
What is the hardware architecture of industrial firewall architecture and technology?

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article analyzes the hardware architecture of industrial firewalls, in particular how the Bypass function is built, in a detailed and easy-to-follow way that should be of reference value to practitioners. If you are interested, follow along to learn what the hardware architecture of industrial firewall architecture and technology looks like.

1) Meeting the stability requirements of the industrial environment

From the point of view of meeting the stability requirements of the industrial environment, an industrial firewall has to consider, at both the hardware and the software level, the effect its own stability has on the industrial network. For this reason, industrial firewalls need both hardware and software Bypass functions. Once the device fails or restarts, Bypass is engaged, so there is no need to worry that a problem in the industrial firewall itself will disconnect the industrial network. As the name implies, Bypass is a bypass protection system: on a specific trigger condition (power loss or crash), the two networks are physically connected to each other without passing through the industrial firewall, and the firewall no longer processes the packets on the network. Because of this design, Bypass is also a weakness from the security point of view. If an attacker finds a way to push the industrial firewall into the state that triggers Bypass, the security isolation and control functions are lost on that firewall, and the protected internal resources can be accessed directly. Is this idea feasible? Does such a loophole really exist in the Bypass function? Let's look at how the Bypass function is designed and implemented.

Here I use the simplest model to explain the architecture and working principle of Bypass. In an industrial firewall, a Bypass function designed for an industrial Ethernet environment involves the industrial motherboard and the network card, and the Bypass design varies with the architecture of the motherboard and of the network card.

In the simplest Bypass model, the system consists of two parts: the "Bypass controller" and the "executive circuit board". The Bypass controller is the control and scheduling core of the whole system, and the executive circuit board is the actual executor, which acts on the different network transmission media (electrical (copper) port, optical port, serial port, and so on). As shown in the following figure:

How does this executor act on different network transmission media? To answer that, we need to understand the components of the underlying network transmission medium and how they relate to each other, which is best explained through the architecture of the network card.

This is a physical diagram of the network card, which contains all the components of the network card:

① RJ-45 interface
② Transformer (isolation transformer)
③ PHY chip
④ MAC chip
⑤ EEPROM
⑥ BOOTROM slot
⑦ WOL connector
⑧ Crystal oscillator
⑨ Voltage converter chip
⑩ LED indicator

There are many components and devices here that we did not know much about before. The following is a brief description of the role of each component.

RJ-45 is a jack module, which is simply a transmitter and receiver. RJ-45 has 8 pins. When a network card uses an RJ-45 jack, the RJ-45 socket of a 10M network card uses only pins 1, 2, 3 and 6, while 100M or 1000M network cards use all eight pins. Each pin is responsible only for sending and receiving data and is used for nothing else. RJ-45 is found at both ends of the network cable and on all kinds of Ethernet devices. It is just a socket, with no logic or control intelligence inside, and behind it, it is connected to the PHY chip.

PHY is the physical interface transceiver, the component with which the network card implements the physical layer. The IEEE 802.3 standard defines the Ethernet PHY, including the MII/GMII (Media Independent Interface) sublayer, the PCS (physical coding sublayer), the PMA (physical medium attachment) sublayer, the PMD (physical medium dependent) sublayer and the MDI sublayer. Internally it is also a very complex and sophisticated component. When the PHY sends, it receives data from the MAC (the PHY has no concept of frames; to it everything is data, whether address, payload or CRC; for 100BaseTX, because 4B/5B coding is used, 1 bit of error-detection code is added to every 4 bits), converts the parallel data into a serial stream, encodes it according to the coding rules of the physical layer, and finally sends it out as an analog signal; receiving works in reverse. Another important function of the PHY is to implement part of CSMA/CD. It can detect whether data is being transmitted on the network: if so, it waits; once it detects that the network is idle, it waits a random time and then sends. If two stations happen to send at the same time, a collision is inevitable; the collision detection mechanism detects it, and each side waits a random time before resending. This random time is carefully chosen: it is not a constant, the value computed at different times differs, and there are several algorithms for handling the low-probability case of a second collision between the two hosts.

Crucially, the RJ45 and the PHY are not in one place: the RJ45 plug at the end of the network cable that we usually see does not include the PHY chip. Therefore, in the motherboard design there is a transmission path of some length between the RJ45 and the PHY, and this path is the key to designing Bypass.

The isolation transformer filters the differential signal sent by the PHY through a differential-mode coupled coil to strengthen it, and couples it to the other end of the connection through the transformation of the electromagnetic field. In this way there is no physical (galvanic) connection between the network cable and the PHY, yet the signal is transferred, its DC component is cut off, and data can be exchanged between devices with different 0V levels. The isolation transformer itself is designed for a voltage of 2KV~3KV, which also provides protection against induced lightning surges. Network equipment that burns out easily in thunderstorms is mostly the victim of unreasonable PCB design; usually the device's interface burns out and the chips rarely do, which is precisely the isolation transformer protecting the chip.

The MAC chip, the media access controller, is the chip that implements MAC (Media Access Control), the protocol of the media access control sublayer. This protocol sits in the lower part of the data link layer of the OSI seven-layer model and is mainly responsible for controlling and connecting to the physical media of the physical layer; here it is the Ethernet MAC defined by the IEEE 802.3 Ethernet standard. The Ethernet data link layer actually consists of the MAC (Media Access Control) sublayer and the LLC (Logical Link Control) sublayer. The MAC chip of an Ethernet card not only implements the MAC and LLC sublayers but also provides a standard PCI or PCIe interface for exchanging data with the host. As shown in the following figure:

Communication between the PHY and the MAC chip takes place over the MII bus. The remaining network card components have nothing to do with the implementation of Bypass. Today's network cards typically integrate the PHY and the MAC on one chip, so on the motherboard the chip connected to the Ethernet interface may be a network controller that combines both functions. With these concepts in mind, let's look at how Bypass makes use of the transmission path between the PHY and the Ethernet interface.

As shown in the following figure, an Ethernet port circuit board is inserted in the middle of that path, and this board is connected to the Bypass controller, from which it receives the switching instructions.

The Ethernet port circuit board contains two components: a relay (electronic switch) and a transformer.

So the more detailed architecture is the one shown in the following figure:

We can see that between each PHY chip and its Ethernet interface there is a transformer and a relay; these two devices are the actual executors of Bypass. The relay can be a simple electronic circuit switch, such as an electronic switch. The Bypass controller provides a control signal to the relays, and the two relays are driven by this signal through the control circuit. When the industrial firewall is working normally, the software keeps the control signal active and both relays are in the normal position: the switch contact is closed to the upper path, connecting the transformer to the RJ45 (Ethernet interface).

When the industrial firewall fails or loses power, both relays drop to their other contact, which disconnects each RJ45 from the industrial firewall and instead connects the two relays to each other, so the two RJ45 sockets are joined. The internal and external network interfaces of the industrial firewall are then physically connected directly.

That is how Bypass works. Sometimes, to save cost and space on an embedded motherboard, there is only one relay, and the second relay is replaced by an electronic switch, a contact closed by a simple electronic circuit; that switch is closed by the operation of the control circuit.

Having understood how the lower layer operates, let's look at how Bypass is triggered. The current way of triggering Bypass is for the Bypass controller to issue control instructions that engage the Bypass function. The Bypass controller issues these control instructions in the following three situations:

(1) Triggered by the power supply. In this mode, Bypass is generally engaged whenever the device is not powered, and as soon as the device is powered on, Bypass is immediately switched to the normal working state.

(2) Controlled by GPIO (general-purpose input/output). After the operating system has started, a specific port can be driven through GPIO, which controls the Bypass switch.

(3) Controlled by a Watchdog. This is actually an extension of mode 2: the Watchdog turns the GPIO Bypass control on and off, and thereby controls the Bypass state. In this way the Watchdog can engage Bypass when the system hangs.

At present, Bypass is generally implemented with modes (1) and (2) together on the same device, and sometimes all three modes are implemented on the same device. In the first mode, if Bypass is to be engaged while the device is not powered on, the network card and the relay must still have power.

Based on this, Bypass-enabled Ethernet, fieldbus and RS-485 buses, where present, need additional power supplies isolated from the main power supply.
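The three trigger sources above decide, through one relay control signal, whether traffic passes the firewall or the two RJ45 sockets are wired straight through. The following is an added example, not code from the article or from any firewall vendor: a hypothetical Python model of the Bypass controller (the event names, the 5-second watchdog period and the timeline are all constructed) that replays a timeline and reports every transition into the bypass state with its cause, which is exactly the event an operator should alarm on, since in that state the firewall inspects nothing.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BypassController:
    """Hypothetical model of the Bypass controller and its three trigger sources."""
    powered: bool = False            # (1) no power: relays fall back to bypass
    gpio_bypass: bool = False        # (2) the OS asserts bypass through GPIO
    watchdog_timeout_s: float = 5.0  # (3) watchdog not kicked in time: bypass
    last_kick_s: float = 0.0

    def kick_watchdog(self, now_s: float) -> None:
        self.last_kick_s = now_s

    def bypass_reason(self, now_s: float) -> Optional[str]:
        """Why the relay control signal is inactive (two RJ45s wired together,
        firewall out of the path), or None when the relays are in the normal position."""
        if not self.powered:
            return "power lost"
        if self.gpio_bypass:
            return "gpio"
        if now_s - self.last_kick_s > self.watchdog_timeout_s:
            return "watchdog timeout"
        return None

def audit_timeline(ctrl, events):
    """Replay (time, event) pairs; return (time, reason) for each entry into bypass."""
    alerts = []
    was_bypass = ctrl.bypass_reason(0.0) is not None
    for t, ev in events:
        if ev == "power_on":
            ctrl.powered = True
            ctrl.kick_watchdog(t)  # booting leaves bypass as soon as power arrives
        elif ev == "power_off":
            ctrl.powered = False
        elif ev == "kick":
            ctrl.kick_watchdog(t)
        elif ev.startswith("gpio_bypass_"):
            ctrl.gpio_bypass = ev.endswith("_on")
        # a "tick" only advances time, so a hung OS shows up as missed kicks
        reason = ctrl.bypass_reason(t)
        if reason and not was_bypass:
            alerts.append((t, reason))
        was_bypass = reason is not None
    return alerts

# Constructed timeline: boot, healthy kicks, the OS hangs, a reboot, then power is cut.
SAMPLE_EVENTS = [(0.0, "power_on"), (2.0, "kick"), (4.0, "kick"), (6.0, "kick"),
                 (12.0, "tick"), (13.0, "power_on"), (15.0, "kick"), (20.0, "power_off")]
```

Running `audit_timeline(BypassController(), SAMPLE_EVENTS)` reports the watchdog-driven bypass at 12 s and the power-loss bypass at 20 s; a real deployment would feed the same transitions from the controller's status output to the monitoring system, because a fail-open device that is never noticed is the loophole the article asks about.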

© 2024 shulou.com SLNews company. All rights reserved.