KR102349039B1 - Control data packet processing system optimized for distributed gateway environment and method therefor - Google Patents

Abstract

A node according to an embodiment of the present invention includes: a communication circuit; a processor operatively coupled to the communication circuit; and a memory operatively coupled to the processor and storing a connection control application. The memory stores instructions causes, when executed by the processor, the node to: detect, through an access control application, a network access event to a destination network; check, through the access control application, whether a tunnel between the node and a gateway and a data flow corresponding to the destination network and authorized from an external server exist; perform, when the tunnel connected to the gateway exists and there is a set of information capable of performing control flow distribution processing in the gateway, a network access request to the gateway; and perform, when the set of information does not exist in the gateway, a network access request to the external server. According to the present invention, stable network access control can be possible.

Description

CONTROL DATA PACKET PROCESSING SYSTEM OPTIMIZED FOR DISTRIBUTED GATEWAY ENVIRONMENT AND METHOD THEREFOR

Embodiments disclosed in this document relate to a control data packet processing system optimized for a distributed gateway environment and a method therefor.

Tunneling-based connectivity control technology and the like have a structure in which a terminal must connect with at least one gateway to configure a dedicated data packet flow for accessing a destination network.

When accessing a remote cloud or network using this structure in a national, regional, and physically segmented network and work environment, it may be necessary to maintain a connection with a gateway existing at the boundary of the final destination network.

For example, when a branch in South Africa connects to a gateway located at the boundary of the network or the cloud of the head office in Korea, communication is performed through numerous borders and routers between countries on the communication path. Since encrypted data packets are transmitted, communication performance is greatly degraded.

To solve this problem, telecommunication companies are providing cross-border leased line services using technologies such as SD-WAN and MPLS, but their utility value may be reduced due to high introduction and maintenance costs.

In addition, web acceleration technology that preferentially provides cached information through a distributed cache server that exists on the communication path for some content or files received during communication is also used, but when sending and receiving real-time data that cannot be cached and encrypted data packets In the case of processing the cache server, there is a problem that these technologies cannot be utilized because the required information cannot be verified.

In the case of IPSec tunneling, encryption and encapsulation are performed at the operating system level, so to solve this problem at the application level, the gateway and the terminal located in the distributed network closest to the region where the access terminal is located are connected, and the corresponding gateway connected to the terminal is a distributed network. Utilizing the dedicated network and router or dedicated line provided by By using the tunnel routing technology that connects with the service resources connected to the existing gateway, it is possible to provide a technology to quickly access the destination network from anywhere in the world by utilizing the infrastructure provided by telecommunication companies and cloud companies.

However, unlike the existing communication method that does not perform special access control after the tunnel is established between the terminal and the gateway, it uses a data flow-based connectivity control technology that uses a controller to perform access control at the application level of the terminal. In this case, it is necessary to query the controller whenever an application connection request is made.

In general, the controller exists in the head office network or a distributed network located near the head office for integrated management of unified policies and sessions and resource protection due to its characteristics. At the same time as this occurs, these control data packets arrive at the controller through a general routing path rather than through an edge gateway, so that the processing between the terminal and the controller is inevitably delayed.

Furthermore, there may be a problem in that the controller has to transmit the data flow information generated according to the access request of the terminal to the neighboring gateway as well.

When a user runs an application and tries to access any network, this delay problem causes a problem of waiting for several seconds for a data flow access control request, which may adversely affect the user experience.

In particular, when the controller is deployed in all edge distributed networks, there is a synchronization problem between the controllers, and due to the nature of the distributed network infrastructure, when deploying the controller in each region, a lot of costs are incurred because it has to be placed like a gateway. A way to solve the problem is needed.

Various embodiments disclosed in this document minimize the connection with the controller by performing a data flow access control function that needs to be processed by the controller in the edge gateway existing in the distributed network, and when the edge gateway and the terminal are connected, the edge gateway and the controller are connected The above problem can be solved by providing a method for establishing a minimized routing path based on a distributed network infrastructure to ensure optimized performance between gateways.

A node according to an embodiment disclosed in this document includes: a communication circuit; a processor operatively coupled to the communication circuitry; and a memory operatively coupled to the processor and storing a connection control application, wherein the memory, when executed by the processor, causes the node, via the connection control application, to detect a network connection event to a destination network. Detect, through the access control application, check whether a data flow corresponding to the destination network and authorized from an external server and a tunnel between the node and the gateway exist, wherein the node has a tunnel connected with the gateway and the gateway When there is a set of information for performing control flow distribution processing in You can store instructions that allow you to fulfill a request.

According to an embodiment, the instructions cause the node to detect a control flow update event through the access control application, request a control flow update from the gateway, receive a first response to the control flow update request, The first response may include updated control flow information.

According to an embodiment, the commands may cause the node to request the control flow update from the external server after a tunnel connected to the gateway is terminated until a new gateway is designated.

According to an embodiment, the instructions may cause the node to receive a second user input requesting release of the network connection, and in response to the second user input, request the gateway to release the network connection.

According to one embodiment, the commands may cause the node to request the external server to release the network connection until a new gateway is designated after the tunnel connected to the gateway is terminated.

According to one embodiment, a gateway comprises: communication circuitry; a memory for storing the database; and a processor operatively connected to the communication circuit and the memory, wherein the processor receives a request for control flow processing from a connection control application of a node, and receives a request for control flow processing from the connection control application , check the control flow information requested by the node to confirm whether it is a valid control flow processing request, return a processing result for the request to the terminal if it is a request that can be processed by the gateway, and if the request cannot be processed by the gateway, It is possible to store commands for requesting the request to an external server, receiving the requested result from the external server, and returning a result for the request to the node.

According to an embodiment, the instructions include, when the gateway receives a control flow update request from the access control application, and the gateway can process the control flow update, a first response to the control flow update request send to the terminal, and when the gateway cannot process the control flow update, request the request to an external server, receive the requested result from the external server, and return the result for the request to the node; The first response may include updated control flow information.

According to an embodiment, the instructions cause the gateway to receive a request for release of a network connection from the access control application, and in response to the request for release of the network connection, remove a control flow and a tunnel, and at the gateway When the request for release of the network connection cannot be processed, the request may be made to an external server.

A gateway according to an embodiment disclosed in this document includes: a communication circuit; a memory for storing the database; and a processor operatively connected to the communication circuit and the memory, wherein the processor receives a request for control flow processing from a connection control application of a node, and receives a request for control flow processing from the connection control application , check the control flow information requested by the node to determine whether it is a valid control flow processing request, and if the control flow processing request is a request that can be processed by the gateway, returns a processing result for the request to the terminal, and processes the control flow When the request is a request that cannot be processed by the gateway, commands for requesting the request to an external server, receiving the requested result from the external server, and returning a result for the request to the node may be stored.

According to an embodiment, the instructions include, when the gateway receives a control flow update request from the access control application, and the gateway can process the control flow update, a first response to the control flow update request is the send to the terminal, and when the gateway cannot process the control flow update, request the request to an external server, receive the requested result from the external server, and return the result for the request to the node, and The first response may include updated control flow information.

According to one embodiment, the instructions cause the gateway to receive a request for release of a network connection from the access control application, and in response to the request for release of the network connection, remove a control flow and a tunnel, and at the gateway When the request for release of the network connection cannot be processed, the request may be made to an external server.

A method of operating a network access control system according to an embodiment disclosed in this document includes the steps of: detecting a network access event to a destination network through an access control application of a node; checking, through the access control application, whether a data flow corresponding to the destination network and authorized from an external server and a tunnel between the node and the gateway exist; When there is a tunnel connected between the node and the gateway and there is a set of information for performing control flow distribution processing in the gateway, the node performing a network access request to the gateway - the set of information includes the IP address and port information of the gateway for control flow processing, whether the control flow is distributed processing, and a list of commands that can be processed by the gateway; and when the set of information does not exist in the gateway, allowing the node to perform a network access request to the external server.

According to an embodiment, detecting a control flow update event through the access control application; and requesting, in the node, a control flow update from the gateway. The method may further include sending, by the gateway, a first response to the control flow update request to the node, wherein the first response includes updated control flow information.

According to an embodiment, after the tunnel connected to the node and the gateway is terminated, the method may further include requesting the external server to update the control flow until a new gateway for the node is designated.

According to an embodiment, receiving a second user input requesting release of the network connection at the node; and requesting, at the node, to release the network connection from the gateway in response to the second user input.

According to one embodiment, after the tunnel connected between the node and the gateway is terminated, the request for release of the network connection until a new gateway is designated may further include the step of requesting the external server.

A method of operating a network access control system according to an embodiment disclosed in this document, the method comprising: receiving, in a gateway, a request for control flow processing from an access control application of a node; when the gateway receives a request for control flow processing from the access control application, checking the control flow information requested by the node to determine whether it is a valid control flow processing request; returning a processing result for the request to the terminal when the control flow processing request is a request that can be processed by the gateway; when the control flow processing request is a request that cannot be processed by the gateway, requesting the request to an external server; and receiving a result requested from the external server and returning a result for the request to the node.

According to the embodiments disclosed in this document, by distributing commands that can be processed by the edge gateway, the controller only needs to process core commands among numerous commands not listed in the table above, so efficient load balancing processing is possible, and as above, temporarily Stable network access control may be possible even in the case of an explosion in control requests

Furthermore, according to the embodiments disclosed in this document, the edge gateway is expanded in proportion to the data packet throughput, and has the advantage of securing idle processing capacity at all times, and has the advantage of rapidly expanding resources compared to the controller, so it is cost-effective It may be possible to configure infrastructure and secure processing capacity.

In particular, according to the embodiments disclosed in this document, all network access requests of terminals distributed in various regions are not processed by a controller aggregated in a specific cloud or network, but network access is controlled through an edge gateway located nearby , which can significantly improve performance for network latency not listed in the table above.

According to the embodiments disclosed in this document, when a large-scale global network is provided, it is possible to provide a tunnel and data flow-based network access control service and infrastructure with improved stability and performance in a cost-effective manner.

In addition, various effects directly or indirectly identified through this document may be provided.

1 shows an environment including a plurality of networks.
FIG. 2 shows an environment including a plurality of networks in FIG. 1 .
2 illustrates an architecture within a network environment in accordance with various embodiments.
3 is a functional block diagram illustrating a database stored in a controller according to various embodiments of the present disclosure;
4 illustrates a functional block diagram of a node in accordance with various embodiments.
5 may explain an operation of blocking a network connection according to various embodiments of the present disclosure.
6 illustrates a signal flow diagram for controller connection according to various embodiments.
7 illustrates a user interface screen for accessing a controller according to various embodiments of the present disclosure.
8 illustrates a signal flow diagram for user authentication according to various embodiments of the present disclosure.
9 shows a signal flow diagram for processing a network connection.
10 shows a flowchart for forwarding a data packet in accordance with various embodiments.
11 is a flowchart for control flow processing according to various embodiments of the present disclosure;
12 is a flowchart illustrating a signal flow for updating a control flow according to various embodiments of the present disclosure;
13 is a diagram illustrating a signal flow for releasing a network connection according to various embodiments of the present disclosure;
14 illustrates a user interface screen for releasing a network connection according to various embodiments of the present disclosure.

Hereinafter, various embodiments of the present invention will be described with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, and it should be understood that various modifications, equivalents, and/or alternatives of the embodiments of the present invention are included.

In this document, the singular form of a noun corresponding to an item may include one or a plurality of items unless the context clearly dictates otherwise. As used herein, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C" and "A; Each of the phrases such as "at least one of B, or C" may include any one of, or all possible combinations of, items listed together in the corresponding one of the phrases. Terms such as "first", "second", or "first" or "second" may be used simply to distinguish the element from other elements in question, and may refer to elements in other aspects (e.g., importance or order) is not limited. It is said that one (eg, first) component is "coupled" or "connected" to another (eg, second) component, with or without the terms "functionally" or "communicatively". Where referenced, it may mean that one component can be connected to the other component directly (eg, by wire), wirelessly, or through a third component.

Each component (eg, a module or a program) of components described in this document may include a singular or a plurality of entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg, a module or a program) may be integrated into one component. In this case, the integrated component may perform one or more functions of each component of the plurality of components identically or similarly to those performed by the corresponding component among the plurality of components prior to the integration. . According to various embodiments, operations performed by a module, program, or other component are executed sequentially, in parallel, repeatedly, or heuristically, or one or more of the operations are executed in a different order, or omitted. or one or more other operations may be added.

As used herein, the term “module” may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as, for example, logic, logic block, component, or circuit. A module may be an integrally formed part or a minimum unit or a part of the part that performs one or more functions. For example, according to an embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of the present document may be implemented as software (eg, a program or an application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine. For example, the processor of the device may call at least one of the one or more instructions stored from the storage medium and execute it. This may enable the device to be operated to perform at least one function according to the called at least one command. The one or more instructions may include code generated by a compiler or code executable by an interpreter. The device-readable storage medium may be provided in the form of a non-transitory storage medium. Here, 'non-transitory' only means that the storage medium is a tangible device and does not include a signal (eg, electromagnetic wave), and this term is used in cases where data is semi-permanently stored in the storage medium and It does not distinguish between temporary storage cases.

Methods according to various embodiments disclosed in this document may be provided by being included in a computer program product. Computer program products may be traded between sellers and buyers as commodities. The computer program product is distributed in the form of a machine-readable storage medium (eg compact disc read only memory (CD-ROM)), or via an application store or between two user devices (eg smartphones). It can be distributed directly or online (eg, downloaded or uploaded). In the case of online distribution, at least a portion of the computer program product may be temporarily stored or temporarily created in a machine-readable storage medium such as a memory of a server of a manufacturer, a server of an application store, or a relay server.

1 shows an environment including a plurality of networks.

Referring to FIG. 1 , the first network 10 and the second network 20 may be different networks. For example, the first network 10 may be a public network such as the Internet, and the second network 20 may be a private network such as an intranet or VPN.

The first network 10 may include a source node 101 . 1 and the embodiments described below, the 'source node' may be various types of devices capable of performing data communication. For example, the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a virtual reality (VR) device. , or a home appliance, and is not limited to the above-described devices. For example, the source node 101 may include a server or gateway capable of sending data packets through an application. The source node 101 may also be referred to as an 'electronic device' or a 'terminal'. On the other hand, the destination node 102 may include the same and similar device as the above-described origin node 101 .

The source node 101 may attempt to access the second network 20 and transmit data to the destination node 102 included in the second network 20 . The source node 101 may transmit data to the destination node 102 through the gateway 103 and the tunnel 105 .

When the access of the source node 101 to the first network 10 is approved, the source node 101 can communicate with all servers included in the first network 10, so that the source node 101 is malicious. ) can be exposed from program attack. For example, the source node 101 is a trusted and/or secure application, such as an Internet web browser 110a, business application 110b, as well as malicious code 110c, infected (infected) ) may receive data from an untrusted or unsecured application, such as business application 110d.

The source node 101 infected with the malicious program may attempt to access and/or transmit data to the second network 20 . When the second network 20 is formed based on IP such as VPN, it may be difficult for the second network 20 to individually monitor a plurality of devices included in the second network 20, and the application in the OSI layer It may be vulnerable to security at the layer or transport layer. In addition, if the source node 101 includes a malicious application after the tunnel has already been created, the data of the malicious application is transmitted to another electronic device (eg, the destination node 102 ) in the second network 20 . can

2 illustrates an architecture within a network environment in accordance with various embodiments.

Referring to FIG. 2 , the number of the node 201 , the gateway 203 , and the destination node 204 is not limited to the number illustrated in FIG. 2 . For example, the node 201 may transmit data to a plurality of destination nodes through a plurality of gateways, and the controller 202 may manage a plurality of source nodes, gateways, and destination nodes. Meanwhile, some terminals 201-4 may transmit data to the destination node through the edge gateway 202-4 without going through the core gateway 203-2. The terminals 201-1, 201-2, 201-3, and 201-4 may perform the same and similar functions as the source node 101 shown in FIG. 1, and the edge gateways 202-1, 202-2, 202-3 and 202-4) and the core gateway 203 may perform the same and similar functions as the gateway 103 shown in FIG. 1, and the destination node 204 is the destination node 102 shown in FIG. can perform similar functions as

The node 201 includes a Windows terminal 201-1 in region A, an Android terminal 201-2 in region A, a Windows terminal 201-3 in region B, and an iOS terminal 201 in region C. -4) may be included. Node 201 may include a connection control application and a network driver for all network access control for applications within node 201 . The node 201 checks whether a connection is possible from the controller when a network connection occurs, and sends a data packet to the gateway 203 existing at the boundary of the connection target network through the data flow information generated by the controller 202 only when connection is possible. can be transmitted Tunnel and data flow-based connectivity control technology provides a structure in which communication is possible only when a tunnel 210 and a data flow authorized by the controller 202 exist for the node 201 to access the target network, and the tunnel and when the data flow does not exist, the node 201 may provide a structure in which communication cannot be performed.

According to various embodiments, the node 201 may include a connection control application (not shown) and a network driver (not shown) for managing network connections of applications stored in the node 201 . For example, the access control application may control transmission of data packets through a network driver and a kernel including an operating system in the node 201 .

The controller 202 may be, for example, a server (or cloud server). The controller 202 can ensure reliable data transmission within the network environment by managing data transmission between the node 201 , the gateway 203 , and the destination node 204 . The controller 202 controls the network access of the node 201, checks whether the tunnel 210 is created between the gateway 203 and the gateway 203, and responds to the security event received from each node 201 and the gateway 203. It is possible to maintain a secure network state at all times, such as removing the generated data flow and isolating the terminal through a blacklist. For example, the controller 202 manages the connection of the node 201 to the destination node 204 through policy information or blacklist information, or an authorized tunnel 210 between the node 201 and the gateway 203 . ) may be created, or the tunnel 210 may be removed according to a security event collected from the node 201 or the gateway 203 . The node 201 can communicate with the destination node 204 only through the tunnel 210 authorized by the controller 202, and if the authorized tunnel 210 does not exist, the terminal 2014 returns to the destination node 204. access may be blocked. According to one embodiment, the controller 202 transmits and receives control data packets with the node 201 to perform various operations (eg, registration, authorization, authentication, update, termination) associated with the network connection of the node 201 . can In addition, the controller 202 transmits/receives control data packets to and from the destination node 204 to perform various operations (eg, registration, approval, authentication, update, termination) associated with network access and network reception of the destination node 204 . can do. Flows through which control data packets are transmitted (eg, 220 and 240 ) may be referred to as control flows. Meanwhile, the controller 202 may include a server or an external server.

The gateway 203 checks 5 tuples information among the data packets received through the authorized tunnel 210 among the received data packets. If there is data flow information corresponding to the source IP, destination IP, and destination port information, the destination node You can forward to (204). The gateway 203 may include an edge gateway 203 - 1 and a core gateway 203 - 2 . The gateway 203 may include an edge gateway 203 - 1 and a core gateway 203 - 2 . The number of edge gateways 203 - 1 and core gateways 203 - 2 is not limited to the number shown in FIG. 2 .

The edge gateway 203-1 provides the type of terminal to be supported for each region and coverage, the average distance, the number and processing capacity of terminals to be processed, the tunneling type and load distribution according to the network situation, and the network connection type (wireless network, WIFI, Wired network, etc.), may be deployed in a distributed network in consideration of factors for high availability.

Each edge gateway 203-1 is directly connected to the destination node 204 according to a distributed network environment, or through a core gateway 203-2 existing at the boundary of the destination node 204, the terminal and the destination node 204. By providing a way to connect the node 201 through an efficient routing path on a distributed network and a dedicated network between the edge gateway 203-1 and the core gateway 203-2 or the destination node 204, the network and regional boundaries It is possible to solve the problem of network performance degradation that may occur according to various situations such as

The node 201 controlled by the controller 202 creates a control flow (a kind of session and control data packet flow) with the controller 202 and controls it in a centralized manner such as node 201 and user authentication, network connection request, etc. In the control flow path, the node 201 and the controller 202 communicate directly without going through the edge gateway 203-1 (220-1) or communicate through the edge gateway 203-1. It can be (220-2, 220-3).

The node 201 performs one or more tunneling 210 with the edge gateway 203 - 1 optimized according to the environment such as region and network, and actual network access control (data packet control) is performed between the node 201 and the edge gateway Since it is performed between 203-1, the edge gateway 203-1 may instead perform processing for specific requests, tasks, and commands that need to be frequently queried and requested from the controller 202.

That is, the edge gateway 203-1 has a function to replace some requests (eg, control flow update, network access control, tunnel update, etc.) that occur frequently between the controller 202 and the node 201, The node 201 sends some requests that occur frequently through the connection with the optimized edge gateway 203-1 to the edge gateway 203-1 located at the shortest distance rather than the controller 202 located at the farthest position on the communication path. ) through which you can request and process quickly.

3 is a functional block diagram illustrating a database stored in a controller (eg, controller 202 of FIG. 2 ) in accordance with various embodiments. 3 shows only the memory 330 , the controller is an external electronic device (eg, terminals 201-1, 201-2, 201-3, 201-4 in FIG. 2 ), gateway 203 or destination node 204 . )) and a communication circuit for performing communication (eg, the communication circuit 430 of FIG. 4 ) and a processor (eg, the processor 410 of FIG. 4 ) for controlling the overall operation of the controller may be further included.

Referring to FIG. 3 , the controller may store databases 311 to 317 for controlling network access and data transmission in the memory 330 .

The access policy database 311 may include information on networks and/or services to which the identified network, terminal, destination node, user, or application can access. For example, when a connection to the destination node 204 is requested from the node 201, the controller 202 identifies a network (eg, a network to which the terminal belongs) based on the access policy database 311, the node ( 201 ), a user (eg, a user of node 201 ), and/or an application (eg, an application included in node 201 ) may determine whether the destination node 204 is reachable. In an embodiment, the access policy database 311 may include data packet inspection information.

The tunnel policy database 312 stores the type of tunnel to be connected to the gateway existing at the boundary between the terminal and the network on the connection path, encryption method, and encryption level information, the location of the terminal, network type information, the status of the gateway, etc. It may include gateway information that can be accessed preferentially according to various environmental factors. For example, when a connection to the destination node 204 is requested from the node 201 , the controller 202 determines an optimal tunnel for accessing the destination node 204 based on the tunnel policy database 312 and the related information may be provided to the terminal.

The blacklist policy database 313 may include a policy for permanently or temporarily blocking access of a specific node (eg, node 201 or destination node 204 ). The policy of the blacklist policy database 313 is identified through risk level, occurrence period, and/or behavior analysis of security events among security events periodically collected from node 201 , destination node 204 or gateway 203 . information (eg, at least one of a terminal identifier (ID), an IP address, a media access control (MAC) address, or a user ID) may be generated.

The blacklist database 314 may include a list of at least one of a terminal, a destination node, an IP address, a MAC address, and a user blocked by the blacklist policy database 313 . For example, if the identification information of the node 201 requesting access to the destination node 204 is included in the blacklist database 314, the controller 202 isolates the terminal from the destination node by rejecting the access request of the terminal. can do it

The control flow table 315 is a session for managing the flow (eg, control flow) of control data packets generated between a node (eg, node 201 or destination node 204 ) and the controller 202 . This is an example of a table. When the node 201 successfully connects to the controller 202 , control flow information and identification information for control flow identification may be generated by the controller 202 . The control flow information may include at least one of identification information of the control flow, an IP address each identified when accessing and authenticating a controller, a node ID (terminal ID), and a user ID. For example, when access to the destination node is requested from the terminal, the controller 202 searches for control flow information through the control flow identification information received from the node 201, and an IP address included in the retrieved control flow information; By mapping at least one of the terminal ID and the user ID to the access policy database 311, it is possible to determine whether the terminal can access and whether to generate a data flow.

According to one embodiment, the control flow may have an expiration time. The node (eg, the node 201 or the destination node 204 ) must update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed. In addition, when it is determined that immediate access blocking is necessary according to a security event collected from the terminal or gateway, or in response to the terminal's request to terminate the access, the controller 201 may remove the control flow. When the control flow is removed, all of the previously generated data flows are recovered, so that all connections of the terminal may be blocked.

The tunnel table 316 is for managing the tunnel connected between the terminal and the gateway and the gateway and the gateway (eg, the edge gateways 202-1, 202-2, 202-3, 202-4 and the core gateway 203). It is a table. The tunnel may be created, for example, in units of devices or IPs. For example, the tunnel table 316 is a table for managing a tunnel connected between the node 201 and the gateway 203 and the gateway 203-1 and the gateway 203-2. When a valid tunnel exists , tunnel table 316 includes tunnel identification information (tunnel ID) for managing and identifying a tunnel, control flow identification information for control between the gateway 203 and the controller 202 (control flow ID), and a tunnel endpoint ( tunnel end point (TEP), tunnel start point (TSP), tunnel algorithm, tunnel type, and/or additional information for managing the tunnel may be included.

The data flow table 317 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between a terminal and a gateway, and a TCP session within a tunnel created in units of terminals or IPs, application of a source terminal , or you can manage data flow in more granular units. The data flow table 317 includes data flow identification information, dependent control flow identification information when a data flow is dependent on a control flow, an application ID for identifying whether the data packet transmitted from the terminal is an authorized data packet, a source IP address, destination IP address, and/or service port. Also, the data flow table 317 may include identification information of a tunnel through which the data flow is to be used. Also, the data flow table 317 may include a header (or header information) for determining whether a data packet is valid. In addition, the data flow table 317 may further include whether a data flow header, which is authentication information, is inserted into the data packet, an insertion method of the header, whether or not authentication of the data flow is required, an authentication state, and/or an authentication expiration time. . Also, the data flow table 317 may include terminal information (eg, source IP) of the destination node, service port information, and receivable application information. In one embodiment, the data flow table 317 may include data packet inspection information. For example, the data packet inspection information may indicate whether data packet inspection is required and may include a rule database. Here, the rule database includes a data packet inspection method (eg, single data packet inspection, multiple data packet inspection), a pattern to be applied when inspecting a data packet, a location to be applied when inspecting a data packet, and a processing method after inspection (eg, blocking data packets, data packet replacement and data packet copying).

Also, the data flow table structure included in the controller 202 may be equally applied to the node 201 and the gateway 203 .

4 illustrates a functional block diagram of a node (eg, node 201 and destination node 204 in FIG. 2 ) in accordance with various embodiments.

Referring to FIG. 4 , a node may include a processor 410 , a memory 420 , and a communication circuit 430 . According to an embodiment, the node may further include a display 440 to interface with the user.

The processor 410 may control the overall operation of the node. In various embodiments, the processor 410 may include one processor core or a plurality of processor cores. For example, the processor 410 may include a multi-core such as a dual-core, a quad-core, or a hexa-core. According to embodiments, the processor 410 may further include a cache memory located internally or externally. According to embodiments, the processor 410 may be configured with one or more processors. For example, the processor 410 may include at least one of an application processor, a communication processor, and a graphical processing unit (GPU).

All or part of the processor 410 is electrically or operatively coupled to other components within the node (eg, memory 420 , communication circuitry 430 , or display 440 ). It can be coupled with or connected to. The processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands. The processor 410 may interpret and process a message, data, command, or signal received from the memory 420 , the communication circuit 430 , or the display 440 . The processor 410 may generate a new message, data, instruction, or signal based on the received message, data, instruction, or signal. The processor 410 may provide the processed or generated message, data, instruction, or signal to the memory 420 , the communication circuitry 430 , or the display 440 .

The processor 410 may process data or signals generated or generated in a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may write (or store) or update instructions, data, or signals to the memory 420 to execute or control a program.

The memory 420 may store a command for controlling a node, a control command code, control data, or user data. For example, the memory 420 may include at least one of an application program, an operating system (OS) (eg, Microsoft Windows, Google Android, Apple iOS, MacOS, etc.), middleware, or a device driver. may contain one.

The memory 420 may include one or more of volatile memory and non-volatile memory. Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM). may include The nonvolatile memory may include a read only memory (ROM), a programmable ROM (PROM), an electrically programmable ROM (EPROM), an electrically erasable programmable ROM (EEPROM), a flash memory, and the like. The memory 420 includes a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), and a universal flash storage (UFS). may include more.

According to an embodiment, the memory 420 may store some of information included in the memory of the controller (eg, the memory 330 of FIG. 3 ). For example, the memory 420 may store the tunnel table 316 and the data flow table 317 described in FIG. 3 .

The communication circuit 430 may support establishment of a wired or wireless communication connection between a node and an external electronic device (eg, the controller 202 or the gateway 203 of FIG. 2 ) and performing communication through the established connection. According to one embodiment, communication circuitry 430 may include wireless communication circuitry (eg, cellular communication circuitry, near field communication circuitry, or global navigation satellite system (GNSS) communication circuitry) or wired communication circuitry (eg, local area network (LAN) circuitry). ) communication circuit, or power line communication circuit), and using the corresponding communication circuit among them, a short-distance communication network such as Bluetooth, WiFi direct or IrDA (infrared data association) or a cellular network, Internet, or long-distance communication such as a computer network It can communicate with an external electronic device through a network. The above-described various types of communication circuits 430 may be implemented as a single chip or as separate chips.

The display 440 may visually output content, data, or a signal. In various embodiments, the display 440 may display image data processed by the processor 410 . According to embodiments, the display 440 may be configured as an integrated touch screen by being coupled with a plurality of touch sensors (not shown) capable of receiving a touch input or the like. When the display 440 is configured as a touch screen, a plurality of touch sensors may be disposed above the display 440 or below the display 440 .

Meanwhile, the server (eg, the controller 202 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 . The processor 410 , the memory 420 , and the communication circuit 430 included in the server may be substantially the same as the above-described processor 410 , the memory 420 , and the communication circuit 430 .

5 may explain an operation of blocking a network connection according to various embodiments of the present disclosure.

According to an embodiment, the data packet of the network access application is blocked at the kernel stage of the network driver and the operating system, so that no data packet except for the access control application 211 may be transmitted to the network (connection is blocked in the access control application) ).

According to an embodiment, in the case of an unmanaged terminal in which the access control application 211 is not installed among the nodes 201 existing in the network, the network access application may transmit an unauthorized data packet to the network, but at the network boundary. Since the existing gateway (eg, the edge gateway 203-1) blocks all data packets for which the authorized tunnel and data flow do not exist, the data packet of the node 201, in particular, the data packet for TCP Session creation is blocked. It can be (blocking access at the gateway due to non-existence of the tunnel).

As such, when the connection in the access control application 211 is blocked or when the connection is blocked at the gateway due to the non-existence of the tunnel, the node 201 cannot reach the target network (eg, the destination node 204). , that is, it can be in an isolated state.

6 to 7 may explain an operation for connecting a controller according to various embodiments of the present disclosure. 6 shows a signal flow diagram for controller connection, and FIG. 7 shows a user interface screen for controller connection.

Since the node 201 needs to be authorized by the controller 202 to access or receive the network, the access control application 211 of the node 201 sends the controller 202 a control flow (control data packet flow and serial Session of the node 201 can be attempted to access the controller by requesting creation of the Also, the access control application 211 may include the access control application 211 in FIG. 2 .

Referring to FIG. 6 , in operation 605 , the node 201 may detect a controller access event. For example, the node 201 may detect that the access control application 211 is installed and executed in the node 201 , and that access to the controller 202 is requested through the access control application 211 .

For example, referring to FIG. 7 , when the access control application 211 is executed, the node 201 may display a user interface screen 710 for receiving information necessary for accessing the controller. The user interface screen 710 includes an input window 711 for inputting an IP or domain of the controller 202, an input window 712 for inputting a user ID, an input window 713 for inputting a password, and / Alternatively, it may include an input window 714 for inputting a connection location. After information on the input windows 711 to 714 is input, the node 201 may detect a controller access event by receiving a button 715 for an authenticated user's controller access. For another example, if user authentication of the node 201 is not yet completed, the node 201 detects a controller access event by receiving a button 716 for controller access of an unauthorized user (ie, a guest). can do.

In operation 610 , the node 201 may request a controller connection from the controller 202 in response to detecting the controller connection event. The node 201 may request a controller connection through the access control application 211 . According to one embodiment, the access control application 211 is the identification information (eg, terminal ID, IP address, MAC address) of the node 201, the type of the node 201, location information, environment, the node 201 Identification information of the included network, and/or identification information of the access control application 211 , and basic area information selected by the user may be transmitted to the controller 202 .

In operation 615 , the controller 202 may identify whether the node 201 is reachable in response to the received request. According to an embodiment, the controller 202 may check whether the node 201 is accessible based on a database included in the memory of the controller 202 (eg, the memory 330 of FIG. 3 ). The controller 202 determines whether the information received from the access control application 211 is included in the access policy database, and identification information of the node 201 and/or the network to which the node 201 belongs is included in the blacklist database. It can be checked whether the node 201 is accessible or not based on whether or not. For example, the controller 202 accesses information requested by the access control application 211 (type of the terminal, location information, environment and network including the terminal, access control application information, basic area information selected by the user, etc.) It is possible to check whether the access of the node 201 is possible based on whether the state is accessible by the policy and/or whether the terminal and network identification information (terminal ID, IP, MAC address, etc.) is included in the blacklist database. have.

If node 201 is reachable, in operation 620 , controller 202 may create a control flow between node 201 and controller 202 . In this case, the controller 202 generates control flow identification information in the form of a random number, and uses the node 201 and/or identification information of the network to which the node 201 belongs (eg, terminal ID, IP address, MAC address, etc.) It can be stored in the control flow table. Information stored in the control flow table (eg, control flow identification information and/or control flow information) may include: user authentication of the node 201 , updating information of the node 201 , checking a policy for network access of the node 201 , and / or can be used for validation.

If the node 201 is unreachable or included in the blacklist, the controller 202 does not generate a control flow in operation 615 and transmits a response indicating that the node 201 is unable to connect to the controller to the node 201 . can If the terminal is in an unreachable state, the access control application may display an access unavailable message and reason on the screen.

In operation 625, in the access policy and tunnel policy matched with the identified information (terminal, source network information, etc.), the controller 202 determines a destination network (destination node) information that the currently connected node 201 can basically connect to. can be checked to see if it exists.

In operation 625, if access is possible, information such as the type of terminal included in the control flow, location information, environment, and the network including the terminal and the controller 202 in order for the node 201 to access the destination network List the tunneling types and gateways that the terminal can connect to through the IP address of the terminal identified through the terminal and the IP address of the terminal identified from the terminal, and check the status (throughput, failure) of the listed gateways. It is possible to identify one tunnel and one gateway optimized for the corresponding terminal from among the gateways. The gateway 203 may be an edge gateway 203 - 1 .

In operation 630, in order to provide and identify the optimized gateway, the order of the gateways that exist closest to the node 201 is arranged according to the region in which the node 201 is located, and when the node 201 is Windows, the most stable according to the tunnel policy The order of providing tunneling optimized for the terminal in the order of the gateway 203 capable of creating an accessible IPSec tunnel, and the gateway 203 capable of creating an SSL/TLS tunnel optimized for Android when the node 201 is Android sort, exclude from the list when the corresponding gateway 203 is in trouble, and sort the order according to the remaining amount of capacity that the corresponding gateway 203 can handle (eg, the number of tunnel connections or processor usage, network bandwidth, etc.) can do.

When the node 201 is connected to WIFI and there is a dedicated gateway 203 for processing WIFI network traffic, there is a dedicated gateway 203 connected to a carrier through a mobile network (3G, LTE, 5G, etc.) , and when the node 201 is connected by wire, the network is a dedicated network configured in the form of an intranet for the terminal, and there is a dedicated gateway for data packet control at the boundary of the dedicated network, etc., the terminal has priority You can sort the order according to the gateways that can be connected to.

Other sorting criteria may be added or changed in consideration of billing systems and variables, such as cost per section for processing data traffic on a distributed network.

The controller 202 may complexly calculate the corresponding sorting criteria, sort the gateways that can be provided to the corresponding node 201 in order, and process so that the gateways can be selected by rank.

If a tunnel and gateway 203 connectable to the node 201 exist, the controller 202 transmits to the gateway authentication and a series of information enabling the terminal to create a tunnel to the terminal, and the corresponding tunnel creation information may be registered in the tunnel table 316 , and the corresponding tunnel creation information may be transmitted to the gateway 203 .

In addition, when the corresponding gateway 203 can perform the control flow related processing of the node 201, the corresponding node 201 requests a control flow related processing to the corresponding gateway (gateway for control flow processing) transmits IP and port information and control flow distributed processing, a list of commands that can be processed by the corresponding gateway, etc.), and the controller 202 sends a series of information (corresponding terminal) for control flow related processing control flow information, etc.) can be transmitted.

If there is a gateway with the next highest priority among the listed gateways, when the connection fails, information on whether the next priority gateway can be accessed is returned, and when the terminal cannot access the corresponding gateway, authentication to request access to the next highest priority gateway You can make a request for information to the controller.

If there are tunnels and gateways accessible to the node 201, but tunnel access is not possible due to a high throughput or a failure, information for retrying the tunnel connection may be returned to the terminal.

In operation 635 , if a tunnel and a gateway accessible to the node 201 exist, the controller 202 transmits to the gateway 203 authentication and a series of information for the terminal to create a tunnel to the node 201 . and registers the corresponding tunnel creation information in the tunnel table 316 , and transmits the corresponding tunnel creation information to the gateway 203 . In operation 640 , the gateway 203 (edge gateway 203 - 1 ) may receive a tunnel creation request from the controller 202 .

In addition, when the corresponding gateway 203 can perform the control flow related processing of the node 201 , the corresponding node 201 requests a control flow related processing to the corresponding gateway 203 (control flow) IP address and port information of the gateway for processing, whether the control flow is distributed processing, a list of commands that can be processed by the gateway, etc.) of information (such as control flow information for the corresponding terminal) may be transmitted.

If there is a gateway with the next highest priority among the listed gateways, when the connection fails, information on whether the next priority gateway can be accessed is returned, and when the terminal cannot access the corresponding gateway, authentication to request access to the next highest priority gateway Information can be requested from the controller.

If there are tunnels and gateways accessible to the node 201, but tunnel access is not possible due to a high throughput or a failure, information for retrying the tunnel connection may be returned to the terminal.

In operation 645 , the node 201 may process the connection request result value received from the controller 202 . If the connection is not possible, the execution of the access control application may be stopped and terminated, or a related error message may be displayed. According to an embodiment, upon receiving a response indicating that the connection to the node 201 is impossible, the node 201 may output a user interface screen indicating that the gateway connection is impossible to the user. For example, referring to FIG. 7 , the node 201 may display the user interface screen 720 through the access control application 211 . The user interface screen 720 indicates that there is no accessible gateway at the corresponding location of the node 201 in FIG. 7B (717), and indicates that an access attempt is made after 30 seconds in FIG. 7C (718), It may include a user interface 725 indicating (719) that the connection to the gateway has been terminated and an attempt is made to access another gateway.

In operation 650 , when tunnel creation is required, the node 201 may make a tunnel creation request to the gateway 203 . In operation 635 , when the tunnel 210 and the gateway 203 accessible to the node 201 exist, the node 201 may create the tunnel 210 in the gateway 203 received from the controller 202 . Using the existing authentication and a set of information, a tunnel creation request can be made, and in operation 640 , the gateway 203 (edge gateway 203-1) uses the corresponding tunnel creation received from the controller 202 to transmit the node 201 ), the requested tunnel can be created.

After the tunneling 210 with the default gateway 203 is completed, the node 201 sends all commands related to the control flow communicating with the controller 202 (eg, network access control request, control flow update, etc.) to the default gateway 203 . ) or only some commands (eg, control flow termination, etc.) to the default gateway 203 and other commands to the controller 202 may be processed.

In addition, the node 201 processes all commands in the controller 202 until the default gateway 203 is designated after tunneling with the default gateway 203 is terminated, so that the terminal can always be controlled by the controller 202 environment can be provided.

8 illustrates a signal flow diagram for user authentication according to various embodiments of the present disclosure.

In order for the node 201 to be granted detailed access to the destination network, the access control application 211 of the node 201 (eg, the access control application 211 in FIG. 2 ) is transmitted from the controller 202 to the node 201 ) of the user can be authenticated. The access control application 211 may perform user authentication in order to be granted detailed access rights to the network, and may transmit user ID and password or authentication information by a reinforced authentication method.

Referring to FIG. 8 , in operation 805 , the source node 201 may receive an input for user authentication. The input for user authentication may be, for example, a user input inputting a user ID and password. As another example, the input for user authentication may be a user input (eg, biometric information, fingerprint, iris, etc.) for more enhanced authentication.

In operation 810 , the source node 201 may request user authentication from the controller 202 . For example, the access control application 211 may transmit input information for user authentication to the controller 202 . If the control flow between the source node 201 and the controller 202 has already been created, the access control application 211 may transmit input information for user authentication together with the control flow identification information.

In operation 815 , the controller 202 may authenticate the user based on the information received from the node 201 . For example, the controller 202 may include a user ID, password, and/or enhanced authentication information included in the received information, and a database (eg, the access policy database of FIG. 3 ) included in the memory of the controller 202 . Based on 311 or the blacklist database 314), it is possible to check whether the user is blocked by checking whether the user is an accessible user and whether the user is included in the blacklist.

In case of an accessible user, in operation 820, a control flow is searched for in the control flow table using the transmitted control flow identification information (control flow ID), and user identification information (user ID) is added to the searched control flow identification information. can be added For example, if the user is authenticated, the controller 202 may add the user's identification information (eg, user ID) to the control flow identification information, and the added user identification information may include the authenticated user's controller access or network connection. can be used for The controller 202 may return an authentication completion status and access policy information of the authenticated user as a result of user authentication.

In operation 825, the controller 202 determines whether there is destination network information that the currently connected terminal can basically connect to in the access and tunnel policy matched with the identified information (eg, terminal, source network information, user ID, etc.) can be checked

In operation 830, if access is possible, the type of terminal included in the control flow, location information, environment, and the network including the terminal in order for the node 201 to access the destination network (destination node 204) List the tunneling types and gateways 203 that the node 201 can connect to through information and the IP address of the terminal identified through the controller 202 and the IP address of the terminal identified in the terminal, and the gateways listed It is possible to identify one tunnel and one gateway optimized for the terminal from among the listed gateways by checking the status (throughput, failure or not).

According to an embodiment, in order to provide and identify an optimized gateway, the order of the nearest gateways is arranged according to the region where the terminal is located, and when the terminal is Windows, the most stable IPSec tunnel creation is possible according to the tunnel policy. If available gateways and devices are Android, the order to provide tunneling optimized for devices is arranged in the order of gateways that can create SSL/TLS tunnels optimized for Android, and if the corresponding gateway is in trouble, it is excluded from the list, The order of gateways may be arranged according to the remaining amount of capacity that can be processed (eg, the number of tunnel connections or processor usage, network bandwidth, etc.).

When the node 201 is connected to WIFI and there is a dedicated gateway for processing WIFI network traffic, if there is a dedicated gateway connected to the carrier through the mobile network (3G, LTE, 5G, etc.), the node 201 ) is connected by wire, the network is a dedicated network configured in the form of an intranet for the terminal, and there is a dedicated gateway for data packet control at the boundary of the dedicated network, etc. You can sort the order according to the gateway.

Other sorting criteria may be added or changed in consideration of billing systems and variables, such as cost per section for processing data traffic on a distributed network.

According to an embodiment, the controller 202 may complexly calculate the corresponding sorting criteria, sort the gateways 203 that can be provided to the corresponding terminal in order, and process so that the gateways 203 can be selected by rank. have.

According to an embodiment, when the tunnel 210 and the gateway 203 accessible to the terminal 209 exist, the controller 202 determines that the node 201 creates the tunnel 210 in the gateway 203 . Possible authentication and a series of information may be transmitted to the node 201 , the corresponding tunnel creation information may be registered in the tunnel table 316 , and the corresponding tunnel creation information may be transmitted to the gateway 203 .

In addition, if access to the corresponding gateway 203 fails, if there is a gateway in the second order among the listed gateways, information on whether access to the next priority gateway is possible is returned in case of access failure, so that the terminal cannot access the gateway In this case, it is possible to request authentication information for requesting access to the gateway of the next priority from the controller.

If there are tunnels and gateways accessible to the terminal, but tunnel access is not possible due to a high throughput or a failure, information for retrying the tunnel connection may be returned to the terminal.

According to another embodiment, the controller 202 may determine that user authentication is impossible. For example, when the user's identification information is included in the blacklist database, the controller 202 may determine that user authentication is impossible. In this case, in operation 820, the controller 202 transmits information indicating that user authentication is impossible to the source node 201, and in operation 825, the source node 201 displays a user interface screen indicating that user authentication has failed. It can be output through

9 may explain an operation of controlling a network connection according to various embodiments of the present disclosure. 9 shows a signal flow diagram for processing a network connection.

After the node 201 is authorized from the controller 202, the node 201 controls the network connection of other applications stored in the source node 201 via the access control application 211 to ensure reliable data transmission. can

Referring to FIG. 9 , in operation 905 , the access control application 211 may detect a network access event. For example, the access control application 211 may detect that a target application, such as a web browser, is attempting to connect to a destination network including the destination node 204, such as the Internet. For example, the user may launch a web browser and input and call a web address to access.

In operation 910, when the access control application needs to communicate with the service server, it may check whether data flow information exists based on application identification information, destination IP, and port information to communicate with the service server. Data packets can be transmitted when tunnels and data flows exist. If a data flow exists but is not valid (eg, a data packet transmission disabled state), the data packet may be dropped (DROP).

In operation 915, if the data packet does not exist, the authentication time expires, and the update is required, and if the data flow needs to be updated due to other matters (eg, when network access fails), according to the validation policy A validation procedure can be performed. The validation check may include a check on the integrity and safety of the access application (eg, whether the application is forged or tampered with, a code signing check, a fingerprint check, etc.).

In operation 920, the access control application 211 is based on the control flow identification information and application identification information for identifying the control flow generated with the controller 202 before the network access event, and the destination IP and port information of the server to be accessed. You can check the target to perform the network connection request with.

When a tunnel 210 in which the node 201 is connected to the edge gateway 203 exists and a series of information for performing this procedure in the corresponding gateway 203 exists (the gateway IP and Whether port information and control flow distributed processing, whether this processing element is present in a list of commands that can be processed by the corresponding gateway, etc.), a network access request can be performed to the corresponding gateway 203 . If the corresponding information does not exist, the access control application 211 may perform a network access request to the controller 202 .

In operation 925, the controller 202 or the gateway 203 performs access-requested identification information (application, destination IP, and service port) in the access policy matched with the information (terminal, user, source network information, etc.) identified on the control flow. information, etc.) and whether access to the gateway 203 existing between the destination server mapped with the corresponding identification information and the network boundary is possible can be checked. If the connection is not possible, the controller 202 may transmit a connection failure result to the node 201 .

If access is possible, the gateway where the terminal is located is checked in the tunnel policy to allow access of the terminal connected to the network, and a tunnel is created between the gateway of the network boundary to which the terminal belongs and the gateway of the destination network to access. It can be checked whether or not the data flow is enabled, and it can be checked whether data flow information that can be accessed through the corresponding destination IP and port exists in the data flow table. If tunneling is created and there is no valid data flow information in the data flow table, data flow information is created based on the source IP, destination IP and port information to allow the access of the application, and the information is identified. Each can be transmitted to the gateway.

If accessible data flow information exists in the data flow table, the corresponding information may be transmitted to the terminal.

In operation 930 , the access control application 211 may process a result of the access request received from the controller 202 or the gateway 203 . When the network connection fails, the data packet may be dropped (DROP). If access is possible based on an existing data flow, a data packet may be transmitted.

10 shows a flowchart for forwarding a data packet in accordance with various embodiments.

According to an embodiment, when the gateway 203 receives a data packet through an authorized tunnel (operation 1005), based on the source IP, destination IP, and destination port information included in 5 Tuples information of IP (Internet Protocol) It may be checked whether a forwardable data flow exists in the data flow table (operation 1010). If there is a data flow, the corresponding data packet may be forwarded (operation 1015). If there is no data flow, the corresponding data packet may be dropped (operation 1020).

11 is a flowchart for control flow processing according to various embodiments of the present disclosure;

In operation 1105, the terminal may detect a control flow processing request event.

In operation 1110, the gateway may check the control flow request information received from the terminal.

It can be checked whether the control flow identification information included in the operation corresponding control flow information exists in the control flow table synchronized with the controller existing in the gateway.

In the case of a valid control flow, request command information included in the corresponding control flow information may be checked.

In operation 1115 , if the corresponding request command is a command that can be processed by the gateway 203 - 1 , a related processing may be performed and a result may be returned (operation 1135 ).

In operation 1120 , if the corresponding request command is a command that cannot be processed by the gateway 203 - 1 , the corresponding control flow information is transmitted to the controller 202 , and in operation 1125 , the result is returned to the gateway 203 - 1 and, in operation 1130, the gateway may receive the control flow processing request result and return the control flow processing request result (operation 1135).

If it does not exist in the corresponding control flow table, processing failure information for the corresponding request may be returned in operation 1140 .

According to an embodiment, in order to synchronize policies, the gateway 203 periodically processes common information (data flow policy, tunnel policy, access policy, etc.) to be processed by the corresponding gateway 203 and currently accessed information (tunnel table, A data flow table and a control flow table) may be synchronized with the controller 202 to always maintain the latest policies and related information.

12 is a flowchart illustrating a signal flow for updating a control flow according to various embodiments of the present disclosure;

In operation 1205 , the node 201 may detect a control flow update event. The application maintains the control flow and the currently connected data flow information, and updates the control flow based on the control flow identification information periodically granted to receive the updated data flow from the controller 202 or the gateway 203 - 1 you can request The controller 202 or the gateway 203 may check whether a control flow exists in the control flow table based on the control flow identification information requested by the node 201 (operation 1210 ).

If the control flow does not exist (e.g., disconnection by other security systems, over the update time, disconnection due to self-risk detection, etc.) have.

If the control flow exists, the update time may be updated and data flow information dependent on the corresponding control flow may be searched (operation 1215). If re-authentication needs to be performed among data flows or there is a data flow that can no longer be accessed, the corresponding data flow information can be returned. When the result of the control flow update is that the connection is unavailable, the application may be terminated or all network connections of the application may be blocked. When the control flow update result is normal and there is updated data flow information, data flow table information in the application may be updated and the result value may be processed (operation 1220 ).

13 illustrates a signal flow diagram for releasing a network connection according to various embodiments of the present disclosure; 14 illustrates a user interface screen for releasing a network connection according to various embodiments of the present disclosure.

Referring to FIG. 13 , in operation 1305 , the node 201 may request a network connection release from the controller 202 or the edge gateway 203 - 1 .

According to an embodiment, the node 201 may attempt to disconnect the network in response to a network connection disconnection event, such as a user's request, a restart of the node 201, or a request of the access control application 211 . For example, referring to FIG. 14 , the node 201 may receive a user input for selecting the connection termination button 1615 on the user interface screen 1610 output through the display. The node 201 may reconfirm the termination of the connection to the user by outputting the user interface screen 1620 including the pop-up window 1625 . As another example, the node 201 may directly perform operation 1305 without outputting the user interface screen 1620 .

In operation 1310 , the controller 202 or the edge gateway 203 - 1 may remove (or release) a control flow and a tunnel corresponding to the received identification information in response to a request from the node 201 .

Through the above-described operation, the system including the destination node 204 can provide complete blocking and isolation from which data packets transmitted from the node 201 can no longer be received.

The above description is merely illustrative of the technical idea disclosed in this document, and those of ordinary skill in the art to which the embodiments disclosed in this document belong are not departing from the essential characteristics of the embodiments disclosed in this document. Various modifications and variations will be possible.

Therefore, the embodiments disclosed in this document are for explanation rather than limiting the technical ideas disclosed in this document, and the scope of the technical ideas disclosed in this document is not limited by these embodiments. The protection scope of the technical idea disclosed in this document should be interpreted by the following claims, and all technical ideas within the equivalent range should be interpreted as being included in the scope of the present document.

Claims (14)

In the node,
communication circuit;
a processor operatively coupled to the communication circuitry; and
a memory operatively coupled to the processor and configured to store a connection control application, wherein the memory, when executed by the processor, causes the node to:
Through the access control application, to detect a network access event to the destination network,
Through the access control application, it is confirmed whether a data flow corresponding to the destination network and authorized from an external server and a tunnel between the node and the gateway exist,
When the node has a tunnel connected to the gateway and there is a series of information for performing control flow distribution processing in the gateway, a network access request is made to the gateway,
When the set of information that can perform control flow distribution processing in the gateway does not exist, the node stores instructions to make a network connection request to the external server;
wherein the gateway corresponds to a network environment of the node. The method of claim 1, wherein the instructions cause the node to:
Detecting a control flow update event through the access control application,
and request a control flow update from the gateway, and receive a first response to the control flow update request, wherein the first response includes updated control flow information. 3. The method of claim 2, wherein the instructions cause the node to:
After the tunnel connected to the gateway is terminated, the request for updating the control flow is made to the external server until a new gateway is designated. The method of claim 1, wherein the instructions cause the node to:
receiving a second user input requesting release of network connection;
and in response to the second user input, request the gateway to disconnect from the network. 5. The method of claim 4, wherein the instructions cause the node to:
After the tunnel connected to the gateway is terminated, the request for release of the network connection is made to the external server until a new gateway is designated. In the gateway,
communication circuit;
a memory for storing the database; and
a processor operatively coupled with the communication circuitry and the memory, the processor comprising:
receiving a request for control flow processing from a connection control application of the node;
When a control flow processing request is received from the access control application, the node checks the requested control flow information to check whether it is a valid control flow processing request,
When the control flow processing request is a request that can be processed by the gateway, a processing result for the request is returned to the terminal,
When the control flow processing request is a request that cannot be processed by the gateway, the request is made to an external server,
storing commands for receiving a result requested from the external server and returning a result for the request to the node;
A gateway corresponding to the network environment of the node. 7. The method of claim 6, wherein the instructions are performed by the gateway,
receiving a control flow update request from the access control application;
When the gateway can process the control flow update, sending a first response to the control flow update request to the terminal;
When the gateway cannot process the control flow update, it requests the request to an external server, receives the requested result from the external server, and returns a result for the request to the node, and the first response is updated A gateway to include controlled flow information. 7. The method of claim 6, wherein the instructions are performed by the gateway,
receiving a request for release of a network connection from the access control application;
in response to the request for release of the network connection, removing a control flow and a tunnel;
when the gateway cannot process the request for release of the network connection, request the request to an external server. A method of operating a network access control system, comprising:
detecting, through the node's access control application, a network connection event to the destination network;
checking, through the access control application, whether a data flow corresponding to the destination network and authorized from an external server and a tunnel between the node and the gateway exist;
when there is a tunnel connected between the node and the gateway and there is a set of information for performing control flow distribution processing in the gateway, the node performs a network access request to the gateway; and
When the set of information that can perform control flow distribution processing in the gateway does not exist, allowing the node to perform a network access request to the external server;
The gateway is an operating method of a network access control system corresponding to the network environment of the node. 10. The method of claim 9,
detecting a control flow update event through the access control application; and
requesting, at the node, to update a control flow from the gateway;
sending, by the gateway, a first response to the control flow update request to the node
further comprising, wherein the first response includes updated control flow information. 11. The method of claim 10,
After the tunnel connected with the node and the gateway is terminated, requesting the external server to update the control flow until a new gateway for the node is designated
A method of operating a network access control system further comprising a. 10. The method of claim 9,
receiving a second user input requesting release of a network connection at the node; and
requesting, at the node, to release the network connection from the gateway in response to the second user input;
A method of operating a network access control system further comprising a. 11. The method of claim 10,
after the tunnel connected with the node and the gateway is terminated, requesting the external server to release the network connection until a new gateway is designated;
A method of operating a network access control system further comprising a. A method of operating a network access control system, comprising:
receiving a request for control flow processing from a connection control application of the node at the gateway;
when the gateway receives a control flow processing request from the access control application, checking the control flow information requested by the node to determine whether it is a valid control flow processing request;
returning a processing result for the request to the terminal when the control flow processing request is a request that can be processed by the gateway;
when the control flow processing request is a request that cannot be processed by the gateway, requesting the request to an external server; and
receiving a result requested from the external server and returning a result for the request to the node; including,
The gateway is an operating method of a network access control system corresponding to the network environment of the node.

Images