KR101198329B1 - Wireless network security system of client foundation and method thereof - Google Patents

Abstract

PURPOSE: A wireless network security system based on a client and method thereof are provided to promote security by controlling network packets for unauthorized wireless AP(Access Point) by dividing a wireless AP into the authorized AP and the unauthorized AP. CONSTITUTION: A security server(200) transmits unauthorized policy information and authorized wireless AP list according to the request of a client terminal(100-1~100-n). One or more client terminals receive the authorized wireless AP list and the unauthorized policy information from the security server. When an external wireless AP is the unauthorized wires AP, the client terminals acquire network card information connected to the requested wireless AP. The client terminals the MAC(Media Access Control) address of the acquired network card information and the unauthorized policy information to an NDIS(Network Driver Interface Specification) medium driver. [Reference numerals] (10) Communication network; (20) External communication network; (AA) External network; (BB) Unauthorized AP; (CC) Inner network; (DD) Authorized AP; (EE) Unauthorized Wibro AP; (FF) Allowance; (GG,HH) Block

Description

Client-based wireless network security system and its method {WIRELESS NETWORK SECURITY SYSTEM OF CLIENT FOUNDATION AND METHOD THEREOF}

The present invention relates to a client-based wireless network security system and method thereof, and more particularly, to distinguish an authorized / unauthorized wireless AP through authentication of an external wireless AP at a client terminal and to control a network packet for an unauthorized wireless AP. The present invention relates to a client-based wireless network security system and method for improving availability by enabling not only IP but also some IPs and ports.

In recent years, wireless technologies such as smart phones, Wibro (Wireless Broadband Internet), and HSDPA (High Speed Downlink Packet Access) have been widely spread and developed. It has changed into a wireless network structure that supports high-speed transmission such as smooth mobility, scalable network construction, and wired LAN. However, security problems for wireless access point (AP) continue to emerge.

Although the WEP (Wired Equivalent Privacy) method of IEEE 802.11b was adopted as a standard, there was an error in the WEP design itself, and IEEE 802.11i was established as an international wireless local area network (WLAN) security standard to compensate for this.

As a result, security problems between wireless communication have been solved to some extent, but attacks using vulnerabilities of wireless terminals are gradually increasing, and there are cases in which internal information is leaked to the outside by using mobility and scalability of wireless AP. Attacks on wireless APs, server-based control schemes for external wireless APs, wireless sensor schemes, and client-control schemes have been proposed. However, there is a problem in that the security of the external network is weak and the availability of the control method is inferior.

On the other hand, in wireless AP security, IEEE 802.11b, a wireless AP communication standard, provides authentication and confidentiality, and each structure includes an SSID (SErvice Set IDentifier) and a WEP. The SSID is a wireless AP network name and can be changed. When the user requests a connection by SSID, authentication is performed at the wireless AP. However, access and authentication to SSID is vulnerable to security as anyone can access.

The WEP stream-encodes communication packets in order to increase the security of data communication between the user and the wireless AP in IEEE 802.11b. It is a symmetric structure that uses the same key and algorithm for packet encryption / decryption.

The IEEE 802.11b standard provides two authentication methods, an open authentication method and a shared key authentication method. The open authentication method, which is a basic method, is a method in which the entire authentication process is made in plain text, and the terminal can connect to the AP without having a WEP key.

The shared key authentication method transmits an authentication challenge packet to the wireless AP to the terminal, and the terminal encrypts the WEP key to the wireless AP. Data confidentiality is provided using WEP. In the WEP algorithm, the terminal and the wireless AP share a 40-bit encryption key, and the wireless AP sends a random challenge to authenticate the terminal. The terminal has a 40-bit encryption key and a 24-bit IV ( Initialization Vector) is combined, a random key stream is generated using the RC4 Pseudo Random Number Generator (PRNG) encryption algorithm, and plain text is encrypted and transmitted (see Non-Patent Document 1).

Meanwhile, the received packet is decrypted by the wireless AP to authenticate the terminal. When the user accesses the wireless AP, the user can compare the previously set WEP key with the WEP key that is requested to access, and allow only the user with the correct WEP key to access the network. It is higher in authentication and security compared to the SSID access method (see Non-Patent Document 2).

However, the WEP key is exposed when a virtual wireless AP is created by a malicious user and an internal authorized user enters a connection request and requests authentication. In this case, a malicious user can access the internal wireless AP with an intercepted WEP key and attack the internal network.

On the other hand, when looking at the weakness caused by the rogue AP among the wireless AP security vulnerabilities, the rogue AP is a wireless AP that is connected to the internal network but does not have security authentication. Rogue APs can endanger the security of a wired infrastructure by bypassing firewall or VPN structures. It can expose a company's network to hackers who are peeping into the company's wireless environment with the intention of leaking information.

The probing station transmits a probing signal containing the SSID information previously accessed. A device such as a laptop that can be connected to a malicious user or an external wireless AP. The ability to connect a malicious user to an internal wired network is vulnerable to security.

An Ad-Hoc network is an autonomous network in which nodes that communicate wirelessly without an AP communicate with each other. Since this network structure does not have nodes in the middle, each node must communicate in the network by making the most of its own information, and communicate with other nodes through a long distance to communicate with a long distance node. Accordingly, Ad-Hoc network communication poses a significant risk of network security. Laptops with Ad-Hoc networks, peer-to-peer communications, can be easily hacked and potentially a good way for malicious intruders looking to connect to internal wireless networks.

The external wireless AP refers to a wireless AP used in a neighboring office or home, not a wireless AP for use of an internal network. Although these wireless APs are not a threat by themselves, there are security vulnerabilities that can be combined with wireless APs in the internal network at any time. When an internal PC (personal computer) accesses such a wireless AP, it serves as a connection between the internal network and other corporate networks.

Therefore, if the classification for neighboring wireless APs is not made in advance, it may be difficult for the administrator to accurately detect hackers. In addition, when ignoring management of neighboring wireless APs, internal stations may have a great difficulty in preventing phishing attacks using Evil-twin and the like.

In order to solve the wireless AP security vulnerability, wireless AP control methods have been proposed. Among them, the method of controlling the wireless AP based on the server is to put an authentication server at the network access control (NAC) level to monitor the packet and check whether the packet is outgoing to the outside, If the packet is checked for authentication and control.

However, it can be controlled only from the internal wireless AP and cannot control the wireless AP, which is the external network, and cannot be controlled when the internal licenser exports the data to the wireless AP by exporting the notebook to the outside. It requires more equipment to monitor packets, which is more expensive than client-based control.

Meanwhile, the method of controlling by using the device is controlled by placing a sensor that can control the wireless AP in the space to be controlled. Up to 500 APs can be controlled per sensor, and multiple defenses against 20 radio threats can be performed simultaneously. The sensor collects the control information and sends it to the server.

Since sensors are installed in each zone, it is easy to track the location when a problem occurs. However, it is vulnerable to security because it can't control when it is out of the sensor's scope or when the internal licensor sends data out of the notebook. It is expensive because additional sensors are added to extend the control range.

As such, a method of controlling a wireless AP based on a client has been proposed to compensate for space constraints and costs. That is, when a client attempts to connect to a wireless AP, it collects a Media Access Control (MAC) address of the accessing AP and determines whether it is an authorized AP.

However, availability is reduced because only wireless APs can be allowed / blocked. Even unauthorized wireless APs need a way to increase their availability without compromising security. In addition, since the client is based, for example, malicious code, hacking tools, and reversing tools can be used to attack security programs.

As described above, the conventional server-based authentication method has a security problem and a cost problem when the external network, the client-based authentication method has a low availability.

(Non-Patent Document 1) J. H. Lee, et al., "Implementation of a Secure Wireless LAN System using AP Authentication and Dynamic Key Exchange", Korea Information Processing Society, Vol. 11-C No. 4 pp. 497-508, August, 2004. (Non-Patent Document 2) ANSI / IEEE Std 802.11 "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specification", September, 1999.

The present invention has been made to solve the above-described problem, an object of the present invention is to distinguish the authorized / unauthorized wireless AP through the authentication of the external wireless AP in the client terminal, security by controlling the network packet for the unauthorized wireless AP In addition, the present invention provides a client-based wireless network security system and method for improving availability by enabling some IPs and ports to be used.

In order to achieve the above object, a first aspect of the present invention, a security server for transmitting a wireless access point (AP) list and unauthorized policy information that is authorized according to a request of a client terminal connected through a communication network; And an NDIS intermediate driver, which is provided in the kernel area and selectively controls a network packet transmitted / received through a network device according to unauthorized policy information, and includes a list of unauthorized wireless APs and unauthorized access from the security server. After receiving the policy information and determining whether the external wireless AP is requested to be accessed through an external communication network, whether or not the external wireless AP is an unauthorized wireless AP, after acquiring network card information connected to the requested wireless AP, And at least one client terminal for transmitting the unauthorized policy information to the NDIS-mediated driver together with the obtained MAC (Media Access Control) address of the network card information.

Here, the security server, preferably stored in a separate database (DB) the wireless AP list and unauthorized policy information.

Preferably, the security server may provide a web service to an external terminal to register, modify, and set the authorized wireless AP list and unauthorized policy information through a separate web server.

Preferably, the security server may be stored in the database (DB) to store and manage the external wireless AP access list and access log information requested for each client terminal.

Preferably, the wireless AP list registered in the security server may include a MAC address list and SSID (Service Set IDentifier) information of each wireless AP.

Preferably, the client terminal may periodically transmit a wireless AP list request message to the security server, and periodically receive the wireless AP list and unauthorized policy information from the security server and store them in a separate memory.

Preferably, the unauthorized policy information includes a first unauthorized policy allowing only a web page access (PORT), a second unauthorized policy allowing only a predetermined IP bandwidth, and a third unauthorized license allowing both the first and second unauthorized policies. At least one of the policies may be an unauthorized policy.

A second aspect of the present invention is a method for securing a wireless network using a system comprising at least one client terminal and a security server connected to each other via a communication network, the method comprising: (a) a wireless AP to the security server through the client terminal; (Access Point) periodically transmitting a list request message, and periodically receiving the wireless AP list and unauthorized policy information from the security server and storing them in a separate memory; (b) periodically monitoring the connection of the external wireless AP through the client terminal to obtain a MAC (Media Access Control) address of the connected external wireless AP when a connection request of the external wireless AP is detected; (c) comparing the list of pre-authorized wireless APs in step (a) with the MAC addresses of the external wireless APs obtained in step (b) to determine whether to permit / disable the requested external wireless AP; step; (d) acquiring network card information connected to the requested wireless AP when the requested external wireless AP is an unauthorized wireless AP as a result of the step (c); (e) NDIS intermediate driver (NDIS intermediate) provided in the kernel area of the client terminal with the unauthorized policy information in the step (a) together with the MAC address of the network card information obtained in the step (d) through the client terminal; driver); And (f) selectively controlling a network packet transmitted / received through a network device according to the unauthorized policy information transmitted in step (e) through an NDIS mediated driver of the client terminal. To provide a security method.

Here, before the step (a), it is preferable to further include the step of storing the wireless AP list and unauthorized policy information previously authorized through the security server in a separate database (DB).

Preferably, the method may further include providing a web service to an external terminal so as to register, modify, and set an authorized wireless AP list and unauthorized policy information stored in the database through a separate web server. .

Preferably, after step (b), the method may further include storing and managing an external wireless AP access list and access log information requested for each client terminal through the security server as a database (DB).

Preferably, in step (a), the wireless AP list registered in the security server may be composed of a MAC address list and SSID (Service Set IDentifier) information of each wireless AP.

Preferably, in the step (a), the unauthorized policy information registered in the security server may include a first unauthorized policy allowing only a web page access (PORT), a second unauthorized policy allowing only a predetermined IP bandwidth, and the first unauthorized policy. And a third unauthorized policy allowing both of the second unauthorized policy.

According to the client-based wireless network security system and method according to the present invention as described above, the authorized / unauthorized wireless AP is distinguished through authentication of the external wireless AP in the client terminal, and the network packet for the unauthorized wireless AP is controlled. In addition to improving security, some IPs and ports can be used to increase availability.

In addition, according to the present invention, authentication based on MAC address when accessing the wireless AP, and finds the wireless network card and transmits it to the NDIS-mediated driver to calculate the IP (IP), the range of the port (PORT) to the network packet By controlling the control, it is possible to effectively solve the security and cost problems of the existing server-based authentication, there is an advantage that the availability of the client-based authentication can be flexible and scalable.

1 is an overall conceptual diagram illustrating a client-based wireless network security system according to an embodiment of the present invention.
2 is a detailed block diagram illustrating a client-based wireless network security system according to an embodiment of the present invention.
3 is a block diagram illustrating in detail the NDIS mediated driver applied to an embodiment of the present invention.
4 is a flowchart illustrating a client-based wireless network security method according to an embodiment of the present invention.
FIG. 5 is a diagram for specifically describing MAC address information acquisition of a connected external wireless AP in a client-based wireless network security method according to an embodiment of the present invention.
FIG. 6 is a diagram for describing in detail acquiring of connected external wireless AP network card information in a client-based wireless network security method according to an embodiment of the present invention.
7 is a diagram illustrating an unauthorized policy applied to an embodiment of the present invention.
8 is a flowchart illustrating packet control by an unauthorized policy of an NDIS mediated driver applied to an embodiment of the present invention.
9 is a diagram illustrating an actual experimental environment for implementing a client-based wireless network security method according to an embodiment of the present invention.
FIG. 10 is a diagram illustrating setting of an unauthorized policy in an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention.
11 is a diagram illustrating a wireless AP registration request in an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention.
12 is a diagram illustrating wireless AP registration in a server in an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention.
FIG. 13 is a diagram illustrating a log access to an authorized wireless AP in a result of an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention.
14 is a diagram illustrating a log of access to an unauthorized wireless AP in a result of an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention.
15 and 16 are diagrams for explaining a performance evaluation of an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the following embodiments of the present invention may be modified into various other forms, and the scope of the present invention is not limited to the embodiments described below. The embodiments of the present invention are provided to enable those skilled in the art to more fully understand the present invention.

First, in a client-based wireless network security system according to an embodiment of the present invention, wireless AP authentication (Authentication) is a method of allowing access to only authorized wireless AP and blocking or controlling unauthorized illegal wireless AP. In other words, if the internal information is leaked to the outside by using a bandwidth other than the internal IP bandwidth, the monitoring is not performed because the bandwidth is different.

1 is a conceptual diagram illustrating a client-based wireless network security system according to an embodiment of the present invention, and FIG. 2 is a diagram illustrating a client-based wireless network security system according to an embodiment of the present invention. FIG. 3 is a block diagram illustrating in detail an NDIS mediated driver applied to an embodiment of the present invention.

1 to 3, a client-based wireless network security system according to an embodiment of the present invention includes at least one client terminal 100-1 to 100-n and a wired / wireless communication network 10. It is made, including a security server 200 connected through.

Here, the wired / wireless communication network 10 is an internal network, that is, an inner network, for example, a local area network (LAN), a virtual area network (VAN), or the like, which is connected by coaxial cable, optical fiber, or wirelessly. It can include wireless communication networks such as Wireless Local Area Network (WLAN) as well as Internet Information Network, Packet Switched Network (PSTN), Integrated Service Digital Network (ISDN), and Broadband Integrated Information Network (B). It may be a local area network (WAN), such as ISDN), and may include a cable TV network, a satellite network that enables Internet connection, a wireless Internet network, and a mobile carrier's Internet network. The transmission of data using the internal network may include transmission by TCP / IP, transmission by X.25, and transmission by serial communication.

Each client terminal (100-1 to 100-n) is NDIS-mediated driver (NDIS) to selectively control the network packet (Packet) transmitted / received through the network device (130) in accordance with unauthorized policy information intermediate driver 115).

In addition, each client terminal (100-1 to 100-n) receives a wireless AP (Access Point) list and unauthorized policy information from the security server 200, the external is requested to access through the external communication network 20 After determining whether the wireless AP is authorized / disabled, if the requested external wireless AP is an unauthorized wireless AP that does not exist in the list of authorized wireless APs, after acquiring network card information connected to the requested wireless AP, And transmits the unauthorized policy information to the NDIS-mediated driver 115 together with the MAC (Media Access Control) address of the obtained network card information.

At this time, the external communication network 20 is an external network (external network), for example, it is preferably made of the Internet (Internet) or a wireless LAN (WiFi) network, the wireless LAN (WiFi) network is a plurality of wireless LAN AP It is a well-known wireless data communication network for providing a wireless Internet service to each client terminal (100-1 to 100-n) in a wireless LAN zone formed by each.

In this case, the Internet is a TCP / IP protocol and a number of services existing in the upper layer, that is, Hyper Text Transfer Protocol (HTTP), Telnet, File Transfer Protocol (FTP), Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP). It is a global open computer network architecture that provides Simple Network Management Protocol (SNMP), Network File Service (NFS), Network Information Service (NIS). The Internet may be a wired or wireless internet, or may be a core network integrated with a wired public network, a wireless mobile communication network, or a portable internet.

Each of the client terminals 100-1 to 100-n is, for example, a personal computer such as a desktop PC or a notebook PC, but is not limited thereto. The security server is provided through a wired / wireless communication network 10. Any type of wired / wireless communication device capable of accessing the 200 and using a bidirectional transmission / reception service may be used.

For example, each client terminal 100-1 to 100-n may be a cellular phone, a PCS phone (PCS phone), a synchronous / asynchronous IMT that communicates via a wireless Internet or a portable Internet. Including a mobile terminal such as -2000 (International Mobile Telecommunication-2000), in addition to a Palm Personal Computer (PDA), Personal Digital Assistant (PDA), Smart Phone, WAP phone (WAP phone) All wired / wireless home appliances / communication devices having a user interface for accessing the information providing server 300, such as a protocol phone and a mobile play-station, may be comprehensively referred to.

In addition, each of the client terminals 100-1 to 100-n is driven through a general operating system (OS). An operating system provided by Microsoft, for example, Windows is largely kernel level (Kernel). Level, 110 (or kernel area) and user level (User Level, 120) (or user area), the operating system kernel and various device drivers are driven at the kernel level 110, mainly at the user level (120) Application is started. In addition, programs operating at the kernel level 110 exist in the form of device drivers. In the meantime, the packet flow is transmitted in the order of the user level 120, the TDI layer of the kernel level 110, the NDIS layer, and the network device 130.

Herein, the structure of the kernel level 110 will be described in more detail. As shown in FIG. 2, AFD (afd.sys) (not shown), NDIS (Network Driver Interface Specification), which is largely a kernel part of a Windows socket, is illustrated. ) And TDI (Transport Driver Interface).

At this time, afd.sys in the top layer at the kernel level 110 communicates with msafd.dll, which is a DLL (Dynamic Link Library) in the lowest layer of the user level 120, in the Windows socket, and interfaces with TDI in the lower layer. Will be achieved.

In addition, the TDI defines a kernel level interface existing on a protocol stack. The NDIS provides a standard interface for NIC device drivers (Network Interface Card Device Drivers). In other words, the NDIS is a driver standard dedicated to a network interface card (NIC), and is an interface standard that separates a network card / driver used from Microsoft's Windows NT or the like and a network layer communication protocol.

In addition, the network device 130 exchanges data by transmitting / receiving packets through a network stack including a layered network architecture.

In particular, between the TDI and the NDIS selectively control network packets transmitted / received through the network device 130 according to unauthorized policy information, including TCP, IP, RaWIP and UDP devices. An NDIS intermediate driver 115 and the like are provided.

Here, as shown in FIG. 3, the NDIS mediated driver 115 is a component included in, for example, NDIS version 4.0, and is located between a transport driver and an NDIS network interface card (NIC) miniport. It appears to the NIC driver as a transport driver, while to the transport driver it appears as an NDIS miniport driver. The NDIS Intermediate Layer is useful when you want to connect to a transport driver or any new type of media, and performs the necessary translations and transfers between the transport driver and the NIC miniport that manages the new media.

That is, the NDIS mediated driver 115 usually sends a MiniportXxx function at its upper edge and a Protocol function at its lower edge. In another case, although not common, the NDIS-mediated driver 115 can send a private interface to the MiniedgeXxx function at the upper edge and a non-NDIS driver at the lower edge. Can be.

In addition, one NDIS mediated driver 115 is typically layered below one or more NDIS NOC drivers and a transport driver supporting a TDI (Transfer Driver Interface) at the upper edge. In theory, the NDIS mediated driver 115 may not be a layer directly above or just under another NDIS mediated driver 115.

In addition, the user level 120 of each client terminal 100-1 to 100-n is connected to the security server 200 through a wired / wireless communication network 10 to control data transmission / reception and external wireless. A communication control module 125 for authenticating an AP is provided. The communication control module 125 receives an approved wireless AP list and unauthorized policy information from the security server 200 to receive an external communication network ( 20) If it is determined whether or not the external wireless AP is requested to access through the wireless access AP is an unauthorized wireless AP that does not exist in the list of authorized wireless AP, the connected wireless AP is connected to the requested wireless AP After acquiring the network card information (eg, the MAC address of the network card), the device for transmitting the unauthorized policy information to the NDIS mediated driver 115 together with the MAC (Media Access Control) address of the acquired network card information. To be carried out.

In addition, the communication control module 125 provided at the user level 120 of each client terminal 100-1 to 100-n periodically transmits a wireless AP list request message to the security server 200. It is preferable to periodically receive a list of pre-authorized wireless APs and unauthorized policy information from the 200 and store them in a separate memory (not shown).

The security server 200 transmits a list of authorized wireless APs and unauthorized policy information according to a request of the client terminals 100-1 to 100-n connected through the wired / wireless communication network 10. It performs the function. At this time, the wireless AP list registered in the security server 200 is preferably made of a MAC address list (List) and SSID (Service Set IDentifier) information of each authorized wireless AP.

The security server 200 preferably stores a list of authorized wireless APs and unauthorized policy information in a separate database, and the authorized wireless AP through a separate web server (not shown). The web service may be provided to an external terminal (eg, an administrator or a client terminal) to register, modify, and set the list and unauthorized policy information.

In addition, the security server 200 may store and manage an external wireless AP access list and access log information requested for each client terminal as a database (DB).

The unauthorized policy information may include a first unauthorized policy allowing only webpage access, a second unauthorized policy allowing only a predetermined IP bandwidth, and a third allowing both the first and second unauthorized policies. Preferably, at least one of the unauthorized policies consists of unauthorized policies.

4 is a flowchart illustrating a client-based wireless network security method according to an embodiment of the present invention, Figure 5 is a connection of the external wireless AP in the client-based wireless network security method according to an embodiment of the present invention FIG. 6 is a diagram for describing MAC address information acquisition in detail. FIG. 6 is a diagram for specifically describing connection of external wireless AP network card information obtained from a client-based wireless network security method according to an embodiment of the present invention. 7 is a diagram illustrating an unauthorized policy applied to an embodiment of the present invention, and FIG. 8 is a flowchart illustrating packet control by an unauthorized policy of an NDIS mediated driver applied to an embodiment of the present invention. As long as there is no client terminal (100-1 to 100-n) is to be performed as a subject.

1 to 8, in a client-based wireless network security method according to an embodiment of the present invention, a list of previously authorized wireless access point (AP) and unauthorized policy information through a security server 200 is first provided. Store in a separate database (S100).

In this case, in step S100, the unauthorized policy information registered in the security server 200 may include: a first unauthorized policy allowing only a web page access (PORT); a second unauthorized policy allowing only a predetermined IP bandwidth; At least one of the third unauthorized policy allowing both the first and the second unauthorized policy is preferably an unauthorized policy.

Meanwhile, a web service may be provided to an external terminal so as to register, modify, and set an authorized wireless AP list and unauthorized policy information stored in the database through a separate web server.

Thereafter, after periodically transmitting a wireless AP list request message to the security server 200 through the client terminals 100-1 to 100-n, the wireless AP list and unauthorized policy information authorized from the security server 200 are periodically transmitted. It is periodically received and stored in a separate memory (S110).

At this time, in step S110, the wireless AP list registered in the security server 200 is preferably made of the MAC address list and SSID (Service Set IDentifier) information of each wireless AP.

Then, when the connection request of the external wireless AP is detected by periodically monitoring the connection of the external wireless AP through the client terminals 100-1 to 100-n, a MAC (Media Access Control) address of the connected external wireless AP is provided. ) Is obtained (S120).

That is, when the communication control module 125 of the client terminals 100-1 to 100-n monitors the connection of the external wireless AP and detects an access request of the external wireless AP, the wireless network connected to the network card is examined by checking the network card. Find the card. Then, the MAC address information is requested to the corresponding wireless network card to obtain the MAC address of the connected external wireless AP (see FIG. 5).

On the other hand, the communication control module 125 checks the connected WLAN for a predetermined time period (for example, about 3 seconds to 8 seconds), and then registers a callback function to the operating system (WlanRegisterNotification) to access the WLAN. If a callback function registered in the operating system is called, the external wireless AP connection request can be detected.

In addition, after step S120, the method may further include storing and managing an external wireless AP access list and access log information requested for each client terminal through the security server 200 as a database (DB).

Thereafter, the communication control module 125 of the client terminals 100-1 to 100-n compares the MAC address of the external wireless AP obtained in step S120 with the list of authorized wireless APs in step S110. It is determined whether the access is requested or not for the external wireless AP (S130).

Meanwhile, as a result of the determination in step S130, when the access request external wireless AP is an authorized wireless AP, the access is allowed, while the access request external wireless AP is an unlicensed wireless AP, that is, the previously authorized If there is no MAC address of the external wireless AP requested to access in the wireless AP list, network card information (eg, MAC address of the network card) connected to the external wireless AP requested to obtain the access is obtained (S140).

That is, the communication control module 125 of the client terminals 100-1 to 100-n determines whether the requested external wireless AP is an authorized wireless AP by using a list of authorized wireless APs. In the case of an unauthorized wireless AP, if a network device name is obtained by searching for a connected network card, a MAC address of the network card can be obtained using the network device name.

Next, through the communication control module 125 of the client terminals (100-1 to 100-n) with the MAC address of the network card information obtained in the step S140 and the unauthorized policy information in the step S110 client terminal 100 In step S150, the NDIS-mediated driver 115 included in the kernel level 110 of -1 to 100-n is provided.

Thereafter, the network packet selectively transmitted / received through the network device 130 according to the unauthorized policy information transmitted in step S150 through the NDIS mediated driver 115 of the client terminals 100-1 to 100-n is selectively selected. Control (S160).

At this time, the unauthorized policy applied to the NDIS mediated driver 115 of the client terminals 100-1 to 100-n operates according to the policy value, and the policy values are 2 in total, as shown in FIG. 7. It consists of four sections.

That is, the CERTIFICATION section is about authentication, and the CFG section is about configuration. The count means the number of authorized wireless APs, and the number of authorized wireless APs can be authenticated. The authentication method is determined by the mode key.In case of MAC-based authentication, authentication is performed by referring to the mac% key value in the CERTIFICATION section.In case of SSID-based authentication, the ssid% key value is referred to. do. The logpath key means a path for storing access information of the wireless AP, and the stored log is sent to the security server 200.

In addition, in the packet control policy of the NDIS mediated driver 115, the range for controlling the unauthorized wireless AP is a value obtained by ORing and ANDing the range of IP and port of each policy. . Since unavailability of unauthorized wireless APs is reduced, the availability is lowered. Therefore, some policies allow unauthorized access to increase availability and maintain security.

For example, in the case of "| 192.168.1.225-192.168.1.225 | 21-21 | & | 0.0.0.0-255.255.255.255 | 80-80 |", an example of operation of the packet control policy will be described in detail. The AP was able to use the FTP server (port 192.168.1.224, port 21) and the Internet (port 80) on the internal network. At the beginning of the operation is the IP range to allow, and the second is the PORT range. Thirdly, it determines whether there is the following condition, and if there is the next decision, it performs AND operation to determine the control range. The first IP range and the second PORT range are ORed together to determine the control range.

Meanwhile, in the case of network communication using an unauthorized external wireless AP, the process of controlling by an unauthorized policy, as illustrated in FIG. 8, detects a packet in the NDIS mediated driver 115 and transmits an IP when the packet is transmitted. It scans and port information to block if it violates the policy and to allow it if it does not, to increase availability.

Hereinafter, an actual test example for implementing a client-based wireless network security method according to an embodiment of the present invention will be described in detail.

9 is a diagram illustrating an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention.

Referring to FIG. 9, in addition to the wireless AP device, the test environment added a smart phone that is converted into a wireless AP terminal using Wibro and tethering technology as a control range.

In addition, as an example for configuring a wireless AP list authorized on the server side, a client may display a wireless AP authentication request list and an access log, and grant authorization to the requested wireless AP. Web (JSP) was constructed. The authorized wireless AP is stored in a file and a DB (MS-SQL 2008), and the stored information is transmitted to the client.

Client used C / C ++ language to implement wireless AP authentication process, and ASEM / Kernel C language was used to control unauthorized wireless AP.

The access terminal uses a smartphone and a Wibro terminal that can be switched to two different WLAN cards and a wireless AP terminal.

FIG. 10 is a diagram illustrating setting of an unauthorized policy in an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention, and FIG. 11 is a client-based method according to an embodiment of the present invention. FIG. 12 is a diagram illustrating a wireless AP registration request in an actual test environment for implementing a wireless network security method of FIG. 12 is a diagram illustrating a wireless AP registration request in an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention. It is a figure for demonstrating wireless AP registration in a server.

11 to 12, first, a database DB and a web server are constructed in a server, and an unauthorized policy, that is, an unauthorized wireless AP control policy is set. The policy is reflected when the usage, description, IP range, PORT range, time zone, and day of the week are set.

Set up wireless APs around the test client PCs, but at least two because they must be split between authorized and unauthorized. If policy establishment is completed, install SW-Client for client. The scenario for WLAN authentication registration and unauthorized wireless AP is as follows.

First, at least one wireless LAN card is installed in the client, and as shown in FIG. 11, the server requests a wireless AP to be authorized. Then, clicking the wireless AP search button brings up a list and signals that can be accessed through the WLAN card. If you select a wireless LAN from the list and click the register button, it is requested to the server.

Thereafter, the wireless AP requested to the server can be checked on the web page of the server (Server) as shown in FIG. If the administrator determines that it is an inappropriate wireless AP, it will not accept the authentication request by clicking the delete button, and if it is authorized, check the use part and reflect the policy.

Next, the client attempts to connect to the wireless AP and the unauthorized wireless AP is controlled by the policy. If the blocked wireless AP is a normal wireless AP, the authentication request is used. The blocked AP may be modified to control IP and be used as another IP or port.

FIG. 13 is a diagram illustrating a log access to an authorized wireless AP in a result of an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention, and FIG. 14 is an embodiment of the present invention. In the result of the actual test environment for implementing the client-based wireless network security method according to the example, the log showing the access to the unauthorized wireless AP.

Referring to FIGS. 13 and 14, it is checked whether the control is performed by accessing an authorized wireless AP and an unlicensed wireless AP. As the AW-Client module operates, it gets a list of operating system versions and authorized wireless APs. If the wireless AP is connected, it collects the wireless network card and finds the connected wireless AP and performs the authentication process. If the wireless AP is connected, the wireless AP is determined to be an unauthorized wireless AP when not compared with the authorized list, and blocked, and the user is notified by a notification window.

15 and 16 are diagrams for explaining a performance evaluation of an actual test environment for implementing a client-based wireless network security method according to an embodiment of the present invention.

Referring to FIG. 15 and FIG. 16, a control method for a known wireless AP includes a method of blocking a corresponding frequency band by using a frequency interference device in a server, and a method of controlling a security server at a NAC level. In the client, a program is installed in the user's PC to control the wireless AP.

The method of controlling in the conventional server and the method of controlling using the proposed model of the present invention are compared in FIG. 15. Because the frequency base is up to the frequency jammer range, and the NAC base is the range of the internal network, it is impossible to control when the user goes out of range with a laptop to get out of range. However, since the proposed model of the present invention is controlled by the client, it can be controlled even if it goes out. Therefore, when it goes outside, the frequency and NAC base is vulnerable to external network security.

Conventional frequency and NAC base has a low scalability because of the limited range, and there is a part in cost because the equipment must be installed, but the proposed model of the present invention is no cost for the equipment because it is controlled by the program.

As shown in FIG. 16, the conventional server-based control method selects a method controlled by the client because a vulnerability occurs when it is outside. The scheme of controlling the conventional client and the proposed model of the present invention are compared in FIG. 16. That is, although the confidentiality is high between the conventional client base and the proposed model of the present invention, there are many differences in availability, scalability, and program security.

Conventional client bases have high security for unauthorized APs that block, allow, and control, but cannot control packets one by one. However, the proposed model of the present invention can use the Internet, FTP, etc. while maintaining the strength of security as set by the administrator, and the used log can be stored and monitored by the server.

Extensibility In addition, since the conventional client base only blocks, further expansion is not possible, but the proposed model of the present invention is configured to be flexible to expand additional functions such as mail, messenger, and web hard.

In addition, the proposed model of the present invention is not attacked by a malicious code or a debug tool because only authentication is performed at the user level and control is performed at the kernel level.

In addition, the proposed model of the present invention has no restriction on location, high scalability, and data can be secured in an external network and low cost than conventional frequency and NAC. In addition, it can be seen that availability, scalability, and program security are higher than those of the conventional client-based model.

As described above, existing methods for authentication of wireless APs have security weaknesses and limited availability for a limited range. Therefore, the present invention proposed a client-based proposal model to authenticate in addition to the external network range that is a security vulnerability of server-based authentication. In addition, the kernel level network driver (NDIS intermediate driver), which is not a permit / block method, is installed for an unauthorized wireless AP, thereby improving packet availability.

In addition, the proposed model of the present invention may have various unauthorized policies according to a packet control equation, and a separate policy may be managed for each user, thereby providing high scalability.

Although a preferred embodiment of the client-based wireless network security system and method thereof according to the present invention has been described above, the present invention is not limited thereto, but is not limited to the claims and the detailed description of the invention and the scope of the accompanying drawings. It is possible to carry out the transformation by the branch and this also belongs to this invention.

100-1 to 100-n: a client terminal,
200: security server

Claims (13)

A security server transmitting a wireless AP list and unauthorized policy information according to a request of a client terminal connected through a communication network; And
NDIS intermediate driver (NDIS intermediate driver) provided in the kernel area to selectively control the network packet transmitted and received through the network device according to the unauthorized policy information, and the wireless AP list and unauthorized policy authorized from the security server If the external wireless AP is an unauthorized wireless AP by determining whether the external wireless AP requested to be connected through an external communication network is received or not, and obtaining the network card information connected to the requested wireless AP, And at least one client terminal for transmitting the unauthorized policy information to the NDIS-mediated driver together with the media access control (MAC) address of the acquired network card information.
The method according to claim 1,
The security server, the client-based wireless network security system, characterized in that for storing a list of authorized wireless AP and unauthorized policy information in a separate database (DB).
The method according to claim 1,
The security server is a client-based wireless network security system, characterized in that to provide a web service to the external terminal to register, modify and set the authorized wireless AP list and unauthorized policy information through a separate web server .
The method according to claim 1,
The security server is a client-based wireless network security system, characterized in that for storing and managing the database (DB) of the external wireless AP access list and access log information requested for each client terminal.
The method according to claim 1,
The wireless AP list registered in the security server is a client-based wireless network security system, characterized in that consisting of the MAC address list and SSID (Service Set IDentifier) information of each authorized wireless AP.
The method according to claim 1,
The client terminal periodically transmits a wireless AP list request message to the security server, and periodically receives a wireless AP list and unauthorized policy information from the security server and stores the received wireless AP list in a separate memory. Based wireless network security system.
The method according to claim 1,
The unauthorized policy information may include at least one of a first unauthorized policy allowing only a web page access (PORT), a second unauthorized policy allowing only a predetermined IP bandwidth, and a third unauthorized policy allowing both the first and second unauthorized policies. Client-based wireless network security system, characterized in that any one of the unauthorized policy.
A method for securing a wireless network using a system consisting of at least one client terminal and a security server connected to each other through a communication network,
(a) periodically transmitting a wireless access point list request message to the security server through the client terminal, and periodically receiving a list of authorized wireless APs and unauthorized policy information from the security server, and using a separate memory Storing in;
(b) periodically monitoring the connection of the external wireless AP through the client terminal to obtain a MAC (Media Access Control) address of the connected external wireless AP when a connection request of the external wireless AP is detected;
(c) comparing the list of pre-authorized wireless APs in step (a) with the MAC addresses of the external wireless APs obtained in step (b) to determine whether to permit / disable the requested external wireless AP; step;
(d) acquiring network card information connected to the requested wireless AP when the requested external wireless AP is an unauthorized wireless AP as a result of the step (c);
(e) NDIS intermediate driver (NDIS intermediate) provided in the kernel area of the client terminal with the unauthorized policy information in the step (a) together with the MAC address of the network card information obtained in the step (d) through the client terminal; driver); And
(f) selectively controlling a network packet transmitted / received through a network device according to the unauthorized policy information transmitted in step (e) through an NDIS mediated driver of the client terminal. Way.
The method of claim 8,
Before the step (a), further comprising the step of storing the wireless AP list and unauthorized policy information authorized through the security server in a separate database (DB).
10. The method of claim 9,
And providing a web service to an external terminal to register, modify, and set an authorized wireless AP list and unauthorized policy information stored in the database through a separate web server. Based wireless network security method.
The method of claim 8,
After the step (b), further comprising the step of storing and managing the database (DB) of the external wireless AP access list and access log information requested for each client terminal through the security server (DB) Wireless network security method.
The method of claim 8,
In the step (a), the wireless AP list registered in the security server is a client-based wireless network security method, characterized in that consisting of the MAC address list and each SSID (Service Set IDentifier) information of each wireless AP.
The method of claim 8,
In the step (a), the unauthorized policy information registered in the security server may include: a first unauthorized policy allowing only a web page access (PORT), a second unauthorized policy allowing only a predetermined IP bandwidth, and the first and second A client-based wireless network security method comprising at least one unauthorized policy of a third unauthorized policy allowing all unauthorized policies.

Images