2 to the first computer 1. Thus, an attack from the outside on the first computer 1 is prevented” (see the Abstract).
As stated above, in PTL 1, a logical prevention mechanism is adopted in order to prevent the intrusion in the reverse direction. That is, by writing a filter program in a ROM, only single-directional data transmission is performed on a specific IP address or MAC address whose setting is difficult to change by using an upper-layer filter program, and thus, the attack in the reverse direction is prevented.
However, in the technology described in PTL 1, even when a logical unidirectional communication from an internal system to an external system is done, the communication line is actually in a state where duplex communication can be physically performed. For this reason, the duplex communication may be performed by manipulating the filter program, and as a result, an attack such as an illegal intrusion via a network may be carried out.
In PTL 2, a physical prevention mechanism is adopted. That is, the unidirectional communication is realized by excluding the signal line for transmitting data from the external system to the internal system, and an external attack on the internal system is prevented.
However, in the technology described in PTL 2, since a communication path from the external system to the internal system is not physically present, the attack such as the illegal intrusion on the internal system by manipulating the filter program may be excluded. However, since the signal line for transmitting the data to the internal system is excluded from the communication line, it is difficult to establish a duplex link in the communication line through autonegotiation.
The invention has been made in order to solve such problems, and it is an object of the invention to prevent an illegal intrusion from an external system and to safely provide data of an internal system to the external system.
To solve the problem described above, the invention provides a unidirectional relay device including: a first port that receives communication data from one network, a first physical layer circuit that is connected to the first port through a first signal line to perform a protocol process of a physical layer, a first MAC layer circuit that is connected to the first physical layer circuit through a second signal line to perform a protocol process of a MAC layer, a second MAC layer circuit that is connected to the first MAC layer circuit through a third signal line to perform a protocol process of a MAC layer, a second physical layer circuit that is connected to the second MAC layer circuit through a fourth signal line to perform a protocol process of a physical layer, and a second port that is connected to the second physical layer circuit through a fifth signal line to transmit communication data to the other network, wherein the third signal line is a signal line that transmits data in one direction to the second MAC layer circuit from the first MAC layer circuit, and a signal line for transmitting data from the second MAC layer circuit to the first MAC layer circuit is opened or is connected to a ground.
According to the invention, it is possible to prevent an illegal intrusion from an external system and to safely provide data of an internal system to the external system.
Hereinafter, embodiments will be described with reference to the drawings.
MAC refers to an IC that processes a protocol of a media access control (MAC) layer. PHY is an IC that processes a protocol of a physical layer. SwitchPort is a port that is connected to a UTP cable of a category 5 or 5e.
The SwitchPort 2-1 (210) and the PHY 2-1 (220) are connected through signal lines (711) and (712), and the PHY 2-1 (220) and the MAC 2-1 (230) are connected through signal lines (721) and (722). The transmission-side MAC 2-1 (230) and the reception-side MAC 2-2 (240) are connected through a unidirectional communication signal line group (730) of a parallel interface GMII (Gigabit Media Independent Interface). The MAC 2-2 (240) and the PHY 2-2 (250) are connected through signal lines (741) and (742), and the PHY 2-2 (250) and the SwitchPort 2-2 (260) are connected through signal lines (751) and (752).
Next,
In the invention, the signal line group (730) of the parallel interface GMII of
The signal group (730) is configured such that a transmission signal group, including a transmission timing signal GTX_CLK (732) and 8 data lines TXD<7:0> (731) for transmission frames, is connected, and a reception signal group, including reception timing signals RX_CLK (734) and (736) and 8 data lines RXD<7:0> (733) and (735) for reception frames, is disconnected.
A connection configuration for achieving unidirectional relay will be described below. The reception timing signal (734) and the 8 data lines RXD<7:0> (733) for reception frames in the MAC 2-1 (230) which is a transmission side are pulled down, that is, are connected to a ground (GND). Since a voltage of a digital circuit is maintained through the pulling-down, it is possible to prevent a malfunction.
The reception timing signal RX_CLK (736) and the 8 data lines RXD<7:0> (735) for reception frames in the MAC 2-2 (240) at the reception side are opened (internally pulled down). Thus, since a communication path from the MAC 2-2 (240) to the MAC 2-1 (230) is not present, it is impossible to physically perform data transmission in this direction.
A control unit 1 (233) determines whether data which is received by the reception unit (231) after passing from the SwitchPort 2-1 (210) to the PHY 2-1 (220) is relayed or discarded. Relay data is relayed to a GMII reception unit (244) via the 8 data lines TXD<7:0> (731) for transmission frames by a GMII transmission unit (234). A clock of 125 MHz is supplied to the GMII reception unit (244) from the GMII transmission unit (234). The data is transmitted to the PHY 2-2 (250) and the SwitchPort 2-2 (260) via a control unit 2 (243) and the transmission unit (242). In contrast, the data received by the reception unit (241) from the SwitchPort 2-2 (260) and the PHY 2-2 (250) is transmitted to a GMII transmission unit (245) via the control unit 2 (243). However, since the data lines RXD<7:0> (735) and the timing signal RX_CLK (736) are opened, the data is not transmitted to a GMII reception unit (235).
In such a configuration, only single-directional communication from the computer 1 (100) to the computer 2 (300) can be performed.
Next, a communication method of unidirectional relay according to the present embodiment will be illustrated in
Similarly, a communication link between the unidirectional relay device (200) and the computer 2 (300) is established through an autonegotiation operation between the PHY 2-2 (250) and a PHY 3 (302) using link pulses (830) and (840), or by outputting the link pulses (830) and (840) between the PHY 2-2 (250) and the PHY 3 (302) and mutually performing a handshake (620).
Subsequently, the computer 1 (100) transmits data to the MAC 1 (101) from an upper layer (905). The MAC 1 (101) transmits the data as a frame conforming to general IEEE 802.3 (910), and the control unit 1 (233) of the MAC 2-1 (230) of the unidirectional relay device (200) determines whether the data is relayed to the computer 2 (300) or discarded by checking a destination MAC address DA (520-1) of a frame (520). The general frame includes the destination MAC address DA (520-1), a transmission source MAC address SA, and data.
Bits (23-21) of the destination MAC address DA (520-1) of the frame (520) are compared to bits (233-22) of a multicast MAC address 1 (233-1) with a comparison circuit 1-1 (233-2), are compared to bits (233-24) of a broadcast MAC address 1 (233-3) with a comparison circuit 1-2 (233-4), and are compared to bits (233-26) of a unicast MAC address 1 (233-5) with a comparison circuit 1-3 (233-6). The multicast MAC address 1 (233-1), the broadcast MAC address 1 (233-3) and the unicast MAC address 1 (233-5) are registered in a register.
Here, a predetermined address is registered in the unicast MAC address 1 (233-5) in association with the computer (300) that is connected to the outside from an external setting terminal (400) (450).
In the comparison circuit 1 (233-2), the comparison circuit 2 (233-4) and the comparison circuit 3 (233-6), if the two input values are the same, the output is 1, and if the two input values are different, the output is 0.
An OR is performed on the comparison results (233-23), (233-25) and (233-27) (233-7). If the output (233-28) of the OR is 1, the frame (520) is relayed, and if the output thereof is 0, this frame is discarded. When the frame (520) is relayed, this frame is relayed to a MAC 3 (301) of the computer 2 (300) from the GMII transmission unit (234) of the MAC 2-1 (230) via the MAC 2-2 (240), the PHY 2-2 (250), and the SwitchPort 2-2 (260) (930). Thereafter, the MAC 3 (301) transmits the frame to the upper layer (925).
As mentioned above, by checking the destination MAC address (520-1) of the frame (520), only a broadcast frame, a multicast frame, and a unicast frame whose destination MAC address is registered are relayed. Thus, it is possible to prevent a unicast frame with an unknown destination from being relayed.
As stated above, in the present embodiment, by connecting in only one direction the signal line of the physical wiring (GMII) of a data link layer (layer 2) that is not aware of link establishment, even if a condition such as filtering is manipulated, since there is no frame invasion path from the outside, it is possible to safely perform only single-directional communication. In the present embodiment, since duplex connection is performed up to the physical layer, it is possible to realize only single-directional frame relay without obstructing the process for link establishment.
Thus, the data communication from the internal system to the external system is defined in the single direction, and thus, it is possible to provide the unidirectional relay device that prevents an illegal intrusion from an external network. Since a physical communication path is not present in the unidirectional relay device, illegal access from the outside is cut off. Thus, it is possible to prevent almost 100% of illegal access to an important system.
A communication method for reducing a load to a network will be described as Embodiment 2 of the invention with reference to
As an example, a frame being transmitted to the external system from the computer 1-1 (110) may be considered. When the destination is not specified, the broadcast frame is generally transmitted (990). In such a communication direction, the frame arrives at all devices of the internal system and the external system other than the computer 1-1 (110).
However, when the destination is specified, since an unnecessary load is applied to the devices other than the destination computer in the broadcast transmission method, the unicast transmission with specified destinations is considered. Such communication is performed by registering the MAC address of the targeted computer in a unicast MAC address 1 (233-5) of the unidirectional relay device. By this method, it is possible to relay only a necessary frame, and thus, it is possible to reduce a load applied to the devices other than the destination computer.
As described above, it is possible to transmit the data from the computer 1 to the computer 2. However, since it is impossible to physically perform communication from the computer 2 to the computer 1, it is possible to prevent an attack such as an illegal intrusion from the computer 2.
Since the destination computer is specified, it is possible to reduce an unnecessary load applied to the internal system and the external system by transmitting the unicast frame.
The present invention is not limited to the aforementioned embodiments, and includes various modifications. For example, the aforementioned embodiments are described in detail to easily understand the present invention, and are not limited to necessarily having all the described configurations. A part of the configuration of a certain embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of a certain embodiment. Another configuration can be added to, removed from, or replaced with a part of the configurations of the respective embodiments.
| Number | Date | Country | Kind |
|---|---|---|---|
| 2014-197755 | Sep 2014 | JP | national |