KR102309115B1 - System and method for controlling network access of data flow based application - Google Patents

Abstract

The present invention relates to a system for controlling network access of a data flow-based application, which blocks ransomware and malware from propagating and attacking destination networks or critical service servers through tunneling, and a method thereof. According to one embodiment of the present invention, a network system comprises: a node including a communication circuit, a processor operatively coupled with the communication circuit, and a memory storing an access control application; a first gateway existing at the boundary of the node's network; a destination network to which the node intends to access; a second gateway existing at the boundary of the destination network; and a server including a communication circuit, a processor operatively coupled to the communication circuit, and a memory storing a database, and communicatively coupled with the node, the first gateway, and the second gateway. The node is configured to transmit or drop, through the access control application, a data packet of a target application to a destination network on the basis of whether a data flow corresponding to identification information of the target application, an IP address of the destination network, and port information exists. The first gateway is configured to transmit or drop the data packet to the second gateway on the basis of whether a tunnel corresponds to the identification information of the data packet received from the node and the tunnel authorized by the server exists. The second gateway is configured to transmit or drop the data packet to the destination network on the basis of whether the data packet received from the first gateway is received through the authorized tunnel.

Description

SYSTEM AND METHOD FOR CONTROLLING NETWORK ACCESS OF DATA FLOW BASED APPLICATION

Embodiments disclosed in this document relate to a system for controlling a network connection of a data flow based application and a method therefor.

When the network is separated between the head office and branch offices in a network environment, site-to-site VPN (IPSec VPN) technology (a typical example) It can be used universally.

In a network using this technology, the terminal does not tunnel with the gateway of the destination network, but rather through tunneling created between the gateway existing at the boundary of the network to which the terminal belongs and the gateway existing at the boundary of the destination network. It has a structure to connect to the network.

In a remote network environment where it is difficult to control risks in a network with this structure, when a terminal with potential risks is connected to the network, it becomes possible to access important services through always-connected tunneling. and may not be safe from malware.

In order to solve this problem, when an application running in the terminal accesses the network, it is checked whether the corresponding application is accessible to the destination network, and if the connection is possible, a technology for accessing the destination network through an authorized tunnel may be provided.

However, in the case of this technology, since tunneling is performed between the terminal and the gateway, if a tunnel does not exist, a method for fundamentally blocking the data packet transmitted from the terminal to the destination network is provided, but as described above, between the network and the network. In a tunneling structure that is always connected to , it may be difficult to control connectivity.

Various embodiments disclosed in this document may provide a method for performing data flow-based connectivity control of a terminal in a network structure that is always tunneled.

A network system according to an embodiment disclosed in this document includes a node including a communication circuit, a processor operatively connected to the communication circuit, and a memory for storing a connection control application, a node existing at a boundary of a network of the node. A server comprising a first gateway, a destination network to which the node intends to connect, a second gateway existing at a boundary of the destination network, and a communication circuit, a processor operatively connected to the communication circuit, and a memory for storing a database a server, communicatively connected to the node, the first gateway, and the second gateway, wherein the node includes, through the access control application, identification information of a target application, an IP address of a destination network, and transmit or drop a data packet to the destination network of the target application based on whether a data flow corresponding to the port information exists, wherein the first gateway includes: and send or drop the data packet to the second gateway corresponding to the identification information of and based on whether a tunnel authorized by the server exists, wherein the second gateway is configured to: and send or drop the data packet to the destination network based on whether the data packet is received through the authorized tunnel.

According to an embodiment, the server checks whether the node or the access control application is accessible in the access policy on the control flow generated between the node and the server, and if the access is possible, allows the access of the node To do this, check the first gateway located at the network boundary to which the node belongs in the tunnel policy, check whether a tunnel is created between the first gateway and the second gateway, and check the data flow table of the server. Check if there is a data flow accessible to the IP address and port of the destination network, and if the tunnel is created and there is no valid data flow in the data flow table, the node's IP to allow the access of the application Creates a data flow based on the address, IP address and port information of the destination network, transmits the generated data flow to each of the first and second gateways, and there is a data flow accessible in the data flow table. case, it may be configured to transmit the data flow to the node.

According to an embodiment, the node performs a validation procedure according to a validation policy when a data flow does not exist or a data flow needs to be updated before performing a network access request to the server, and the validation if the check is successful, use the communication circuitry of the node to request a network connection to the destination network from the server.

According to an embodiment, the node receives a first user input for requesting user authentication, and uses the communication circuit to request user authentication for the user of the node from the server, and the user authentication request is including user identification information, wherein the server, in response to the user authentication request from the node, checks whether a user attempting to access from the node is an accessible user and whether it is included in the blacklist, so that the user It is checked whether the user is blocked, and when the user is unable to access or the user is included in the blacklist, the access unavailable information is transmitted to the node, and when the user is an accessible user, the transmitted control flow identification information Search for a control flow in the control flow table, add the user identification information to the identified control flow identification information, and return the authentication completion status and the authenticated user's access policy information to the node as a user authentication result. have.

According to an embodiment, the node is configured to detect a control flow update event and request a control flow update to the server, and when the control flow update result is unreachable, terminate the application or close all network connections of the application configured to block, wherein the server checks whether a control flow exists in the control flow table based on the control flow identification information requested by the node, and if the control flow does not exist, returns the connection unavailable information to the node and updating an update time when a control flow exists, and searching for a data flow dependent on the control flow.

According to an embodiment, the node is configured to detect a connection release event and request the server to terminate the control flow, and the server removes the identified and searched control flow based on the control flow identification information requested by the node. and, when the control flow is removed, request the second gateway relaying all data flows to which it is dependent to remove the data flow, wherein the second gateway removes the data flow so that the application is no longer sent to the destination network. It may be configured to be in a state where data packets cannot be transmitted.

According to an embodiment, the access control application of the node checks whether an application running in the node is terminated, performs a data flow table check procedure when the application is terminated, and identifies information and PID of the terminated application Checks whether (Process ID and Child Process ID Tree) information exists in the data flow table. If the data flow corresponding to the ID information and PID of the terminated application exists in the data flow table, the data flow is deleted. and transmits the deleted data flow list to the server to request deletion of the deleted data flow list, wherein the server deletes the data flow from the data flow table based on the deleted data flow list received from the node. and transmit a deleted data flow list to the second gateway, wherein the second gateway includes an IP address of the node included in the deleted data flow list, an IP address of the destination network, and a port of the destination network and may be configured to process data packets corresponding to the information so that they are no longer forwarded.

According to an embodiment, in order to track the termination of multiple executable applications, the server deletes all data flows corresponding to identification information of the terminated application when the terminated application does not exist in the running process list. can be further configured.

According to the embodiments disclosed in this document, the access application is a terminal or one or more identification information to the controller for access to the destination network and an IP address assigned to the terminal through identification and authentication of the application and the terminal identified by the controller Receives data flow information (source IP address, destination IP address, port information) for allowing data packet transmission based on the IP address of

The access control application allows or blocks the transmission of the network access of the access application according to the data flow information received from the controller. If there is no received data flow, the data packet is blocked from being transmitted to the destination network. Therefore, using this patent, an unauthorized target uses the technology of the Site to Site VPN method to prevent tunneling in advance. Even in this case, access to the destination network can be basically blocked.

As a result, unauthorized devices, applications, and insecure applications block access to unauthorized networks, so devices that are imported into remote networks and devices with inherent vulnerabilities, especially antivirus or vaccine, detect malware It is possible to block the propagation and attack of ransomware and malware, which are new risk factors that are not discovered by tools, through tunneling connected to the destination network or critical service server.

It can also provide a complete isolation method because it provides a complete blocking method in the network by retrieving all data flow information when the network connection is no longer needed.

As a result, by utilizing data flow-based access control technology, it is possible to implement a secure network connection lifecycle from application network access control, threat blocking, and isolation, and the static (Site to Site VPN) method inherent in the Static) can provide a secure network connection in which the problem of tunneling is solved.

In addition, various effects directly or indirectly identified through this document may be provided.

1 illustrates an architecture within a network environment in accordance with various embodiments.
2 may explain an operation of blocking a network connection according to various embodiments of the present disclosure.
3 is a functional block diagram illustrating a database stored in a controller according to various embodiments of the present disclosure;
4 illustrates a functional block diagram of a node in accordance with various embodiments.
5 illustrates a signal flow diagram for controller connection according to various embodiments.
6 illustrates a signal flow diagram for user authentication according to various embodiments.
7 illustrates a signal flow diagram for processing a network connection according to various embodiments of the present disclosure;
8 illustrates a signal flow diagram for forwarding a data packet in accordance with various embodiments.
9 illustrates a signal flow diagram for updating a control flow according to various embodiments.
10 illustrates a signal flow diagram for releasing a network connection according to various embodiments.
11 illustrates a signal flow diagram for terminating application execution according to various embodiments.

Hereinafter, various embodiments of the present invention may be described with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, and it should be understood that various modifications, equivalents, and/or alternatives of the embodiments of the present invention are included.

In this document, the singular form of the noun corresponding to the item may include one item or a plurality of items unless the context clearly indicates otherwise. As used herein, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A; Each of the phrases "at least one of B, or C" may include any one of, or all possible combinations of, items listed together in the corresponding one of the phrases. Terms such as “first”, “second”, or “first” or “second” may simply be used to distinguish a component from another component in question, and refer to the component in another aspect (e.g., importance or order) is not limited. One (eg, first) component is referred to as “coupled” or “connected” to another (eg, second) component, with or without the terms “functionally” or “communicable”. When referenced, it may mean that one component can be coupled to another component directly (eg, by wire), wirelessly, or through a third component.

Each component (eg, a module or a program) of components described in this document may include a singular or a plurality of entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg, a module or a program) may be integrated into one component. In this case, the integrated component may perform one or more functions of each component of the plurality of components identically or similarly to those performed by the corresponding component among the plurality of components prior to integration. According to various embodiments, operations performed by a module, program, or other component are executed sequentially, in parallel, repeatedly, or heuristically, or one or more of the operations are executed in a different order, omitted, or , or one or more other operations may be added.

As used herein, the term “module” may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as, for example, logic, logic block, component, or circuit. A module may be an integrally formed part or a minimum unit of a part or a part thereof that performs one or more functions. For example, according to an embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document may be implemented as software (eg, a program or an application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one of the one or more instructions stored from the storage medium and execute it. This may enable the device to be operated to perform at least one function according to the at least one command called. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not include a signal (eg, electromagnetic wave), and this term refers to the case where data is semi-permanently stored in the storage medium and It does not distinguish between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided by being included in a computer program product. Computer program products may be traded between sellers and buyers as commodities. The computer program product is distributed in the form of a machine-readable storage medium (eg, compact disc read only memory (CD-ROM)), or via an application store or between two user devices (eg, smartphones). It can be distributed directly, online (eg, downloaded or uploaded). In the case of online distribution, at least a portion of the computer program product may be temporarily stored or temporarily created in a machine-readable storage medium such as a memory of a server of a manufacturer, a server of an application store, or a relay server.

1 illustrates an architecture within a network environment in accordance with various embodiments.

Referring to FIG. 1 , the number of nodes 101 , a first gateway (eg, IPSec VPN) 103 , a second gateway 104 , and a destination network 105 is limited to the number shown in FIG. 1 . no. For example, the controller 102 may manage one or more nodes 101 (eg, “terminal A” and “terminal B” in FIG. 1 ) and one or more gateways 103 , 104 .

According to an embodiment, the data flow-based connectivity control technology provides a structure in which communication is possible only when there is a data flow authorized by the controller 102 in order for the node 101 to access the target network, and the data flow In the absence of , the node 101 may provide a structure in which communication cannot be performed.

Node 101 may include a connection control application and a network driver for all network access control for applications within node 101 .

The node 101 checks whether a connection is possible from the controller 102 when a network connection occurs, and only when the connection is possible, through the data flow information generated by the controller 102, without the need to perform tunneling with the first gateway 103 Data packets can be transmitted.

The controller 102 controls network access of the node 101 and checks whether a tunnel is created between the first gateway 103 and the second gateway 104, and the security received from each node 101 and the gateways 103 and 104 It is possible to provide a method for always maintaining a secure network state, such as removal of a data flow generated according to an event and isolation of the node 101 through a blacklist.

The first gateway 103 is a gateway existing at the boundary of the network to which the node 101 belongs, and may be disposed between the node 101 and the second gateway 104 . The first gateway 103 may forward the data packet received from the node 101 to the second gateway 104 . At this time, the first gateway 103 responds to the identification information indicated by the data packet (eg, identification information of the source node and/or access control application, IP address and port information of the destination network) and is authorized by the controller 102 . Data packets can be forwarded based on whether a tunnel exists. If the authorized tunnel does not exist, the first gateway 103 may drop the data packet.

The second gateway 104 may be a VPN gateway existing at a network boundary of the destination network 105 . The second gateway 104 may send or drop the data packet to the destination network 105 based on whether the data packet received from the first gateway 103 is received through an authorized tunnel. The authorized tunnel may correspond to identification information indicated by the data packet. In addition, the second gateway 140 checks the 5 tuples information among the received data packets, and if data flow information corresponding to the source IP address, destination IP address, and destination port information exists, it is sent to the destination network (or destination network). can be forwarded. The second gateway 104 may consider only an authorized tunnel, only a data flow, or both an authorized tunnel and a data flow, according to an embodiment.

According to the above-described method, the node 101 transmits a data packet to the destination network 105 without performing tunneling, while preventing a malicious attack in the application unit through the tunnel between the gateways 103 and 104 .

2 may explain an operation of blocking a network connection according to various embodiments of the present disclosure.

When the node 101 is not connected to the controller 102 through the access control application, the data packet transmitted to the network is blocked at the kernel stage of the network driver and the operating system, so that any data packet except the access control application is not transmitted to the network. is not sent to

In the case of a non-management terminal in which the access control application is not installed among the nodes 101 existing in the network, the network access application (eg, a web browser, or may be referred to as a 'target application') transmits unauthorized data packets to the network. However, since the second gateway 104 blocks all data packets unless there is an authorized tunnel between the first gateway 103 and the second gateway 104, the node 101 is effectively connected to the destination network. (105) can be unreachable, i.e., an isolated state.

3 is a functional block diagram illustrating a database stored in a controller (eg, controller 102 of FIG. 2 ) in accordance with various embodiments.

3 shows only the memory 330 , the controller includes a communication circuit for performing communication with an external electronic device (eg, the communication circuit 430 of FIG. 4 ) and a processor (eg, FIG. 4 ) for controlling the overall operation of the controller. It may further include a processor 410 of 4).

Referring to FIG. 3 , the controller may store databases 311 to 316 for controlling network access and data transmission in the memory 330 .

Since the administrator can access the controller 102 and set a connection-oriented policy for controlling the connection between the source and the destination, finer network access control is possible compared to the existing NAC and firewall.

The access policy database 311 identifies the identified network, the node 101, the user, the non-identified user (guest), the network and services accessible by the application, etc., based on the corresponding policy when the node 101 requests network access. network, node 101, and user information can be checked.

The tunnel policy database 312 contains information on the type and encryption method and level of the tunnel to be connected by the first gateway 103 to the second gateway 104 on the connection path according to the access policy, and the node 101 When requesting a network access of

The blacklist policy database 313 contains information (node 101, Based on the IP address, MAC address, user, etc.), a blacklist registration policy for permanently or temporarily blocking access to the node 101 may be set.

The blacklist database 314 contains the node 101, IP address, MAC address, user, etc., which are blocked from access by the blacklist policy, and the node 101 is included in the list when the controller 102 access request. If there is, the connection request is rejected, so it may be in a state of complete isolation in which network access is impossible.

The control flow table 315 is a kind of session table for managing the flow generated between the node 101 and the controller 102 . When the node 101 successfully accesses the controller 102 , the control flow and control flow Identification information for identification is generated, and information such as an IP address, terminal identification information, and user identification information, each identified when the controller 102 is accessed and authenticated, may be included in the control flow.

The control flow identification information transmitted when the node 101 requests network access and each identification information included in the control flow searched by the identification information are mapped with an access policy to determine whether access is possible and whether a data flow is created. can be used

The node 101 needs to periodically update the expiration time of the control flow, and if the update is not performed for a certain period of time, the control flow may be removed. In addition, when immediate access blocking is required according to the risk level of the security event collected from the node 101 and the second gateway 104 or according to the connection termination request of the node 101, the control flow is removed, and the control flow When removed, all connections to the node 101 may be blocked because all generated data flows are reclaimed.

The tunnel table 316 is a table for managing a tunnel connected between the first gateway 103 and the second gateway 104 .

The tunnel table 316 is a table for managing a tunnel connected between the first gateway 103 and the second gateway 104, and when a valid tunnel exists, tunnel identification information for managing and identifying the tunnel and the second gateway It may be composed of control flow identification information for control between the 104 and the controller 102 and additional information for managing TEP (tunnel end point), TSP (tunnel start point), tunnel algorithm and type, and the like.

The data flow table 317 is a table for managing a flow in which detailed data packets are transmitted between the node 101 and the second gateway 104, and is a TCP session or The flow can be managed by the application of the source node 101 and a more detailed management unit, and in the case of data flow identification information for identifying it and a data flow dependent on the control flow, the dependent control flow identification information, It may include detailed management unit information such as application identification information for identifying a data flow, a source IP address, a destination IP address, and a service port.

The data flow table structure included in the controller 102 may be equally applied to the node 101 and the second gateway 104 .

4 illustrates a functional block diagram of a node in accordance with various embodiments.

Referring to FIG. 4 , a node may be a node 101 , a gateway 103 , 104 , and a destination network 105 , and may include a processor 410 , a memory 420 , and a communication circuit 430 . have. According to an embodiment, the node may further include a display 440 to interface with the user.

The processor 410 may control the overall operation of the node 101 . In various embodiments, the processor 410 may include one processor core or a plurality of processor cores. For example, the processor 410 may include a multi-core such as a dual-core, a quad-core, or a hexa-core. According to embodiments, the processor 410 may further include a cache memory located internally or externally. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, and a graphical processing unit (GPU).

All or part of the processor 410 is electrically or operatively coupled to other components within the node (eg, memory 420 , communication circuitry 430 , or display 440 ). It can be coupled with or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process a message, data, command, or signal received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, instruction, or signal based on the received message, data, instruction, or signal. Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .

The processor 410 may process data or signals generated or generated in a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may write (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.

The memory 420 may store a command for controlling a node, a control command code, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS) (eg, Microsoft Windows, Google Android, Apple iOS, MacOS, etc.), middleware, or a device driver. may contain one.

The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). may include The nonvolatile memory may include a read only memory (ROM), a programmable ROM (PROM), an electrically programmable ROM (EPROM), an electrically erasable programmable ROM (EEPROM), a flash memory, and the like. The memory 420 includes a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), and a universal flash storage (UFS). may include more.

According to an embodiment, the memory 420 may store some of information included in the memory of the controller 102 (eg, the memory 330 of FIG. 3 ). For example, the memory 420 may store the tunnel table 316 and the data flow table 317 described in FIG. 3 .

The communication circuit 430 may support establishment of a wired or wireless communication connection between the terminal and an external electronic device (eg, the controller 102 or the gateway 203 of FIG. 2 ) and performing communication through the established connection. According to one embodiment, communication circuitry 430 may include wireless communication circuitry (eg, cellular communication circuitry, near field communication circuitry, or global navigation satellite system (GNSS) communication circuitry) or wired communication circuitry (eg, local area network (LAN) circuitry). ) communication circuit, or power line communication circuit), and using the corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct or IrDA (infrared data association) or a cellular network, Internet, or long-distance communication such as a computer network It can communicate with an external electronic device through a network. The above-described various types of communication circuits 430 may be implemented as a single chip or as separate chips.

The display 440 may visually output content, data, or a signal. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integrated touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input or the like. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or disposed below the display 440 .

Meanwhile, the server (eg, the controller 102 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410 , the memory 420 , and the communication circuit 430 included in the server may be substantially the same as the above-described processor 410 , the memory 420 , and the communication circuit 430 .

Terminal network access control

A user may install and execute an application for performing network access control of the node 101 .

controller connection

The user may enter access information when executing the access control application for access to the controller 102 and click the access button.

The controller 102 determines whether the access control application access request information (the type of the node 101, location information, environment, and the network including the node 101) is in a state accessible by the policy, the node 101 ) and network identification information (terminal identification information, IP address, MAC address, etc.) are included in the blacklist to check whether the node 101 is in an accessible state, and if it is in the accessible state, a control flow is generated. and transmit the generated control flow identification information to the node 101 .

If the node 101 is in an unreachable state, the access control application may display an access unavailable message and reason on the screen.

When the controller 102 is normally connected, all network access requests generated from the node 101 thereafter are checked for authorization through the controller 102, and since user authentication is not performed at the current stage, the unidentified user Access policy corresponding to (guest) may be applied.

5 illustrates a signal flow diagram for controller connection according to various embodiments.

In operation 505 , the node 101 may detect a controller connection request event. The connection control application 111 of the node 101 may request a connection to the controller 102 to create a control flow (control data packet flow and a series of sessions) with the controller 102 .

In operation 510 , the controller 102 controls access to information requested by the access control application 111 of the node 101 (the type of the node 101 , location information, environment, and a network including the node 101 , access control). application information, etc.) is in a state accessible by the policy, the node 101 and network identification information (terminal identification information, IP address, MAC address, etc.) You can check if the connection is possible.

If access is not possible or is included in the blacklist, access unavailable information may be transmitted.

In operation 515, in the case of an accessible node 101, a control flow is generated, control flow identification information is generated in the form of a random number, and node 101 and network identification information (terminal identification information, IP address, MAC address, etc.) are written in It can be added to the control flow table 315 .

In operation 520, the controller 102 generates accessable application whitelist information from the access policy matched with the identified information (node 101, source network information, etc.), and as a result of the access, the connection completion status and subsequent nodes ( When the user authentication request of 101) and the continuous node 101 information update are performed, control flow identification information for identifying the control flow and the application whitelist generated through the above process may be returned.

If the connection is not possible, the controller 102 may transmit a connection failure result to the node 101 .

In operation 525 , the node 101 may process the connection request result value received from the controller 102 .

If the connection is not possible, the execution of the access control application may be stopped and terminated, or a related error message may be displayed.

In operation 530 , when the node 101 receives the application whitelist from the controller 102 , the node 101 checks whether the corresponding application is installed on the node 101 , and in the case of an existing application, the corresponding application according to the validation policy. The result of performing an application integrity and safety check (application forgery, code signing check, fingerprint check, etc.) may be transmitted to the controller 102 .

In operation 535, if access is possible, the first gateway 103 where the node 101 is located is checked in the tunnel policy to allow access of the node 101 connected to the network, and the node 101 belongs to. It is checked whether a tunnel is created between the first gateway 103 of the network boundary and the second gateway 104 of the destination network boundary to be accessed, and a data flow accessible to the corresponding destination IP address and port in the data flow table. You can check if information (or data flow) exists.

If there is no valid data flow information in the data flow table, data flow information is generated based on the source IP address, destination IP address, and port information to allow access of the corresponding application, and the information is provided to the identified gateway (103, 104), respectively. In an embodiment, if the tunnel between the first gateway 103 and the second gateway 104 is not created, the data flow information may further include information for tunnel creation.

If there is data flow information accessible from the data flow table 316 , the corresponding information may be transmitted to the node 101 .

In operation 540 , the gateways 103 and 104 may receive data flow information from the controller 102 .

In operation 545 , the node 101 may process the connection request result value received from the controller 102 .

User authentication

The controller 102 checks whether the access control application is an accessible user based on the information requested for authentication (user identification information and password, enhanced authentication information, etc.) and whether the user is included in the blacklist to determine whether the user is blocked After checking whether or not it is in an accessible state, the authentication process can be completed and user identification information can be added to the control flow.

If user authentication fails, the access control application may display an access unavailable message and reason on the screen.

When the user is normally authenticated, an access policy corresponding to the authenticated user may be applied to check whether network access is authorized.

6 illustrates a signal flow diagram for user authentication according to various embodiments.

In operation 605 , the node 101 may detect a user authentication request event. The access control application 111 may perform user authentication in order to be granted detailed access rights to the network, and may transmit user identification information and password or authentication information by a reinforced authentication method.

In operation 610, the controller 102 checks whether the access control application 111 is an accessible user based on the authentication-requested information (user identification information and password, enhanced authentication information, etc.) and whether it is included in the blacklist You can check whether the user is blocked or not.

If access is not possible or if it is included in the blacklist, the access unavailable information may be transmitted.

In operation 615, in the case of an accessible user, a control flow may be searched for in the control flow table 315 using the transmitted control flow identification information, and user identification information (user identification information) may be added to the searched identification information of the control flow. .

The controller 102 may return an authentication completion status and access policy information of the authenticated user as a result of user authentication.

In operation 620, the controller 102 generates accessable application whitelist information from the access policy matched with the identified information (node 101, source network information, user identification information, etc.), and as a result of the access, the access completion status Then, when the user authentication request of the node 101 and the continuous node 101 information update are performed, the control flow identification information for identifying the control flow and the application whitelist generated through the above process may be returned. If the connection is not possible, the controller 102 may transmit a connection failure result to the node 101 .

In operation 625 , the node 101 may process the connection request result value received from the controller 102 . If the connection is not possible, the execution of the access control application 111 may be stopped and terminated, or a related error message may be displayed.

In operation 630 , when the node 101 receives the application whitelist from the controller 102 , the node 101 checks whether the corresponding application is installed on the node 101 , and in the case of an existing application, the corresponding application according to the validation policy. The result of performing an application integrity and safety check (application forgery, code signing check, fingerprint check, etc.) may be transmitted to the controller 102 .

In operation 635, if access is possible, the first gateway 103 in which the node 101 is located is checked in the tunnel policy to allow access of the node 101 connected to the network, and the node 101 belongs to. It is checked whether a tunnel is created between the first gateway 103 of the network boundary and the second gateway 104 of the destination network boundary to be accessed, and a data flow accessible to the corresponding destination IP address and port in the data flow table. You can check if the information exists.

If tunneling is created and there is no valid data flow information in the data flow table, data flow information is created based on the source IP address, destination IP address and port information to allow the access of the application, and the information can be transmitted to the identified gateways 103 and 104, respectively. In an embodiment, if the tunnel between the first gateway 103 and the second gateway 104 is not created, the data flow information may further include information for tunnel creation.

If there is data flow information that can be accessed in the data flow table, the corresponding information may be transmitted to the node 101 .

In operation 640 , the gateways 103 and 104 may receive data flow information from the controller 102 .

In operation 645 , the node 101 may process the connection request result value received from the controller 102 .

Run the application and enter the access web address

All applications of the node 101 may be controlled by the access control application when attempting to access the network.

The access control application may include a part operating as a kernel and a network driver for network access control of all applications of the node 101 .

As an example of network access control of the application, an Internet browser may be executed, and a web address to be accessed may be input and called.

Connection target identification and data packet transmission control

When a network access request is received, the access control application can identify the access requesting application, destination IP address, and service port information, and check whether there is valid data flow information that can be used as the corresponding identification information in the data flow table.

The data flow table may provide information for determining whether a data packet can be transmitted for each connection and management unit.

If data flow information is available, data packets can be transmitted.

If the data flow information does not exist, a validation procedure may be performed according to the validation policy. In the validation check, the integrity and safety of the access-requested application (application forgery, code signing check, fingerprint check, etc.) is checked and the access application, access target IP address and port are connected according to the access policy received from the controller 102 It is possible to perform a procedure to check in advance whether the state is possible.

If the validation check fails, the data packet may be DROPed and a connection unavailable message and reason may be displayed to the access control application.

When the validation check is successful, the node 101 performs a connection request to the controller 102 and may transmit each identification information (access application, connection target IP address, service port information, etc.) upon request.

In the access policy matched with the information identified on the control flow (node 101, user, source network information, etc.), the controller 102 provides access-requested identification information (access application and connection target IP address and service port information, etc.) You can check whether it is included and whether it can be accessed.

If the connection is not possible, the controller 102 may transmit a connection failure result to the node 101, and the access control application may drop the data packet and display a connection failure message and reason.

When access is possible, data flow information for allowing the corresponding data packet may be transmitted to the second gateway 104 existing at the boundary of the destination network.

The access control application may check the result of the access request received from the controller 102 .

Upon receiving the data flow information, the access control application transmits the data packet to the service server, and the second gateway 104 existing at the destination network boundary uses the source IP address and destination IP address based on 5 Tuples information of the received data packet. , it checks whether a valid data flow exists on a port-based basis, and if it is not valid, the data packet can be dropped (DROP).

If a valid data flow exists, the data packet can be forwarded.

Through this procedure, the application is basically blocked from the destination network, and an environment can be provided in which only data packets included in the allowed data flow table can be transmitted through the controller's authorization process and the gateway's data packet forwarding process. .

7 illustrates a signal flow diagram for processing a network connection according to various embodiments of the present disclosure;

In operation 705 , the node 101 may detect a network connection event.

In operation 710, when the access control application 111 of the node 101 needs to communicate with the service server, a data flow based on the identification information of the target application, the destination IP address and port information to communicate with the service server You can check if the information exists.

If the data flow exists but is not valid (eg, data packet transmission impossible state), the data packet may be dropped (DROP).

If there is a data flow, the data packet can be transmitted.

In operation 715, if the data flow does not exist, the authentication time expires, and the update is required, or if the data flow needs to be updated due to other matters, a validation procedure may be performed according to the validation policy. . The validation check may include checking whether the access application is integrity and secure (eg, whether the application forgery or not, code signing check, fingerprint check, etc.).

In operation 720, the access control application 111 of the node 101 has control flow identification information and application identification information for identifying the control flow generated with the controller 102 before the network access event, and the destination IP of the server to be accessed. A network access request may be made to the controller 102 based on the address and port information.

In operation 725, the controller 102 performs access-requested identification information (application, destination IP address, and service port information) in the access policy matched with information identified on the control flow (node 101, user, source network information, etc.) etc.) and whether access to the second gateway 104 existing between the destination server mapped with the corresponding identification information and the network boundary is possible may be checked.

If the connection is not possible, the controller 102 may transmit a connection failure result to the node 101 .

In operation 730, if access is possible, the first gateway 103 where the node 101 is located is checked in the tunnel policy to allow access of the node 101 connected to the network, and the node 101 belongs to. It is checked whether a tunnel is created between the first gateway 103 of the network boundary and the second gateway 104 of the destination network boundary to be accessed, and a data flow accessible to the corresponding destination IP address and port in the data flow table. You can check if the information exists.

If tunneling is created and there is no valid data flow information in the data flow table, data flow information is created based on the source IP address, destination IP address and port information to allow the access of the application, and the information can be transmitted to the identified gateways 103 and 104, respectively.

If there is data flow information that can be accessed in the data flow table, the corresponding information may be transmitted to the node 101 .

In operation 735 , the second gateway 104 may receive data flow information from the controller 102 .

In operation 740 , the access control application 111 may process the connection request result value received from the controller 102 .

If the network connection fails, the data packet may be dropped.

If access is possible based on an existing data flow, a data packet may be transmitted.

Controlling data packet forwarding at the gateway

When receiving a data packet through tunneling, the second gateway 104 may check whether a data packet existing in a data flow has been received.

The data flow information received from the controller 102 includes a source IP address, a destination IP address, and port information, and in the case of a data packet in which a data flow does not exist, the data packet may be DROPed.

If a valid data flow exists, the data packet can be forwarded.

8 illustrates a signal flow diagram for forwarding a data packet in accordance with various embodiments.

In operation 805 , the second gateway 104 may detect a data packet reception event. For example, the second gateway 104 may receive a data packet transmitted from the node 101 from the first gateway 103 .

In operation 810 , when receiving the data packet through the authorized tunnel, the second gateway 104 receives data based on the source IP address, destination IP address, and destination port information included in 5 Tuples information of IP (Internet Protocol). You can check whether a forwardable data flow exists in the flow table.

In operation 815, if there is a data flow, the corresponding data packet may be forwarded.

In operation 820, if there is no data flow, the corresponding data packet may be dropped.

9 illustrates a signal flow diagram for updating a control flow according to various embodiments.

In operation 905 , the node 101 may detect a control flow update event and request the controller 202 to update the control flow.

In operation 910 , the controller 102 may check whether a control flow exists in the control flow table based on the control flow identification information requested by the node 101 .

If the control flow does not exist (eg, disconnection by other security systems, over the update time, disconnection due to self-risk detection, etc.), the connection of the node 101 is not valid, so the connection impossible information can be returned

If the control flow exists, the update time may be updated, and data flow information dependent on the corresponding control flow may be searched.

In operation 915 , if the result of the control flow update is that the connection is unavailable, the node 101 may terminate the application or block all network connections of the application.

disconnect from the network

When the user no longer needs network access, or when the node 101 is shut down or restarted, the user can release the previously generated data flow information through the connection release procedure.

Since the node 101 for which the data flow information is released cannot access the network using the existing data flow information, it may be isolated from the network.

10 illustrates a signal flow diagram for releasing a network connection according to various embodiments.

In operation 1005 , the node 101 may detect a connection release event. When the application is terminated or the network connection is no longer used, when a connection termination request is generated based on information identified from the interworking system, a control flow termination request may be made to the controller 102 .

In operation 1010 , the controller 102 may remove the identified and found control flow based on the control flow identification information requested by the node 101 .

In operation 1015 , when the control flow is removed, the second gateway 104 relaying all dependent data flows may be requested to remove the corresponding data flow.

In operation 1020 , the second gateway 104 may be in a state in which the corresponding application can no longer transmit data packets to the destination network by removing the data flow.

11 illustrates a signal flow diagram for terminating application execution according to various embodiments.

In operation 1105, the access control application 111 of the node 101 checks whether the application running on the node 101 is terminated, that is, an application execution termination event, in real time, and when the application is terminated, the data flow table inspection procedure can be performed.

In operation 1110 , it may be checked whether identification information of the terminated application and PID (Process ID and Child Process ID Tree) information exist in the data flow table.

In operation 1115, if a data flow corresponding to the identification information of the terminated application and the PID exists in the data flow table, the corresponding data flow may be deleted.

In order to track the termination of multiple executable applications, if the terminated application does not exist in the running process list, all data flows corresponding to identification information of the terminated application may be deleted.

The access control application can request deletion by sending the deleted data flow list to the controller.

In operation 1120 , the controller may delete a corresponding data flow from the data flow table based on the deleted data flow list received from the terminal, and transmit the deleted data flow list to the gateways 103 and 104 .

In operation 1125 , the gateways 103 and 104 may process data packets corresponding to the source IP address, the destination IP address, and the destination port information included in the deleted data flow list to not be forwarded anymore.

The above description is merely illustrative of the technical idea disclosed in this document, and those of ordinary skill in the art to which the embodiments disclosed in this document belong are not departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are for explanation rather than limiting the technical ideas disclosed in this document, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The protection scope of the technical ideas disclosed in this document should be interpreted by the following claims, and all technical ideas within the equivalent range should be interpreted as being included in the scope of the present document.

Claims (8)

A network system comprising:
a node comprising communication circuitry, a processor operatively coupled to the communication circuitry, and a memory storing a connection control application;
a first gateway existing at a boundary of the node's network;
a destination network to which the node intends to access;
a second gateway existing at a boundary of the destination network; and
A server comprising communication circuitry, a processor operatively coupled with the communication circuitry, and a memory for storing a database, wherein the server is communicatively coupled with the node, the first gateway, and the second gateway.
including,
The node is
Through the access control application, based on whether a data flow corresponding to the identification information of the target application, the IP address of the destination network, and the port information exists, sending or dropping a data packet for the destination network of the target application ( DROP),
The first gateway,
and send or drop the data packet to the second gateway corresponding to the identification information of the data packet received from the node and based on whether a tunnel authorized by the server exists;
The second gateway,
and send or drop the data packet to the destination network based on whether the data packet received from the first gateway is received via the authorized tunnel. According to claim 1,
The server is
Checking whether the node or the access control application is accessible in the access policy on the control flow created between the node and the server,
If access is possible, check the first gateway located at a network boundary to which the node belongs in a tunnel policy to allow access of the node,
check whether a tunnel is created between the first gateway and the second gateway;
Checking whether there is a data flow accessible to the IP address and port of the destination network in the data flow table of the server,
When the tunnel is created and there is no valid data flow in the data flow table, a data flow is created based on the IP address of the node, the IP address of the destination network, and port information to allow the access of the application. do,
Transmitting the generated data flow to each of the first and second gateways,
and, if there is an accessible data flow in the data flow table, send the data flow to a node. The method of claim 2, wherein the node comprises:
Before performing a network access request to the server, if the data flow does not exist or the data flow needs to be updated, a validation procedure is performed according to the validation policy;
and if the validation check is successful, use the communication circuitry of the node to request a network connection to the destination network from the server. 3. The method of claim 2,
The node is
receiving a first user input requesting user authentication,
using the communication circuit to request user authentication for the user of the node from the server, wherein the user authentication request includes user identification information;
The server is
In response to the user authentication request from the node, it is checked whether the user attempting to access the node is an accessible user and whether the user is included in the blacklist to determine whether the user is blocked,
When the user's access is impossible or the user is included in the blacklist, the access unavailable information is transmitted to the node,
When the user is an accessible user, a control flow is searched for in the control flow table with the transmitted control flow identification information, and the user identification information is added to the searched identification information of the control flow;
and return an authentication completion status and access policy information of the authenticated user to the node as a user authentication result. According to claim 1,
The node is
and detect a control flow update event, and request a control flow update to the server;
configured to terminate the application or block all network connections of the application when the result of the control flow update is unreachable;
The server is
Checking whether a control flow exists in the control flow table based on the control flow identification information requested by the node,
If the control flow does not exist, return unreachable information to the node,
and update an update time when a control flow exists, and search for a data flow dependent on the control flow. According to claim 1,
The node is
configured to request the server to terminate a control flow by detecting a connection disconnection event,
The server is
Remove the identified and searched control flow based on the control flow identification information requested by the node,
when the control flow is removed, request the second gateway relaying all dependent data flows to remove the data flow,
The second gateway,
and removing the data flow puts the application into a state in which it is no longer able to send data packets to the destination network. According to claim 1,
the access control application of the node,
Check whether the application running on the node is terminated, and if the application is terminated, perform a data flow table check procedure,
Checks whether the identification information of the terminated application and PID (Process ID and Child Process ID Tree) information exists in the data flow table,
If there is a data flow corresponding to the identification information of the terminated application and the PID in the data flow table, the data flow is deleted;
Requesting deletion of the deleted data flow list by sending the deleted data flow list to the server,
The server is
delete a data flow from a data flow table based on the deleted data flow list received at the node, and send the deleted data flow list to the second gateway;
The second gateway is configured to process data packets corresponding to the IP address of the node, the IP address of the destination network, and the port information of the destination network included in the deleted data flow list to be no longer forwarded. system. The method of claim 7, wherein the server,
The network system, further configured to delete all data flows corresponding to identification information of the terminated application when the terminated application does not exist in the running process list to track the termination of the multi-executable application.

Images